HP Brocade 8/12c HP Fabric OS 6.2.2f Release Notes (5697-1756, February 2012) - Page 32

Encryption behavior

Get HP Brocade 8/12c PDF manuals and user guides View all HP Brocade 8/12c manuals
Add to My Manuals
Save this manual to your list of manuals

Page 32 highlights

1 Viewing FCIP tunnels is supported in Web Tools 6.1.1, but New, Edit Config, and Delete are available only in DCFM. 2 In Web Tools, non-local switch port id/WWN can be added using text box. Encryption behavior • HP recommends that the encrypted LUN containers be created when all of the nodes/Encryption Engines (EE) in the Data Encryption Key (DEK)/High Availability Cluster (HAC) are up and enabled. • If two EEs are part of a HAC, configure the host/target pair such that they form a multipath from both EEs. Avoid connecting both host/target pairs to the same EE. This connectivity does not provide full redundancy when EE failure results in HAC failover. • LUN configuration ◦ The following process is to be used then when configuring a LUN for encryption: - Add the LUN as clear-text to the Crypto Target Container (CTC). - When the LUN comes online and clear-text host I/O starts, modify the LUN from clear-text to encrypt, including the enable_encexistingdata option to convert the LUN from clear-text to encrypted. ◦ An exception to this LUN configuration process: if the LUN was previously encrypted by the HP encryption switch or HP encryption blade, the LUN can be added to the Crypto Target Container with the -encrypt and -lunstate ="encrypted" options. ◦ LUN configurations must be committed to take effect. No more than 25 LUNs can be added or modified in a single commit operation. Attempts to commit configurations that exceed 25 LUNs will fail with a warning. Note that there is also a five-second delay before the commit operation takes effect. Always ensure that any previously committed LUN configurations or LUN modifications have taken effect before committing additional LUN configurations or additions. All LUNs should be in an Encryption Enabled state before committing additional LUN modifications. • A new LUN state is available: Disabled (Key not in sync). This new state indicates re-keying was started on a remote EE but the local EE is not capable of starting rekey because it does not have the KeyID that was used by the remote EE in re-keying (that is, the newest key returned from the key vault does not match with the KeyID used by remote EE). You must use the cryptocfg --discoverLUN interface to re-enable the LUN only after the keys are properly synced between two key vaults. Both VMware and clustering technologies use SCSI reservations to control host I/O access to LUNs. When the HP Encryption Switch/HP Encryption Blade is performing a rekeying operation (first time encryption or otherwise), it accommodates the use of this methodology. In deployments that have multiple physical initiators accessing a target/LUN from an EE, Fabric OS 6.2x does not have the ability to failover FTE/rekey operations within the EE. Therefore, during FTE/Rekey operations in these environments, only one physical initiator can be allowed to access the target/LUN combination; this is true for all EEs exposing the LUN. If only one initiator has access to a Target/LUN on a particular EE, no configuration modification is required during FTE/Rekey operations. • The cryptocfg -manual_rekey -all command should not be used in environments with multiple encryption engines (encryption blades) installed in a director-class chassis when more than one encryption engine has access to the same LUN. In such situations, use the cryptocfg -manual_rekey CTCLUN NumInitiator PWWN command to manually rekey the LUNs. • Avoid changing the configuration of any LUN that belongs to a Crypto Target Container/LUN configuration while the rekeying process for that LUN is active. If the user changes the LUN's settings during manual or auto, rekeying or First Time Encryption, the system reports a warning 32

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
1
Viewing FCIP tunnels is supported in Web Tools 6.1.1, but New, Edit Config, and Delete are available only in DCFM.
2
In Web Tools, non-local switch port id/WWN can be added using text box.
Encryption behavior
HP recommends that the encrypted LUN containers be created when all of the nodes/Encryption
Engines (EE) in the Data Encryption Key (DEK)/High Availability Cluster (HAC) are up and
enabled.
If two EEs are part of a HAC, configure the host/target pair such that they form a multipath
from both EEs. Avoid connecting both host/target pairs to the same EE. This connectivity does
not provide full redundancy when EE failure results in HAC failover.
LUN configuration
The following process is to be used then when configuring a LUN for encryption:
Add the LUN as clear-text to the Crypto Target Container (CTC).
When the LUN comes online and clear-text host I/O starts, modify the LUN from
clear-text to
encrypt
, including the
enable_encexistingdata
option to convert
the LUN from clear-text to encrypted.
An exception to this LUN configuration process: if the LUN was previously encrypted by
the HP encryption switch or HP encryption blade, the LUN can be added to the Crypto
Target Container with the
encrypt
and
lunstate =
encrypted
options.
LUN configurations must be committed to take effect. No more than 25 LUNs can be
added or modified in a single commit operation. Attempts to commit configurations that
exceed 25 LUNs will fail with a warning. Note that there is also a five-second delay
before the commit operation takes effect.
Always ensure that any previously committed LUN configurations or LUN modifications
have taken effect before committing additional LUN configurations or additions. All LUNs
should be in an Encryption Enabled state before committing additional LUN modifications.
A new LUN state is available:
Disabled (Key not in sync)
. This new state indicates
re-keying was started on a remote EE but the local EE is not capable of starting rekey because
it does not have the KeyID that was used by the remote EE in re-keying (that is, the newest
key returned from the key vault does not match with the KeyID used by remote EE). You must
use the
cryptocfg --discoverLUN <ContainerName>
interface to re-enable the LUN
only after the keys are properly synced between two key vaults.
Both VMware and clustering technologies use SCSI reservations to control host I/O access to
LUNs. When the HP Encryption Switch/HP Encryption Blade is performing a rekeying operation
(first time encryption or otherwise), it accommodates the use of this methodology. In deployments
that have multiple physical initiators accessing a target/LUN from an EE, Fabric OS 6.2x does
not have the ability to failover FTE/rekey operations within the EE. Therefore, during FTE/Rekey
operations in these environments, only one physical initiator can be allowed to access the
target/LUN combination; this is true for all EEs exposing the LUN. If only one initiator has
access to a Target/LUN on a particular EE, no configuration modification is required during
FTE/Rekey operations.
The
cryptocfg -manual_rekey -all
command should not be used in environments
with multiple encryption engines (encryption blades) installed in a director-class chassis when
more than one encryption engine has access to the same LUN. In such situations, use the
cryptocfg -manual_rekey
CTCLUN NumInitiator PWWN
command to manually rekey
the LUNs.
Avoid changing the configuration of any LUN that belongs to a Crypto Target Container/LUN
configuration while the rekeying process for that LUN is active. If the user changes the LUN’s
settings during manual or auto, rekeying or First Time Encryption, the system reports a warning
32