HP Brocade 8/12c HP Fabric OS 6.2.2f Release Notes (5697-1756, February 2012) - Page 33

The disable EE interface CLI, before running

Get HP Brocade 8/12c PDF manuals and user guides View all HP Brocade 8/12c manuals
Add to My Manuals
Save this manual to your list of manuals

Page 33 highlights

message stating that the encryption engine is busy and a forced commit is required for the changes to take effect. A forced commit command halts all active rekeying processes running in all Crypto Target Containers and corrupts any LUN engaged in a rekeying operation. There is no recovery for this type of failure. • To remove access between a given initiator and target, the user must not only remove the active zoning information between the initiator and target, but must also remove the associated CTCs, which will in turn remove the associated frame redirection zone information. Make sure to back up all data before taking this action. • Before committing configurations or modifications to the CTC or LUNs on an HP encryption switch or encryption blade, make sure that there are no outstanding zoning transactions in the switch or fabric. Failure to do so results in the commit operation for the Crypto Target or LUNs failing and may cause the LUNs to be disabled. The user can check for outstanding zoning transaction by issuing the cfgtransshow CLI command: DCX_two:root> cfgtransshow There is no outstanding zoning transaction • Each LUN is uniquely identified by the HP encryption switch or encryption blade using the LUN's serial number. The LUN serial numbers must be unique for LUNs exposed from the same target port. The LUN serial numbers must also be unique for LUNs belonging to different target ports in non-multipathing configurations. Failure to ensure unique LUN serial numbers results in nondeterministic behavior and may result in faulting of the HP encryption switch or encryption blade. • When creating an HA Cluster or EG with two or more HP encryption switch/encryption blades, the GE_Ports (I/O sync links) must be configured with an IP address for the eth0 and eth1 Ethernet interfaces using ipaddrset. In addition, both eth0 and eth1 Ethernet ports should be connected to the network for redundancy. These I/O sync links connections must be established before any Re-Key, First Time Encryption, or enabling EE for crypto operations. Failure to do so results in HA Cluster creation failure. If the IP address for these ports is configured after the EE was enabled for encryption, HP Encryption Switch needs to be rebooted and Encryption blades should be slotpoweroff/slotpoweron to sync up the IP address information to the EEs. If only one Ethernet port is configured and connected to a network, data loss or suspension of Re-Key may occur when the network connection toggles or fails. • initEE will remove the existing master key or link key. Backup the master key by running cryptocfg -exportmasterkey and cryptocfg -export -currentMK before running initEE. After initEE, regEE and enableEE, run cryptocfg -recovermasterkey to recover the master key previously backed up, or in the case of fresh install run cryptocfg - genmasterkey to generate a new master key. If you are using SKM, establish a trusted link with SKM again. Certificate exchange between key vaults and switches are not required in this case. • The disable EE interface CLI cryptocfg --disableEE [slot no] command should be used only to disable encryption and security capabilities of the EE from the Fabric OS Security Admin in the event of a security compromise. When disabling the encryption capabilities of the EE using the noted commands, the EE should not be hosting any CTCs. Ensure that all CTCs hosted on the HP Encryption Switch or HP Encryption Blade are either removed or moved to a different EE in the HA Cluster or EG before disabling the encryption and security capabilities. • Whenever initNode is performed, new certificates for CP and KAC (SKM) are generated. Hence, each time InitNode is performed, the new KAC Certificate must be loaded onto key vaults for Secure Key Manager (SKM). Without this step, errors will occur, such as key vault not responding and ultimately key archival and retrieval problems. • The HTTP server should be listening to port 9443. Secure Key Manager is supported only when configured to port 9443. Encryption behavior 33

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
message stating that the encryption engine is busy and a forced commit is required for the
changes to take effect. A forced commit command halts all active rekeying processes running
in all Crypto Target Containers and corrupts any LUN engaged in a rekeying operation. There
is no recovery for this type of failure.
To remove access between a given initiator and target, the user must not only remove the
active zoning information between the initiator and target, but must also remove the associated
CTCs, which will in turn remove the associated frame redirection zone information. Make sure
to back up all data before taking this action.
Before committing configurations or modifications to the CTC or LUNs on an HP encryption
switch or encryption blade, make sure that there are no outstanding zoning transactions in
the switch or fabric. Failure to do so results in the commit operation for the Crypto Target or
LUNs failing and may cause the LUNs to be disabled. The user can check for outstanding
zoning transaction by issuing the
cfgtransshow
CLI command:
DCX_two:root> cfgtransshow
There is no outstanding zoning transaction
Each LUN is uniquely identified by the HP encryption switch or encryption blade using the
LUN’s serial number. The LUN serial numbers must be unique for LUNs exposed from the same
target port. The LUN serial numbers must also be unique for LUNs belonging to different target
ports in non-multipathing configurations. Failure to ensure unique LUN serial numbers results
in nondeterministic behavior and may result in faulting of the HP encryption switch or encryption
blade.
When creating an HA Cluster or EG with two or more HP encryption switch/encryption blades,
the GE_Ports (I/O sync links) must be configured with an IP address for the
eth0
and
eth1
Ethernet interfaces using
ipaddrset
. In addition, both
eth0
and
eth1
Ethernet ports should
be connected to the network for redundancy. These I/O sync links connections must be
established before any Re-Key, First Time Encryption, or enabling EE for crypto operations.
Failure to do so results in HA Cluster creation failure. If the IP address for these ports is
configured after the EE was enabled for encryption, HP Encryption Switch needs to be rebooted
and Encryption blades should be
slotpoweroff
/
slotpoweron
to sync up the IP address
information to the EEs. If only one Ethernet port is configured and connected to a network,
data loss or suspension of Re-Key may occur when the network connection toggles or fails.
initEE
will remove the existing master key or link key. Backup the master key by running
cryptocfg
exportmasterkey
and
cryptocfg
export
currentMK
before running
initEE
. After
initEE
,
regEE
and
enableEE
, run
cryptocfg
recovermasterkey
to recover the master key previously backed up, or in the case of fresh install run
cryptocfg
genmasterkey
to generate a new master key. If you are using SKM, establish a trusted
link with SKM again. Certificate exchange between key vaults and switches are not required
in this case.
The disable EE interface CLI
cryptocfg --disableEE [slot no]
command should be
used only to disable encryption and security capabilities of the EE from the Fabric OS Security
Admin in the event of a security compromise. When disabling the encryption capabilities of
the EE using the noted commands, the EE should not be hosting any CTCs. Ensure that all
CTCs hosted on the HP Encryption Switch or HP Encryption Blade are either removed or moved
to a different EE in the HA Cluster or EG before disabling the encryption and security
capabilities.
Whenever
initNode
is performed, new certificates for CP and KAC (SKM) are generated.
Hence, each time
InitNode
is performed, the new KAC Certificate must be loaded onto key
vaults for Secure Key Manager (SKM). Without this step, errors will occur, such as key vault
not responding and ultimately key archival and retrieval problems.
The HTTP server should be listening to port 9443. Secure Key Manager is supported only
when configured to port 9443.
Encryption behavior
33