HP Brocade 8/12c HP Fabric OS 6.2.2f Release Notes (5697-1756, February 2012) - Page 35

Initial setup of encrypted LUNs, described in the SKM User Guide



• The Encryption SAN Switch and Encryption FC blade do not support QoS. When using encryption or Frame Redirection, participating flows should not be included in QoS Zones.
• With Windows and Veritas Volume Manager/Veritas Dynamic Multipathing, when LUN sizes less than 400 MB are presented to the Encryption SAN Switch for encryption, a host panic can occur. Fabric OS 6.2.2f does not support this configuration.
• To clean up the stale rekey information for the LUN, use one of the following methods:
  ◦ Method 1
    1. Modify the LUN policy from encrypt to cleartext and commit. The LUN will become disabled.
    2. Enable the LUN using cryptocfg --enable -LUN. Modify the LUN policy from clear-text to encrypt with enable_encexistingdata to enable First Time Encryption, and commit. This clears the stale rekey metadata on the LUN, and the LUN can be used again for encryption.
  ◦ Method 2
    1. Remove the LUN from the Crypto Target Container and commit.
    2. Add the LUN back to the Crypto Target Container with LUN State="clear-text", policy="encrypt", and enable_encexistingdata set to enable First Time Encryption, and commit. This clears the stale rekey metadata on the LUN, and the LUN can be used again for encryption.
• Relative to the HP Encryption switch and HP Encryption blade, all nodes in the Encryption Group must be at the same firmware level before starting a rekey or First Time Encryption operation. Make sure that existing rekey or First Time Encryption operations complete before upgrading any of the encryption products in the Encryption Group. Also, make sure that the firmware upgrade of all nodes in the Encryption Group completes before starting a rekey or First Time Encryption operation.
• SKM FIPS mode enablement
  FIPS compliance mode is disabled in SKM by default. To enable it, follow the procedure described in the SKM User Guide, "Configuring the Key Manager for FIPS Compliance" section.

  NOTE: Per FIPS requirements, you cannot enable or disable FIPS when there are keys on the Key Manager. Therefore, if you must enable FIPS, HP strongly recommends that you do so during the initial SKM configuration, before any key sharing between the switch and the SKM occurs.

Initial setup of encrypted LUNs

IMPORTANT: While performing first-time encryption to a LUN with more than one initiator active at the time, rekey operations slow to a standstill. Define LUNs for a single initiator at a time to avoid this occurrence.