Home » HP Manuals » Servers » HP Brocade 8/12c » Manual Viewer

HP Brocade 8/12c Fabric OS Encryption Administrator's Guide - Page 229

Replacing an HA cluster member, Case 1: Replacing a failed encryption engine in an HA cluster

Add to My Manuals
Save this manual to your list of manuals

Page 229 highlights

Encryption group and HA cluster maintenance 6 HA cluster name: HAC1 - 2 EE entries Status: Committed WWN Slot Number 11:22:33:44:55:66:77:00 0 10:00:00:05:1e:53:74:87 3 Status Online Online HA cluster name: HAC2 - 1 EE entry Status: Defined WWN Slot Number 10:00:00:05:1e:53:4c:91 0 Status Online In the following example, the encryption group brocade has one HA cluster HAC3. The encryption engine with the WWN of 10:00:00:05:1e:53:89:dd has failed over containers from the encryption engine with the WWN of 10:00:00:05:1e:53:fc:8a it is offline. SecurityAdmin:switch>cryptocfg --show -hacluster -all Encryption Group Name: brocade Number of HA Clusters: 1 HA cluster name: HAC3- 2 EE entries Status: Committed WWN Slot Number Status 10:00:00:05:1e:53:89:dd 0 Online - Failover active 10:00:00:05:1e:53:fc:8a 0 Offline NOTE In this particular case, the correct status of Failover active is displayed only if group leader node is queried. If the other node is queried Failover active is not displayed, which is not consistent with the actual HA status. Replacing an HA cluster member 1. Log in to the Group Leader as Admin or SecurityAdmin. 2. Enter the cryptocfg --replace -haclustermember command. Specify the HA cluster name, the node WWN of the encryption engine to be replaced, and the node WWN of the replacement encryption engine. Provide a slot number if the encryption engine is a blade. The replacement encryption engine must be part of the same encryption group as the encryption engine that is replaced. SecurityAdmin:switch>cryptocfg --replace -haclustermember HAC2 \ 10:00:00:05:1e:53:4c:91 10:00:00:05:1e:39:53:67 Replace HA cluster member status: Operation Succeeded. 3. Enter cryptocfg --commit to commit the transaction. Case 1: Replacing a failed encryption engine in an HA cluster Assume a working HA cluster with two operational encryption engines, EE1 and EE2. The target T1 is hosted on EE1 and target T2 is hosted on EE2. Refer to Figure 110. EE2 fails and generates an offline notification. The target hosted on EE2 (T2 in this case) automatically fails over to EE1. Even though the target T2 is now hosted on EE1 because of the failover process, the target association is still EE2, and the container status is displayed on the hosting node as failover. Use the cryptocfg --show -container crypto target container name -stat command to display the container status. Fabric OS Encryption Administrator's Guide 209 53-1002159-03

Section	Page
Contents	5
About This Document	15
In this chapter	15
How this document is organized	15
Supported hardware and software	16
What’s new in this document	16
Document conventions	16
Text formatting	16
Command syntax conventions	17
Notes, cautions, and warnings	17
Key terms	17
Notice to the reader	18
Additional information	18
Brocade resources	18
Other industry resources	19
Getting technical help	19
Document feedback	20
Encryption Overview	21
In this chapter	21
Host and LUN considerations	21
Terminology	22
The Brocade Encryption Switch	24
The FS8-18 blade	25
FIPS mode	25
Performance licensing	25
Adding a license	25
Licensing best practices	25
Recommendation for connectivity	26
Usage limitations	26
Brocade encryption solution overview	27
Data flow from server to storage	28
Data encryption key life cycle management	29
Master key management	30
Master key generation	30
Master key backup	30
Support for Virtual Fabrics	31
Cisco Fabric Connectivity support	31
Encryption configuration	33
In this chapter	33
Encryption Center features	34
Encryption user privileges	35
Smart card usage	36
Registering authentication cards from a card reader	36
Registering authentication cards from the database	38
Deregistering an authentication card	39
Using authentication cards	40
Enabling or disabling the system card requirement	40
Registering system cards from a card reader	41
Deregistering a system card	41
Tracking smart cards	42
Editing smart cards	43
Network connections	44
Configuring blade processor links	44
Encryption node initialization and certificate generation	45
Steps for connecting to an SKM or ESKM appliance	46
Configuring a Brocade group on SKM or ESKM	47
Registering the SKM or ESKM Brocade group user name and password	48
Setting up the local Certificate Authority (CA) on SKM or ESKM	49
Downloading the local CA certificate from SKM or ESKM	50
Creating and installing the SKM or ESKM server certificate	50
Enabling SSL on the Key Management System (KMS) Server	51
Creating an SKM or ESKM High Availability cluster	52
Copying the local CA certificate for a clustered SKM or ESKM appliance	53
Adding SKM or ESKM appliances to the cluster	53
Signing the Brocade encryption node KAC certificates	54
Importing a signed KAC certificate into a switch	55
SKM or ESKM key vault high availability deployment	56
Steps for Migrating from SKM to ESKM	56
Steps required from the BES CLI	56
Steps required using Brocade Management application	57
Encryption preparation	58
Creating a new encryption group	58
Understanding configuration status results	66
Adding a switch to an encryption group	67
Replacing an encryption engine in an encryption group	73
Creating high availability (HA) clusters	74
Removing engines from an HA cluster	75
Swapping engines in an HA cluster	75
Failback option	76
Invoking failback	77
Adding encryption targets	77
Configuring hosts for encryption targets	84
Adding target disk LUNs for encryption	85
Configuring Storage Arrays	88
Adding target tape LUNs for encryption	88
Tape LUN write early and read ahead	91
Enabling and disabling tape LUN write early and read ahead	91
Tape LUN statistics	93
Viewing and clearing tape container statistics	93
Viewing and clearing tape LUN statistics for a container	94
Viewing and clearing statistics for specific tape LUNs	95
Re-balancing the encryption engine	97
Master keys	98
Active master key	98
Alternate master key	98
Master key actions	99
Reasons master keys can be disabled	99
Saving the master key to a file	99
Saving a master key to a key vault	101
Saving a master key to a smart card set	102
Restoring a master key from a file	104
Restoring a master key from a key vault	105
Restoring a master key from a smart card set	106
Creating a new master key	107
Viewing master key IDs	108
Zeroizing an encryption engine	108
Using the Encryption Targets dialog box	110
Redirection zones	111
Re-keying all disk LUNs manually	111
Viewing the progress of manual re-key operations	113
Viewing time left for auto re-key	114
Viewing and editing switch encryption properties	115
Exporting the public key certificate signing request (CSR) from Properties	117
Importing a signed public key certificate from Properties	117
Enabling and disabling the encryption engine state from Properties	117
Viewing and editing group properties	118
General tab	119
Members tab	120
Consequences of removing an encryption switch	121
Security tab	123
HA Clusters tab	124
Tape Pools tab	125
Engine Operations tab	127
Encryption-related acronyms in log messages	129
Configuring Brocade Encryption Using the CLI	131
In this chapter	131
Overview	132
Command validation checks	132
Command RBAC permissions and AD types	133
Cryptocfg Help command output	135
Management LAN configuration	136
Configuring cluster links	136
Special consideration for blades	137
IP Address change of a node within an encryption group	137
Steps for connecting to an SKM or ESKM appliance	139
Configuring a Brocade group	139
Setting up the local Certificate Authority (CA)	140
Downloading the local CA certificate	141
Creating and installing the SKM or ESKM server certificate	142
Enabling SSL on the Key Management System (KMS) Server	143
Creating an SKM or ESKM high availability cluster	144
Copying the local CA certificate	144
Adding SKM or ESKM appliances to the cluster	145
Initializing the Brocade encryption engines	146
Signing the Brocade encryption node KAC certificates	147
Registering SKM or ESKM on a Brocade encryption group leader	148
Registering the SKM or ESKM Brocade group user name and password	150
SKM or ESKM key vault high availability deployment	151
Adding a member node to an encryption group	152
Generating and backing up the master key	155
High availability cluster configuration	157
HA cluster configuration rules	157
Creating an HA cluster	158
Adding an encryption engine to an HA cluster	159
Failover/failback policy configuration	159
Re-exporting a master key	160
Exporting an additional key ID	161
Viewing the master key IDs	162
Enabling the encryption engine	163
Checking encryption engine status	163
Zoning considerations	164
Setting default zoning to no access	164
Frame redirection zoning	165
Creating an initiator - target zone	165
CryptoTarget container configuration	167
LUN re-balancing when hosting both disk and tape targets	168
Gathering information	169
Creating a CryptoTarget container	169
Removing an initiator from a CryptoTarget container	171
Deleting a CryptoTarget container	172
Moving a CryptoTarget container	173
Crypto LUN configuration	173
Discovering a LUN	174
Configuring a Crypto LUN	174
Crypto LUN parameters and policies	176
Configuring a tape LUN	178
Removing a LUN from a CryptoTarget container	179
Modifying Crypto LUN parameters	180
LUN modification considerations	181
Impact of tape LUN configuration changes	181
Force-enabling a disabled disk LUN for encryption	182
Tape pool configuration	182
Tape pool labeling	182
Creating a tape pool	184
Deleting a tape pool	185
Modifying a tape pool	185
Impact of tape pool configuration changes	186
Configuring a multi-path Crypto LUN	186
Multi-path LUN configuration example	186
First-time encryption	189
Resource allocation	190
First time encryption modes	190
Configuring a LUN for first time encryption	190
Data re-keying	190
Resource Allocation	191
Re-keying modes	191
Configuring a LUN for automatic re-keying	191
Initiating a manual re-key session	192
Suspension and resumption of re-keying operations	193
Deployment Scenarios	195
In this chapter	195
Single encryption switch, two paths from host to target	196
Single fabric deployment - HA cluster	197
Single fabric deployment - DEK cluster	198
Dual fabric deployment - HA and DEK cluster	199
Multiple paths, one DEK cluster, and two HA clusters	200
Multiple paths, DEK cluster, no HA cluster	202
Deployment in Fibre Channel routed fabrics	203
Deployment as part of an edge fabric	205
Deployment with FCIP extension switches	206
VMware ESX server deployments	207
Best Practices and Special Topics	209
In this chapter	209
Firmware download considerations	210
Firmware upgrades and downgrades	210
Data-at-rest encryption support for IBM SVC LUNs configuration	211
Specific guidelines for HA clusters	211
Configuration upload and download considerations	212
Configuration upload at an encryption group leader node	212
Configuration upload at an encryption group member node	213
Information not included in an upload	213
Steps before configuration download	213
Configuration download at the encryption group leader	214
Configuration download at an encryption group member	214
Steps after configuration download	214
HP-UX considerations	215
AIX Considerations	215
Enable of a disabled LUN	215
Disk metadata	215
Tape metadata	216
Tape data compression	216
Tape pools	216
Tape block zero handling	217
Tape key expiry	217
Configuring CryptoTarget containers and LUNs	217
Redirection zones	218
Deployment with Admin Domains (AD)	219
Do not use DHCP for IP interfaces	219
Ensure uniform licensing in HA clusters	219
Tape library media changer considerations	219
Turn off host-based encryption	219
Avoid double encryption	219
PID failover	220
Turn off compression on extension switches	220
Re-keying best practices and policies	220
Manual re-key	220
Latency in re-key operations	220
Allow re-key to complete before deleting a container	221
Re-key operations and firmware upgrades	221
Do not change LUN configuration while re-keying	221
Recommendation for Host I/O traffic during online rekeying and first time encryption	221
KAC certificate registration expiry	221
Changing IP addresses in encryption groups	222
Disabling the encryption engine	222
Recommendations for Initiator Fan-Ins	222
Best practices for host clusters in an encryption environment	224
HA Cluster deployment considerations and best practices	224
Key Vault Best Practices	224
Tape Device LUN Mapping	224
Maintenance and Troubleshooting	225
In this chapter	225
Encryption group and HA cluster maintenance	225
Displaying encryption group configuration or status information	225
Removing a member node from an encryption group	226
Deleting an encryption group	228
Removing an HA cluster member	228
Displaying the HA cluster configuration	228
Replacing an HA cluster member	229
Deleting an HA cluster member	231
Performing a manual failback of an encryption engine	232
Encryption group merge and split use cases	233
A member node failed and is replaced	233
A member node reboots and comes back up	234
A member node lost connection to the group leader	235
A member node lost connection to all other nodes in the encryption group	235
Several member nodes split off from an encryption group	236
Adjusting heartbeat signaling values	237
EG split possibilities requiring manual recovery	237
Configuration impact of encryption group split or node isolation	242
Encryption group database manual operations	243
Manually synchronizing the encryption group database	243
Manually synchronizing the security database	243
Aborting a pending database transaction	243
Key vault diagnostics	243
General encryption troubleshooting	246
Troubleshooting examples using the CLI	249
Encryption Enabled Crypto Target LUN	249
Encryption Disabled Crypto Target LUN	250
Management application encryption wizard troubleshooting	251
Errors related to adding a switch to an existing group	251
Errors related to adding a switch to a new group	252
General errors related to the Configure Switch Encryption wizard	253
LUN policy troubleshooting	254
Loss of encryption group leader after power outage	255
MPIO and internal LUN states	256
Suspension and resumption of re-keying operations	256
FS8-18 blade removal and replacement	257
BES removal and replacement	258
Multi Node EG Case	258
Single Node EG Replacement	262
Reclaiming the WWN base of a failed Brocade Encryption Switch	264
Splitting an encryption group into two encryption groups	264
Moving a blade from one EG to another EG in the same fabric	265
Moving a BES from one EG to another EG in the same fabric	266
Removing stale rekey information for a LUN	267
State and Status Information	269
In this appendix	269
Encryption engine security processor (SP) states	269
Security processor KEK status	270
Encrypted LUN states	270

Match case Limit results 1 per page

Fabric OS Encryption Administrator’s Guide

209

53-1002159-03

Encryption group and HA cluster maintenance

HA cluster name: HAC1 - 2 EE entries

Status:

Committed

WWN

Slot Number

Status

11:22:33:44:55:66:77:00

Online

10:00:00:05:1e:53:74:87

Online

HA cluster name: HAC2 - 1 EE entry

Status:

Defined

WWN

Slot Number

Status

10:00:00:05:1e:53:4c:91

Online

In the following example, the encryption group brocade has one HA cluster HAC3. The

encryption engine with the WWN of 10:00:00:05:1e:53:89:dd has failed over containers from

the encryption engine with the WWN of 10:00:00:05:1e:53:fc:8a it is offline.

SecurityAdmin:switch>cryptocfg --show -hacluster -all

Encryption Group Name: brocade

Number of HA Clusters: 1

HA cluster name: HAC3- 2 EE entries

Status: Committed

WWN

Slot Number

Status

10:00:00:05:1e:53:89:dd

Online - Failover active

10:00:00:05:1e:53:fc:8a

Offline

NOTE

In this particular case, the correct status of

Failover active

is displayed only if group leader

node is queried. If the other node is queried

Failover active

is not displayed, which is not

consistent with the actual HA status.

Replacing an HA cluster member

Enter the

cryptocfg

replace -haclustermember

command. Specify the HA cluster name, the

node WWN of the encryption engine to be replaced, and the node WWN of the replacement

encryption engine. Provide a slot number if the encryption engine is a blade. The replacement

encryption engine must be part of the same encryption group as the encryption engine that is

replaced.

SecurityAdmin:switch>

cryptocfg --replace -haclustermember HAC2 \

10:00:00:05:1e:53:4c:91 10:00:00:05:1e:39:53:67

Replace HA cluster member status: Operation Succeeded.

Enter

cryptocfg

commit

to commit the transaction.

Case 1: Replacing a failed encryption engine in an HA cluster

Assume a working HA cluster with two operational encryption engines, EE1 and EE2. The target T1

is hosted on EE1 and target T2 is hosted on EE2. Refer to

Figure 110

EE2 fails and generates an offline notification. The target hosted on EE2 (T2 in this case)

automatically fails over to EE1. Even though the target T2 is now hosted on EE1 because of the

failover process, the target association is still EE2, and the container status is displayed on the

hosting node as failover. Use the

cryptocfg

show -container

crypto target container name

-stat

command to display the container status.

HP Brocade 8/12c Fabric OS Encryption Administrator&#039;s Guide - Page 229

Replacing an HA cluster member, Case 1: Replacing a failed encryption engine in an HA cluster

Page 229 highlights

HP Brocade 8/12c Fabric OS Encryption Administrator's Guide - Page 229