Brocade Communications Systems Encryption Switch Service Manual Page 200
- Page / 326
- Table of contents
- TROUBLESHOOTING
- BOOKMARKS
Rated. / 5. Based on customer reviews
182 Fabric OS Encryption Administrator’s Guide (DPM)
53-1002720-02
SRDF LUNs
3
CAUTION
Do not add a node running an earlier Fabric OS version to an encryption group that is running
version 6.4.0 or later if remote replication is enabled. Also, be aware that a Fabric OS 6.4.0
configuration file is not blocked from being downloaded to a node running an earlier Fabric OS
version.
Adding replication LUNs
Replication LUNs must be added to the container with the -newLUN option. Replication mode
needs to be enabled prior to adding replication LUNs with
-newLUN option, using the
cryptocfg
--set -replication enable command. The primary LUN and all mirror LUNs need to be
added to their respective containers with the
-newLUN option.
From the standpoint of the encryption switch or blade, the local and remote copies of the LUN are
configured in different encryption groups. From the DPM perspective, DPM clusters at local and
remote encryption groups must be configured as part of the same DPM cluster group.
Rekey operations for replicated LUNs
Auto rekey is disabled for replicated LUNs. Sync between primary LUNs and mirror LUNs should be
disabled before starting manual rekey on primary LUNs. If sync is not disabled, the mirror LUN will
be disabled for host access. Once the primary LUN rekey is completed, the sync can be performed
between the primary (R1) and mirror (R2) LUN. Manual rekey works only on primary LUNs. Mirror
LUNs can be converted to primary LUNs by performing a manual rekey with the
-include_mirror
option.
Be aware that when an individual primary LUN is rekeyed using the
-include_mirror option, no
warning message is displayed prior to the rekey occurring.
If a rekey is invoked using the
-include_mirror option, and the LUN is not a mirror LUN or a
read-only primary LUN, the rekey operation acts as usual.
NOTE
cryptocfg --manual_rekey -all -include_mirror rekeys all the primary and mirror LUNs, not just
mirror LUNs and out-of-sync primary LUNs. Enter only cryptocfg
--manual_rekey -all if you want to
rekey only out-of-sync primary LUNs. The
-include_mirror option is ignored if the command applies
only to a primary LUN.
Reading metadata after sync
The cryptocfg --refreshDEK command can be used to perform a read of the metadata and
reprogram the encryption tables with a new encryption key. After a sync from rekeyed primary LUN
to the mirror LUN, performing cryptocfg
--refreshDEK will obtain the latest encryption keys for the
primary LUN and configure that for encryption and decryption of the mirror LUN.
NOTE
For all multi-path LUN environments, it is critical to ensure that the target port settings (for example,
os2007 bit, or spc-2 bit) for all paths to a given LUN are configured identically.
- Fabric OS Encryption 1
- Document History 2
- Contents 3
- 53-1002720-02 10
- About This Document 13
- What’s new in this document 14
- Document conventions 14
- Command syntax conventions 15
- Notes, cautions, and warnings 15
- Additional information 16
- Getting technical help 17
- Document feedback 18
- Encryption Overview 19
- Terminology 20
- The Brocade Encryption Switch 22
- The FS8-18 blade 23
- FIPS mode 23
- Performance licensing 23
- Usage limitations 24
- FIGURE 2 Encryption overview 25
- FIGURE 3 Frame redirection 26
- IO Sync LAN 27
- FIGURE 5 DEK life cycle 28
- Master key management 29
- Support for virtual fabrics 29
- Encryption Center features 32
- Encryption user privileges 33
- Smart card usage 34
- Using system cards 39
- Deregistering system cards 41
- Using smart cards 41
- Tracking smart cards 42
- Editing smart cards 44
- Network connections 45
- Blade processor links 45
- (KAC) certificate 46
- Encryption preparation 53
- Creating an encryption group 53
- Creating HA clusters 70
- Failback option 72
- Invoking failback 72
- Adding an encryption target 73
- FIGURE 46 Next Steps screen 81
- Configuring storage arrays 89
- Remote replication LUNs 89
- SRDF pairs 90
- Moving targets 94
- Tape LUN statistics 97
- Encryption engine rebalancing 102
- Master keys 103
- Active master key 104
- Alternate master key 104
- Master key actions 104
- ATTENTION 106
- Creating a master key 111
- Security Settings 112
- Setting zeroization 113
- Redirection zones 115
- Disk device decommissioning 115
- Decommissioning disk LUNs 116
- Displaying Universal IDs 118
- Setting disk LUN Re-key All 119
- Thin provisioned LUNs 123
- Thin Provisioning support 124
- Time left for auto rekey 125
- General tab 131
- Members tab 133
- Members tab Remove button 134
- Security tab 135
- HA Clusters tab 137
- Tape Pools tab 139
- Adding tape pools 140
- Engine Operations tab 141
- TABLE 3 Encryption acronyms 142
- In this chapter 143
- Overview 144
- Command validation checks 144
- (Continued) 146
- Cryptocfg Help command output 148
- Management LAN configuration 148
- Configuring cluster links 149
- Node is a group leader node 150
- Node is a member node 150
- • FIPS crypto officer 151
- • FIPS user 151
- • Node CP certificate 151
- Submitting the CSR to a CA 154
- • cryptocfg --initEE 161
- • cryptocfg --regEE 161
- • cryptocfg --enableEE 161
- High availability clusters 166
- Creating an HA cluster 167
- Policy Configuration Examples 170
- Re-exporting a master key 171
- Viewing the master key IDs 172
- Zoning considerations 175
- Frame redirection zoning 176
- Gathering information 180
- Crypto LUN configuration 184
- Discovering a LUN 185
- Configuring a Crypto LUN 186
- Configuring a tape LUN 189
- Decommissioning LUNs 193
- SRDF LUNs 198
- --set -replication enable 199
- Adding replication LUNs 200
- Reading metadata after sync 200
- -newLUN option 201
- TF snapshot rekeying details 207
- -not_ready option of TF 208
- <initiator PWWN> 208
- ID> <initiator PWWN> 210
- Tape pool configuration 212
- CommVault Galaxy labeling 213
- NetBackup labeling 213
- Creating a tape pool 214
- Deleting a tape pool 215
- Modifying a tape pool 215
- First-time encryption 220
- Space reclamation 222
- Data rekeying 223
- Deployment Scenarios 227
- --rdcreate [host wwn] 236
- FIGURE 103 FCIP deployment 238
- Data mirroring deployment 239
- VMware ESX server deployments 241
- General guidelines 244
- HP-UX considerations 248
- Enabling a disabled LUN 249
- AIX Considerations 249
- Disk metadata 250
- Tape metadata 250
- Tape data compression 251
- Tape pools 251
- Tape block zero handling 252
- Tape key expiry 252
- Avoid double encryption 254
- PID failover 254
- Manual rekey 255
- Latency in rekey operations 255
- Key Vault Best Practices 259
- Tape Device LUN Mapping 259
- Deleting an encryption group 265
- Removing an HA cluster member 265
- Deleting an HA cluster member 269
- Failover/failback example 270
- Recovery 271
- -hbmisses and -hbtimeout 276
- Key vault diagnostics 282
- Command Activity 285
- Problem Resolution 285
- General errors and conditions 286
- LUN policy troubleshooting 293
- MPIO and internal LUN states 295
- Multi-node EG replacement 296
- Single-node EG replacement 298
- Multi-node EG Case 299
- Single-node EG Replacement 302
- Deregistering a DPM key vault 305
- TABLE 15 Compatibility Matrix 308
- State and Status Information 311
- Security processor KEK status 312
- Encrypted LUN states 312
- TABLE 22 Tape LUN states 315
Related products and manuals for Network switches Brocade Communications Systems Encryption Switch
(34 pages)
(120 pages)© 2020, manymanuals.com. All rights reserved. | 1.433 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Comments to this Manuals