Brocade Network Advisor SAN User Manual v11.1x (53-1002167-01, May 2011)

LKM key vault high availability deployment
LKM appliances can be clustered to provide high availability. You can deploy and register one
LKM with an encryption switch or blade and deploy and register a second LKM at any later time,
provided the two LKMs are clustered (linked) together. Refer to the LKM documentation for the
procedure to link or cluster LKMs.
When LKM appliances are clustered, both LKMs in the cluster must be registered and configured
with the link keys before starting any crypto operations. If two LKM key vaults are configured, they
must be clustered. If only a single LKM key vault is configured, that LKM may still be clustered
with a peer for backup purposes, but the peer is not directly used by the switch.
When dual LKMs are used with the encryption switch or blade, they must be clustered. The
encryption switch or blade does not verify that dual LKMs are clustered, but key creation
operations fail if you register non-clustered dual LKMs with the encryption switch or blade.
Regardless of whether you deploy a single LKM or clustered dual LKMs, register only the primary
key vault with the encryption switch or blade. You do not need to register a secondary key vault.
Disk keys and tape pool keys (Brocade native mode support)
DEK creation, retrieval, and update for disk and tape pool keys in Brocade native mode are as
follows:
DEK creation - The DEK is archived to the primary LKM. Upon successful archival to the primary
LKM, the DEK is read back from the secondary LKM until either it has been synchronized to the
secondary LKM or a 10-second timeout expires (5 retries, 2 seconds apart).
If archival of the DEK to the primary LKM is successful, the DEK that is created can be used
for encrypting disk LUNs or tape pools in Brocade native mode.
If archival of the DEK to the primary LKM fails, an error is logged and the operation is retried.
If the failure occurs after the DEK has been archived to the primary LKM but before it is
synchronized to the secondary LKM, a VAULT_OFFLINE error is logged and the operation is
retried; a DEK that was archived to the primary LKM in this case is never used.
DEK retrieval - The DEK is retrieved from the primary LKM if the primary LKM is online and
reachable. If the registered primary LKM is not online or not reachable, the DEK is retrieved
from a clustered secondary LKM.
DEK update - DEK update behavior is the same as DEK creation.
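The creation, synchronization-wait, and retrieval fail-over rules above, as an added example that is not Brocade code and does not use the real LKM API. The FakeLKM class, cluster(), the countdown model of cluster replication, the key IDs and the random DEK are constructed assumptions; the 2-second interval and 5 retries are the figures from the text.

```python
"""Model of DEK creation/retrieval against a primary and a clustered secondary LKM.

Assumptions (not from the manual): an LKM is a dict of key_id -> DEK, and cluster
replication is modelled as "the peer sees a new key after N polls".
"""
import logging
import os
import time

log = logging.getLogger("lkm-ha")

POLL_INTERVAL_S = 2.0   # manual: 2 seconds per retry
POLL_RETRIES = 5        # manual: 5 retries -> 10 second timeout


class FakeLKM:
    """Constructed stand-in for an LKM appliance."""

    def __init__(self, name, online=True):
        self.name = name
        self.online = online
        self.keys = {}                # key_id -> DEK bytes held by this vault
        self.peer = None              # cluster peer, None when not clustered
        self.replication_polls = 0    # polls before a replicated key becomes visible
        self._inflight = {}           # key_id -> (dek, polls remaining)

    def archive(self, key_id, dek):
        if not self.online:
            raise ConnectionError(f"{self.name} unreachable")
        self.keys[key_id] = dek
        if self.peer is not None:     # clustered: replication is in flight on the peer
            self.peer._inflight[key_id] = (dek, self.peer.replication_polls)

    def retrieve(self, key_id):
        if not self.online:
            raise ConnectionError(f"{self.name} unreachable")
        if key_id in self._inflight:  # each poll advances the simulated replication
            dek, remaining = self._inflight[key_id]
            if remaining <= 0:
                self.keys[key_id] = dek
                del self._inflight[key_id]
            else:
                self._inflight[key_id] = (dek, remaining - 1)
        return self.keys.get(key_id)


def cluster(a, b):
    """Link two FakeLKMs (the real procedure is in the LKM documentation)."""
    a.peer, b.peer = b, a


def create_dek(primary, secondary, key_id, dek, sleep=time.sleep):
    """DEK creation (and update, which behaves the same).

    Returns the DEK when it is safe to use, None when the caller must retry.
    A DEK that reached the primary but never synchronized to the secondary is
    reported as VAULT_OFFLINE and is not used, exactly as the manual states.
    """
    try:
        primary.archive(key_id, dek)
    except ConnectionError as exc:
        log.error("DEK %s: archival to primary %s failed: %s", key_id, primary.name, exc)
        return None
    for _ in range(POLL_RETRIES):
        try:
            if secondary.retrieve(key_id) == dek:
                return dek
        except ConnectionError:
            pass                      # secondary unreachable this poll; keep trying
        sleep(POLL_INTERVAL_S)
    log.error("DEK %s: VAULT_OFFLINE, not synchronized to %s within %.0f s; DEK not used",
              key_id, secondary.name, POLL_RETRIES * POLL_INTERVAL_S)
    return None


def retrieve_dek(primary, secondary, key_id):
    """DEK retrieval: primary if online and reachable, otherwise the clustered secondary."""
    for vault in (primary, secondary):
        if not vault.online:
            continue
        try:
            dek = vault.retrieve(key_id)
        except ConnectionError:
            continue
        if dek is not None:
            return dek
    return None


def run_scenarios(sleep=lambda _s: None):
    """Walk the cases from the text; returns (scenario -> outcome, the DEK used)."""
    dek = os.urandom(32)              # constructed 256-bit DEK
    out = {}
    p, s = FakeLKM("lkm-1"), FakeLKM("lkm-2"); cluster(p, s); s.replication_polls = 2
    out["clustered, sync within timeout"] = create_dek(p, s, "key-1", dek, sleep)
    p, s = FakeLKM("lkm-1"), FakeLKM("lkm-2"); cluster(p, s); s.replication_polls = 8
    out["clustered, sync timeout"] = create_dek(p, s, "key-2", dek, sleep)
    out["primary holds unused key-2"] = p.keys.get("key-2") == dek
    p, s = FakeLKM("lkm-1"), FakeLKM("lkm-2")              # dual LKMs never clustered
    out["dual, not clustered"] = create_dek(p, s, "key-3", dek, sleep)
    p, s = FakeLKM("lkm-1", online=False), FakeLKM("lkm-2"); cluster(p, s)
    out["primary offline at create"] = create_dek(p, s, "key-4", dek, sleep)
    p, s = FakeLKM("lkm-1"), FakeLKM("lkm-2"); cluster(p, s)
    create_dek(p, s, "key-5", dek, sleep)
    p.online = False                                         # primary lost after creation
    out["retrieve via secondary"] = retrieve_dek(p, s, "key-5")
    return out, dek


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    results, _ = run_scenarios()      # no-op sleep so the timeout case returns at once
    for name, value in results.items():
        print(f"{name}: {'usable' if isinstance(value, bytes) else value}")
```

The model deliberately keeps the DEK in the primary after a VAULT_OFFLINE, so the "primary holds unused key-2" case shows why the switch must discard the key rather than trust the primary alone: a later retrieval through the secondary would not find it.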