Brocade Fabric OS v6.4.3f Release Notes v1.0

Fabric OS v6.4.3f Release Notes v1.0 Page 27 of 149
For dual LKM configuration on the Brocade Encryption Switch (BES) or a DCX/DCX-4S with FS8-18 blades as the primary and secondary key vaults, these LKM appliances must be clustered (linked). Failure to cluster will result in key creation failure. Otherwise, register only one LKM on the BES/FS8-18 Encryption Group. Please refer to the Encryption Admin Guide for configuration information.
The RKM Appliance A1.6, SW v2.7 is supported. The procedure for setting up the RKM Appliance with
BES or a DCX/DCX-4S with FS8-18 blades is located in the Encryption Admin Guide.
Support for registering a 2nd RKM Appliance on BES/FS8-18 is blocked. If the RKM Appliances are
clustered, then the virtual IP address hosted by a 3rd party IP load balancer for the RKM Cluster must
be registered on BES/FS8-18 in the primary slot for Key Vault IP.
With Windows and Veritas Volume Manager/Veritas Dynamic Multipathing, when LUN sizes of less than 400 MB are presented to BES for encryption, a host panic may occur; this configuration is not supported in the FOS v6.3.1 or later release.
HCL (Hot Code Load) from FOS v6.3.x to v6.4 is supported. Cryptographic operations and I/O will be disrupted, but other Layer 2 traffic will not.
Relative to the BES and a DCX with FS8-18, all nodes in the Encryption Group must be at the same
firmware level of FOS v6.2 or later before starting a rekey or First Time Encryption operation. Make
sure that existing rekey or First Time Encryption operations complete before upgrading any of the
encryption products in the Encryption Group. Also, make sure that the upgrade of all nodes in the
Encryption Group completes before starting a rekey or First Time Encryption operation.
To clean up the stale rekey information for the LUN, follow one of the following two methods:
Method 1:
1. First, modify the LUN policy from "encrypt" to "cleartext" and commit. The LUN will become disabled.
2. Enable the LUN using "cryptocfg --enable -LUN". Modify the LUN policy from "cleartext" to "encrypt" with "enable_encexistingdata" to enable the first time encryption, and commit. This will clear the stale rekey metadata on the LUN and the LUN can be used again for encryption.
Method 2:
1. Remove the LUN from the Crypto Target Container and commit.
2. Add the LUN back to the Crypto Target Container with LUN State="clear-text", policy="encrypt" and "enable_encexistingdata" set to enable the First Time Encryption, and commit. This will clear the stale rekey metadata on the LUN and the LUN can be used again for encryption.
TEMS key vault support troubleshooting tips:
Regarding TEMS (Thales Encryption Manager for Storage) key vault (KV) communication with a Brocade encryption group, the default communication port setting for the TEMS KV is 37208; however, the Brocade encryption members and leader use port 9000, so the port needs to be reset on the NCKA. Additionally, the following is a checklist of things to review if the initial attempt to connect to the KV fails:
- Check the physical and logical connection via a ping, and confirm that port 9000 is reachable; this should be the first check.
- For the group leader node, the kac client cert and the kv cert files must be identical.
- For group member nodes, the kv file must be the same as the kv file on the group leader node.
- Cross-check to ensure that the private key file corresponds to the kac public cert file on every node.
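The checklist above can be run as a scripted pre-flight check before a KV registration is attempted. The following is an added example and not Brocade code or the release notes' own procedure; host names, file paths and the sample certificate contents are assumptions constructed for illustration. It covers the four items in order: a TCP connection attempt on port 9000 (an ICMP ping alone does not show that the KV service port is open, and a KV still on its default 37208 will refuse the connection), a byte-for-byte comparison of the leader's kac and kv cert files, the same comparison of each member's kv file against the leader's, and a public-key comparison between the private key and the kac cert using the openssl command line.

```python
"""Pre-flight checks for a Brocade encryption group talking to a TEMS KV.

Added example, not Brocade code. Port numbers come from the release notes;
file paths, host names and the sample PEM blobs are constructed assumptions.
"""
import hashlib
import shutil
import socket
import subprocess
from pathlib import Path
from typing import Dict, Optional

BROCADE_KV_PORT = 9000      # port the encryption group leader and members use
TEMS_DEFAULT_PORT = 37208   # TEMS factory default; must be changed to 9000


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fingerprint(pem: bytes) -> str:
    """SHA-256 of a cert file's contents, normalised for CRLF/LF so a file
    copied between nodes with different line endings still compares equal."""
    return hashlib.sha256(pem.replace(b"\r\n", b"\n").strip()).hexdigest()


def certs_identical(*pems: bytes) -> bool:
    """True when every supplied PEM blob has the same fingerprint."""
    return len({fingerprint(p) for p in pems}) == 1


def check_group_certs(leader_kac: bytes, leader_kv: bytes,
                      member_kvs: Dict[str, bytes]) -> Dict[str, bool]:
    """Apply the two identity rules from the checklist and report per node:
    leader kac == leader kv, and every member kv == leader kv."""
    report = {"leader_kac_equals_kv": certs_identical(leader_kac, leader_kv)}
    for node, kv in member_kvs.items():
        report[f"{node}_kv_matches_leader"] = certs_identical(leader_kv, kv)
    return report


def key_matches_cert(cert_path: Path, key_path: Path) -> Optional[bool]:
    """Confirm the private key corresponds to the kac public cert by comparing
    the public key derived from each. Shells out to the openssl CLI; returns
    None when openssl is absent so the caller can report the check as skipped."""
    if shutil.which("openssl") is None:
        return None
    cert_pub = subprocess.run(
        ["openssl", "x509", "-in", str(cert_path), "-pubkey", "-noout"],
        capture_output=True, check=True).stdout
    key_pub = subprocess.run(
        ["openssl", "pkey", "-in", str(key_path), "-pubout"],
        capture_output=True, check=True).stdout
    return fingerprint(cert_pub) == fingerprint(key_pub)


def probe_local_listener() -> bool:
    """Self-contained demonstration of tcp_reachable against a throw-away
    loopback listener standing in for a KV that listens on the right port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        return tcp_reachable("127.0.0.1", port, timeout=1.0)
    finally:
        srv.close()


def probe_closed_port() -> bool:
    """Same probe against a loopback port that is known to be closed, which is
    the symptom seen when the KV is still on 37208 instead of 9000."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    srv.close()  # released without ever listening, so the connect is refused
    return tcp_reachable("127.0.0.1", port, timeout=1.0)


# Constructed sample blobs (not real certificates) for the offline demo.
SAMPLE_KV = b"-----BEGIN CERTIFICATE-----\nconstructed-kv-cert\n-----END CERTIFICATE-----\n"
SAMPLE_OTHER = b"-----BEGIN CERTIFICATE-----\nconstructed-other-cert\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Hypothetical KV host name; the production check would target the real KV.
    print("kv port 9000 reachable:", tcp_reachable("tems-kv.example.invalid", BROCADE_KV_PORT))
    print("loopback listener reachable:", probe_local_listener())
    print("closed loopback port reachable:", probe_closed_port())
    print(check_group_certs(SAMPLE_KV, SAMPLE_KV,
                            {"member1": SAMPLE_KV, "member2": SAMPLE_OTHER}))
    # Hypothetical paths; returns None on a host without the openssl CLI.
    print("key matches kac cert:", key_matches_cert(Path("kac_cert.pem"), Path("kac_key.pem"))
          if Path("kac_cert.pem").exists() else "skipped (no sample files)")
```

The cert comparisons hash the file contents rather than parsing them, which is exactly what the checklist asks for (identical files), and line-ending normalisation avoids a false mismatch after a copy through a Windows host. The openssl-based key check is the one item that needs more than the standard library; treating a missing openssl as "skipped" rather than "passed" keeps the report honest.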