HP B-series Fabric OS 6.3.2e Release Notes (5697-1816, March 2012) - includes all 6.3.2x versions
• SKM is supported with Multiple Nodes and Dual SKM Key Vaults. Two-way certificate exchange
is supported. See the Encryption Admin Guide for configuration information. If you are using
dual SKMs on Encryption SAN Switch/Encryption FC blade Encryption Group, these SKM
Appliances must be clustered. Failure to cluster will result in key creation failure. Otherwise,
register only one SKM on the Encryption SAN Switch/Encryption FC blade Encryption Group.
• When the tape key expires in the middle of write operation on the tape, the key is used to
append the data on the tape media. When the backup application rewinds the media and
starts writing to Block-0 again (and if the key is expired), a new key is created and used
henceforth. The expired key is then marked as read only and used only for restoring data
from previously encrypted tapes.
• With Windows and Veritas Volume Manager/Veritas Dynamic Multipathing, when LUN sizes
less than 400 MB are presented to the Encryption SAN Switch for encryption, a host panic
may occur; this configuration is not supported for Fabric OS 6.3.x.
• HCL from Fabric OS 6.2.x to 6.3.2 is supported. Cryptographic operations and I/O will be
disrupted but other layer 2 traffic will not be.
• Relative to the Encryption SAN Switch and a DC SAN Director with Encryption FC blade, all
nodes in the Encryption Group must be at the same firmware level of Fabric OS 6.2 or 6.3
before starting a rekey or First Time Encryption operation. Make sure that existing rekey or
First Time Encryption operations complete before upgrading any of the encryption products
in the Encryption Group. Also, make sure that the upgrade of all nodes in the Encryption
Group to Fabric OS 6.3.2 completes before starting a rekey or First Time Encryption operation.
• To clean up the stale rekey information for the LUN, use one of the following methods:
Method 1◦
1. Modify the LUN policy from encrypt to cleartext and commit.
The LUN will become disabled.
2. Enable the LUN using cryptocfg --enable –LUN. Modify the LUN policy from
clear-text to encrypt with enable_encexistingdata to enable the first
time encryption and do commit.
This will clear the stale rekey metadata on the LUN and the LUN can be used again
for encryption.
◦ Method 2
1. Remove the LUN from Crypto Target Container and commit.
2. Add the LUN back to the Crypto Target Container with LUN State=”clear-text”,
policy=”encrypt” and enable_encexistingdata set for enabling the First
Time Encryption and commit.
This will clear the stale rekey metadata on the LUN and the LUN can be used again
for encryption.
• In an environment with a mixed firmware version (Fabric OS 6.2.x + 6.3.x) Encryption Group,
the I/O link state reported for Fabric OS 6.2.x nodes is unreachable. During a rolling upgrade
from Fabric OS 6.2.0x to 6.3.2, you should see the I/O link status reported as Unreachable
when the cryptocfg –show -loc command is invoked. However, once all the nodes are
upgraded to Fabric OS 6.3.2, the show command will accurately reflect the status of the I/O
Link. The I/O link status while performing the rolling upgrade from Fabric OS 6.2.x to 6.3.2
can be ignored until all nodes have been upgraded to 6.3.2.
Mace39:root> cryptocfg --show -loc
EE Slot: 0
SP state: Online
Current Master KeyID: 43:f1:bd:dc:91:89:f2:f1:6a:a1:48:89:7b:d0:5f:59
Alternate Master KeyID: 3a:a4:5b:86:90:d5:69:26:29:78:f8:3b:f9:b2:9c:b9
HA Cluster Membership: hac39_115
38