HP B-series Fabric OS 6.3.2e Release Notes (5697-1816, March 2012) - includes all 6.3.2x versions

ManualsBrandsHP ManualsComputer AccessoriesHP DC SAN Director Switch Multiprotocol Extension Blade Option

EE Attributes:

Link IP Addr : 10.32.50.36

Link GW IP Addr: 10.32.48.1

Link Net Mask : 255.255.240.0

Link MAC Addr : 00:05:1e:53:8a:86

Link MTU : 1500

Link State : UP

Media Type : DISK

System Card Label :

System Card CID :

Remote EE Reachability :

Node WWN/Slot EE IP Addr EE State

IO Link State

10:00:00:05:1e:53:77:80/0 10.32.53.107 EE_STATE_ONLINE Non-Reachable

10:00:00:05:1e:53:b7:ae/0 10.32.53.105 EE_STATE_ONLINE Non-Reachable

• SKM FIPS Mode Enablement

FIPS compliance mode is disabled in SKM by default. To enable it, follow the procedure

described in the SKM user guide, “Configuring the Key Manager for FIPS Compliance” section.

NOTE: Per FIPS requirements, you cannot enable or disable FIPS when there are keys on

the Key Manager. Therefore, if FIPS enablement is required, HP strongly recommends that it

be performed during the initial SKM configuration, before any key sharing between the switch

and the SKM occurs.

• SKM dual node cluster - Auto failover considerations:

In a dual node SKM cluster configuration with the encryption switch, ensure that the two SKM

nodes are always available and online for proper key archival. If one of the SKM nodes fails,

you cannot use the configuration to create new keys. In other words, adding new targets or

LUNs to the encryption path will not work until both the SKM nodes are available. However,

there will not be any issue for retrieving keys or using the existing setup as long as one SKM

node is available.

The encryption switch ensures that any new KEY is hardened (archived) to both SKM Key

Vaults in the SKM Cluster before the key gets used for encryption. In the event that one of the

SKM vaults is down, the key creation fails because of the hardening check failure. As a result,

the new key creation operation will not function. For Key retrieval, this is not the requirement

and any one Key Vault being online will get the Key as long as that Key Vault has the Key.

Initial setup of encrypted LUNs

IMPORTANT: While performing first-time encryption to a LUN with more than one initiator active

at the time, rekey operations slow to a standstill. Define LUNs for a single initiator at a time to

avoid this occurrence.

NOTE: When configuring multipath LUNs, care should be taken to add LUN 0 on all of the paths,

subject to the following considerations:

• If LUN 0 presented by the back-end target is a controller LUN (not a disk LUN; that is, not

visible in the discoverLUN output), add LUN 0 to the container as a clear text LUN. Make

sure all of the paths have this LUN 0 added for MPIO operation (EVA configuration, for

example).

• If LUN 0 presented by the back-end target is a disk LUN, LUN 0 can be added to the container

either as clear text or encrypted (MSA configuration, for example).

• For HP-UX, LUN 0 can appear as 0x0 or 0x400, but both of them are LUN 0 only and should

be treated alike.

Initial setup of encrypted LUNs 39