Fabric OS Encryption Administrator's Guide

53-1002159-03
Firmware download considerations
The encryption engine and the control processor or blade processor are reset after a firmware
upgrade. Disruption of encryption I/O can be avoided if an HA cluster is configured. If encryption
engines are configured in an HA cluster, perform firmware upgrades one encryption engine at a
time so that the partner switch in the HA cluster can take over I/O by failover during firmware
upgrade. When switches form a DEK cluster, firmware upgrades should also be performed one at a
time for all switches in the DEK cluster to ensure that a host MPIO failover path is always available.
Firmware upgrades and downgrades
A downgrade to Fabric OS v6.2.0 results in the loss of the following functionality:
• Fabric OS v6.2.0 supports only one HP SKM/ESKM key vault. Registering a second HP
  SKM/ESKM key vault will be blocked.
• Fabric OS v6.2.0 uses brcduser1 as a standard user name when creating a Brocade group on
  SKM/ESKM. If you downgrade from version 6.3.0 or later to version 6.2.0, the user name is
  overwritten to brcduser1, and the Brocade group user name must be changed to brcduser1.
When doing a firmware upgrade to Fabric OS v7.0.0 or a downgrade from Fabric OS v7.0.0, the
message SPM-1016 will be observed on version 7.0.0 nodes in the encryption group (EG) when
other nodes in that EG are still running versions earlier than Fabric OS v7.0.0. Although
this is a warning message, it is transient and is only observed during a firmware upgrade or
downgrade operation. The message can be ignored.
The following warning can be ignored if the nodes in the EG are running different versions of
Fabric OS.
“2011/04/12-18:41:08, [SPM-1016], 17132, FID 128, WARNING, Security database is out of sync.”
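The transient-warning rule above can be checked rather than assumed. The following added example (not from this guide or from Brocade) parses messages in the format of the sample above and separates SPM-1016 events that match the documented condition from those that do not; the field names, node names, node versions and upgrade window are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Layout follows the sample message on this page; the group names are assumptions.
LINE_RE = re.compile(
    r"(?P<ts>\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}), \[(?P<msg_id>[A-Z0-9]+-\d+)\], "
    r"(?P<seq>\d+), FID (?P<fid>\d+), (?P<sev>[A-Z]+), (?P<text>.*)")

def parse_ts(ts):
    return datetime.strptime(ts, "%Y/%m/%d-%H:%M:%S")

def major(version):
    """'v7.0.0' -> 7, '6.3.0' -> 6."""
    return int(version.lstrip("v").split(".")[0])

def triage_spm1016(lines, node_versions, window):
    """Split SPM-1016 events into (expected, investigate) timestamp lists.

    Expected: logged inside the upgrade window while the EG mixes v7.0.0
    nodes with nodes earlier than v7.0.0. Anything else goes to investigate.
    """
    start, end = (parse_ts(t) for t in window)
    majors = [major(v) for v in node_versions.values()]
    mixed = any(m >= 7 for m in majors) and any(m < 7 for m in majors)
    expected, investigate = [], []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["msg_id"] != "SPM-1016":
            continue
        in_window = start <= parse_ts(m["ts"]) <= end
        (expected if mixed and in_window else investigate).append(m["ts"])
    return expected, investigate

# Constructed sample data: first line is the message quoted on this page,
# second line is a made-up repeat logged after the upgrade window closed.
SAMPLE_LOG = [
    "2011/04/12-18:41:08, [SPM-1016], 17132, FID 128, WARNING, Security database is out of sync.",
    "2011/04/12-23:05:30, [SPM-1016], 17140, FID 128, WARNING, Security database is out of sync.",
]
SAMPLE_NODES = {"node-a": "v7.0.0", "node-b": "v6.3.0"}  # hypothetical EG members
SAMPLE_WINDOW = ("2011/04/12-18:00:00", "2011/04/12-20:00:00")  # hypothetical

if __name__ == "__main__":
    ok, bad = triage_spm1016(SAMPLE_LOG, SAMPLE_NODES, SAMPLE_WINDOW)
    print("expected during upgrade:", ok)
    print("investigate:", bad)
```

An SPM-1016 event in the second list, logged outside the window or with every node on the same release, does not match the condition this guide describes as ignorable.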
General guidelines for a firmware upgrade of encryption switches and a DCX or DCX-4S with
encryption blades in encryption groups, HA clusters, and DEK clusters are as follows:
• Upgrade one node at a time.
• Do not perform a firmware upgrade when re-key operations and first-time encryption
  operations are underway.
• Do not start any manual re-key operations and first-time encryption operations during the
  firmware upgrade process for all nodes in the HA/DEK cluster.
Guidelines for firmware upgrade of encryption switches and a DCX or DCX-4S with encryption
blades deployed in a DEK cluster with two HA clusters:
• Upgrade nodes in one HA cluster at a time.
• Within an HA cluster, upgrade one node at a time.
Guidelines for firmware upgrade of encryption switches and a DCX or DCX-4S with encryption
blades deployed in a DEK cluster with no HA cluster (each node hosting one path):
• Upgrade one node at a time.
• In the case of active/passive arrays, upgrade the node which is hosting the passive path first.
  Upgrade the node which is hosting the active path next. The Host MPIO ensures that I/O fails
  over and fails back from active to passive and back to active during this firmware upgrade
  process.