Technical data
Fabric OS Encryption Administrator’s Guide (DPM) 257
53-1002720-02
Encryption group merge and split use cases
6
Recovery
1. Restore the connection between the nodes in the separate encryption group islands, that is,
between nodes N3, N4 and between nodes N1 and N2.
When the lost connection is restored, an automatic split recovery process begins. The two
group leaders (N3 and N2 in this example) arbitrate the recovery, and the group leader node
with the highest WWN becomes group leader. If the number of nodes in each group is not
equal, the group leader for the group with the largest number of members becomes group
leader.
2. After the encryption group enters the converged state, execute the cryptocfg
--commit
command on the group leader node to distribute the crypto-device configuration from the
group leader to all member nodes.
Adjusting heartbeat signaling values
Encryption group nodes use heartbeat signaling to communicate to one another and to their
associated key vaults. A configurable threshold of heartbeat misses determined how long an
encryption group leader will wait before declaring a member node unreachable. The default
heartbeat signaling values are three heartbeat misses, each followed by a two second heartbeat
time-out. If three consecutive heartbeats are missed (by default, a time interval of six seconds
without a heartbeat signal), the encryption group leader node declares a member node as
unreachable, resulting in an encryption group split scenario (EG split).
If the management network becomes congested or unreliable resulting in excessive auto-recovery
processing or the need for manual recovery from EG splits, it is possible to set larger heartbeat and
heartbeat time-out values to mitigate the chances of having the EG split while the network issues
are being addressed. The following commands are issued from the encryption group leader nodes
to change the heartbeat signaling values.
switch:admin> cryptocfg --set -hbmisses <number>
switch:admin> cryptocfg --set -hbtimeout <time>
Where:
<number>
Sets the number of heartbeat misses allowed in a node that is part of an
encryption group before the node is declared unreachable and the
standby takes over. This value is set in conjunction with the time-out value.
It must be configured at the group leader node and is distributed to all
member nodes in the encryption group. The value entered specifies the
number of heartbeat misses. The default value is 3. The range is 3-14 in
integer increments only.
<time>
Sets the time-out value for the heartbeat in seconds. This parameter must
be configured at the group leader node and is distributed to all member
nodes in the encryption group. The value entered specifies the heartbeat
time-out in seconds. The default value is 2 seconds. Valid values are
integers in the range between 2 and 9.