HP B-series Fabric OS 7.0.2d Release Notes (5697-2822, August 2013--includes all 7.0.x versions)
Encryption Behavior for the HP StorageWorks Encryption SAN Switch and HP StorageWorks DC
Switch Encryption FC Blade
• For crypto tape operations, ensure that Emulex 4 Gbps PCIe FC HBA firmware/driver
2.82A4/7.2.50.007 or higher are used. Use of a lower level firmware/driver may result in
hosts not being able to access their tape LUNs through a crypto target container.
• If the migration to Fabric OS 7.0.0a or later does not occur from 6.4.1a, 6.4.1b, or 6.4.2a
or later, the following message is issued: HP StorageWorks Encryption SAN Switch
will reboot if auto reboot is enabled otherwise it needs to be
rebooted manually for recovery2010/11/08-04:54:35:485488, [FSS-1009],
4424/886, CHASSIS, ERROR, MACE, FSS Error: fcsw0-vs: MISMATCH:
component., svc.c, line: 2462, comp:FSSK_TH,
ltime:2010/11/08-04:54:35:485484.
• The addition of 3PAR Session/Enclosure LUNs to CTCs is now supported. Session/Enclosure
LUNs (LUN 0xFE) used by 3PAR InServ arrays must be added to CryptoTarget (CTC) containers
with LUN state set to cleartext, encryption policy set to cleartext. HP StorageWorks
Encryption SAN Switch/HP StorageWorks DC Switch Encryption FC Blade do not perform
any explicit enforcement of this requirement.
• The cryptocfg –manual_rekey –all command should not be used in environments
with multiple encryption engines (HP StorageWorks DC Switch Encryption FC blades) installed
in an HP StorageWorks DC SAN Backbone Director Switch / HP StorageWorks DC04 SAN
Director Switch/ HP SN8000B 8-Slot SAN Backbone Director Switch and the HP SN8000B
4-Slot SAN Director Switch chassis when more than one encryption engine has access to the
same LUN. In such situations, use the cryptocfg –manual_rekey <CTC><LUN
Num><Initiator PWWN> command to manually rekey these LUNs.
• When host clusters are deployed in an Encryption environment, note the following
recommendations:
◦ If two EEs (encryption engines) are part of an HAC (High Availability Cluster), configure
the host/target pair such that they form a multipath from both EEs. Avoid connecting both
the host/target pairs to the same EE. This connectivity does not give full redundancy in
the case of EE failure resulting in HAC failover.
◦ Since quorum disk plays a vital role in keeping the cluster in sync, configure the quorum
disk to be outside of the encryption environment.
• The –key_lifespan option has no effect for cryptocfg –add –LUN; it has an effect only
for cryptocfg --create –tapepool for tape pools declared -encryption_format
native. For all other encryption cases, a new key is generated each time a medium is rewound
and block zero is written or overwritten. For the same reason, the Key Life field in the output
of cryptocfg --show -container -all –stat should always be ignored, and the
“Key life” field in cryptocfg --show –tapepool –cfg is significant only for
native-encrypted pools.
• The Quorum Authentication feature requires a compatible DCFM or HP Network Advisor
release (DCFM 10.4 or later for pre-Fabric OS 7.0.0a and Network Advisor 11.1 or later
for Fabric OS 7.0.0a or later) that supports this feature. Note, all nodes in the EG must be
running Fabric OS 6.3.0 or later for quorum authentication to be properly supported.
• The System Card feature requires a compatible DCFM or HP Network Advisor release (DCFM
10.4 or later for pre-Fabric OS 7.0.0a and Network Advisor 11.1 or later for Fabric OS
7.0.0a or later) that supports this feature. All nodes in the EG must be running Fabric OS
6.3.0 or later for system verification to be properly supported.
• The HP StorageWorks Encryption SAN Switch and HP StorageWorks DC Switch Encryption
FC Blade do not support QoS. When using encryption or Frame Redirection, participating
flows should not be included in QoS Zones.
Important notes and recommendations 21