HP B-series Fabric OS 7.0.2d Release Notes (5697-2822, August 2013--includes all 7.0.x versions)
forced commit command halts all active rekeying processes running in all CTCs and corrupts
any LUN engaged in a rekeying operation. There is no recovery for this type of failure.
• If the data encryption group (Encryption Group) gets into a state where the Group Leader
encryption switch reports that another encryption switch is NOT a member node of the
encryption group, and the encryption switch member node still indicates that it IS part of the
encryption group, the following recovery action can be performed to re-merge the nodes into
the encryption group:
1. On the Group Leader encryption switch, execute the CLI cryptocfg –dereg
–membernode <WWN of member node> command.
2. Wait for 30 seconds.
3. Execute the CLI cryptocfg –reg –membernode <WWN membernode>
<certificate file name> <ipaddr of member node> command.
This is a rare situation that has been noted in a test environment where there were intermittent
management network connectivity problems.
• To remove access between a given initiator and target, you must not only remove the active
zoning information between the initiator and target, but must also remove the associated
CTCs, which in turn removes the associated frame redirection zone information. Make sure
to back up all data before taking this action.
• Before committing configurations or modifications to the CTC or LUNs on an HP Encryption
Switch or HP Encryption Blade, make sure that there are no outstanding zoning transactions
in the switch or fabric. Failure to do so results in the commit operation for the CTC or LUNs
failing and may cause the LUNs to be disabled. The user can check for outstanding zoning
transactions by issuing the CLI cfgtransshow command :
DCX_two:root> cfgtransshow
There is no outstanding zoning transaction
• Each LUN is uniquely identified by the HP Encryption Switch or HP Encryption Blade using
the LUN serial number. The LUN serial numbers must be unique for LUNs exposed from the
same target port. The LUN serial numbers must also be unique for LUNs belonging to different
target ports in nonmultipathing configurations. Failure to ensure unique LUN serial numbers
results in nondeterministic behavior and may result in faulting of the HP Encryption Switch or
HP Encryption Blade.
• When creating an HA cluster or EG with two or more HP Encryption Switch/Encryption Blades,
the GE ports (I/O sync links) must be configured with an IP address for the eth0 and eth1
Ethernet interfaces using ipaddrset. In addition, the eth0 and eth1 Ethernet ports should
be connected to the network for redundancy. These I/O sync links connections must be
established before any Re-Key, First Time Encryption, or enabling EE for crypto operations.
Failure to do so results in HA Cluster creation failure. If the IP address for these ports is
configured after the EE was enabled for encryption, HP Encryption Switch needs to be rebooted
and Encryption Blades should be slotpoweroff/slotpoweron to sync up the IP address
information to the EEs. If only one Ethernet port is configured and connected to a network,
data loss or suspension of Re-Key may occur when the network connection toggles or fails.
• initEE removes the existing master key or link key. Backup the master key by running
cryptocfg –exportmasterkey and cryptocfg –export –currentMK before running
initEE. After initEE, regEE and enableEE, run cryptocfg –recovermasterkey
to recover the master key previously backed up, or in the case of fresh install run cryptocfg
– genmasterkey to generate a new master key. If you are using SKM/ESKM, establish a
trusted link with SKM/ESKM again. Certificate exchange between key vaults and switches
are not required in this case.
• The disable EE interface CLI cryptocfg --disableEE [slot no] should be used only
to disable encryption and security capabilities of the EE from the Fabric OS Security Admin
32