HP B-series Fabric OS 7.0.2d Release Notes (5697-2822, August 2013--includes all 7.0.x versions)

in the event of a security compromise. When disabling the encryption capabilities of the EE
using the noted commands, the EE should not be hosting any CTCs. Ensure that all CTCs
hosted on the HP Encryption Switch or HP Encryption Blade are either removed or moved to
a different EE in the HA Cluster or EG before disabling the encryption and security capabilities.
Whenever initNode is performed, new certificates for the CP and the KAC (SKM/ESKM) are
generated. Hence, each time initNode is performed, the new KAC certificate must be
exported again and signed by SKM/ESKM. Without this step, errors such as the key vault not
responding occur, leading to key archival and retrieval failures.
The SKM/ESKM HTTP server must be listening on port 9443. SKM/ESKM is supported only when
it is configured on port 9443.
Configuring a Brocade group on SKM/ESKM: As described in the Fabric OS Encryption
Administrator's Guide, a Brocade group must be configured on SKM/ESKM (under Local
Users and Groups) for managing all keys generated by Brocade encryption switches and
blades. Note that the name of this group is case sensitive: it must be "brocade", not
"Brocade".
The -key_lifespan option has no effect for cryptocfg --add -LUN, and only has an
effect for cryptocfg --create -tapepool for tape pools declared
-encryption_format native. For all other encryption cases, a new key is generated
each time a medium is rewound and block zero is written or overwritten. For the same reason,
the Key Life field in the output of cryptocfg --show -container -all -stat should
always be ignored, and the Key Life field in cryptocfg --show -tapepool -cfg is
significant only for native-encrypted pools.
In a DC SAN Director or DC04 SAN Director with Fabric OS 6.3.1x and DC Switch encryption
FC blades installed, you must set the quorum size to zero and disable the system card on the
blade prior to downgrading to a Fabric OS version earlier than 6.3.0.
The System Card feature requires DCFM 10.3.0 or later or HP Network Advisor. Note that
all nodes in the EG must be running Fabric OS 6.3.0 or later for system verification to be
properly supported.
The Encryption SAN Switch and Encryption FC blade do not support QoS. When using
encryption or Frame Redirection, participating flows should not be included in QoS Zones.
Each HP encryption device is configured for either disk or tape operation. However,
encryption FC blades installed in a common DC SAN Director/DC04 SAN Director chassis can
be configured for different media types. The ability to configure multiple Crypto-Target
Containers defining different media types on a single encryption engine (Encryption SAN
Switch or Encryption FC blade) is supported beginning with Fabric OS 6.4.0.
When the tape key expires in the middle of a write operation on the tape, the expired key
continues to be used to append data to the tape medium. When the backup application rewinds
the medium and starts writing to Block 0 again (and the key has expired), a new key is
created and used from then on. The expired key is then marked read-only and used only for
restoring data from previously encrypted tapes.
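The two tape-key rules above (key_lifespan is honored only for native-encrypted tape pools, and rotation happens only at a rewind plus Block 0 write, never mid-write) are easier to reason about as a state machine. The following is an added example written for these notes, not Fabric OS or HP code: the class and method names and the day-number clock are invented for illustration, and the scenario in demo() is constructed.

```python
# Added example: a constructed Python model of the tape-key lifecycle described
# in the notes above. It is not Fabric OS code; class and method names are
# invented for illustration. Times are plain day numbers.


class TapeKey:
    """One data-encryption key for a tape pool."""

    def __init__(self, key_id, created_day, lifespan_days):
        self.key_id = key_id
        self.created_day = created_day
        self.lifespan_days = lifespan_days  # None means the key never expires
        self.read_only = False              # True once superseded (restore only)

    def expired(self, today):
        if self.lifespan_days is None:
            return False
        return today >= self.created_day + self.lifespan_days


class TapePool:
    """Key selection for a tape pool, following the rules in the notes:

    * key_lifespan is honored only for pools declared -encryption_format native;
      for DF_compatible pools a new key is generated on every rewind + Block 0 write.
    * A key that expires while a backup is in progress keeps being used to
      append data; rotation happens only at the next rewind + Block 0 write.
    * Superseded keys become read-only and remain available for restores.
    """

    def __init__(self, name, encryption_format, key_lifespan=None):
        if encryption_format not in ("native", "DF_compatible"):
            raise ValueError("encryption_format must be native or DF_compatible")
        self.name = name
        self.encryption_format = encryption_format
        self.key_lifespan = key_lifespan
        self.keys = []
        self._next_id = 1

    def effective_lifespan(self):
        # key_lifespan has no effect outside native-encrypted pools
        return self.key_lifespan if self.encryption_format == "native" else None

    def active_key(self):
        for key in self.keys:
            if not key.read_only:
                return key
        return None

    def _rotate(self, today):
        current = self.active_key()
        if current is not None:
            current.read_only = True  # superseded: restore only from now on
        new_key = TapeKey(self._next_id, today, self.effective_lifespan())
        self._next_id += 1
        self.keys.append(new_key)
        return new_key

    def write_block0(self, today):
        """Backup application rewinds the medium and writes Block 0.

        Returns the key_id that will encrypt the new backup.
        """
        current = self.active_key()
        if self.encryption_format != "native":
            rotate = True  # non-native pools always get a fresh key here
        else:
            rotate = current is None or current.expired(today)
        if rotate:
            current = self._rotate(today)
        return current.key_id

    def append(self, today):
        """Continue writing past Block 0 with the current key.

        Returns (key_id, key_was_expired). An expired key is still used here;
        no rotation happens mid-write.
        """
        current = self.active_key()
        if current is None:
            raise RuntimeError("no active key: write Block 0 first")
        return current.key_id, current.expired(today)

    def can_restore(self, key_id):
        """Any key ever issued, read-only or not, can decrypt old backups."""
        return any(key.key_id == key_id for key in self.keys)


def demo():
    """Constructed scenario: walk both pool types through expiry and rewind."""
    native = TapePool("native_pool", "native", key_lifespan=30)
    df = TapePool("df_pool", "DF_compatible", key_lifespan=30)
    return {
        "native_first": native.write_block0(0),          # key 1 created
        "native_rewind_day10": native.write_block0(10),  # key 1 reused, not expired
        "native_append_day35": native.append(35),        # (1, True): expired, still used
        "native_rewind_day36": native.write_block0(36),  # key 2; key 1 becomes read-only
        "native_key1_readonly": native.keys[0].read_only,
        "native_restore_key1": native.can_restore(1),
        "df_first": df.write_block0(0),                  # key 1
        "df_rewind_day1": df.write_block0(1),            # key 2: lifespan ignored
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The model makes the practical point explicit: a Key Life value shown for a DF_compatible pool or a disk container never governs rotation, and a native pool only rotates once a backup job rewinds and rewrites Block 0, so the wall-clock age of data on a single tape can exceed key_lifespan.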
Note that the disk device decommission functionality is not currently supported with SKM/ESKM.
SKM/ESKM FIPS Mode Enablement
FIPS compliance mode is disabled in SKM/ESKM by default. To enable it, follow the procedure
described in the "Configuring the Key Manager for FIPS Compliance" section of the SKM/ESKM
user guide.
NOTE: Per FIPS requirements, you cannot enable or disable FIPS when there are keys on
the Key Manager. Therefore, if FIPS enablement is required, HP strongly recommends that it
be performed during the initial SKM/ESKM configuration, before any key sharing between
the switch and the SKM/ESKM occurs.
Encryption additional recommendations 33