Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June 2010)

When a device decommission operation fails on the encryption group leader for any reason, the
crypto configuration remains uncommitted until a user-initiated commit or a subsequent device
decommission operation issued on the encryption group leader completes successfully. Device
decommission operations should always be issued from a committed configuration. If not, the
operation will fail with the error message "An outstanding transaction is pending in Switch/EG".
If this happens, you can resolve the problem by committing the configuration from the encryption
group leader.
Provided that the crypto configuration is not left uncommitted because of any crypto configuration
changes or a failed device decommission operation issued on an encryption group leader node, this
error message will not be seen for any device decommission operation issued serially on an
encryption group member node. If more than one device decommission operation is tried in an
encryption group from member nodes simultaneously, then this error message is transient and will
go away after the device decommission operation is complete. If the device decommissioning
operation fails, wait briefly and retry the operation. If a LUN is removed when undergoing
decommission or when it is in a decommissioned failed state, or if a container hosting the LUN is
deleted, you must use the -force option on the commit operation (cryptocfg --commit -force). If
you do not, the commit operation fails with a "decommission in progress" error.
Use the following procedure to decommission a LUN.
1. Log in to the node that hosts the container as Admin or FabricAdmin.
2. Enter the cryptocfg --decommission command.
cryptocfg --decommission -container disk_ct0 -initiator 21:01:00:1b:32:29:5d:1c -LUN 0
3. Enter cryptocfg --show -decommissionedkeyids to obtain a list of all currently
decommissioned key IDs, which must be deleted manually from the key vault after a
decommissioning operation.
cryptocfg --show -decommissionedkeyids
4. Delete the listed key IDs from the key vault.
5. Enter the cryptocfg --delete -decommissionedkeyids command to purge all the key IDs
associated with the decommissioned LUN.
cryptocfg --delete -decommissionedkeyids
6. Enter the cryptocfg --show -decommissionedkeyids command to verify that the deleted key IDs
are no longer listed.
The cache is also cleared when cryptocfg --zeroizeEE is executed on the encryption engine.