Fabric OS Encryption Administrator's Guide

ManualsBrandsHP ManualsStorageHP SN8000B 4-slot SAN Director Switch

211

212

213

214

215

216

217

218

219

220

198 Fabric OS Encryption Administrator’s Guide

53-1002159-03

Redirection zones

• Before committing CryptoTarget container or LUN configurations or modifications on an

encryption switch or FS8-18 blade, make sure that there are no outstanding zoning

transactions in the switch or fabric. If there is an outstanding zoning transaction, the commit

operation will fail and result in disabling the LUN. You can check for outstanding zoning

transactions by issuing cfgtransshow CLI command.

• LUNs are uniquely identified by the encryption switch or FS8-18 blade using the LUN serial

number. The LUN serial number must be unique for LUNs exposed from the same target port.

The LUN serial number must be unique for LUNs belonging to different target ports in

non-multipathing configurations. Failure to ensure that the serial numbers are unique will

result in undefined behavior and may result in faulting the encryption switch or FS8-18 blade.

• To enable host MPIO, LUNs must also be available through a second target port, hosted on a

second encryption switch, the same encryption switch or encryption engine. The second

encryption switch could be in the same fabric, or a different fabric.

• Hosts should be able to access LUNs through multiple ports for redundancy.

• For high availability and failover within the fabric, implement an HA cluster of two encryption

switches, and host the target port as a virtual target on one of the switches.

• Don't change the WWN of any node after it has been deployed in an encryption group.

• To minimize host IO disruption or time-outs during CryptoTarget container failover, it is

recommended that the devices (hosts, target ports) are connected to an edge switch in a

fabric, and not directly to Encryption switch/blade ports.

• Always use the following process when configuring the LUN for encryption, unless the LUN was

previously encrypted.

1. Add the LUN as cleartext to the CryptoTarget container.

2. When the LUN comes online and Host I/O starts flowing through the LUN as cleartext, then

modify the LUN from cleartext to encrypt and enable_encexistingdata options to convert

the LUN to encryption.

An exception to this LUN configuration process is that if the LUN was previously encrypted by

the encryption switch or FS8-18 blade, then the LUN can be added to the CryptoTarget

Container with the

–encrypt and –lunstate encrypted options.

Redirection zones

Redirection zones should not be deleted. If a redirection zone is accidentally deleted, I/O traffic

cannot be redirected to encryption devices, and encryption is disrupted. To recover, re-enable the

existing device configuration by invoking the cryptocfg

--commit command on the group leader. If

no changes have taken place since the last commit, you should use the cryptocfg

--commit -force

command. This recreates redirection zones related to the device configuration in the zone

database, and restores frame redirection, which makes it possible to restore encryption.

To remove access between a given initiator and target, remove both the active zoning information

between the initiator and target, and the associated Crypto Target Containers (CTCs). This will

remove the associated frame redirection zone information.