Fabric OS Encryption Administrator's Guide

53-1002159-03
PID failover
Virtual device PIDs do not persist upon failover within a single fabric HA cluster. Upon failover, the
virtual device is assigned a different PID on the standby encryption switch or blade.
Some operating systems view the PID change as an indication of path failure, and will switch over
to a redundant path in another fabric. In these cases, HA clusters should not be implemented. These
operating systems include the following:
HP-UX prior to 11.x. The issue is not present beginning with 11.31 and later releases.
All versions of IBM AIX, unless dynamic tracking is enabled.
Solaris 2.x releases, Solaris 7, and later releases.
Turn off compression on extension switches
We recommend disabling data compression on FCIP links that might carry encrypted traffic to
avoid potential performance issues, as compression of encrypted data might not yield the desired
compression ratio. We also recommend that tape pipelining and fastwrite be disabled on the
FCIP link if it is transporting encrypted traffic.
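The effect behind this recommendation can be measured directly. The following is an added example, not part of the original guide: it compresses a constructed, repetitive payload before and after encryption. The SHA-256 keystream cipher is a stand-in chosen so the script runs with the standard library only (an assumption, not the cipher used by the encryption switch), and the payload and key are constructed sample values.

```python
import hashlib
import zlib

DEMO_KEY = b"constructed-demo-key"  # constructed sample key, not a real DEK


def keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with a SHA-256 counter-mode keystream.

    Illustration only (assumption); applying it twice restores the input.
    """
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        pad = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ p for b, p in zip(chunk, pad))
    return bytes(out)


def compression_ratio(data: bytes, level: int = 6) -> float:
    """Original size divided by deflate-compressed size (higher is better)."""
    return len(data) / len(zlib.compress(data, level))


def build_sample_payload(records: int = 4000) -> bytes:
    """Constructed sample: repetitive record-style data, like a backup stream."""
    return "".join(
        f"record={i:08d};status=OK;owner=storage-admin;site=dc-east\n"
        for i in range(records)
    ).encode()


def compare() -> dict:
    """Compress the same payload in the clear and after encryption."""
    plaintext = build_sample_payload()
    ciphertext = keystream_encrypt(DEMO_KEY, plaintext)
    return {
        "plaintext_ratio": compression_ratio(plaintext),
        "ciphertext_ratio": compression_ratio(ciphertext),
        "roundtrip_ok": keystream_encrypt(DEMO_KEY, ciphertext) == plaintext,
    }


if __name__ == "__main__":
    result = compare()
    print(f"plaintext  ratio: {result['plaintext_ratio']:.2f}:1")
    print(f"ciphertext ratio: {result['ciphertext_ratio']:.2f}:1")
```

The ciphertext ratio stays at roughly 1:1 because encryption removes the redundancy that compression depends on, so compressing it costs processing time on the link without reducing the data sent.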
Re-keying best practices and policies
Re-keying should be done only when necessary. In key management systems, DEKs are never
exposed in an unwrapped or unencrypted state. For all opaque key management systems, you
must re-key if the master key is compromised. The practice of re-keying should be limited to the
following cases:
Master key compromise in the case of opaque key vaults.
Insider security breaches.
As a general security policy, as infrequently as every six months or once per year.
Manual re-key
Ensure that the link to the key management system is up and running before you attempt a manual
re-key.
Latency in re-key operations
Host I/O for regions other than the current re-key region has no latency during a re-key operation.
Host I/O for the region where the current re-key is happening has minimal latency (a few
milliseconds) because I/O is held until re-key is complete. The I/O sync links (the Ethernet ports
labeled Ge0 and Ge1) must be configured, and must both be connected to the I/O sync LAN to
enable proper handling of re-key state synchronization in high availability (HA cluster)
configurations.