Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June 2010)
Fabric OS Encryption Administrator’s Guide 125
53-1001864-01
CryptoTarget container configuration
3
Removing an initiator from a CryptoTarget container
You may remove one or more initiators from a given CryptoTarget container. This operation removes
the initiators’ access to the target port.
If the initiator has access to multiple targets and you wish to remove access to all targets, follow the
procedure described to remove the initiator from every CryptoTarget container that is configured
with this initiator.
NOTE
Stop all traffic between the initiator you intend to remove and its respective target ports. Failure to
do so results in I/O failure between the initiator and the target port.
1. Log into the group leader as Admin or FabricAdmin.
2. Enter the cryptocfg
--remove -initiator command. Specify the CryptoTarget container name
followed by one or more initiator port WWNs. The following example removes one initiator from
the CryptoTarget container “my_disk_tgt”.
FabricAdmin:switch>cryptocfg --rem -initiator my_disk_tgt
10:00:00:00:c9:2b:c9:3a
Operation Succeeded
3. Commit the transaction.
FabricAdmin:switch>cryptocfg --commit
Operation Succeeded
CAUTION
When configuring a multi-path LUN, you must remove all initiators from all CryptoTarget
containers in sequence before committing the transaction. Failure to do so may result in a
potentially catastrophic situation where one path ends up being exposed through the encryption
switch and another path has direct access to the device from a host outside the protected realm
of the encryption platform. Refer to the section “Configuring a multi-path Crypto LUN” on
page 141 for more information.
Deleting a CryptoTarget container
You may delete a CryptoTarget container to remove the target port from a given encryption switch
or blade. Deleting a CryptoTarget container removes the virtual target and all associated LUNs from
the fabric.
Before deleting a container, be aware of the following:
• Stop all traffic to the target port for which the CryptoTarget container is being deleted. Failure
to do so will cause data corruption (a mix of encrypted data and cleartext data will be written to
the LUN).
• Deleting a CryptoTarget container while a re-key or first-time encryption session causes all data
to be lost on the LUNs that are being re-keyed. Ensure that no re-key or first time encryption
sessions are in progress before deleting a container. Use the cryptocfg --show -rekey -all
command to determine the runtime status of the session. If for some reason, you need to
delete a container while re-keying, when you create a new container, be sure the LUNs added
to the container are set to cleartext. You can then start a new re-key session on clear text LUNs.