Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June 2010)

Configuring cluster links
Special consideration for blades
IP Address change of a node within an encryption group
Steps for connecting to an SKM appliance
Configuring a Brocade group
Setting up the local Certificate Authority (CA)
Downloading the local CA certificate
Creating and installing the SKM server certificate
Enabling SSL on the Key Management System (KMS) Server
Creating an SKM High Availability cluster
Copying the local CA certificate
Adding SKM appliances to the cluster
Initializing the Brocade encryption engines
Registering the SKM Brocade group user name and password
Signing the Brocade encryption node KAC certificates
Registering SKM on a Brocade encryption group leader
Generating and backing up the master key
High Availability (HA) cluster configuration
HA cluster configuration rules
Creating an HA cluster
Adding an encryption engine to an HA cluster
Failover/failback policy configuration
Enabling the encryption engine
Checking encryption engine status
Zoning considerations
Setting default zoning to no access
Frame redirection zoning
Creating an initiator - target zone
CryptoTarget container configuration
LUN re-balancing when hosting both disk and tape
Creating a CryptoTarget container
Removing an initiator from a CryptoTarget container
Deleting a CryptoTarget container
Moving a CryptoTarget container
Crypto LUN configuration
Discovering a LUN
Configuring a Crypto LUN
Crypto LUN parameters and policies
Configuring a tape LUN
Modify example
Removing a LUN from a CryptoTarget container
Modifying Crypto LUN parameters
LUN modification considerations
Impact of tape LUN configuration changes
Force-enabling a disabled disk LUN for encryption
Decommissioning LUNs