Dell PowerEdge M1000e Fabric OS Release Notes - Page 27


Page 27 highlights

BES/FS8-18 Encryption Group. Please refer to the Encryption Admin Guide for configuration information.

• The RKM Appliance A1.6, SW v2.7 is supported. The procedure for setting up the RKM Appliance with BES or a DCX/DCX-4S with FS8-18 blades is located in the Encryption Admin Guide.
• Support for registering a 2nd RKM Appliance on BES/FS8-18 is blocked. If the RKM Appliances are clustered, then the virtual IP address hosted by a 3rd party IP load balancer for the RKM Cluster must be registered on BES/FS8-18 in the primary slot for Key Vault IP.
• With Windows and Veritas Volume Manager/Veritas Dynamic Multipathing, when LUN sizes less than 400MB are presented to BES for encryption, a host panic may occur and this configuration is not supported in the FOS v6.3.1 or later release.
• HCL from FOS v6.3.x to v6.4 is supported. Cryptographic operations and I/O will be disrupted but other layer 2 traffic will not.
• Relative to the BES and a DCX with FS8-18, all nodes in the Encryption Group must be at the same firmware level of FOS v6.2 or later before starting a rekey or First Time Encryption operation. Make sure that existing rekey or First Time Encryption operations complete before upgrading any of the encryption products in the Encryption Group. Also, make sure that the upgrade of all nodes in the Encryption Group completes before starting a rekey or First Time Encryption operation.
• To clean up the stale rekey information for the LUN, follow one of the following two methods:

  Method 1:
  1. First, modify the LUN policy from "encrypt" to "cleartext" and commit. The LUN will become disabled.
  2. Enable the LUN using "cryptocfg --enable -LUN". Modify the LUN policy from "cleartext" to "encrypt" with "enable_encexistingdata" to enable the first time encryption and do commit. This will clear the stale rekey metadata on the LUN and the LUN can be used again for encryption.

  Method 2:
  1. Remove the LUN from Crypto Target Container and commit.
  2. Add the LUN back to the Crypto Target Container with LUN State="clear-text", policy="encrypt" and "enable_encexistingdata" set for enabling the First Time Encryption and commit. This will clear the stale rekey metadata on the LUN and the LUN can be used again for encryption.

• TEMS key vault support troubleshooting tips:
  o Regarding TEMS key vault (KV) communication with a Brocade encryption group, the default communication port setting for the TEMS KV is 37208, however, the Brocade encryption members and leader use 9000 so this needs to be reset on NCKA. Additionally, the following is a checklist of things to review if the initial attempt to connect to the KV fails:
    ° Check physical and logical connection via a ping on port 9000, this should be the first check.
    ° For the group leader node, the kac client cert and the kv cert files are to be identical.
    ° For group member nodes the kv file is to be the same as the kv file on the group leader node.
    ° Crosscheck to ensure the private key file corresponds to the kac public cert file on any node.

Fabric OS v6.4.1 Release Notes v1.0
Page 27 of 62


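
The three certificate items of the TEMS key vault checklist above can be verified offline with OpenSSL. This is an added example, not part of the release notes or of Fabric OS; it assumes the kac cert, kv cert and private key files have been copied to an admin host in PEM format with an unencrypted key, and every function and file name in it is hypothetical.

```shell
#!/bin/sh
# Added example, not from the release notes. Assumes PEM copies of each node's
# files (unencrypted private key) on a host with OpenSSL; names are hypothetical.

# SHA-256 fingerprint of a certificate; empty if the file does not parse.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# True when both files contain the same certificate.
same_cert() {
    a=$(cert_fp "$1"); b=$(cert_fp "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# True when the private key's public half equals the certificate's public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

# check_node ROLE KAC_CERT KV_CERT PRIVATE_KEY [LEADER_KV_CERT]
# ROLE is "leader" or "member". Returns the number of failed checklist items.
check_node() {
    role=$1; kac=$2; kv=$3; key=$4; leader_kv=$5; fails=0
    if [ "$role" = leader ]; then
        same_cert "$kac" "$kv" || fail "kac client cert and kv cert differ"
    else
        same_cert "$kv" "$leader_kv" || fail "kv cert differs from the group leader's"
    fi
    key_matches_cert "$key" "$kac" || fail "private key does not match the kac cert"
    [ "$fails" -eq 0 ] && echo "OK: $role node passes the certificate checks"
    return "$fails"
}

# Constructed sample data: a throwaway self-signed key/cert pair named $2 in dir $1.
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Demo on constructed files: a leader whose kac and kv files hold the same cert.
d=$(mktemp -d) && make_pair "$d" leader && cp "$d/leader.pem" "$d/kv.pem" &&
    check_node leader "$d/leader.pem" "$d/kv.pem" "$d/leader.key"
rm -rf "$d"
```

Certificates are compared by fingerprint rather than byte for byte, so a copy that differs only in line endings still counts as the same certificate.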