Firmware Upgrade And Downgrade Considerations - Brocade Communications Systems StoreFabric SN6500B Administrator's Manual

Brocade Fabric OS Encryption Administrator's Guide v7.1.0 (53-1002721-01, March 2013)

Firmware upgrade and downgrade considerations


Before upgrading or downgrading firmware, consider the following:

The encryption engine and the control processor or blade processor are reset after a firmware upgrade. Disruption of encryption I/O can be avoided if an HA cluster is configured. If encryption engines are configured in an HA cluster, perform firmware upgrades one encryption engine at a time so that the partner switch in the HA cluster can take over I/O by failover during a firmware upgrade. When switches form a DEK cluster, firmware upgrades should also be performed one at a time for all switches in the DEK cluster to ensure that a host MPIO failover path is always available.

Fabric OS 7.1.0 uses SHA256 signatures for the TLS certificates that are used to connect to the ESKM Key Vault. When you upgrade to v7.1.0 from an earlier version, or downgrade from v7.1.0 to an earlier version, you must regenerate and reregister the certificates in order to restore connectivity to the key vault.

Perform the following steps when performing an upgrade to v7.1.0 from an earlier version, or downgrade from v7.1.0 to an earlier version.

NOTE
Refer to "Fabric OS and ESKM compatibility matrix" on page 346 before considering a downgrade from Fabric OS 7.1.0.

NOTE
This procedure is disruptive and should be done as an offline procedure for both the ESKM Key Vault and the Brocade Encryption Switch.

KAC and key vault configuration
1. Generate the CA on the SKM/ESKM Key Vault. This should be done using SHA256 if you are using Fabric OS 7.1.0, or SHA1 if you are using an earlier Fabric OS version.
2. Invoke the initNode command on the Brocade Encryption Switch.
3. Export the KAC CSR from the Brocade Encryption Switch using the cryptocfg --export -scp -KACcsr command.
4. Sign the KAC CSR on the SKM/ESKM Key Vault.
5. Import the signed KAC certificate back to the Brocade Encryption Switch using the cryptocfg --import -scp command.
6. Import the SKM/ESKM CA to the Brocade Encryption Switch using the cryptocfg --import -scp command.
7. Register the signed KAC certificate on the Brocade Encryption Switch as KACcert using the cryptocfg --reg -KACcert command.
8. Register the SKM/ESKM CA on the Brocade Encryption Switch as the key vault certificate using the cryptocfg --reg -keyvault command.

The following warning can be ignored if the nodes in an EG are running different versions of Fabric OS.
"2011/04/12-18:41:08, [SPM-1016], 17132, FID 128, WARNING, Security database is out of sync."

A downgrade to Fabric OS 7.0.1 results in the loss of thin provision LUN information.
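A pre-import check for the certificate steps above (the CA from step 1 and the signed KAC certificate from step 4), added here as an example and not taken from the Brocade manual: it reads the signature algorithm from a PEM or DER certificate and compares it with the hash this page says the target Fabric OS release expects. The function names, the purely numeric dotted version string, and the constructed sample_cert skeleton are assumptions made for illustration.

```python
import base64

# DER-encoded signatureAlgorithm OIDs mapped to the hash they imply (RSA only).
SIG_OIDS = {
    bytes.fromhex("2a864886f70d01010b"): "SHA256",  # sha256WithRSAEncryption
    bytes.fromhex("2a864886f70d010105"): "SHA1",    # sha1WithRSAEncryption
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def cert_signature_hash(data):
    """Accept a PEM or DER certificate; return 'SHA256', 'SHA1' or 'UNKNOWN'."""
    if b"-----BEGIN" in data:
        lines = [l.strip() for l in data.splitlines()]
        data = base64.b64decode(b"".join(l for l in lines if l and not l.startswith(b"-----")))
    tag, cert, _ = read_tlv(data, 0)        # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, _, pos = read_tlv(cert, 0)           # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)         # signatureAlgorithm SEQUENCE
    oid_tag, oid, _ = read_tlv(alg, 0)
    return SIG_OIDS.get(oid, "UNKNOWN") if oid_tag == 0x06 else "UNKNOWN"

def expected_hash(fos_version):
    """Rule as stated on this page: SHA256 for 7.1.0, SHA1 for earlier releases."""
    ver = tuple(int(p) for p in fos_version.lstrip("v").split("."))
    if ver > (7, 1, 0):
        raise ValueError("release not covered by this page")
    return "SHA256" if ver == (7, 1, 0) else "SHA1"

def check_before_import(cert_bytes, fos_version):
    """Return (ok, found, wanted) for a CA or signed KAC certificate."""
    found, wanted = cert_signature_hash(cert_bytes), expected_hash(fos_version)
    return found == wanted, found, wanted

def sample_cert(oid_hex):
    """Constructed skeleton with a certificate's outer layout only (no real key)."""
    der = lambda tag, val: bytes([tag, len(val)]) + val
    alg = der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(0x05, b""))
    return der(0x30, der(0x30, b"") + alg + der(0x03, b"\x00"))
```

A result of (False, "SHA1", "SHA256") for a switch on 7.1.0 means the CA or KAC certificate was generated with the hash for the other release and should be regenerated before the import and register steps.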
