Brocade Communications Systems StoreFabric SN6500B User Manual page 612

20
Steps for connecting to an ESKM/SKM appliance
Disk keys and tape pool keys support
DEK creation, retrieval, and update for disk and tape pool keys are as follows:
•
•
•
Tape LUN support
•
•
•
ESKM/SKM key vault deregistration
Deregistration of either the primary or secondary ESKM/SKM key vault from an encryption switch
or blade is allowed independently.
•
•
564
DEK creation: The DEK is first archived to the virtual IP address of the ESKM/SKM cluster. The
request gets routed to the primary or secondary ESKM/SKM, and is synchronized with other
ESKMs or SKMs in the cluster. If archival is successful, the DEK is read from both the primary
or secondary ESKMs or SKMs in the cluster until the DEK is read successfully from both. If
successful, then the DEK created can be used for encrypting disk LUNs or tape pools in
Brocade native mode. If key archival of the DEK to the ESKM/SKM cluster fails, an error is
logged and the operation is retried. If the failure occurs after archival to one of the ESKMs or
SKMs, but synchronization to all ESKMS or SKMs in the cluster times out, then an error is
logged and the operation is retried. Any DEK archived in this case is not used.
DEK retrieval: The DEK is retrieved from the ESKM/SKM cluster using the cluster's virtual
IP address. If DEK retrieval fails, it is retried.
DEK Update: DEK Update behavior is the same as DEK Creation.
DEK Creation: The DEK is created and archived to the ESKM/SKM cluster using the cluster's
virtual IP address. The DEK is synchronized with other ESKMs or SKMs in the cluster. Upon
successful archival of the DEK to the ESKM/SKM cluster, the DEK can be used for encryption
of the tape LUN. If archival of the DEK to the ESKM/SKM cluster fails, an error is logged and
the operation is retried.
DEK retrieval: The DEK is retrieved from the ESKM/SKM cluster using the cluster's virtual
IP address. If DEK retrieval fails, it is retried.
DEK update: DEK update behavior is the same as DEK Creation.
Deregistration of Primary ESKM: You can deregister the primary ESKM/SKM from an
encryption switch or blade without deregistering the backup or secondary ESKM/SKM for
maintenance or replacement purposes. However, when the primary ESKM/SKM is
deregistered, key creation operations will fail until either the primary ESKM/SKM is
reregistered, or the secondary ESKM/SKM is deregistered and reregistered as the primary
ESKM/SKM.
When the primary ESKM/SKM is replaced with a different ESKM/SKM, you must first
synchronize the DEKs from the secondary ESKM/SKM before reregistering the primary
ESKM/SKM.
Deregistration of Secondary ESKM: You can deregister the secondary ESKM/SKM
independently. Future key operations will use only the primary ESKM/SKM until the secondary
ESKM/SKM is reregistered on the encryption switch or blade.
When the secondary ESKM/SKM is replaced with a different ESKM/SKM, you must first
synchronize the DEKs from primary ESKM/SKM before reregistering the secondary
ESKM/SKM.
Brocade Network Advisor SAN User Manual
53-1002696-01