HP A7533A - Brocade 4Gb SAN Switch Base Release Note page 33

Once the LUN comes online and clear-text host I/O starts, modify the LUN from clear-text
to encrypt, including the enable_encexistingdata option to convert the LUN from
clear-text to encrypted.
An exception to this LUN configuration process: if the LUN was previously encrypted by the
HP Encryption Switch or HP Encryption Blade, the LUN can be added to the Crypto Target
Container with the encrypt and lunstate ="encrypted" options.
LUN configurations must be committed to take effect. No more than 25 LUNs can be added
or modified in a single commit operation. Attempts to commit configurations that exceed 25
LUNs will fail with a warning. Note that there is also a five-second delay before the commit
operation takes effect.
Always ensure that any previously committed LUN configurations or LUN modifications have
taken effect before committing additional LUN configurations or additions. All LUNs should be
in an Encryption Enabled state before committing additional LUN modifications.
A new LUN state is being introduced: Disabled (Key not in sync). This new state indicates
that re-keying was started on a remote EE. However, the local EE is not capable of starting
rekey as it does not have the KeyID which was used by the remote EE in re-keying. This means
that the newest key returned from the key vault does not match with the KeyID used by the remote
EE. The user should use cryptocfg --discoverLUN <Container Name> interface to
re-enable the LUN only after the keys are synced between two key vaults.
Both VMware and clustering technologies utilize SCSI reservations to control host IO access
to LUNs. When BES/FS8-18 is performing a rekeying operation - first time encryption or oth-
erwise - it accommodates the use of this methodology. In deployments which have multiple
physical initiators accessing a target/LUN from an EE, FOS 6.2.1 does not have the ability to
failover FTE/rekey operations within the EE. Therefore, during FTE/Rekey operations in these
environments, only one physical initiator can be allowed to access the target/LUN combination
– this is for all EEs exposing the LUN. If only one initiator has access to a Target/LUN on a
particular EE, no configuration modification is required during FTE/Rekey operations
Avoid changing the configuration of any LUN that belongs to a Crypto Target Container/
LUN configuration while the rekeying process for that LUN is active. If the user changes the LUN's
settings during a manual or auto, rekeying or First Time Encryption, the system reports a warning
message stating that the encryption engine is busy and a forced commit is required for the changes
to take effect. A forced commit command halts all active rekeying processes running in all Crypto
Target Containers and corrupts any LUN engaged in a rekeying operation. There is no recovery
for this type of failure.
To remove access between a given initiator and target, the user must not only remove the active
zoning information between the initiator and target, but must also remove the associated CTCs,
which will in turn remove the associated frame redirection zone information. Make sure to back
up all data before taking this action.
Before committing configurations or modifications to the CTC or LUNs on an HP Encryption Switch
or HP Encryption Blade, make sure that there are no outstanding zoning transactions in the switch
or fabric. Failure to do so results in the commit operation for the Crypto Target or LUNs failing
and may cause the LUNs to be disabled. The user can check for outstanding zoning transaction
by issuing the cfgtransshow CLI command:
DCX_two:root> cfgtransshow
There is no outstanding zoning transaction
Each LUN is uniquely identified by the HP Encryption Switch or HP Encryption Blade using the
LUN's serial number. The LUN serial numbers must be unique for LUNs exposed from the same
target port. The LUN serial numbers must also be unique for LUNs belonging to different target
ports in non-multipathing configurations. Failure to ensure unique LUN serial numbers results in
nondeterministic behavior and may result in faulting of the HP Encryption Switch or HP Encryption
Blade.
HP StorageWorks Fabric OS 6.2.1 release notes 33