HP StorageWorks 1606 - Extension SAN Switch Release Note page 39

An exception to this LUN configuration process: If the LUN was previously encrypted by the
HP Encryption Switch or HP Encryption Blade, the LUN can be added to the CTC with the
–encrypt and –lunstate ="encrypted" options.
LUN configurations must be committed to take effect. No more than 25 LUNs can be added
or modified in a single commit operation. Attempts to commit configurations that exceed 25
LUNs will fail with a warning. There is also a five-second delay before the commit operation
takes effect.
Always ensure that any previously committed LUN configurations or LUN modifications have
taken effect before committing additional LUN configurations or additions. All LUNs should be
in an Encryption Enabled state before committing additional LUN modifications.
Avoid changing the configuration of any LUN that belongs to a CTC/LUN configuration while the
rekeying process for that LUN is active. If the user changes the LUN's settings during manual or
auto, rekeying or First Time Encryption, the system reports a warning message stating that the
encryption engine is busy and a forced commit is required for the changes to take effect. A forced
commit command halts all active rekeying processes running in all CTCs and corrupts any LUN
engaged in a rekeying operation. There is no recovery for this type of failure.
To remove access between a given initiator and target, the user must not only remove the active
zoning information between the initiator and target, but must also remove the associated CTCs,
which will in turn remove the associated frame redirection zone information. Make sure to back
up all data before taking this action.
Before committing configurations or modifications to the CTC or LUNs on an HP Encryption Switch
or HP Encryption Blade, make sure that there are no outstanding zoning transactions in the switch
or fabric. Failure to do so results in the commit operation for the CTC or LUNs failing and may
cause the LUNs to be disabled. The user can check for outstanding zoning transactions by issuing
the CLI command cfgtransshow:
DCX_two:root> cfgtransshow
There is no outstanding zoning transaction
Each LUN is uniquely identified by the HP Encryption Switch or HP Encryption Blade using the
LUN's serial number. The LUN serial numbers must be unique for LUNs exposed from the same
target port. The LUN serial numbers must also be unique for LUNs belonging to different target
ports in nonmultipathing configurations. Failure to ensure unique LUN serial numbers results in
nondeterministic behavior and may result in faulting of the HP Encryption Switch or HP Encryption
Blade.
When creating an HA cluster or EG with two or more HP Encryption Switch/Encryption Blades,
the GE ports (I/O sync links) must be configured with an IP address for the eth0 and eth1 Ethernet
interfaces using ipaddrset. In addition, the eth0 and eth1 Ethernet ports should be connected
to the network for redundancy. These I/O sync links connections must be established before any
Re-Key, First Time Encryption, or enabling EE for crypto operations. Failure to do so results in HA
Cluster creation failure. If the IP address for these ports is configured after the EE was enabled for
encryption, HP Encryption Switch needs to be rebooted and Encryption Blades should be slot-
poweroff/slotpoweron to sync up the IP address information to the EEs. If only one Ethernet
port is configured and connected to a network, data loss or suspension of Re-Key may occur when
the network connection toggles or fails.
initEE will remove the existing master key or link key. Backup the master key by running
cryptocfg –exportmasterkey and cryptocfg –export –currentMK before running
initEE. After initEE, regEE and enableEE, run cryptocfg –recovermasterkey to re-
cover the master key previously backed up, or in the case of fresh install run cryptocfg –
genmasterkey to generate a new master key. If you are using SKM, establish a trusted link with
SKM again. Certificate exchange between key vaults and switches are not required in this case.
The disable EE interface CLI cryptocfg --disableEE [slot no] should be used only to
disable encryption and security capabilities of the EE from the FOS Security Admin in the event
HP StorageWorks FOS 6.3.0b Release Notes 39