HP StorageWorks 1606 - Extension SAN Switch Release Note page 40

of a security compromise. When disabling the encryption capabilities of the EE using the noted
commands, the EE should not be hosting any CTCs. Ensure that all CTCs hosted on the HP Encryp-
tion Switch or HP Encryption Blade are either removed or moved to a different EE in the HA Cluster
or EG before disabling the encryption and security capabilities.
Whenever initNode is performed, new certificates for CP and KAC (SKM) are generated. Hence,
each time InitNode is performed, the new KAC Certificate must be loaded onto key vaults for
(SKM. Without this step, errors will occur, such as key vault not responding and ultimately key
archival and retrieval problems.
The HTTP server should be listening to port 9443. SKM is supported only when configured to port
9443.
When all nodes in an EG (HA Cluster or DEK Cluster) are powered down (due to catastrophic
disaster or a power outage to the data center) and later nodes come back online (in the event of
the Group Leader (GL) node failing to come back up or the GL node being kept powered down)
the member nodes lose information and knowledge about the EG. This leads to no crypto operations
or commands (except node initialization) being available on the member nodes after the power-
cycle. This condition persists until the GL node is back online.
Workaround. In the case of a data center power down, bring the GL node online first, before
bringing the other member nodes online.
In the event of the GL node failing to come back up, the GL node can be replaced with a new
node. The following are the procedures to allow an EG to function with existing member nodes
and to replace the failed GL node with a new node.
Make one of the existing member nodes the Group Leader node and continue operations.
1. On one of the member nodes, create the EG with the same EG name. This will make that
node the GL node and the rest of the CTC and Tape Pool related configurations will remain
intact in this EG.
2. For any containers hosted on the failed GL node, issue cryptocfg --replace to
change the WWN association of containers from the failed GL node to the new GL node.
Replace the failed GL node with a new node.
1. On the new node, follow the switch/node initialization steps.
2. Create an EG on this fresh switch/node with the same EG name as before.
3. Perform a configdownload to the new GL node of a previously uploaded configuration
file for the EG from an old GL node.
4. For any containers hosted on the failed GL node, issue cryptocfg --replace to
change the WWN association of containers from failed GL node to the new GL node.
During an online upgrade from FOS 6.2.0x to 6.3.0, we expect to see the I/O link status reported
as Unreachable when the cryptocfg command is invoked. However, once all the nodes are
upgraded to FOS 6.3.0, the command will accurately reflect the status of the I/O Link. The I/O
link status should be disregarded during the code upgrade process.
The –key_lifespanoption has no effect for cryptocfg –add –LUN, and only has an effect
for cryptocfg --create –tapepool for tape pools declared -encryption_format
native. For all other encryption cases, a new key is generated each time a medium is rewound
and block zero is written or overwritten. For the same reason, the Key Life field in the output of
cryptocfg --show -container -all –stat should always be ignored, and the Key Life
field in cryptocfg --show –tapepool –cfg is significant only for native-encrypted pools.
The Quorum Authentication feature requires DCFM 10.3.0 or later. Note that all nodes in the EG
must be running FOS 6.3.0 for quorum authentication to be properly supported.
40