Impact Of Tape Lun Configuration Changes; Configuring A Multi-Path Crypto Lun - Brocade Communications Systems StoreFabric SN6500B Administrator's Manual

Brocade Fabric OS Encryption Administrator's Guide v7.1.0 (53-1002721-01, March 2013)

Impact of tape LUN configuration changes

LUN-level policies apply when no policies are configured at the tape pool level. The following
restrictions apply when modifying tape LUN configuration parameters:

- If you change a tape LUN policy from encrypt to cleartext or from cleartext to encrypt while data
  is written to or read from a tape backup device, the policy change is not enforced until the
  current process completes and the tape is unmounted, rewound, or overwritten. This
  mechanism prevents the mixing of cleartext data with cipher-text data on the tape.
- Make sure you understand the ramifications of changing the tape LUN encryption policy from
  encrypt to cleartext or from cleartext to encrypt.
- You cannot modify the key lifespan value. If you wish to modify the key lifespan, delete and
  recreate the LUN with a different key lifespan value. Key lifespan values only apply to
  native-mode pools.

Configuring a multi-path Crypto LUN

A single LUN may be accessed over multiple paths. A multi-path LUN is exposed and configured on
multiple CryptoTarget Containers located on the same encryption switch or blade or on different
encryption switches or blades.

CAUTION
When configuring a LUN with multiple paths, there is a considerable risk of ending up with
potentially catastrophic scenarios where different policies exist for each path of the LUN, or a
situation where one path ends up being exposed through the encryption switch and another path
has direct access to the device from a host outside the secured realm of the encryption platform.

Failure to follow proper configuration procedures for multi-path LUNs results in data corruption.
To avoid the risk of data corruption, you must observe the following rules when configuring
multi-path LUNs:

- During the initiator-target zoning phase, complete in sequence all zoning for ALL hosts that
  should gain access to the targets before committing the zoning configuration.
- Complete the CryptoTarget container configuration for ALL target ports in sequence and add
  the hosts that should gain access to these ports before committing the container
  configuration. Upon commit, the hosts lose access to all LUNs until the LUNs are explicitly
  added to the CryptoTarget containers.
- When configuring the LUNs, the same LUN policies must be configured for ALL paths of ALL
  LUNs. Failure to configure all LUN paths with the same LUN policies results in data corruption.
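
The multi-path rules above can be checked before a commit with a small audit over a path inventory. The following Python code is an added example, not part of the Brocade guide: the record layout, field names, LUN identifiers and container names are all constructed assumptions, and the inventory would in practice be exported from your own configuration records.

```python
from collections import defaultdict

# Constructed inventory: one record per path to a LUN. Field names are
# hypothetical; "container" is None when a host reaches the LUN directly,
# without passing through a CryptoTarget container.
PATHS = [
    {"lun": "LUN-A", "container": "ctc_sw1_p1", "policy": "encrypt"},
    {"lun": "LUN-A", "container": "ctc_sw2_p1", "policy": "encrypt"},
    {"lun": "LUN-B", "container": "ctc_sw1_p1", "policy": "encrypt"},
    {"lun": "LUN-B", "container": "ctc_sw2_p1", "policy": "cleartext"},
    {"lun": "LUN-C", "container": "ctc_sw1_p2", "policy": "encrypt"},
    {"lun": "LUN-C", "container": None, "policy": None},
]

# Policy attributes that must match on every path of a LUN. Extend this
# tuple with the other LUN policy attributes present in your export.
POLICY_FIELDS = ("policy",)


def audit_multipath(paths):
    """Return {lun: [findings]} for LUNs that break the multi-path rules."""
    by_lun = defaultdict(list)
    for p in paths:
        by_lun[p["lun"]].append(p)

    findings = defaultdict(list)
    for lun, lun_paths in sorted(by_lun.items()):
        protected = [p for p in lun_paths if p["container"] is not None]
        # A path with no container bypasses the encryption platform while
        # another path to the same LUN is encrypted by it.
        if protected and len(protected) < len(lun_paths):
            findings[lun].append("path outside encryption platform")
        # Every protected path must carry identical LUN policies.
        for field in POLICY_FIELDS:
            values = {p[field] for p in protected}
            if len(values) > 1:
                findings[lun].append(
                    f"{field} differs across paths: {sorted(map(str, values))}")
    return dict(findings)


if __name__ == "__main__":
    for lun, issues in audit_multipath(PATHS).items():
        for issue in issues:
            print(f"{lun}: {issue}")
```

Any LUN reported here should be corrected on every path before the zoning and container configurations are committed.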


This manual is also suitable for:

Fabric OS 7.1.0