Pid Failover; Turn Off Compression On Extension Switches; Re-Keying Best Practices And Policies; Manual Re-Key - Brocade Communications Systems Brocade 8/12c Administrator's Manual

Supporting HP Secure Key Manager (SKM) environments and HP Enterprise Secure Key Manager (ESKM) environments
PID failover

Virtual device PIDs do not persist upon failover within a single fabric HA cluster. Upon failover, the
virtual device is assigned a different PID on the standby encryption switch or blade.
Some operating systems view the PID change as an indication of path failure, and will switch over
to a redundant path in another fabric. In these cases, HA clusters should not be implemented. These
operating systems include the following:

HP-UX prior to 11.x. The issue is not present beginning with 11.31 and later releases.
All versions of IBM AIX, unless dynamic tracking is enabled.
Solaris 2.x releases, Solaris 7, and later releases.

Turn off compression on extension switches

We recommend disabling data compression on FCIP links that might carry encrypted traffic, to
avoid potential performance issues: compression of encrypted data might not yield the desired
compression ratio. We also recommend that tape pipelining and fastwrite be disabled on the
FCIP link if it is transporting encrypted traffic.

Re-keying best practices and policies

Re-keying should be done only when necessary. In key management systems, DEKs are never
exposed in an unwrapped or unencrypted state. For all opaque key management systems, you
must re-key if the master key is compromised. The practice of re-keying should be limited to the
following cases:

Master key compromise in the case of opaque key vaults.
Insider security breaches.
As a general security policy, as infrequently as every six months or once per year.

Manual re-key

Ensure that the link to the key management system is up and running before you attempt a manual
re-key.

Latency in re-key operations

Host I/O for regions other than the current re-key region has no latency during a re-key operation.
Host I/O for the region where the current re-key is happening has minimal latency (a few
milliseconds) because I/O is held until the re-key is complete. The I/O sync links (the Ethernet ports
labeled Ge0 and Ge1) must be configured, and must both be connected to the I/O sync LAN to
enable proper handling of re-key state synchronization in high availability (HA cluster)
configurations.
Fabric OS Encryption Administrator's Guide
53-1002159-03
