Enabling remote replication mode, Adding replication luns, Rekey operations for replicated luns – Brocade Fabric OS Encryption Administrator’s Guide Supporting RSA Data Protection Manager (DPM) Environments (Supporting Fabric OS v7.2.0) User Manual


Fabric OS Encryption Administrator’s Guide (DPM)


53-1002922-01

SRDF LUNs


NOTE

When Symmetrix arrays are managed in-band, the gatekeeper LUNs must be added to the
crypto-target containers as cleartext LUNs. Adding these as encrypted LUNs generates a CRITICAL
error on the console, and the other encrypted LUNs are not visible from the host.

Enabling remote replication mode

To enable the remote replication features, issue the cryptocfg --set -replication enable
command. The remote replication features are supported in Fabric OS 6.4 and later. Remote
replication is disallowed under the following conditions:

One of the nodes in an encryption group is currently running a Fabric OS version prior to v6.4.

A node is downgraded to a Fabric OS version prior to v6.4.

When replication mode is enabled, starting first-time encryption (FTE) or manual rekey on LUNs
without metadata (due to uncompressible metadata blocks) generates a RASLOG entry, providing
the key ID that is used to encrypt the LUN. Key expiry rekey (or auto rekey) is disabled for LUNs
without metadata.

Replication mode can be disabled with the cryptocfg --set -replication disable command. This
operation will fail if there are LUNs configured with the -newLUN option in the encryption group.

After replication mode is enabled, the switch firmware cannot be downgraded to firmware versions
prior to Fabric OS 6.4.0.

CAUTION

Do not add a node running an earlier Fabric OS version to an encryption group that is running
version 6.4.0 or later if remote replication is enabled. Also, be aware that a Fabric OS 6.4.0
configuration file is not blocked from being downloaded to a node running an earlier Fabric OS
version.

Adding replication LUNs

Replication LUNs must be added to the container with the -newLUN option. Replication mode
needs to be enabled prior to adding replication LUNs with the -newLUN option, using the
cryptocfg --set -replication enable command. The primary LUN and all mirror LUNs need to be
added to their respective containers with the -newLUN option.

From the standpoint of the encryption switch or blade, the local and remote copies of the LUN are
configured in different encryption groups. From the DPM perspective, DPM clusters at local and
remote encryption groups must be configured as part of the same DPM cluster group.

Rekey operations for replicated LUNs

Auto rekey is disabled for replicated LUNs. Sync between primary LUNs and mirror LUNs should be
disabled before starting manual rekey on primary LUNs. If sync is not disabled, the mirror LUN will
be disabled for host access. Once the primary LUN rekey is completed, the sync can be performed
between the primary (R1) and mirror (R2) LUN. Manual rekey works only on primary LUNs. Mirror
LUNs can be converted to primary LUNs by performing a manual rekey with the -include_mirror
option.
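
The constraints in the three sections above can be checked before a change window. The following is an added example, not code from this guide or from Brocade: a pre-flight check run on an admin workstation over an operator-supplied inventory. The inventory layout, node and container names, and the sync_enabled field (taken from the array side) are assumptions.

```python
import re

MIN_FOS = (6, 4, 0)  # page: remote replication is supported in Fabric OS 6.4 and later

def parse_fos_version(text):
    """Turn 'v7.2.0', '6.4' or 'v6.3.2b' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?(?:[a-z]\d*)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Fabric OS version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def enable_blockers(nodes):
    """Nodes (name -> version) that prevent enabling replication mode."""
    return [f"{name} runs {ver}, prior to v6.4"
            for name, ver in sorted(nodes.items())
            if parse_fos_version(ver) < MIN_FOS]

def disable_blockers(luns):
    """LUNs configured with -newLUN make the disable command fail."""
    return [f"{l['container']} LUN {l['lun']} uses -newLUN" for l in luns if l["new_lun"]]

def rekey_blockers(lun, include_mirror=False):
    """Checks before a manual rekey of one replicated LUN."""
    problems = []
    if lun["role"] == "mirror" and not include_mirror:
        problems.append("manual rekey works only on primary LUNs")
    if lun["role"] == "primary" and lun["sync_enabled"]:
        problems.append("disable R1/R2 sync first or the mirror LUN loses host access")
    return problems

# Constructed sample inventory (hypothetical names and values).
NODES = {"enc-sw-1": "v7.2.0", "enc-sw-2": "v6.3.2b"}
LUNS = [
    {"container": "ctc_r1", "lun": 0, "role": "primary", "new_lun": True, "sync_enabled": True},
    {"container": "ctc_r2", "lun": 0, "role": "mirror", "new_lun": True, "sync_enabled": True},
    {"container": "ctc_gk", "lun": 5, "role": "primary", "new_lun": False, "sync_enabled": False},
]

if __name__ == "__main__":
    for line in enable_blockers(NODES) + disable_blockers(LUNS):
        print("BLOCKED:", line)
    for lun in LUNS:
        for line in rekey_blockers(lun):
            print(f"REKEY {lun['container']}/{lun['lun']}:", line)
```
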
