Configuring srdf gatekeeper luns, Srdf/tf/rp manual rekeying procedures, Tf snapshot rekeying details – Brocade Fabric OS Encryption Administrator’s Guide Supporting RSA Data Protection Manager (DPM) Environments (Supporting Fabric OS v7.2.0) User Manual

188

Fabric OS Encryption Administrator’s Guide (DPM)

53-1002922-01

SRDF/TF/RP manual rekeying procedures

3

NOTE

If the target device specified above is a snapshot of a cleartext LUN, the above command
results in that LUN becoming disabled. For cleartext snapshots, use the syntax

-

lunstate

cleartext

-

cleartext.

4. Commit the configuration.

5. Verify the target LUN state shows “encryption enabled” and the key ID used for encryption is

the same as the source LUN's key ID.

Configuring SRDF Gatekeeper LUNs

Gatekeeper LUNs used by SYMAPI on the host for configuring SRDF using in-band management
must be added to their containers with a LUN state of cleartext, encryption policy of cleartext, and
without the

-

newLUN option.

SRDF/TF/RP manual rekeying procedures

The following topics describe encryption rekeying procedures relative to SRDF, TF, and RP.

TF snapshot rekeying details

In TimeFinder environments, rekeying a source LUN which has one or more snapshot target devices
will result in full copy outs of the source devices to the target devices.

When source LUNs are rekeyed, the target snapshot LUNs will continue to utilize the older/original
DEK and therefore use of the refreshDEK command is not required. However, if an existing target
LUN/snapshot is recreated, then the refreshDEK command must be used on every path/container
which has access to the target device. The refreshDEK command forces the Brocade Encryption
Switch to re-read the metadata on the target LUN and then updates the FPGA tables for the LUN if
the DEK in the metadata has changed.

FabricAdmin:switch> cryptocfg --refreshDEK <target_container> <target LUN ID>

<initiator PWWN>

NOTE

Manual rekeying is supported for TimeFinder snapshot target device LUNs using the

-

include_mirror option; however, it would defeat the purpose of using snapshot LUNs because

rekeying them would cause all blocks of the snapshot to be allocated to the virtual device (i.e. the
source and snap LUNs would have the same number of blocks).

TF clone/mirror rekeying details

Manual rekeying is supported for TimeFinder source LUNs and is not supported for target devices
(clone, mirror) unless the source to target connection is first split.

1. Log in as Admin or Fabric Admin.

2. Split the TF source/target LUN pair ensuring the data synchronization from the source LUN to

the destination LUN has been stopped.