Rekeying remote site (r2) srdf luns – Brocade Fabric OS Encryption Administrator’s Guide Supporting RSA Data Protection Manager (DPM) Environments (Supporting Fabric OS v7.2.0) User Manual

192

Fabric OS Encryption Administrator’s Guide (DPM)

53-1002922-01

SRDF/TF/RP manual rekeying procedures

3

Alternatively, simply bringing the remote site LUNs online to the remote EEs ensures the
remote DEKs are present. To bring the remote LUNs online use following steps:

1. Restore target LUN access by enabling all remote site target ports (associated with

remote site CTCs) with access to the target LUN.

7. Verify that the remote LUN states are encryption enabled and their key IDs used for

encryption are the same as those used by the local site LUNs.

8. Take all target ports associated with CTCs through which the remote LUNs are

accessible offline.

After the rekey has completed, restoring from a bookmark taken prior to the rekey operation will
result in the source LUN becoming READ ONLY. Once you have restored from the bookmark, it is
imperative that you issue the refreshDEK command on all paths with access to the restored LUN.

NOTE

If the DEK is not synchronized between the local and remote sites, the remote LUN will automatically
become disabled.

Rekeying remote site (R2) SRDF LUNs

To rekey an R2 LUN, you must first do an SRDF role reversal. Complete the following steps to
reverse the R1/R2 LUN functional roles:

1. Issue the SRDF role swap command to change the old R1 LUN to the new R2 LUN and old R2

LUN to the new R1 LUN.

2. Split the SRDF pair.

3. Issue the cryptocfg

--

manual_rekey <crypto target container name> <LUN Num> <Initiator

PWWN>

-

include_mirror command on the new R1 LUN (old R2 LUN).

NOTE

This command will fail with an error if the

-

include_mirror option is not provided with the

manual_rekey request.

4. After the rekey is completed, disable the new R2 target ports.

5. Establish the SRDF for replication and wait for the SRDF pair to be fully synchronized.

6. Verify that the DEKs are synched up from the local site key vault cluster to the remote site key

vault cluster.

NOTE

In all operations prior to SRDF establishment, ensure that the DEKs are synchronized between
the local and remote site key vaults.

7. Verify that the Replication LUN type of the new R1 LUN is now “Primary” and the Replication

LUN type of new R2 LUN is now “Mirror”.

NOTE

Verify the DEKs and Replication LUN type for all multi-paths are consistent.