Rekeying luns for rp deployments - remote site, Tape pool configuration – Brocade Fabric OS Encryption Administrator’s Guide Supporting RSA Data Protection Manager (DPM) Environments (Supporting Fabric OS v7.2.0) User Manual


Fabric OS Encryption Administrator’s Guide (DPM)


53-1002922-01


Rekeying LUNs for RP deployments - remote site

To rekey a remote site LUN, you must first perform an RP reverse direction. Complete the following
steps to reverse the local LUN and remote LUN RP functional roles:

1. Issue the RP reverse direction command to change the old local LUN to the new remote LUN and the old remote LUN to the new local LUN.

2. Disable the RP source/target LUN consistency group.

3. Issue the cryptocfg --manual_rekey -include_mirror <new local LUN container> <new local LUN ID> <initiator PWWN> command on the new local LUN (old remote LUN).

NOTE

This CLI command will fail with an error if the -include_mirror option is not provided with the manual_rekey request.

4. After the rekey is completed, disable the new remote target ports.

5. Enable the RP source/target LUN consistency group and wait for the RP pair to be fully synchronized.

6. Verify that the DEKs are synchronized from the local site DPM cluster to the remote site DPM cluster.

NOTE

In all operations prior to enabling the RP source/target LUN consistency group, ensure that the
DEKs are synchronized between the local and remote site key vaults.

Behavior with Hosts writing beyond reported capacity

If a host writes beyond the reported capacity of a source or destination LUN, it can cause the LUN
to become disabled when exposed. Hosts must honor the READ CAPACITY10/READ CAPACITY16
data returned by the Brocade Encryption Switch for SRDF/TF/RP source and destination LUNs.
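
As an added illustration (not part of the Brocade guide), the following Python example decodes READ CAPACITY(10) and READ CAPACITY(16) parameter data as laid out in the SCSI block command standard and flags writes that would go past the reported last LBA. The function names and the sample byte strings are constructed for this example.

```python
import struct

# READ CAPACITY(10) returns this value when the LUN is too large for 32 bits;
# the host must then issue READ CAPACITY(16).
RC10_OVERFLOW = 0xFFFFFFFF


def parse_read_capacity(data):
    """Return (last_lba, block_size) from READ CAPACITY(10) or (16) parameter data."""
    if len(data) == 8:
        # READ CAPACITY(10): 4-byte last LBA, 4-byte block length, big-endian
        last_lba, block_size = struct.unpack(">II", data)
        if last_lba == RC10_OVERFLOW:
            raise ValueError("capacity exceeds 32 bits; issue READ CAPACITY(16)")
    elif len(data) >= 12:
        # READ CAPACITY(16): 8-byte last LBA, 4-byte block length, big-endian
        last_lba, block_size = struct.unpack(">QI", data[:12])
    else:
        raise ValueError("short READ CAPACITY parameter data")
    if block_size == 0:
        raise ValueError("reported block length is zero")
    return last_lba, block_size


def write_in_bounds(start_lba, num_blocks, last_lba):
    """True if a write of num_blocks (>= 1) blocks stays within LBAs 0..last_lba."""
    return start_lba >= 0 and start_lba + num_blocks - 1 <= last_lba


def check_writes(cap_data, writes):
    """Return the (start_lba, num_blocks) writes that exceed the reported capacity."""
    last_lba, _ = parse_read_capacity(cap_data)
    return [w for w in writes if not write_in_bounds(w[0], w[1], last_lba)]


# Constructed sample parameter data (not captured from a real switch)
RC10_SAMPLE = struct.pack(">II", 0x001FFFFF, 512)                # last LBA 0x1FFFFF
RC16_SAMPLE = struct.pack(">QI", 0x100000000, 512) + bytes(20)   # 32-byte response

if __name__ == "__main__":
    sample_writes = [(0, 8), (0x001FFFF8, 8), (0x001FFFF9, 8), (0x00200000, 1)]
    for start, count in check_writes(RC10_SAMPLE, sample_writes):
        print("write beyond reported capacity: LBA %#x, %d blocks" % (start, count))
```

The returned value is the address of the last block, not the block count, so a write ending exactly at that LBA is still within bounds.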

Tape pool configuration

Tape pools are used by tape backup application programs to group all configured tape volumes into
a single backup to facilitate their management within a centralized backup plan. A tape pool is
identified by either a name or a number, depending on the backup application. Tape pools have the
following properties:

They are configured and managed per encryption group at the group leader level.

All encryption engines in the encryption group share the same tape pool policy definitions.

Tape pool definitions are only used when writing tapes. The tape contains enough information
(encryption method and key ID) to enable any encryption engine to read the tape.

Tape pool names and numbers must be unique within the encryption group.

If a given tape volume belongs to a tape pool, tape pool-level policies (defaults or configured
values) are applied and override any LUN-level policies.

Tape drive (LUN) policies are used if no tape pools are created or if a given tape volume does
not belong to any configured tape pools.
