Do not change LUN configuration while rekeying, KAC certificate registration expiry – Brocade Fabric OS Encryption Administrator’s Guide Supporting RSA Data Protection Manager (DPM) Environments (Supporting Fabric OS v7.2.0) User Manual


Fabric OS Encryption Administrator’s Guide (DPM)

53-1002922-01


Do not change LUN configuration while rekeying

Never change the configuration of any LUN in a CryptoTarget container while the rekeying process
for that LUN is active. If you change the LUN’s settings during manual or automatic rekeying, or
during first-time encryption, the system reports a warning that the encryption engine is busy and
that a forced commit is required for the changes to take effect. A forced commit halts every active
rekeying operation in every CryptoTarget container and corrupts any LUN that was being rekeyed.
There is no recovery from this type of failure.

Recommendation for Host I/O traffic during online rekeying and first-time encryption

Host writes to a LUN that is undergoing first-time encryption or rekeying may fail. It is
recommended that host I/O to the LUN be quiesced and not restarted until the rekey or first-time
encryption operation for that LUN is complete.

KAC certificate registration expiry

It is important to keep track of when your signed KAC certificates will expire. Working with
invalid certificates causes certain commands to not work as expected. If you are using the
certificate expiry feature and the certificate expires, the key vault server will not respond as
expected. For example, the Group Leader in an encryption group might show that the key vault is
connected while a member node reports that the key vault is not responding.

To verify the certificate expiration date, use the following command:

openssl x509 -in signed_kac_cert.pem -dates -noout

Output:

Not Before: Dec 4 18:03:14 2009 GMT

Not After : Dec 4 18:03:14 2010 GMT

In the example above, the certificate validity is active until “Dec 4 18:03:14 2010 GMT.” After the
KAC certificate has expired, the registration process must be redone.

NOTE

In the event that the signed KAC certificate must be re-registered, you will need to log in to the key
vault web interface and upload the new signed KAC certificate for the corresponding Brocade
Encryption Switch identity.

You can change the value of the certificate expiration date using the following command:

openssl x509 -req -sha1 -CAcreateserial -in certs/<Switch CSR Name> -days 365 -CA cacert.pem -CAkey private/cakey.pem -out newcerts/<Switch Cert Name>

In the example above, the certificate is valid for a period of one year (365 days). You can increase
or decrease this value according to your own specific needs. The default is 3649 days, or 10 years.
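The following script is an added example, not part of the Brocade guide: it parses the validity dates that the openssl command above prints for a signed KAC certificate and reports how many days remain before the certificate expires and registration must be redone. The sample output embedded in it is constructed from the dates shown above; the warning threshold of 30 days is an assumption.

```python
# Added example (not from the Brocade guide): parse the dates printed by
# `openssl x509 -in signed_kac_cert.pem -dates -noout` and flag KAC expiry.
from datetime import datetime, timezone

# Constructed sample output. With -dates openssl prints "notAfter=..."; with
# -text it prints "Not After : ..." as in the guide. Both forms are accepted.
SAMPLE_OUTPUT = """\
notBefore=Dec  4 18:03:14 2009 GMT
notAfter=Dec  4 18:03:14 2010 GMT
"""

def _parse_openssl_time(value):
    # "Dec  4 18:03:14 2010 GMT": single-digit days are padded with two
    # spaces, so split on whitespace rather than relying on fixed positions.
    tokens = value.split()
    if len(tokens) < 4:
        raise ValueError("unrecognised openssl time: %r" % value)
    naive = datetime.strptime(" ".join(tokens[:4]), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)  # openssl reports GMT

def parse_validity(text):
    """Return (not_before, not_after) as timezone-aware datetimes."""
    found = {}
    for line in text.splitlines():
        sep = "=" if "=" in line else ":"
        if sep not in line:
            continue
        key, value = line.split(sep, 1)
        key = key.replace(" ", "").lower()  # "Not After " -> "notafter"
        if key in ("notbefore", "notafter"):
            found[key] = _parse_openssl_time(value)
    if len(found) != 2:
        raise ValueError("validity dates not found in openssl output")
    return found["notbefore"], found["notafter"]

def assess(text, now, warn_days=30):
    """Classify the certificate relative to `now`; returns (status, days_left)."""
    if isinstance(now, str):  # accept an ISO 8601 timestamp for convenience
        now = datetime.fromisoformat(now)
    not_before, not_after = parse_validity(text)
    days_left = (not_after - now).days
    if now < not_before:
        return "not_yet_valid", days_left
    if now >= not_after:
        return "expired", days_left   # registration must be redone
    if days_left <= warn_days:
        return "expiring", days_left  # schedule re-registration now
    return "valid", days_left
```

To check a real certificate, pipe the output of the openssl command into `assess` with the current time, for example `assess(output, datetime.now(timezone.utc))`.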
