Loss of encryption group leader after power outage – Brocade Fabric OS Encryption Administrator’s Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments (Supporting Fabric OS v7.2.0) User Manual


Fabric OS Encryption Administrator’s Guide (SKM/ESKM)

53-1002923-01


Loss of encryption group leader after power outage

When all nodes in an encryption group, HA Cluster, or DEK Cluster are powered down because of a
catastrophic disaster or a power outage affecting the whole data center, and the group leader node
either fails to come back up when the other nodes are powered on or is kept powered down,
the member nodes might lose information and knowledge about the encryption group. If this
happens, no crypto operations or commands (except node initialization) are available on the
member node after the power cycle. This condition persists until the group leader is back online.

When a group leader node fails to come back up, the group leader node can be replaced. Two
scenarios are considered:

- When encryption group information is not lost by member nodes
- When encryption group information is also lost by member nodes

Use the following procedure when encryption group information is not lost by the member nodes
and one of the member nodes has taken the role of group leader:

1. From the new group leader node, deregister the old group leader node (which has failed) from
the encryption group.

FabricAdmin:switch> cryptocfg --dereg -membernode <failed GLswitchWWN>

2. Reclaim the WWN base of the failed Brocade Encryption Switch.

FabricAdmin:switch> cryptocfg --reclaimWWN -membernode <failed GLswitchWWN>

3. Synchronize the crypto configurations across all member nodes.

FabricAdmin:switch> cryptocfg --commit

NOTE

When attempting to reclaim a failed Brocade Encryption Switch, do not execute
cryptocfg --transabort. Doing so will cause subsequent reclaim attempts to fail.

4. For any containers hosted on the failed group leader node, issue the cryptocfg --replace
command to change the WWN association of containers from the failed group leader node to
the new group leader node (or any other member node in the encryption group) for all
containers on the encryption engine.

5. Synchronize the crypto configurations across all member nodes.

FabricAdmin:switch> cryptocfg --commit

Use the following procedure to replace the failed group leader node with a new node when
encryption group information is lost by member nodes:

1. On the new node, perform the switch/node initialization steps as described in Chapter 3.

2. Create an encryption group on the new node with the same encryption group name as before.

3. Use the configDownload command to download previously uploaded group leader node and
encryption group configuration files to the new node.

4. For any containers hosted on the failed group leader node, issue the cryptocfg --replace
command to change the WWN association of containers from the failed group leader node to the
new group leader node for all containers on the encryption engine.
