Removing stale rekey information for a lun, Downgrading firmware from fabric os 7.2.0 – Brocade Fabric OS Encryption Administrator’s Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments (Supporting Fabric OS v7.2.0) User Manual


Fabric OS Encryption Administrator’s Guide (SKM/ESKM)


53-1002923-01


Removing stale rekey information for a LUN

To clean up stale rekey information for a LUN, complete one of the following procedures:

Procedure 1:

1. Modify the LUN policy from “encrypt” to “cleartext” and commit. The LUN will become disabled.

2. Enable the LUN using the following command:

Admin:switch> cryptocfg --enable -LUN

3. Modify the LUN policy from “cleartext” to “encrypt” with the enable_encexistingdata command
to enable the first-time encryption, then commit. This will clear the stale rekey metadata on the
LUN and the LUN can be used again for encryption.

Procedure 2:

1. Remove the LUN from the CryptoTarget Container and commit.

2. Add the LUN back to the CryptoTarget Container with LUN State=“clear-text”, policy=“encrypt”
and “enable_encexistingdata” set for enabling the first-time encryption, then commit. This will
clear the stale rekey metadata on the LUN and the LUN can be used again for encryption.

Downgrading firmware from Fabric OS 7.2.0

If you are attempting to download firmware to an earlier Fabric OS version, for example, v7.0.x, you
might be prompted with the following error message, even if there are no failed decommissioned
LUNs, and even if no decommissioned key ID list exists on a node:

“Downgrade is not allowed for this key vault type, as device decommissioning feature is in use.
Please use cryptocfg --delete -decommissionedkeyids to disable device decommission. Make
sure that no LUN is undergoing decommission or is in failed state.”

If a device decommission firmware consistency check is enabled in the encryption group, firmware
downgrades from Fabric OS v7.2.0 to v7.0.x will be blocked until the firmware consistency check for
device decommission feature is disabled.

The firmware consistency check for device decommission is enabled when you execute the
following:

SecurityAdmin:switch> cryptocfg --decommission -container <container name> -initiator <initiator PWWN> -LUN <lun number>

The firmware consistency check for device decommission is disabled when you execute the
following:

SecurityAdmin:switch> cryptocfg --delete -decommissionedkeyids

The success of the operation does not mandate that the firmware consistency check be disabled
for device decommission.
