Brocade Fabric OS Encryption Administrator’s Guide Supporting Key Management Interoperability Protocol (KMIP) Key-Compliant Environments (Supporting Fabric OS v7.1.0) User Manual


Fabric OS Encryption Administrator’s Guide (KMIP)

53-1002747-02

Rekeying best practices and policies. . . . . . . . . . . . . . . . . . . . . . . .238

Manual rekey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238
Latency in rekey operations . . . . . . . . . . . . . . . . . . . . . . . . . . .238
Allow rekey to complete before deleting a container. . . . . . . .239
Rekey operations and firmware upgrades . . . . . . . . . . . . . . . .239
Do not change LUN configuration while rekeying . . . . . . . . . .239
Recommendation for Host I/O traffic during online rekeying and first-time encryption . . . . . . . . . .239

KAC certificate registration expiry . . . . . . . . . . . . . . . . . . . . . . . . . .239

Changing IP addresses in encryption groups . . . . . . . . . . . . . . . . .240

Disabling the encryption engine . . . . . . . . . . . . . . . . . . . . . . . . . . .240

Recommendations for Initiator Fan-Ins . . . . . . . . . . . . . . . . . . . . . .240

Best practices for host clusters in an encryption environment . . . 241

HA Cluster deployment considerations and best practices . . . . . .242

Key Vault Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .242

Tape Device LUN Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .242

Chapter 6

Maintenance and Troubleshooting

In this chapter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

Encryption group and HA cluster maintenance. . . . . . . . . . . . . . . .244

Displaying encryption group configuration or status information . . . . . . . . . . . . . . . . . . . .244
Removing a member node from an encryption group. . . . . . .244
Deleting an encryption group . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Removing an HA cluster member . . . . . . . . . . . . . . . . . . . . . . . 247
Displaying the HA cluster configuration . . . . . . . . . . . . . . . . . .248
Replacing an HA cluster member . . . . . . . . . . . . . . . . . . . . . . .249
Deleting an HA cluster member . . . . . . . . . . . . . . . . . . . . . . . .251
Performing a manual failback of an encryption engine . . . . .252

Encryption group merge and split use cases . . . . . . . . . . . . . . . . .253

A member node failed and is replaced . . . . . . . . . . . . . . . . . .253
A member node reboots and comes back up . . . . . . . . . . . . .254
A member node lost connection to the group leader . . . . . . .255
A member node lost connection to all other nodes in the encryption group . . . . . . . . . . . . . . .255
Several member nodes split off from an encryption group . .256
Adjusting heartbeat signaling values . . . . . . . . . . . . . . . . . . . .257
EG split possibilities requiring manual recovery . . . . . . . . . . .258
Configuration impact of encryption group split or node isolation . . . . . . . . . . . . . . . . . . .262

Encryption group database manual operations . . . . . . . . . . . . . . .263

Manually synchronizing the encryption group database. . . . .263
Manually synchronizing the security database . . . . . . . . . . . .263
Aborting a pending database transaction . . . . . . . . . . . . . . . .264

Key vault diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .264

Measuring encryption performance . . . . . . . . . . . . . . . . . . . . . . . .265
