Pid failover, Turn off compression on extension switches, Rekeying best practices and policies – Brocade Fabric OS Encryption Administrator’s Guide Supporting Key Management Interoperability Protocol (KMIP) Key-Compliant Environments (Supporting Fabric OS v7.1.0) User Manual

238

Fabric OS Encryption Administrator’s Guide (KMIP)

53-1002747-02

PID failover

5

PID failover

Virtual device PIDs do not persist upon failover within a single fabric HA cluster. Upon failover, the
virtual device is s assigned a different PID on the standby encryption switch or blade.

Some operating systems view the PID change as an indication of path failure, and will switch over
to redundant path in another fabric. In these cases, HA clusters should not be implemented. These
operating systems include the following:

•

HP-UX prior to 11.x. The issue is not present beginning with 11.31 and later releases.

•

All versions of IBM AIX, unless dynamic tracking is enabled.

•

Solaris 2.x releases, Solaris 7, and later releases.

Turn off compression on extension switches

We recommend disabling data compression on FCIP links that might carry encrypted traffic to
avoid potential performance issues as compression of encrypted data might not yield desired
compression ratio. We also recommend that tape pipelining and fastwrite also be disabled on the
FCIP link if it is transporting encrypted traffic.

Rekeying best practices and policies

Rekeying should be done only when necessary. In key management systems, DEKs are never
exposed in an unwrapped or unencrypted state. For all opaque key management systems, you
must rekey if the master key is compromised. The practice of rekeying should be limited to the
following cases:

•

Master key compromise in the case of opaque key vaults.

•

Insider security breaches.

•

As a general security policy as infrequently as every six months or once per year.

Manual rekey

Ensure that the link to the key management system is up and running before you attempt a manual
rekey.

Latency in rekey operations

Host I/O for regions other than the current rekey region has no latency during a rekey operation.
Host I/O for the region where the current rekey is happening has minimal latency (a few
milliseconds) because I/O is held until the rekey is complete. The I/O sync links (the Ethernet ports
labeled Ge0 and Ge1) must be configured, and must both be connected to the I/O sync LAN to
enable proper handling of rekey state synchronization in high availability (HA cluster)
configurations.