Policy configuration examples, Enabling the encryption engine, Zoning considerations – Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual

Fabric OS Encryption Administrator's Guide (LKM/SSKM), 53-1002925-01, Chapter 3 (Enabling the encryption engine), page 135

Policy Configuration Examples

The following examples illustrate the setting of group-wide policy parameters.

To set the failback mode to manual failback:

SecurityAdmin:switch> cryptocfg --set -failbackmode manual

Set failback policy status: Operation Succeeded.

To set the Heartbeat misses value to 3:

SecurityAdmin:switch> cryptocfg --set -hbmisses 3

Set heartbeat miss status: Operation Succeeded.

To set the Heartbeat timeout value to 3 seconds:

SecurityAdmin:switch> cryptocfg --set -hbtimeout 3

Set heartbeat timeout status: Operation Succeeded.

Enabling the encryption engine

Enable the encryption engine by entering the cryptocfg --enableEE command. Provide a slot number if the encryption engine is a blade.

NOTE

Every time a Brocade Encryption Switch or a DCX Backbone chassis containing one or more FS8-18 blades goes through a power cycle event, or after issuing slotpoweroff <slot number> followed by slotpoweron <slot number> for an FS8-18 blade in a DCX Backbone chassis, the encryption engine must be enabled manually by the Security Administrator. Hosts cannot access the storage LUNs through the storage paths exposed on this Brocade Encryption Switch or FS8-18 blade until the encryption engine is enabled. The encryption engine state can be viewed using the cryptocfg --show -localEE command, or by displaying switch or blade properties from DFCM. An encryption engine that is not enabled reports the state Waiting for Enable EE.

SecurityAdmin:switch> cryptocfg --enableEE

Operation succeeded.
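The policy settings and the enableEE step above are normally typed one at a time at the switch CLI and checked by eye. The following script is an added example, not code from the Brocade guide: it runs the same cryptocfg commands over SSH from an admin workstation, checks every reply for the "Operation Succeeded" / "Operation succeeded" text the guide shows, and only issues --enableEE when --show -localEE reports "Waiting for Enable EE". The host name, user name, the FOS_APPLY guard, the slot-number argument form for --enableEE, and the "EE State:" sample line used for the offline check are assumptions made for this example; the real --show -localEE output may be laid out differently, so match on the state string rather than on the line shape.

```shell
#!/usr/bin/env bash
# Added example (not from the Brocade guide): apply the group-wide policy
# settings and enable the encryption engine over SSH, verifying each reply.
# Assumed (hypothetical): switch reachable as $FOS_HOST, SecurityAdmin
# account $FOS_USER, SSH key authentication already set up.

FOS_HOST="${FOS_HOST:-switch}"
FOS_USER="${FOS_USER:-secadmin}"

# Constructed sample of a --show -localEE reply for offline checks; the real
# command's layout is not shown in the guide, only the state string is.
SAMPLE_LOCALEE_WAITING="EE State: Waiting for Enable EE"
SAMPLE_LOCALEE_ONLINE="EE State: Online"

# Run one Fabric OS CLI command on the switch and print its reply.
fos_cmd() {
    ssh "${FOS_USER}@${FOS_HOST}" "$*"
}

# Success test: --set replies "Operation Succeeded." and --enableEE replies
# "Operation succeeded.", so match case-insensitively.
reply_ok() {
    printf '%s\n' "$1" | grep -qi 'operation succeeded'
}

# True when the localEE reply reports an engine that still needs enabling
# (the state seen after a power cycle or slotpoweroff/slotpoweron).
ee_waiting() {
    printf '%s\n' "$1" | grep -q 'Waiting for Enable EE'
}

# Heartbeat misses/timeout must be positive integers; reject anything else
# before it reaches the switch.
valid_hb() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# Apply one policy parameter and fail if the switch did not accept it.
set_policy() {    # $1 = parameter (e.g. -hbmisses), $2 = value
    local out
    out="$(fos_cmd cryptocfg --set "$1" "$2")" \
        || { echo "ssh/command failed for $1" >&2; return 1; }
    reply_ok "$out" || { echo "switch rejected $1 $2: $out" >&2; return 1; }
    echo "$1 $2: ok"
}

# Enable the encryption engine only when it is waiting. Optional $1 is the
# slot number for an FS8-18 blade (argument form assumed for this example).
enable_ee_if_needed() {
    local slot="${1:-}" state out
    state="$(fos_cmd cryptocfg --show -localEE)" || return 1
    if ee_waiting "$state"; then
        out="$(fos_cmd cryptocfg --enableEE ${slot:+"$slot"})" || return 1
        reply_ok "$out" || { echo "enableEE failed: $out" >&2; return 1; }
        echo "encryption engine enabled"
    else
        echo "encryption engine already enabled"
    fi
}

# The full sequence from the guide: manual failback, 3 missed heartbeats,
# 3-second heartbeat timeout, then enable the engine.
apply_encryption_config() {
    valid_hb 3 && valid_hb 3 || return 1
    set_policy -failbackmode manual &&
    set_policy -hbmisses 3 &&
    set_policy -hbtimeout 3 &&
    enable_ee_if_needed "$@"
}

# Offline self-check of the reply parsers against the constructed samples.
offline_check() {
    reply_ok "Set failback policy status: Operation Succeeded." || return 1
    reply_ok "Operation succeeded." || return 1
    ee_waiting "$SAMPLE_LOCALEE_WAITING" || return 1
    ! ee_waiting "$SAMPLE_LOCALEE_ONLINE" || return 1
    valid_hb 3 && ! valid_hb 0 && ! valid_hb abc
}

# Only contact the switch when explicitly asked (FOS_APPLY=1); otherwise the
# file just defines the functions.
if [ "${FOS_APPLY:-}" = 1 ]; then
    apply_encryption_config "$@"
fi
```

Run it as FOS_APPLY=1 FOS_HOST=<switch> ./fos-encrypt.sh [slot]. Because every step stops on the first reply that does not contain "Operation succeeded", a rejected policy value is caught before the engine is enabled, and a chassis that has been power-cycled gets its engine re-enabled without a second manual pass.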

Zoning considerations

When encryption is implemented, frames sent between a host and a target LUN are redirected to a virtual target within an encryption switch or blade. Redirection zones are created to route these frames. When redirection zones are in effect, direct host-to-target access must not be allowed, because traffic that bypasses the encryption engine corrupts the data on the LUN.

Zone hosts and targets together before configuring them for encryption. Redirection zones are created automatically to redirect the host-target traffic through the encryption engine, but they can only be created if the host and target are already zoned together.
