Firmware upgrade and downgrade considerations – Brocade Fabric OS Encryption Administrator’s Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments (Supporting Fabric OS v7.2.0) User Manual


Fabric OS Encryption Administrator’s Guide (SKM/ESKM)

53-1002923-01

Firmware upgrade and downgrade considerations

Before upgrading or downgrading firmware, consider the following:

The encryption engine and the control processor or blade processor are reset after a firmware
upgrade. Disruption of encryption I/O can be avoided if an HA cluster is configured. If
encryption engines are configured in an HA cluster, perform firmware upgrades one encryption
engine at a time so that the partner switch in the HA cluster can take over I/O by failover during
a firmware upgrade. When switches form a DEK cluster, firmware upgrades should also be
performed one at a time for all switches in the DEK cluster to ensure that a host MPIO failover
path is always available.

Fabric OS 7.2.0 uses SHA256 signatures for the TLS certificates that are used to connect to
the ESKM Key Vault. When you upgrade to v7.2.0 from v7.0.x, or downgrade from v7.2.0 to
v7.0.x, you must regenerate and reregister the certificates in order to restore connectivity to
the key vault.
Perform the following steps when upgrading to v7.2.0 from v7.0.x, or downgrading from v7.2.0 to v7.0.x.

NOTE

Refer to “Fabric OS and ESKM compatibility matrix” on page 286 before considering a downgrade from Fabric OS 7.1.0.

NOTE

This procedure is disruptive and should be done as an offline procedure for both the ESKM Key
Vault and the Brocade Encryption Switch.

KAC and key vault configuration

1. Generate the CA on the SKM/ESKM Key Vault. This should be done using SHA256 if you are using Fabric OS 7.1.0, or SHA1 if you are using an earlier Fabric OS version.

2. Invoke the initNode command on the Brocade Encryption Switch.

3. Export the KAC CSR from the Brocade Encryption Switch using the cryptocfg --export -scp -KACcsr command.

4. Sign the KAC CSR on the SKM/ESKM Key Vault.

5. Import the signed KAC certificate back to the Brocade Encryption Switch using the cryptocfg --import -scp command.

6. Import the SKM/ESKM CA to the Brocade Encryption Switch using the cryptocfg --import -scp command.

7. Register the signed KAC certificate on the Brocade Encryption Switch as KACcert using the cryptocfg --reg -KACcert command.

8. Register the SKM/ESKM CA on the Brocade Encryption Switch as the key vault certificate using the cryptocfg --reg -keyvault command.
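Before importing the signed KAC certificate and the CA certificate (steps 5 and 6), an administrator can confirm on a workstation that each file carries the signature hash the target release expects. The Python below is an added example, not part of the Brocade guide: the function names and the sample bytes are constructed, and the version threshold (SHA256 from Fabric OS 7.1, SHA1 before) is an assumption taken from step 1 and the SHA256 statement above.

```python
import base64
import re

# DER content bytes of the signature-algorithm OID -> hash name
SIG_OIDS = {
    bytes.fromhex("2a864886f70d010105"): "SHA1",    # sha1WithRSAEncryption
    bytes.fromhex("2a864886f70d01010b"): "SHA256",  # sha256WithRSAEncryption
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def cert_signature_hash(data):
    """Hash named in the outer signatureAlgorithm of a PEM or DER certificate."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", data, re.S)
    der = base64.b64decode(m.group(1)) if m else data
    tag, start, _ = read_tlv(der, 0)              # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not an X.509 certificate")
    _, _, tbs_end = read_tlv(der, start)          # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)      # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm has no OID")
    return SIG_OIDS.get(der[oid_start:oid_end], "unknown")

def expected_hash(fos_version):
    """Assumed rule from this page: SHA256 for Fabric OS 7.1 and later, else SHA1."""
    major, minor = map(int, re.match(r"v?(\d+)\.(\d+)", fos_version).groups())
    return "SHA256" if (major, minor) >= (7, 1) else "SHA1"

def cert_matches_fos(data, fos_version):
    """True when the certificate's signature hash is the one the release expects."""
    return cert_signature_hash(data) == expected_hash(fos_version)

def der_tlv(tag, content):                        # short-form encoder for the sample
    return bytes([tag, len(content)]) + content

# Constructed skeleton (empty tbsCertificate, dummy signature), not a real certificate.
SHA1_ALG = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010105")) + der_tlv(0x05, b""))
SAMPLE_SHA1 = der_tlv(0x30, der_tlv(0x30, b"") + SHA1_ALG + der_tlv(0x03, b"\x00\xff"))
```

A certificate left over from v7.0.x reports SHA1 and fails the check for v7.2.0, which is the condition that requires regenerating and reregistering the certificates.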

The following warning can be ignored if the nodes in an EG are running different versions of Fabric OS.

“2011/04/12-18:41:08, [SPM-1016], 17132, FID 128, WARNING, Security database is out of sync.”

A downgrade to Fabric OS 7.0.1 results in the loss of thin provision LUN information.
