Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual



53-1002925-01

Encryption group merge and split use cases


If you now perform a cryptocfg --show -groupcfg, you will see that no encryption group on Node181 is defined:

Node181:admin-> cryptocfg --show -groupcfg

Encryption group not defined: Cluster DB and Persistent DB not present, No Encryption Group Created or Defined.

The 2:2 EG split exception

The encryption group deletion procedure may be done directly in every scenario except when
there has been a 2:2 split. In that special case, the other encryption group island consists of
one group leader and one member node. The group leader node has taken over the group
leader role, and has been successful in contacting one member node, placing the member
node in a DEF_NODE_STATE_DISCOVERED state. Before you can delete the encryption group,
you must eject the discovered member node from the group leader node (EGisland2GLNode in
the command example that follows). To determine which node is the discovered member node
that needs to be ejected, use the following command:

EGisland2GLNode:admin-> cryptocfg --show -groupmember -all

NODE LIST

Total Number of defined nodes: 4

Group Leader Node Name: 10:00:00:05:1e:54:22:44

Encryption Group state: CLUSTER_STATE_DEGRADED

…. Output truncated…

Node Name: 10:00:00:05:1e:c1:9b:91

State: DEF_NODE_STATE_DISCOVERED

…Output truncated…

Eject the node shown above which is in the DEF_NODE_STATE_DISCOVERED state using the
following command:

EGisland2GLNode:admin-> cryptocfg --eject -membernode 10:00:00:05:1e:c1:9b:91
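
Added example, not part of the Brocade guide: a Python helper that reads captured cryptocfg --show -groupmember -all output, finds the member node in DEF_NODE_STATE_DISCOVERED, and builds the eject command only when exactly one such member exists. It assumes each State line follows its Node Name line; the sample capture is constructed, and the leader's own entry, PLACEHOLDER_STATE and the last two WWNs are invented.

```python
import re

WWN = r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}"
LEADER_RE = re.compile(rf"^\s*Group Leader Node Name:\s*({WWN})", re.I)
NODE_RE = re.compile(rf"^\s*Node Name:\s*({WWN})", re.I)
STATE_RE = re.compile(r"^\s*State:\s*(\S+)")

# Constructed capture: leader's own entry, last two nodes, PLACEHOLDER_STATE invented.
SAMPLE = """\
NODE LIST
Total Number of defined nodes: 4
Group Leader Node Name: 10:00:00:05:1e:54:22:44
Encryption Group state: CLUSTER_STATE_DEGRADED
Node Name: 10:00:00:05:1e:54:22:44
State: DEF_NODE_STATE_DISCOVERED
Node Name: 10:00:00:05:1e:c1:9b:91
State: DEF_NODE_STATE_DISCOVERED
Node Name: 10:00:00:05:1e:aa:aa:01
State: PLACEHOLDER_STATE
Node Name: 10:00:00:05:1e:aa:aa:02
State: PLACEHOLDER_STATE
"""

def parse_group_members(output):
    # Returns (group_leader_wwn, {node_wwn: state}).
    leader, states, current = None, {}, None
    for line in output.splitlines():
        if m := LEADER_RE.match(line):
            leader = m.group(1).lower()
        elif m := NODE_RE.match(line):
            current = m.group(1).lower()
        elif (m := STATE_RE.match(line)) and current:
            states[current] = m.group(1)  # assumed: State follows its Node Name
            current = None
    return leader, states

def discovered_members(output):
    # Members in DEF_NODE_STATE_DISCOVERED, never the group leader itself.
    leader, states = parse_group_members(output)
    if leader is None:
        raise ValueError("no 'Group Leader Node Name' line in capture")
    return [w for w, s in states.items()
            if s == "DEF_NODE_STATE_DISCOVERED" and w != leader]

def eject_command(output):
    # Refuse to build a command unless exactly one member qualifies.
    found = discovered_members(output)
    if len(found) != 1:
        raise ValueError(f"expected 1 discovered member, found {len(found)}")
    return f"cryptocfg --eject -membernode {found[0]}"
```
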

You can now delete the encryption group from the member node using the cryptocfg --delete -encgroup command, and perform a cryptocfg --show -groupcfg command to verify that no encryption group is defined on the member node as was done for Node181 in the two node example, as shown near the beginning of step 4.

5. Reregister all nodes that were a part of the other encryption group islands.

From Node182, you need to determine the CP certificate name associated with Node181. Use
the following command to look for Node182's CP certificate name:

Node182:admin-> cryptocfg --show -file -all

The output of this command will display a listing of all imported CP certificates. Identify the
certificate associated with Node181 and then use it to re-register Node181 as follows:

Node182:admin-> cryptocfg --reg -membernode 10:00:00:05:1e:55:33:33 <node181's certificate file name> <node181's IP address>

Within a minute or two, the encryption group will re-converge.
