Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual
53-1002925-01
Configuring CryptoTarget containers and LUNs . . . . . . . . . . . . . . .201
Redirection zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202
Deployment with Admin Domains (AD) . . . . . . . . . . . . . . . . . . . . . .202
Do not use DHCP for IP interfaces . . . . . . . . . . . . . . . . . . . . . . . . . .202
Ensure uniform licensing in HA clusters . . . . . . . . . . . . . . . . . . . . .202
Tape library media changer considerations . . . . . . . . . . . . . . . . . .202
Turn off host-based encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . .203
Avoid double encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .203
PID failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .203
Turn off compression on extension switches . . . . . . . . . . . . . . . . .203
Rekeying best practices and policies. . . . . . . . . . . . . . . . . . . . . . . .203
Manual rekey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204
Latency in rekey operations . . . . . . . . . . . . . . . . . . . . . . . . . . .204
Allow rekey to complete before deleting a container. . . . . . . .204
Rekey operations and firmware upgrades . . . . . . . . . . . . . . . .204
Do not change LUN configuration while rekeying . . . . . . . . . .204
Brocade native mode in LKM/SSKM installations . . . . . . . . .204
Recommendation for Host I/O traffic during online rekeying and first-time encryption . . . . . . . . . . . . . . . . . . . . . .205
KAC certificate registration expiry . . . . . . . . . . . . . . . . . . . . . . . . . .205
Changing IP addresses in encryption groups . . . . . . . . . . . . . . . . .205
Disabling the encryption engine . . . . . . . . . . . . . . . . . . . . . . . . . . .205
Recommendations for Initiator Fan-Ins . . . . . . . . . . . . . . . . . . . . . .206
Best practices for host clusters in an encryption environment . . .207
HA Cluster deployment considerations and best practices . . . . . .207
Key Vault Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .207
Tape Device LUN Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .207
Maintenance and Troubleshooting
Encryption group and HA cluster maintenance. . . . . . . . . . . . . . . .210
Displaying encryption group configuration or status information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .210
Removing a member node from an encryption group. . . . . . .210
Deleting an encryption group . . . . . . . . . . . . . . . . . . . . . . . . . .213
Removing an HA cluster member . . . . . . . . . . . . . . . . . . . . . . .213
Displaying the HA cluster configuration . . . . . . . . . . . . . . . . . .214
Replacing an HA cluster member . . . . . . . . . . . . . . . . . . . . . . .215
Deleting an HA cluster member . . . . . . . . . . . . . . . . . . . . . . . .217
Performing a manual failback of an encryption engine . . . . .218