Specific guidelines for ha clusters – Brocade Fabric OS Encryption Administrator’s Guide Supporting RSA Data Protection Manager (DPM) Environments (Supporting Fabric OS v7.2.0) User Manual
Page 249

Fabric OS Encryption Administrator’s Guide (DPM)
229
53-1002922-01
Firmware upgrade and downgrade considerations
5
Guidelines for firmware upgrade of encryption switches and a DCX Backbone chassis with
encryption blades deployed in a DEK cluster with two HA clusters:
•
Upgrade nodes in one HA cluster at a time.
•
Within an HA cluster, upgrade one node at a time.
•
Guidelines for firmware upgrade of encryption switches and a DCX Backbone chassis with
encryption blades deployed in DEK cluster with No HA cluster (each node hosting one path).
-
Upgrade one node at a time.
-
In the case of active/passive arrays, upgrade the node which is hosting the passive path
first. Upgrade the node which is hosting active path next. The Host MPIO ensures that I/O
fails over and fails back from active to passive and back to active during this firmware
upgrade process.
-
In the case of active/active arrays, upgrade order of nodes does not matter, but you still
must upgrade one node at a time. The Host MPIO ensures that I/O fails over and fails back
from one active path to another active path during this firmware upgrade process.
•
All nodes in an encryption group must be at the same firmware level before starting a rekey or
first-time encryption operation.
•
A firmware consistency check for Fabric OS 6.4.0(x) and later is enforced in an encryption
group if any of the v6.4.0(x) features is enabled, for example, device decommission, disk tape
co-existence, and replication. If any Fabric OS 6.4.0(x) feature is in an enabled state, then any
firmware download to Fabric OS v6.3.x or earlier is blocked.
-
Do not try registering a node running Fabric OS 6.3.x or earlier to an encryption group
when all nodes are running Fabric OS 6.4.0(x) with one or more Fabric OS 6.4.0(x) features
enabled.
-
Disable all Fabric OS 6.4.0(x) features before ejecting a node running Fabric OS 6.4.0(x)
and registering the node as a member of an encryption group with nodes running Fabric
OS 6.3.x or earlier.
Specific guidelines for HA clusters
The following are specific guidelines for a firmware upgrade of the encryption switch or blade when
deployed in HA cluster. The guidelines are based on the following scenario:
•
There are 2 nodes (BES1 and BES2) in the HA cluster.
•
Each node hosts certain number of CryptoTarget containers and associated LUNs.
•
Node 1 (BES1) needs to be upgraded first.
1. Change the failback mode to manual if it was set to auto by issuing the following command on
the group leader:
Admin:switch> cryptocfg --set -failbackmode manual
2. On node 1 (BES1), disable the encryption engine to force the failover of CryptoTarget
containers and associated LUNs onto the HA cluster peer member node 2 (BES2) by issuing
the following command.
Admin:switch> cryptocfg --disableEE