Specific guidelines for ha clusters – Brocade Fabric OS Encryption Administrator’s Guide Supporting Key Management Interoperability Protocol (KMIP) Key-Compliant Environments (Supporting Fabric OS v7.1.0) User Manual

Fabric OS Encryption Administrator’s Guide (KMIP)

229

53-1002747-02

Firmware upgrade and downgrade considerations

5

•

Guidelines for firmware upgrade of encryption switches and a DCX Backbone chassis with
encryption blades deployed in DEK cluster with No HA cluster (each node hosting one path).

-

Upgrade one node at a time.

-

In the case of active/passive arrays, upgrade the node which is hosting the passive path
first. Upgrade the node which is hosting active path next. The Host MPIO ensures that I/O
fails over and fails back from active to passive and back to active during this firmware
upgrade process.

-

In the case of active/active arrays, upgrade order of nodes does not matter, but you still
must upgrade one node at a time. The Host MPIO ensures that I/O fails over and fails back
from one active path to another active path during this firmware upgrade process.

•

All nodes in an encryption group must be at the same firmware level before starting a rekey or
first-time encryption operation.

Specific guidelines for HA clusters

The following are specific guidelines for a firmware upgrade of the encryption switch or blade when
deployed in HA cluster. The guidelines are based on the following scenario:

•

There are 2 nodes (BES1 and BES2) in the HA cluster.

•

Each node hosts certain number of CryptoTarget containers and associated LUNs.

•

Node 1 (BES1) needs to be upgraded first.

1. Change the failback mode to manual if it was set to auto by issuing the following command on

the group leader:

Admin:switch> cryptocfg --set -failbackmode manual

2. On node 1 (BES1), disable the encryption engine to force the failover of CryptoTarget

containers and associated LUNs onto the HA cluster peer member node 2 (BES2) by issuing
the following command.

Admin:switch> cryptocfg --disableEE

3. Ensure that these CryptoTarget Containers and LUNs actually fail over to node 2 (BES2) in the

HA cluster. Check for all LUNs in encryption enabled state on node 2 (BES2). This ensures that
I/O also fails over to node 2 (BES2) and continues during this process.

4. On node 1 (BES1) enable the encryption engine (EE), by issuing the following command.

Admin:switch> cryptocfg --enableEE

5. Start firmware download (upgrade) on the node 1 (BES1). Refer to the Fabric OS

Administrator’s Guide to review firmware download procedures.

6. After firmware download is complete and node 1 (BES1) is back up, make sure the encryption

engine is online.

7. On node 1 (BES1) initiate manual failback of CryptoTarget containers and associated LUNs

from node 2 (BES2) to node 1 (BES1) by issuing the following command.

Admin:switch> cryptocfg --failback -EE