Specific guidelines for ha clusters – Brocade Fabric OS Encryption Administrator’s Guide Supporting Key Management Interoperability Protocol (KMIP) Key-Compliant Environments (Supporting Fabric OS v7.1.0) User Manual
Page 247

Fabric OS Encryption Administrator’s Guide (KMIP)
229
53-1002747-02
Firmware upgrade and downgrade considerations
5
•
Guidelines for firmware upgrade of encryption switches and a DCX Backbone chassis with
encryption blades deployed in DEK cluster with No HA cluster (each node hosting one path).
-
Upgrade one node at a time.
-
In the case of active/passive arrays, upgrade the node which is hosting the passive path
first. Upgrade the node which is hosting active path next. The Host MPIO ensures that I/O
fails over and fails back from active to passive and back to active during this firmware
upgrade process.
-
In the case of active/active arrays, upgrade order of nodes does not matter, but you still
must upgrade one node at a time. The Host MPIO ensures that I/O fails over and fails back
from one active path to another active path during this firmware upgrade process.
•
All nodes in an encryption group must be at the same firmware level before starting a rekey or
first-time encryption operation.
Specific guidelines for HA clusters
The following are specific guidelines for a firmware upgrade of the encryption switch or blade when
deployed in HA cluster. The guidelines are based on the following scenario:
•
There are 2 nodes (BES1 and BES2) in the HA cluster.
•
Each node hosts certain number of CryptoTarget containers and associated LUNs.
•
Node 1 (BES1) needs to be upgraded first.
1. Change the failback mode to manual if it was set to auto by issuing the following command on
the group leader:
Admin:switch> cryptocfg --set -failbackmode manual
2. On node 1 (BES1), disable the encryption engine to force the failover of CryptoTarget
containers and associated LUNs onto the HA cluster peer member node 2 (BES2) by issuing
the following command.
Admin:switch> cryptocfg --disableEE
3. Ensure that these CryptoTarget Containers and LUNs actually fail over to node 2 (BES2) in the
HA cluster. Check for all LUNs in encryption enabled state on node 2 (BES2). This ensures that
I/O also fails over to node 2 (BES2) and continues during this process.
4. On node 1 (BES1) enable the encryption engine (EE), by issuing the following command.
Admin:switch> cryptocfg --enableEE
5. Start firmware download (upgrade) on the node 1 (BES1). Refer to the Fabric OS
Administrator’s Guide to review firmware download procedures.
6. After firmware download is complete and node 1 (BES1) is back up, make sure the encryption
engine is online.
7. On node 1 (BES1) initiate manual failback of CryptoTarget containers and associated LUNs
from node 2 (BES2) to node 1 (BES1) by issuing the following command.
Admin:switch> cryptocfg --failback -EE