
Key vault best practices, Tape device lun mapping – Brocade Fabric OS Encryption Administrator’s Guide Supporting Key Management Interoperability Protocol (KMIP) Key-Compliant Environments (Supporting Fabric OS v7.1.0) User Manual


Fabric OS Encryption Administrator’s Guide (KMIP)

53-1002747-02


For AIX-based Power HA System Mirror host clusters, the cluster repository disk should be
defined outside of the encryption environment.

HA Cluster deployment considerations and best practices

It is mandatory that the two encryption engines in the HA cluster belong to two different nodes for
true redundancy. This is always the case for Brocade Encryption Switches, but is not true if two
FS8-18 blades in the same DCX Backbone chassis are configured in the same HA cluster. In Fabric
OS v6.3.0 and later releases, HA cluster creation is blocked when encryption engines belonging to
FS8-18 blades in the same DCX Backbone chassis are specified.

Key Vault Best Practices

Make sure that the time difference between the Brocade Encryption Switch and the KMIP key vault
does not exceed one minute.

When encrypted disk LUNs are to be configured or moved to an Encryption Group that uses a
different key vault, make sure to decommission the encrypted LUNs from the old Encryption
Group.

Tape Device LUN Mapping

When performing LUN mapping, ensure that a given LUN number from a backend physical target is
the same across all initiators in the container. Failure to do so can result in unpredictable switch
behavior including blade/switch faults. Use the following command to list the LUNs in the target.

switch:admin> cryptocfg --discoverLUN

NOTE

It is recommended that you follow the above rule if a given LUN on the backend target is LUN
mapped to different initiators.
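
A consistency check for the LUN mapping rule above, as an added example that is not part of the Brocade guide: it reads saved output of the discovery command and reports any backend LUN that appears under different LUN numbers for different initiators. The line layout (Host, LUN number, LUN serial number), the use of the serial number to identify the same backend LUN, and the sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, not captured from a switch. The field labels are an
# assumed layout for the command's output; adjust FIELD if yours differ.
SAMPLE = """\
Container name: tape_ctc1
Number of LUN(s): 4
Host: 10:00:00:00:c9:00:00:01
LUN number: 0x0
LUN serial number: SERIAL-A
Host: 10:00:00:00:c9:00:00:01
LUN number: 0x1
LUN serial number: SERIAL-B
Host: 10:00:00:00:c9:00:00:02
LUN number: 0x0
LUN serial number: SERIAL-A
Host: 10:00:00:00:c9:00:00:02
LUN number: 0x2
LUN serial number: SERIAL-B
"""

FIELD = re.compile(r"^\s*(Host|LUN number|LUN serial number):\s*(\S+)\s*$")

def parse_records(text):
    """Yield (host, lun_number, serial) for each complete LUN record."""
    rec = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Host":
            rec = {}  # a Host line starts a new record
        rec[key] = value
        if len(rec) == 3:
            yield rec["Host"], int(rec["LUN number"], 0), rec["LUN serial number"]
            rec = {}

def inconsistent_mappings(text):
    """Return {serial: {lun_number: [hosts]}} for LUNs seen under >1 number."""
    seen = defaultdict(lambda: defaultdict(list))
    for host, lun, serial in parse_records(text):
        seen[serial][lun].append(host)
    return {s: {n: sorted(h) for n, h in nums.items()}
            for s, nums in seen.items() if len(nums) > 1}

if __name__ == "__main__":
    print(inconsistent_mappings(SAMPLE))
```

An empty result means every backend LUN is presented under one LUN number to all initiators in the container; any entry in the result names the LUN and the initiators whose mappings disagree.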