
Removing stale rekey information for a lun, Downgrading firmware from fabric os 7.1.0 – Brocade Fabric OS Encryption Administrator’s Guide Supporting Key Management Interoperability Protocol (KMIP) Key-Compliant Environments (Supporting Fabric OS v7.1.0) User Manual

Fabric OS Encryption Administrator’s Guide (KMIP)

53-1002747-02

NOTE

When attempting to reclaim a failed Brocade Encryption Switch, do not execute cryptocfg --transabort. Doing so will cause subsequent reclaim attempts to fail.

Removing stale rekey information for a LUN

To clean up stale rekey information for a LUN, complete one of the following procedures:

Procedure 1:

1. Modify the LUN policy from “encrypt” to “cleartext” and commit. The LUN will become disabled.

2. Enable the LUN using the following command:

Admin:switch> cryptocfg --enable -LUN

3. Modify the LUN policy from “cleartext” to “encrypt” with the enable_encexistingdata command to enable the first-time encryption, then commit. This will clear the stale rekey metadata on the LUN and the LUN can be used again for encryption.

Procedure 2:

1. Remove the LUN from the CryptoTarget Container and commit.

2. Add the LUN back to the CryptoTarget Container with LUN State=“clear-text”, policy=“encrypt” and “enable_encexistingdata” set for enabling the first-time encryption, then commit. This will clear the stale rekey metadata on the LUN and the LUN can be used again for encryption.

Downgrading firmware from Fabric OS 7.1.0

NOTE

KMIP is not supported prior to Fabric OS 7.1.0. As a result, if your key vault type is KMIP and you
attempt to download firmware to a Fabric OS version earlier than 7.1.0, the action will be blocked
and you are prompted with the following error message:

“Downgrade is not allowed when key vault type is KMIP. Please use the command cryptocfg --set -keyvault type to set a different key vault type other than KMIP to disable the feature.”

Follow the steps as described in the error message to disable the feature, and thus allow a firmware
downgrade to Fabric OS 7.0.x or v6.4.x.

NOTE

When disabling the firmware consistency check, there should be no LUNs with pending
decommission or in a failed state. If the firmware download to a version earlier than Fabric OS 7.1.0
is disallowed because of any LUNs under decommission or in a failed state, you must either
complete decommissioning, or remove the offending LUNs before retrying cryptocfg --delete -decommissionedkeyids to disable the firmware consistency check.