Gathering information – Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual

140

Fabric OS Encryption Administrator’s Guide (LKM/SSKM)

53-1002925-01

CryptoTarget container configuration

3

All nodes within an encryption group must be upgraded to Fabric OS v6.4 or a later release to
support hosting disk and tape target containers on the same encryption engine. If any node within
an encryption group is running an earlier release, disk and tape containers must continue to be
hosted on separate encryption engines.

If tape backup or restore jobs are in progress, quiesce the host I/Os for the disk LUNs for which
rekey or first-time encryption must be performed before rebalancing.

During rebalancing operations, be aware of the following:

•

You may notice a slight disruption in Disk I/O. In some cases, manual intervention may be
needed.

•

Backup jobs to tapes may need to be restarted after rebalancing completes.

To determine if rebalancing is recommended for an encryption engine, check the encryption engine
properties. Beginning with Fabric OS v6.4, a field is added that indicates whether or not
rebalancing is recommended

You may be prompted to rebalance during the following operations:

•

When adding a new disk or tape target container.

•

When removing an existing disk or tape target container.

•

After failover to a backup encryption engine in an HA cluster.

•

After an failed encryption engine in an HA cluster is recovered, and failback processing has
taken place.

To rebalance an encryption engine, do the following.

1. Log in to the switch as Admin or FabricAdmin.

2. Issue the cryptocfg

--

show

-

localEE command.

3. Look for Rebalance recommended under EE Attributes in the output.

4. If rebalancing is recommended, issue the cryptocfg

--

rebalance command. If the encryption

node is a blade, include the blade’s slot number (cryptocfg

--

rebalance ).

Gathering information

Before you begin, have the following information ready:

•

The switch WWNs of all nodes in the encryption group. Use the cryptocfg

--

show

-

groupmember

-

all command to gather this information.

•

The port WWNs of the targets whose LUNs are being enabled for data-at-rest encryption.

•

The port WWNs of the hosts (initiators) which should gain access to the LUNs hosted on the
targets.

Any given target may have multiple ports through which a given LUN is accessible and the ports are
connected to different fabrics for redundancy purposes. Any given target port through which the
LUNs are accessible must be hosted on only one Encryption switch (or pair in case of HA
deployment). Another such target port should be hosted on a different encryption switch either in
the same fabric or in a different fabric based on host MPIO configuration.

A given host port through which the LUNs are accessible is hosted on the same encryption switch
on which the target port (CryptoTarget container) of the LUNs is hosted.