
KAC certificate registration expiry, Changing IP addresses in encryption groups, Disabling the encryption engine – Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual


Fabric OS Encryption Administrator’s Guide (LKM/SSKM), 53-1002925-01, page 205
Chapter 5: KAC certificate registration expiry

Recommendation for Host I/O traffic during online rekeying and first-time encryption

You may see failed I/Os if writes are done to a LUN that is undergoing first-time encryption or
rekeying. It is recommended that host I/O operations be quiesced and not restarted until the
rekey or first-time encryption operations for the LUN are complete.

KAC certificate registration expiry

It is important to keep track of when your signed KAC certificates will expire. Failure to work with
valid certificates causes certain commands not to work as expected. If you are using the certificate
expiry feature and the certificate expires, the key vault server will not respond as expected. For
example, the Group Leader in an encryption group might show that the key vault is connected,
while a member node reports that the key vault is not responding.

To verify the certificate expiration date, use the following command:

openssl x509 -in signed_kac_cert.pem -dates -noout

Output:

Not Before: Dec 4 18:03:14 2009 GMT

Not After : Dec 4 18:03:14 2010 GMT

In the example above, the certificate validity is active until “Dec 4 18:03:14 2010 GMT.” After the
KAC certificate has expired, the registration process must be redone.
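The guide leaves tracking the expiry date to the administrator. The following script is an added example, not part of the guide or of Fabric OS: it parses the output of the openssl command above and reports whether a KAC certificate is valid, about to expire, or already expired (the point at which registration must be redone). It accepts both the "Not After :" form printed in the guide and the `notAfter=` form that `openssl x509 -dates` actually emits; the sample output, the 30-day warning threshold and the function names are assumptions.

```python
"""Track KAC certificate expiry from `openssl x509 -in <cert> -dates -noout` output."""
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample: the validity dates the guide shows for signed_kac_cert.pem.
SAMPLE_OUTPUT = """Not Before: Dec  4 18:03:14 2009 GMT
Not After : Dec  4 18:03:14 2010 GMT
"""

# Accepts both the guide's "Not After :" form and openssl's "notAfter=" form.
_DATE_LINE = re.compile(r"^\s*not\s*(before|after)\s*[:=]\s*(.+?)\s*$",
                        re.IGNORECASE | re.MULTILINE)

def _as_utc(when):
    """Accept an aware datetime or an ISO-8601 string; naive values are taken as UTC."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)

def parse_openssl_dates(text):
    """Return (not_before, not_after) as aware UTC datetimes."""
    found = {}
    for which, value in _DATE_LINE.findall(text):
        value = " ".join(value.split())           # collapse openssl's day padding
        value = value[:-4] if value.endswith(" GMT") else value
        found[which.lower()] = datetime.strptime(
            value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    if set(found) != {"before", "after"}:
        raise ValueError("openssl output did not contain both validity dates")
    return found["before"], found["after"]

def certificate_status(text, now=None, warn_days=30):
    """Classify the certificate relative to `now`; returns (status, days_remaining)."""
    now = _as_utc(now) if now else datetime.now(timezone.utc)
    not_before, not_after = parse_openssl_dates(text)
    remaining = not_after - now
    if now < not_before:
        return "not-yet-valid", remaining.days
    if remaining <= timedelta(0):
        return "expired", remaining.days       # registration must be redone
    if remaining <= timedelta(days=warn_days):
        return "expiring", remaining.days      # renew and re-register before expiry
    return "valid", remaining.days

def check_kac_cert(path, warn_days=30):
    """Run the guide's openssl command on a PEM file and classify the result."""
    out = subprocess.run(["openssl", "x509", "-in", path, "-dates", "-noout"],
                         check=True, capture_output=True, text=True).stdout
    return certificate_status(out, warn_days=warn_days)

if __name__ == "__main__":
    print(certificate_status(SAMPLE_OUTPUT))
```

Run `check_kac_cert("signed_kac_cert.pem")` from a scheduled job on the node holding the certificate so an "expiring" result is seen before the key vault stops responding.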

Changing IP addresses in encryption groups

Generally, when IP addresses are assigned to the Ge0 and Ge1 ports, they should not be changed.
If an encryption group member node IP address must be changed, refer to “IP Address change of a
node within an encryption group” on page 120.

Disabling the encryption engine

The disable encryption engine interface command, cryptocfg --disableEE [slot number], should be
used only during firmware download, and when the encryption and security capabilities of the
encryption engine have been compromised. When disabling the encryption capabilities of the
encryption engine, be sure the encryption engine is not hosting any CryptoTarget containers. All
CryptoTarget containers hosted on the encryption switch or FS8-18 blade must either be removed
from the encryption engine, or be moved to a different encryption engine in an HA Cluster or
encryption group before disabling the encryption and security capabilities.