HP B-series Fabric OS 7.0.0c Release Notes (5697-1432, December 2011-includes all 7.0.0x versions)

Addition of 3PAR Session/Enclosure LUNs to CTCs is now supported. Session/Enclosure LUNs
(LUN 0xFE) used by 3PAR InServ arrays must be added to CryptoTarget (CTC) containers with
LUN state set to cleartext and encryption policy set to cleartext. HP StorageWorks
Encryption SAN Switch/HP StorageWorks DC Switch Encryption FC Blade do not perform
any explicit enforcement of this requirement.
The cryptocfg --manual_rekey -all command should not be used in environments
with multiple encryption engines (HP StorageWorks DC Switch Encryption FC blades) installed
in an HP StorageWorks DC SAN Backbone Director Switch/HP StorageWorks DC04 SAN
Director Switch/HP SN8000B 8-Slot SAN Backbone Director Switch and the HP SN8000B
4-Slot SAN Director Switch chassis when more than one encryption engine has access to the
same LUN. In such situations, use the cryptocfg --manual_rekey <CTC> <LUN Num>
<Initiator PWWN> command to manually rekey these LUNs.
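The following sketch shows one way to check an inventory for the condition described above before choosing between the bulk and per-LUN rekey forms. It is an added example, not HP or Brocade code. The inventory rows, the "LUN identity" field used to recognize one physical LUN behind two engines, and the choice of a single path per LUN are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed inventory, not switch output. One row per path:
# (encryption engine, CTC name, LUN number, initiator PWWN, LUN identity).
# "LUN identity" is an assumed unique id (for example an array serial) that
# lets CTC entries on different engines be matched to one physical LUN.
INVENTORY = [
    ("ee_slot1", "ctc_a", "0x0", "10:00:00:00:c9:aa:00:01", "lun-001"),
    ("ee_slot2", "ctc_b", "0x0", "10:00:00:00:c9:aa:00:02", "lun-001"),
    ("ee_slot1", "ctc_a", "0x1", "10:00:00:00:c9:aa:00:01", "lun-002"),
    ("ee_slot2", "ctc_b", "0x3", "10:00:00:00:c9:aa:00:02", "lun-003"),
]

def paths_by_lun(inventory):
    """Group paths by LUN identity."""
    paths = defaultdict(list)
    for ee, ctc, lun_num, pwwn, lun_id in inventory:
        paths[lun_id].append((ee, ctc, lun_num, pwwn))
    return paths

def shared_luns(inventory):
    """Return identities of LUNs reachable through more than one engine."""
    return sorted(lun_id for lun_id, p in paths_by_lun(inventory).items()
                  if len({ee for ee, *_ in p}) > 1)

def plan_rekey(inventory):
    """Return (bulk_ok, commands).

    bulk_ok is True when no LUN is visible to more than one engine, so the
    bulk form is not ruled out and no per-LUN commands are generated.
    Otherwise commands holds one per-LUN rekey command for every LUN.
    """
    if not shared_luns(inventory):
        return True, []
    commands = []
    for lun_id, paths in sorted(paths_by_lun(inventory).items()):
        # Assumption: one command per physical LUN, issued on the first
        # path in sorted order, so a shared LUN is not rekeyed twice.
        _, ctc, lun_num, pwwn = sorted(paths)[0]
        commands.append(f"cryptocfg --manual_rekey {ctc} {lun_num} {pwwn}")
    return False, commands

if __name__ == "__main__":
    bulk_ok, commands = plan_rekey(INVENTORY)
    print("shared LUNs:", shared_luns(INVENTORY))
    print("bulk rekey not ruled out:", bulk_ok)
    print("\n".join(commands))
```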
When adding nodes to an Encryption Group, ensure all node Encryption Engines are in an
enabled state.
When host clusters are deployed in an Encryption environment, note the following
recommendations:
If two EEs (encryption engines) are part of an HAC (High Availability Cluster), configure
the host/target pair such that they form a multipath from both EEs. Avoid connecting both
the host/target pairs to the same EE. This connectivity does not give full redundancy in
the case of EE failure resulting in HAC failover.
Since quorum disk plays a vital role in keeping the cluster in sync, configure the quorum
disk to be outside of the encryption environment.
The -key_lifespan option has no effect for cryptocfg --add -LUN; it has an effect only
for cryptocfg --create -tapepool for tape pools declared -encryption_format
native. For all other encryption cases, a new key is generated each time a medium is rewound
and block zero is written or overwritten. For the same reason, the Key Life field in the output
of cryptocfg --show -container -all -stat should always be ignored, and the
“Key life” field in cryptocfg --show -tapepool -cfg is significant only for
native-encrypted pools.
The Quorum Authentication feature requires a compatible DCFM or HP Network Advisor
release (DCFM 10.4 or later for pre-Fabric OS 7.0.0a and Network Advisor 11.1 or later
for Fabric OS 7.0.0x) that supports this feature. Note that all nodes in the EG must be running
Fabric OS 6.3.0 or later for quorum authentication to be properly supported.
The System Card feature requires a compatible DCFM or HP Network Advisor release (DCFM
10.4 or later for pre-Fabric OS 7.0.0a and Network Advisor 11.1 or later for Fabric OS
7.0.0x) that supports this feature. All nodes in the EG must be running Fabric OS 6.3.0 or
later for system verification to be properly supported.
The HP StorageWorks Encryption SAN Switch and HP StorageWorks DC Switch Encryption
FC Blade do not support QoS. When using encryption or Frame Redirection, participating
flows should not be included in QoS Zones.
HP SKM/ESKM are supported with Multiple Nodes and Dual SKM/ESKM Key Vaults. Two-way
certificate exchange is supported. See the Encryption Admin Guide for configuration
information. If you are using dual SKM/ESKMs on HP StorageWorks Encryption SAN
Switch/HP StorageWorks DC Switch Encryption FC Blade Encryption Group, then these
SKM/ESKM appliances must be clustered. Failure to cluster results in key creation failure.
Otherwise, register only one SKM/ESKM on the HP StorageWorks Encryption SAN Switch/HP
StorageWorks DC Switch Encryption FC Blade Encryption Group.
With Windows and Veritas Volume Manager/Veritas Dynamic Multipathing, when LUN sizes
less than 400 MB are presented to HP StorageWorks Encryption SAN Switch for encryption,