Brocade Fabric OS Encryption Administrator's Guide Supporting Fabric OS v6.2.0 (53-1001201-04, May 2009)

CryptoTarget container configuration
FIGURE 71 Relationship between initiator, virtual target, virtual initiator and target
CryptoTarget container configuration is performed by the Admin or FabricAdmin role.
CryptoTarget container configuration uses a transaction model. Configuration changes must be
committed before they take effect.
CAUTION
When configuring a LUN with multiple paths, there is a considerable risk of ending up with
potentially catastrophic scenarios where different policies exist for each path of the LUN, or a
situation where one path ends up being exposed through the encryption switch and another path
has direct access to the device from a host outside the secured realm of the encryption platform.
Failure to follow correct configuration procedures for multi-path LUNs results in data corruption.
If you are configuring multi-path LUNs as part of an HA cluster or DEK cluster or as a stand-alone
LUN accessed by multiple hosts, follow the instructions described in the section “Configuring a
multi-path Crypto LUN” on page 152.
Gathering information
Before you begin, have the following information ready:
- The switch WWNs of all nodes in the encryption group. Use the cryptocfg --show -groupmember -all command to gather this information.
- The port WWNs of the targets whose LUNs are being enabled for data-at-rest encryption.
- The port WWNs of the hosts (initiators) which should gain access to the LUNs hosted on the targets.
Any given target may have multiple ports through which a given LUN is accessible, and these ports
are connected to different fabrics for redundancy. Each target port through which the LUNs are
accessible must be hosted on only one encryption switch (or one pair, in an HA deployment).
Another such target port should be hosted on a different encryption switch, either in the same
fabric or in a different fabric, depending on the host MPIO configuration.
A given host port through which the LUNs are accessible is hosted on the same encryption switch
on which the target port (CryptoTarget container) of the LUNs is hosted.
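
The hosting rules above and the multi-path CAUTION can be checked against a planned layout before any change is committed. The following is an added example, not code from the guide or from Brocade; the Path record, the check_plan function, the WWNs and the policy labels are all hypothetical and constructed for illustration.

```python
from collections import defaultdict, namedtuple

# Hypothetical planning record, one per path to a LUN (not a Fabric OS format).
# enc_switch is None when the target port is not hosted in a CryptoTarget container.
Path = namedtuple("Path", "lun target_pwwn enc_switch policy host_pwwn host_switch")

def check_plan(paths, ha_pairs=()):
    """Return sorted findings for a planned multi-path CryptoTarget layout."""
    def unit(switch):
        # An HA pair counts as one hosting unit for a target port.
        for pair in ha_pairs:
            if switch in pair:
                return frozenset(pair)
        return frozenset([switch])

    findings = set()
    hosted_on = defaultdict(set)   # target port WWN -> hosting units
    by_lun = defaultdict(list)     # LUN -> all of its paths
    for p in paths:
        by_lun[p.lun].append(p)
        if p.enc_switch is None:
            continue
        hosted_on[p.target_pwwn].add(unit(p.enc_switch))
        if p.host_switch != p.enc_switch:
            findings.add(f"{p.host_pwwn}: host port is not on the switch hosting {p.target_pwwn}")
    for target, units in hosted_on.items():
        if len(units) > 1:
            findings.add(f"{target}: target port hosted on more than one encryption switch")
    for lun, lun_paths in by_lun.items():
        hosted = [p for p in lun_paths if p.enc_switch is not None]
        if hosted and len(hosted) < len(lun_paths):
            findings.add(f"{lun}: a path reaches the device without the encryption switch")
        if len({p.policy for p in hosted}) > 1:
            findings.add(f"{lun}: paths carry different policies")
    return sorted(findings)

# Constructed sample data: WWNs and policy labels are made up for illustration.
SW_A, SW_B = "10:00:00:00:00:00:0a:01", "10:00:00:00:00:00:0b:01"
T1, T2, T3 = (f"50:00:00:00:00:00:01:0{i}" for i in (1, 2, 3))
H1, H2, H3 = (f"21:00:00:00:00:00:aa:0{i}" for i in (1, 2, 3))
GOOD = [Path("lun0", T1, SW_A, "encrypt", H1, SW_A),
        Path("lun0", T2, SW_B, "encrypt", H2, SW_B)]
BAD = [Path("lun0", T1, SW_A, "encrypt", H1, SW_A),
       Path("lun0", T2, SW_B, "cleartext", H2, SW_A),  # policy differs, host on wrong switch
       Path("lun0", T3, None, None, H3, None)]         # path outside the encryption switch

if __name__ == "__main__":
    for name, plan in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_plan(plan) or "no findings")
```

Pass the members of each HA cluster as `ha_pairs` so that a target port hosted on both switches of a pair is not reported.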