Brocade Fabric OS Encryption Administrator's Guide Supporting Fabric OS v6.2.0 (53-1001201-04, May 2009)

206 Encryption Administrator’s Guide
53-1001201-04
Appendix B: General encryption troubleshooting using the CLI

TABLE 15 General troubleshooting tips using the CLI (Continued)

Command: switch:SecurityAdmin> cryptocfg --show -groupcfg
Activity:
  - Check key vault connection status.
  - Check encryption group/cluster status.
    Note: CONVERGED status means the cluster is formed successfully.

Command: switch:SecurityAdmin> cryptocfg --show -groupmember -all
Activity:
  1. Check encryption group/cluster member status.
     Note: DISCOVERED state means the member is currently part of a cluster.
  2. Check encryption engine/SP and KEK status.
     Note: SP state ONLINE means the encryption engine is enabled for encryption with a valid KEK (Link Key or Master Key).
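The two Table 15 commands give the states the guide says to look for (a CONVERGED cluster, DISCOVERED members, SP state ONLINE), and the first row of Table 16 notes that a lost LKM key vault connection raises no RAS log, so this check has to be run deliberately rather than waited for. The following Python is an added example, not Brocade code and not taken from this guide: it post-processes captured output of `cryptocfg --show -groupcfg` and `cryptocfg --show -groupmember -all` and lists anything that is not in those states. The output layout it parses is a constructed approximation (the guide does not print the real CLI output); only the labels and state words come from the guide, so the patterns would need adjusting to the real switch output.

```python
"""Health check over captured `cryptocfg --show` output.

Added example, not Brocade code. The SAMPLE_* strings are constructed: the
guide names the state words (CONVERGED, DISCOVERED, ONLINE) and the things
to check (key vault connection status, group state, member state, SP state)
but does not print the real CLI layout, so label text and line shapes here
are assumptions. Capture real output with e.g.
`ssh secadmin@switch 'cryptocfg --show -groupcfg'` and adjust the patterns.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a healthy group (assumed layout).
SAMPLE_GROUPCFG_OK = """\
Encryption Group Name:                 eg_constructed
Key Vault Type:                        LKM
Primary Key Vault Connection Status:   Connected
Backup Key Vault Connection Status:    Not Configured
Encryption Group State:                CLUSTER_STATE_CONVERGED
"""

# Constructed sample: key vault link lost and cluster not converged.
SAMPLE_GROUPCFG_DEGRADED = """\
Encryption Group Name:                 eg_constructed
Key Vault Type:                        LKM
Primary Key Vault Connection Status:   Not Connected
Backup Key Vault Connection Status:    Not Configured
Encryption Group State:                CLUSTER_STATE_DISCOVERING
"""

# Constructed sample: two members, one healthy, one still joining.
SAMPLE_GROUPMEMBER = """\
Node Name:   10:00:00:05:1e:00:00:01
State:       DISCOVERED
  EE Slot:   0
  SP State:  ONLINE
Node Name:   10:00:00:05:1e:00:00:02
State:       DISCOVERING
  EE Slot:   0
  SP State:  WAITING FOR INITIALIZATION
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "ok", "info" or "alert"
    message: str


def check_groupcfg(text: str) -> list[Finding]:
    """Key vault connectivity and cluster state from `--show -groupcfg`."""
    findings: list[Finding] = []
    vault_lines = [l for l in text.splitlines()
                   if re.search(r"key vault.*connection status", l, re.I)]
    if not vault_lines:
        # Silence is not good news: the guide says a lost LKM connection
        # produces no RAS log, so a missing status line is itself an alert.
        findings.append(Finding("alert", "no key vault connection status reported"))
    for line in vault_lines:
        label, _, value = line.partition(":")
        value = value.strip()
        if value.lower() == "connected":
            sev = "ok"
        elif value.lower() == "not configured":
            sev = "info"
        else:
            sev = "alert"
        findings.append(Finding(sev, f"{label.strip()}: {value}"))
    m = re.search(r"group state\s*:\s*(\S+)", text, re.I)
    state = m.group(1) if m else "UNKNOWN"
    if "CONVERGED" in state.upper():          # guide: CONVERGED = cluster formed
        findings.append(Finding("ok", f"cluster state {state}: cluster formed"))
    else:
        findings.append(Finding("alert", f"cluster state {state}: cluster not converged"))
    return findings


def check_groupmembers(text: str) -> list[Finding]:
    """Member state and SP state from `--show -groupmember -all`."""
    findings: list[Finding] = []
    node = "?"
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "node name":
            node = value
        elif key == "state":               # guide: DISCOVERED = member is in the cluster
            sev = "ok" if "DISCOVERED" in value.upper() else "alert"
            findings.append(Finding(sev, f"member {node}: state {value}"))
        elif key == "sp state":            # guide: ONLINE = EE enabled with a valid KEK
            sev = "ok" if value.upper() == "ONLINE" else "alert"
            findings.append(Finding(sev, f"member {node}: SP state {value}"))
    return findings


def alerts(findings: list[Finding]) -> list[str]:
    return [f.message for f in findings if f.severity == "alert"]


def run_health_check(groupcfg_text: str, groupmember_text: str) -> list[str]:
    """Alert messages for one poll of both commands; empty list means healthy."""
    return alerts(check_groupcfg(groupcfg_text) + check_groupmembers(groupmember_text))


if __name__ == "__main__":
    for name, gc in (("healthy", SAMPLE_GROUPCFG_OK), ("degraded", SAMPLE_GROUPCFG_DEGRADED)):
        print(name, run_health_check(gc, SAMPLE_GROUPMEMBER) or ["no alerts"])
```

Run from cron or a monitoring agent against output captured over SSH, a non-empty list from `run_health_check` is the signal the guide says the switch will not raise on its own for a lost LKM connection; the "Not Configured" backup vault is reported as information rather than an alert so that a single-vault deployment does not page continuously.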
TABLE 16 General errors related to using the CLI

Problem: When the connectivity to an LKM key vault is lost, a RAS log message is not generated.
Resolution: Issue any of the cryptocfg commands that initialize a key vault communication (such as the cryptocfg --show -groupcfg command).

Problem: After you create an encryption group using RKM, a newly created container's LUN state changes between "Write metadata is pending" and "Write metadata is in progress" with continuous [RKD-1001] messages displayed on the console.
Resolution: Power cycle the DCX chassis and then issue the cryptocfg --enableEE [slot number] command to bring the container's LUN state to Encryption Enabled. If the eth0 IP address on the Brocade Encryption Switch or on the FS8-18 port blade has been modified, a reboot is required.

Problem: LUN state for some LUNs remains in "initialize" state on the passive path.
Resolution: This is expected behavior. The LUNs exposed through passive paths of the target array will be in either "Initialize" or "LUN Discovery Complete" state as long as the paths remain in the passive condition. When the passive path becomes active, the LUN changes to "Encryption Enabled." Use the cryptocfg --show -LUN command with the -stat option to check the LUN state.

Problem: A backup fails because the LUN is always in the initialize state for the tape container. Tape media is encrypted and gets a key which is archived in the key vault. The key is encrypted with a master key. At a later point in time you generate a new master key. You decide to use this tape media to back up other data. You rewind the tape, erase the tape, relabel the tape, and start a backup from the start of the tape. When the first command comes from the host, the key vault is queried for the tape media based on the media serial number. Since this tape media was used previously, the key is already present in the key vault for this media serial number, but this key is encrypted with the old master key and that master key is not present in the switch. You cannot create a new key for this tape media because, per policy, there can be only one key per media.
Resolution: Use one of two resolutions:
  - Load the old master key on the switch at an alternate location. The key for the tape media can then be decrypted.
  - Delete the key for the tape media from the key vault. This forces the switch to create a new key for the tape media.
  Until you start the backup, the LUN remains in "initialize" state.

Problem: "Invalid certificate" error message received when doing a KAC certificate exchange between the Brocade Encryption Switch and an LKM appliance. This error is due to the Brocade Encryption Switch time being ahead of the LKM appliance time.
Resolution: Use one of two resolutions:
  - Change the LKM appliance time to match the start period of the KAC certificate.
  - Change the Brocade Encryption Switch time to synchronize with the LKM appliance time.
  Upon completion, regenerate the KAC certificate and then do another KAC certificate exchange with the LKM appliance.
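The last Table 16 row attributes the "Invalid certificate" result of the KAC exchange to the switch clock running ahead of the LKM appliance clock, which makes the appliance see a certificate whose start time is still in its own future. The following Python is an added example, not Brocade code: given the certificate dates in the form `openssl x509 -noout -dates` prints them and the current time read from each side, it reports whether that skew is present and which of the guide's two resolutions apply. It also reports an expired certificate, which the guide does not discuss, since the same comparison covers it. The certificate dates and clock readings are constructed.

```python
"""Clock-skew check for the 'Invalid certificate' KAC exchange failure.

Added example, not Brocade code. The guide says the error arises when the
Brocade Encryption Switch clock is ahead of the LKM appliance clock, so the
appliance sees a KAC certificate whose notBefore lies in its future. This
script takes the validity window as `openssl x509 -noout -dates` prints it
plus a clock reading from each side and says whether skew explains the
symptom. All dates and times below are constructed.
"""
from __future__ import annotations

import ssl
from datetime import datetime, timezone

# Constructed: what `openssl x509 -noout -dates -in kac.pem` would print for
# a certificate the switch generated at its local time of 2009-05-10 00:00 UTC.
SAMPLE_OPENSSL_DATES = """\
notBefore=May 10 00:00:00 2009 GMT
notAfter=May 10 00:00:00 2010 GMT
"""

# Constructed clocks: the switch runs 65 minutes ahead of the appliance.
SWITCH_NOW = datetime(2009, 5, 10, 0, 5, tzinfo=timezone.utc)
APPLIANCE_NOW = datetime(2009, 5, 9, 23, 0, tzinfo=timezone.utc)

# The guide's two resolutions, verbatim.
RESOLUTIONS = (
    "Change the LKM appliance time to match the start period of the KAC certificate.",
    "Change the Brocade Encryption Switch time to synchronize with the LKM appliance time.",
)


def validity_from_openssl_dates(text: str) -> tuple[str, str]:
    """Extract notBefore/notAfter strings from `openssl x509 -noout -dates` output."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields["notBefore"], fields["notAfter"]


def diagnose_kac_certificate(not_before: str, not_after: str,
                             switch_now: datetime, appliance_now: datetime) -> dict:
    """Judge the certificate from the appliance's point of view.

    Returns the verdict, the switch-minus-appliance skew in seconds (positive
    means the switch is ahead, the case the guide describes), how long the
    appliance would have to wait before the certificate becomes valid, and
    the applicable advice.
    """
    nb = ssl.cert_time_to_seconds(not_before)   # stdlib parser for OpenSSL date text
    na = ssl.cert_time_to_seconds(not_after)
    ap = appliance_now.timestamp()
    skew = switch_now.timestamp() - ap
    if ap < nb:
        verdict = "not_yet_valid_on_appliance"
        advice = list(RESOLUTIONS) + [
            "Then regenerate the KAC certificate and repeat the KAC certificate exchange."]
    elif ap > na:
        verdict = "expired_on_appliance"        # not in the guide; same check covers it
        advice = ["Certificate has expired: regenerate it and repeat the exchange."]
    else:
        verdict = "valid_on_appliance"
        advice = ["Certificate validity is not the cause of the error."]
    return {"verdict": verdict, "skew_seconds": skew,
            "seconds_until_valid": max(0.0, nb - ap), "advice": advice}


if __name__ == "__main__":
    nb, na = validity_from_openssl_dates(SAMPLE_OPENSSL_DATES)
    print(diagnose_kac_certificate(nb, na, SWITCH_NOW, APPLIANCE_NOW))
```

Reading the clocks from both devices and running this before touching either one confirms the diagnosis the guide gives; a `valid_on_appliance` verdict with near-zero skew means the certificate dates are not the problem and changing clocks would only disturb logging and key-vault timestamps for nothing.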