Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June 2010)

Fabric OS Encryption Administrator’s Guide 185
53-1001864-01
Encryption group and HA cluster maintenance
6
Replacing an HA cluster member
1. Log into the group leader as Admin or SecurityAdmin.
2. Enter the cryptocfg
--replace -haclustermember command. Specify the HA cluster name, the
node WWN of the encryption engine to be replaced, and the node WWN of the replacement
encryption engine. Provide a slot number if the encryption engine is a blade. The replacement
encryption engine must be part of the same encryption group as the encryption engine that is
replaced.
SecurityAdmin:switch>cryptocfg --replace -haclustermember HAC2 \
10:00:00:05:1e:53:4c:91 10:00:00:05:1e:39:53:67
Replace HA cluster member status: Operation Succeeded.
3. Enter cryptocfg --commit to commit the transaction.
Case 1: Replacing a failed encryption engine in an HA cluster
Assume a working HA cluster with two operational encryption engines, EE1 and EE2. The target T1
is hosted on EE1 and target T2 is hosted on EE2. Refer to Figure 72.
EE2 fails and generates an offline notification. The target hosted on EE2 (T2 in this case)
automatically fails over to EE1. Even though the target T2 is now hosted on EE1 because of the
failover process, the target association is still EE2, and the container status is displayed on the
hosting node as failover. Use the cryptocfg --show -container crypto target container name -stat
command to display the container status.
1. Invoke the cryptocfg
--replace -haclustermember command on the group leader to replace
the failed encryption engine (EE2) with another encryption engine (EE3). This operation
effectively removes the failed encryption engine (EE2) from the HA cluster and adds the
replacement encryption engine (EE3) to the HA cluster. The target associations (T2) from the
failed encryption engine (EE2) are transferred to the replacement encryption engine (EE3).
2. Commit the transaction. If failback mode is set to auto, the target (T2) which failed over earlier
to EE1 automatically fails back to the replaced encryption engine (EE3).
3. Once the transaction is committed, remove the failed encryption engine from the encryption
group.