Brocade Fabric OS v6.4.3f Release Notes v1.0
Fabric OS v6.4.3f Release Notes v1.0 Page 26 of 149
o Maximum of 6 Encryption nodes per Windows/Linux TKLM server.
o Maximum of 10 Encryption nodes per AIX TKLM server.
o Maximum of 16 tape sessions per Encryption node.
o Minimum of 180 second timeout for tape hosts.
Disk Encryption Rekey: Configupload/download does not retain the auto rekey value. The first auto
rekey after configdownload will occur based on the previously configured key life. The newly configured
key life value (as part of configdownload) will be used after the first auto rekey. (Defect 315174)
Disk encryption is not support for IBM iSeries (AS/400) hosts.
3Par Session/Enclosure LUNs to CTCs are now supported. Session/Enclosure LUNs (LUN 0xFE) used
by 3Par InServ arrays must be added to CryptoTarget (CTC) containers with LUN state “cleartext”,
encryption policy “cleartext”. No enforcement will be performed.
The “cryptocfg –manual_rekey –all” command should not be used in environments with multiple
encryption engines (FS8-18 blades) installed in a director-class chassis when more than one
encryption engine has access to the same LUN. In such situations, use the “cryptocfg –manual_rekey
<CTC> <LUN Num> <Initiator PWWN>” command to manually rekey these LUNs.
When adding Nodes to an Encryption Group, ensure all Node Encryption Engines are in an Enabled
state.
When host clusters are deployed in an Encryption environment, please note the following
recommendations:
o If two EEs (encryption engines) are part of a HAC, configure the host/target pair such that they
form a multipath from both EEs. Avoid connecting both the host/target pairs to the same EE.
This connectivity does not give full redundancy in case of EE failure resulting in HAC failover.
o Since quorum disk plays a vital role in keeping the cluster in sync, please configure the
quorum disk to be outside of the encryption environment.
The “–key_lifespan” option has no effect for “cryptocfg –add –LUN”, and only has an effect for
“cryptocfg --create –tapepool” for tape pools declared “-encryption_format native”. For all other
encryption cases, a new key is generated each time a medium is rewound and block zero is written or
overwritten. For the same reason, the “Key Life” field in the output of “cryptocfg --show -container -all
–stat” should always be ignored, and the “Key life” field in “cryptocfg --show –tapepool –cfg” is only
significant for native-encrypted pools.
The Quorum Authentication feature requires a compatible DCFM release (DCFM 10.3 or later) that
supports this feature. Note, all nodes in the EG must be running FOS v6.3.0 or later for quorum
authentication to be properly supported.
The System Card feature requires a compatible DCFM release that supports this feature. Note, all
nodes in the EG must be running FOS v6.3.0 or later for system verification to be properly supported.
The Brocade Encryption switch and FS8-18 blade do not support QoS. When using encryption or
Frame Redirection, participating flows should not be included in QoS Zones.
When using Brocade Native Mode, in LKM installations, manual rekey is highly recommended. If auto
rekey is desired, the key expiry date should be configured only when the LUN is created. Never modify
the expiry date after configuring a LUN. If you modify the expiry time, after configuring the LUN the
expiration date will not update properly.
SKM is supported with Multiple Nodes and Dual SKM Key Vaults. Two-way certificate exchange is
supported. Please refer to the Encryption Admin Guide for configuration information. If using dual
SKMs on BES/FS8-18 Encryption Group, then these SKM Appliances must be clustered. Failure to
cluster will result in key creation failure. Otherwise, register only one SKM on the BES/FS8-18
Encryption Group.