Technical data
Fabric OS Encryption Administrator’s Guide (DPM) 187
53-1002720-02
Configuring LUNs for SRDF/TF or RP deployments
Synchronizing source and target LUN SRDF/RP pairs
This section describes the proper procedure for establishing the local/remote LUN pair in an SRDF
or RP environment.
NOTE
The remote/target LUNs must be added to their CryptoTarget Containers (CTCs) only after the local
site LUNs' encryption setup has been completed.
1. If necessary, create the remote/R2 LUN at the remote site, ensuring that it is identical in size to
the local/R1 site LUN. At this time, do not configure the remote LUN to be a part of any remote
site CTC.
2. Establish the local-to-remote LUN replication/synchronization and wait for the pair to become
fully synchronized.
NOTE
During the initial SRDF/RP replication (or while replicating/synchronizing after a rekey of the
source LUN), the remote/R2 LUNs must not be exposed for access to the remote site hosts.
Although the SRDF/RP behavior may make the remote/R2 LUN read-only or not-ready, it is
mandated that the target ports be physically taken offline. Once synchronized, if remote
access to the target LUN becomes necessary, the process of bringing the remote target ports
online will ensure the correct Data Encryption Key (DEK) is injected into every Encryption
Engine (EE) with a path to the remote LUN.
3. Verify the SRDF/RP pair is in a synchronized state using the EMC Solution Enabler or the RP
GUI, depending on which technology you are implementing.
4. Verify that the DEKs are synchronized between the local and remote DPMs. This can be done
manually for each LUN as follows:
a. Issue the command cryptocfg --show -vendorspecifickeyid key_ID for each replicated
LUN and capture the UUIDs (Universally Unique Identifiers) returned.
b. Search for this UUID on the remote key vaults to ensure its presence.
Alternatively, simply bringing the remote site LUNs online ensures the remote DEKs are
present. To bring the remote/R2 LUNs online, follow these steps:
a. Bring all target ports through which the remote LUNs are accessible online.
b. If not already created, add the remote/R2 CTCs for each path to each remote LUN.
FabricAdmin:switch> cryptocfg --create -container disk <remote target container name> EE_node_WWN [EE_slot] target_PWWN target_NWWN [-initiator initiator_PWWN initiator_NWWN [initiator_PWWN initiator_NWWN]...]
c. Add the remote/R2 LUNs to all of their respective CTCs.
FabricAdmin:switch> cryptocfg --add -LUN <remote container name> <remote LUN ID> <initiator PWWN & NWWN> -lunstate encrypted -encrypt -newLUN
5. Commit the configuration.
6. Verify that the remote LUN states are “Encryption enabled” and their key IDs used for
encryption are the same as those used by the local/R1 LUNs.
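
The checks in steps 4 and 6 can be reconciled offline once the values have been collected by hand. The following is an added example, not part of the guide or of Fabric OS: the record layout, the names LunRecord and check_pairs, and all sample values are assumptions constructed for illustration, and it does not parse cryptocfg or key vault output.

```python
# Added example: reconcile R1/R2 LUN pairs against the checks in steps 4 and 6.
from dataclasses import dataclass

REQUIRED_STATE = "Encryption enabled"  # remote LUN state required by step 6

@dataclass(frozen=True)
class LunRecord:          # hypothetical, operator-assembled record
    lun_id: str           # operator's label shared by the R1/R2 pair
    state: str            # LUN state as read at that site
    key_id: str           # key ID in use for encryption
    dek_uuid: str         # UUID captured in step 4a

def norm(value: str) -> str:
    """Assumption: identifiers compare case-insensitively, ignoring padding."""
    return value.strip().lower()

def check_pairs(local, remote, remote_vault_uuids):
    """Return sorted (lun_id, problem) findings; an empty list means consistent."""
    vault = {norm(u) for u in remote_vault_uuids}
    remote_by_id = {r.lun_id: r for r in remote}
    findings = []
    for r1 in local:
        if norm(r1.dek_uuid) not in vault:                  # step 4b
            findings.append((r1.lun_id, "DEK UUID missing from remote key vault"))
        r2 = remote_by_id.get(r1.lun_id)
        if r2 is None:
            findings.append((r1.lun_id, "no remote/R2 record"))
            continue
        if r2.state != REQUIRED_STATE:                      # step 6, state
            findings.append((r1.lun_id, f"remote state is {r2.state!r}"))
        if norm(r2.key_id) != norm(r1.key_id):              # step 6, key ID
            findings.append((r1.lun_id, "remote key ID differs from local/R1"))
    return sorted(findings)

# Constructed sample data (not real key IDs, UUIDs or LUN states).
LOCAL = [
    LunRecord("lun0", REQUIRED_STATE, "AAAA0001", "uuid-0001"),
    LunRecord("lun1", REQUIRED_STATE, "AAAA0002", "uuid-0002"),
    LunRecord("lun2", REQUIRED_STATE, "AAAA0003", "uuid-0003"),
]
REMOTE = [
    LunRecord("lun0", REQUIRED_STATE, "aaaa0001", "uuid-0001"),
    LunRecord("lun1", "constructed-other-state", "AAAA0002", "uuid-0002"),
    LunRecord("lun2", REQUIRED_STATE, "BBBB0003", "uuid-0003"),
]
REMOTE_VAULT = ["UUID-0001", "uuid-0003"]

if __name__ == "__main__":
    for lun_id, problem in check_pairs(LOCAL, REMOTE, REMOTE_VAULT):
        print(f"{lun_id}: {problem}")
```

Any finding means the remote/R2 LUN should stay unexposed to remote site hosts until the discrepancy is resolved.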