Technical data
192 Fabric OS Encryption Administrator’s Guide (DPM)
53-1002720-02
SRDF/TF/RP manual rekeying procedures
3
3. During the rekeying operation, if desired, you can enable the remote targets ports so the target
LUNs can be accessed by the remote hosts in read-only mode.
4. Issue a manual rekey request for the source LUN.
FabricAdmin:switch> cryptocfg --manual_rekey <source container> <source LUN
ID> <initiator PWWN>
5. Wait until the rekey operation on the source LUN has completed. If the source LUN has a
rekeying error of any type, the RP pair consistency group should not be enabled. The source
LUN rekey must complete successfully before the source/target pair consistency group gets
re-enabled. After confirming that the rekey has completed on the source LUN, complete the
following steps to re-establish the source to target LUN replication.
a. Remove target LUN access by disabling all remote site target ports with access to the
target LUN.
NOTE
In environments in which the target ports through which the target LUNs are accessible
cannot be taken offline because they are used to access other LUNs, before remote
access to the remote LUNs is established, the refreshDEK command must be issued for all
CTCs associated with the remote LUNs after the source LUNs have been rekeyed and
synchronized with their target LUNs.
b. Enable the source/target LUN consistency group so that the rekeyed data from the source
LUN is copied to target LUN.
c. Verify that the RP pair is fully synchronized state using the RP GUI.
d. Verify that the DEKs are synchronized between the local and remote DPMs. This can be
done manually for each LUN as follows:
1. Issue the command cryptocfg
--show -vendorspecifickeyid key_ID for each
replicated LUN and capture the UUIDs (Universally Unique Identifier) returned
2. Search for this UUID on the remote DPMs to ensure its presence.
Alternatively, simply bringing the remote site LUNs online to the remote EEs ensures the
remote DEKs are present. To bring the remote LUNs online use following steps:
1. Restore target LUN access by enabling all remote site target ports (associated with
remote site CTCs) with access to the target LUN.
2. Verify that the remote LUN states are encryption enabled and their key IDs used for
encryption are the same as those used by the local site LUNs.
3. Take all target ports associated with CTCs through which the remote LUNs are
accessible offline.
After the rekey has completed, restoring from a bookmark taken prior to the rekey operation will
result in the source LUN becoming READ ONLY. Once you have restored from the bookmark, it is
imperative that you issue the refreshDEK command on all paths with access to the restored LUN.
NOTE
If the DEK is not synchronized between the local and remote sites, the remote LUN will automatically
become disabled.