Administrator's Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments (Supporting Fabric OS v7.2.0) Instruction Manual
53-1002923-01
Firmware upgrade and downgrade considerations
• Do not try to register a node running Fabric OS 6.3.x or earlier to an encryption group when all
nodes are running Fabric OS 6.4.0(x) with one or more Fabric OS 6.4.0(x) features enabled.
• Disable all Fabric OS 6.4.0(x) features before ejecting a node running Fabric OS 6.4.0(x) and
registering the node as a member of an encryption group with nodes running Fabric OS 6.3.x or
earlier.
Specific guidelines for HA clusters
The following are specific guidelines for a firmware upgrade of the encryption switch or blade when
deployed in an HA cluster. The guidelines are based on the following scenario:
• There are 2 nodes (BES1 and BES2) in the HA cluster.
• Each node hosts a certain number of CryptoTarget containers and associated LUNs.
• Node 1 (BES1) needs to be upgraded first.
1. Change the failback mode to manual if it was set to auto by issuing the following command on
the group leader:
Admin:switch> cryptocfg --set -failbackmode manual
2. On node 1 (BES1), disable the encryption engine to force the failover of CryptoTarget
containers and associated LUNs onto the HA cluster peer member node 2 (BES2) by issuing
the following command.
Admin:switch> cryptocfg --disableEE
3. Ensure that these CryptoTarget Containers and LUNs actually fail over to node 2 (BES2) in the
HA cluster. Check for all LUNs in encryption enabled state on node 2 (BES2). This ensures that
I/O also fails over to node 2 (BES2) and continues during this process.
4. On node 1 (BES1), enable the encryption engine (EE) by issuing the following command.
Admin:switch> cryptocfg --enableEE
5. Start the firmware download (upgrade) on node 1 (BES1). Refer to the Fabric OS
Administrator’s Guide to review firmware download procedures.
6. After firmware download is complete and node 1 (BES1) is back up, make sure the encryption
engine is online.
7. On node 1 (BES1), initiate manual failback of CryptoTarget containers and associated LUNs
from node 2 (BES2) to node 1 (BES1) by issuing the following command.
Admin:switch> cryptocfg --failback -EE
8. Check that CryptoTarget Containers and associated LUNs fail back successfully on node 1
(BES1), and host I/O also moves from node 2 (BES2) to node 1 (BES1) and continues during
the failback process.
9. To upgrade node 2 (BES2), repeat steps 2 to 8.
10. After all nodes in the Encryption Group have been upgraded, change the failback mode back
from manual to auto, if required, by issuing the following command.
Admin:switch> cryptocfg --set -failbackmode auto