HP B-series Fabric OS 7.1.0c Release Notes (5697-2892, October 2013 - includes all 7.1.0x versions)
CHASSIS, ERROR, MACE, FSS Error: fcsw0-vs: MISMATCH: component.,
svc.c, line: 2462, comp:FSSK_TH, ltime:2010/11/08-04:54:35:485484.
• The addition of 3PAR Session/Enclosure LUNs to CTCs is now supported. Session/Enclosure
LUNs (LUN 0xFE) used by 3PAR InServ arrays must be added to CryptoTarget (CTC) containers
with LUN state set to cleartext, and encryption policy set to cleartext. HP Encryption
SAN Switch/HP DC Switch Encryption FC Blade do not perform any explicit enforcement of
this requirement.
• When host clusters are deployed in an Encryption environment, note the following
recommendations:
◦ If two EEs (encryption engines) are part of an HAC (High Availability Cluster), configure
the host/target pair such that they form a multipath from both EEs. Avoid connecting both
the host/target pairs to the same EE. This connectivity does not give full redundancy in
the case of EE failure resulting in HAC failover.
◦ Since quorum disk plays a vital role in keeping the cluster in sync, configure the quorum
disk to be outside of the encryption environment.
• The –key_lifespan option has no effect for cryptocfg –add –LUN. It has an effect only
for cryptocfg --create –tapepool for tape pools declared -encryption_format
native. For all other encryption cases, a new key is generated each time a medium is rewound
and block zero is written or overwritten. For the same reason, the Key Life field in the output
of cryptocfg --show -container -all –stat should always be ignored, and the
“Key life” field in cryptocfg --show –tapepool –cfg is significant only for
native-encrypted pools.
• The Quorum Authentication feature requires a compatible DCFM or HP Network Advisor
release that supports this feature: DCFM 10.4 or later for pre-Fabric OS 7.0.0a and Network
Advisor 11.1 or later for Fabric OS 7.0.0a or later.
NOTE: All nodes in the EG must be running Fabric OS 6.3.0 or later for quorum
authentication to be properly supported.
• The System Card feature requires a compatible DCFM or HP Network Advisor release that
supports this feature: DCFM 10.4 or later for pre-Fabric OS 7.0.0a and Network Advisor
11.1 or later for Fabric OS 7.0.0a or later. All nodes in the EG must be running Fabric OS
6.3.0 or later for system verification to be properly supported.
• The HP Encryption SAN Switch and HP DC Switch Encryption FC Blade do not support QoS.
When using encryption or Frame Redirection, participating flows should not be included in
QoS Zones.
• HP SKM/ESKM are supported with Multiple Nodes and Dual SKM/ESKM Key Vaults. Two-way
certificate exchange is supported. See the Encryption Administration Guide for configuration
information. If you are using dual SKM/ESKMs on HP Encryption SAN Switch/HP DC Switch
Encryption FC Blade Encryption Group, then these SKM/ESKM appliances must be clustered.
Failure to cluster results in key creation failure. Otherwise, register only one SKM/ESKM on
the HP Encryption SAN Switch/HP DC Switch Encryption FC Blade Encryption Group.
• Starting with Fabric OS 7.1, SHA256 signatures will be used for the TLS certificates to connect
to the ESKM 3.0 Server using the ESKM 2.0 client. Upgrade from Fabric OS versions
(6.4.x/7.0.x) to Fabric OS 7.1.0 and later requires regeneration and re-registration of CA
and signed KAC certificates to restore connectivity to the key vault. This is also true for
downgrade from Fabric OS 7.1.0 and later to Fabric OS versions 6.4.x/7.0.x. Please refer
to the Encryption Administration Guide for more details on the ESKM/Fabric OS compatibility
matrix.
Important notes and recommendations 27