Brocade Fabric OS Encryption Administrator's Guide Supporting Fabric OS v6.2.0 (53-1001201-04, May 2009)
190 Encryption Administrator’s Guide
53-1001201-04
Firmware download considerations
5
Firmware download considerations
The encryption engine and the control processor or blade processor are reset after a firmware
upgrade. Disruption of encryption I/O can be avoided if an HA cluster is configured. If encryption
engines are configured in an HA cluster, perform firmware upgrades one encryption engine at a
time so that the partner switch in the HA cluster can take over I/O by failover during firmware
upgrade. When switches form a DEK cluster, firmware upgrades should also be performed one at a
time for all switches in the DEK cluster to ensure there is always a host MPIO failover path
available.
Firmware Upgrades and Downgrades
You cannot downgrade to a Fabric OS version release prior to Fabric OS version 6.1.1_enc. A
DCX/DCX-4S with one or more encryption blades must have the encryption blades removed prior to
downgrading from FOS v6.1.1_enc to an earlier release.
A downgrade to Fabric OS version 6.1.1_enc results in the loss of the following functionality.
• If an HP SKM key vault is implemented, a downgrade to v6.1.1_enc results in a loss of
encryption services in HP SKM environment.
• If tape encryption is configured on an encryption switch or blade, downgrading to v6.1.1_enc
will result in loss of tape encryption services.
• The Brocade Encryption Switch cannot operate with firmware prior to FOS v6.1.1_enc.
• General Guides for firmware upgrade of encryption switches and DCX or DCX-4S with
encryption blades in encryption groups, HA clusters, and DEK clusters are as follows:
- Upgrade one node at time.
- Do not do a firmware upgrade when re-key operations and first time encryption operations
are underway.
- Do not start any manual re-key operations and first time encryption operations during the
firmware upgrade process for all nodes in the HA/DEK cluster.
• Guidelines for firmware upgrade of encryption switches and DCX or DCX-4S with encryption
blades deployed in a DEK cluster with two HA clusters:
- Upgrade nodes in one HA cluster at a time.
- Within an HA cluster, upgrade one node at a time.
• Guidelines for firmware upgrade of encryption switches and DCX or DCX-4S with encryption
blades deployed in DEK cluster with No HA cluster (each node hosting one path.
- Upgrade one node at a time.
- In the case of active/passive arrays, upgrade the node which is hosting the passive path
first. Upgrade the node which is hosting active path next. The Host MPIO ensures that I/O
fails over and fails back from active to passive and back to active during this firmware
upgrade process.
- In the case of active/active arrays, upgrade order of nodes does not matter, but you still
must upgrade one node at a time. The Host MPIO ensures that I/O fails over and fails back
from one active path to another active path during this firmware upgrade process.
• All nodes in an encryption group must be at the same firmware level before starting a re-key or
first time encryption operation.