Brocade Fabric OS Encryption Administrator's Guide v6.3.0 (53-1001341-02, July 2009)
CryptoTarget container configuration
A CryptoTarget container is a configuration of “virtual devices” that is created for each target port
hosted on a Brocade Encryption Switch or FS8-18 blade. The container holds the configuration
information for a single target, including associated hosts and LUN settings. A CryptoTarget
container interfaces between the encryption engine, the external storage devices (targets), and the
initiators (hosts) that can access the storage devices through the target ports. Virtual devices
redirect the traffic between host and target/LUN to encryption engines so they can perform
cryptographic operations.
Virtual targets: Any given physical target port is hosted on one encryption switch or blade. If the
target LUN is accessible from multiple target ports, each target port is hosted on a separate
encryption switch or blade. There is a one-to-one mapping between each virtual target and the physical
target in the fabric whose LUNs are being enabled for cryptographic operations.
Virtual initiators: For each physical host configured to access a given physical target LUN, a virtual
initiator (VI) is generated on the encryption switch or blade that hosts the target port. If a physical
host has access to multiple targets hosted on different encryption switches or blades, you must
configure one virtual initiator on each encryption switch or blade that is hosting one of the targets.
The mapping between physical host and virtual initiator in a fabric is one-to-n, where n is the
number of encryption switches or blades that are hosting targets.
FIGURE 56 Relationship between initiator, virtual target, virtual initiator and target
CAUTION
When configuring a LUN with multiple paths, there is a considerable risk of ending up with
potentially catastrophic scenarios where different policies exist for each path of the LUN, or a
situation where one path ends up being exposed through the encryption switch and another path
has direct access to the device from a host outside the secured realm of the encryption platform.
Failure to follow correct configuration procedures for multi-path LUNs results in data corruption.
If you are configuring multi-path LUNs as part of an HA cluster or DEK cluster or as a stand-alone
LUN accessed by multiple hosts, follow the instructions described in the section “Configuring a
multi-path Crypto LUN” on page 117.
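The following added example (not part of the Brocade guide and not Fabric OS code) shows one way to audit a path inventory for the two conditions the caution describes, and to derive the one-to-n virtual initiator mapping. The `Path` record, the host, target, and switch labels, and the policy labels `encrypt` and `cleartext` are constructed assumptions for illustration.

```python
from collections import defaultdict
from typing import NamedTuple, Optional

class Path(NamedTuple):
    """One host-to-LUN path. Field names are hypothetical, not a Fabric OS format."""
    host: str                 # physical initiator (constructed label)
    target_port: str          # physical target port (constructed label)
    lun: str                  # array-side LUN identity, the same on every path
    hosted_on: Optional[str]  # encryption switch/blade hosting the target port, or None
    policy: Optional[str]     # LUN policy on this path (constructed labels), or None

# Constructed sample inventory.
PATHS = [
    Path("host-a", "tgt-1", "lun-0001", "es-1", "encrypt"),
    Path("host-a", "tgt-2", "lun-0001", "es-2", "encrypt"),
    Path("host-b", "tgt-1", "lun-0002", "es-1", "encrypt"),
    Path("host-b", "tgt-3", "lun-0002", None, None),         # not behind a container
    Path("host-c", "tgt-1", "lun-0003", "es-1", "encrypt"),
    Path("host-c", "tgt-2", "lun-0003", "es-2", "cleartext"),
]

def virtual_initiators(paths):
    """Map each host to the switches that need a virtual initiator for it (one-to-n)."""
    needed = defaultdict(set)
    for p in paths:
        if p.hosted_on:
            needed[p.host].add(p.hosted_on)
    return dict(needed)

def multipath_findings(paths):
    """Flag LUNs whose paths disagree on policy or bypass the encryption platform."""
    by_lun = defaultdict(list)
    for p in paths:
        by_lun[p.lun].append(p)
    findings = []
    for lun, group in sorted(by_lun.items()):
        hosted = [p for p in group if p.hosted_on]
        direct = sorted(p.target_port for p in group if not p.hosted_on)
        if hosted and direct:
            findings.append((lun, "bypass", direct))
        policies = sorted({p.policy for p in hosted if p.policy})
        if len(policies) > 1:
            findings.append((lun, "policy-mismatch", policies))
    return findings

if __name__ == "__main__":
    for host, switches in sorted(virtual_initiators(PATHS).items()):
        print(host, "needs a VI on", sorted(switches))
    for finding in multipath_findings(PATHS):
        print(finding)
```

A `bypass` finding means at least one path to the LUN reaches the device without passing through a CryptoTarget container; a `policy-mismatch` finding means the hosted paths carry different policies for the same LUN.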