Brocade Fabric OS Encryption Administrator's Guide v6.3.0 (53-1001341-02, July 2009)
Encryption Administrator’s Guide 107
53-1001341-02
CryptoTarget container configuration
3
Removing an initiator from a CryptoTarget container
You may remove one or more initiators from a given CryptoTarget container. This operation
removes the initiators’ access to the target port.
If the initiator has access to multiple targets and you wish to remove access to all targets, follow
the procedure described to remove the initiator from every CryptoTarget container that is
configured with this initiator.
NOTE
Stop all traffic between the initiator you intend to remove and its respective target ports. Failure to
do so results in I/O failure between the initiator and the target port.
1. Log into the group leader as Admin or FabricAdmin.
2. Enter the cryptocfg
--remove -initiator command. Specify the CryptoTarget container name
followed by one or more initiator port WWNs. The following example removes one initiator from
the CryptoTarget container “my_disk_tgt”.
FabricAdmin:switch>cryptocfg --rem -initiator my_disk_tgt
10:00:00:00:c9:2b:c9:3a
Operation Succeeded
3. Commit the transaction.
FabricAdmin:switch>cryptocfg --commit
Operation Succeeded
CAUTION
When configuring a multi-path LUN, you must remove all initiators from all CryptoTarget
containers in sequence before committing the transaction. Failure to do so may result in a
potentially catastrophic situation where one path ends up being exposed through the encryption
switch and another path has direct access to the device from a host outside the protected realm
of the encryption platform. Refer to the section “Configuring a multi-path Crypto LUN” on
page 117 for more information.
Deleting a CryptoTarget container
You may delete a CryptoTarget container to remove the target port from a given encryption switch
or blade. Deleting a CryptoTarget container removes the virtual target and all associated LUNs from
the fabric.
Before deleting a container, be aware of the following:
• Stop all traffic to the target port for which the CryptoTarget container is being deleted. Failure
to do so will cause data corruption (a mix of encrypted data and cleartext data will be written to
the LUN).
• Deleting a CryptoTarget container while a re-key or first-time encryption session causes all
data to be lost on the LUNs that are being re-keyed. Ensure that no re-key or first time
encryption sessions are in progress before deleting a container. Use the cryptocfg --show
-rekey -all command to determine the runtime status of the session. If for some reason, you
need to delete a container while re-keying, when you create a new container, be sure the LUNs
added to the container are set to cleartext. You can then start a new re-key session on clear
text LUNs.