
HP 4400 Release Note page 31

HP StorageWorks Fabric OS 6.2.2e release notes (5697-0809, February 2011 - includes all 6.2.2x versions)

When creating an HA Cluster or EG with two or more HP encryption switch/encryption blades,
the GE_Ports (I/O sync links) must be configured with an IP address for the eth0 and eth1
Ethernet interfaces using ipaddrset. In addition, both eth0 and eth1 Ethernet ports should
be connected to the network for redundancy. These I/O sync link connections must be
established before any Re-Key, First Time Encryption, or enabling of the EE for crypto operations.
Failure to do so results in HA Cluster creation failure. If the IP addresses for these ports are
configured after the EE has been enabled for encryption, the HP Encryption Switch must be rebooted
and Encryption Blades must be power-cycled with slotpoweroff/slotpoweron to sync the IP address
information to the EEs. If only one Ethernet port is configured and connected to a network,
data loss or suspension of Re-Key may occur when the network connection toggles or fails.
initEE will remove the existing master key or link key. Back up the master key by running
cryptocfg --exportmasterkey and cryptocfg --export -currentMK before running
cryptocfg --initEE. After initEE, regEE and enableEE, run cryptocfg --recovermasterkey
to recover the master key previously backed up, or in the case of a fresh install run cryptocfg
--genmasterkey to generate a new master key. If you are using SKM, establish a trusted
link with SKM again. Certificate exchange between key vaults and switches is not required
in this case.
The cryptocfg --disableEE [slot no] command (the disable EE interface CLI) should be
used only to disable the encryption and security capabilities of the EE from the Fabric OS Security
Admin in the event of a security compromise. When disabling the encryption capabilities of
the EE using the noted commands, the EE should not be hosting any CTCs. Ensure that all
CTCs hosted on the HP Encryption Switch or HP Encryption Blade are either removed or moved
to a different EE in the HA Cluster or EG before disabling the encryption and security
capabilities.
Whenever initNode is performed, new certificates for the CP and KAC (SKM) are generated.
Hence, each time initNode is performed, the new KAC certificate must be loaded onto the key
vaults for Secure Key Manager (SKM). Without this step, errors will occur, such as the key vault
not responding and ultimately key archival and retrieval problems.
The HTTP server should be listening to port 9443. Secure Key Manager is supported only
when configured to port 9443.
The HP Encryption Switch and HP Encryption Blade support registration of only one HP SKM
Key Vault for Fabric OS 6.2.2x. Multiple HP SKM Key Vaults can be clustered at the SKM
server level. Registration of a second SKM key vault is not blocked.
When the registered key vault connection goes down or the registered key vault is down, you
must correct the connection with the key vault, or replace the failed SKM and re-register it (deregister
the failed SKM entry and register the new SKM entry) on the HP Encryption Switch or HP Encryption
Blade. You must ensure that the replacement (new) SKM key vault is in sync with the rest of the
SKM units in the cluster in terms of the keys database (manually sync the keys database from an existing
SKM key vault in the cluster to the new or replacement SKM key vault using the key synchronization
methods provided in the SKM Admin Guide).
The SKM is supported with Multiple Nodes and Dual SKM Key Vaults. Two-way certificate
exchange is supported. See the Encryption Admin Guide for configuration information.
Direct FICON device connectivity is not supported for the HP Encryption Switch, or HP
Encryption Blade for front end User Ports. Also, FICON devices as part of Encryption or
Clear-Text flows are not supported, which means FICON devices cannot be configured as
Crypto Target Containers on the encryption switch or blade.
Ensure that all encryption engines in the HA cluster (HAC), Data Encryption Key (DEK) cluster,
or encryption group are online before invoking or starting rekey operations on LUNs. Also
ensure that all target paths for a LUN are online before invoking or starting rekey operations
on LUNs.
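The notes above are a set of preconditions an operator must verify before enabling an EE or starting a rekey: both I/O sync links addressed and connected, exactly one SKM key vault registered and reachable on port 9443, and every EE and every target path online. The following is an added example (not Fabric OS, HP or Brocade code) that turns those preconditions into a readiness gate. The data classes and field names are constructed stand-ins for status an operator would collect from the switch, not the output format of any real cryptocfg or ipaddrshow command.

```python
"""Pre-flight readiness gate for rekey / First Time Encryption (added example).

Encodes the preconditions from the Fabric OS 6.2.2x encryption release notes.
The status model below is constructed for this example; it is not a real
Fabric OS command output format.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SKM_PORT = 9443  # Secure Key Manager is supported only when configured on port 9443


@dataclass
class EngineStatus:
    """One encryption engine (EE); field names are hypothetical."""
    name: str
    online: bool
    eth0_ip: str | None = None   # I/O sync link address (set with ipaddrset)
    eth1_ip: str | None = None
    eth0_link_up: bool = False   # physically connected to the network
    eth1_link_up: bool = False


@dataclass
class KeyVault:
    """One registered SKM key vault; field names are hypothetical."""
    host: str
    port: int
    connected: bool


@dataclass
class LunStatus:
    """Target paths of one LUN, path name -> online."""
    lun_id: str
    target_paths: dict[str, bool] = field(default_factory=dict)


def sync_link_blockers(ee: EngineStatus) -> list[str]:
    """Both eth0 and eth1 must be addressed and connected: with a single link,
    a toggle or failure can suspend the rekey or lose data."""
    out: list[str] = []
    for port, ip, up in (("eth0", ee.eth0_ip, ee.eth0_link_up),
                         ("eth1", ee.eth1_ip, ee.eth1_link_up)):
        if not ip:
            out.append(f"{ee.name}: {port} has no IP address (configure with ipaddrset before enabling the EE)")
        elif not up:
            out.append(f"{ee.name}: {port} is configured but not connected")
    return out


def key_vault_blockers(vaults: list[KeyVault]) -> list[str]:
    """Only one SKM key vault is supported (a second registration is not blocked,
    so it must be caught here), it must use port 9443, and it must be reachable."""
    out: list[str] = []
    if len(vaults) != 1:
        out.append(f"expected exactly one registered SKM key vault, found {len(vaults)}")
    for kv in vaults:
        if kv.port != SKM_PORT:
            out.append(f"key vault {kv.host}: port {kv.port} is not supported, use {SKM_PORT}")
        if not kv.connected:
            out.append(f"key vault {kv.host}: connection down; repair it or deregister and register a replacement")
    return out


def rekey_blockers(engines: list[EngineStatus], vaults: list[KeyVault], lun: LunStatus) -> list[str]:
    """Return every reason a rekey on `lun` must not start; an empty list means go."""
    out: list[str] = []
    for ee in engines:
        if not ee.online:
            out.append(f"{ee.name}: encryption engine offline")
        out.extend(sync_link_blockers(ee))
    out.extend(key_vault_blockers(vaults))
    for path, online in lun.target_paths.items():
        if not online:
            out.append(f"LUN {lun.lun_id}: target path {path} offline")
    return out


if __name__ == "__main__":
    # Constructed sample: one EE missing its eth1 address, one target path down.
    engines = [EngineStatus("EE-slot1", True, "10.0.0.11", "10.0.1.11", True, True),
               EngineStatus("EE-slot2", True, "10.0.0.12", None, True, False)]
    vaults = [KeyVault("skm.example.invalid", 9443, True)]
    lun = LunStatus("lun-0x1", {"path-A": True, "path-B": False})
    for reason in rekey_blockers(engines, vaults, lun) or ["ready for rekey"]:
        print(reason)
```

Run it as a script to see the blocker list for the constructed sample; in practice the status objects would be filled from the operator's own checks of each EE, the key vault registration and the LUN's paths before the rekey is invoked.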
Encryption behavior
31
