Fabric OS v6.4.1 Release Notes v1.0 Page 26 of 62
• Disk Encryption Rekey: Configupload/download does not retain the auto rekey value. The first
auto rekey after configdownload will occur based on the previously configured key life. The newly
configured key life value (as part of configdownload) will be used after the first auto rekey. (Defect
• Disk encryption is not supported for IBM iSeries (AS/400) hosts.
• 3Par Session/Enclosure LUNs to CTCs are now supported. Session/Enclosure LUNs (LUN 0xFE)
used by 3Par InServ arrays must be added to CryptoTarget (CTC) containers with LUN state
“cleartext”, encryption policy “cleartext”. No enforcement will be performed.
• The “cryptocfg --manual_rekey -all” command should not be used in environments with multiple
encryption engines (FS8-18 blades) installed in a director-class chassis when more than one
encryption engine has access to the same LUN. In such situations, use the
“cryptocfg --manual_rekey <CTC> <LUN Num> <Initiator PWWN>” command to manually rekey these LUNs.
• When adding Nodes to an Encryption Group, ensure all Node Encryption Engines are in an
• When host clusters are deployed in an Encryption environment, please note the following
o If two EEs (encryption engines) are part of a HAC, configure the host/target pair such that they
form a multipath from both EEs. Avoid connecting both the host/target pairs to the same EE.
This connectivity does not give full redundancy in case of EE failure resulting in HAC failover.
o Since the quorum disk plays a vital role in keeping the cluster in sync, please configure the
quorum disk to be outside of the encryption environment.
• The “-key_lifespan” option has no effect for “cryptocfg --add -LUN”, and only has an effect for
“cryptocfg --create -tapepool” for tape pools declared “-encryption_format native”. For all other
encryption cases, a new key is generated each time a medium is rewound and block zero is
written or overwritten. For the same reason, the “Key Life” field in the output of
“cryptocfg --show -container -all -stat” should always be ignored, and the “Key life” field in
“cryptocfg --show -tapepool -cfg” is only significant for native-encrypted pools.
• The Quorum Authentication feature requires a compatible DCFM release (DCFM 10.3 or later) that
supports this feature. Note, all nodes in the EG must be running FOS v6.3.0 or later for quorum
authentication to be properly supported.
• The System Card feature requires a compatible DCFM release that supports this feature. Note,
all nodes in the EG must be running FOS v6.3.0 or later for system verification to be properly
• The Brocade Encryption switch and FS8-18 blade do not support QoS. When using encryption or
Frame Redirection, participating flows should not be included in QoS Zones.
• When using Brocade Native Mode, in LKM installations, manual rekey is highly recommended. If
auto rekey is desired, the key expiry date should be configured only when the LUN is created.
Never modify the expiry date after configuring a LUN. If you modify the expiry time after
configuring the LUN, the expiration date will not update properly.
• SKM is supported with Multiple Nodes and Dual SKM Key Vaults. Two-way certificate exchange is
supported. Please refer to the Encryption Admin Guide for configuration information. If using dual
SKMs on BES/FS8-18 Encryption Group, then these SKM Appliances must be clustered. Failure
to cluster will result in key creation failure. Otherwise, register only one SKM on the BES/FS8-18
• For dual LKM configuration on the Brocade Encryption Switch (BES) or a DCX/DCX-4S with FS8-18
blades as the primary and secondary key vaults, these LKM appliances must be clustered (linked).
Failure to cluster will result in key creation failure. Otherwise, register only one LKM on the