Fabric OS v6.4.1 Release Notes v1.0 Page 27 of 62
BES/FS8-18 Encryption Group. Please refer to the Encryption Admin Guide for configuration
• The RKM Appliance A1.6, SW v2.7 is supported. The procedure for setting up the RKM Appliance
with BES or a DCX/DCX-4S with FS8-18 blades is located in the Encryption Admin Guide.
• Support for registering a 2nd RKM Appliance on BES/FS8-18 is blocked. If the RKM Appliances
are clustered, then the virtual IP address hosted by a 3rd party IP load balancer for the RKM
Cluster must be registered on BES/FS8-18 in the primary slot for Key Vault IP.
• With Windows and Veritas Volume Manager/Veritas Dynamic Multipathing, when LUN sizes less
than 400MB are presented to BES for encryption, a host panic may occur. This configuration is
not supported in FOS v6.3.1 or later releases.
• HCL from FOS v6.3.x to v6.4 is supported. Cryptographic operations and I/O will be disrupted but
other layer 2 traffic will not.
• Relative to the BES and a DCX with FS8-18, all nodes in the Encryption Group must be at the
same firmware level of FOS v6.2 or later before starting a rekey or First Time Encryption operation.
Make sure that existing rekey or First Time Encryption operations complete before upgrading any
of the encryption products in the Encryption Group. Also, make sure that the upgrade of all nodes
in the Encryption Group completes before starting a rekey or First Time Encryption operation.
• To clean up the stale rekey information for the LUN, use one of the following two methods:
Method 1:
1. First, modify the LUN policy from “encrypt” to “cleartext” and commit. The LUN will
2. Enable the LUN using “cryptocfg --enable -LUN”. Modify the LUN policy from
“cleartext” to “encrypt” with “enable_encexistingdata” to enable the First Time
Encryption and commit. This will clear the stale rekey metadata on the LUN and the
LUN can be used again for encryption.
Method 2:
1. Remove the LUN from Crypto Target Container and commit.
2. Add the LUN back to the Crypto Target Container with LUN State=“clear-text”,
policy=“encrypt” and “enable_encexistingdata” set for enabling the First Time
Encryption and commit. This will clear the stale rekey metadata on the LUN and the
LUN can be used again for encryption.
• TEMS key vault support troubleshooting tips:
o Regarding TEMS key vault (KV) communication with a Brocade encryption group: the
default communication port setting for the TEMS KV is 37208. However, the Brocade
encryption members and leader use 9000, so this needs to be reset on NCKA.
Additionally, the following is a checklist of things to review if the initial attempt to connect
to the KV fails:
Check physical and logical connection via a ping on port 9000, this should be the
For the group leader node, the kac client cert and the kv cert files are to be
For group member nodes the kv file is to be the same as the kv file on the group
Crosscheck to ensure the private key file corresponds to the kac public cert file
on any node.
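
The final checklist item, confirming that the private key file corresponds to the kac public cert file, can be scripted with OpenSSL on an administration host. This is an added example, not part of the release notes or of Fabric OS; it assumes the key and certificate have been exported as PEM files, and all file names and the helper function names are placeholders.

```shell
#!/bin/sh
# Added example. File names are placeholders and PEM encoding is an assumption;
# neither comes from the release notes.

# Public key (PEM, SubjectPublicKeyInfo) embedded in a certificate.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Public key (PEM, SubjectPublicKeyInfo) derived from a private key.
# An encrypted key makes OpenSSL prompt for its passphrase.
key_pubkey() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# key_matches_cert KEY CERT
# Returns 0 if the private key corresponds to the certificate's public key,
# 1 if it does not, 2 if either file cannot be read or parsed.
key_matches_cert() {
    kmc_key_pub=$(key_pubkey "$1") || return 2
    kmc_cert_pub=$(cert_pubkey "$2") || return 2
    [ -n "$kmc_key_pub" ] && [ "$kmc_key_pub" = "$kmc_cert_pub" ]
}

# Generate a constructed (throwaway) key and self-signed certificate for a
# dry run of the check. Not for use on a real encryption node.
make_constructed_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-kac" \
        -keyout "$1" -out "$2" >/dev/null 2>&1
}

# Command-line use: sh check_kac.sh <private-key.pem> <kac-cert.pem>
if [ "$#" -eq 2 ]; then
    if key_matches_cert "$1" "$2"; then
        echo "OK: private key corresponds to the certificate"
    else
        rc=$?
        case "$rc" in
            1) echo "MISMATCH: key and certificate do not belong together" >&2 ;;
            *) echo "ERROR: could not read or parse key or certificate" >&2 ;;
        esac
        exit "$rc"
    fi
fi
```

A mismatch (exit status 1) means the certificate registered with the key vault was not generated from the private key held on that node, which is one cause of a failed initial connection.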