The following figure shows a single LUN on a port target that is accessed over two paths by a dual-port host. The two encryption switches form an encryption group and an HA cluster. The following example illustrates a simplified version of a multi-path LUN configuration.
FIGURE 90 A LUN accessible through multiple paths
The following steps may be used to configure multiple path access to the LUN, as shown in the figure.
1. Create zoning between host port 1 and target port 1. Refer to the section Creating an initiator-target zone on page 152 for instructions.
2. Create zoning between host port 2 and target port 2. Refer to the section Creating an initiator-target zone on page 152 for instructions.
3. On the group leader encryption switch (switch 1), create a CryptoTarget container for each target port and add the hosts in sequence. Do NOT commit the configuration until you have created all CryptoTarget containers and added all hosts to the respective containers.
a) Log in as Admin or FabricAdmin.
b) Create a CryptoTarget container (CTC1) for target port 1 to be hosted on the encryption engine of encryption switch 1. Refer to the section Creating a CryptoTarget container on page 155 for instructions on steps b. through e.
FabricAdmin:switch> cryptocfg --create -container disk CTC1 \
<switch 1 WWN> 0 <Target Port 1 WWN> <Target NWWN>
c) Create a CryptoTarget container (CTC2) for target port 2 to be hosted on the encryption engine of encryption switch 2.
FabricAdmin:switch> cryptocfg --create -container disk CTC2 \
<switch 2 WWN> 0 <Target Port2 WWN> <Target NWWN>
Configuring Encryption Using the CLI
d) Add host port 1 to the container CTC1.
FabricAdmin:switch> cryptocfg --add -initiator <CTC1> <Host Port1 WWN> \
<Host NWWN>
e) Add host port 2 to the container CTC2.
FabricAdmin:switch> cryptocfg --add -initiator <CTC2> <Host Port2 WWN> <Host NWWN>
f) Commit the configuration.
FabricAdmin:switch> cryptocfg --commit
Upon commit, redirection zones are created for target port 1, host port 1 and target port 2, host port 2. These redirection zones include the virtual target VT1 for CTC1, the virtual initiator VI1 for host port 1, the virtual target VT2 for CTC2 and the virtual initiator VI2 for host port 2. At this stage, the host loses access to all LUNs until the LUNs are explicitly added to the CryptoTarget containers.
4. Discover the LUNs. Perform steps 4 a. through c. to discover the LUNs for ALL CryptoTarget containers in sequence. Refer to the section Discovering a LUN on page 159 for details on the LUN discovery process and a command output example.
a) On encryption switch 1 (the group leader), enter the cryptocfg --discoverLUN command for the container CTC1. The command output displays the LUNs present in the target as exposed from target port 1 and as seen by host port 1, the LUN Number, host port 1 WWN, and the LUN Serial Number.
FabricAdmin:switch> cryptocfg --discoverLUN CTC1
b) On encryption switch 2, enter the cryptocfg --discoverLUN command for the container CTC2. The command output displays the LUNs present in the target as exposed from target port and as seen by host port 2, the LUN Number, host port 1 WWN, and the LUN Serial Number.
FabricAdmin:switch> cryptocfg --discoverLUN CTC2
c) Review the output of the LUN discovery to ensure that the LUN serial numbers for ALL LUNs are the same as seen on the target port 1 to host port 1 path and on the target port 2 to host port 2 path.
Identical LUN serial numbers validate the multi-path configuration.
5. Configure the LUN for all CryptoTarget containers in sequence by adding the LUN to each CryptoTarget container with identical policy settings. Refer to the sections Configuring a Crypto LUN on page 160 and Crypto LUN parameters and policies on page 161 for more information.
a) Add the LUN to the CryptoTarget container CTC1 with policies.
FabricAdmin:switch> cryptocfg --add -LUN CTC1 0 <Host Port1 WWN> \
<Host NWWN> -lunstate cleartext -encryption_format native -encrypt \
-enable_encexistingdata -enable_rekey 10
b) Add the same LUN to the CryptoTarget container CTC2. Use exactly the same LUN state and policy settings that you used for the LUN added to CTC1.
FabricAdmin:switch> cryptocfg --add -LUN CTC2 0 <Host Port2 WWN> \
<Host NWWN> -lunstate cleartext -encryption_format native -encrypt \
-enable_encexistingdata -enable_rekey 10
NOTE
The LUN policies must be exactly the same on both CTC1 and CTC2. Failure to do so results in undefined behavior and data corruption.
6. Validate the LUN policies for all containers. Display the LUN configuration for ALL CryptoTarget containers to confirm that the LUN policy settings are the same for all CryptoTarget containers.
FabricAdmin:switch> cryptocfg --show -LUN CTC1 0 <Host Port1 WWN> -cfg
FabricAdmin:switch> cryptocfg --show -LUN CTC2 0 <Host Port2 WWN> -cfg
Example:
FabricAdmin:switch> cryptocfg --show -LUN cx320157A 0x1 10:00:00:00:c9:56:e4:7b -cfg
EE node: 10:00:00:05:1e:40:4c:00
EE slot: 9
Target: 50:06:01:60:30:20:db:34 50:06:01:60:b0:20:db:34
VT: 20:00:00:05:1e:53:8d:cd 20:01:00:05:1e:53:8d:cd
Number of host(s): 1
Configuration status: committed
Host: 10:00:00:00:c9:56:e4:7b 20:00:00:00:c9:56:e4:7b
Encrypt existing data: disabled
Rekey: enabled
Key ID: not available
New LUN: No
Key life: 30 (days) 0 (minutes)
Operation succeeded.
7. Commit the LUN configuration.
FabricAdmin:switch> cryptocfg --commit
Make sure the LUNs in previously committed LUN configurations and LUN modifications have a LUN state of Encryption Enabled before creating and committing another batch of LUN configurations or modifications.
NOTE
A maximum of 25 disk LUNs can be added or modified in a single commit operation. The maximum commit for tape LUNs is eight. Attempts to commit configurations or modifications that exceed the maximum commit allowed will fail with a warning. There is a five-second delay before the commit operation takes effect.
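Step 6 and the NOTE on identical LUN policies can be checked mechanically before the commit in step 7. The following Python script is an added example, not part of the original guide: it parses captured cryptocfg --show -LUN ... -cfg output from both containers and reports every policy field that differs. It assumes the output prints one "Field: value" pair per line; the function names, the PATH_SPECIFIC set and the CTC2 sample values are assumptions made for illustration.

```python
# Added example: compare Crypto LUN policy fields captured from two containers.
# Path identity fields, expected to differ between CTC1 and CTC2 (assumption).
PATH_SPECIFIC = {"EE node", "EE slot", "Target", "VT", "Host"}

# Field lines from the example output on this page (treated here as CTC1).
CTC1_CFG = """\
EE node: 10:00:00:05:1e:40:4c:00
Target: 50:06:01:60:30:20:db:34 50:06:01:60:b0:20:db:34
VT: 20:00:00:05:1e:53:8d:cd 20:01:00:05:1e:53:8d:cd
Configuration status: committed
Host: 10:00:00:00:c9:56:e4:7b 20:00:00:00:c9:56:e4:7b
Encrypt existing data: disabled
Rekey: enabled
Key life: 30 (days) 0 (minutes)
Operation succeeded.
"""

# Constructed CTC2 sample: WWNs are made up; two policy values differ on purpose.
CTC2_CFG = """\
EE node: 10:00:00:05:1e:00:00:02
Target: 50:06:01:61:00:00:00:02 50:06:01:60:b0:20:db:34
VT: 20:02:00:05:1e:00:00:02 20:03:00:05:1e:00:00:02
Configuration status: committed
Host: 10:00:00:00:c9:00:00:02 20:00:00:00:c9:56:e4:7b
Encrypt existing data: enabled
Rekey: enabled
Key life: 10 (days) 0 (minutes)
"""

def parse_cfg(text):
    """Return {field: value} from captured -cfg output."""
    fields = {}
    for line in text.splitlines():
        # Skip the echoed command, blanks and lines without "Field: value".
        if line.startswith("FabricAdmin:") or ": " not in line:
            continue
        key, value = line.split(": ", 1)
        fields[key.strip()] = value.strip()
    return fields

def policy_mismatches(cfg_a, cfg_b):
    """Return {field: (value_a, value_b)} for policy fields that differ."""
    a, b = parse_cfg(cfg_a), parse_cfg(cfg_b)
    keys = (set(a) | set(b)) - PATH_SPECIFIC
    return {k: (a.get(k), b.get(k)) for k in sorted(keys) if a.get(k) != b.get(k)}

if __name__ == "__main__":
    for field, (v1, v2) in policy_mismatches(CTC1_CFG, CTC2_CFG).items():
        print(f"MISMATCH {field}: CTC1={v1!r} CTC2={v2!r}")
```

An empty result means the compared policy fields agree; any reported field should be corrected on the affected container before committing.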