Abstract: Aspects include receiving, at an input/output (I/O) processor, a transport control word (TCW) that includes an instruction to perform physical port mirroring. It is identified, by the I/O processor, a first port to be mirrored and a second port to perform the mirroring. The second port is a physical port on a host bus adapter (HBA). In response to outbound data being sent to the first port for transmission to a first target device and to the instruction specifying outbound port mirroring, the I/O processor sends a copy of the outbound data to a second target device via the second port. In response to receiving inbound data at the first port and to the instruction specifying inbound port mirroring, a copy of the inbound data is transmitted to the second target device via the second port.

Abstract: Techniques for a virtualized fabric name server for a storage area network are described herein. An aspect includes operating a storage area network, the storage area network including a hybrid control plane. Another aspect includes managing, using a virtualized fabric name server and the hybrid control plane, the storage area network, wherein the virtualized fabric name server is disposed in a container that is hosted on an element of the storage area network.

Abstract: Aspects include obtaining data to be transformed. A selected transformation to be applied to the data is determined based on a storage block address list entry (SBALE) in a storage block address list (SBAL). The SBALE includes at least one field that is used in determining the selected transformation to be applied. The selected transformation is applied on the data to generate transformed data and the transformed data is placed in a location specified by the SBAL.

Abstract: Embodiments of the invention are directed to registering one or more endpoint devices to receive a notification and detecting a congestion event related to a storage area network. The storage area network includes the one or more endpoint devices. The notification is sent regarding the congestion event to the one or more endpoint devices that have been registered for the notification.

Abstract: Techniques for a virtualized fabric management server for a storage area network are described herein. An aspect includes operating a storage area network, the storage area network including a hybrid control plane. Another aspect includes managing, using a virtualized fabric management server and the hybrid control plane, the storage area network, wherein the virtualized fabric management server is disposed in a container that is hosted on an element of the storage area network.

Abstract: Aspects of the invention include initializing a local key manager (LKM) on a node of a computing environment. The node includes a plurality of channels. The LKM is configured to provide a secure data transfer between the node and an other node of the computing environment. A connection is established, by the LKM, between the LKM and an external key manager (EKM) that stores a shared key for the node and the other node. In response to establishing the connection, the LKM registers security capabilities of the plurality of channels. The security capabilities are used by the LKM to provide the secure data transfer between the node and the other node.

Abstract: Aspects include obtaining data to be transformed. A selected transformation to be applied to the data is determined based on a storage block address list entry (SBALE) in a storage block address list (SBAL). The SBALE includes at least one field that is used in determining the selected transformation to be applied. The selected transformation is applied on the data to generate transformed data and the transformed data is placed in a location specified by the SBAL.

Abstract: Embodiments include performing a host-initiated link reset in a storage area network (SAN). Aspects include identifying, by a host in communication with the SAN, each link in the SAN, wherein each link is defined by a pair of ports. Aspects also include obtaining, by the host, a buffer credit balance for each port in the SAN and obtaining, by the host, a buffer credit for each port in the SAN and causing a reset of a link associated with the port by transmitting a link reset record from the host to a control device of the link based on a determination that the buffer credit of a port in the SAN is below a threshold value.

Abstract: Aspects include receiving, at an input/output (I/O) processor, a transport control word (TCW) that includes an instruction to perform physical port mirroring. It is identified, by the I/O processor, a first port to be mirrored and a second port to perform the mirroring. The second port is a physical port on a host bus adapter (HBA). In response to outbound data being sent to the first port for transmission to a first target device and to the instruction specifying outbound port mirroring, the I/O processor sends a copy of the outbound data to a second target device via the second port. In response to receiving inbound data at the first port and to the instruction specifying inbound port mirroring, a copy of the inbound data is transmitted to the second target device via the second port.

Abstract: Aspects include includes receiving, at an input/output (I/O) processor, a transport control word (TCW) that includes an instruction to perform virtual port mirroring. The I/O processor identifies a first port to be mirrored and a virtual port to perform the mirroring. The virtual port is a first memory location in a memory. In response to outbound data being sent to the first port for transmission to a first target device and to the instruction specifying outbound port mirroring, the I/O processor stores a copy of the outbound data in the first memory location. In response to inbound data being received at the first port and to the instruction specifying inbound port mirroring, a copy of the inbound data is stored at the first memory location.

Abstract: Aspects include selecting a channel group from a plurality of channel groups for an I/O operation. Each channel group in the plurality of channel groups is associated with a priority level and includes one or more channels. The selecting is based on a priority level assigned to the I/O operation and the priority level associated with the selected channel group. The I/O operation is driven on a selected channel in the selected channel group. A response time for the I/O operation is recorded and an average I/O response time for the selected channel is calculated. It is determined whether the plurality of channel groups should be reformed based at least in part on the calculated average response time for the selected channel. The plurality of channel groups are reformed in response to determining that the plurality of channel groups should be reformed.

Abstract: An approach for improving endpoint security. The approach requests security capabilities from endpoints of communications. The approach can analyze the differences between the security capabilities of the endpoints. The approach can negotiate a security capability supported by the endpoints of the communication. The approach can determine if the negotiation succeeded. If the negotiation failed, then the approach can create a report describing capabilities of the endpoints and suggesting changes to improve the endpoint security. The approach can send the report to the appropriate interested personnel.

Abstract: Aspects of the invention include receiving a request from an initiator channel on an initiator node to initiate a secure communication with a responder channel on a responder node. The receiving is at a local key manager (LKM) executing on the initiator node. A security association is created at the LKM between the initiator node and the responder node. An identifier of a shared key assigned for communication between the initiator node and the responder node is obtained, and a message requesting initialization of the secure communication between the initiator channel and the responder channel is built. The message includes the identifier of the shared key. The message is sent to the initiator channel.

Abstract: Techniques for a virtualized fabric login server for a storage area network are described herein. An aspect includes operating a storage area network, the storage area network including a hybrid control plane. Another aspect includes managing, using a virtualized fabric login server and the hybrid control plane, the storage area network, wherein the virtualized fabric login server is disposed in a container that is hosted on an element of the storage area network.

Abstract: Aspects of the invention include detecting that a rekey timer has expired. The rekey timer is one of a shared key rekey timer for a current shared key between the first node and a second node, and a session key rekey timer for a session key used in a secure communication between a channel on the first node and a channel on the second node. The session key was created based on the current shared key and is used for encrypting data in the secure communication. Based on the rekey timer being the shared key rekey timer, a new shared key is obtained and stored as the current shared key. Based on the rekey timer being the session key rekey timer, a new session key that is based at least in part on the current shared key is obtained and used in the secure communication.

Abstract: Aspects include selecting a channel group from a plurality of channel groups for an I/O operation. Each channel group in the plurality of channel groups is associated with a priority level and includes one or more channels. The selecting is based on a priority level assigned to the I/O operation and the priority level associated with the selected channel group. The I/O operation is driven on a selected channel in the selected channel group. A response time for the I/O operation is recorded and an average I/O response time for the selected channel is calculated. It is determined whether the plurality of channel groups should be reformed based at least in part on the calculated average response time for the selected channel. The plurality of channel groups are reformed in response to determining that the plurality of channel groups should be reformed.

Abstract: A host port is enabled for security. In response to a determination by the host port that authentication or security association negotiation with a storage port cannot be completed successfully, the host port determines whether an audit mode indicator has been enabled in a login response from the storage port. The host port preserves input/output (I/O) access to the storage port based on determining whether the audit mode indicator has been enabled in the login response from the storage port.

Abstract: Aspects of the invention include generation of a secure key exchange (SKE) authentication response by a responder node of a computing environment. A computer-implemented method includes receiving an authentication request message at a responder channel on the responder node from an initiator channel on an initiator node to establish a secure communication, the receiving at a local key manager (LKM) executing on the responder node. A state check is performed based on a security association of the initiator node and the responder node. A validation of the authentication request message is performed. A proposal list of the authentication request message is checked. An authentication response message is built based at least in part on a successful state check, a successful validation, and selecting an encryption algorithm from the proposal list. The authentication response message is sent from the LKM to the responder channel.

Abstract: Embodiments include methods, systems, and computer program products for routing mode support in a switched fabric network. A fabric login payload is built at a device to establish a plurality of communication parameters with a switched fabric network. A routing mode capability of the device is determined. One or more routing support bits are configured in the fabric login payload based on the routing mode capability of the device. The fabric login payload is sent to the switched fabric network to establish communication between the device and a network device of the switched fabric network.

Abstract: In-line data packet transformations. A transformation engine obtains data to be transformed and determines a transformation to be applied to the data. The determining uses an input/output control block that includes at least one field to be used in determining the transformation to be applied. Based on determining the transformation to be applied, the transformation is performed.