Setting encryption node initialization – Brocade Fabric OS Encryption Administrator’s Guide Supporting RSA Data Protection Manager (DPM) Environments (Supporting Fabric OS v7.2.0) User Manual
Page 153
Fabric OS Encryption Administrator’s Guide (DPM)
133
53-1002922-01
Setting encryption node initialization
3
4. Reboot the member node (the node on which the IP address has been modified).
5. Reregister the node with the group leader using new IP address.
Setting encryption node initialization
When an encryption node is initialized, the following security parameters and certificates are
generated:
•
FIPS crypto officer
•
FIPS user
•
Node CP certificate
•
A signed Key Authentication Center
(
KAC) certificate
•
A KAC Certificate Signing Request (CSR)
From the standpoint of external SAN management application operations, the FIPS crypto officer,
FIPS user, and node CP certificates are transparent to users. The KAC certificates are required for
operations with key managers. In most cases, KAC certificate signing requests must be sent to a
Certificate Authority (CA) for signing to provide authentication before the certificate can be used. In
all cases, signed KACs must be present on each switch.
1. Initialize the Brocade Encryption Switch node.
SecurityAdmin:switch> cryptocfg --initnode
Operation succeeded.
2. Zeroize all critical security parameters (CSPs) on the encryption engine.
SecurityAdmin:switch> cryptocfg --zeroizeEE [slotnumber]
This will zeroize all critical security parameters
ARE YOU SURE (yes, y, no, n): [no]y
Operation succeeded.
3. Initialize the new encryption engine.
SecurityAdmin:switch> cryptocfg --initEE [slotnumber]
Operation succeeded.
4. Register the encryption engine.
SecurityAdmin:switch> cryptocfg --regEE [slotnumber]
Operation succeeded.
5. Enable the encryption engine.
SecurityAdmin:switch> cryptocfg --enableEE [slotnumber]
Operation succeeded.
6. Check the encryption engine state using following command to ensure encryption engine is
online:
SecurityAdmin:switch> cryptocfg --show -localEE