Submitting the CSR to a CA – Brocade Fabric OS Encryption Administrator’s Guide Supporting RSA Data Protection Manager (DPM) Environments (Supporting Fabric OS v7.2.0) User Manual


Fabric OS Encryption Administrator’s Guide (DPM)

53-1002922-01

Steps for connecting to a DPM appliance


6. Register the encryption engine by entering the cryptocfg --regEE command. Provide a slot
number if the encryption engine is a blade. This step registers the encryption engine with the
CP or chassis. Successful execution results in a certificate exchange between the encryption
engine and the CP through the FIPS boundary.

SecurityAdmin:switch> cryptocfg --regEE

Operation succeeded.

7. Enable the encryption engine by entering the cryptocfg --enableEE command.

SecurityAdmin:switch> cryptocfg --enableEE

Operation succeeded.

8. Repeat the above steps on every node that is expected to perform encryption.

Exporting the KAC certificate signing request (CSR)

You can export the KAC CSR from the switch to a file on a LAN-attached host, or you can attach a USB
storage device to the switch and export the KAC CSR to that device.

1. Log in to the Brocade Encryption Switch on which the CSR was generated as Admin or
SecurityAdmin.

2. Export the CSR from the switch over an SCP-protected LAN connection to a file on an external
host (for example, your workstation), or to a mounted USB device.

The following example exports a CSR to an external SCP-capable host at IP address
192.168.38.245.

SecurityAdmin:switch> cryptocfg --export -scp -KACcsr \
192.168.38.245 mylogin /tmp/certs/kac_dpm_cert.pem

Password:

Operation succeeded.

The following example exports a CSR to USB storage.

SecurityAdmin:switch> cryptocfg --export -usb KACcsr kac_dpm_cert.pem

Operation succeeded.

If you export the CSR to a USB storage device, you must remove the storage device from the
switch and attach it to a computer that has access to a third-party CA. The CSR must be
submitted to a CA.

NOTE

The CSR is exported in Privacy Enhanced Mail (.pem) format. This is the format required in exchanges
with certificate authorities.
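
The exported file in the examples above is named kac_dpm_cert.pem although it holds a request, not a certificate, so it is worth confirming on the workstation what the file actually contains and that it survived the SCP or USB transfer intact. The following Python check is an added example, not part of the Brocade guide; the function names and the sample data are constructed for illustration, and the check is structural only (PEM label, base64 body, outer DER length), so it does not verify the request's signature.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
CSR_LABELS = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}


def der_total_length(der):
    """Total size claimed by the outer DER SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                      # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_exported_csr(text):
    """Return (ok, reason) for the text of an exported .pem file."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return False, "no complete PEM block (missing or truncated armor)"
    if any("PRIVATE KEY" in label for label, _ in blocks):
        return False, "file contains a private key; do not submit it"
    if len(blocks) != 1:
        return False, "expected exactly one PEM block"
    label, body = blocks[0]
    if label not in CSR_LABELS:
        return False, f"PEM label is {label!r}, not a certificate request"
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
        claimed = der_total_length(der)
    except ValueError as exc:
        return False, f"body is not valid base64 DER: {exc}"
    if claimed != len(der):
        return False, f"DER claims {claimed} bytes, file holds {len(der)}"
    return True, "well-formed PEM certificate request"


def make_pem(label, der):
    """Build PEM text for the constructed sample input below."""
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"

# Constructed sample: a 300-byte DER SEQUENCE of filler, not a real CSR.
SAMPLE_DER = b"\x30\x82\x01\x28" + bytes(296)
```

To check a real export, pass the contents of the exported file to check_exported_csr(). Where OpenSSL is installed on the workstation, openssl req -in kac_dpm_cert.pem -noout -verify additionally checks the request's self-signature.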

Submitting the CSR to a CA

The CSR must be submitted to a CA to be signed. The CA is a trusted third-party entity that signs the
CSR. Several CAs are available and procedures vary, but the general steps are as follows:

1. Open an SSL connection to an X.509 server.

2. Submit the CSR for signing.
