Initializing the Brocade encryption engines – Brocade Fabric OS Encryption Administrator’s Guide Supporting Key Management Interoperability Protocol (KMIP) Key-Compliant Environments (Supporting Fabric OS v7.1.0) User Manual


Fabric OS Encryption Administrator’s Guide (KMIP)


53-1002747-02

Configuring the Brocade Encryption Switch key vault setup (SafeNet KeySecure)


Time of Day on Key Server: N/A
Server SDK Version: N/A

Encryption Node (Key Vault Client) Information:

Node KAC Certificate Validity: Yes
Time of Day on the Switch: 2012-05-23 02:45:09
Client SDK Version: N/A
Client Username: N/A
Client Usergroup: N/A
Connection Timeout: 10 seconds
Response Timeout: 10 seconds
Connection Idle Timeout: N/A

Key Vault configuration and connectivity checks successful, ready for key
operations.

Initializing the Brocade encryption engines

You must perform a series of encryption engine initialization steps on every Brocade encryption
node (switch or blade) that is expected to perform encryption within the fabric.

NOTE

The initialization process overwrites any authentication data and certificates that reside on the node
and the security processor. If this is not a first-time initialization, make sure to export the master key
by running cryptocfg --exportmasterkey and cryptocfg --export -scp -currentMK before running --initEE.

Complete the following steps to initialize an encryption engine.

1. Log in to the switch as Admin or SecurityAdmin.

2. Zeroize all critical security parameters (CSPs) on the switch by entering the cryptocfg --zeroizeEE
command. Provide a slot number if the encryption engine is a blade.

SecurityAdmin:switch>cryptocfg --zeroizeEE
This will zeroize all critical security parameters
ARE YOU SURE (yes, y, no, n): [no]y
Operation succeeded.

Zeroization leaves the switch or blade faulted. The switch or blade reboots automatically.

3. Synchronize the time on the switch and the key manager appliance. They should be within one
minute of each other. Differences in time can invalidate certificates and cause key vault
operations to fail.

4. Initialize the node by entering the cryptocfg --initnode command. Successful execution
generates the following security parameters and certificates:

Node CP certificate

Key Archive Client (KAC) certificate

NOTE

Node initialization overwrites any existing authentication data on the node.

SecurityAdmin:switch> cryptocfg --initnode
This will overwrite all identification and authentication data
ARE YOU SURE (yes, y, no, n): [no] y
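
An added example, not taken from the Brocade guide: a Python pre-flight check for step 3 that parses status output using the field names shown on this page and flags clock skew above one minute or a KAC certificate that is not reported valid. It assumes both timestamps use the same time zone and the format shown for the switch time; the key server timestamp in the sample is constructed, since the page shows N/A for it.

```python
import re
from datetime import datetime, timedelta

MAX_SKEW = timedelta(minutes=1)  # tolerance stated in step 3
TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # format of the switch timestamp shown on this page

# Constructed sample: field names copied from the status output on this page;
# the key server time is a made-up value (the page shows N/A for it).
SAMPLE = """\
Time of Day on Key Server: 2012-05-23 02:47:30
Node KAC Certificate Validity: Yes
Time of Day on the Switch: 2012-05-23 02:45:09
"""

def parse_fields(text):
    """Split 'Name: value' lines into a dict, splitting on the first colon only."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def parse_time(value):
    """Return a datetime, or None for N/A, missing or unparseable values."""
    try:
        return datetime.strptime(value or "", TS_FORMAT)
    except ValueError:
        return None

def preflight(text, max_skew=MAX_SKEW):
    """Return a list of findings; an empty list means the checks passed."""
    f = parse_fields(text)
    findings = []
    if f.get("Node KAC Certificate Validity") != "Yes":
        findings.append("KAC certificate not reported valid")
    server = parse_time(f.get("Time of Day on Key Server"))
    switch = parse_time(f.get("Time of Day on the Switch"))
    if server is None or switch is None:
        # Assumption: an unverifiable clock is treated as a finding, not a pass.
        findings.append("clock skew unknown: compare the clocks manually")
    elif abs(server - switch) > max_skew:
        secs = int(abs(server - switch).total_seconds())
        findings.append(f"clock skew {secs}s exceeds {int(max_skew.total_seconds())}s")
    return findings

if __name__ == "__main__":
    for finding in preflight(SAMPLE) or ["time and certificate checks passed"]:
        print(finding)
```

Run it against captured status output before initializing a node; when the key server time is reported as N/A, as in the output on this page, the skew cannot be derived from the output and has to be checked on the appliance itself.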
