Brocade Fabric OS Encryption Administrator’s Guide Supporting Key Management Interoperability Protocol (KMIP) Key-Compliant Environments (Supporting Fabric OS v7.1.0) User Manual

Fabric OS Encryption Administrator’s Guide (KMIP), 53-1002747-02, Chapter 3, page 161

Adding a member node to an encryption group

CAUTION

After adding the member node to the encryption group, you should not use the cryptocfg --zeroizeEE command on that node. Doing so removes critical information from the node and makes it necessary to re-initialize the node and export the new KAC certificate to the group leader and the key vault.

To add a member node to an encryption group, follow these steps:

1. Log in to the switch on which the certificate was generated as Admin or FabricAdmin.

2. Execute the cryptocfg --reclaimWWN -cleanup command.

3. Log in as Admin or SecurityAdmin.

4. Export the certificate from the local switch to an SCP-capable external host or to a mounted USB device. Enter the cryptocfg --export command with the appropriate parameters. When exporting a certificate to a location other than your home directory, you must specify a fully qualified path that includes the target directory and file name. When exporting to USB storage, certificates are stored by default in a predetermined directory, and you only need to provide a file name for the certificate. The file name must be given a .pem (privacy enhanced mail) extension. Use a character string that identifies the certificate’s originator, such as the switch name or IP address.

The following example exports a CP certificate from an encryption group member to an external
SCP-capable host and stores it as enc_switch1_cp_cert.pem.

SecurityAdmin:switch> cryptocfg --export -scp CPcert \
192.168.38.245 mylogin /tmp/certs/enc_switch1_cp_cert.pem
Password:
Operation succeeded.

The following example exports a CP certificate from the local node to USB storage.

SecurityAdmin:switch> cryptocfg --export -usb CPcert enc_switch1_cp_cert.pem
Operation succeeded.

5. Use the cryptocfg --import command to import the CP certificates to the group leader node. You must import the CP certificate of each node you wish to add to the encryption group.

The following example imports a CP certificate named “enc_switch1_cp_cert.pem” that was
previously exported to the external host 192.168.38.245. Certificates are imported to a
predetermined directory on the group leader.

SecurityAdmin:switch> cryptocfg --import -scp enc_switch1_cp_cert.pem \
192.168.38.245 mylogin /tmp/certs/enc_switch1_cp_cert.pem
Password:
Operation succeeded.

The following example imports a CP certificate named “enc_switch1_cp_cert.pem” that was
previously exported to USB storage.

SecurityAdmin:switch> cryptocfg --import -usb enc_switch1_cp_cert.pem \
enc_switch1_cp_cert.pem
Operation succeeded.
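An added check for steps 4 and 5, not part of the guide or of Fabric OS: before the group leader imports an exported CP certificate, confirm on the staging host that the file is a well-formed .pem certificate and record its SHA-256 fingerprint, so the copy imported in step 5 can be matched against the one exported in step 4. The function names and the sample payload are constructed for illustration.

```python
import base64
import hashlib
import re
from pathlib import PurePosixPath

# Matches one PEM certificate block; the body is the base64-encoded DER certificate.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(?P<body>.*?)-----END CERTIFICATE-----", re.S
)


def wrap_pem(der: bytes) -> str:
    """Frame DER bytes as a PEM certificate block (64-character base64 lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def check_exported_cert(file_name: str, pem_text: str) -> dict:
    """Check an exported CP certificate file before it is imported on the group leader.

    Returns {'ok': bool, 'problems': [...], 'sha256': hex digest of the DER payload or None}.
    """
    problems = []
    # The guide requires a .pem extension on the exported file name.
    if PurePosixPath(file_name).suffix.lower() != ".pem":
        problems.append(f"{file_name!r} does not carry a .pem extension")
    match = PEM_CERT_RE.search(pem_text)
    if match is None:
        problems.append("no BEGIN/END CERTIFICATE block found")
        return {"ok": False, "problems": problems, "sha256": None}
    try:
        der = base64.b64decode("".join(match.group("body").split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        problems.append("certificate body is not valid base64")
        return {"ok": False, "problems": problems, "sha256": None}
    if not der:
        problems.append("certificate body is empty")
    # SHA-256 over the DER bytes: the digest openssl prints (colon-separated) for -fingerprint -sha256.
    fingerprint = hashlib.sha256(der).hexdigest() if der else None
    return {"ok": not problems, "problems": problems, "sha256": fingerprint}


# Constructed placeholder payload, not a real certificate: it exercises only the PEM framing.
SAMPLE_DER = b"constructed placeholder standing in for the DER-encoded CP certificate"
SAMPLE_PEM = wrap_pem(SAMPLE_DER)

if __name__ == "__main__":
    result = check_exported_cert("enc_switch1_cp_cert.pem", SAMPLE_PEM)
    print(result["ok"], result["sha256"], result["problems"])
```

Run it against the file on the SCP host right after the export in step 4; any mismatch between that fingerprint and the one computed on the copy the leader imports means the file changed in transit and the export should be repeated.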
