Steps before configuration download – Brocade Fabric OS Encryption Administrator’s Guide Supporting Key Management Interoperability Protocol (KMIP) Key-Compliant Environments (Supporting Fabric OS v7.1.0) User Manual
Page 249
Fabric OS Encryption Administrator’s Guide (KMIP)
231
53-1002747-02
Configuration upload and download considerations
5
•
Certificates generated internally:
-
KAC certificate
-
CP certificate
-
FIPS officer and user certificates
The Authentication Quorum size is included in the configuration upload for read-only purposes, but
is not set by a configuration download.
Steps before configuration download
The configuration download does not have any certificates, public or private keys, master key, or
link keys included. Perform following steps prior to configuration download to generate and obtain
the necessary certificates and keys:
1. Use the following commands to initialize the encryption engine
cryptocfg --InitNode
cryptocfg --initEE
cryptocfg --regEE
Initializing the switch generates the following internal certificates:
-
KAC certificate
-
CP certificate
-
FIPS officer and user certificates
2. Import peer nodes/switches certificates onto the switch prior to configuration download.
3. Import key vault certificates onto switch prior to configuration download.
4. Create an encryption group with same name as in configuration upload information for the
encryption group leader node.
5. Import Authentication Card Certificates onto the switch prior to configuration download.
Configuration download at the encryption group leader
The configuration download contains the encryption group-wide configuration information about
CryptoTargets, disk and tape LUNs, tape pools, HA clusters, security, and key vaults. The encryption
group leader first applies the encryption group-wide configuration information to the local
configuration database and then distributes the configuration to all members in the encryption
group. Also any layer-2 and switch specific configuration information is applied locally to the
encryption group leader.
Configuration download at an encryption group member
Switch specific configuration information pertaining to the member switch or blade is applied.
Information specific to the encryption group leader is filtered out.