Aborting a pending database transaction, Key vault diagnostics, Key vault connectivity – Brocade Fabric OS Encryption Administrator’s Guide Supporting Key Management Interoperability Protocol (KMIP) Key-Compliant Environments (Supporting Fabric OS v7.1.0) User Manual

264 Fabric OS Encryption Administrator’s Guide (KMIP) 53-1002747-02

Key vault diagnostics 6

Use the cryptocfg --sync -securitydb command to distribute the security database from the group leader
node to all member nodes. This command is valid only on the group leader.

In scenarios where this master key propagation issue still persists, exporting the master key to a
file and recovering it resolves the issue. To do this, use the following commands:

Use the cryptocfg --exportmasterkey -file option to export the master key to a file.

Use the cryptocfg --recovermasterkey currentMK -srcfile command to recover the master key from that file.

Aborting a pending database transaction

You can abort a pending database transaction for any device configurations invoked earlier through
the CLI or BNA interfaces by completing the following steps.

1. Use the cryptocfg --transshow command to determine the currently pending transaction ID.

The cryptocfg --transshow command displays the pending database transaction for any device
configurations invoked earlier through the CLI or BNA interfaces. The command displays the
transaction status (completed or pending), the transaction ID, and the transaction owner (CLI
or BNA).

2. Use the cryptocfg --transabort <transaction_ID> command to abort the transaction, where
<transaction_ID> specifies the ID of the transaction to be aborted.

Key vault diagnostics

With the introduction of Fabric OS 7.0.0, you can run key vault diagnostics tests to identify any key
vault connectivity or key operation errors. You configure the key vault diagnostic test using the
cryptocfg --kvdiag command.

If an encryption switch is part of an encryption group (EG), the diagnostic testing is performed on that
switch only and not on the entire group. If multiple nodes in an encryption group run different Fabric OS
versions, only those nodes running Fabric OS 7.0.0 and later can be configured for periodic key vault
diagnostic testing.

You can set the diagnostic tests to run at regular intervals. When incidents occur, the findings are
collected in log reports. The first instance of a failure, and the subsequent restoration of operation,
are each reported as a Remote Access Server (RAS) log entry. Subsequent findings for the same incident
are not logged, to avoid redundant messages.

Key vault connectivity

Key vault connectivity is a diagnostics feature that allows you to periodically collect information
about the state of key vault connectivity from the Brocade Encryption Switch, and possibly version,
configuration, or cluster information of the key vault (KV).

This feature reports the following types of configuration information:

Key Vault/Cluster scope:

CA Certificate and its validity (for example, valid header and expiry date)

Key Vault IP/Port

KV firmware version

Time of day on the KV
