Brocade Fabric OS Encryption Administrator’s Guide Supporting Key Management Interoperability Protocol (KMIP) Key-Compliant Environments (Supporting Fabric OS v7.1.0) User Manual

Fabric OS Encryption Administrator’s Guide (KMIP)
53-1002747-02
Setting FIPS compliance ... 150
Creating a local CA ... 150
Creating a server certificate ... 150
Creating a cluster ... 150
Backing up the certificates ... 151
Configuring the KMIP server ... 151
Adding a node to the cluster ... 151
Setting the key vault type to KMIP ... 152
Setting key vault Parameters ... 152
Exporting the KAC CSR to a local machine ... 152
Signing the KAC CSR using the Local CA ... 153
Configure the user name and password ... 154
Register the KAC certificate ... 156
Register the key vaults as primary and secondary key vaults ... 156
Verify connectivity ... 156
Initializing the Brocade encryption engines ... 157
Registering KMIP on a Brocade encryption group leader ... 158
Adding a member node to an encryption group ... 160
Generating and backing up the master key ... 163
High availability clusters ... 164
HA cluster configuration rules ... 164
Creating an HA cluster ... 165
Adding an encryption engine to an HA cluster ... 166
Removing engines from an HA cluster ... 166
Swapping engines in an HA cluster ... 166
Failover/failback policy configuration ... 167
Re-exporting a master key ... 169
Exporting an additional key ID ... 170
Viewing the master key IDs ... 170
Enabling the encryption engine ... 172
Checking encryption engine status ... 172
Zoning considerations ... 173
Setting default zoning to no access ... 173
Frame redirection zoning ... 174
Creating an initiator - target zone ... 174
CryptoTarget container configuration ... 176
LUN rebalancing when hosting both disk and tape targets ... 177
Gathering information ... 178
Creating a CryptoTarget container ... 178
Removing an initiator from a CryptoTarget container ... 180
Deleting a CryptoTarget container ... 181
Moving a CryptoTarget container ... 181