Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual

53-1002925-01

Steps for connecting to an LKM/SSKM appliance

Copyright (c) 2001-2009 NetApp, Inc.
All rights reserved
+--------------------------------+
| NetApp Appliance Management CLI |
| Authorized use only! |
+--------------------------------+
Cannot read termcap database;
using dumb terminal settings.
Checking system tamper status:
No physical intrusion detected.

2. Add the group leader to the LKM/SSKM key sharing group. Enter lkmserver add --type third-party --key-sharing-group "/" followed by the group leader IP address.

NOTE

The Brocade Encryption Switch must be configured to the root group.

lkm-1>lkmserver add --type third-party --key-sharing-group \
"/" 10.32.244.71
NOTICE: LKM Server third-party 10.32.244.71 added.
Cleartext connections not allowed.

3. On the NetApp LKM/SSKM appliance terminal, enter sys cert getcert-v2 to display the LKM/SSKM certificate content.

lkm-1> sys cert getcert-v2
-----BEGIN CERTIFICATE-----
[content removed]
-----END CERTIFICATE-----

4. Copy and paste the LKM/SSKM certificate content from the NetApp LKM/SSKM appliance terminal into an editor buffer. Save the file as lkmcert.pem on the SCP-capable host. Save the entire certificate, including the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

5. If you are using Brocade Network Advisor, the path to the file must be specified in the Select Key Vault dialog box when creating a group leader. If the proper path is entered, the file is imported.
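A check for step 4, as an added example that is not part of the Brocade guide or of any Brocade or NetApp tool: it confirms that a saved lkmcert.pem still has both delimiter lines and that no lines were lost during copy and paste, then prints a SHA-256 digest of the decoded body for comparison between hosts. The function names, the script name in the usage comment and the sample data are assumptions made for illustration; the check is structural only and does not validate the certificate's signature or contents.

```python
import base64
import binascii
import hashlib
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def check_pem_certificate(text):
    """Return (True, sha256_hex_of_DER) or (False, reason). Structural check only."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != BEGIN:
        return False, "first line is not the BEGIN CERTIFICATE line"
    if lines[-1] != END:
        return False, "last line is not the END CERTIFICATE line"
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except (binascii.Error, ValueError):
        return False, "body is not valid base64 (stray characters or cut-off paste)"
    # A certificate is one DER SEQUENCE (tag 0x30) whose length covers the whole body.
    if len(der) < 2 or der[0] != 0x30:
        return False, "body does not start with a DER SEQUENCE"
    if der[1] < 0x80:
        header, length = 2, der[1]
    else:
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        return False, "DER length mismatch: lines were lost or added while copying"
    return True, hashlib.sha256(der).hexdigest()

def build_sample_pem():
    """Constructed sample: a zero-filled DER SEQUENCE, not a real certificate."""
    b64 = base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{BEGIN}\n{body}\n{END}\n"

if __name__ == "__main__":
    # Usage (hypothetical script name): python check_lkmcert.py lkmcert.pem
    with open(sys.argv[1], encoding="ascii", errors="replace") as fh:
        ok, detail = check_pem_certificate(fh.read())
    print(("OK, SHA-256 of DER: " if ok else "REJECTED: ") + detail)
    sys.exit(0 if ok else 1)
```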

Exporting and registering the switch KAC certificates on LKM/SSKM

1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 6 on page 14.)

2. Select a switch from the Encryption Center Devices table, then select Switch > Export Certificate from the menu task bar.

The Export Switch Certificate dialog box allows you to export a switch public key certificate signing request (CSR) to a location you specify. (Refer to Figure 15.) The procedures for submitting a CSR for signing are determined by the Certificate Authority (CA).

The CSR must be submitted to a Certificate Authority (CA) for signing, then imported into the switch and the key vault. The signed switch certificate may be imported directly by a key vault.