Setting encryption node initialization, Key management interoperability protocol – Brocade Network Advisor SAN User Manual v12.3.0 User Manual
Page 761
Brocade Network Advisor SAN User Manual
709
53-1003154-01
Key Management Interoperability Protocol
20
Setting encryption node initialization
Encryption nodes are initialized by the Configure Switch Encryption wizard when you confirm a
configuration. Encryption nodes may also be initialized from the Encryption Center dialog box.
1. Select a switch from the Encryption Center Devices table, then select Switch > Init Node from
the menu task bar.
2. Select Yes after reading the warning message to initialize the node.
Key Management Interoperability Protocol
The Key Management Interoperability Protocol (KMIP) standardizes the communication between
an Enterprise key management system and an encryption device. The same key vault servers can
be used, only in a different mode. Currently, KMIP versions 1.0 and 1.1 are supported.
The initial deployment of the KMIP client is on the switch, where it will replace multiple third-party
implementations/vendor APIs. The interfaces of the KMIP client are generic and are not tied to the
key record formats used by the switch. Any encryption solution should be able to use the KMIP
client to communicate to a key server by compiling it on Linux-based PPC or X 86 environments.
Currently, the switch supports the KMIP servers from SafeNet Key Secure 6.1 and TEKA 4.0. All
nodes in an encryption group should be running Fabric OS 7.1.0 and later for the key vault type to
be set to KMIP.
Although KMIP support is available from multiple key vaults, each key vault implementation is
different in terms of High Availability (HA) clustering support, certificate exchange, and
authentication. In the current Fabric OS implementation, each key vault uses a separate adapter at
the Key Authentication Center (KAC), which is implemented to suit the key vault feature
implementation.
NOTE
Currently, KMIP with SafeNet KeySecure 6.1 in native KMIP mode and Thales e-Security keyAuthority
running version 4.0 with the switch in KMIP mode are supported.
A generic KMIP 1.0 or 1.1 server is supported. The following KMIP servers can be configured on the
switch:
•
SafeNet KeySecure. The KeySecure is a KMIP-compliant server. (SSKM is the trusted mode
version of SafeNet which continues to use the LKM OpenKey Interfaces. These are mutually
exclusive use scenarios and cannot be used interchangeably.) This configuration is allowed
only for new installations. Refer to
“Steps for connecting to a KMIP-compliant SafeNet
•
TEKA 4.0. The Thales keyAuthority is a KMIP-compliant server that can be configured with the
switch; however, backward compatibility for keys created with Fabric OS versions earlier than
v7.2.0 is not supported. This configuration is allowed only for new installations. For more
information about configuring a KMIP-compliant keyAuthority, refer to Chapter 3 of the Fabric
OS Encryption Administrator’s Guide Supporting Key Management Interoperability Protocol
(KMIP) Key-Compliant Environments.
Ensure that KMIP server is running on the key vault in order for the key vault to be configured as a
KMIP type on the switch.