Configuration parameters, High availability, User credentials – Brocade Network Advisor SAN User Manual v12.3.0 User Manual
Page 762: Certificate type
710
Brocade Network Advisor SAN User Manual
53-1003154-01
Key Management Interoperability Protocol
20
Configuration parameters
The encryption group object has three additional properties that can be configured when the key
vault (KV) type is KMIP. These additional properties must be set by the user:
•
High availability
•
User credentials
•
Certificate type
High availability
The KMIP Key Authentication Center (KAC) adapter provides configurable HA support. HA for the
key vault should be set before you register the key vault. Three settings are supported; however,
certain settings are determined by the compliant key vault type that is being used:
•
Transparent: The client assumes the entire HA replication is implemented on the key vault. Key
archival and retrieval is performed without any additional key hardening or integrity checks.
•
Opaque: The primary and secondary key vaults are both registered on the switch. The client
archives the key to a single (primary) key vault and lets the KV pair internally perform the
replication. For disk operations, an additional key hardening and integrity check is done on the
secondary key vault before the key is used for encryption.
•
None: If no HA is selected, the primary and secondary key vaults are both registered on the
switch. The client archives keys to both key vaults and ensures that the archival process
succeeds before the key is used for encryption, including hardening and integrity checks.
By default, the HA mode is disabled and KAC login is not used. All parameters except log level are
configurable on the group leader only. All parameters except for logging are distributed to all nodes
in the encryption group. Log level, however, is configurable on a per-node basis.
User credentials
The switch has support for the optional credential structure used for username and password.
Username authentication can be defined after TLS connectivity to a client device is requested.
Three modes are available:
•
User Name: Only a user name is required to identify the client device.
•
User Name and Password: Both a user name and a password are required to identify the client
device.
•
None: No authentication is required.
Certificate type
The TLS certificates used between the switch and the key vault are either Self Signed or CA Signed.