Dpm key vault high availability deployment – Brocade Network Advisor SAN User Manual v12.3.0 User Manual
Page 769
Brocade Network Advisor SAN User Manual
717
53-1003154-01
Steps for connecting to a DPM appliance
20
Uploading the KAC certificate onto the DPM appliance (manual identity
enrollment)
NOTE
The switch will not use the Identity Auto Enrollment feature supported with DPM 3.x servers. You
must complete the identity enrollment manually to configure the DPM 3.x server with the switch as
described in this section.
You need to install the switch public key certificate (KAC certificate). For each encryption node,
manually create an identity as follows:
1. Select the Identities tab.
2. Click Create.
3. Enter a label for the node in the Name field. This is a user-defined identifier.
4. Select the Hardware Retail Group in the Identity Groups field.
5. Select the Operational User role in the Authorization field.
6. Click Browse and select the imported certificate as the Identity certificate.
7. Click Save.
The CA certificate file referenced in the SSLCAcertificateFile field (
) must be imported and
registered on the switch designated as an encryption Group Leader. You may want to note this
location before proceeding to
“Loading the CA certificate onto the encryption group leader”
DPM key vault high availability deployment
When dual DPM appliances are used for high availability, the DPM appliances must be clustered
and must operate in maximum availability mode, as described in the DPM appliance user
documentation.
When dual DPM appliances are clustered, they are accessed using an IP load balancer. For a
complete high availability deployment, the multiple IP load balancers are clustered, and the IP load
balancer cluster exposes a virtual IP address called a floating IP address. The floating IP address
must be registered on the encryption Group Leader.
Neither the secondary DPM appliance nor individual DPM appliance IP addresses should be
registered.
Loading the CA certificate onto the encryption group leader
The certificate for the CA that signed the switch KAC CSRs must be loaded onto the encryption
Group Leader. The Group Leader can then distribute the CA certificate to the encryption group
members.
1. From the Encryption Center, select a group from the Encryption Center Devices table, then
select Group > Properties from the menu task bar to display the Encryption Group Properties
dialog box. The General tab is selected. (Refer to
If groups are not visible in the Encryption Devices table, select View > Groups from the menu
bar.