Brocade Fabric OS Encryption Administrator’s Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments (Supporting Fabric OS v7.2.0) User Manual

53-1002923-01

Steps for connecting to an SKM or ESKM appliance

10. Allow Certificate Duration to default to 3649 days.

11. Paste the file contents that you copied in step 3 in the Certificate Request Copy area.

12. Select Sign Request.

Upon success, you are presented with the option of downloading the signed certificate.

13. Download the signed certificate to your local system as signed_kac_skm_cert.pem.

14. Import the signed certificate from its location, or from a USB storage device.

SecurityAdmin:switch> cryptocfg --import -scp signed_kac_skm_cert.pem \
192.168.38.245 mylogin /tmp/certs/kac_skm_cert.pem
Password:
Operation succeeded.

The following example imports a KAC certificate that was previously exported to USB storage.

SecurityAdmin:switch> cryptocfg --import -usb signed_kac_skm_cert.pem \
kac_skm_cert.pem
Operation succeeded.

15. Register the KAC certificate.

SecurityAdmin:switch> cryptocfg --reg -KACcert signed_kac_skm_cert.pem
Operation succeeded

16. Repeat this procedure for every encryption node that is expected to perform encryption within the fabric.

Registering SKM or ESKM on a Brocade encryption group leader

An encryption group consists of one or more encryption engines. Encryption groups can provide
failover/failback capabilities by organizing encryption engines into Data Encryption Key (DEK)
clusters. An encryption group has the following properties:

• It is identified by a user-defined name.

• When there is more than one member, the group is managed from a designated group leader.

• All group members must share the same key manager.

• The same master key is used for all encryption operations in the group.

• In the case of FS8-18 blades:

  - All encryption engines in a chassis are part of the same encryption group.

  - An encryption group may contain up to four DCX Backbone nodes with a maximum of four
    encryption engines per node forming a total of sixteen encryption engines.

You will need to know the download location for the CA certificate used when “Downloading the
local CA certificate” on page 138.

1. Identify one node (a Brocade Encryption Switch or a Brocade DCX Backbone chassis with an
FS8-18 blade) as the designated group leader and log in as Admin or SecurityAdmin.

2. Enter the cryptocfg --create -encgroup command followed by a name of your choice. The
name can be up to 15 characters long, and it can include any alphanumeric characters and
underscores. White space or other special characters are not permitted.
