Creating an ESKM/SKM high availability cluster – Brocade Fabric OS Encryption Administrator’s Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments (Supporting Fabric OS v7.2.0) User Manual


53-1002923-01


Creating an ESKM/SKM high availability cluster

The HP ESKM/SKM key vault supports clustering of HP ESKM/SKM appliances for high availability.
If two ESKM/SKM key vaults are configured, they must be clustered. If only a single ESKM/SKM
appliance is configured, it may be clustered for backup purposes, but the backup appliance will not
be directly used by the switch. The procedures in this section will establish a cluster configuration
on one ESKM/SKM appliance and then transfer that configuration to the remaining appliances.

• Create the cluster on one ESKM/SKM appliance that is to be a member of the cluster.

• Copy the local CA certificate from the first ESKM/SKM appliance or an existing cluster member.

• Paste the local CA certificate into the management console for each of the ESKM/SKM
appliances added to the cluster.

To create a cluster, complete the following steps on one of the HP ESKM/SKM appliances that is to
be a member of the cluster:

1. From the ESKM/SKM management console, click the Device tab.

2. In the Device Configuration menu, click Cluster.

The Create Cluster section displays.

3. Select and note the Local IP address. You will need this address when you add an appliance to
the cluster.

4. For Local Port, use the default value of 9001 unless you are explicitly directed to use a
different value for your site.

5. Type the cluster password in the Create Cluster section of the main window to create the new
cluster, then click Create.

6. In the Cluster Settings section of the window, click Download Cluster Key and save the key to a
convenient location, such as your computer's desktop. The cluster key is a text file and is only
required temporarily. It may be deleted from your computer's desktop after all ESKM/SKM
appliances have been added to the cluster.

Copying the local CA certificate for a clustered ESKM/SKM appliance

Before adding an ESKM/SKM appliance to a cluster, you must obtain the local CA certificate from
the original ESKM/SKM or from an ESKM/SKM that is already in the cluster.

1. Select the Security tab.

2. Select Local CAs under Certificates & CAs.

3. Select the name of the local CA from the Local Certificate Authority list.

The CA Certificate Information is displayed.

4. Copy the certificate request, beginning with ---BEGIN CERTIFICATE REQUEST--- and ending with
---END CERTIFICATE REQUEST---. Be careful not to include any extra characters.
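A local check for the text copied in step 4, as an added example that is not part of the HP or Brocade documentation: it flags characters picked up before, after, or inside the block before the text is pasted into another appliance. It assumes the standard five-dash PEM marker lines of RFC 7468 and runs on a constructed stand-in block, not a real certificate; `check_pasted_pem` and `make_sample` are hypothetical names.

```python
import base64
import re

# Marker lines as RFC 7468 defines them (five dashes each side). This is an
# assumption; adjust the patterns if the console shows a different marker.
BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")
END = re.compile(r"-----END ([A-Z0-9 ]+)-----")


def check_pasted_pem(text):
    """Return a list of problems in a copied PEM block; empty list means clean."""
    lines = text.replace("\r\n", "\n").split("\n")
    if lines[-1] == "":          # one trailing newline is harmless
        lines.pop()
    if len(lines) < 3:
        return ["block is empty or truncated"]
    problems = []
    begin, end = BEGIN.fullmatch(lines[0]), END.fullmatch(lines[-1])
    if not begin:
        problems.append("text before or inside the BEGIN line")
    if not end:
        problems.append("text after or inside the END line")
    if begin and end and begin.group(1) != end.group(1):
        problems.append("BEGIN and END labels differ")
    body = lines[1:-1]
    if any(line != line.strip() for line in body):
        problems.append("whitespace added to a body line")
    try:
        der = base64.b64decode("".join(l.strip() for l in body), validate=True)
        if der[:1] != b"\x30":   # DER certificates and requests start with SEQUENCE
            problems.append("body does not decode to a DER SEQUENCE")
    except ValueError:           # binascii.Error is a subclass of ValueError
        problems.append("body is not valid base64 (characters lost or added)")
    return problems


def make_sample(label="CERTIFICATE REQUEST"):
    """Constructed stand-in block: DER-shaped filler bytes, not a real certificate."""
    b64 = base64.b64encode(b"\x30\x3c" + bytes(range(60))).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *rows, f"-----END {label}-----"])


if __name__ == "__main__":
    good = make_sample()
    print(check_pasted_pem(good))                       # clean copy
    print(check_pasted_pem("Certificate: " + good))     # label text copied too
    print(check_pasted_pem(good + "\n\nClose window"))  # trailing page text
```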
