Brocade Fabric OS Encryption Administrator’s Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments (Supporting Fabric OS v7.2.0) User Manual

Page 9


Fabric OS Encryption Administrator’s Guide (SKM/ESKM)

vii

53-1002923-01

Steps for connecting to an SKM or ESKM appliance . . . . . . . . . . .136

Configuring a Brocade group. . . . . . . . . . . . . . . . . . . . . . . . . . .136
Setting up the local Certificate Authority (CA) . . . . . . . . . . . . .137
Downloading the local CA certificate . . . . . . . . . . . . . . . . . . . .138
Creating and installing the SKM or ESKM server certificate . . . . . . .139
Enabling SSL on the Key Management System (KMS) Server . . . . . . .140
Creating an SKM or ESKM high availability cluster . . . . . . . . . 141
Copying the local CA certificate. . . . . . . . . . . . . . . . . . . . . . . . . 141
Adding SKM or ESKM appliances to the cluster . . . . . . . . . . .142
Initializing the Fabric OS encryption engines. . . . . . . . . . . . . .143
Signing the Brocade encryption node KAC certificates. . . . . .144
Registering SKM or ESKM on a Brocade encryption group leader . . . . . . .145
Registering the SKM/ESKM Brocade group user name and password. . . . . . .147
SKM or ESKM key vault high availability deployment . . . . . . .148
Data Encryption Keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .148
Adding a member node to an encryption group . . . . . . . . . . .150

Generating and backing up the master key . . . . . . . . . . . . . . . . . .152

High availability clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154

HA cluster configuration rules. . . . . . . . . . . . . . . . . . . . . . . . . .154
Creating an HA cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155
Adding an encryption engine to an HA cluster. . . . . . . . . . . . .156
Removing engines from an HA cluster . . . . . . . . . . . . . . . . . . .156
Swapping engines in an HA cluster . . . . . . . . . . . . . . . . . . . . .156
Failover/failback policy configuration. . . . . . . . . . . . . . . . . . . .157

Re-exporting a master key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159

Exporting an additional key ID . . . . . . . . . . . . . . . . . . . . . . . . .160
Viewing the master key IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . .160

Enabling the encryption engine . . . . . . . . . . . . . . . . . . . . . . . . . . . .162

Checking encryption engine status . . . . . . . . . . . . . . . . . . . . .162

Zoning considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163

Setting default zoning to no access . . . . . . . . . . . . . . . . . . . . .163
Frame redirection zoning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Creating an initiator - target zone . . . . . . . . . . . . . . . . . . . . . . .164

CryptoTarget container configuration . . . . . . . . . . . . . . . . . . . . . . .166

LUN rebalancing when hosting both disk and tape targets. . . . . . . .167
Gathering information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .168
Creating a CryptoTarget container . . . . . . . . . . . . . . . . . . . . . .169
Removing an initiator from a CryptoTarget container . . . . . . .170
Deleting a CryptoTarget container . . . . . . . . . . . . . . . . . . . . . . 171
Moving a CryptoTarget container . . . . . . . . . . . . . . . . . . . . . . .172
