Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual

Fabric OS Encryption Administrator’s Guide (LKM/SSKM)

53-1002925-01

Chapter 2

Configuring Encryption Using the Management Application

Encryption Center features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Encryption user privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Smart card usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Using authentication cards with a card reader . . . . . . . . . . . . . 16
Registering authentication cards from a card reader . . . . . . . . 17
Registering authentication cards from the database . . . . . . . . 19
Deregistering an authentication card. . . . . . . . . . . . . . . . . . . . .20
Setting a quorum for authentication cards . . . . . . . . . . . . . . . .20
Using system cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Enabling or disabling the system card requirement . . . . . . . . .22
Registering systems card from a card reader . . . . . . . . . . . . . .22
Deregistering system cards. . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Using smart cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Tracking smart cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Editing smart cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26

Network connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Blade processor links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Configuring blade processor links . . . . . . . . . . . . . . . . . . . . . . .28

Encryption node initialization and certificate generation. . . . . . . . .28

Setting encryption node initialization . . . . . . . . . . . . . . . . . . . . .29

Steps for connecting to an LKM/SSKM appliance . . . . . . . . . . . . . .29

Launching the NetApp DataFort Management Console . . . . . .29
Establishing the trusted link . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
Obtaining and importing the LKM/SSKM certificate. . . . . . . . .30
Exporting and registering the switch KAC certificates on LKM/SSKM . . . . . . . . . . 31
LKM/SSKM key vault high availability deployment . . . . . . . . . .32
Disk keys and tape pool keys (Brocade native mode support) . . . . . . . . . . 33
Tape LUN and DF-compatible tape pool support . . . . . . . . . . . 33
LKM/SSKM key vault deregistration . . . . . . . . . . . . . . . . . . . . .33

Encryption preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34

Creating an encryption group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34

Configuring key vault settings for NetApp Link Key Manager (LKM/SSKM) . . . . . . . . . . 38
Understanding configuration status results. . . . . . . . . . . . . . . .43

Adding a switch to an encryption group. . . . . . . . . . . . . . . . . . . . . . .44

Replacing an encryption engine in an encryption group . . . . . . . . .49

High availability clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50

HA cluster configuration rules . . . . . . . . . . . . . . . . . . . . . . . . . .50
Creating HA clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Removing engines from an HA cluster . . . . . . . . . . . . . . . . . . . .52
Swapping engines in an HA cluster . . . . . . . . . . . . . . . . . . . . . .52
Failback option. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Invoking failback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
