Establishing the trusted link, Obtaining and importing the lkm/sskm certificate – Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual


Fabric OS Encryption Administrator’s Guide (LKM/SSKM)

53-1002925-01

Steps for connecting to an LKM/SSKM appliance


Establishing the trusted link

You must generate the trusted link establishment package (TEP) on all nodes to obtain a trusted
acceptance package (TAP) before you can establish a trusted link between each node and the
NetApp LKM/SSKM appliance.

1. Select Configure > Encryption from the menu task bar to display the Encryption Center dialog box. (Refer to Figure 6 on page 14.)

2. Select an LKM/SSKM group from the Encryption Center Devices table, then select Group > Link Keys from the menu task bar.

The switch name displays in the link status table under Switch, with a Link Key Status of
Link Key requested, waiting for LKM approval.

3. Select the switch, then click Establish.

This sends a Trust Establishment Package (TEP) message to the LKM/SSKM, which is needed
to establish the trusted link between the switch and the LKM/SSKM appliance.

4. Launch the NetApp DataFort Management Console (DMC) and click the View Unapproved Trustees tab.

The switch is listed as openkey_trustee_<ip address>, where the IP address is the switch
IP address.

5. Select the switch, then click Approve and Create TAP.

The Approve TEP dialog box displays. The TEP must be approved before a TAP can be created.

6. Provide a label in the dialog box, then click Approve to approve the TEP.

A list of recovery cards and recovery officers is displayed. TEP approval is done by a quorum of
recovery officers, using assigned recovery cards. Each recovery officer must individually insert
one of the listed recovery cards into a card reader attached to the PC or workstation, then
enter the password for that card and click Start. The procedure is repeated until a quorum of
recovery officers has approved the TEP.

7. Save the TAP to a file (location does not matter).

8. Select the Link Keys tab from the Encryption Group Properties dialog box.

9. Select the switch in the link key status table, then click Accept to retrieve the TAP from the LKM/SSKM appliance.

10. Repeat the above steps for each of the remaining member nodes.

Obtaining and importing the LKM/SSKM certificate

Certificates must be exchanged between the LKM/SSKM appliance and the encryption switch to
enable mutual authentication. You must obtain a certificate from the LKM/SSKM appliance and
import it into the encryption group leader. The encryption group leader exports the certificate to
other encryption group members.

To obtain and import an LKM/SSKM certificate, complete the following steps:

1. Open an SSH connection to the NetApp LKM/SSKM appliance and log in.

host$ssh [email protected]

[email protected]'s password:
