Importing a signed kac certificate into a switch, Steps for connecting to a tklm appliance – Brocade Network Advisor SAN + IP User Manual v12.1.0 User Manual


Brocade Network Advisor SAN + IP User Manual, 53-1002949-01, page 897
25 Steps for connecting to a TKLM appliance

Importing a signed KAC certificate into a switch

After a KAC CSR has been submitted and signed by a CA, the signed certificate must be imported
into the switch.

1. From the Encryption Center, select Switch > Import Certificate.

The Import Signed Certificate dialog box displays. (Refer to Figure 322.)

FIGURE 322 Import Signed Certificate dialog box

2. Browse to the location where the signed certificate is stored, then click OK.

The signed certificate is stored on the switch.
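Before browsing to the signed certificate in step 2, it is worth confirming on the local Linux host that the file the CA returned really belongs to this switch's KAC key pair and chains to the CA you expect; a certificate issued for another node's key, or by a different CA, imports without complaint but leaves the node unable to complete TLS to the key vault. The following script is an added example, not code from Brocade or from the manual. It assumes openssl is installed on the host and takes three hypothetical file names: the KAC CSR that was submitted (`kac.csr`), the signed certificate the CA returned (`kac.crt`) and the CA's own certificate (`ca.crt`); the demo material it builds (a throwaway CA and two key pairs) is constructed for illustration only.

```shell
#!/bin/sh
# Added example (not Brocade's or IBM's code): pre-import sanity check for a
# CA-signed KAC certificate, run on the local Linux host that holds the CSR.
# Assumptions: openssl is installed; the CSR, the signed certificate and the
# CA certificate are files on this host (all file names are hypothetical).

# Fingerprint of the public key carried by a CSR or a certificate, so the two
# can be compared regardless of PEM line wrapping or header text.
pubkey_fingerprint() {
    kind=$1   # "req" for a CSR, "x509" for a certificate
    file=$2
    openssl "$kind" -in "$file" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256
}

# kac_cert_check CSR SIGNED_CERT CA_CERT
# Returns 0 when the signed certificate is safe to import, 1 otherwise, with
# the reason on stderr. A key mismatch means the switch would hold a
# certificate it has no private key for; a chain failure means the key vault
# will not be able to validate it.
kac_cert_check() {
    csr=$1; cert=$2; ca=$3
    if [ "$(pubkey_fingerprint req "$csr")" != "$(pubkey_fingerprint x509 "$cert")" ]; then
        echo "REJECT: public key in $cert does not match the KAC CSR $csr" >&2
        return 1
    fi
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "REJECT: $cert does not verify against CA certificate $ca" >&2
        return 1
    fi
    echo "OK: $cert matches the CSR key and chains to $ca"
    return 0
}

# Constructed demo material: a throwaway CA, a KAC key pair with its CSR and
# the certificate the CA issued for it ("kac"), plus a second key pair whose
# certificate the same CA issued ("other"), i.e. the mix-up the check catches.
make_demo_material() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo KAC CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    for node in kac other; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=encryption-node-1 KAC" \
            -keyout "$dir/$node.key" -out "$dir/$node.csr" >/dev/null 2>&1
        openssl x509 -req -in "$dir/$node.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 1 -out "$dir/$node.crt" >/dev/null 2>&1
    done
}

demo() {
    tmp=$(mktemp -d)
    make_demo_material "$tmp"
    if kac_cert_check "$tmp/kac.csr" "$tmp/kac.crt" "$tmp/ca.crt"; then
        echo "kac.crt: safe to import"
    fi
    if ! kac_cert_check "$tmp/kac.csr" "$tmp/other.crt" "$tmp/ca.crt" 2>/dev/null; then
        echo "other.crt: do not import (issued for a different key pair)"
    fi
    rm -rf "$tmp"
}

demo
```

Run it once against real files with `kac_cert_check node1.csr node1-signed.crt ca.crt` for each encryption node before importing; the same key-fingerprint comparison is also a quick way to tell which node a signed certificate belongs to when several CSRs were sent to the CA at once.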

Steps for connecting to a TKLM appliance

All switches you plan to include in an encryption group must have a secure connection to the Tivoli
Key Lifecycle Manager (TKLM). A local Linux host must be available to transfer certificates.

NOTE

Ensure that the time zone and clock time setting on the TKLM server and encryption nodes are the
same. A difference of only a few minutes can cause the TLS connectivity to fail.

Repeat the same steps for configuring both the primary and secondary key vaults.

NOTE

The primary and secondary key vaults should be registered before you export the master key or
encrypt LUNs. If the secondary key vault is registered after encryption is done for some of the
LUNs, then the key database should be backed up from the registered primary TKLM and restored on the
secondary TKLM before registering the secondary TKLM.

The following is a suggested order for the steps needed to create a secure connection to TKLM:

1. Initialize all encryption nodes to generate KAC certificates.

2. Export the signed KAC certificates to a local Linux host. Refer to “Exporting the Fabric OS node self-signed KAC certificates” on page 898.

3. Obtain the necessary user credentials and log in to the TKLM server appliance from the TKLM management web console.

4. Create a default key store on TKLM. Refer to “Establishing a default key store and device group on TKLM” on page 898.

5. Create a device group named BRCD_ENCRYPTOR with device family LTO.

6. Add devices to the group. Refer to “Adding a device to the device group” on page 899.

7. Create a certificate for the TKLM server. Refer to “Creating a self-signed certificate for TKLM” on page 899.
