Dell POWEREDGE M1000E User Manual

Page 213


Fabric OS Command Reference

185

53-1002746-01

cryptoCfg

2

encryption_group_name

Specifies the name of the encryption group to be deleted. This operand is required
when deleting an encryption group.

--reg -keyvault

Registers the specified key vault (primary or secondary) with the encryption
engines of all nodes present in an encryption group. Upon successful registration,
a connection to the key vault is automatically established. This command is valid
only on the group leader. Registered certificates are distributed from the group
leader to all member nodes in the encryption group. Each node in the encryption
group distributes the certificates to its respective encryption engines.

The following operands are required when registering a key vault:

cert_label

Specifies the key vault certificate label. This is a user-generated name for the
specified key vault. Use the cryptocfg --show -groupcfg command to view the
key vault label after registration is complete.

certfile

Specifies the certificate file. This file must be imported prior to registering the key
vault and reside in the predetermined directory where certificates are stored. In
the case of the HP SKM, this operand specifies the CA file, which is the certificate of
the signing authority on the SKM. Use the --show -file -all command for a listing
of imported certificates.

hostname | ip_address

Specifies the key vault by providing either a host name or IP address. If you are
registering a key vault that is part of a DPM cluster, the value for ip_address is
the virtual IP address for the DPM cluster and not the address of the actual key
vault.

primary | secondary

Specifies the key vault as either primary or secondary. The secondary key vault
serves as backup.

--dereg -keyvault

Removes the registration for a specified key vault. The key vault is identified by
specifying the certificate label. Removing a key vault registration disconnects the
key vault. This command is valid only on the group leader.

cert_label

Specifies the key vault certificate label. This operand is required when removing
the registration for a key vault.

--reg -KACcert

Registers the signed node certificate. After being exported and signed by the
external signing authority, the signed node certificate must be imported back into
the node and registered for a successful two-way certificate exchange with the
key vault. This command is valid only on the group leader.

Registration functions need to be invoked on all the nodes in a DEK cluster for
their respective signed node certificates. The following operands are required:

signed_certfile

Specifies the name of the signed node certificate to be reimported.

primary | secondary

Specifies the signing key vault as primary or secondary. This operand is valid only
with the TEKA, SKM, or KMIP key vault, which requires the CSR to be signed by
the primary or secondary vault. If both primary and secondary vaults are
configured, this command must be run once for the primary and once for the
secondary key vault from every node.
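The following is an added example, not part of the manual: a Python planner that turns an encryption group inventory into the ordered cryptocfg commands described above, with operands in the order this page lists them and --reg -KACcert issued from every node, once per signing vault. Node names, labels, file names, addresses and the "OTHER" vault type are constructed placeholders, and the operand character whitelist is an assumption added so that inventory values cannot smuggle extra commands into automation.

```python
import re
from dataclasses import dataclass

VAULT_SIGNED = {"TEKA", "SKM", "KMIP"}  # types that take primary|secondary on -KACcert
SAFE = re.compile(r"[A-Za-z0-9_.:-]+")  # assumption: reject spaces and metacharacters

@dataclass
class Vault:
    role: str        # "primary" or "secondary"
    cert_label: str  # user-generated label for the vault
    certfile: str    # already-imported certificate (CA file for HP SKM)
    address: str     # host name or IP; the virtual IP for a DPM cluster

def cmd(*tokens):
    """Join operands into one command line, refusing unsafe tokens."""
    for t in tokens:
        if not SAFE.fullmatch(t):
            raise ValueError(f"unsafe operand: {t!r}")
    return "cryptocfg " + " ".join(tokens)

def plan(leader, nodes, vault_type, vaults, signed_certs):
    """Return ordered (node, command) steps.

    signed_certs maps (node, role) to a signed node certificate file name;
    role is None when the vault type does not sign the CSR itself.
    """
    roles = [v.role for v in vaults]
    if leader not in nodes:
        raise ValueError("group leader must be one of the nodes")
    if sorted(roles) not in (["primary"], ["secondary"], ["primary", "secondary"]):
        raise ValueError("vaults must be one primary and/or one secondary")
    steps = [(leader, cmd("--show", "-file", "-all"))]  # confirm certs are imported
    for v in vaults:  # key vault registration is valid only on the group leader
        steps.append((leader, cmd("--reg", "-keyvault", v.cert_label,
                                  v.certfile, v.address, v.role)))
    signers = roles if vault_type in VAULT_SIGNED else [None]
    for node in nodes:  # signed node certificates: every node, once per signer
        for role in signers:
            cert = signed_certs.get((node, role))
            if cert is None:
                raise ValueError(f"no signed certificate for {node}/{role}")
            operands = [cert] + ([role] if role else [])
            steps.append((node, cmd("--reg", "-KACcert", *operands)))
    steps.append((leader, cmd("--show", "-groupcfg")))  # verify vault labels
    return steps
```

The planner only produces the command list; each step still has to be run on the node named in its first field.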
