HP 8/40 Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June - Page 127
Registering SKM on a Brocade encryption group leader
View all HP 8/40 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 127 highlights
Steps for connecting to an SKM appliance 3 Registering SKM on a Brocade encryption group leader An encryption group consists of one or more encryption engines. Encryption groups can provide failover/failback capabilities by organizing encryption engines into Data Encryption Key (DEK) clusters. An encryption group has the following properties: • It is identified by a user-defined name. • When there is more than one member, the group is managed from a designated group leader. • All group members must share the same key manager. • The same master key is used for all encryption operations in the group. • In the case of FS8-18 blades: - All encryption engines in a chassis are part of the same encryption group. - An encryption group may contain up to four DCX nodes with a maximum of four encryption engines per node forming a total of sixteen encryption engines. You will need to know the download location for the CA certificate used when "Downloading the local CA certificate" on page 102. 1. Identify one node (a Brocade Encryption Switch or a Brocade DCX or Brocade DCX-4S with an FS8-18 blade) as the designated group leader and log in as Admin or SecurityAdmin. 2. Enter the cryptocfg --create -encgroup command followed by a name of your choice. The name can be up to 15 characters long, and it can include any alphanumeric characters and underscores. White space or other special characters are not permitted. The following example creates the encryption group "brocade". SecurityAdmin:switch>cryptocfg --create -encgroup brocade Encryption group create status: Operation Succeeded. The switch on which you create the encryption group becomes the designated group leader. Once you have created an encryption group, all group-wide configurations, including key vault configuration, adding member nodes, configuring failover policy settings, and setting up storage devices, as well as all encryption management operations, are performed on the group leader. 3. Set the key vault type to SKM by entering the cryptocfg --set -keyvault command. Successful execution sets the key vault type for the entire encryption group. The following example sets the keyvault type to SKM. SecurityAdmin:switch>cryptocfg --set -keyvault SKM Set key vault status: Operation Succeeded. 4. Import the CA certificate from the download location used when "Downloading the local CA certificate" on page 102, and register SKM as the key vault. The group leader automatically shares this information with other group members. SecurityAdmin:switch>cryptocfg --import -scp SecurityAdmin:switch>cryptocfg --reg -keyvault primary At this point, it may take around one minute to fully configure the switch with SKM. 5. As the switches come up, enable the encryption engines. SecurityAdmin:switch>cryptocfg --enableEE Operation succeeded. Fabric OS Encryption Administrator's Guide 109 53-1001864-01