HP Brocade 8/12c Fabric OS Encryption Administrator's Guide - Page 147
Signing the Brocade encryption node KAC certificates
![]() |
View all HP Brocade 8/12c manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 147 highlights
Steps for connecting to an SKM or ESKM appliance 3 6. Initialize the encryption engine using the cryptocfg --initEE command. Provide a slot number if the encryption engine is a blade. This step generates critical security parameters (CSPs) and certificates in the CryptoModule's security processor (SP). The CP and the SP perform a certificate exchange to register respective authorization data. SecurityAdmin:switch>cryptocfg --initEE This will overwrite previously generated identification and authentication data ARE YOU SURE (yes, y, no, n): y Operation succeeded. 7. Register the encryption engine by entering the cryptocfg --regEE command. Provide a slot number if the encryption engine is a blade. This step registers the encryption engine with the CP or chassis. Successful execution results in a certificate exchange between the encryption engine and the CP through the FIPS boundary. SecurityAdmin:switch>cryptocfg --regEE Operation succeeded. 8. Repeat the above steps on every node that is expected to perform encryption. Signing the Brocade encryption node KAC certificates The KAC certificate signing request generated when the encryption node is initialized must be exported for each encryption node and signed by the Brocade local CA on SKM/ESKM. The signed certificate must then be imported back into the encryption node. 1. Export the KAC sign request to an SCP-capable host. SecurityAdmin:switch>cryptocfg --export -scp -KACcsr 192.168.38.245 mylogin /tmp/certs/kac_skm.csr 2. Open the exported file and copy the contents, beginning with ---BEGIN CERTIFICATE REQUEST--- and ending with ---END CERTIFICATE REQUEST---. Be careful not to include any extra characters. 3. Launch the SKM/ESKM administration console in a web browser and log in. 4. Select the Security tab. 5. Select Local CAs under Certificates & CAs. The Certificate and CA Configuration page displays. 6. Under Local Certificate Authority List, select the Brocade CA name. 7. Select Sign Request. The Sign Certificate Request page is displayed. 8. Select Sign with Certificate Authority using the Brocade CA name with the maximum of 3649 days option. 9. Select Client as Certificate Purpose. 10. Allow Certificate Duration to default to 3649. 11. Paste the file contents that you copied in step 3 in the Certificate Request Copy area. 12. Select Sign Request. Fabric OS Encryption Administrator's Guide 127 53-1002159-03
![](/manual_guide/products/hewlettpackard-brocade-812c-fabric-os-encryption-administrator039s-guide-2e9e911/147.png)