HP Brocade 8/12c Fabric OS Encryption Administrator's Guide - Page 153
Steps for connecting to an SKM or ESKM appliance 3

CAUTION
After adding the member node to the encryption group, you should not use the cryptocfg --zeroizeEE command on that node. Doing so removes critical information such as CP certificates from the node and makes it necessary to reinitialize the node and export the new CP certificates and KAC certificates to the group leader and the key vault.

To add a member node to an encryption group, follow these steps:

1. Log in to the switch on which the certificate was generated as Admin or SecurityAdmin.

2. Execute the cryptocfg --reclaimWWN -cleanup command.

3. Export the certificate from the local switch to an SCP-capable external host or to a mounted USB device. Enter the cryptocfg --export command with the appropriate parameters.

   When exporting a certificate to a location other than your home directory, you must specify a fully qualified path that includes the target directory and file name. When exporting to USB storage, certificates are stored by default in a predetermined directory, and you only need to provide a file name for the certificate. The file name must be given a .pem (privacy enhanced mail) extension. Use a character string that identifies the certificate's originator, such as the switch name or IP address.

   The following example exports a CP certificate from an encryption group member to an external SCP-capable host and stores it as enc_switch1_cp_cert.pem.

       SecurityAdmin:switch>cryptocfg --export -scp CPcert \
       192.168.38.245 mylogin /tmp/certs/enc_switch1_cp_cert.pem
       Password:
       Operation succeeded.

   The following example exports a CP certificate from the local node to USB storage.

       SecurityAdmin:switch>cryptocfg --export -usb CPcert enc_switch1_cp_cert.pem
       Operation succeeded.

4. Log in to the group leader as Admin or SecurityAdmin.

5. Use the cryptocfg --import command to import the CP certificates to the group leader node. You must import the CP certificate of each node you wish to add to the encryption group.

   The following example imports a CP certificate named "enc_switch1_cp_cert.pem" that was previously exported to the external host 192.168.38.245. Certificates are imported to a predetermined directory on the group leader.

       SecurityAdmin:switch>cryptocfg --import -scp enc_switch1_cp_cert.pem \
       192.168.38.245 mylogin /tmp/certs/enc_switch1_cp_cert.pem
       Password:
       Operation succeeded.

   The following example imports a CP certificate named "enc_switch1_cp_cert.pem" that was previously exported to USB storage.

       SecurityAdmin:switch>cryptocfg --import -usb enc_switch1_cp_cert.pem \
       enc_switch1_cp_cert.pem
       Operation succeeded.

Fabric OS Encryption Administrator's Guide 133
53-1002159-03
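An added example, not part of the HP guide: a Python check that could be run on the external SCP host between step 3 and step 5 to confirm that the staged file follows the naming rules above and is still the certificate that was exported. It assumes the CP certificate is a single X.509 certificate in PEM form; the function names and the sample certificate bytes are constructed for illustration.

```python
import hashlib
import posixpath
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"

def name_problems(path):
    """Naming rules from the guide for a file staged outside the home directory."""
    problems = []
    if not posixpath.isabs(path):
        problems.append("path is not fully qualified (required outside the home directory)")
    if not path.endswith(".pem"):
        problems.append("file name lacks the .pem extension")
    return problems

def fingerprint(pem_text):
    """SHA-256 hex digest of the DER bytes of the one certificate in pem_text."""
    if pem_text.count(PEM_BEGIN) != 1:
        raise ValueError("expected exactly one PEM certificate block")
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    if der[:1] != b"\x30":  # assumption: X.509, so the DER starts with a SEQUENCE
        raise ValueError("decoded body is not a DER SEQUENCE")
    return hashlib.sha256(der).hexdigest()

def staged_file_problems(path, pem_text, recorded_fp):
    """Return reasons not to import the staged file; an empty list means proceed."""
    problems = name_problems(path)
    try:
        if fingerprint(pem_text) != recorded_fp.lower():
            problems.append("fingerprint differs from the one recorded at export")
    except ValueError as exc:
        problems.append(f"not a usable PEM certificate: {exc}")
    return problems

# Constructed stand-ins (not real certificates): minimal DER SEQUENCEs.
EXPORTED = ssl.DER_cert_to_PEM_cert(b"\x30\x03\x02\x01\x01")
REPLACED = ssl.DER_cert_to_PEM_cert(b"\x30\x03\x02\x01\x02")
RECORDED_FP = fingerprint(EXPORTED)  # noted when the export in step 3 completed

if __name__ == "__main__":
    path = "/tmp/certs/enc_switch1_cp_cert.pem"  # path from the guide's example
    print(staged_file_problems(path, EXPORTED, RECORDED_FP))  # unchanged file
    print(staged_file_problems(path, REPLACED, RECORDED_FP))  # content changed
    print(staged_file_problems("enc_switch1_cp_cert.crt", "junk", RECORDED_FP))
```

Record the fingerprint out of band when the export completes, and run the comparison on the staged file immediately before the import on the group leader.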