HP Brocade 8/12c Fabric OS Encryption Administrator's Guide - Page 56
SKM or ESKM key vault high availability deployment, Steps for Migrating from SKM to ESKM
SKM or ESKM key vault high availability deployment

The SKM/ESKM key vault has high availability clustering capability. SKM/ESKM appliances can be clustered together in a manner that is transparent to the end user. Encryption keys saved to one key vault are synchronously hardened to the cluster pairs. Please refer to the HP SKM/ESKM appliance user documentation for configuration requirements and procedures.

Configured primary and secondary HP SKM/ESKM appliances must be registered with the Brocade encryption switch or blade to begin key operations. The user can register only a single SKM/ESKM if desired. In that case, the HA features are lost, but the archived keys are backed up to any other non-registered cluster members.

Beginning with Fabric OS 6.3.0, the primary and secondary appliances must be clustered.

Both the SKM/ESKM appliances in the cluster can be registered using the following command.

    cryptocfg --reg -keyvault

Related Topics

• "Disk keys and tape pool keys support" on page 131
• "Tape LUN support" on page 132
• "SKM or ESKM Key Vault Deregistration" on page 132

Steps for Migrating from SKM to ESKM

The procedure for migrating SKM to ESKM assumes the following:

• An encryption group already exists on the BES with SKM configured and connected.
• ESKM has the following data transferred from SKM:
  • User group, users, CA information
  • SSL/FIPS settings
  • Key database
• ESKM uses the same CA certificate that was used by SKM.

NOTE: If the CA changes on the ESKM, you must deregister the key vaults and redo the procedure for configuring the key vault for the encryption group. To perform the steps using the GUI, see "Steps for connecting to an SKM or ESKM appliance" on page 26. To perform the steps using the CLI, see "Steps for connecting to an SKM or ESKM appliance" on page 119.

Steps required from the BES CLI

From the group leader BES:

1. Deregister SKM using the command cryptocfg --dereg -keyvault.
2. Import the CA certificate using the command cryptocfg --import -scp .

36 Fabric OS Encryption Administrator's Guide 53-1002159-03
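The migration procedure above depends on ESKM using the same CA certificate as SKM. The following is an added example, not taken from the HP/Brocade guide, of a pre-migration check that compares the two CA exports by the SHA-256 of their DER bytes, so that differences in line wrapping or line endings between exports do not produce a false mismatch. The function names and the sample certificates are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def ca_fingerprint(pem_text):
    """SHA-256 of the DER bytes of the first certificate in a PEM export."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM certificate block found")
    b64 = "".join(m.group(1).split())           # drop line wrapping and CR/LF
    der = base64.b64decode(b64, validate=True)  # reject non-base64 debris
    return hashlib.sha256(der).hexdigest()

def migration_path(skm_ca_pem, eskm_ca_pem):
    """Map the CA comparison onto the two outcomes the guide describes."""
    if ca_fingerprint(skm_ca_pem) == ca_fingerprint(eskm_ca_pem):
        return "same CA: continue with the SKM to ESKM migration steps"
    return "CA changed: deregister key vaults and redo key vault configuration"

def to_pem(der, width, eol):
    """Helper for the constructed samples: wrap DER bytes as PEM text."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return eol.join(["-----BEGIN CERTIFICATE-----", *lines,
                     "-----END CERTIFICATE-----", ""])

# Constructed sample data: placeholder bytes standing in for DER certificates,
# not real X.509 structures and not taken from any appliance.
CA_A = bytes(range(200))
CA_B = bytes(reversed(range(200)))
SKM_EXPORT = to_pem(CA_A, 64, "\n")
# Same CA, exported with different wrapping, CRLF endings and a text preamble.
ESKM_EXPORT_SAME = "subject=constructed\r\n" + to_pem(CA_A, 76, "\r\n")
ESKM_EXPORT_NEW = to_pem(CA_B, 64, "\n")

if __name__ == "__main__":
    print(migration_path(SKM_EXPORT, ESKM_EXPORT_SAME))
    print(migration_path(SKM_EXPORT, ESKM_EXPORT_NEW))
```

A plain file hash or byte comparison of the two exports would report a mismatch for the first pair even though the certificate is identical.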