Brocade Network Advisor SAN User Manual v11.1x (53-1002167-01, May 2011)

Steps for connecting to an RKM appliance
All switches you plan to include in an encryption group must have a secure connection to the RSA
Key Manager (RKM). The following is a suggested order of steps needed to create a secure
connection to RKM:
1. Export the KAC CSR to a location accessible to a CA for signing.
2. Submit the KAC CSR for signing by a CA.
3. Import the signed certificate into the Fabric OS encryption node.
4. Upload the signed KAC and CA certificates onto the RKM appliance, and select the appropriate
key classes.
5. If dual RKM appliances are used for high availability, the RKM appliances must be clustered,
and must operate in maximum availability mode, as described in the RKM appliance user
documentation.
These steps are described in more detail in the following sections:
• “Exporting the KAC certificate signing request (CSR)”
• “Submitting the CSR to a certificate authority”
• “Importing the signed KAC certificate”
• “Uploading the KAC and CA certificates onto the RKM appliance”
• “RKM key vault high availability deployment”
Exporting the KAC certificate signing request (CSR)
1. Export the KAC CSR to a temporary location prior to submitting the KAC CSR to a CA for signing.
2. Synchronize the time on the switch and the key manager appliance. They should be within one
minute of each other. Differences in time can invalidate certificates and cause key vault
operations to fail.
3. Select a switch from the Encryption Center Devices table, then select Switch > Properties from
the menu task bar, or right-click the switch and select Properties.
NOTE
You can also select a switch from the Encryption Center Devices table, then click the
Properties icon.
The Properties dialog box displays.
4. Do one of the following:
   • If a CSR is present, click Export.
   • If a CSR is not present, select a switch from the Encryption Center Devices table, then
     select Switch > Init Node from the menu task bar, or right-click a switch and select Init
     Node. This generates switch security parameters and certificates, including the KAC CSR.
5. Save the file. The default location for the exported file is in the Documents folder.
NOTE
The CSR is exported in Privacy Enhanced Mail (.pem) format. This is the format required in
exchanges with certificate authorities.
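
The following pre-submission check is an added example, not part of the Brocade manual or product: it confirms that an exported file holds exactly one PEM certificate request (not a certificate or a private key), that the body is not truncated, and that two clock readings meet the one-minute limit from step 2. All function names are hypothetical, the sample bytes are constructed placeholders rather than a real CSR, and the check is structural only (it does not verify the request's signature).

```python
import base64, binascii, re
from datetime import datetime

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
CSR_LABELS = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}
MAX_SKEW_SECONDS = 60  # the manual's "within one minute of each other"

def sample_pem(label, der):
    """Wrap bytes in PEM armor; used here only to build constructed samples."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def der_sequence_ok(der):
    """True if der is one DER SEQUENCE whose length field covers the whole buffer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        header, length = 2, der[1]
    else:                                  # long-form length: next n bytes
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def check_exported_csr(pem_text):
    """Return (ok, reason) for the text of an exported CSR file."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        return False, f"expected one PEM block, found {len(blocks)}"
    label, body = blocks[0]
    if label not in CSR_LABELS:            # e.g. a certificate or a private key
        return False, f"PEM label {label!r} is not a certificate request"
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except binascii.Error:
        return False, "body is not valid base64"
    if not der_sequence_ok(der):
        return False, "body is not one complete DER SEQUENCE (truncated file?)"
    return True, "ok"

def clock_skew_ok(switch_utc, vault_utc):
    return abs((switch_utc - vault_utc).total_seconds()) <= MAX_SKEW_SECONDS

if __name__ == "__main__":
    placeholder = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)  # constructed, not a real CSR
    print(check_exported_csr(sample_pem("CERTIFICATE REQUEST", placeholder)))
    print(clock_skew_ok(datetime(2011, 5, 1, 12, 0, 0), datetime(2011, 5, 1, 12, 0, 45)))
```

Both clock readings passed to `clock_skew_ok` must be in the same time zone, for example both in UTC.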