Data Center Fabric Manager Enterprise User Manual v10.3.X (53-1001357-01, November 2009)

Registering the certificates
NODE LIST
Total Number of defined nodes: 2
Group Leader Node Name: 10:00:00:05:1e:41:7e
Encryption Group state: CLUSTER_STATE_CONVERGED
Node Name                 IP address      Role
10:00:00:05:1e:41:9a:7e   10.32.244.71    GroupLeader
10:00:00:05:1e:39:14:00   10.32.244.60    MemberNode (current node)
5. Exchange certificates between the LKM key vault and the member node, starting with
exporting the KAC certificate from the member node to an SCP-capable external host.
SecurityAdmin:enc1_switch>cryptocfg --export -scp -KACcert \
192.168.38.245 mylogin enc1_kac_lkm_cert.pem
Password:
Operation succeeded.
6. Open an SSH connection to the NetApp LKM appliance and add the member node IP address.
lkm-1> lkmserver add --type third-party --key-sharing-group "/" \
10.32.244.60
NOTICE: LKM Server third-party 10.32.244.60 added.
Cleartext connections not allowed.
7. On the external host, register the KAC LKM certificate you exported from the member node
with the NetApp LKM appliance.
host$ echo lkmserver certificate set 10.32.244.60 \
`cat enc1_kac_lkm_cert.pem` | ssh -l admin 10.33.54.231
Pseudo-terminal will not be allocated because stdin is not a terminal.
admin@10.33.54.231's password:
Checking system tamper status:No physical intrusion detected.
ALERT: There are pending unapproved trustees.
NOTICE: LKM Peer '10.32.244.60' certificate is set
8. Enter the cryptocfg --show -groupcfg command on the member node. If the link key has been
established (refer to “Establishing the trusted link”), the display shows the LKM as connected.
SecurityAdmin:enc1_switch>cryptocfg --show -groupcfg
Encryption Group Name: brocade
Failback mode: Manual
Heartbeat misses: 3
Heartbeat timeout: 2
Key Vault Type: LKM
Primary Key Vault:
IP address: 10.33.54.231
Certificate ID: lkm-1
Certificate label: LKM1
State: Connected
Type: LKM
Secondary Key Vault not configured
[output truncated]
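
The check in step 8 can be scripted against saved command output. The following is an added example, not part of the manual: it parses captured cryptocfg --show -groupcfg text and succeeds only when the primary key vault is the expected appliance and shows State: Connected. The function names are hypothetical, and the sample input is the step 8 output shown above.

```shell
# Added example (not from the manual): check the primary key vault link in
# saved `cryptocfg --show -groupcfg` output. Function names are hypothetical.

# Sample input: the step 8 output as printed on the page.
sample_groupcfg() {
cat <<'EOF'
Encryption Group Name: brocade
Failback mode: Manual
Heartbeat misses: 3
Heartbeat timeout: 2
Key Vault Type: LKM
Primary Key Vault:
IP address: 10.33.54.231
Certificate ID: lkm-1
Certificate label: LKM1
State: Connected
Type: LKM
Secondary Key Vault not configured
EOF
}

# vault_field ROLE FIELD: read groupcfg text on stdin and print FIELD from the
# "ROLE Key Vault:" block, or "not configured" when the output says so.
vault_field() {
  awk -v role="$1" -v field="$2" '
    { sub(/\r$/, ""); sub(/^[ \t]+/, "") }
    $0 == (role " Key Vault not configured") { print "not configured"; exit }
    /Key Vault:$/ { in_block = ($0 == (role " Key Vault:")); next }
    /Key Vault not configured$/ { in_block = 0; next }
    in_block && index($0, field ":") == 1 {
      v = substr($0, length(field) + 2); sub(/^[ \t]+/, "", v); print v; exit
    }'
}

# check_key_vault EXPECTED_IP: succeed only if the primary vault is the
# expected appliance and reports State: Connected.
check_key_vault() {
  cfg=$(cat)
  ip=$(printf '%s\n' "$cfg" | vault_field Primary "IP address")
  state=$(printf '%s\n' "$cfg" | vault_field Primary "State")
  if [ "$ip" != "$1" ]; then
    echo "primary key vault is '${ip:-missing}', expected '$1'" >&2; return 2
  fi
  if [ "$state" != "Connected" ]; then
    echo "primary key vault state: '${state:-missing}'" >&2; return 1
  fi
  echo "primary key vault $ip: $state"
}
sample_groupcfg | check_key_vault 10.33.54.231
```

Comparing the reported IP address as well as the state catches a member node that is connected to a different vault than the one the certificate was registered with.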