Data Center Fabric Manager Enterprise User Manual v10.3.X (53-1001357-01, November 2009)

Appendix A: The RSA Key Manager
Communication with the RSA Key Manager (RKM) is secured by wrapping data encryption keys (DEKs)
in a master key. The encryption engine must generate its own master key, send DEKs to RKM
encrypted in the master key, and decrypt DEKs received from RKM using the same master key. The
master key may optionally be stored as a key record in the RKM key vault as a backup, but RKM does
not assume responsibility for the master key. The master key must be backed up and stored securely,
and policies and procedures for responding to its theft or loss must be in place.
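The wrapping scheme described above, as an added illustration that is not the product's own code: a DEK is sealed under the engine's master key before it goes to the vault, and the vault record is useless to anyone (RKM included) who does not hold that master key, which is why losing the master key without a backup leaves every escrowed DEK unrecoverable. AES-256-GCM is assumed here as the wrapping primitive; the manual does not state which one the encryption engine uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcmFor builds the AEAD used to wrap and unwrap DEKs under the master key.
// AES-GCM is an assumed wrapping primitive, not necessarily the product's.
func gcmFor(masterKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapDEK encrypts a DEK under the engine's master key. The result
// (nonce || ciphertext || tag) is what a key vault such as RKM would
// store as the key record: useless on its own without the master key.
func WrapDEK(masterKey, dek []byte) ([]byte, error) {
	gcm, err := gcmFor(masterKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, dek, nil), nil
}

// UnwrapDEK recovers the DEK from a vault record. It fails with an
// authentication error when the master key differs from the one used
// to wrap, e.g. a master key regenerated after the original was lost
// without a backup, which is why the text insists on backing it up.
func UnwrapDEK(masterKey, wrapped []byte) ([]byte, error) {
	gcm, err := gcmFor(masterKey)
	if err != nil {
		return nil, err
	}
	if len(wrapped) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("wrapped DEK record too short")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, wrapped[:n], wrapped[n:], nil)
}
```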
Obtaining and Importing the RKM certificate
Certificates must be exchanged between RKM and the encryption switch to enable mutual
authentication. You must obtain a certificate from RKM, and import it into the encryption group
leader. The encryption group leader exports the certificate to other encryption group members.
To obtain and import an RKM certificate, do the following.
1. Export the RKM certificate using a file transfer utility, such as FTP, and save it on an
SCP-capable host.
2. On the group leader, import the previously saved RKM certificate from the SCP-capable host:
- If you are using the Management application, the path to the file must be specified on the
Select Key Vault dialog box. If the proper path is entered, the file is imported.
- If you are using the CLI, use the cryptocfg --import command with the -scp option. The
following example imports a certificate file named rkmcert.pem.
SecurityAdmin:switch>cryptocfg --import -scp rkmcert.pem 192.168.38.245 \
mylogin /tmp/certs/rkmcert.pem
Password:
Operation succeeded.
Exporting the KAC certificate signing request (CSR)
If you are using the SAN Management program, the KAC CSR is exported to a location you specify
when you create a new encryption group or add a switch to an encryption group. If you are using the
CLI, you can export the KAC CSR from the switch to a file on a LAN-attached host, or you can attach
a USB storage device to the switch and export the KAC CSR to that device.
1. Log in to the switch on which the CSR was generated, as Admin or SecurityAdmin.
2. Export the CSR from the switch over an SCP-protected LAN connection to a file on an external
host (e.g., your workstation), or to a mounted USB device.
The following example exports a CSR to an external SCP-capable host.
SecurityAdmin:switch>cryptocfg --export -scp -KACcsr \
192.168.38.245 mylogin /tmp/certs/kac_rkm_cert.pem
Password:
Operation succeeded.