Brocade Network Advisor SAN User Manual v11.1x (53-1002167-01, May 2011)

ManualsBrandsHP ManualsSoftwareHP B-series SAN Network Advisor Software

511

512

513

514

515

516

517

518

519

520

Brocade Network Advisor SAN User Manual 469

53-1002167-01

Steps for connecting to a TKLM appliance

All switches you plan to include in an encryption group must have a secure connection to the Tivoli

Key Lifecycle Manager (TKLM). A local LINUX host must be available to transfer certificates.

NOTE

Ensure that the time zone and clock time setting on the TKLM server and Brocade encryption nodes

are the same. A difference of only a few minutes can cause the TLS connectivity to fail.

Repeat the same steps for configuring both the primary and secondary key vaults.

NOTE

The primary and secondary key vaults should be registered before you export the master key or

encrypting LUNs. If the secondary key vault is registered after encryption is done for some of the

LUNs, then the key database should be backed up and restored on the secondary TKLM from the

registered primary TKLM before registering the secondary TKLM.

The following is a suggested order for the steps needed to create a secure connection to TKLM:

• Initialize all Brocade encryption nodes to generate KAC certificates and export the signed KAC

certificates to a local LINUX host.

• Obtain the necessary user credentials and log in to the TKLM server appliance from the TKLM

management web console.

• Create a default key store on TKLM.

• Create a device group named BRCD_ENCRYPTOR with device family LTO.

• Add devices to the group.

• Create a certificate for the TKLM server.

• Import the Brocade node KAC certificates.

• Export the server CA certificate to a LINUX or Windows host.

• Add encryption group members as needed. The first node added to an encryption group

functions as the group leader. It is valid to have only one node in an encryption group.

• Import the server CA certificate and register TKLM on the Brocade encryption group leader

nodes.

• Enable the encryption engines.

These configuration steps are described in the following sections:

• “Establishing a default key store and device group on TKLM” on page 470

• “Creating a self-signed certificate for TKLM” on page 471

• “Importing the Fabric OS encryption node KAC certificates to TKLM” on page 471

• “Exporting the TKLM self-signed server certificate” on page 471

• “Importing the TKLM certificate into the group leader” on page 472

Exporting the Fabric OS node self-signed KAC certificates

Each Fabric OS node generates a self-signed KAC certificate as part of the node initialization

process as described under “Encryption node initialization and certificate generation”. These

certificates must be exported from each switch and stored on a local LINUX host to make them

available for importing to TKLM.