Data Center Fabric Manager Enterprise User Manual v10.3.X (53-1001357-01, November 2009)

Establishing the trusted link
2. To add the encryption group leader to an LKM appliance third-party key sharing group, enter lkmserver add --type third-party --key-sharing-group "/" followed by the group leader IP address.
lkm-1>lkmserver add --type third-party --key-sharing-group \
"/" 10.32.244.71
NOTICE: LKM Server third-party 10.32.244.71 added.
Cleartext connections not allowed.
3. From the external host, enter echo lkmserver certificate set <group leader IP address> `cat kac_lkm_cert.pem` | ssh -l admin <LKM IP address> to register the KAC LKM certificate you exported from the group leader with the NetApp LKM appliance. The file name must match the one you used when exporting the certificate from the group leader. Because this certificate becomes the LKM's trust anchor for the switch, verify the LKM appliance's SSH host key fingerprint when the external host first connects to it, rather than accepting an unknown key.
host$echo lkmserver certificate set 10.32.244.71 \
`cat kac_lkm_cert.pem` | ssh -l admin 10.33.54.231
Pseudo-terminal will not be allocated because stdin is not a terminal.
admin@10.33.54.231's password:
Checking system tamper status:
No physical intrusion detected.
NOTICE: LKM Peer '10.32.244.71' certificate is set
4. Select the Link Keys tab on the Encryption Group Properties dialog box.
The switch name displays in the link status table under Switch, with a Link Key Status of Link
Key requested, pending LKM approval.
5. Select the switch, and click Establish.
This generates a trusted link establishment package (TEP), which is required to establish the trusted link between the switch and the LKM appliance.
6. Launch the NetApp DataFort Management Console (DMC) and click the View Unapproved
Trustees tab.
The switch is listed as openkey_trustee_<ip address>, where the IP address is the switch IP
address entered in step 2.
7. Select the switch, and click Approve and Create TAP.
The Approve TEP dialog box displays. The TEP must be approved before a TAP can be created.
8. Provide a label in the dialog box and click Approve to approve the TEP.
A list of recovery cards and recovery officers is displayed. TEP approval requires a quorum of recovery officers, each using an assigned recovery card. Each recovery officer must individually insert one of the listed recovery cards into a card reader attached to the PC or workstation, enter the password for that card, and click Start. Repeat this until a quorum of recovery officers has approved the TEP.
9. Save the TAP to a file (location does not matter).
10. Select the Link Keys tab on the Encryption Group Properties dialog box.
11. Select the switch in the link key status table, and click Accept to retrieve the TAP from the LKM
appliance.
12. Repeat the above steps for each of the remaining member nodes.
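The one-liner in step 3 is easy to get wrong: an unquoted `cat` of a missing or wrong file silently sends an empty or bogus certificate, and a first-time ssh connection that accepts an unknown host key lets an interposed host register its own peer certificate. The script below is an added example, not part of the DCFM manual or the NetApp LKM product, wrapping that step with input checks and host key pinning. It assumes (not stated on the page) that the LKM CLI accepts the PEM flattened onto one line, which is exactly what the manual's unquoted command substitution produces, and that the LKM's SSH host key has already been recorded in a dedicated known_hosts file named by LKM_KNOWN_HOSTS. The function and variable names (is_ipv4, is_pem_cert, build_lkm_cert_cmd, register_kac_cert, LKM_SSH) are this example's own.

```shell
#!/bin/sh
# Added example (not from the DCFM manual): wraps the step-3 command
#   echo lkmserver certificate set <leader-ip> `cat kac_lkm_cert.pem` | ssh -l admin <lkm-ip>
# Assumptions: the LKM CLI takes the PEM on one line (as the manual's unquoted
# `cat` substitution yields); the LKM host key is pinned in LKM_KNOWN_HOSTS.

# Accept only a dotted-quad IPv4 address, each octet 0..255
# (every address in the manual's examples is IPv4). Returns 1 otherwise.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# The file must be a non-empty PEM certificate and must not be a private key
# (sending a key file to the LKM would expose it over the session).
is_pem_cert() {
  [ -s "$1" ] || return 1
  grep -q '^-----BEGIN CERTIFICATE-----$' "$1" || return 1
  grep -q '^-----END CERTIFICATE-----$' "$1" || return 1
  ! grep -q 'PRIVATE KEY' "$1"
}

# Build the exact LKM CLI line the manual's echo/backtick idiom produces:
#   lkmserver certificate set <leader-ip> <PEM with newlines turned into spaces>
build_lkm_cert_cmd() {
  leader_ip=$1; pem_file=$2
  is_ipv4 "$leader_ip" || { echo "bad group leader IP: $leader_ip" >&2; return 1; }
  is_pem_cert "$pem_file" || { echo "not a PEM certificate: $pem_file" >&2; return 1; }
  pem_flat=$(tr '\n' ' ' < "$pem_file" | sed 's/ *$//')
  printf 'lkmserver certificate set %s %s\n' "$leader_ip" "$pem_flat"
}

# Send the command over ssh as the manual does, but refuse any host key that
# is not already in the pinned known_hosts file. LKM_SSH exists so the ssh
# binary can be swapped out (e.g. for a stub when testing offline).
register_kac_cert() {
  leader_ip=$1; pem_file=$2; lkm_ip=$3
  known_hosts=${LKM_KNOWN_HOSTS:-"$HOME/.ssh/lkm_known_hosts"}
  is_ipv4 "$lkm_ip" || { echo "bad LKM IP: $lkm_ip" >&2; return 1; }
  cmd=$(build_lkm_cert_cmd "$leader_ip" "$pem_file") || return 1
  printf '%s\n' "$cmd" | ${LKM_SSH:-ssh} -o StrictHostKeyChecking=yes \
      -o UserKnownHostsFile="$known_hosts" -l admin "$lkm_ip"
}
```

Usage follows the manual's values: `register_kac_cert 10.32.244.71 kac_lkm_cert.pem 10.33.54.231`. Populate the pinned known_hosts file once, out of band, from a fingerprint obtained from the LKM console; after that, a changed or unknown key makes ssh abort instead of prompting, so the certificate is never handed to an unverified peer.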