Data Center Fabric Manager Enterprise User Manual v10.3.X (53-1001357-01, November 2009)

10. Register the RKM key vault on the group leader using the CA certificate of the CA that signed
the RKM key vault certificate. This is the file whose path was entered in the SSLCAcertificateFile field.
The group leader automatically shares this information with the other group members.
    SecurityAdmin:switch>cryptocfg --import -scp <CA certificate file> <host IP> <host username> <host path>
    SecurityAdmin:switch>cryptocfg --reg -keyvault <CA certificate file> <RKM IP> primary
11. Display the group configuration using the cryptocfg --show -groupcfg command, and confirm that
the key vault is listed as registered before enabling encryption on any target.
RKM Appliance cluster support
When dual RKM appliances are used for high availability, the RKM appliances must be clustered,
and must operate in maximum availability mode, as described in the RKM appliance user
documentation. Only one RKM key vault should be configured. Do not configure a second RKM key
vault from the cluster.
The HP Secure Key Manager
The HP StorageWorks Secure Key Manager (SKM) is a security appliance that provides centralized key
management. SKM runs on a stand-alone, FIPS 140-2 Level 2 compliant hardware platform that is
isolated from other applications and runs a hardened operating system. SKM offers high availability,
clustering, and failover options.
After the required certificate file is loaded on the encryption switch and the SKM IP addresses are
configured on the encryption switch, the encryption switch automatically establishes a secure
connection with SKM. The DEKs themselves are additionally protected by wrapping them in a master
key: the encryption engine generates its own master key, sends DEKs to SKM encrypted under that
master key, and decrypts DEKs received from SKM using the same master key. SKM therefore stores
only wrapped DEKs and never holds the master key, so the master key must be backed up before any
data is encrypted; if it is lost, the wrapped DEKs, and the data they protect, cannot be recovered.
Setting up an HP SKM key vault consists of registering the encryption group leader and group
member nodes with the HP SKM key vault by exporting their KAC certificates, and taking steps on
the HP SKM appliance that allow the certificates to be signed by a local certificate authority (CA) on
the HP SKM appliance. These steps can be broken down into the following tasks.