Fabric OS Encryption Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP ISL Trunking Kit

141

142

143

144

145

146

147

148

149

150

128 Fabric OS Encryption Administrator’s Guide

53-1002159-03

Steps for connecting to an SKM or ESKM appliance

Upon success, you are presented with the option of downloading the signed certificate.

13. Download the signed certificate to your local system as signed_kac_skm_cert.pem.

14. Import the signed certificate from its location, or from a USB storage device.

SecurityAdmin:switch>cryptocfg --import -scp signed_kac_skm_cert.pem \

192.168.38.245 mylogin /tmp/certs/kac_skm_cert.pem

Password:

Operation succeeded.

The following example imports a KAC certificate that was previously exported to USB storage.

SecurityAdmin:switch>cryptocfg --import -usb signed_kac_skm_cert.pem \

kac_skm_cert.pem

Operation succeeded.

15. Register the KAC certificate.

SecurityAdmin:switch>cryptocfg --reg -KACcert signed_kac_skm_cert.pem

Operation succeeded

16. Repeat this procedure for every encryption node that is expected to perform encryption within

the fabric.

Registering SKM or ESKM on a Brocade encryption group leader

An encryption group consists of one or more encryption engines. Encryption groups can provide

failover/failback capabilities by organizing encryption engines into Data Encryption Key (DEK)

clusters. An encryption group has the following properties:

• It is identified by a user-defined name.

• When there is more than one member, the group is managed from a designated group leader.

• All group members must share the same key manager.

• The same master key is used for all encryption operations in the group.

• In the case of FS8-18 blades:

- All encryption engines in a chassis are part of the same encryption group.

- An encryption group may contain up to four DCX nodes with a maximum of four encryption

engines per node forming a total of sixteen encryption engines.

You will need to know the download location for the CA certificate used when “Downloading the

local CA certificate” on page 121.

1. Identify one node (a Brocade Encryption Switch or a Brocade DCX or Brocade DCX-4S with an

FS8-18 blade) as the designated group leader and log in as Admin or SecurityAdmin.

2. Enter the cryptocfg

--create -encgroup command followed by a name of your choice. The

name can be up to 15 characters long, and it can include any alphanumeric characters and

underscores. White space or other special characters are not permitted.

The following example creates the encryption group "brocade".

SecurityAdmin:switch>cryptocfg --create -encgroup brocade

Encryption group create status: Operation Succeeded.