Fabric OS Encryption Administrator's Guide

53-1002159-03
BES removal and replacement
9. Set the IP address for the new Brocade Encryption Switch using the ipaddrset command for
the Mgmt Link and IO link. Check that the switch name and domain ID associated with the
replacement switch match those of the original.
10. Zeroize the new Brocade Encryption Switch.
cryptocfg --zeroizeEE
The Brocade Encryption Switch reboots automatically.
11. If the encryption group has system card authentication enabled, you must re-register the
system card through the Management application client for the new encryption engine.
12. Initialize the new Brocade Encryption Switch node.
cryptocfg --initnode
13. From the new Brocade Encryption Switch node, run the following command to export the CP
certificate of the new Brocade Encryption Switch:
cryptocfg --export -scp -CPcert <host IP> <host user> <host file path>
14. From the group leader node, run the following command to import the new Brocade Encryption
Switch node certificate on the group leader node:
cryptocfg --import -scp <Certificate file name> <host IP> <host user> <host file path>
15. From the group leader node, run the following command to register the new Brocade
Encryption Switch node as a member node on the group leader:
cryptocfg --reg -membernode <New BES WWN> <Cert file Name> <Old IP address>
16. Initialize the new encryption engine.
cryptocfg --initEE [slotnumber]
17. Register the new encryption engine.
cryptocfg --regEE [slotnumber]
18. Enable the new encryption engine.
cryptocfg --enableEE [slotnumber]
19. Check that the encryption engine state is online.
cryptocfg --show -localEE
20. Export the KAC CSR from the new node and sign the CSR with the HP SKM/ESKM Local CA.
21. Import the signed CSR/certificate onto the new node.
22. Register the signed KAC CSR/certificate back on the new node using the following
command:
cryptocfg --reg -KACcert