Cisco MDS 9000 Family Storage Media Encryption Configuration Guide - Release 4.x (OL-18091-01, February 2009)

Appendix C Provisioning Self-Sign Certificates
Generating and Installing Self-Signed Certificates
Generating KMC Certificate
To generate the KMC server certificate, follow these steps:
Step 1 Generate the KMC certificate by entering the following commands in the OpenSSL application:
OpenSSL> genrsa -out sme_kmc_server.key 1024
OpenSSL> req -new -key sme_kmc_server.key -out sme_kmc_server.csr
OpenSSL> x509 -req -days 365 -in sme_kmc_server.csr -CA cacert.pem -CAkey privkey.pem -CAcreateserial -out sme_kmc_server.cert
OpenSSL> pkcs12 -export -in sme_kmc_server.cert -inkey sme_kmc_server.key -out sme_kmc_server.p12
Step 2 Import this PKCS12 keystore into a Java keystore using the Java keytool (JRE 1.6).
"C:\Program Files\Java\jre1.6.0_02\bin\keytool.exe" -importkeystore -srckeystore sme_kmc_server.p12 -srcstoretype PKCS12 -destkeystore sme_kmc_server.jks -deststoretype JKS
Note Remember the password as it needs to be updated in the properties file.
Step 3 Import the CA certificate into a Java keystore using the Java keytool (JRE 1.6).
"C:\Program Files\Java\jre1.6.0_02\bin\keytool.exe" -importcert -file cacert.pem -keystore sme_kmc_trust.jks -storetype JKS
Step 4 Place these keystore files in the mds9000/conf/cert directory.
Step 5 Modify the KMC SSL settings in the Key Manager Settings in Fabric Manager Web Client.
Step 6 Restart the Fabric Manager server.
Note You can also use sme_kmc_server.p12 as the KMC server certificate and cacert.pem as the KMC trust certificate instead of using Java keystores created in Step 3 and 4.
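The following script is an added example, not part of the Cisco guide. It checks the Step 1 output before the keystores are built: the private key matches the certificate, the certificate chains to cacert.pem, and the PKCS12 bundle opens with the password and holds that same certificate. The function names, the throwaway CA, the demo subject names and the demo key size are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the Cisco guide. File names follow Step 1 of the page;
# check_kmc_cert, make_demo_files and the throwaway CA are hypothetical.

# check_kmc_cert DIR P12_PASSWORD: returns 0 only if every check passes.
check_kmc_cert() {
  local d="$1" pass="$2" crt="$1/sme_kmc_server.cert" key_pub crt_pub p12_fp crt_fp
  # 1. The certificate must carry the public key of sme_kmc_server.key.
  key_pub=$(openssl pkey -in "$d/sme_kmc_server.key" -pubout 2>/dev/null) || return 1
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
  [ "$key_pub" = "$crt_pub" ] || { echo "FAIL: key does not match certificate"; return 1; }
  # 2. It must chain to cacert.pem, the CA that Step 3 puts in the trust store.
  openssl verify -CAfile "$d/cacert.pem" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL: certificate not issued by cacert.pem"; return 1; }
  # 3. The PKCS12 bundle must open with the password and hold that certificate.
  p12_fp=$(openssl pkcs12 -in "$d/sme_kmc_server.p12" -passin "pass:$pass" -nokeys \
             -clcerts 2>/dev/null | openssl x509 -noout -fingerprint -sha256 2>/dev/null) \
    || { echo "FAIL: cannot read certificate from PKCS12"; return 1; }
  crt_fp=$(openssl x509 -in "$crt" -noout -fingerprint -sha256)
  [ "$p12_fp" = "$crt_fp" ] || { echo "FAIL: PKCS12 holds a different certificate"; return 1; }
  # 4. Report the expiry date so the 365-day renewal is not missed.
  echo "OK: $(openssl x509 -in "$crt" -noout -enddate)"
}

# make_demo_files DIR P12_PASSWORD: constructed sample input. Builds a throwaway CA,
# then runs the page's Step 1 commands non-interactively (-subj and -passout added).
# The 2048-bit demo key size is an assumption; the page's command uses 1024.
make_demo_files() {
  local d="$1" pass="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo SME CA" \
    -keyout "$d/privkey.pem" -out "$d/cacert.pem" 2>/dev/null &&
  openssl genrsa -out "$d/sme_kmc_server.key" 2048 2>/dev/null &&
  openssl req -new -key "$d/sme_kmc_server.key" -subj "/CN=kmc.example.test" \
    -out "$d/sme_kmc_server.csr" 2>/dev/null &&
  openssl x509 -req -days 365 -in "$d/sme_kmc_server.csr" -CA "$d/cacert.pem" \
    -CAkey "$d/privkey.pem" -CAcreateserial -out "$d/sme_kmc_server.cert" 2>/dev/null &&
  openssl pkcs12 -export -in "$d/sme_kmc_server.cert" -inkey "$d/sme_kmc_server.key" \
    -passout "pass:$pass" -out "$d/sme_kmc_server.p12" 2>/dev/null
}

# Demo run on the constructed files; on a real system call: check_kmc_cert . 'password'
demo_dir=$(mktemp -d)
make_demo_files "$demo_dir" "demo-pass" && check_kmc_cert "$demo_dir" "demo-pass"
rm -rf "$demo_dir"
```

Run the check in the directory that holds the Step 1 files, before Step 2; a failure at this point is easier to diagnose than an SSL handshake error after the Fabric Manager restart.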
Generating and Installing Self-Signed Certificates
To configure SSL when KMC is not integrated with Fabric Manager server, follow these steps:
Step 1 Create the required certificates by using the following commands:
switch:./createSmeCerts.tcl
Usage: ./createSmeCerts.tcl [r] [k] [s] [a] [h]
r Generate Root CA certificate
k Generate KMC server certificate
s Generate Switch certificate and configure switch trust point
a Generate all certificates and configure switch
h Print this usage screen