DCFM Enterprise User Manual (53-1001775-01, June 2010)

Contents
Supported encryption key manager appliances ... 504
Steps for connecting to an RKM appliance ... 504
  Exporting the KAC certificate signing request (CSR) ... 505
  Submitting the CSR to a certificate authority ... 505
  Importing the signed KAC certificate ... 505
  Uploading the KAC and CA certificates onto the RKM appliance ... 506
  RKM key vault high availability deployment ... 507
Steps for connecting to an LKM appliance ... 507
  The NetApp DataFort Management Console ... 508
  Establishing the trusted link ... 508
  Obtaining and importing the LKM certificate ... 509
  Exporting and registering the switch KAC certificates on LKM ... 510
  LKM key vault high availability deployment ... 510
  Disk keys and tape pool keys (Brocade native mode support) ... 510
  Tape LUN and DF-compatible tape pool support ... 511
  LKM Key Vault Deregistration ... 511
Steps for connecting to an SKM appliance ... 511
  Configuring a Brocade group on SKM ... 512
  Registering the SKM Brocade group user name and password ... 513
  Setting up the local Certificate Authority (CA) on SKM ... 514
  Downloading the local CA certificate from SKM ... 515
  Creating and installing the SKM server certificate ... 515
  Enabling SSL on the Key Management System (KMS) Server ... 516
  Creating an SKM High Availability cluster ... 517
  Copying the local CA certificate for a clustered SKM appliance ... 517
  Adding SKM appliances to the cluster ... 518
  Signing the Brocade encryption node KAC certificates ... 519
  Importing a signed KAC certificate into a switch ... 519
Steps for connecting to a TEMS appliance ... 520
  Setting up TEMS network connections ... 520
  Creating a client on TEMS ... 521
  Establishing TEMS key vault credentials on the switch ... 522
Gathering information ... 523
Creating a new encryption group ... 524
Adding a switch to an encryption group ... 536
Replacing an encryption engine in an encryption group ... 540
Creating high availability (HA) clusters ... 541
  Removing engines from an HA cluster ... 542
  Swapping engines in an HA cluster ... 543
  Failback option ... 543
  Invoking failback ... 543
Adding encryption targets ... 544
Configuring hosts for encryption targets ... 551