Fabric OS Encryption Administrator's Guide

ManualsBrandsHP ManualsStorageHP SN8000B 4-slot SAN Director Switch

141

142

143

144

145

146

147

148

149

150

126 Fabric OS Encryption Administrator’s Guide

53-1002159-03

Steps for connecting to an SKM or ESKM appliance

NOTE

An SKM/ESKM cluster may have many members, but the Brocade encryption products support only

two as primary and secondary key vaults.

Initializing the Brocade encryption engines

You must perform a series of encryption engine initialization steps on every Brocade encryption

node (switch or blade) that is expected to perform encryption within the fabric.

NOTE

The initialization process overwrites any authentication data and certificates that reside on the node

and the security processor. If this is not a first-time initialization, make sure to export the master key

by running cryptocfg

--exportmasterkey and cryptocfg –export -scp --currentMK before running

--initEE.

Take the following steps to initialize an encryption engine.

1. Log in to the switch as Admin or SecurityAdmin.

2. Zeroize all critical security parameters (CSPs) on the switch by entering the cryptocfg

--zeroizeEE command. Provide a slot number if the encryption engine is a blade.

SecurityAdmin:switch>cryptocfg --zeroizeEE

This will zeroize all critical security parameters

ARE YOU SURE (yes, y, no, n): [no]y

Operation succeeded.

3. Zeroization leaves the switch or blade faulted. Perform the appropriate action depending on

whether the encryption engine is a switch or a blade.

• When the encryption engine is on an encryption switch, reboot the switch.

• When the encryption engine is on an FS8-18 blade, issue the slotpoweroff slot number

command followed by the slotpoweron slot number command.

4. Synchronize the time on the switch and the key manager appliance. They should be within one

minute of each other. Differences in time can invalidate certificates and cause key vault

operations to fail.

5. Initialize the node by entering the cryptocfg

--initnode command. Successful execution

generates the following security parameters and certificates:

• Node CP certificate

• Key Archive Client (KAC) certificate

NOTE

Node initialization overwrites any existing authentication data on the node.

SecurityAdmin:switch>cryptocfg --initnode

This will overwrite all identification and authentication data

ARE YOU SURE (yes, y, no, n): [no] y

Notify SPM of Node Cfg

Operation succeeded.