Fabric OS Encryption Administrator's Guide

ManualsBrandsHP ManualsStorageHP SN8000B 4-slot SAN Director Switch

141

142

143

144

145

146

147

148

149

150

Fabric OS Encryption Administrator’s Guide 129

53-1002159-03

Steps for connecting to an SKM or ESKM appliance

The switch on which you create the encryption group becomes the designated group leader. Once

you have created an encryption group, all group-wide configurations, including key vault

configuration, adding member nodes, configuring failover policy settings, and setting up storage

devices, as well as all encryption management operations, are performed on the group leader.

3. Set the key vault type for SKM/ESKM by entering the cryptocfg --set -keyvault command.

Successful execution sets the key vault type for the entire encryption group. The following

example sets the key vault type to SKM, which is the selection also used for ESKM.

SecurityAdmin:switch>cryptocfg --set -keyvault SKM

Set key vault status: Operation Succeeded.

4. Import the CA certificate from the download location used when “Downloading the local CA

certificate” on page 121, and register SKM as the key vault. The group leader automatically

shares this information with other group members.

SecurityAdmin:switch>cryptocfg --import -scp <CA certificate file>

SecurityAdmin:switch>cryptocfg --reg -keyvault <CA certificate file>

<SKM IP> primary

At this point, it may take around one minute to fully configure the switch with SKM/ESKM.

5. As the switches come up, enable the encryption engines.

SecurityAdmin:switch>cryptocfg --enableEE

Operation succeeded.

6. Use the cryptocfg - - show groupcfg command to verify that the key vault state is Connected.

Mace_127:admin> cryptocg --show groupcfg

rbash: cryptocg: command not found

Mace_127:admin> cryptocfg --show -groupcfg

Encryption Group Name: mace127_mace129

Failback mode: Auto

Replication mode: Disabled

Heartbeat misses: 3

Heartbeat timeout: 2

Key Vault Type: SKM

System Card: Disabled

Primary Key Vault:

IP address: 10.32.53.55

Certificate ID: Brocade

Certificate label: skmcert

State: Connected

Type: SKM

Secondary Key Vault not configured

Additional Key Vault/Cluster Information:

Key Vault/CA Certificate Validity: Yes

Port for Key Vault Connection: 9000

Time of Day on Key Server: 2010-03-17 17:51:31

Server SDK Version: 4.8.1

Encryption Node (Key Vault Client) Information:

Node KAC Certificate Validity: Yes

Time of Day on the Switch: 2010-03-17 17:22:05