Fabric OS Encryption Administrator's Guide
53-1002159-03

Steps for connecting to an SKM or ESKM appliance
CAUTION
After adding the member node to the encryption group, you should not use the
cryptocfg --zeroizeEE command on that node. Doing so removes critical information such as
CP certificates from the node and makes it necessary to reinitialize the node and export the
new CP certificates and KAC certificates to the group leader and the key vault.
To add a member node to an encryption group, follow these steps:
1. Log in to the switch on which the certificate was generated as Admin or SecurityAdmin.
2. Execute the cryptocfg --reclaimWWN -cleanup command.
3. Export the certificate from the local switch to an SCP-capable external host or to a mounted
USB device. Enter the cryptocfg --export command with the appropriate parameters. When
exporting a certificate to a location other than your home directory, you must specify a fully
qualified path that includes the target directory and file name. When exporting to USB storage,
certificates are stored by default in a predetermined directory, and you only need to provide a
file name for the certificate. The file name must be given a .pem (privacy enhanced mail)
extension. Use a character string that identifies the certificate's originator, such as the switch
name or IP address.
The following example exports a CP certificate from an encryption group member to an external
SCP-capable host and stores it as enc_switch1_cp_cert.pem.
SecurityAdmin:switch>cryptocfg --export -scp CPcert \
192.168.38.245 mylogin /tmp/certs/enc_switch1_cp_cert.pem
Password:
Operation succeeded.
The following example exports a CP certificate from the local node to USB storage.
SecurityAdmin:switch>cryptocfg --export -usb CPcert enc_switch1_cp_cert.pem
Operation succeeded.
4. Log in to the group leader as Admin or SecurityAdmin.
5. Use the cryptocfg --import command to import the CP certificates to the group leader node.
You must import the CP certificate of each node you wish to add to the encryption group.
The following example imports a CP certificate named “enc_switch1_cp_cert.pem” that was
previously exported to the external host 192.168.38.245. Certificates are imported to a
predetermined directory on the group leader.
SecurityAdmin:switch>cryptocfg --import -scp enc_switch1_cp_cert.pem \
192.168.38.245 mylogin /tmp/certs/enc_switch1_cp_cert.pem
Password:
Operation succeeded.
The following example imports a CP certificate named “enc_switch1_cp_cert.pem” that was
previously exported to USB storage.
SecurityAdmin:switch>cryptocfg --import -usb enc_switch1_cp_cert.pem \
enc_switch1_cp_cert.pem
Operation succeeded.
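The procedure above moves a CP certificate through an SCP host or USB stick between steps 3 and 5, so a truncated or altered file would only surface as a failed or wrong trust relationship later. The following added check, which is not part of the guide or of Fabric OS, can be run on the SCP host after the export and again before the import: it enforces the .pem file-name rule, verifies the PEM framing and base64 body, confirms the decoded DER is a single well-formed SEQUENCE, and prints a SHA-256 fingerprint to compare on both sides. The sample PEM is a constructed stand-in, not a real CP certificate.

```python
# Added example (not from the Fabric OS guide): sanity-check an exported CP
# certificate file before importing it on the group leader.
import base64
import binascii
import hashlib

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

def check_cert_file_name(name):
    """The guide requires a .pem extension; reject anything else."""
    if not name.lower().endswith(".pem"):
        raise ValueError(f"certificate file name must end in .pem: {name!r}")
    return name

def pem_to_der(text):
    """Strip PEM framing and decode the body; reject truncated or garbled files."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("missing or truncated PEM framing")
    try:
        return base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"PEM body is not valid base64: {exc}")

def check_der_sequence(der):
    """A certificate is one DER SEQUENCE whose encoded length covers the whole blob."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("DER does not start with a SEQUENCE tag")
    first = der[1]
    if first < 0x80:                      # short-form length
        hdr, length = 2, first
    else:                                 # long-form length: 0x8N + N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length encoding")
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if hdr + length != len(der):
        raise ValueError(f"DER length {length} does not match {len(der) - hdr} body bytes")
    return der

def fingerprint(pem_text):
    """SHA-256 over the DER bytes, colon-separated as openssl prints it."""
    der = check_der_sequence(pem_to_der(pem_text))
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

# Constructed stand-in: a minimal DER SEQUENCE (one INTEGER), not a real CP certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = "\n".join([PEM_BEGIN, base64.b64encode(SAMPLE_DER).decode(), PEM_END]) + "\n"

if __name__ == "__main__":
    check_cert_file_name("enc_switch1_cp_cert.pem")
    print(fingerprint(SAMPLE_PEM))
```

Run it against the real enc_switch1_cp_cert.pem by reading the file into fingerprint(); the value printed on the export host must match the value on the host the group leader imports from.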