Fabric OS Encryption Administrator's Guide

53-1002159-03
BES removal and replacement
14. Check the encryption engine state using the following command to ensure that the
encryption engine is online:
cryptocfg --show -localEE
15. Export the KAC CSR from the new node and sign the CSR with the HP SKM/ESKM Local CA.
16. Import the signed CSR/Certificate onto the new node.
17. Register the signed KAC CSR/Certificate back onto the new node.
cryptocfg --reg -KACcert
18. Register the new node KAC Certificate with the HP SKM/ESKM appliances and create a
username and password for this node on the HP SKM/ESKM appliances under the group
“Brocade.”
19. Create the same username and password on the new node as were created on the HP SKM/ESKM
appliances, using the following command:
cryptocfg --reg -KACLogin
20. If the new node is a single-node encryption group, register the IP address and CA
certificate of the HP SKM/ESKM appliances on this node.
21. If a master key is not present, restore the master key from a backed-up copy. Procedures
differ depending on the backup media used (recovery smart cards, the key vault, a file on
the network, or a file on a USB-attached device).
22. Set the defzone as allaccess on the new Brocade Encryption Switch, so that the configuration
from the fabric is pushed to the new Brocade Encryption Switch.
23. Run the following command on the new Brocade Encryption Switch:
cfgsave
24. Connect the FC Cables to the new Brocade Encryption Switch.
25. Run the cfgsave command on any switch in that fabric. The fabric configuration from the
existing fabric is merged into the new Brocade Encryption Switch. Verify that defzone is now set
as no access.
26. If the previously uploaded configuration is available, run the following command on the new
Brocade Encryption Switch to transfer ownership of the containers to the new Brocade
Encryption Switch:
cryptocfg --replace <old node WWN> <new node WWN>
If the uploaded configuration is not available, you must re-create the container.
27. Issue the commit command:
cryptocfg --commit
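
A check that can be run between steps 15 and 16, shown here as an added example that is not part of the guide: it confirms that the certificate returned by the Local CA carries the same public key as the exported KAC CSR and that it verifies against the Local CA certificate. It assumes the three files are PEM-encoded and available on a workstation with OpenSSL; the file names and function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the guide. Assumptions: the exported KAC CSR, the
# signed certificate and the Local CA certificate are PEM files on an admin
# workstation with OpenSSL; every file name below is hypothetical.

# Print the PEM public key of a CSR ($1 = req) or a certificate ($1 = x509).
pubkey_of() { openssl "$1" -in "$2" -noout -pubkey 2>/dev/null; }

# $1 = exported KAC CSR, $2 = signed certificate, $3 = Local CA certificate.
# Returns 0 if the certificate carries the CSR's key and verifies against
# the CA, 1 if a check fails, 2 if the CSR or certificate cannot be parsed.
check_signed_kac_cert() {
    csr_key=$(pubkey_of req "$1") || { echo "ERROR: cannot parse CSR $1" >&2; return 2; }
    crt_key=$(pubkey_of x509 "$2") || { echo "ERROR: cannot parse certificate $2" >&2; return 2; }
    if [ "$csr_key" != "$crt_key" ]; then
        echo "FAIL: $2 was not issued for the key in $1" >&2
        return 1
    fi
    # Require both a zero exit status and the "OK" line from openssl verify.
    out=$(openssl verify -CAfile "$3" "$2" 2>&1) || out="verify failed"
    case "$out" in
        *": OK") echo "OK: $2 matches $1 and verifies against $3" ;;
        *) echo "FAIL: $2 does not verify against $3" >&2; return 1 ;;
    esac
}

# Constructed sample data: a throwaway CA stands in for the Local CA, and a
# throwaway key and CSR stand in for the CSR exported from the new node.
# other.csr holds a different key and exercises the mismatch case.
make_samples() {  # $1 = existing empty directory
    ( cd "$1" || exit 1
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
          -subj "/CN=Constructed Local CA" -days 2 &&
      openssl req -newkey rsa:2048 -nodes -keyout node.key -out kac.csr \
          -subj "/CN=constructed-node" &&
      openssl x509 -req -in kac.csr -CA ca.pem -CAkey ca.key -set_serial 1 \
          -days 1 -out kac_signed.pem &&
      openssl req -newkey rsa:2048 -nodes -keyout other.key -out other.csr \
          -subj "/CN=constructed-other" ) >/dev/null 2>&1
}

# Run the checks on the constructed samples when called with --demo.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_samples "$d" &&
        check_signed_kac_cert "$d/kac.csr" "$d/kac_signed.pem" "$d/ca.pem"
    rm -rf "$d"
fi
```

A return code of 1 before import means the certificate belongs to a different CSR or was issued by a CA other than the one supplied as the third argument.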