Fabric OS Encryption Administrator's Guide

53-1002159-03
SKM or ESKM key vault high availability deployment
The SKM/ESKM key vault supports high availability clustering. SKM/ESKM appliances can be
clustered together in a manner that is transparent to the end user: encryption keys saved to one
key vault are synchronously hardened to the other members of the cluster pair. Refer to the HP
SKM/ESKM appliance user documentation for cluster configuration requirements and procedures.
The configured primary and secondary HP SKM/ESKM appliances must be registered with the Brocade
encryption switch or blade before key operations can begin. You can register only a single
SKM/ESKM if desired; in that case the HA features are lost, but archived keys are still backed up
to the other, non-registered cluster members. Beginning with Fabric OS 6.3.0, the primary and
secondary appliances must be clustered.
Both SKM/ESKM appliances in the cluster are registered using the following command, once with
primary and once with secondary:
cryptocfg --reg -keyvault <cert label> <certfile> <hostname/ip address> <primary | secondary>
Related Topics
“Disk keys and tape pool keys support” on page 131
“Tape LUN support” on page 132
“SKM or ESKM Key Vault Deregistration” on page 132
Steps for Migrating from SKM to ESKM
The procedure for migrating from SKM to ESKM assumes the following:
• An encryption group already exists on the BES with SKM configured and connected.
• ESKM has the following data transferred from SKM:
  - User group, users, CA information
  - SSL/FIPS settings
  - Key database
• ESKM uses the same CA certificate that was used by SKM.
NOTE
If the CA changes on the ESKM, you must deregister the key vaults and redo the procedure for
configuring the key vault for the encryption group. To perform the steps using the GUI, see
“Steps for connecting to an SKM or ESKM appliance” on page 26. To perform the steps using the
CLI, see “Steps for connecting to an SKM or ESKM appliance” on page 119.
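Before you start, confirm that the ESKM's CA certificate really is the one SKM used, because a changed CA forces the longer deregister-and-reconfigure path described in the note. The following Python script is an added example and is not part of this guide or of Fabric OS: it computes the SHA-256 fingerprint of each CA certificate (PEM or DER; the same value that `openssl x509 -noout -fingerprint -sha256` reports, since both hash the DER encoding) and tells you which migration path applies. The file names on the command line are whatever you exported from the appliances; the embedded SAMPLE_CA_DER, SAMPLE_CA_PEM and OTHER_CA_DER values are constructed stand-ins, not real certificates. The script compares certificate identity only; it does not validate the certificate itself.

```python
"""Decide which SKM-to-ESKM migration path applies by comparing CA certificates.

Added example (not from the Fabric OS guide): the ESKM must use the same CA
certificate that SKM used; otherwise the key vaults must be deregistered and
the key vault configuration redone for the encryption group.
"""
import base64
import hashlib
import re
import sys

_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def cert_to_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate supplied as PEM or DER.

    Only the first CERTIFICATE block of a PEM file is used, so a PEM bundle
    is compared on its first certificate.
    """
    match = _PEM_BLOCK.search(data)
    if match is None:
        return data  # no PEM armor: treat the file as raw DER
    return base64.b64decode(b"".join(match.group(1).split()))


def fingerprint_sha256(data: bytes) -> str:
    """SHA-256 over the DER encoding, as in `openssl x509 -fingerprint -sha256`."""
    return hashlib.sha256(cert_to_der(data)).hexdigest()


def migration_path(skm_ca: bytes, eskm_ca: bytes) -> str:
    """Return 'same-ca' if the fingerprints match, otherwise 'ca-changed'."""
    if fingerprint_sha256(skm_ca) == fingerprint_sha256(eskm_ca):
        return "same-ca"
    return "ca-changed"


def pem_wrap(der: bytes) -> bytes:
    """Wrap DER bytes in a PEM CERTIFICATE block with 64-column base64 lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")


# Constructed sample data: arbitrary bytes standing in for certificate DER,
# not real certificates. SAMPLE_CA_PEM is the PEM form of SAMPLE_CA_DER.
SAMPLE_CA_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
SAMPLE_CA_PEM = pem_wrap(SAMPLE_CA_DER)
OTHER_CA_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(reversed(range(256)))


def main(argv: list) -> int:
    """Usage: check_ca.py <skm_ca_file> <eskm_ca_file>   (each PEM or DER)"""
    if len(argv) != 3:
        print(main.__doc__, file=sys.stderr)
        return 2
    with open(argv[1], "rb") as f:
        skm_ca = f.read()
    with open(argv[2], "rb") as f:
        eskm_ca = f.read()
    path = migration_path(skm_ca, eskm_ca)
    print(f"SKM  CA sha256: {fingerprint_sha256(skm_ca)}")
    print(f"ESKM CA sha256: {fingerprint_sha256(eskm_ca)}")
    if path == "same-ca":
        print("Same CA: deregister SKM, import the CA certificate, register ESKM.")
    else:
        print("CA changed: deregister the key vaults and redo the key vault "
              "configuration for the encryption group.")
    return 0 if path == "same-ca" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_ca.py skm_ca.pem eskm_ca.cer`; a non-zero exit code means the CA changed and the short migration below does not apply. Comparing fingerprints rather than subject names matters here: two CA certificates can carry the same subject and still be different keys, and it is the certificate the switch has imported that must match.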
Steps required from the BES CLI
From the group leader BES:
1. Deregister SKM using the command cryptocfg --dereg -keyvault <cert label>.
2. Import the CA certificate using the command
   cryptocfg --import -scp <cert_name.pem> <host IP> <host name> <CAcert.cer>.