Manualshelf

Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June 2010)

ManualsBrandsHP ManualsStorageHP StorageWorks 4/32B SAN Switch Power Pack
121122123124125126127128129130
106 Fabric OS Encryption Administrator’s Guide
53-1001864-01
Steps for connecting to an SKM appliance
3
Initializing the Brocade encryption engines
You must perform a series of encryption engine initialization steps on every Brocade encryption
node (switch or blade) that is expected to perform encryption within the fabric.
NOTE
The initialization process overwrites any authentication data and certificates that reside on the node
and the security processor. If this is not a first-time initialization, make sure to export the master key
by running cryptocfg
--exportmasterkey and cryptocfg –export -scp --currentMK before running
--initEE.
Take the following steps to initialize an encryption engine.
1. Log into the switch as Admin or SecurityAdmin.
2. Zeroize all critical security parameters (CSPs) on the switch by entering the cryptocfg
--zeroizeEE command. Provide a slot number if the encryption engine is a blade.
SecurityAdmin:switch>cryptocfg --zeroizeEE
This will zeroize all critical security parameters
ARE YOU SURE (yes, y, no, n): [no]y
Operation succeeded.
3. Zeroization leaves the switch or blade faulted. Perform the appropriate action depending on
whether the encryption engine is a switch or a blade.
When the encryption engine is on an encryption switch, reboot the switch.
When the encryption engine is on an FS8-18 blade, issue the slotpoweroff slot number
command followed by the slotpoweron slot number command.
4. Synchronize the time on the switch and the key manager appliance. They should be within one
minute of each other. Differences in time can invalidate certificates and cause key vault
operations to fail.
5. Initialize the node by entering the cryptocfg
--initnode command. Successful execution
generates the following security parameters and certificates:
Node CP certificate
Key Archive Client (KAC) certificate
NOTE
Node initialization overwrites any existing authentication data on the node.
SecurityAdmin:switch>cryptocfg --initnode
This will overwrite all identification and authentication data
ARE YOU SURE (yes, y, no, n): [no] y
Notify SPM of Node Cfg
Operation succeeded.
6. Initialize the encryption engine by entering the cryptocfg --initEE command. Provide a slot
number if the encryption engine is a blade. This step generates critical security parameters
(CSPs) and certificates in the CryptoModule’s security processor (SP). The CP and the SP
perform a certificate exchange to register respective authorization data.
SecurityAdmin:switch>cryptocfg --initEE
This will overwrite previously generated identification
and authentication data