Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June 2010)

ManualsBrandsHP ManualsStorageHP StorageWorks 4/32B SAN Switch Power Pack

121

122

123

124

125

126

127

128

129

130

Fabric OS Encryption Administrator’s Guide 109

53-1001864-01

Steps for connecting to an SKM appliance

Registering SKM on a Brocade encryption group leader

An encryption group consists of one or more encryption engines. Encryption groups can provide

failover/failback capabilities by organizing encryption engines into Data Encryption Key (DEK)

clusters. An encryption group has the following properties:

• It is identified by a user-defined name.

• When there is more than one member, the group is managed from a designated group leader.

• All group members must share the same key manager.

• The same master key is used for all encryption operations in the group.

• In the case of FS8-18 blades:

- All encryption engines in a chassis are part of the same encryption group.

- An encryption group may contain up to four DCX nodes with a maximum of four encryption

engines per node forming a total of sixteen encryption engines.

You will need to know the download location for the CA certificate used when “Downloading the

local CA certificate” on page 102.

1. Identify one node (a Brocade Encryption Switch or a Brocade DCX or Brocade DCX-4S with an

FS8-18 blade) as the designated group leader and log in as Admin or SecurityAdmin.

2. Enter the cryptocfg

--create -encgroup command followed by a name of your choice. The

name can be up to 15 characters long, and it can include any alphanumeric characters and

underscores. White space or other special characters are not permitted.

The following example creates the encryption group "brocade".

SecurityAdmin:switch>cryptocfg --create -encgroup brocade

Encryption group create status: Operation Succeeded.

The switch on which you create the encryption group becomes the designated group leader. Once

you have created an encryption group, all group-wide configurations, including key vault

configuration, adding member nodes, configuring failover policy settings, and setting up storage

devices, as well as all encryption management operations, are performed on the group leader.

3. Set the key vault type to SKM by entering the cryptocfg --set -keyvault command. Successful

execution sets the key vault type for the entire encryption group. The following example sets

the keyvault type to SKM.

SecurityAdmin:switch>cryptocfg --set -keyvault SKM

Set key vault status: Operation Succeeded.

4. Import the CA certificate from the download location used when “Downloading the local CA

certificate” on page 102, and register SKM as the key vault. The group leader automatically

shares this information with other group members.

SecurityAdmin:switch>cryptocfg --import -scp <CA certificate file>

SecurityAdmin:switch>cryptocfg --reg -keyvault <CA certificate file>

<SKM IP> primary

At this point, it may take around one minute to fully configure the switch with SKM.

5. As the switches come up, enable the encryption engines.

SecurityAdmin:switch>cryptocfg --enableEE

Operation succeeded.