Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June 2010)

ManualsBrandsHP ManualsStorageHP StorageWorks Edge Switch 2/12

121

122

123

124

125

126

127

128

129

130

108 Fabric OS Encryption Administrator’s Guide

53-1001864-01

Steps for connecting to an SKM appliance

Signing the Brocade encryption node KAC certificates

The KAC certificate signing request generated when the encryption node is initialized must be

exported for each encryption node and signed by the Brocade local CA on SKM. The signed

certificate must then be imported back into the encryption node.

1. Export the KAC sign request to an SCP-capable host.

SecurityAdmin:switch>cryptocfg --export -scp -KACcsr

192.168.38.245 mylogin /tmp/certs/kac_skm.csr

2. Open the exported file and copy the contents, beginning with ---BEGIN CERTIFICATE

REQUEST---

and ending with ---END CERTIFICATE REQUEST---. Be careful not to include any

extra characters.

3. Launch the SKM administration console in a web browser and log in.

4. Select the Security tab.

5. Select Local CAs under Certificates & CAs.

The Certificate and CA Configuration page displays.

6. Under Local Certificate Authority List, select the Brocade CA name.

7. Se le ct Sign Request.

The Sign Certificate Request page is displayed.

8. Select Sign with Certificate Authority using the Brocade CA name with the maximum of 3649

days option.

9. Select Client as Certificate Purpose.

10. Allow Certificate Duration to default to 3649.

11. Paste the file contents that you copied in step 3 in the Certificate Request Copy area.

12. Select Sign Request.

Upon success, you are presented with the option of downloading the signed certificate.

13. Download the signed certificate to your local system as signed_kac_skm_cert.pem.

14. Import the signed certificate from its location, or from a USB storage device.

SecurityAdmin:switch>cryptocfg --import -scp signed_kac_skm_cert.pem \

192.168.38.245 mylogin /tmp/certs/kac_skm_cert.pem

Password:

Operation succeeded.

The following example imports a KAC certificate that was previously exported to USB storage.

SecurityAdmin:switch>cryptocfg --import -usb signed_kac_skm_cert.pem \

kac_skm_cert.pem

Operation succeeded.

15. Register the KAC certificate.

SecurityAdmin:switch>cryptocfg --reg -KACcert signed_kac_skm_cert.pem

Operation succeeded

16. Repeat this procedure for every encryption node that is expected to perform encryption within

the fabric.