Setting encryption node initialization, Key management interoperability protocol – Brocade Network Advisor SAN User Manual v12.1.0 User Manual

Page 629

background image

Brocade Network Advisor SAN User Manual

581

53-1002948-01

Key Management Interoperability Protocol

20

Setting encryption node initialization

Encryption nodes are initialized by the Configure Switch Encryption wizard when you confirm a
configuration. Encryption nodes may also be initialized from the Encryption Center dialog box.

1. Select a switch from the Encryption Center Devices table, then select Switch > Init Node from

the menu task bar.

2. Select Yes after reading the warning message to initialize the node.

Key Management Interoperability Protocol

The Key Management Interoperability Protocol (KMIP) standardizes the communication between
an Enterprise key management system and an encryption device. The same key vault servers can
be used, only in a different mode. Currently, KMIP versions 1.0 and 1.1 are supported.

The initial deployment of the KMIP client is on the switch, where it will replace multiple third-party
implementations/vendor APIs. The interfaces of the KMIP client are generic and are not tied to the
key record formats used by the switch. Any encryption solution should be able to use the KMIP
client to communicate to a key server by compiling it on Linux-based PPC or X 86 environments.

Currently, the switch supports the KMIP servers from SafeNet Key Secure 6.1 and TEKA 4.0. All
nodes in an encryption group should be running Fabric OS 7.1.0 and later for the key vault type to
be set to KMIP.

Although KMIP support is available from multiple key vaults, each key vault implementation is
different in terms of High Availability (HA) clustering support, certificate exchange, and
authentication. In the current Fabric OS implementation, each key vault uses a separate adapter at
the Key Authentication Center (KAC), which is implemented to suit the key vault feature
implementation.

NOTE

Currently, KMIP with SafeNet KeySecure 6.1 in native KMIP mode and Thales e-Security keyAuthority
running version 4.0 with the switch in KMIP mode are supported.

A generic KMIP 1.0 or 1.1 server is supported. The following KMIP servers can be configured on the
switch:

SafeNet KeySecure. The KeySecure is a KMIP-compliant server. (SSKM is the trusted mode
version of SafeNet which continues to use the LKM OpenKey Interfaces. These are mutually
exclusive use scenarios and cannot be used interchangeably.) This configuration is allowed
only for new installations. Refer to

“Steps for connecting to a KMIP-compliant SafeNet

KeySecure”

on page 615.

TEKA 4.0. The Thales keyAuthority is a KMIP-compliant server that can be configured with the
switch; however, backward compatibility for keys created with Fabric OS versions earlier than
v7.2.0 is not supported. This configuration is allowed only for new installations. For more
information about configuring a KMIP-compliant keyAuthority, refer to Chapter 3 of the Fabric
OS Encryption Administrator’s Guide Supporting Key Management Interoperability Protocol
(KMIP) Key-Compliant Environments.

Ensure that KMIP server is running on the key vault in order for the key vault to be configured as a
KMIP type on the switch.

See also other documents in the category Brocade Software: