Initializing the fabric os encryption engines – Brocade Fabric OS Encryption Administrator’s Guide Supporting RSA Data Protection Manager (DPM) Environments (Supporting Fabric OS v7.2.0) User Manual

Fabric OS Encryption Administrator’s Guide (DPM), 53-1002922-01, page 135
Chapter 3: Steps for connecting to a DPM appliance
Initializing the Fabric OS encryption engines
You must perform a series of encryption engine initialization steps on every Fabric OS encryption node (switch or blade) that is expected to perform encryption within the fabric.
NOTE
The initialization process overwrites any authentication data and certificates that reside on the node and the security processor. If this is not a first-time initialization, make sure to export the master key by running cryptocfg --exportmasterkey and cryptocfg --export -scp -currentMK before running --initEE.
To initialize an encryption engine, complete the following steps:
1. Log in to the switch as Admin or SecurityAdmin.
2. Synchronize the time on the switch and the key manager appliance. They should be within one minute of each other. Differences in time can invalidate certificates and cause key vault operations to fail.
3. Initialize the node by entering the cryptocfg --initnode command. Successful execution generates the following security parameters and certificates:
   • Node CP certificate.
   • Key Archive Client Certificate Signing Request (KAC CSR).
NOTE
Node initialization overwrites any existing authentication data on the node.
SecurityAdmin:switch> cryptocfg --initnode
This will overwrite all identification and authentication data
ARE YOU SURE (yes, y, no, n): [no] y
Notify SPM of Node Cfg
Operation succeeded.
4. Zeroize all critical security parameters (CSPs) on the switch by entering the cryptocfg --zeroizeEE command. Provide a slot number if the encryption engine is a blade.
SecurityAdmin:switch> cryptocfg --zeroizeEE
This will zeroize all critical security parameters
ARE YOU SURE (yes, y, no, n): [no]y
Operation succeeded.
Zeroization leaves the switch or blade in the fault state. The switch or blade is rebooted automatically.
5. Initialize the encryption engine using the cryptocfg --initEE command. Provide a slot number if the encryption engine is a blade. This step generates critical security parameters (CSPs) and certificates in the CryptoModule’s security processor (SP). The CP and the SP perform a certificate exchange to register respective authorization data.
SecurityAdmin:switch> cryptocfg --initEE
This will overwrite previously generated identification
and authentication data
ARE YOU SURE (yes, y, no, n): y
Operation succeeded.
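The two preconditions the procedure depends on (clocks within one minute, and a master key backup before a re-initialization) are easy to check from an administration workstation before --initEE is issued. The following Python helper is an added example, not part of the guide or of Fabric OS; it assumes the clock readings are captured as text (Unix `date` output from the switch, ISO 8601 from the key manager) and the sample values are constructed.

```python
# Added pre-flight helper (not from the guide): checks the two conditions the
# procedure above calls out before cryptocfg --initEE is run.
from datetime import datetime, timezone

MAX_SKEW_SECONDS = 60  # the guide: switch and key manager clocks within one minute

# Constructed sample clock readings (hypothetical), e.g. from `date` on the
# switch and from the key manager appliance's management interface.
SWITCH_CLOCK = "Tue Jul 16 17:00:05 UTC 2013"
KM_CLOCK = "2013-07-16T17:01:35+00:00"


def parse_clock(text):
    """Parse a clock reading into an aware UTC datetime.

    Accepts Unix `date` output ('Tue Jul 16 17:00:05 UTC 2013', assumed UTC)
    or ISO 8601 ('2013-07-16T17:01:35+00:00'; a missing offset is taken as UTC).
    """
    text = text.strip()
    try:
        dt = datetime.fromisoformat(text)
    except ValueError:
        dt = datetime.strptime(text, "%a %b %d %H:%M:%S %Z %Y")
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def clock_skew_seconds(switch_clock, km_clock):
    """Absolute difference between the two readings, in seconds."""
    return abs((parse_clock(switch_clock) - parse_clock(km_clock)).total_seconds())


def init_ee_preflight(switch_clock, km_clock, first_time_init, master_key_exported):
    """Return blocking findings for --initEE; an empty list means it is safe to proceed."""
    findings = []
    skew = clock_skew_seconds(switch_clock, km_clock)
    if skew > MAX_SKEW_SECONDS:
        findings.append(f"clock skew {skew:.0f}s exceeds {MAX_SKEW_SECONDS}s; "
                        "certificates may be invalidated and key vault operations fail")
    if not first_time_init and not master_key_exported:
        findings.append("re-initialization without master key backup: run cryptocfg "
                        "--exportmasterkey and cryptocfg --export -scp -currentMK first")
    return findings


if __name__ == "__main__":
    for finding in init_ee_preflight(SWITCH_CLOCK, KM_CLOCK, False, False):
        print("BLOCK:", finding)
```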