Adding a member node to an encryption group – Brocade Fabric OS Encryption Administrator’s Guide Supporting RSA Data Protection Manager (DPM) Environments (Supporting Fabric OS v7.2.0) User Manual
Fabric OS Encryption Administrator’s Guide (DPM), 53-1002922-01
Adding a member node to an encryption group
During the initialization phase, a set of key pairs and certificates is generated on every node. The
certificates are used for mutual identification and authentication with other group members and
with DPM. Every device must have a certificate to participate in the deployment of encryption
services, and some devices must hold each other’s certificates in order to communicate.
Before adding a member node to an encryption group, ensure that the node has been properly
initialized and that all encryption engines are in an enabled state. See
After adding a member node to the encryption group, the following operations can still be
performed on the member node, if necessary. Initially, these commands should not be necessary if
the initialization procedure was followed:
• cryptocfg --initEE
• cryptocfg --regEE
• cryptocfg --enableEE
CAUTION
After adding the member node to the encryption group, you should not use the
cryptocfg --zeroizeEE command on that node. Doing so removes critical information and makes it
necessary to reinitialize the node and export the new CP certificates and KAC certificates to the
group leader and the key vault.
To add a member node to an encryption group, complete the following steps:
1. Log in to the switch on which the certificate was generated as Admin or FabricAdmin.
2. Execute the cryptocfg --reclaimWWN -cleanup command.
3. Log in as Admin or SecurityAdmin.
4. Export the certificate from the local switch to an SCP-capable external host or to a mounted
USB device. Enter the cryptocfg --export command with the appropriate parameters. When
exporting a certificate to a location other than your home directory, you must specify a fully
qualified path that includes the target directory and file name. When exporting to USB storage,
certificates are stored by default in a predetermined directory, and you only need to provide a
file name for the certificate. The file name must be given a .pem (privacy enhanced mail)
extension. Use a character string that identifies the certificate’s originator, such as the switch
name or IP address.
The following example exports a CP certificate from an encryption group member to an external
SCP-capable host and stores it as enc_switch1_cp_cert.pem.
SecurityAdmin:switch> cryptocfg --export -scp CPcert \
192.168.38.245 mylogin /tmp/certs/enc_switch1_cp_cert.pem
Password:
Operation succeeded.
The following example exports a CP certificate from the local node to USB storage.
SecurityAdmin:switch> cryptocfg --export -usb CPcert enc_switch1_cp_cert.pem
Operation succeeded.
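A check on the receiving host, added here as an example and not part of the guide or of Fabric OS: once cryptocfg --export has placed the .pem file on the SCP host, this script (an assumed helper of my own, not a Brocade utility) confirms the file name follows the guide’s convention, that the file holds exactly one PEM certificate block that decodes to DER, and returns a SHA-256 fingerprint to compare out of band before the certificate is imported on the group leader or key vault. The certificate bytes and file names below are constructed for the demonstration; only enc_switch1_cp_cert.pem comes from the guide’s example.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

# Matches exactly one PEM certificate block; DOTALL lets the base64 body span lines.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)
# Constructed stand-in for a certificate body (DER SEQUENCE { INTEGER 5 }); not a real CP cert.
SAMPLE_DER = bytes.fromhex("3003020105")

def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of DER bytes, in the form openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def check_exported_cert(path) -> dict:
    """Validate one exported certificate file; ValueError unless it holds one DER-decodable PEM block."""
    p = Path(path)
    # The guide requires a .pem extension and a name that identifies the originator.
    name_ok = p.suffix == ".pem" and len(p.stem) > 0
    blocks = PEM_RE.findall(p.read_text(encoding="ascii"))
    if len(blocks) != 1:
        raise ValueError(f"{p.name}: expected one PEM certificate block, found {len(blocks)}")
    der = base64.b64decode("".join(blocks[0].split()), validate=True)
    if not der or der[0] != 0x30:  # every DER certificate starts with a SEQUENCE tag
        raise ValueError(f"{p.name}: PEM body is not a DER SEQUENCE")
    return {"name_ok": name_ok, "der_len": len(der), "fingerprint": sha256_fingerprint(der)}

def write_pem(path, der: bytes) -> None:
    """Write DER bytes as a PEM certificate file, 64 base64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    Path(path).write_text(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")

def demo() -> dict:
    """Run the check on a correctly named export, a mis-named export and a non-certificate file."""
    d = Path(tempfile.mkdtemp())
    write_pem(d / "enc_switch1_cp_cert.pem", SAMPLE_DER)  # named as in the guide's example
    write_pem(d / "enc_switch1_cp_cert", SAMPLE_DER)      # .pem extension forgotten
    (d / "junk.pem").write_text("Operation succeeded.\n")  # console output saved by mistake
    good = check_exported_cert(d / "enc_switch1_cp_cert.pem")
    bad_name_ok = check_exported_cert(d / "enc_switch1_cp_cert")["name_ok"]
    try:
        check_exported_cert(d / "junk.pem")
        junk_rejected = False
    except ValueError:
        junk_rejected = True
    return {"good": good, "bad_name_ok": bad_name_ok, "junk_rejected": junk_rejected}
```

For a real export, call check_exported_cert on the path you passed to cryptocfg --export and keep the returned fingerprint with your change record so the same certificate can be recognised when it is imported elsewhere.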