Adding a member node to an encryption group – Brocade Fabric OS Encryption Administrator’s Guide Supporting RSA Data Protection Manager (DPM) Environments (Supporting Fabric OS v7.2.0) User Manual

53-1002922-01

Adding a member node to an encryption group

During the initialization phase, a set of key pairs and certificates is generated on every node. The
certificates are used for mutual identification and authentication with other group members and
with DPM. Every device must have a certificate to participate in the deployment of encryption
services, and some devices must hold each other's certificates in order to communicate.

Before adding a member node to an encryption group, ensure that the node has been properly
initialized and that all encryption engines are in an enabled state. See "Initializing the Fabric OS
encryption engines" on page 135.

After adding a member node to the encryption group, the following operations can still be
performed on the member node if necessary. They should not be needed if the initialization
procedure was followed:

cryptocfg --initEE
cryptocfg --regEE
cryptocfg --enableEE

CAUTION

After adding the member node to the encryption group, you should not use the cryptocfg
--zeroizeEE command on that node. Doing so removes critical information and makes it
necessary to reinitialize the node and export the new CP certificates and KAC certificates to the
group leader and the key vault.

To add a member node to an encryption group, complete the following steps:

1. Log in to the switch on which the certificate was generated as Admin or FabricAdmin.

2. Execute the cryptocfg --reclaimWWN -cleanup command.

3. Log in as Admin or SecurityAdmin.

4. Export the certificate from the local switch to an SCP-capable external host or to a mounted
USB device. Enter the cryptocfg --export command with the appropriate parameters. When
exporting a certificate to a location other than your home directory, you must specify a fully
qualified path that includes the target directory and file name. When exporting to USB storage,
certificates are stored by default in a predetermined directory, and you only need to provide a
file name for the certificate. The file name must be given a .pem (privacy enhanced mail)
extension. Use a character string that identifies the certificate's originator, such as the switch
name or IP address.

The following example exports a CP certificate from an encryption group member to an external
SCP-capable host and stores it as enc_switch1_cp_cert.pem.

SecurityAdmin:switch> cryptocfg --export -scp CPcert \
    192.168.38.245 mylogin /tmp/certs/enc_switch1_cp_cert.pem
Password:
Operation succeeded.

The following example exports a CP certificate from the local node to USB storage.

SecurityAdmin:switch> cryptocfg --export -usb CPcert enc_switch1_cp_cert.pem
Operation succeeded.
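The exported .pem file is the artifact that later goes to the group leader and the key vault, so it is worth checking on the SCP host before it is imported anywhere. The following Python is an added example, not code from this guide or from Brocade: it applies the naming rules the step above gives (.pem extension, a name that identifies the originating switch), confirms the file is PEM-armored DER with the three top-level X.509 fields (tbsCertificate, signatureAlgorithm, signatureValue) and nothing truncated or trailing, and returns a SHA-256 fingerprint to keep with the change record. All function names are hypothetical, and the sample input is a constructed stand-in with the right outline, not a real CP or KAC certificate; a truncated copy of it shows the failure mode a cut-short transfer would produce.

```python
import base64
import hashlib
import os
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

def der_tlv(tag, body):
    """Encode one DER tag-length-value (definite-length form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, next_pos) or raise on damage."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80 == 0:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("indefinite or truncated DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of data")
    return tag, buf[pos:pos + length], pos + length

def pem_to_der(text):
    """Strip the CERTIFICATE armor and base64-decode; reject anything else."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("missing BEGIN/END CERTIFICATE armor")
    b64 = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", b64):
        raise ValueError("body is not base64")
    return base64.b64decode(b64, validate=True)

def check_certificate_der(der):
    """Require the X.509 outline: one SEQUENCE holding tbsCertificate (SEQUENCE),
    signatureAlgorithm (SEQUENCE) and signatureValue (BIT STRING), nothing trailing."""
    tag, body, end = der_read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("outer object is not exactly one SEQUENCE")
    tags, pos = [], 0
    while pos < len(body):
        t, _, pos = der_read_tlv(body, pos)
        tags.append(t)
    if tags != [0x30, 0x30, 0x03]:
        raise ValueError("top-level fields are not tbsCertificate/sigAlg/sigValue")

def fingerprint_sha256(der):
    """Colon-separated SHA-256 of the DER bytes, the value to compare after import."""
    hexd = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))

def check_exported_cert(filename, pem_text, originator):
    """Apply the guide's naming rules (.pem extension, originator in the name),
    then the structural checks. Returns a record to keep with the import log."""
    base = os.path.basename(filename)
    if not base.lower().endswith(".pem"):
        raise ValueError("certificate file must use the .pem extension")
    if originator not in base:
        raise ValueError("file name should identify the originating switch")
    der = pem_to_der(pem_text)
    check_certificate_der(der)
    return {"file": base, "der_len": len(der), "sha256": fingerprint_sha256(der)}

def is_rejected(filename, pem_text, originator):
    """True if the file fails any check (handy for negative tests)."""
    try:
        check_exported_cert(filename, pem_text, originator)
        return False
    except ValueError:
        return True

def build_sample_cert_der():
    """Constructed stand-in with the three top-level X.509 fields. It is NOT a
    real certificate and only exercises the checks above."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01"))  # tbsCertificate with a dummy serial
    sig_alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption OID
    sig_val = der_tlv(0x03, b"\x00" + b"\xaa" * 16)  # BIT STRING, zero unused bits
    return der_tlv(0x30, tbs + sig_alg + sig_val)

def der_to_pem(der):
    """Wrap DER in CERTIFICATE armor at 64 columns (the shape an exported .pem is expected to have)."""
    b64 = base64.b64encode(der).decode()
    return "\n".join([PEM_BEGIN] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [PEM_END]) + "\n"

SAMPLE_DER = build_sample_cert_der()          # constructed input, see above
SAMPLE_PEM = der_to_pem(SAMPLE_DER)           # what a good enc_switch1_cp_cert.pem parses as
TRUNCATED_PEM = der_to_pem(SAMPLE_DER[:-5])   # simulates a copy cut short in transfer
```

Run check_exported_cert("/tmp/certs/enc_switch1_cp_cert.pem", open(path).read(), "enc_switch1") on the host the SCP example above wrote to; the returned fingerprint is what you compare against the certificate as it appears on the group leader or key vault once imported (how each side displays it is outside this page). The truncated sample is rejected by the length check in der_read_tlv rather than by the base64 decode, which is the point: a cut-short PEM is still valid base64, so armor alone is not a sufficient test.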