Initializing the fabric os encryption engines – Brocade Fabric OS Encryption Administrator’s Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments (Supporting Fabric OS v7.2.0) User Manual
Fabric OS Encryption Administrator’s Guide (SKM/ESKM), page 143, 53-1002923-01
3 Steps for connecting to an SKM or ESKM appliance
20. Create and install an SKM/ESKM certificate. Refer to “Creating and installing the SKM or” on page 139 for a description of this procedure.
NOTE
An SKM/ESKM cluster may have many members, but the Brocade encryption products support only two as primary and secondary key vaults.
Initializing the Fabric OS encryption engines
You must perform a series of encryption engine initialization steps on every Brocade encryption node (switch or blade) that is expected to perform encryption within the fabric.
NOTE
The initialization process overwrites any authentication data and certificates that reside on the node and the security processor. If this is not a first-time initialization, make sure to export the master key by running cryptocfg --exportmasterkey and cryptocfg --export -scp -currentMK before running --initEE.
Complete the following steps to initialize an encryption engine.
1. Log in to the switch as Admin or SecurityAdmin.
2. Synchronize the time on the switch and the key manager appliance. They should be within one minute of each other. Differences in time can invalidate certificates and cause key vault operations to fail.
3. Initialize the node by entering the cryptocfg --initnode command. Successful execution generates the following security parameters and certificates:
   • Node CP certificate
   • Key Archive Client (KAC) certificate
   NOTE
   Node initialization overwrites any existing authentication data on the node.
   SecurityAdmin:switch> cryptocfg --initnode
   This will overwrite all identification and authentication data
   ARE YOU SURE (yes, y, no, n): [no] y
   Notify SPM of Node Cfg
   Operation succeeded.
4. Zeroize all critical security parameters (CSPs) on the switch by entering the cryptocfg --zeroizeEE command. Provide a slot number if the encryption engine is a blade.
   SecurityAdmin:switch> cryptocfg --zeroizeEE
   This will zeroize all critical security parameters
   ARE YOU SURE (yes, y, no, n): [no]y
   Operation succeeded.
   Zeroization leaves the switch or blade faulted. The switch or blade reboots automatically.
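The two preconditions this procedure depends on (clocks within one minute, and a master key export in hand before a re-initialization overwrites the node's authentication data) are easy to skip under time pressure. The following POSIX shell pre-flight check is an added example, not part of the Brocade guide or its CLI; it assumes the caller supplies both clocks as epoch seconds and the path of the master key backup file produced by the export step.

```shell
# Added pre-flight check before cryptocfg --initnode / --initEE (not Brocade code).
# Enforces the two conditions the procedure calls out:
#  1. switch and key manager clocks within one minute of each other
#  2. for a non-first-time initialization, a master key export must already exist,
#     because initialization overwrites the node's authentication data.
# Epoch times and the backup path are assumptions supplied by the caller.

MAX_SKEW_SECONDS=60

# clock_skew_ok SWITCH_EPOCH KEYVAULT_EPOCH -> 0 when |difference| <= tolerance
clock_skew_ok() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( 0 - skew ))
    [ "$skew" -le "$MAX_SKEW_SECONDS" ]
}

# master_key_backed_up FIRST_TIME BACKUP_FILE
# FIRST_TIME is "yes" when no master key exists yet; otherwise the export file
# (assumed path, written by cryptocfg --export -scp -currentMK) must be non-empty.
master_key_backed_up() {
    [ "$1" = "yes" ] && return 0
    [ -s "$2" ]
}

# preflight_initee SWITCH_EPOCH KEYVAULT_EPOCH FIRST_TIME BACKUP_FILE
# Reports the first failing condition and returns 1; returns 0 when it is
# reasonable to proceed with the initialization steps above.
preflight_initee() {
    if ! clock_skew_ok "$1" "$2"; then
        echo "clock skew exceeds ${MAX_SKEW_SECONDS}s; certificates may be rejected" >&2
        return 1
    fi
    if ! master_key_backed_up "$3" "$4"; then
        echo "no master key export at '$4'; run cryptocfg --exportmasterkey first" >&2
        return 1
    fi
    echo "pre-flight OK: proceed with cryptocfg --initnode"
    return 0
}
```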