
Adding a member node to an encryption group – Brocade Fabric OS Encryption Administrator’s Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments (Supporting Fabric OS v7.2.0) User Manual


150

Fabric OS Encryption Administrator’s Guide (SKM/ESKM)

53-1002923-01

Steps for connecting to an SKM or ESKM appliance

3

When the secondary SKM/ESKM is replaced with a different SKM/ESKM, you must first
synchronize the DEKs from primary SKM/ESKM before reregistering the secondary
SKM/ESKM.

Adding a member node to an encryption group

Before adding a member node to an encryption group, ensure that the node has been properly
initialized and that all encryption engines are in an enabled state. See “Initializing the Fabric OS
encryption engines” on page 143.

After adding the member node to the encryption group, the following operations can still be
performed on the member node if necessary. Initially, these commands should not be necessary if
the initialization procedure was followed:

cryptocfg --initEE
cryptocfg --regEE
cryptocfg --enableEE

CAUTION

After adding the member node to the encryption group, you should not use the cryptocfg --zeroizeEE
command on that node. Doing so removes critical information from the node and makes it necessary
to re-initialize the node and export new KAC certificates to the group leader and the key vault.

To add a member node to an encryption group, follow these steps:

1. Log in to the switch on which the certificate was generated as Admin or FabricAdmin.

2. Execute the cryptocfg --reclaimWWN -cleanup command.

3. Log in as Admin or SecurityAdmin.

4. Export the certificate from the local switch to an SCP-capable external host or to a mounted
USB device. Enter the cryptocfg --export command with the appropriate parameters. When
exporting a certificate to a location other than your home directory, you must specify a fully
qualified path that includes the target directory and file name. When exporting to USB storage,
certificates are stored by default in a predetermined directory, and you only need to provide a
file name for the certificate. The file name must be given a .pem (privacy enhanced mail)
extension. Use a character string that identifies the certificate’s originator, such as the switch
name or IP address.

The following example exports a CP certificate from an encryption group member to an external
SCP-capable host and stores it as enc_switch1_cp_cert.pem.

SecurityAdmin:switch> cryptocfg --export -scp CPcert \
    192.168.38.245 mylogin /tmp/certs/enc_switch1_cp_cert.pem
Password:
Operation succeeded.

The following example exports a CP certificate from the local node to USB storage.

SecurityAdmin:switch> cryptocfg --export -usb CPcert enc_switch1_cp_cert.pem
Operation succeeded.
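The exported .pem file is the artifact the group leader and key vault will trust, so it is worth checking it on the receiving host before it is imported. The following Python script is an added example, not part of the Brocade guide or of Fabric OS: it applies the naming rules from step 4 (a .pem extension, a fully qualified path for SCP export, a bare file name for USB export, a name that identifies the originator) and then confirms that the file holds one well-framed PEM CERTIFICATE block whose DER payload is a complete SEQUENCE, printing SHA-256 and SHA-1 fingerprints that can be compared out of band with the switch. The PEM sample embedded below is a constructed five-byte stand-in, not a real certificate, and the "generic name" rule is this script's own heuristic rather than something the guide states.

```python
"""Pre-flight checks for an exported CP certificate (.pem) before it is
handed to the group leader and key vault. Added example; not part of the
Brocade guide. The PEM sample at the bottom is a constructed stand-in,
not a real certificate."""
import base64
import hashlib
import posixpath
import re

# Matches the single CERTIFICATE block expected in an exported .pem file.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def check_export_name(target: str, medium: str) -> list[str]:
    """Apply the guide's naming rules to an export target.

    medium is "scp" or "usb". Returns a list of problems; empty means OK.
    """
    problems = []
    if not target.endswith(".pem"):
        problems.append("file name must carry a .pem extension")
    if medium == "usb":
        # USB export uses a predetermined directory: only a bare file name.
        if "/" in target:
            problems.append("USB export takes a bare file name, not a path")
    elif medium == "scp":
        # Outside the home directory the guide requires a fully qualified path.
        if not posixpath.isabs(target):
            problems.append("SCP export needs a fully qualified path")
    else:
        problems.append(f"unknown export medium {medium!r}")
    # Heuristic (this script's assumption): a very short or generic base name
    # does not identify the originating switch as the guide recommends.
    stem = posixpath.basename(target).removesuffix(".pem")
    if len(stem) < 4 or stem.lower() in {"cert", "cpcert", "certificate"}:
        problems.append("name should identify the originator (switch name or IP)")
    return problems


def _der_outer_length(der: bytes) -> tuple[int, int]:
    """Return (content_length, header_length) of the outermost DER element."""
    if len(der) < 2:
        raise ValueError("truncated DER")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return first, 2
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return int.from_bytes(der[2:2 + n], "big"), 2 + n


def _fingerprint(digest: bytes) -> str:
    return ":".join(f"{b:02X}" for b in digest)


def inspect_pem_certificate(pem_text: str) -> dict:
    """Validate PEM framing and the outer DER structure; return fingerprints.

    This does not decode X.509 fields; it catches truncation, stray bytes and
    copy/paste damage and yields digests to compare against the switch.
    """
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(m.group(1).split())    # drop the 64-column line breaks
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("outer DER element is not a SEQUENCE")
    content_len, header_len = _der_outer_length(der)
    if header_len + content_len != len(der):
        raise ValueError("DER length does not match payload size")
    return {
        "der_len": len(der),
        "sha256": _fingerprint(hashlib.sha256(der).digest()),
        "sha1": _fingerprint(hashlib.sha1(der).digest()),
    }


def pem_is_wellformed(pem_text: str) -> bool:
    """Boolean wrapper around inspect_pem_certificate()."""
    try:
        inspect_pem_certificate(pem_text)
        return True
    except ValueError:
        return False


def _wrap_pem(der: bytes) -> str:
    """PEM-encode raw DER with 64-column lines (for the constructed samples)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed samples: a 5-byte SEQUENCE{INTEGER 2} stands in for a real
# certificate (several hundred bytes), and a copy whose length byte claims
# more content than is actually present.
SAMPLE_PEM = _wrap_pem(bytes.fromhex("3003020102"))
SAMPLE_TRUNCATED_PEM = _wrap_pem(bytes.fromhex("3005020102"))

if __name__ == "__main__":
    for target, medium in [("/tmp/certs/enc_switch1_cp_cert.pem", "scp"),
                           ("enc_switch1_cp_cert.pem", "usb"),
                           ("certs/cert.txt", "scp")]:
        print(target, medium, check_export_name(target, medium) or "OK")
    print(inspect_pem_certificate(SAMPLE_PEM))
    print("truncated sample well-formed:", pem_is_wellformed(SAMPLE_TRUNCATED_PEM))
```

Run it on the host that received the SCP transfer, pointing inspect_pem_certificate() at the contents of the exported file; a fingerprint mismatch against what the switch reports, or a rejected file, means the export should be repeated before the certificate goes anywhere near the group leader or the key vault.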