Brocade Fabric OS Encryption Administrator’s Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments (Supporting Fabric OS v7.2.0) User Manual

Fabric OS Encryption Administrator’s Guide (SKM/ESKM)

151

53-1002923-01

Steps for connecting to an SKM or ESKM appliance

3

5. Use the cryptocfg

--

import command to import the CP certificates to the group leader node.

You must import the CP certificate of each node you want to add to the encryption group.

The following example imports a CP certificate named “enc_switch1_cp_cert.pem” that was
previously exported to the external host 192.168.38.245. Certificates are imported to a
predetermined directory on the group leader.

SecurityAdmin:switch> cryptocfg --import -scp enc_switch1_cp_cert.pem \

192.168.38.245 mylogin /tmp/certs/enc_switch1_cp_cert.pem

Password:

Operation succeeded.

The following example imports a CP certificate named “enc_switch1_cp_cert.pem” that was
previously exported to USB storage.

SecurityAdmin:switch> cryptocfg --import -usb enc_switch1_cp_cert.pem \

enc_switch1_cp_cert.pem

Operation succeeded.

NOTE

If the maximum number of certificates is exceeded, you are prompted to delete any unused
certificates using the cryptocfg

–-

delete

–

file command and then try again.

6. Enter the cryptocfg

--

show

-

file

-

all command on the group leader to verify that you have

imported all necessary certificates.

The following example shows the member node CP certificate that was imported earlier to the
group leader.

SecurityAdmin:switch> cryptocfg --show -file -all

File name: enc_switch1_cp_cert.pem, size: 1338 bytes

7. On the group leader, register each node you are planning to include in the encryption group.

Enter the cryptocfg

--

reg

-

membernode command with appropriate parameters to register

the member node. Specify the member node’s WWN, Certificate filename, and IP address
when executing this command. Successful execution of this command distributes all
necessary node authentication data to the other members of the group.

SecurityAdmin:switch> cryptocfg --reg -membernode \

10:00:00:05:1e:39:14:00 enc_switch1_cert.pem 10.32.244.60

Operation succeeded.

NOTE

The order in which member node registration is performed defines group leader succession. At
any given time there is only one active group leader in an encryption group. The group leader
succession list specifies the order in which group leadership is assumed if the current group
leader is not available.

8. Display encryption group member information. This example shows the encryption group

brocade with two member nodes, one group leader and one regular member. No key vault or
HA cluster is configured, and the values for master key IDs are zero.

SecurityAdmin:switch> cryptocfg --show -groupmember -all

NODE LIST

Total Number of defined nodes:2

Group Leader Node Name: 10:00:00:05:1e:41:9a:7e

Encryption Group state: CLUSTER_STATE_CONVERGED