Brocade Fabric OS Encryption Administrator’s Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments (Supporting Fabric OS v7.2.0) User Manual

53-1002923-01
Brocade Encryption Switch removal and replacement
12. Recreate the EG with the same name as before using the following command.
Admin:switch> cryptocfg --create -encgroup
13. Invoke configdownload from the previously uploaded configuration.
14. Enable the switch using the switchenable command.
15. Deregister both key vaults using the following command.
Admin:switch> cryptocfg --dereg -keyvault
16. Export the KAC CSR from the new node and have the CSR signed by the HP SKM/ESKM Local CA.
17. Import the signed CSR/Certificate onto the new node.
18. Register the signed KAC CSR/Certificate back onto the new node.
Admin:switch> cryptocfg --reg -KACcert
19. Register the new node KAC Certificate with the HP SKM/ESKM appliances and create a
username and password for this node on the HP SKM/ESKM appliances under the group
“Brocade.”
20. Create the same username and password on the new node as were created on the HP SKM/ESKM
appliances, using the following command:
Admin:switch> cryptocfg --reg -KACLogin
21. If the new node is a single-node encryption group, register the HP SKM/ESKM
appliances' IP and CA Certificate onto this node.
22. If a master key is not present, restore the master key from a backed up copy. Procedures will
differ depending on the backup media used (for example, recovery smart cards, from the key
vault, from a file on the network, or a file on a USB-attached device). Refer to Chapter 2,
“Configuring Encryption Using the Management Application.”
23. Check the encryption engine (EE) state using the following command to ensure that the encryption
engine is online.
Admin:switch> cryptocfg --show -localEE
24. Set the defzone as allAccess on the new Brocade Encryption Switch, so that the configuration from
the fabric is pushed to the new Brocade Encryption Switch.
25. Invoke the following command on the new Brocade Encryption Switch:
Admin:switch> cfgsave
26. Reconnect the FC Cables to the new Brocade Encryption Switch.
27. Invoke the cfgsave command on any switch in that fabric. The fabric configuration from the
existing fabric is merged into the new Brocade Encryption Switch.
28. Verify that defzone is set as no access.
29. If HA cluster membership for the old Brocade Encryption Switch was in place, do the following
to move the containers to the new Brocade Encryption Switch.
a. Replace the old EE with the new EE using the following command on the group leader.
Admin:switch> cryptocfg --replace
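
A check worth running between steps 16 and 17, before the signed KAC certificate is imported: confirm that it carries the public key from the node's CSR and that it verifies against the Local CA certificate. This is an added example, not part of the Brocade guide; it assumes the CSR, signed certificate and CA certificate are available as PEM files on a workstation with OpenSSL, and every file name, key and certificate in it is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the Brocade guide). File names are assumptions and
# all keys/certificates below are constructed samples so it runs offline.

# check_kac_cert <csr.pem> <signed_cert.pem> <ca_cert.pem>
# 0 = certificate carries the CSR's public key and verifies against the CA
# 1 = public key mismatch (certificate was issued for a different CSR)
# 2 = CSR or certificate could not be parsed
# 3 = certificate does not verify against the given CA certificate
check_kac_cert() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$csr_pub" ] || return 2
    [ "$csr_pub" = "$crt_pub" ] || return 1
    openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 || return 3
    return 0
}

# make_samples <dir>: build a throwaway CA, two CSRs and three certificates.
make_samples() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Sample Local CA" \
        -days 1 -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    for n in node other; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sample-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
        openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
            -CAcreateserial -days 1 -out "$d/$n.pem" 2>/dev/null
    done
    # Right key, wrong issuer: the node CSR self-signed instead of CA-signed.
    openssl x509 -req -in "$d/node.csr" -signkey "$d/node.key" -days 1 \
        -out "$d/selfsigned.pem" 2>/dev/null
}

# run_demo: print the result code for each constructed case.
run_demo() {
    tmp=$(mktemp -d) && make_samples "$tmp" || return 9
    for crt in node.pem other.pem selfsigned.pem; do
        rc=0; check_kac_cert "$tmp/node.csr" "$tmp/$crt" "$tmp/ca.pem" || rc=$?
        echo "$crt: $rc"
    done
    rm -rf "$tmp"
}

run_demo
```

A non-zero result means the certificate should not be imported until the signing step has been repeated against the correct CSR and CA.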