
ESKM/SKM key vault deregistration, Encryption preparation – Brocade Fabric OS Encryption Administrator’s Guide Supporting HP Secure Key Manager (SKM) and HP Enterprise Secure Key Manager (ESKM) Environments (Supporting Fabric OS v7.2.0) User Manual

Fabric OS Encryption Administrator’s Guide (SKM/ESKM), 53-1002923-01, page 40
Chapter 2, Encryption preparation

ESKM/SKM key vault deregistration

Deregistration of either the primary or secondary ESKM/SKM key vault from an encryption switch
or blade is allowed independently.

Deregistration of Primary ESKM: You can deregister the primary ESKM/SKM from an
encryption switch or blade without deregistering the backup or secondary ESKM/SKM for
maintenance or replacement purposes. Future key operations will use only the secondary
ESKM/SKM until the primary ESKM/SKM is reregistered on the Brocade Encryption Switch or
blade.

When the primary ESKM/SKM is replaced with a different ESKM/SKM, you must first
synchronize the DEKs from the secondary ESKM/SKM before reregistering the primary
ESKM/SKM.

Deregistration of Secondary ESKM: You can deregister the secondary ESKM/SKM
independently. Future key operations will use only the primary ESKM/SKM until the secondary
ESKM/SKM is reregistered on the encryption switch or blade.

When the secondary ESKM/SKM is replaced with a different ESKM/SKM, you must first
synchronize the DEKs from the primary ESKM/SKM before reregistering the secondary
ESKM/SKM.

Encryption preparation

Before you use the encryption setup wizard for the first time, you should have a detailed
configuration plan in place and available for reference. The encryption setup wizard assumes the
following:

- You have a plan in place to organize encryption devices into encryption groups.

- If you want redundancy and high availability in your implementation, you have a plan to create
  high availability (HA) clusters of two encryption switches or blades to provide failover support.

- All switches in the planned encryption group are interconnected on an I/O synch LAN.

- The management ports on all encryption switches, and on all DCX Backbone Chassis CPs that have
  encryption blades installed, have a LAN connection to the SAN management program and are
  available for discovery.

- A supported key management appliance is connected on the same LAN as the encryption
  switches, DCX Backbone Chassis CPs, and the SAN management program.

- An external host is available on the LAN to facilitate certificate exchange.

- Switch KAC certificates have been signed by a CA and stored in a known location.

- Key management system (key vault) certificates have been obtained and stored in a known
  location.