
Brocade Fabric OS Encryption Administrator’s Guide Supporting Key Management Interoperability Protocol (KMIP) Key-Compliant Environments (Supporting Fabric OS v7.1.0) User Manual


Fabric OS Encryption Administrator’s Guide (KMIP)


53-1002747-02


From the standpoint of external SAN management application operations, the FIPS crypto officer,
FIPS user, and node CP certificates are transparent to users. The KAC certificates are required for
operations with key managers. In most cases, KAC certificate signing requests must be sent to a
Certificate Authority (CA) for signing to provide authentication before the certificate can be used. In
all cases, signed KACs must be present on each switch.

1. Initialize the Brocade Encryption Switch node.

SecurityAdmin:switch> cryptocfg --initnode
Operation succeeded.

2. Initialize the new encryption engine.

SecurityAdmin:switch> cryptocfg --initEE [slotnumber]
Operation succeeded.

3. Register the encryption engine.

SecurityAdmin:switch> cryptocfg --regEE [slotnumber]
Operation succeeded.

4. Enable the encryption engine.

SecurityAdmin:switch> cryptocfg --enableEE [slotnumber]
Operation succeeded.

5. Check the encryption engine state using the following command to ensure the encryption engine is online:

SecurityAdmin:switch> cryptocfg --show -localEE
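
As an added example (not from the Brocade guide), the Python code below audits a captured CLI session against steps 1 through 5 above: commands present in the documented order, `Operation succeeded.` after each of steps 1 to 4, the same slot argument on all three EE commands, and `--show -localEE` run last. The sample transcript, the slot value `2`, and the function names are constructed for illustration.

```python
import re

# Order of steps 1-4 above; step 5 (--show -localEE) is checked separately.
REQUIRED = ["--initnode", "--initEE", "--regEE", "--enableEE"]
CMD = re.compile(r"^\S+>\s*cryptocfg\s+(--\w+)\s*(.*)$")
# Constructed sample session; slot number 2 is an assumed value.
GOOD = """\
SecurityAdmin:switch> cryptocfg --initnode
Operation succeeded.
SecurityAdmin:switch> cryptocfg --initEE 2
Operation succeeded.
SecurityAdmin:switch> cryptocfg --regEE 2
Operation succeeded.
SecurityAdmin:switch> cryptocfg --enableEE 2
Operation succeeded.
SecurityAdmin:switch> cryptocfg --show -localEE
"""

def parse_steps(transcript):
    """Split a captured session into [option, args, output_lines] records."""
    steps = []
    for raw in transcript.splitlines():
        line = raw.strip()
        m = CMD.match(line)
        if m:
            steps.append([m.group(1), m.group(2).strip(), []])
        elif line and steps:
            steps[-1][2].append(line)
    return steps

def audit(transcript):
    """Return findings; an empty list means the log matches the procedure."""
    steps, findings, cursor, slots = parse_steps(transcript), [], 0, set()
    for opt in REQUIRED:
        idx = next((i for i in range(cursor, len(steps)) if steps[i][0] == opt), None)
        if idx is None:
            findings.append(f"{opt}: missing or out of order")
            continue
        if "Operation succeeded." not in steps[idx][2]:
            findings.append(f"{opt}: no success message")
        if opt != "--initnode":
            slots.add(steps[idx][1])  # slot argument, "" when omitted
        cursor = idx + 1
    if len(slots) > 1:
        findings.append("slot argument differs between EE commands")
    # The --show output itself is not interpreted: its format is not on the page.
    if not any(s[0] == "--show" and s[1] == "-localEE" for s in steps[cursor:]):
        findings.append("--show -localEE: not run after the last step")
    return findings
```

Calling `audit(GOOD)` returns an empty list; a session with a skipped, reordered, or failed step returns one finding per deviation.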

Steps for connecting to a KMIP appliance (SafeNet KeySecure)

After installing the SSKM KeySecure appliance, you must complete the following steps before the
Brocade Encryption Switch can be configured with the SSKM appliance. Once these steps are
completed, proceed to “Configuring the Brocade Encryption Switch key vault setup (SafeNet KeySecure)” on page 152.

NOTE

If you are configuring two KeySecure nodes, you must complete step 1 through step 6 on the primary
node, then complete step 7 on the secondary node. If only a single node is being configured, step 7
is not needed.

The following is a suggested order of steps needed to create a secure connection to the KMIP
appliance.

1. Set FIPS compliance. (Refer to “Setting FIPS compliance” on page 150.)

2. Create a local CA. (Refer to “Creating a local CA” on page 150.)

3. Create a server certificate. (Refer to “Creating a server certificate” on page 150.)

4. Create a cluster. (Refer to “Creating a cluster” on page 150.)

5. Back up the certificates. (Refer to “Backing up the certificates” on page 151.)