Brocade Fabric OS Encryption Administrator’s Guide Supporting Key Management Interoperability Protocol (KMIP) Key-Compliant Environments (Supporting Fabric OS v7.1.0) User Manual
Fabric OS Encryption Administrator’s Guide (KMIP), 53-1002747-02
Configuring the Brocade Encryption Switch key vault setup (SafeNet KeySecure)
Notify SPM of Node Cfg
Operation succeeded.
5. Initialize the encryption engine using the cryptocfg --initEE command. Provide a slot number if the encryption engine is a blade. This step generates critical security parameters (CSPs) and certificates in the CryptoModule’s security processor (SP). The CP and the SP perform a certificate exchange to register respective authorization data.
SecurityAdmin:switch> cryptocfg --initEE
This will overwrite previously generated identification
and authentication data
ARE YOU SURE (yes, y, no, n): y
Operation succeeded.
6. Register the encryption engine by entering the cryptocfg --regEE command. Provide a slot number if the encryption engine is a blade. This step registers the encryption engine with the CP or chassis. Successful execution results in a certificate exchange between the encryption engine and the CP through the FIPS boundary.
SecurityAdmin:switch> cryptocfg --regEE
Operation succeeded.
7. Enable the encryption engine by entering the cryptocfg --enableEE command.
SecurityAdmin:switch> cryptocfg --enableEE
Operation succeeded.
8. Repeat the above steps on every node that is expected to perform encryption.
Registering KMIP on a Brocade encryption group leader
An encryption group consists of one or more encryption engines. Encryption groups can provide failover/failback capabilities by organizing encryption engines into Data Encryption Key (DEK) clusters. An encryption group has the following properties:
• It is identified by a user-defined name.
• When there is more than one member, the group is managed from a designated group leader.
• All group members must share the same key manager.
• The same master key is used for all encryption operations in the group.
• In the case of FS8-18 blades:
  - All encryption engines in a chassis are part of the same encryption group.
  - An encryption group may contain up to four DCX Backbone nodes with a maximum of four encryption engines per node, forming a total of 16 encryption engines.
You will need to know the download location for the CA certificate.
1. Identify one node (a Brocade Encryption Switch or a Brocade DCX Backbone chassis with an FS8-18 blade) as the designated group leader and log in as Admin or SecurityAdmin.
2. Enter the cryptocfg --create -encgroup command followed by a name of your choice. The name can be up to 15 characters long, and it can include any alphanumeric characters and underscores. White space or other special characters are not permitted.
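The following POSIX shell script is an added example and is not part of the Brocade guide or the Fabric OS CLI. It collects two pre-flight checks an administrator would want before running the node procedure (steps 5 through 8) and the group creation in step 2: it validates a proposed encryption group name against the rule stated above (up to 15 characters, alphanumerics and underscores only), it lays out the per-node cryptocfg --initEE, --regEE and --enableEE sequence with the slot number appended for a blade (slot placement is an assumption drawn from the "provide a slot number" wording), and it checks captured command output for the "Operation succeeded." line the guide shows. The function names are hypothetical, and the sample transcripts are constructed here; the script never contacts a switch.

```shell
#!/bin/sh
# Added example, not from the Brocade guide. Function names are hypothetical.
# The switch CLI is never invoked; only captured output (constructed below) is checked.

# Validate an encryption group name against the rule in step 2:
# non-empty, at most 15 characters, only [A-Za-z0-9_].
validate_encgroup_name() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 15 ] || return 1
    case $name in
        *[!A-Za-z0-9_]*) return 1 ;;   # white space or other special characters
    esac
    return 0
}

# Return 0 only if the captured cryptocfg output contains the success line
# that steps 5 through 7 show ("Operation succeeded.").
cryptocfg_succeeded() {
    printf '%s\n' "$1" | grep -q '^Operation succeeded\.$'
}

# Print the per-node command sequence of steps 5 through 7, one per line.
# $1 is empty for a Brocade Encryption Switch, or the slot number for an
# FS8-18 blade (slot as trailing argument is an assumption in this example).
ee_command_plan() {
    slot=$1
    for op in initEE regEE enableEE; do
        if [ -n "$slot" ]; then
            printf 'cryptocfg --%s %s\n' "$op" "$slot"
        else
            printf 'cryptocfg --%s\n' "$op"
        fi
    done
}

# Constructed sample transcripts, modelled on the ones printed in the guide.
SAMPLE_OK='SecurityAdmin:switch> cryptocfg --regEE
Operation succeeded.'
SAMPLE_FAIL='SecurityAdmin:switch> cryptocfg --regEE
Operation failed. (constructed failure text)'

# Stand-alone run: show the plan for a blade in slot 3 and check the samples.
if [ "${0##*/}" != "sh" ]; then
    ee_command_plan 3
    cryptocfg_succeeded "$SAMPLE_OK"   && echo "sample 1: success line present"
    cryptocfg_succeeded "$SAMPLE_FAIL" || echo "sample 2: success line missing"
    validate_encgroup_name brocade_grp_01 && echo "name accepted"
    validate_encgroup_name 'bad name'     || echo "name rejected"
fi
```

Because step 8 repeats steps 5 through 7 on every node, the command plan is emitted once per node and each captured output is passed through cryptocfg_succeeded before moving on; a node whose output lacks the success line should not be added to the encryption group.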