Brocade Fabric OS Encryption Administrator’s Guide Supporting Key Management Interoperability Protocol (KMIP) Key-Compliant Environments (Supporting Fabric OS v7.1.0) User Manual
53-1002747-02
Adding a member node to an encryption group
NOTE
If the maximum number of certificates is exceeded, the following message is displayed.
Maximum number of certificates exceeded. Delete an unused certificate with the
‘cryptocfg --delete -file’ command and then try again.
6. Enter the cryptocfg --show -file -all command on the group leader to verify that you have
imported all necessary certificates.
The following example shows the member node CP certificate that was imported earlier to the
group leader.
SecurityAdmin:switch> cryptocfg --show -file -all
File name: enc_switch1_cp_cert.pem, size: 1338 bytes
7. On the group leader, register each node you are planning to include in the encryption group.
Enter the cryptocfg --reg -membernode command with appropriate parameters to register
the member node. Specify the member node’s WWN, Certificate filename, and IP address
when executing this command. Successful execution of this command distributes all
necessary node authentication data to the other members of the group.
SecurityAdmin:switch> cryptocfg --reg -membernode \
10:00:00:05:1e:39:14:00 enc_switch1_cert.pem 10.32.244.60
Operation succeeded.
NOTE
The order in which member node registration is performed defines group leader succession. At
any given time there is only one active group leader in an encryption group. The group leader
succession list specifies the order in which group leadership is assumed if the current group
leader is not available.
8. Check the status of the encryption group to ensure it is in the correct state. This example shows the
encryption group KMIP with two member nodes, one group leader and one regular member.
SecurityAdmin:switch> cryptocfg --show -groupcfg
Encryption Group Name: TEKA
Failback mode: Auto
Replication mode: Disabled
Heartbeat misses: 3
Heartbeat timeout: 2
Key Vault Type: KMIP
System Card: Disabled
Primary Key Vault:
IP address: 10.18.228.38
Certificate ID: SAN32BE42TEKA
Certificate label: KMIP
State: Connected
Type: KMIP
Secondary Key Vault not configured
Additional Primary Key Vault Information::
Key Vault/CA Certificate Validity: Yes
Port for Key Vault Connection: 5696
Time of Day on Key Server: N/A
Server SDK Version: SSKM 2.0.0.0 KMIP 1.0 BUILD 201
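The verification in step 8 can be automated once the switch output is captured; the following is an added example (not Brocade code) that parses cryptocfg --show -groupcfg output and flags an unhealthy key vault connection. The sample output is constructed from this page, and the section-prefixed keys and the "no secondary key vault" finding are this example's own conventions.

```python
# Added example (not Brocade code): parse `cryptocfg --show -groupcfg`
# output and flag anything that is not a connected, validated KMIP key vault.
# SAMPLE is constructed from the page; nested lines are indented as the CLI does.
import re

SAMPLE = """\
Encryption Group Name: TEKA
Key Vault Type: KMIP
Primary Key Vault:
   IP address: 10.18.228.38
   Certificate ID: SAN32BE42TEKA
   State: Connected
Secondary Key Vault not configured
Additional Primary Key Vault Information::
   Key Vault/CA Certificate Validity: Yes
   Port for Key Vault Connection: 5696
"""

def parse_groupcfg(text):
    """Flatten 'Key: Value' lines into a dict; indented lines are prefixed
    with the most recent section header, e.g. 'Primary Key Vault/State'."""
    cfg, section = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = re.match(r"^(.*?):+\s*(.*)$", raw.strip())
        if m is None:                       # bare status line without a colon
            cfg[raw.strip()] = True
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if not raw[0].isspace():
            section = key if value == "" else None
            if value == "":
                continue                    # header only, e.g. "Primary Key Vault:"
        cfg[f"{section}/{key}" if section else key] = value
    return cfg

def check_encryption_group(cfg, expected_port="5696"):
    """Return a list of findings; an empty list means every check passed."""
    info = "Additional Primary Key Vault Information/"
    findings = []
    if cfg.get("Primary Key Vault/State") != "Connected":
        findings.append("primary key vault not Connected")
    if cfg.get(info + "Key Vault/CA Certificate Validity") != "Yes":
        findings.append("key vault / CA certificate not validated")
    if cfg.get(info + "Port for Key Vault Connection") != expected_port:
        findings.append("unexpected key vault port")
    if cfg.get("Secondary Key Vault not configured"):
        findings.append("no secondary key vault configured (no failover)")
    return findings
```

Run check_encryption_group(parse_groupcfg(output)) against the captured output; for the page's configuration the only finding is the missing secondary key vault.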