Brocade Fabric OS Command Reference (Supporting Fabric OS v7.3.0) User Manual

Page 219

background image

Fabric OS Command Reference

189

53-1003131-01

cryptoCfg

2

--delete -encgroup

Deletes an encryption group with the specified name. This command is valid only
on the group leader. This command fails if the encryption group has more than
one node, or if any HA cluster configurations, CryptoTarget container/LUN
configurations, or tape pool configurations exist in the encryption group. Remove
excess member nodes and clear all HA cluster, CryptoTarget container/LUN, or
tape pool configurations before deleting an encryption group.

encryption_group_name

Specifies the name of the encryption group to be deleted. This operand is required
when deleting an encryption group.

--reg -keyvault

Registers the specified key vault (primary or secondary) with the encryption
engines of all nodes present in an encryption group. Upon successful registration,
a connection to the key vault is automatically established. This command is valid
only on the group leader. Registered certificates are distributed from the group
leader to all member nodes in the encryption group. Each node in the encryption
group distributes the certificates to their respective encryption engines.

The following operands are required when registering a key vault:

cert_label

Specifies the key vault certificate label. This is a user-generated name for the
specified key vault. Use the cryptocfg --show -groupcfg command to view the
key vault label after registration is complete.

certfile

Specifies the certificate file. This file must be imported prior to registering the key
vault and reside in the predetermined directory where certificates are stored. In
the case of the HP SKM, this operand specifies CA file, which is the certificate of
the signing authority on the SKM. Use the --show -file -all command for a listing
of imported certificates.

hostname | ip_address

Specifies the key vault by providing either a host name or IP address. If you are
registering a key vault that is part of an DPM cluster, the value for ip_address is
the virtual IP address for the DPM cluster and not the address of the actual key
vault.

primary | secondary

Specifies the key vault as either primary or secondary. The secondary key vault
serves as backup.

--dereg -keyvault

Removes the registration for a specified key vault. The key vault is identified by
specifying the certificate label. Removing a key vault registration disconnects the
key vault. This command is valid only on the group leader.

cert_label

Specifies the key vault certificate label. This operand is required when removing
the registration for a key vault.

--reg -KACcert

Registers the signed node certificate. After being exported and signed by the
external signing authority, the signed node certificate must be imported back into
the node and registered for a successful two-way certificate exchange with the
key vault. This command is valid only on the group leader.

Registration functions need to be invoked on all the nodes in a DEK cluster for
their respective signed node certificates. The following operands are required:

signed_certfile

Specifies the name of the signed node certificate to be reimported.