Obtaining and importing the LKM/SSKM certificate – Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual
Fabric OS Encryption Administrator’s Guide (LKM/SSKM)
53-1002925-01
Steps for connecting to an LKM/SSKM appliance
4. Zeroize all critical security parameters (CSPs) on the switch by entering the
cryptocfg --zeroizeEE command. Provide a slot number if the encryption engine is a blade.
SecurityAdmin:switch> cryptocfg --zeroizeEE
This will zeroize all critical security parameters
ARE YOU SURE (yes, y, no, n): [no]y
Operation succeeded.
Zeroization leaves the switch or blade in the fault state. The switch or blade is rebooted
automatically.
5. Initialize the encryption engine using the cryptocfg --initEE command. Provide a slot number
if the encryption engine is a blade. This step generates critical security parameters (CSPs) and
certificates in the CryptoModule’s security processor (SP). The CP and the SP perform a
certificate exchange to register respective authorization data.
SecurityAdmin:switch> cryptocfg --initEE
This will overwrite previously generated identification
and authentication data
ARE YOU SURE (yes, y, no, n): y
Operation succeeded.
6. Register the encryption engine by entering the cryptocfg --regEE command. Provide a slot
number if the encryption engine is a blade. This step registers the encryption engine with the
CP or chassis. Successful execution results in a certificate exchange between the encryption
engine and the CP through the FIPS boundary.
SecurityAdmin:switch> cryptocfg --regEE
Operation succeeded.
7. Enable the encryption engine by entering the cryptocfg --enableEE command.
SecurityAdmin:switch> cryptocfg --enableEE
Operation succeeded.
8. Repeat the above steps on every node that is expected to perform encryption.
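Because steps 4 through 7 must complete in order on every node, a saved CLI session can be checked after the fact. The following is an added example, not part of the Brocade guide: it scans a captured transcript and reports, per encryption engine, whether all four commands ran in order and each returned "Operation succeeded." The function names, the sample transcript, and the assumption that a blade's slot number follows the subcommand are illustrative.

```python
import re

# Order required by steps 4-7 above.
REQUIRED = ["zeroizeEE", "initEE", "regEE", "enableEE"]
# Prompt and command as they appear in the transcripts above; the optional
# trailing number is the blade slot (assumed to follow the subcommand).
CMD = re.compile(r"^\S+>\s*cryptocfg\s+--(\w+)(?:\s+(\d+))?$")


def audit_transcript(text):
    """Map each engine ('switch' or a slot number) to (ok, detail)."""
    runs = {}       # engine -> list of [subcommand, succeeded]
    current = None  # the command whose output is being read
    for raw in text.splitlines():
        line = raw.strip()
        m = CMD.match(line)
        if m:
            current = [m.group(1), False]
            runs.setdefault(m.group(2) or "switch", []).append(current)
        elif current is not None and line == "Operation succeeded.":
            current[1] = True
    return {engine: _check(steps) for engine, steps in runs.items()}


def _check(steps):
    failed = [name for name, ok in steps if not ok]
    if failed:
        return (False, "no success reported for --" + failed[0])
    done = [name for name, _ in steps if name in REQUIRED]
    if done == REQUIRED:
        return (True, "all four steps succeeded in order")
    missing = [name for name in REQUIRED if name not in done]
    if missing:
        return (False, "missing --" + ", --".join(missing))
    return (False, "unexpected order: " + " ".join(done))


# Constructed sample: a blade in slot 2 where --regEE was skipped.
SAMPLE = """\
SecurityAdmin:switch> cryptocfg --zeroizeEE 2
This will zeroize all critical security parameters
ARE YOU SURE (yes, y, no, n): [no]y
Operation succeeded.
SecurityAdmin:switch> cryptocfg --initEE 2
ARE YOU SURE (yes, y, no, n): y
Operation succeeded.
SecurityAdmin:switch> cryptocfg --enableEE 2
Operation succeeded.
"""

if __name__ == "__main__":
    for engine, (ok, detail) in audit_transcript(SAMPLE).items():
        print(engine, "OK" if ok else "INCOMPLETE", detail)
```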
Obtaining and importing the LKM/SSKM certificate
Certificates must be exchanged between LKM/SSKM and the encryption switch to enable mutual
authentication. You must obtain a certificate from LKM/SSKM, and import it into the encryption
group leader. The encryption group leader exports the certificate to other encryption group
members.
To obtain and import an LKM/SSKM certificate, complete the following steps:
1. Open an SSH connection to the NetApp LKM/SSKM appliance and log in.
host$ ssh [email protected]
[email protected]'s password:
Copyright (c) 2001-2009 NetApp, Inc.
All rights reserved
+--------------------------------+
| NetApp Appliance Management CLI |
| Authorized use only! |
+--------------------------------+
Cannot read termcap database;