
Exporting and registering the switch KAC certificates – Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual


Fabric OS Encryption Administrator’s Guide (LKM/SSKM), 53-1002925-01, page 124

Steps for connecting to an LKM/SSKM appliance

using dumb terminal settings.

Checking system tamper status: No physical intrusion detected.

2. Add the group leader to the LKM/SSKM key sharing group. Enter lkmserver add --type third-party --key-sharing-group "/" followed by the group leader IP address.

lkm-1> lkmserver add --type third-party --key-sharing-group "/" 10.32.244.71

NOTICE: LKM Server third-party 10.32.244.71 added.

Cleartext connections not allowed.

3. On the NetApp LKM/SSKM appliance terminal, enter sys cert getcert-v2 to display the LKM certificate content.

lkm-1> sys cert getcert-v2

-----BEGIN CERTIFICATE-----

[content removed]

-----END CERTIFICATE-----

4. Copy and paste the LKM/SSKM certificate content from the NetApp LKM/SSKM appliance terminal into an editor buffer. Save the file as lkmcert.pem on the SCP-capable host. Save the entire certificate, including the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

5. On the group leader, import the previously saved LKM/SSKM certificate from the SCP-capable host. Use the cryptocfg --import command with the -scp option. The following example imports a certificate file named lkmcert.pem.

SecurityAdmin:switch> cryptocfg --import -scp lkmcert.pem 192.168.38.245 mylogin /tmp/certs/lkmcert.pem

Password:

Operation succeeded.
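Step 4 depends on the pasted certificate being saved whole, and a truncated or over-long paste (a prompt copied after the END line, a Windows editor adding CR characters) is only discovered when the import in step 5 fails. The following POSIX sh function is an added example, not code from the Brocade guide or the NetApp appliance; it checks a saved PEM file before it is copied to the switch. The function name check_pem_cert and the file name check_pem.sh are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Brocade guide: verify that a certificate
# pasted from the LKM/SSKM terminal (step 4) was saved completely before it
# is copied to the switch with "cryptocfg --import -scp".

# check_pem_cert FILE
# Returns 0 when FILE holds exactly one complete PEM certificate block and
# nothing after it; otherwise prints the reason and returns 1.
# CR characters left by a Windows editor are ignored.
check_pem_cert() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f"; return 1; }
    body=$(tr -d '\r' < "$f")
    begin=$(printf '%s\n' "$body" | grep -c '^-----BEGIN CERTIFICATE-----$' || true)
    end=$(printf '%s\n' "$body" | grep -c '^-----END CERTIFICATE-----$' || true)
    [ "$begin" -eq 1 ] || { echo "expected one BEGIN line, found $begin"; return 1; }
    [ "$end" -eq 1 ] || { echo "expected one END line, found $end"; return 1; }
    # Lines between the markers, without the markers themselves.
    inner=$(printf '%s\n' "$body" \
        | sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
        | grep -v '^-----' || true)
    [ -n "$inner" ] || { echo "certificate body is empty"; return 1; }
    # Every body line must be base64 text (optionally '=' padded); a blank
    # line or a copied prompt inside the body means a broken paste.
    bad=$(printf '%s\n' "$inner" | grep -c -v '^[A-Za-z0-9+/]\{1,76\}=\{0,2\}$' || true)
    [ "$bad" -eq 0 ] || { echo "$bad malformed line(s) inside the certificate body"; return 1; }
    # The END marker must be the last non-blank line: a trailing shell prompt
    # or appliance banner would otherwise be imported with the certificate.
    last=$(printf '%s\n' "$body" | grep -v '^[[:space:]]*$' | tail -n 1)
    [ "$last" = '-----END CERTIFICATE-----' ] || { echo "text after END line: $last"; return 1; }
    return 0
}

# Usage: sh check_pem.sh lkmcert.pem   (script and file names are assumptions)
if [ $# -gt 0 ]; then
    check_pem_cert "$1" && echo "$1: complete PEM certificate"
fi
```

Run it on the host where lkmcert.pem was saved, before the scp import; the same check applies to the exported KAC certificate file in the next section.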

Exporting and registering the switch KAC certificates

The switch’s KAC certificate must be registered on the LKM/SSKM appliance, and the LKM/SSKM
certificate must be registered on the switch.

1. Export the KAC certificate from the Brocade encryption node to an SCP-capable external host.

SecurityAdmin:enc1_switch> cryptocfg --export -scp -KACcert 192.168.38.245 mylogin enc1_kac_lkm_cert.pem

Password:

Operation succeeded.

2. From the external host, register the KAC LKM/SSKM certificate you exported from the member node with the NetApp LKM/SSKM appliance, using the third-party IP address.

host$ echo lkmserver certificate set 10.32.244.60 `cat enc1_kac_lkm_cert.pem` | ssh -l admin 10.33.54.231

Pseudo-terminal will not be allocated because stdin is not a terminal.

admin@10.33.54.231's password:

Checking system tamper status: No physical intrusion detected.

ALERT: There are pending unapproved trustees.

NOTICE: LKM Peer '10.32.244.60' certificate is set