Establishing the trusted link – Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual

Fabric OS Encryption Administrator’s Guide (LKM/SSKM), 53-1002925-01, page 127
Chapter 3: Steps for connecting to an LKM/SSKM appliance

Establishing the trusted link

You must generate the trusted link establishment package (TEP) on all nodes to obtain a trusted
acceptance package (TAP) before you can establish a trusted link between each node and the
NetApp LKM/SSKM appliance.

NOTE

Complete all steps required to establish a trusted link between LKM/SSKM and the encryption
group members for each node before proceeding to the next node.

1. Issue a Diffie-Hellman challenge to the LKM/SSKM IP address.

SecurityAdmin:switch> cryptocfg --dhchallenge

2. Launch the NetApp DataFort Management Console (DMC) and log in.

3. Click the View Unapproved Trustees tab.

The switch is listed as openkey_trustee_, where the IP address is the switch IP address.

4. Select the switch, and select Approve and Create TAP.

The Approve TEP dialog box displays. The TEP must be approved before a TAP can be created.

5. Provide a label in the dialog box and click Approve to approve the TEP.

A smart card dialog box may display, requiring TEP approval to be done by a quorum of recovery
officers, using assigned recovery cards.

a. Insert the first card, and enter and verify the password. Wait for the Verify Password box to go gray before continuing.

b. Select Enable Remote Authorization.

c. Wait for the Start button to become highlighted and then select Start.

d. Repeat the procedure until a quorum of recovery officers has approved the TEP.

When the TEP is approved, the TAP is created.

6. Issue a Diffie-Hellman response to the LKM/SSKM IP address to obtain the TAP from LKM/SSKM.

SecurityAdmin:switch> cryptocfg --dhresponse

7. At this point, the trusted link should be established. Enter the cryptocfg --show -groupcfg command on the encryption node and confirm that the primary key vault reports a State of Connected.

SecurityAdmin:enc1_switch> cryptocfg --show -groupcfg
Encryption Group Name:    brocade
Failback mode:            Manual
Heartbeat misses:         3
Heartbeat timeout:        2
Key Vault Type:           LKM
Primary Key Vault:
    IP address:           10.33.54.231
    Certificate ID:       lkm-1
    Certificate label:    LKM1
    State:                Connected
    Type:                 LKM
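As an added example that is not part of the guide, the following Python snippet parses the cryptocfg --show -groupcfg output from step 7 and checks that the primary key vault is Connected, of type LKM, and at the expected IP address. The sample output is constructed from the values shown on this page; the exact whitespace layout of the real command output is an assumption.

```python
"""Verify the LKM/SSKM trusted link from `cryptocfg --show -groupcfg` output."""

# Constructed sample, using the values shown on this page; the column
# alignment and indentation of the vault subsection are assumed.
SAMPLE_OUTPUT = """\
Encryption Group Name:    brocade
Failback mode:            Manual
Heartbeat misses:         3
Heartbeat timeout:        2
Key Vault Type:           LKM
Primary Key Vault:
    IP address:           10.33.54.231
    Certificate ID:       lkm-1
    Certificate label:    LKM1
    State:                Connected
    Type:                 LKM
"""


def parse_groupcfg(text):
    """Turn the key/value lines into a dict.

    A line ending in ':' with no value (e.g. 'Primary Key Vault:') opens a
    nested dict; subsequent indented lines are stored under it.
    """
    result, section = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented = raw[0].isspace()
        key, _, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if not indented and value == "":      # section header
            section = result.setdefault(key, {})
        elif indented and section is not None:
            section[key] = value
        else:                                 # top-level field
            section = None
            result[key] = value
    return result


def trusted_link_ok(text, expected_ip=None):
    """Return True only if the primary key vault is Connected, is an LKM
    vault, and (when given) sits at the expected IP address."""
    cfg = parse_groupcfg(text)
    vault = cfg.get("Primary Key Vault")
    if not isinstance(vault, dict) or vault.get("State") != "Connected":
        return False
    if cfg.get("Key Vault Type") != "LKM" or vault.get("Type") != "LKM":
        return False
    return expected_ip is None or vault.get("IP address") == expected_ip
```

Run this over the captured output of each encryption node after step 7 to catch a vault left in a non-Connected state before moving on to the next node.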