Adding a member node to an encryption group – Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual
Fabric OS Encryption Administrator’s Guide (LKM/SSKM)
53-1002925-01
3  Steps for connecting to an LKM/SSKM appliance
Adding a member node to an encryption group
During the initialization phase, a set of key pairs and certificates are generated on every node.
These certificates are used for mutual identification and authentication with other group members
and with LKM/SSKM. Every device must have a certificate in order to participate in a deployment
of encryption services. Some devices must have each other’s certificates in order to communicate.
NOTE
Before adding a member node to an encryption group, ensure that the node has been properly
initialized and that all encryption engines are in an enabled state.
1. Log in to the switch on which the certificate was generated as Admin or FabricAdmin.
2. Execute the cryptocfg --reclaimWWN -cleanup command.
3. Log in as Admin or SecurityAdmin.
4. Export the certificate from the local switch to an SCP-capable external host or to a mounted
USB device. Enter the cryptocfg --export command with the appropriate parameters. When
exporting a certificate to a location other than your home directory, you must specify a fully
qualified path that includes the target directory and file name. When exporting to USB storage,
certificates are stored by default in a predetermined directory, and you only need to provide a
file name for the certificate. The file name must be given a .pem (privacy enhanced mail)
extension. Use a character string that identifies the certificate’s originator, such as the switch
name or IP address.
The following example exports a CP certificate from an encryption group member to an external
SCP-capable host and stores it as enc_switch1_cp_cert.pem.
SecurityAdmin:switch> cryptocfg --export -scp CPcert \
192.168.38.245 mylogin /tmp/certs/enc_switch1_cp_cert.pem
Password:
Operation succeeded.
The following example exports a CP certificate from the local node to USB storage.
SecurityAdmin:switch> cryptocfg --export -usb CPcert enc_switch1_cp_cert.pem
Operation succeeded.
5. Use the cryptocfg --import command to import the CP certificates to the group leader node.
You must import the CP certificate of each node you wish to add to the encryption group.
6. The following example imports a CP certificate named “enc_switch1_cp_cert.pem” that was
previously exported to the external host 192.168.38.245. Certificates are imported to a
predetermined directory on the group leader.
SecurityAdmin:switch> cryptocfg --import -scp enc_switch1_cp_cert.pem \
192.168.38.245 mylogin /tmp/certs/enc_switch1_cp_cert.pem
Password:
Operation succeeded.
The following example imports a CP certificate named “enc_switch1_cp_cert.pem” that was
previously exported to USB storage.
SecurityAdmin:switch> cryptocfg --import -usb enc_switch1_cp_cert.pem \
enc_switch1_cp_cert.pem
Operation succeeded.
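An added pre-flight check for steps 4 through 6, run on the external SCP host rather than on the switch. This is example shell written for this page; it is not Brocade code and does not call cryptocfg. It applies the rules the procedure states (a fully qualified path, a .pem extension) to the export path you intend to pass, and confirms that the file that arrived on the host holds exactly one PEM certificate block before you import it onto the group leader. The SCP host is assumed to be a POSIX system with grep; the sample PEM body is a constructed placeholder, not a real certificate, and the optional fingerprint helper only works where openssl is installed and the file is a real certificate.

```shell
#!/bin/sh
# Example pre-flight checks for a CP certificate export/import (added for this
# page; not Brocade's code). Run on the external SCP host after the export.

# check_cert_path PATH -> 0 if PATH is fully qualified and ends in .pem,
# the two constraints the export step places on a non-home-directory target.
check_cert_path() {
    p="$1"
    case "$p" in
        /*) ;;
        *) echo "not a fully qualified path: $p" >&2; return 1 ;;
    esac
    case "$p" in
        *.pem) ;;
        *) echo "certificate file must use the .pem extension: $p" >&2; return 1 ;;
    esac
    return 0
}

# check_pem_cert FILE -> 0 if FILE exists and contains exactly one PEM
# certificate block (one BEGIN and one END marker), i.e. it is plausibly the
# single CP certificate you expect to import and not an empty or merged file.
check_pem_cert() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    # grep -c exits 1 on zero matches; keep the count and ignore that status
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
        echo "expected one PEM certificate block in $f (found $begins BEGIN / $ends END markers)" >&2
        return 1
    fi
    return 0
}

# cert_fingerprint FILE -> prints the SHA-256 fingerprint when openssl can
# parse FILE, so the copy on the group leader can be compared with the
# originator's copy. Returns 2 when openssl is not installed.
cert_fingerprint() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not available" >&2; return 2; }
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# make_sample_pem FILE -> writes a constructed placeholder PEM (not a real
# certificate) so the checks above can be exercised offline.
make_sample_pem() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBplaceholderconstructedforthisexamplenotarealcertificate==
-----END CERTIFICATE-----
EOF
}

# Demonstration on constructed input, using the file name from the procedure.
demo_dir=$(mktemp -d)
make_sample_pem "$demo_dir/enc_switch1_cp_cert.pem"
check_cert_path /tmp/certs/enc_switch1_cp_cert.pem && echo "export path OK"
check_pem_cert "$demo_dir/enc_switch1_cp_cert.pem" && echo "PEM block OK"
rm -rf "$demo_dir"
```

If check_pem_cert fails on a file that the switch reported as exported, re-run the export rather than importing the file; the import step on the group leader has no way to tell a truncated or concatenated file from a valid one until the node is used.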