beautypg.com

Lkm/sskm key vault high availability deployment, Figure 15 – Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual

Page 50

background image

32

Fabric OS Encryption Administrator’s Guide (LKM/SSKM)

53-1002925-01

Steps for connecting to an LKM/SSKM appliance

2

FIGURE 15

Export switch certificate dialog box

3. Select Signed switch certificate (X.509), which allows you to export a signed switch certificate

to a location of your choosing. The default location is My Documents on your client PC. In most
cases, this certificate file should be in privacy email (.pem) format.

4. Click OK.

You are prompted to save the CSR, which can be saved to your SAN Management Program
client PC, or an external host of your choosing.

5. Register the signed KAC certificate that you exported from the member node with the NetApp

LKM/SSKM appliance.

LKM/SSKM key vault high availability deployment

LKM/SSKM appliances can be clustered to provide high availability capabilities. You can deploy
and register one LKM/SSKM with an encryption switch or blade and later deploy and register
another LKM/SSKM at any time if LKM/SSKMs are clustered or linked together. Refer to
LKM/SSKM documentation to link or cluster the LKM/SSKMs.

When LKM/SSKM appliances are clustered, both LKM/SSKMs in the cluster must be registered
and configured with the link keys before starting any crypto operations. If two LKM/SSKM key
vaults are configured, they must be clustered. If only a single LKM/SSKM key vault is configured, it
may be clustered for backup purposes, but it is not directly used by the switch.

When dual LKM/SSKMs are used with the encryption switch or blade, the dual LKM/SSKMs must
be clustered. There is no enforcement done at the encryption switch or blade to verify whether or
not the dual LKM/SSKMs are clustered, but key creation operations will fail if you register
non-clustered dual LKM/SSKMs with the encryption switch or blade.

Regardless of whether you deploy a single LKM/SSKM or clustered dual LKM/SSKMs, register only
the primary key vault with the encryption switch or blade. You do not need to register a secondary
key vault.

See also other documents in the category Brocade Computer Accessories: