Brocade Network Advisor SAN + IP User Manual v12.1.0

53-1002949-01
Importing the TKLM certificate into the group leader
The TKLM certificate must be imported from the location on the host to the encryption Group
Leader node. The encryption Group Leader exports the certificate to group member switches.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center
dialog box. (Refer to Figure 303 on page 852.)
2. Select a switch from the Encryption Center Devices table, then select Switch > Import
Certificate from the menu task bar.
The Import Signed Certificate dialog box displays. (Refer to Figure 323.)
FIGURE 323 Import Signed Certificate dialog box
3. Browse to the location where the signed certificate is stored, then click OK.
The signed certificate is stored on the switch.
Steps for connecting to a KMIP-compliant SafeNet KeySecure
With the introduction of Fabric OS 7.1.0, the Key Management Interoperability Protocol (KMIP)
KeySecure Management Console can be used on the switch. Any KMIP-compliant server can be
reregistered as a KMIP key vault on the switch after setting the key vault type to KMIP.
Currently, KMIP with SafeNet KeySecure 6.1 in native KMIP mode with the Brocade Encryption
Switch in KMIP mode is supported. All nodes in an encryption group should be running Fabric OS
7.1.0 or later for the key vault type to be set to KMIP.
After installing the SafeNet KeySecure appliance (also referred to as the KeySecure), you must
complete the following steps before the switch can be configured with the KeySecure. These steps
must be performed only once, in preparation for first-time configuration.
NOTE
If you are configuring two KeySecure nodes, you must complete step 1 through step 6 on the primary
node, then complete step 7 on the secondary node. If only a single node is being configured, step 7
is not needed.
Complete the following steps, in the suggested order, to create a secure connection to the
SafeNet KeySecure.
1. Set FIPS compliance. (Refer to
2. Create a local CA. (Refer to
3. Create a server certificate. (Refer to “Creating a server certificate”
4. Create a cluster. (Refer to
5. Create a Brocade group on the KeySecure appliance. (Refer to