beautypg.com

Key management interoperability protocol, Setting encryption node initialization – Brocade Network Advisor SAN + IP User Manual v12.3.0 User Manual

Page 1063

background image

Brocade Network Advisor SAN + IP User Manual

991

53-1003155-01

Key Management Interoperability Protocol

25

Setting encryption node initialization

Encryption nodes are initialized by the Configure Switch Encryption wizard when you confirm a
configuration. Encryption nodes may also be initialized from the Encryption Center dialog box.

1. Select a switch from the Encryption Center Devices table, then select Switch > Init Node from

the menu task bar.

2. Select Yes after reading the warning message to initialize the node.

Key Management Interoperability Protocol

The Key Management Interoperability Protocol (KMIP) standardizes the communication between
an Enterprise key management system and an encryption device. The same key vault servers can
be used, only in a different mode. Currently, KMIP versions 1.0 and 1.1 are supported.

The initial deployment of the KMIP client is on the Brocade Encryption Switchswitch, where it will
replace multiple third-party implementations/vendor APIs. The interfaces of the KMIP client are
generic and are not tied to the key record formats used by the Brocade Encryption Switchswitch.
Any encryption solution should be able to use the KMIP client to communicate to a key server by
compiling it on Linux-based PPC or X 86 environments.

Currently, the Brocade Encryption Switchswitch supports the KMIP servers from SafeNet Key
Secure 6.1 and TEKA 4.0. All nodes in an encryption group should be running Fabric OS 7.1.0 and
later for the key vault type to be set to KMIP.

Although KMIP support is available from multiple key vaults, each key vault implementation is
different in terms of High Availability (HA) clustering support, certificate exchange, and
authentication. In the current Fabric OS implementation, each key vault uses a separate adapter at
the Key Authentication Center (KAC), which is implemented to suit the key vault feature
implementation.

NOTE

Currently, KMIP with SafeNet KeySecure 6.1 in native KMIP mode and Thales e-Security keyAuthority
running version 4.0 with the Brocade Encryption Switchswitch in KMIP mode are supported.

A generic KMIP 1.0 or 1.1 server is supported. The following KMIP servers can be configured on the
Brocade Encryption Switchswitch:

SafeNet KeySecure. The KeySecure is a KMIP-compliant server. (SSKM is the trusted mode
version of SafeNet which continues to use the LKM OpenKey Interfaces. These are mutually
exclusive use scenarios and cannot be used interchangeably.) This configuration is allowed
only for new installations. Refer to

“Steps for connecting to a KMIP-compliant SafeNet

KeySecure”

on page 1025.

TEKA 4.0. The Thales keyAuthority is a KMIP-compliant server that can be configured with the
Brocade Encryption Switchswitch; however, backward compatibility for keys created with Fabric
OS versions earlier than v7.2.0 is not supported. This configuration is allowed only for new
installations. For more information about configuring a KMIP-compliant keyAuthority, refer to
Chapter 3 of the Fabric OS Encryption Administrator’s Guide Supporting Key Management
Interoperability Protocol (KMIP) Key-Compliant Environments
.

Ensure that KMIP server is running on the key vault in order for the key vault to be configured as a
KMIP type on the Brocade Encryption Switchswitch.