beautypg.com

Configuration parameters, High availability, User credentials – Brocade Network Advisor SAN + IP User Manual v12.3.0 User Manual

Page 1064: Certificate type

background image

992

Brocade Network Advisor SAN + IP User Manual

53-1003155-01

Key Management Interoperability Protocol

25

Configuration parameters

The encryption group object has three additional properties that can be configured when the key
vault (KV) type is KMIP. These additional properties must be set by the user:

High availability

User credentials

Certificate type

High availability

The KMIP Key Authentication Center (KAC) adapter provides configurable HA support. HA for the
key vault should be set before you register the key vault. Three settings are supported; however,
certain settings are determined by the compliant key vault type that is being used:

Transparent: The client assumes the entire HA replication is implemented on the key vault. Key
archival and retrieval is performed without any additional key hardening or integrity checks.

Opaque: The primary and secondary key vaults are both registered on the Brocade Encryption
Switchswitch. The client archives the key to a single (primary) key vault and lets the KV pair
internally perform the replication. For disk operations, an additional key hardening and
integrity check is done on the secondary key vault before the key is used for encryption.

None: If no HA is selected, the primary and secondary key vaults are both registered on the
Brocade Encryption Switchswitch. The client archives keys to both key vaults and ensures that
the archival process succeeds before the key is used for encryption, including hardening and
integrity checks.

By default, the HA mode is disabled and KAC login is not used. All parameters except log level are
configurable on the group leader only. All parameters except for logging are distributed to all nodes
in the encryption group. Log level, however, is configurable on a per-node basis.

User credentials

The Brocade Encryption Switchswitch has support for the optional credential structure used for
username and password. Username authentication can be defined after TLS connectivity to a
client device is requested. Three modes are available:

User Name: Only a user name is required to identify the client device.

User Name and Password: Both a user name and a password are required to identify the client
device.

None: No authentication is required.

Certificate type

The TLS certificates used between the Brocade Encryption Switchswitch and the key vault are
either Self Signed or CA Signed.