beautypg.com

Dpm key vault high availability deployment – Brocade Network Advisor SAN + IP User Manual v12.3.0 User Manual

Page 1071

background image

Brocade Network Advisor SAN + IP User Manual

999

53-1003155-01

Steps for connecting to a DPM appliance

25

Uploading the KAC certificate onto the DPM appliance
(manual identity enrollment)

NOTE

The Brocade Encryption Switchswitch will not use the Identity Auto Enrollment feature supported
with DPM 3.x servers. You must complete the identity enrollment manually to configure the DPM 3.x
server with the Brocade Encryption Switchswitch as described in this section.

You need to install the switch public key certificate (KAC certificate). For each encryption node,
manually create an identity as follows:

1. Select the Identities tab.

2. Click Create.

3. Enter a label for the node in the Name field. This is a user-defined identifier.

4. Select the Hardware Retail Group in the Identity Groups field.

5. Select the Operational User role in the Authorization field.

6. Click Browse and select the imported certificate as the Identity certificate.

7. Click Save.

The CA certificate file referenced in the SSLCAcertificateFile field (

step 4

) must be imported and

registered on the switch designated as an encryption Group Leader. You may want to note this
location before proceeding to

“Loading the CA certificate onto the encryption group leader”

on

page 999.

DPM key vault high availability deployment

When dual DPM appliances are used for high availability, the DPM appliances must be clustered
and must operate in maximum availability mode, as described in the DPM appliance user
documentation.

When dual DPM appliances are clustered, they are accessed using an IP load balancer. For a
complete high availability deployment, the multiple IP load balancers are clustered, and the IP load
balancer cluster exposes a virtual IP address called a floating IP address. The floating IP address
must be registered on the encryption Group Leader.

Neither the secondary DPM appliance nor individual DPM appliance IP addresses should be
registered.

Loading the CA certificate onto the encryption
group leader

The certificate for the CA that signed the switch KAC CSRs must be loaded onto the encryption
Group Leader. The Group Leader can then distribute the CA certificate to the encryption group
members.