beautypg.com

Configuration parameters, High availability, User credentials – Brocade Network Advisor SAN User Manual v12.3.0 User Manual

Page 762: Certificate type

background image

710

Brocade Network Advisor SAN User Manual

53-1003154-01

Key Management Interoperability Protocol

20

Configuration parameters

The encryption group object has three additional properties that can be configured when the key
vault (KV) type is KMIP. These additional properties must be set by the user:

High availability

User credentials

Certificate type

High availability

The KMIP Key Authentication Center (KAC) adapter provides configurable HA support. HA for the
key vault should be set before you register the key vault. Three settings are supported; however,
certain settings are determined by the compliant key vault type that is being used:

Transparent: The client assumes the entire HA replication is implemented on the key vault. Key
archival and retrieval is performed without any additional key hardening or integrity checks.

Opaque: The primary and secondary key vaults are both registered on the switch. The client
archives the key to a single (primary) key vault and lets the KV pair internally perform the
replication. For disk operations, an additional key hardening and integrity check is done on the
secondary key vault before the key is used for encryption.

None: If no HA is selected, the primary and secondary key vaults are both registered on the
switch. The client archives keys to both key vaults and ensures that the archival process
succeeds before the key is used for encryption, including hardening and integrity checks.

By default, the HA mode is disabled and KAC login is not used. All parameters except log level are
configurable on the group leader only. All parameters except for logging are distributed to all nodes
in the encryption group. Log level, however, is configurable on a per-node basis.

User credentials

The switch has support for the optional credential structure used for username and password.
Username authentication can be defined after TLS connectivity to a client device is requested.
Three modes are available:

User Name: Only a user name is required to identify the client device.

User Name and Password: Both a user name and a password are required to identify the client
device.

None: No authentication is required.

Certificate type

The TLS certificates used between the switch and the key vault are either Self Signed or CA Signed.

See also other documents in the category Brocade Software: