Administrator's Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual

ManualsBrandsBrocade ManualsComputer AccessoriesFabric OS Encryption

131

132

133

134

135

136

137

138

139

140

122 Fabric OS Encryption Administrator’s Guide (LKM/SSKM)

53-1002925-01

Steps for connecting to an LKM/SSKM appliance

To connect to an LKM/SSKM appliance, you must complete the following steps:

1. Initialize the Brocade encryption engines. Refer to “Initializing the Fabric OS encryption

engines” on page 122.

2. Obtain and import the LKM/SSKM certificate. Refer to “Obtaining and importing the

LKM/SSKM certificate” on page 123.

3. Export and register the encryption node certificates on LKM/SSKM. Refer to “Exporting and

registering the switch KAC certificates” on page 124.

4. Register LKM/SSKM on the encryption group leader. Refer to “Registering LKM/SSKM on the

encryption group leader” on page 125.

5. Install and launch the NetApp DataFort Management Console. Refer to “Launching the NetApp

DataFort Management Console” on page 126.

6. Establish the trusted link. Refer to “Establishing the trusted link” on page 127.

Additional information for consideration includes the following:

• “LKM/SSKM key vault high availability deployment” on page 128

• “Creating Brocade encryption group leader” on page 129

• “Adding a member node to an encryption group” on page 130

Initializing the Fabric OS encryption engines

You must perform a series of encryption engine initialization steps on every Fabric OS encryption

node (switch or blade) that is expected to perform encryption within the fabric.

NOTE

The initialization process overwrites any authentication data and certificates that reside on the node

and the security processor.

To initialize an encryption engine, complete the following steps:

1. Log in to the switch as Admin or SecurityAdmin.

2. Synchronize the time on the switch and the key manager appliance. They should be within one

minute of each other. Differences in time can invalidate certificates and cause key vault

operations to fail.

3. Initialize the node by entering the cryptocfg

--initnode command. Successful execution

generates the following security parameters and certificates:

• Node CP certificate

• Key Archive Client (KAC) certificate

NOTE

Node initialization overwrites any existing authentication data on the node.

SecurityAdmin:switch> cryptocfg --initnode

This will overwrite all identification and authentication data

ARE YOU SURE (yes, y, no, n): [no] y

Notify SPM of Node Cfg

Operation succeeded.