Administrator's Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual
124 Fabric OS Encryption Administrator’s Guide (LKM/SSKM)
53-1002925-01
Steps for connecting to an LKM/SSKM appliance
3
using dumb terminal settings.
Checking system tamper status:
No physical intrusion detected.
2. Add the group leader to the LKM/SSKM key sharing group. Enter lkmserver add --type third-party --key-sharing-group "/" followed by the group leader IP address.
lkm-1> lkmserver add --type third-party --key-sharing-group \
"/" 10.32.244.71
NOTICE: LKM Server third-party 10.32.244.71 added.
Cleartext connections not allowed.
3. On the NetApp LKM/SSKM appliance terminal, enter sys cert getcert-v2 to display the LKM
certificate content.
lkm-1> sys cert getcert-v2
-----BEGIN CERTIFICATE-----
[content removed]
-----END CERTIFICATE-----
4. Copy and paste the LKM/SSKM certificate content from the NetApp LKM/SSKM appliance terminal into an editor buffer. Save the file as lkmcert.pem on the SCP-capable host. Save the entire certificate, including the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
5. On the group leader, import the previously saved LKM/SSKM certificate from the SCP-capable host. Use the cryptocfg --import command with the -scp option. The following example imports a certificate file named lkmcert.pem.
SecurityAdmin:switch> cryptocfg --import -scp lkmcert.pem 192.168.38.245 \
mylogin /tmp/certs/lkmcert.pem
Password:
Operation succeeded.
Exporting and registering the switch KAC certificates
The switch’s KAC certificate must be registered on the LKM/SSKM appliance, and the LKM/SSKM
certificate must be registered on the switch.
1. Export the KAC certificate from the Brocade encryption node to an SCP-capable external host.
SecurityAdmin:enc1_switch> cryptocfg --export -scp -KACcert \
192.168.38.245 mylogin enc1_kac_lkm_cert.pem
Password:
Operation succeeded.
2. From the external host, register the KAC certificate you exported from the member node with the NetApp LKM/SSKM appliance. The address given to lkmserver certificate set is the third-party (encryption node) IP address, 10.32.244.60 in this example; the ssh target is the LKM/SSKM appliance. Note that the certificate file is read with backtick command substitution so that its content becomes the argument of the command sent over ssh.
host$ echo lkmserver certificate set 10.32.244.60 \
`cat enc1_kac_lkm_cert.pem` | ssh -l admin 10.33.54.231
Pseudo-terminal will not be allocated because stdin is not a terminal.
admin@10.33.54.231's password:
Checking system tamper status: No physical intrusion detected.
ALERT: There are pending unapproved trustees.
NOTICE: LKM Peer '10.32.244.60' certificate is set
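The two procedures above (capturing the LKM/SSKM certificate from the appliance console and saving it as a complete PEM file, then sending a node certificate back to the appliance with lkmserver certificate set) are easy to get subtly wrong: a truncated paste, a buffer holding two pastes, or a file missing its END line will be rejected or, worse, quietly import the wrong trust anchor. The following POSIX shell script is an added example, not code from the Brocade guide or from NetApp. It extracts exactly one PEM block from a pasted console transcript, checks that the saved file begins and ends with the required lines, and builds the same lkmserver certificate set command line the guide pipes over ssh. The transcript text, the certificate body and the temporary file name are constructed placeholders; the real ssh call is shown only as a comment so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the Brocade Fabric OS guide or NetApp): handle the
# LKM/SSKM certificate exchange steps without relying on a hand-edited buffer.

# Constructed transcript of `sys cert getcert-v2` as it would be pasted from
# the appliance console. The base64 body is a placeholder, not a real cert.
SAMPLE_TRANSCRIPT='lkm-1> sys cert getcert-v2
-----BEGIN CERTIFICATE-----
MIICplaceholderLineOne
MIICplaceholderLineTwo
-----END CERTIFICATE-----
lkm-1>'

# extract_cert: read a console transcript on stdin and print only the PEM
# block, BEGIN and END lines included. Fails when the block is missing,
# truncated (no END line) or present more than once (two pastes in one buffer).
extract_cert() {
    block=$(sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p')
    begins=$(printf '%s\n' "$block" | grep -c '^-----BEGIN CERTIFICATE-----$' || true)
    ends=$(printf '%s\n' "$block" | grep -c '^-----END CERTIFICATE-----$' || true)
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
        echo "extract_cert: expected exactly one PEM block, found $begins BEGIN / $ends END" >&2
        return 1
    fi
    printf '%s\n' "$block"
}

# check_pem: enforce the guide's "save the entire certificate" requirement on a
# file that is about to be imported with cryptocfg --import -scp.
check_pem() {
    [ "$(head -n 1 "$1")" = "-----BEGIN CERTIFICATE-----" ] || return 1
    [ "$(tail -n 1 "$1")" = "-----END CERTIFICATE-----" ] || return 1
}

# register_cmd: build the command the guide pipes to the appliance over ssh.
# The PEM is flattened to one space-separated line, which is what the guide's
# unquoted `cat` substitution produces after word splitting.
register_cmd() {
    peer_ip=$1
    pem=$2
    cert=$(tr '\n' ' ' < "$pem")
    cert=${cert% }
    printf 'lkmserver certificate set %s %s\n' "$peer_ip" "$cert"
}

main() {
    tmp=${TMPDIR:-/tmp}/lkmcert.$$.pem
    printf '%s\n' "$SAMPLE_TRANSCRIPT" | extract_cert > "$tmp" || exit 1
    check_pem "$tmp" || { echo "$tmp is not a complete PEM block" >&2; exit 1; }
    # Real use, with the node IP from the guide's example:
    #   register_cmd 10.32.244.60 enc1_kac_lkm_cert.pem | ssh -l admin 10.33.54.231
    register_cmd 10.32.244.60 "$tmp"
    rm -f "$tmp"
}

main
```

Before importing lkmcert.pem on the group leader, compare its fingerprint (`openssl x509 -noout -fingerprint -sha256 -in lkmcert.pem`) against a value obtained through a channel you already trust, such as the appliance console session itself; the guide's copy-and-paste step is where a wrong or stale certificate would otherwise enter the switch's trust store unnoticed.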