Administrator's Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual
Fabric OS Encryption Administrator’s Guide (LKM/SSKM) 31
53-1002925-01
Steps for connecting to an LKM/SSKM appliance
Copyright (c) 2001-2009 NetApp, Inc.
All rights reserved
+--------------------------------+
| NetApp Appliance Management CLI |
| Authorized use only! |
+--------------------------------+
Cannot read termcap database;
using dumb terminal settings.
Checking system tamper status:
No physical intrusion detected.
2. Add the group leader to the LKM/SSKM key sharing group. Enter lkmserver add --type third-party --key-sharing-group "/" followed by the group leader IP address.
NOTE
The Brocade Encryption Switch must be configured to the root group.
lkm-1>lkmserver add --type third-party --key-sharing-group \
"/" 10.32.244.71
NOTICE: LKM Server third-party 10.32.244.71 added.
Cleartext connections not allowed.
3. On the NetApp LKM/SSKM appliance terminal, enter sys cert getcert-v2 to display the
LKM/SSKM certificate content.
lkm-1> sys cert getcert-v2
-----BEGIN CERTIFICATE-----
[content removed]
-----END CERTIFICATE-----
4. Copy and paste the LKM/SSKM certificate content from the NetApp LKM/SSKM appliance
terminal into an editor buffer. Save the file as lkmcert.pem on the SCP-capable host. Save the
entire certificate, including the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
5. If you are using Brocade Network Advisor, the path to the file must be specified in the Select
Key Vault dialog box when creating a group leader. If the proper path is entered, the file is
imported.
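Because step 4 relies on copying the certificate out of a terminal session, a structural check of lkmcert.pem before it is imported can catch a truncated paste, a captured prompt line, or a missing BEGIN/END line. The following is an added example, not part of the original guide or of any Brocade or NetApp tool; the function names and the sample data are assumptions made for illustration. It checks structure only and does not validate the X.509 contents.

```python
import base64
import binascii
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_sequence_complete(der):
    """True if der is exactly one ASN.1 SEQUENCE (tag 0x30) with no missing bytes."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pasted_pem(text):
    """Return (problems, sha256_hex); sha256_hex is None if the body cannot be decoded."""
    problems = []
    # Terminal copy/paste often leaves CRLF endings and trailing spaces.
    lines = [ln.strip() for ln in text.replace("\r\n", "\n").split("\n")]
    lines = [ln for ln in lines if ln]
    if lines.count(BEGIN) != 1 or lines.count(END) != 1:
        return ["expected exactly one BEGIN and one END line"], None
    start, stop = lines.index(BEGIN), lines.index(END)
    if start != 0 or stop != len(lines) - 1:
        problems.append("text outside the BEGIN/END lines (prompt or banner?)")
    try:
        der = base64.b64decode("".join(lines[start + 1:stop]), validate=True)
    except (binascii.Error, ValueError):
        return problems + ["body is not valid base64"], None
    if not der_sequence_complete(der):
        problems.append("decoded body is not one complete DER SEQUENCE (truncated?)")
    return problems, hashlib.sha256(der).hexdigest()


# Constructed sample: a 5-byte DER SEQUENCE, NOT a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x00])
SAMPLE_PEM = BEGIN + "\r\n" + base64.b64encode(SAMPLE_DER).decode() + "\r\n" + END + "\r\n"

if __name__ == "__main__":
    print(check_pasted_pem(SAMPLE_PEM))
    print(check_pasted_pem("lkm-1> sys cert getcert-v2\n" + SAMPLE_PEM))
```

An empty problem list means the file has the shape of a PEM certificate; the returned SHA-256 value can be recorded and compared wherever the same certificate is handled again.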
Exporting and registering the switch KAC certificates on LKM/SSKM
1. Select Configure > Encryption from the menu task bar to display the Encryption Center
dialog box. (Refer to Figure 6 on page 14.)
2. Select a switch from the Encryption Center Devices table, then select Switch > Export
Certificate from the menu task bar.
The Export Switch Certificate dialog box allows you to export a switch public key certificate
signing request (CSR) to a location you specify. (Refer to Figure 15.) The procedures for
submitting a CSR for signing are determined by the Certificate Authority (CA).
The CSR must be submitted to a Certificate Authority (CA) for signing, then imported into the
switch and the key vault. The signed switch certificate may be imported directly by a key vault.