Brocade Fabric OS Command Reference Manual v6.2.0 (53-1001186-01, April 2009)

cryptoCfg
Note: All EEs in the encryption group must be interconnected through a dedicated local area network
(LAN), preferably on the same subnet and on the same VLAN using the GbE Ports on the encryption
switch or blade. The two GbE Ports of each member node (Eth0 and Eth1) should be connected to
the same IP Network, the same subnet, and the same VLAN. Configure the GbE Ports (I/O sync
links) with an IP address for the eth0 Ethernet interface, and also configure a gateway for these I/O
sync links. Refer to the ipAddrSet help page for instructions on configuring the Ethernet interface.
These I/O sync link connections must be established before you enable the EEs for encryption. If
these configuration steps are not performed, you cannot create an HA cluster, perform a first-time
encryption, or initiate a re-keying session.
Operands: The cryptoCfg group configuration function has the following operands:
--help -groupcfg
Displays the synopsis for the group configuration function. This command is
valid on all nodes.
--create -encgroup
Creates an encryption group. The node on which this command is invoked
becomes the group leader. You must specify a name when creating an
encryption group.
encryption_group_name
Specifies the name of the encryption group to be created. The name can be
up to 15 characters long and include alphanumeric characters and
underscores. White space, hyphens, and other special characters are not
permitted.
--delete -encgroup
Deletes an encryption group with the specified name. This command is valid
only on the group leader. This command fails if the encryption group has
more than one node, or if any HA cluster configurations, CryptoTarget
container/LUN configurations, or tape pool configurations exist in the
encryption group. Remove excess member nodes and clear all HA cluster,
CryptoTarget container/LUN, or tape pool configurations before deleting an
encryption group.
encryption_group_name
Specifies the name of the encryption group to be deleted. This operand is
required when deleting an encryption group.
--reg -keyvault
Registers the specified key vault (primary or secondary) with the encryption
engines of all nodes present in an encryption group. Upon successful
registration, a connection to the key vault is automatically established. This
command is valid only on the group leader. Registered certificates are
distributed from the group leader to all member nodes in the encryption
group. Each node in the encryption group distributes the certificates to its
respective encryption engines.
The following operands are required when registering a key vault:
cert_label
Specifies the key vault certificate label. This is a user-generated name for the
specified key vault. Use cryptocfg --show -groupcfg to view the key vault
label after registration is complete.
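
Example (added here, not part of the Brocade manual or of Fabric OS): a pre-flight check, run on an administration host, for the I/O sync link Note, the encryption_group_name rule, and the --delete -encgroup preconditions described above. The inventory layout, field names, function names, and sample addresses are assumptions of this example, and the gateway-inside-subnet test is a general sanity check rather than a rule stated in the manual.

```python
import ipaddress
import re

# --create -encgroup name rule: up to 15 characters, alphanumerics and underscores.
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,15}")

def valid_group_name(name):
    return NAME_RE.fullmatch(name) is not None

def sync_link_findings(nodes):
    """nodes maps node name -> {"eth0": "addr/prefix", "gateway": "addr"}.
    This inventory layout is an assumption of the example."""
    findings, subnets = [], set()
    for node, cfg in sorted(nodes.items()):
        if not cfg.get("eth0"):
            findings.append(f"{node}: eth0 has no IP address")
            continue
        net = ipaddress.ip_interface(cfg["eth0"]).network
        subnets.add(net)
        gw = cfg.get("gateway")
        if not gw:
            findings.append(f"{node}: no gateway configured for the I/O sync link")
        elif ipaddress.ip_address(gw) not in net:
            findings.append(f"{node}: gateway {gw} is outside {net}")
    if len(subnets) > 1:  # the Note prefers one subnet for all EEs
        findings.append("I/O sync links are spread over %d subnets" % len(subnets))
    return findings

def delete_blockers(group):
    """group holds counts read from the group leader (hypothetical field names)."""
    blockers = []
    if group["nodes"] > 1:
        blockers.append("remove excess member nodes")
    for key, label in (("ha_clusters", "HA cluster"),
                       ("containers", "CryptoTarget container/LUN"),
                       ("tape_pools", "tape pool")):
        if group[key] > 0:
            blockers.append(f"clear {label} configurations")
    return blockers

# Constructed sample inventory (documentation address range 192.0.2.0/24).
SAMPLE_NODES = {
    "node_a": {"eth0": "192.0.2.10/25", "gateway": "192.0.2.1"},
    "node_b": {"eth0": "192.0.2.140/25", "gateway": "192.0.2.1"},
    "node_c": {"eth0": "", "gateway": "192.0.2.1"},
}

if __name__ == "__main__":
    print(sync_link_findings(SAMPLE_NODES))
    print(delete_blockers({"nodes": 2, "ha_clusters": 1, "containers": 0, "tape_pools": 0}))
```

An empty result from sync_link_findings and delete_blockers means none of the conditions checked here was found; VLAN membership is not visible from addresses and still has to be confirmed on the switch.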