Brocade Network Advisor SAN User Manual v12.0.0 (53-1002696-01, April 2013)
HA support should be set before you register the key vault. Three settings are supported; however,
which settings are available is determined by the KMIP-compliant key vault type that is being used:
• Transparent: The client assumes the entire HA is implemented on the key vault. Key archival
and retrieval is performed without any additional hardening checks.
• Opaque: The primary and secondary key vaults are both registered on the Fabric OS encryption
switch. The client archives the key to a single (primary) key vault. For disk operations, an
additional hardening check is done on the secondary key vault before the key is used for
encryption.
• None: If no HA is selected, the primary and secondary key vaults are both registered on the
Fabric OS encryption switch. The client archives keys to both key vaults and ensures that the
archival succeeds before the key is used for encryption.
Username authentication, which is applied after the TLS connection to the client device has been
established, can be defined in one of three modes:
• User Name: Only a user name is required to identify the client device.
• User Name and Password: Both a user name and a password are required to identify the client
device.
• None: No authentication is required.
The TLS certificates used between the Fabric OS encryption switch and the key vault can be either
self-signed or CA-signed.
Table 66 identifies the supported KMIP key vault configurations and certificate formats.
Supported encryption key manager appliances
As stated under “Network connections” on page 539, a supported key management appliance
must be connected on the same LAN as the management port of the encryption switches, or of the
Backbone Chassis Control Processors (CPs) in the case of the encryption blade.
Secure communication between encryption nodes in an encryption group, and between encryption
nodes and key manager appliances requires an exchange of certificates that are used for mutual
authentication. Each supported key manager appliance has unique requirements for setting up a
secure connection and exchanging certificates.
TABLE 66 KMIP key vault configurations and certificate formats

Key vault type   HA mode                              KAC certificate            Username authentication after TLS   Certificate format
TKLM             No HA                                Self signed or CA signed   No                                  DER
TEKA             No HA                                CA signed                  No                                  PEM
ESKM/SKM         HA Opaque                            CA signed                  No                                  PEM
DPM              HA Transparent with IPLB (1), or     CA signed                  No                                  PEM
                 HA Opaque without IPLB

1. IPLB = IP Load Balancer.
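The certificate-format column of Table 66 is the one operators most often trip over: TKLM expects the KAC certificate in DER, the other three key vault types expect PEM, and a file exported from one tool is frequently in the other encoding. The following helper is an added example, not code from the Brocade manual or from Brocade: it detects which encoding a certificate file is in, checks that a DER file is exactly one well-framed outer ASN.1 SEQUENCE (as every X.509 certificate is), converts between the two encodings with only the Python standard library, and re-encodes a certificate into the format Table 66 lists for a given key vault type. The `VAULT_CERT_FORMAT` mapping is transcribed from Table 66; the function names are my own, and the two sample DER values are constructed minimal SEQUENCEs standing in for a certificate, not real certificates.

```python
"""Check and convert key-vault certificate encodings (PEM vs. DER) using only
the Python standard library.

Added example, not code from the Brocade Network Advisor manual or from
Brocade. It follows the certificate-format column of Table 66: TKLM takes DER,
while TEKA, ESKM/SKM and DPM take PEM. The DER samples below are constructed
minimal ASN.1 SEQUENCEs that stand in for a certificate; a real X.509
certificate is also one outer SEQUENCE, so the framing check is identical.
"""
import base64
import re

# Required certificate format per key vault type (Table 66 of the manual).
VAULT_CERT_FORMAT = {"TKLM": "DER", "TEKA": "PEM", "ESKM/SKM": "PEM", "DPM": "PEM"}

# A PEM block: BEGIN/END armour lines with a base64 body in between.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

# Constructed sample: SEQUENCE { INTEGER 5, INTEGER 7 } (short-form length).
SAMPLE_DER = bytes.fromhex("3006020105020107")
# Constructed sample with a long-form length (0x81 0x80 = 128 content bytes).
LONG_DER = b"\x30\x81\x80" + b"\x04\x81\x7d" + b"A" * 125


def der_length(data: bytes) -> int:
    """Return the total encoded length (tag + length + content) of the outer
    DER SEQUENCE at the start of data, or raise ValueError if the framing is bad."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (expected tag 0x30)")
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("invalid DER length encoding")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_format(data: bytes) -> str:
    """Classify bytes as 'PEM', 'DER' or 'unknown'. DER is accepted only when the
    outer SEQUENCE length matches the input size exactly (no trailing junk)."""
    if PEM_RE.search(data):
        return "PEM"
    try:
        if der_length(data) == len(data):
            return "DER"
    except ValueError:
        pass
    return "unknown"


def pem_to_der(pem: bytes) -> bytes:
    """Decode the first PEM block and verify it holds exactly one DER SEQUENCE."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    der = base64.b64decode(m.group(2))    # line breaks are discarded by default
    if der_length(der) != len(der):
        raise ValueError("PEM body is not a single DER SEQUENCE")
    return der


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Wrap a DER SEQUENCE in PEM armour with 64-character base64 lines."""
    if der_length(der) != len(der):
        raise ValueError("not a single DER SEQUENCE")
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    tag = label.encode("ascii")
    return b"-----BEGIN " + tag + b"-----\n" + body + b"\n-----END " + tag + b"-----\n"


def reencode_for_vault(data: bytes, vault_type: str) -> bytes:
    """Return the certificate in the format Table 66 lists for vault_type,
    converting only when needed and rejecting input that is neither PEM nor DER."""
    want = VAULT_CERT_FORMAT[vault_type]
    have = detect_format(data)
    if have == "unknown":
        raise ValueError("input is neither PEM nor a single DER SEQUENCE")
    if have == want:
        return data
    return der_to_pem(data) if want == "PEM" else pem_to_der(data)


if __name__ == "__main__":
    # Stand-alone demo: re-encode the constructed sample for every vault type.
    for vault in VAULT_CERT_FORMAT:
        out = reencode_for_vault(SAMPLE_DER, vault)
        print(vault, VAULT_CERT_FORMAT[vault], detect_format(out))
```

Rejecting a DER file whose outer SEQUENCE length does not match the file size is deliberate: an export with trailing bytes, or a PEM file saved with a stray header, will otherwise be accepted by a lenient parser on one side of the exchange and refused by the vault on the other, and the resulting TLS failure is hard to diagnose from the switch. Read the file in binary mode before passing it in, since PEM detection is done on bytes.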