Brocade Network Advisor SAN User Manual v12.0.0 (53-1002696-01, April 2013)
Steps for connecting to a DPM appliance
All switches that you plan to include in an encryption group must have a secure connection to the
RSA Data Protection Manager (DPM). The following is a suggested order of steps needed to create
a secure connection to the DPM.
NOTE
The Fabric OS encryption switch uses the manual enrollment of identities with client registration to
connect with DPM 3.x servers. Client registration is done automatically when you upgrade to
Fabric OS 7.1.0 from an earlier version; no user interaction is required.
Once completed, client registration occurs after key vault registration, when the Fabric OS
encryption switch attempts to connect to the DPM server for the first time.
1. Export the KAC CSR to a location accessible to a CA for signing. Refer to “Exporting the KAC
certificate signing request (CSR)” on page 544.
2. Submit the KAC CSR for signing by a CA. Refer to “Submitting the CSR to a certificate authority”
on page 545.
3. Set the KAC certificate registration expiry. Refer to “KAC certificate registration expiry” on
page 545.
4. Import the signed certificate into the Fabric OS encryption node. Refer to “Importing the signed
KAC certificate” on page 546.
5. Upload the signed KAC and CA certificates onto the DPM appliance and select the appropriate
key classes. Refer to the following:
• “Uploading the CA certificate onto the DPM appliance (and first-time configurations)” on
page 546.
• “Uploading the KAC certificate onto the DPM appliance (manual identity enrollment)” on
page 548.
6. If dual DPM appliances are used for high availability, the DPM appliances must be clustered,
and must operate in maximum availability mode, as described in the DPM appliance user
documentation. Refer to “DPM key vault high availability deployment” on page 548.
Exporting the KAC certificate signing request (CSR)
1. Export the KAC CSR to a temporary location prior to submitting the KAC CSR to a CA for signing.
2. Synchronize the time on the switch and the key manager appliance. Time settings should be
within one minute of each other. Differences in time can invalidate certificates and cause key
vault operations to fail.
3. Select a switch from the Encryption Center Devices table, then select Switch > Properties from
the menu task bar to display the Properties dialog box.
NOTE
You can also select a switch from the Encryption Center Devices table, then click the
Properties icon.
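The time-synchronization requirement in step 2, worked as an added example (not part of the Brocade manual or any Brocade tool): it compares the two device clocks against the one-minute limit and against the signed certificate's validity window, showing how a switch clock that lags the CA makes a freshly signed certificate "not yet valid". It assumes you have transcribed both clock readings and the certificate dates as GMT strings in the format printed by `openssl x509 -noout -dates`; the function name and all sample values are constructed for illustration.

```python
import ssl

MAX_SKEW_SECONDS = 60  # "within one minute of each other" (step 2)


def check_time_sync(switch_now, vault_now, not_before, not_after):
    """Return a list of findings; an empty list means no time problem.

    All arguments are GMT strings such as 'Apr  2 10:00:00 2013 GMT'.
    """
    sw = ssl.cert_time_to_seconds(switch_now)
    kv = ssl.cert_time_to_seconds(vault_now)
    nb = ssl.cert_time_to_seconds(not_before)
    na = ssl.cert_time_to_seconds(not_after)

    findings = []
    skew = abs(sw - kv)
    if skew > MAX_SKEW_SECONDS:
        findings.append(f"clock skew {skew}s exceeds {MAX_SKEW_SECONDS}s")

    # Each device judges the certificate against its own clock, so a
    # certificate can be valid on one side and rejected on the other.
    for name, now in (("switch", sw), ("key vault", kv)):
        if now < nb:
            findings.append(f"{name}: certificate not yet valid ({nb - now}s early)")
        elif now > na:
            findings.append(f"{name}: certificate expired ({now - na}s ago)")
    return findings


# Constructed sample values: certificate signed at 10:00:00 GMT, valid one year.
SAMPLE_NOT_BEFORE = "Apr  2 10:00:00 2013 GMT"
SAMPLE_NOT_AFTER = "Apr  2 10:00:00 2014 GMT"
SAMPLE_VAULT_NOW = "Apr  2 10:05:00 2013 GMT"
SAMPLE_SWITCH_SLOW = "Apr  2 09:57:30 2013 GMT"  # 7.5 minutes behind the vault
SAMPLE_SWITCH_OK = "Apr  2 10:05:20 2013 GMT"    # 20 seconds ahead of the vault

if __name__ == "__main__":
    for switch_now in (SAMPLE_SWITCH_SLOW, SAMPLE_SWITCH_OK):
        result = check_time_sync(switch_now, SAMPLE_VAULT_NOW,
                                 SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER)
        print(switch_now, "->", result or "OK")
```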