Brocade Network Advisor SAN User Manual v12.0.0 (53-1002696-01, April 2013)
Steps for connecting to an LKM/SSKM appliance
Establishing the trusted link
You must generate the trusted link establishment package (TEP) on all nodes to obtain a trusted
acceptance package (TAP) before you can establish a trusted link between each node and the
NetApp LKM/SSKM appliance.
1. Select Configure > Encryption from the menu task bar to display the Encryption Center
dialog box. (Refer to Figure 185 on page 526.)
2. Select an LKM/SSKM group from the Encryption Center Devices table, then select Group >
Link Keys from the menu task bar.
The switch name displays in the link status table under Switch, with a Link Key Status of
"Link Key requested, waiting for LKM approval."
3. Select the switch, then click Establish.
This sends a Trust Establishment Package (TEP) message to the LKM/SSKM, which is needed
to establish the trusted link between the switch and the LKM/SSKM appliance.
4. Launch the NetApp DataFort Management Console (DMC) and click the View Unapproved
Trustees tab.
The switch is listed as openkey_trustee_<ip address>, where the IP address is the switch
IP address.
5. Select the switch, then click Approve and Create TAP.
The Approve TEP dialog box displays. The TEP must be approved before a TAP can be created.
6. Provide a label in the dialog box, then click Approve to approve the TEP.
A list of recovery cards and recovery officers is displayed. TEP approval is done by a quorum of
recovery officers, using assigned recovery cards. Each recovery officer must individually insert
one of the listed recovery cards into a card reader attached to the PC or workstation, then
enter the password for that card and click Start. The procedure is repeated until a quorum of
recovery officers has approved the TEP.
7. Save the TAP to a file (location does not matter).
8. Select the Link Keys tab from the Encryption Group Properties dialog box.
9. Select the switch in the link key status table, then click Accept to retrieve the TAP from the
LKM/SSKM appliance.
10. Repeat the above steps for each of the remaining member nodes.
LKM/SSKM key vault high availability deployment
LKM/SSKM appliances can be clustered to provide high availability capabilities. You can deploy
and register one LKM/SSKM with an encryption switch or blade and later deploy and register
another LKM/SSKM at any time if LKM/SSKMs are clustered or linked together. Refer to
LKM/SSKM documentation to link or cluster the LKM/SSKMs.
When LKM/SSKM appliances are clustered, both LKM/SSKMs in the cluster must be registered
and configured with the link keys before starting any crypto operations. If two LKM/SSKM key
vaults are configured, they must be clustered. If only a single LKM/SSKM key vault is configured, it
may be clustered for backup purposes, but it is not directly used by the switch.