Brocade Fabric OS Encryption Administrator's Guide Supporting Fabric OS v6.2.0 (53-1001201-04, May 2009)
Encryption switch initialization
• After issuing regEE.
• After issuing enableEE.
• After power cycling an FS8-18 blade.
• After power cycling a DCX or DCX-4S with one or more FS8-18 blades.
• To diagnose a “split group” condition where the encryption group status shows DEGRADED but the encryption engine shows online status. Refer to the section “Encryption group merge and split use cases” on page 168 for more information.
Refer to Appendix A, Table 12 on page 201 for an explanation of encryption engine states (SP states). Refer to Appendix A, Table 13 on page 202 for an explanation of key encryption key (KEK) states.
Certificate Exchange
During the initialization phase a set of RSA key pairs and certificates are generated on every node. These certificates are used for mutual identification and authentication with other group members or with external devices such as key vaults. Every device must have a certificate in order to participate in a deployment of encryption services. Some devices must have each other’s certificates in order to communicate.

Some of the certificates must be exchanged manually by first exporting the certificates to an external server or to an attached USB device and then importing the certificates to the target device. Refer to Table 7 for a listing of certificates that need to be exchanged manually.

All certificates are exported and imported in privacy enhanced mail (PEM) format and conform to the ANSI X.509 specification.
TABLE 7 Certificates

Certificate file name   Description
cp_cert.pem             CP certificate, created during node initialization (cryptocfg --initnode). This certificate is exchanged with the group leader. It is used for authenticating a member node with the group leader.
kac_cert_lkm.pem        Key authentication center (KAC) certificate, created during node initialization (cryptocfg --initnode). The KAC certificate is exchanged with the NetApp Lifetime Key Management (LKM) key vault. It is used to establish a TLS session with the key vault. The LKM KAC certificate is in PEM format.
kac_rsa_cert.pem        KAC certificate generated for authentication with the RSA Key Manager (RKM) key vault.
lkmcert.pem             LKM certificate, created by the NetApp Lifetime Key Management (LKM) appliance during initialization.
PE-Lab.pem              Refer to the RKM product documentation for instructions on how to generate this certificate.
hpskm_ca1.pem           Refer to “Downloading the local CA certificate file” on page 122 for instructions on how to generate this certificate.