Brocade Fabric OS Encryption Administrator's Guide Supporting Fabric OS v6.2.0 (53-1001201-04, May 2009)

Key vault configuration
j. Display the registered key vault on the member node. The LKM key vault is shown as "not
responding" because certificates have not been exchanged.
SecurityAdmin:enc1_switch>cryptocfg --show -groupcfg
Encryption Group Name: brocade
Failback mode: Manual
Heartbeat misses: 3
Heartbeat timeout: 2
Key Vault Type: LKM
Primary Key Vault:
IP address: 10.33.54.231
Certificate ID: lkm-1
Certificate label: LKM1
State: Not responding
Type: LKM
Secondary Key Vault not configured
NODE LIST
Total Number of defined nodes: 2
Group Leader Node Name: 10:00:00:05:1e:41:9a:7e
Encryption Group state: CLUSTER_STATE_CONVERGED
Node Name                IP address    Role
10:00:00:05:1e:41:9a:7e  10.32.244.71  GroupLeader
10:00:00:05:1e:39:14:00  10.32.244.60  MemberNode (current node)
k. Exchange certificates between the LKM key vault and the member node, starting with
exporting the KAC certificate from the member node to an SCP-capable external host.
SecurityAdmin:enc1_switch>cryptocfg --export -scp -KACcert \
192.168.38.245 mylogin enc1_kac_lkm_cert.pem
Password:
Operation succeeded.
l. Open an SSH connection to the NetApp LKM appliance and add the member node IP
address.
lkm-1> lkmserver add --type third-party --key-sharing-group "/" \
10.32.244.60
NOTICE: LKM Server third-party 10.32.244.60 added.
Cleartext connections not allowed.
m. On the external host, register the KAC LKM certificate you exported from the member node
in step k with the NetApp LKM appliance.
host$ echo lkmserver certificate set 10.32.244.60 \
`cat enc1_kac_lkm_cert.pem` | ssh -l admin 10.33.54.231
Pseudo-terminal will not be allocated because stdin is not a terminal.
admin@10.33.54.231's password:
Checking system tamper status:No physical intrusion detected.
ALERT: There are pending unapproved trustees.
NOTICE: LKM Peer '10.32.244.60' certificate is set
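
The listing shown in step j can be checked mechanically whenever the group configuration is reviewed. The following Python sketch is an added example, not part of the Brocade guide: it parses the text printed by cryptocfg --show -groupcfg and reports a key vault that is still "Not responding", a secondary key vault that is not configured, a group that has not converged, and a group leader name that matches no GroupLeader row. The function names and the abridged sample listing are constructed for illustration.

```python
import re
# Constructed sample: the step j listing, abridged to the lines that are checked.
SAMPLE = """\
Primary Key Vault:
IP address: 10.33.54.231
State: Not responding
Secondary Key Vault not configured
NODE LIST
Group Leader Node Name: 10:00:00:05:1e:41:9a:7e
Encryption Group state: CLUSTER_STATE_CONVERGED
Node Name IP address Role
10:00:00:05:1e:41:9a:7e 10.32.244.71 GroupLeader
10:00:00:05:1e:39:14:00 10.32.244.60 MemberNode (current node)
"""

WWN = r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}"  # a node name is eight hex octets
NODE_ROW = re.compile(rf"^({WWN})\s+(\d+(?:\.\d+){{3}})\s+(\S+)")
VAULT_HDR = re.compile(r"^(Primary|Secondary) Key Vault(:| not configured)$")

def parse_groupcfg(text):
    """Split the listing into group fields, per-vault fields and node rows."""
    fields, vaults, nodes, vault = {}, {}, [], None
    for line in map(str.strip, text.splitlines()):
        row, hdr = NODE_ROW.match(line), VAULT_HDR.match(line)
        if row:
            nodes.append(dict(zip(("wwn", "ip", "role"), row.groups())))
        elif hdr or line == "NODE LIST":
            # Only a header ending in ':' opens a vault section; anything else closes it.
            vault = vaults.setdefault(hdr.group(1), {}) if hdr and hdr.group(2) == ":" else None
        elif ": " in line:
            key, value = line.split(": ", 1)
            (fields if vault is None else vault)[key] = value
    return fields, vaults, nodes

def findings(text):
    """Return the conditions to clear before relying on the key vault."""
    fields, vaults, nodes = parse_groupcfg(text)
    out = []
    for name in ("Primary", "Secondary"):
        if name not in vaults:
            out.append(f"{name} key vault not configured")
        elif vaults[name].get("State") == "Not responding":
            out.append(f"{name} key vault {vaults[name].get('IP address')} not responding")
    if fields.get("Encryption Group state") != "CLUSTER_STATE_CONVERGED":
        out.append("encryption group not converged")
    leaders = [n["wwn"] for n in nodes if n["role"] == "GroupLeader"]
    if fields.get("Group Leader Node Name") not in leaders:
        out.append("group leader name does not match a GroupLeader row")
    return out
```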