Brocade Fabric OS Encryption Administrator's Guide Supporting Fabric OS v6.2.0 (53-1001201-04, May 2009)
Key vault configuration
Setting up an RKM key vault
At a high level, setting up an RKM key vault consists of the following steps:
• Registering the encryption group leader and group member nodes with the RKM key vault by registering their KAC certificates.
• Registering the RKM key vault with the group leader by registering the key vault’s certificate with the group leader.
• Generating and exporting the master key to a secure location.
NOTE
The Brocade encryption platform supports RKM only on port 443 for HTTPS. Make sure that the SSL port on your RKM Windows 2003 server and RKM appliance A1.6 is set to 443.
RKM configuration scenario
The following scenario describes the steps for configuring a primary RKM (opaque) key vault that can be shared by the members of the encryption group "brocade." The encryption group has one group leader and one member node.
1. Log into the group leader as Admin or SecurityAdmin.
2. Set the RKM key vault type by entering the cryptocfg --set -keyvault command with the RKM option. Successful execution sets the key vault type for the entire encryption group.
SecurityAdmin:switch>cryptocfg --set -keyvault RKM
Set key vault status: Operation Succeeded.
3. Export the KAC certificate to a secure location.
SecurityAdmin:switch>cryptocfg --export -scp <certificate file> <host IP> <host username> <host path>
4. Submit the KAC certificate to the RKM certificate authority (CA) for signing.
5. Get the signed KAC certificate and the CA certificate, and store them on the SCP-capable host.
6. Import the signed KAC certificate to the encryption group leader.
SecurityAdmin:switch>cryptocfg --import -scp <certificate file> <host IP> <host username> <host path>
7. Register the KAC certificate.
SecurityAdmin:switch>cryptocfg --reg -KACcert <certificate file>
8. Export the KAC certificate to a Linux host.
SecurityAdmin:switch>cryptocfg --export -scp -KACcert <certificate file> <host IP> <host username> <host path>
9. Download the KAC certificate and the CA certificate for the CA that signed the KAC from the Linux host to a workstation for the RKM key vault. You may use FTP or another file transfer utility.
10. From the same workstation, start a web browser and connect to the setup page. You will need the URL, the proper authority level, a user name, and a password.
11. Select the Operations tab.
12. Select Certificate Upload.
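Before the signed KAC certificate from step 5 is imported (step 6) and registered (step 7), it is worth confirming on the SCP-capable host that it really chains to the RKM CA certificate, that it carries the switch's own public key, and that it is currently valid. The following script is an added example and is not part of the Brocade guide; it assumes the openssl command-line tool, and the file names (ca.pem, kac.pem, kac.key) and the throwaway demo PKI it generates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Brocade guide): pre-flight checks on the signed KAC
# certificate returned by the RKM CA before "cryptocfg --import" and
# "cryptocfg --reg -KACcert". Assumes the openssl CLI; file names are assumptions.

# Build a throwaway demo PKI so the checks can run offline: a self-signed "RKM CA",
# a KAC certificate it signs, and an unrelated CA (all constructed sample data).
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo RKM CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-switch-kac" \
        -keyout "$dir/kac.key" -out "$dir/kac.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/kac.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/kac.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Unrelated CA" \
        -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null
}

# verify_kac_cert CA_CERT SIGNED_KAC_CERT KAC_PRIVATE_KEY
# Returns 0 only if (1) the signed certificate chains to the CA certificate that
# will be registered with the group leader, (2) its public key matches the switch's
# own key, so the CA signed the certificate we exported and not another one, and
# (3) it is not expired.
verify_kac_cert() {
    ca=$1; cert=$2; key=$3
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
        echo "FAIL: $cert does not chain to $ca" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: public key in $cert does not match $key" >&2; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || {
        echo "FAIL: $cert is expired" >&2; return 1; }
    echo "OK: $cert chains to $ca, matches $key and is valid"
}

# Demonstration: the KAC certificate passes against its own CA and is rejected
# against the unrelated CA.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
verify_kac_cert "$demo_dir/ca.pem" "$demo_dir/kac.pem" "$demo_dir/kac.key"
verify_kac_cert "$demo_dir/other.pem" "$demo_dir/kac.pem" "$demo_dir/kac.key" || true
rm -rf "$demo_dir"
```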