Brocade Fabric OS Encryption Administrator's Guide Supporting Fabric OS v6.2.0 (53-1001201-04, May 2009)

d. Select the Hardware Retail Group in the Identity Groups field.
e. Select the Operational User role in the Authorization field.
f. Click Browse and select the imported certificate <name>_kac_cert.pem as the Identity certificate.
g. Click Save.
NOTE
KAC certificates are listed as issued to and issued by kac.000000aabbccddee where
aabbccddee are the last five portions of the switch WWN. If the switch has been re-initialized,
make sure to delete the previously imported certificate before using the new certificate. Both
certificates will have the same WWN but they will have different creation dates.
19. Register the RKM key vault on the group leader using the CA certificate for the CA that signed
the RKM key vault certificate. The path to the file was entered in the SSLCAcertificateFile field
in step 13. The group leader automatically shares this information with other group members.
SecurityAdmin:switch>cryptocfg --import -scp <CA certificate file> <host IP> <host username> <host path>
SecurityAdmin:switch>cryptocfg --reg -keyvault <CA certificate file> <RKM IP> primary
20. Display the group configuration, using the cryptocfg --show -groupcfg command.
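The NOTE on KAC certificates above says a re-initialized switch leaves two certificates with the same name and different creation dates. The following is an added example, not part of the Brocade guide, that derives the expected kac.<...> name from a switch WWN and separates the newest certificate from stale ones. The WWN, file names, dates, and the record field names (issued_to, issued_by, created) are constructed for illustration.

```python
import string
from datetime import datetime

def expected_kac_name(wwn):
    """'kac.000000' + the last five portions of the switch WWN, as in the NOTE."""
    parts = wwn.lower().split(":")
    ok = len(parts) == 8 and all(
        len(p) == 2 and all(ch in string.hexdigits for ch in p) for p in parts)
    if not ok:
        raise ValueError(f"not an 8-byte WWN: {wwn!r}")
    return "kac.000000" + "".join(parts[-5:])

def split_current_and_stale(wwn, imported):
    """Return (current, stale) among imported certificates for this switch.

    A KAC certificate is issued to and issued by the same kac.<...> name, so
    both fields must match. Certificates left over from before a
    re-initialization share the name and differ only in creation date.
    """
    name = expected_kac_name(wwn)
    ours = sorted(
        (c for c in imported if c["issued_to"] == name and c["issued_by"] == name),
        key=lambda c: datetime.fromisoformat(c["created"]))
    if not ours:
        return None, []
    return ours[-1], ours[:-1]

# Constructed sample data: hypothetical WWN and certificate inventory.
SWITCH_WWN = "10:00:00:05:1E:53:8A:67"
IMPORTED = [
    {"file": "sw1_old_kac_cert.pem", "issued_to": "kac.000000051e538a67",
     "issued_by": "kac.000000051e538a67", "created": "2009-01-12T09:30:00"},
    {"file": "sw1_kac_cert.pem", "issued_to": "kac.000000051e538a67",
     "issued_by": "kac.000000051e538a67", "created": "2009-04-02T14:05:00"},
    {"file": "sw2_kac_cert.pem", "issued_to": "kac.000000051e99aa10",
     "issued_by": "kac.000000051e99aa10", "created": "2009-02-20T11:00:00"},
]

if __name__ == "__main__":
    current, stale = split_current_and_stale(SWITCH_WWN, IMPORTED)
    print("keep:  ", current["file"])
    for cert in stale:
        print("delete:", cert["file"])
```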
Generating and exporting the master key
You must generate a master key on the group leader, and export it to a backup location. This may
be on the RKM key vault, or on an SCP-capable host.
1. Generate the master key on the group leader.
SecurityAdmin:switch>cryptocfg --genmasterkey
Master key generated. The master key should be
exported before further operations are performed.
2. Export the master key to the key vault. Make a note of the key ID and the passphrase. You will
need the key ID and passphrase should you have to restore the master key from the key vault.
SecurityAdmin:switch>cryptocfg --exportmasterkey
Enter the passphrase: passphrpase
Master key exported. Key ID:
8f:88:45:32:8e:bf:eb:44:c4:bc:aa:2a:c1:69:94:2
3. Save the master key to a file.
SecurityAdmin:switch>cryptocfg --exportmasterkey -file
Master key file generated.
4. Export the master key to an SCP-capable external host:
SecurityAdmin:switch>cryptocfg --export -scp -currentMK \
192.168.38.245 mylogin GL_MK.mk
Password:
Operation succeeded.
5. Display the group configuration.
SecurityAdmin:switch>cryptocfg --show -groupcfg
Encryption Group Name: brocade