Brocade Fabric OS Encryption Administrator's Guide Supporting Fabric OS v6.2.0 (53-1001201-04, May 2009)
Key vault configuration
Adding an HP SKM appliance to a cluster
1. Open a new browser window, while keeping the browser window from “Copying the local CA
certificate” open.
2. Log in to the HP SKM Key Manager console of the HP SKM appliance that is being added.
3. Select the Security tab.
4. Select Known CAs under Certificates & CAs.
The Certificate and CA Configuration page is displayed.
5. Type the certificate name in the Certificate Name field under Install CA certificate.
6. Paste the certificate data you copied previously in the “Copying the local CA certificate”
procedure. If you kept the browser window open as suggested in “Copying the local CA
certificate”, the same data is available in that browser window.
7. Select Install.
8. From the HP SKM key manager main page, select the Device tab.
9. Select Cluster under Device Configuration.
10. Select Join Cluster.
11. Type the original cluster member’s IP address into Cluster Member IP. This is the IP address
designated as the local IP address that you recorded for this step in “Creating an SKM Key
vault High Availability cluster”.
12. Type or browse to the location of the temporary cluster key file that you copied in “Creating an
SKM Key vault High Availability cluster” for Cluster Key File.
13. Type the cluster password you recorded in “Creating an SKM Key vault High Availability cluster”
as the Cluster Password.
14. Select Join.
15. You are prompted to confirm the operation. Select Confirm.
The Cluster Configuration page displays, showing the cluster members.
Repeat the procedure to add more members, as needed. Delete the temporary cluster key file
when finished. You should also verify that the same server certificate is configured for all cluster
members by selecting the Device tab, and selecting KMS Server Settings.
Signing the KAC certificate
The KAC certificate exported by the encryption switch or blade must be signed using the certificate
authority created in the “Setting up the local certificate authority” procedure.
1. Go to the location where the kac_skm_req.csr file was downloaded on an SCP-capable host.
You should have this location recorded and available, as described in “Exporting the KAC
certificate request”.
2. Open the file and copy the contents, beginning with ---BEGIN CERTIFICATE REQUEST--- and
ending with ---END CERTIFICATE REQUEST---. Be careful not to include any extra characters.
3. On the SKM key manager main page, select the Security tab.
4. Select Local CAs under Certificates & CAs.
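For step 2 above, a paste that gains or loses a character produces a request the CA cannot parse. The following is an added example, not taken from the Brocade guide or from HP SKM, and its function names are hypothetical: it reads kac_skm_req.csr and returns only the request block, after checking that the base64 body decodes to one complete DER structure.

```python
import base64
import binascii
import re

# Armor lines of a PKCS#10 request; the dash count is left flexible on purpose.
CSR_BLOCK = re.compile(
    r"(-+BEGIN CERTIFICATE REQUEST-+)\s*\n(.*?)\n\s*(-+END CERTIFICATE REQUEST-+)",
    re.DOTALL,
)


def der_length_ok(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE with nothing missing or appended."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        header, body = 2, first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == header + body


def extract_csr(text: str) -> str:
    """Return only the request block, ready to paste, or raise ValueError."""
    blocks = CSR_BLOCK.findall(text.replace("\r\n", "\n"))
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one request block, found {len(blocks)}")
    begin, body, end = blocks[0]
    # Drop blank lines and leading/trailing whitespace picked up during transfer.
    lines = [ln.strip() for ln in body.split("\n") if ln.strip()]
    try:
        der = base64.b64decode("".join(lines), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"stray characters inside the block: {exc}") from exc
    if not der_length_ok(der):
        raise ValueError("request body is truncated or has trailing data")
    return "\n".join([begin, *lines, end])


if __name__ == "__main__":
    # File name from step 1; run in the directory the file was downloaded to.
    with open("kac_skm_req.csr", encoding="ascii") as fh:
        print(extract_csr(fh.read()))
```

The check covers only the outer framing of the request; it does not verify the request's signature or contents.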