Brocade Fabric OS Encryption Administrator's Guide v6.3.0 (53-1001341-02, July 2009)
Encryption switch initialization
• After issuing regEE.
• After issuing enableEE.
• After power cycling an FS8-18 blade.
• After power cycling a DCX or DCX-4S with one or more FS8-18 blades.
• To diagnose a “split group” condition where the encryption group status shows DEGRADED but the encryption engine shows online status. Refer to the section “Encryption group merge and split use cases” on page 171 for more information.
Refer to Appendix A, Table 17 on page 189 for an explanation of encryption engine states (SP states). Refer to Appendix A, Table 18 on page 190 for an explanation of key encryption key (KEK) states.
Certificate Exchange
During the initialization phase, a set of RSA key pairs and certificates are generated on every node. These certificates are used for mutual identification and authentication with other group members or with external devices such as key vaults. Every device must have a certificate in order to participate in a deployment of encryption services. Some devices must have each other’s certificates in order to communicate.
Certificates must be exchanged between the key management system you are using and the
encryption switch to enable mutual authentication. You must obtain a certificate from the key
manager, and import it into the encryption group leader. The encryption group leader exports the
certificate to other encryption group members.
A certificate signing request (CSR) must be exported from each switch or blade to an external
server or to an attached USB device for signing. The signed certificate must be imported into the
switch or blade that generated the CSR, and also must be made available to the key manager.
Refer to Appendix D, “Supported Key Management Systems” for specific procedures.
Exporting a certificate
1. Log into the switch on which the certificate was generated as Admin or SecurityAdmin.
2. Export the certificate from the local switch to an SCP-capable external host or to a mounted USB device. The target server must be SCP-enabled. Enter the cryptocfg --export command with the appropriate parameters.
The following example exports a CP certificate from an encryption group member to an external
SCP-capable host.
SecurityAdmin:switch>cryptocfg --export -scp CPcert \
192.168.38.245 mylogin /tmp/certs/enc_switch1_cp_cert.pem
Password:
Operation succeeded.
The following example exports a KAC certificate from the local node to USB storage.
SecurityAdmin:switch>cryptocfg --export -usb KACcert enc_switch1_kac_cert.pem
Operation succeeded.
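An exported certificate or CSR travels over SCP or a USB device before it reaches the key manager, so it is worth checking the file at the receiving end before importing it. The following Python script is an added example and is not part of the Brocade guide or of Fabric OS: it confirms that a file such as enc_switch1_cp_cert.pem holds only a CERTIFICATE or CERTIFICATE REQUEST block (never a private key), that the DER framing matches the file size (a truncated copy is rejected), and returns a SHA-256 fingerprint to compare with the fingerprint of the original file. SAMPLE_DER is a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed stand-in for a DER body: a minimal ASN.1 SEQUENCE holding one
# INTEGER. NOT a real certificate, but the framing checks apply identically.
SAMPLE_DER = bytes.fromhex("30 03 02 01 05")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def parse_pem(text):
    """Return [(label, der_bytes)] for every PEM block found in text."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        body = "".join(m.group(2).split())          # strip line breaks
        blocks.append((m.group(1), base64.b64decode(body, validate=True)))
    return blocks

def der_sequence_len(der):
    """Verify the outer ASN.1 SEQUENCE header matches the file size; return its length."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("outer element is not an ASN.1 SEQUENCE")
    if der[1] < 0x80:                                # short-form length
        hdr, length = 2, der[1]
    else:                                            # long form: N length bytes
        hdr = 2 + (der[1] & 0x7F)
        length = int.from_bytes(der[2:hdr], "big")
    if hdr + length != len(der):
        raise ValueError("DER length %d != file size %d" % (hdr + length, len(der)))
    return length

def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form most tools display."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def check_export(text):
    """Validate an exported PEM file; return [(label, fingerprint)] or raise."""
    blocks = parse_pem(text)
    if not blocks:
        raise ValueError("no PEM block found; was the wrong file transferred?")
    result = []
    for label, der in blocks:
        if label not in ("CERTIFICATE", "CERTIFICATE REQUEST"):
            raise ValueError("not a certificate or CSR (private key?): " + label)
        der_sequence_len(der)                        # reject truncated transfers
        result.append((label, fingerprint(der)))
    return result

def make_pem(label, der):                            # builds the constructed sample
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, base64.b64encode(der).decode(), label)
```

Run check_export on the contents of the transferred file and compare the returned fingerprint with one taken from the file before it left the switch.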