Brocade Fabric OS Encryption Administrator's Guide v6.3.0 (53-1001341-02, July 2009)

Viewing imported certificates
1. Log into the switch to which you imported the certificates.
2. Enter the cryptocfg --show -file -all command to view all imported certificates.
The following example shows the member node CP certificate that was imported earlier to the group leader.
SecurityAdmin:switch>cryptocfg --show -file -all
File name: enc_switch1_cp_cert.pem, size: 1338 bytes
NOTE
If the maximum number of certificates is exceeded, the following message is displayed.
Maximum number of certificates exceeded. Delete an unused certificate with the ‘cryptocfg --delete --file’ command and then try again.
Basic encryption group configuration
An encryption group consists of a set of member nodes that share the same key vault and are managed as a group. At least one node is required to form an encryption group (an encryption group of one would have one member acting as the group leader). An encryption group may include one or more High Availability (HA) clusters and data encryption key (DEK) clusters. An encryption group has the following properties:
• It is identified by a user-defined name.
• It is managed from a designated group leader.
• All group members must share the same key vault.
• When communicating with opaque key vaults, the same master key is used for all encryption operations in the group.
• All encryption engines in a chassis are part of the same encryption group.
• An encryption group may contain up to sixteen encryption engines—up to four nodes with a maximum of four encryption engines per node.
The basic encryption group configuration must be completed before you can set up a key vault or configure a storage device.
Ensure that the following configuration tasks are completed before you create an encryption group:
• “Management port configuration” on page 87
• “Encryption switch initialization” on page 90
NOTE
If these configuration steps are not performed, you will not be able to create an HA cluster, perform a first-time encryption, or initiate a re-keying session.
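Before running the procedure below, it helps to check a planned group against the membership rules listed above (one leader, one shared key vault, at most four nodes, at most four engines per node, sixteen per group). The following Python planning check is an added example, not Brocade code or part of the original guide; the Node record and the node names, vault names and engine counts are constructed for illustration.

```python
from dataclasses import dataclass

MAX_NODES = 4            # up to four nodes per encryption group
MAX_EE_PER_NODE = 4      # up to four encryption engines per node
MAX_EE_PER_GROUP = 16    # up to sixteen encryption engines per group


@dataclass
class Node:
    """Hypothetical planning record for one member node (constructed, not a FOS object)."""
    name: str
    key_vault: str        # key vault this node is configured against
    engines: int          # encryption engines in this chassis
    group_leader: bool = False


def validate_group(group_name: str, nodes: list) -> list:
    """Return the rule violations for a planned group; an empty list means it is consistent."""
    problems = []
    if not group_name:
        problems.append("group must have a user-defined name")
    if not nodes:
        problems.append("at least one node is required to form a group")
    leaders = [n.name for n in nodes if n.group_leader]
    if len(leaders) != 1:
        problems.append(f"exactly one group leader required, found {len(leaders)}")
    if len(nodes) > MAX_NODES:
        problems.append(f"{len(nodes)} nodes exceeds the limit of {MAX_NODES}")
    vaults = {n.key_vault for n in nodes}
    if len(vaults) > 1:
        problems.append(f"all members must share one key vault, found {sorted(vaults)}")
    for n in nodes:
        if n.engines > MAX_EE_PER_NODE:
            problems.append(f"{n.name}: {n.engines} engines exceeds {MAX_EE_PER_NODE} per node")
    total = sum(n.engines for n in nodes)
    if total > MAX_EE_PER_GROUP:
        problems.append(f"{total} engines exceeds the group limit of {MAX_EE_PER_GROUP}")
    return problems


# Constructed plans: a sound group of one switch plus three blade chassis, and one that
# breaks several rules at once (two leaders, two vaults, five nodes, too many engines).
GOOD_PLAN = [Node("switch1", "vault-A", 1, group_leader=True),
             Node("dcx1", "vault-A", 4), Node("dcx2", "vault-A", 4), Node("dcx3", "vault-A", 4)]
BAD_PLAN = [Node("switch1", "vault-A", 1, group_leader=True),
            Node("dcx1", "vault-B", 5, group_leader=True),
            Node("dcx2", "vault-A", 4), Node("dcx3", "vault-A", 4), Node("dcx4", "vault-A", 4)]

if __name__ == "__main__":
    print(validate_group("brocade", GOOD_PLAN))   # prints []
    print(*validate_group("", BAD_PLAN), sep="\n")
```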
Creating an encryption group
1. Identify one node (a Brocade Encryption Switch or a Brocade DCX or Brocade DCX-4S with an FS8-18 blade) as the designated group leader.
2. Log into the switch as Admin or SecurityAdmin.