Brocade Fabric OS Encryption Administrator's Guide v6.3.0 (53-1001341-02, July 2009)

Basic encryption group configuration
3. Enter the cryptocfg --create -encgroup command followed by a name of your choice. The name can be up to 15 characters long, and it can include any alphanumeric characters and underscores. White space or other special characters are not permitted. Successful execution creates an encryption group with the specified name and assigns the role of the group leader to the local node.
The following example creates the encryption group "brocade".
SecurityAdmin:switch>cryptocfg --create -encgroup brocade
Encryption group create status: Operation Succeeded.
The switch on which you create the encryption group becomes the designated group leader. Once you have created an encryption group, all group-wide configurations, including key vault configuration, adding member nodes, configuring failover policy settings, and setting up storage devices, as well as all encryption management operations, are performed on the group leader.
Setting the key vault type
1. Log into the group leader as Admin or SecurityAdmin.
2. Set the key vault type by entering the cryptocfg --set -keyvault command. The options are LKM, RKM, SKM, and NCKA. Successful execution sets the key vault type for the entire encryption group. The following example sets the key vault type to LKM.
SecurityAdmin:switch>cryptocfg --set -keyvault LKM
Set key vault status: Operation Succeeded.
Adding a member node to an encryption group
1. Use the cryptocfg --export -CPcert command on each node you wish to include in the encryption group and export the CP certificates to an SCP-capable external host or to USB storage. Refer to the section “Exporting a certificate” on page 93 for instructions.
2. Log into the group leader as Admin or SecurityAdmin.
3. Use the cryptocfg --import command to import the CP certificates to the group leader node. You must import the CP certificate of each node you wish to add to the encryption group. Refer to the section “Importing a certificate” on page 94 for instructions.
4. Enter the cryptocfg --show -file -all command on the group leader to verify that you have imported all necessary certificates.
5. On the group leader, register each node you are planning to include in the encryption group. Enter the cryptocfg --reg -membernode command with appropriate parameters to register the member node. Specify the member node’s WWN, certificate filename, and IP address when executing this command. Successful execution of this command distributes all necessary node authentication data to the other members of the group.
SecurityAdmin:switch>cryptocfg --reg -membernode \
10:00:00:05:1e:39:14:00 enc_switch1_cert.pem 10.32.244.60
Operation succeeded.
NOTE
The order in which member node registration is performed defines group leader succession. At any given time there is only one active group leader in an encryption group. The group leader succession list specifies the order in which group leadership is assumed if the current group leader is not available.
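As an added example that is not part of the Brocade guide, the following Python pre-flight check validates the inputs the three procedures above require (the encryption group name rule, the four key vault types, and the WWN, certificate filename and IP address for each member node) and emits the cryptocfg commands in the documented order, preserving member order because registration order defines group leader succession. The function names, the WWN pattern (taken from the guide's example) and the certificate filename rule are assumptions.

```python
import ipaddress
import re

# Name rule from the guide: 1-15 characters, alphanumeric or underscore, no whitespace.
ENCGROUP_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,15}$")
# Assumed WWN form, matching the guide's example (8 colon-separated hex octets).
WWN_RE = re.compile(r"^(?:[0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2}$")
# Key vault types listed in the guide (compared case-sensitively, as documented).
KEY_VAULT_TYPES = ("LKM", "RKM", "SKM", "NCKA")


def validate_encgroup_name(name):
    """Return a list of problems with an encryption group name (empty list = OK)."""
    if ENCGROUP_NAME_RE.fullmatch(name):
        return []
    return ["group name must be 1-15 alphanumeric/underscore characters: %r" % name]


def validate_key_vault_type(kv_type):
    """Return a list of problems with a key vault type (empty list = OK)."""
    if kv_type in KEY_VAULT_TYPES:
        return []
    return ["unknown key vault type %r (expected one of %s)"
            % (kv_type, ", ".join(KEY_VAULT_TYPES))]


def validate_member_node(wwn, cert_file, ip_addr):
    """Check the WWN / certificate filename / IP triple for one member node."""
    errors = []
    if not WWN_RE.fullmatch(wwn):
        errors.append("bad WWN %r" % wwn)
    # Assumption: the imported CP certificate filename is non-empty and has no whitespace.
    if not cert_file or any(c.isspace() for c in cert_file):
        errors.append("bad certificate filename %r" % cert_file)
    try:
        ipaddress.ip_address(ip_addr)
    except ValueError:
        errors.append("bad IP address %r" % ip_addr)
    return errors


def plan_encryption_group(group_name, kv_type, members):
    """Validate everything and return (errors, commands) in the guide's order.

    members is a list of (wwn, cert_file, ip) tuples; their order is kept because
    registration order defines group leader succession. commands is empty on error.
    """
    errors = validate_encgroup_name(group_name) + validate_key_vault_type(kv_type)
    for wwn, cert_file, ip_addr in members:
        errors += validate_member_node(wwn, cert_file, ip_addr)
    if errors:
        return errors, []
    commands = ["cryptocfg --create -encgroup %s" % group_name,
                "cryptocfg --set -keyvault %s" % kv_type]
    commands += ["cryptocfg --reg -membernode %s %s %s" % m for m in members]
    return [], commands
```

The command strings are only assembled here, not executed; run them on the group leader after the CP certificates have been imported as described above.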