Brocade Fabric OS Encryption Administrator's Guide v6.3.0 (53-1001341-02, July 2009)

The RSA Key Manager (Appendix D)
h. Click Next.
i. Repeat a. through h. for each key class.
j. Click Finish.
9. For each node, create an identity as follows.
a. Select the Identities tab.
b. Click Create.
c. Enter a label for the node in the Name field. This is a user-defined identifier.
d. Select the Hardware Retail Group in the Identity Groups field.
e. Select the Operational User role in the Authorization field.
f. Click Browse and select the imported certificate <name>_kac_cert.pem as the Identity certificate.
g. Click Save.
10. Register the RKM key vault on the group leader using the CA certificate for the CA that signed the RKM key vault certificate. The path to this file was entered in the SSLCAcertificateFile field. The group leader automatically shares this information with the other group members.
SecurityAdmin:switch>cryptocfg --import -scp <CA certificate file> <host IP> <host username> <host path>
SecurityAdmin:switch>cryptocfg --reg -keyvault <CA certificate file> <RKM IP> primary
11. Display the group configuration using the cryptocfg --show -groupcfg command.
RKM key vault high availability deployment
When dual RKM appliances are used for high availability, the RKM appliances must be clustered and must operate in maximum availability mode, as described in the RKM appliance user documentation.
When dual RKM appliances are clustered, they are accessed through an IP load balancer. For a complete high availability deployment, multiple IP load balancers are themselves clustered, and the IP load balancer cluster exposes a virtual IP address called a floating IP address. The floating IP address is what must be registered on the encryption switch or blade using the cryptocfg --reg -keyvault command. The secondary RKM appliance must not be registered, and the IP addresses of the individual RKM appliances must not be registered either. Beginning with Fabric OS version 6.3.0, the command to register a secondary RKM appliance is blocked.
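The registration rules above are easy to get wrong when a cluster is first deployed, so the following is an added example (not Fabric OS or RKM code) of a checker that compares what is registered on the encryption group against the cluster's addresses. The function name, its dictionary input and the sample addresses are all assumptions made for this illustration; it does not parse the output of cryptocfg --show -groupcfg.

```python
import ipaddress

# Hypothetical checker (not a Fabric OS or RKM tool): given what is registered
# on the encryption group and the addresses of the RKM cluster, report any
# registration that contradicts the HA deployment rules described above.

def check_rkm_ha_registration(registered, floating_ip, appliance_ips):
    """Return a list of findings (an empty list means the registration is consistent).

    registered    -- dict mapping "primary"/"secondary" to the registered key vault IP
    floating_ip   -- the IP load balancer cluster's floating (virtual) IP
    appliance_ips -- IPs of the individual RKM appliances in the cluster
    """
    findings = []
    floating = ipaddress.ip_address(floating_ip)
    appliances = {ipaddress.ip_address(ip) for ip in appliance_ips}

    if floating in appliances:
        findings.append("floating IP collides with an individual appliance IP")

    primary = registered.get("primary")
    if primary is None:
        findings.append("no primary key vault registered")
    else:
        primary = ipaddress.ip_address(primary)
        if primary in appliances:
            findings.append(f"primary key vault {primary} is an individual appliance IP; "
                            "register the floating IP instead")
        elif primary != floating:
            findings.append(f"primary key vault {primary} is not the cluster floating IP {floating}")

    # With clustered appliances only the floating IP is registered, as primary.
    if registered.get("secondary") is not None:
        findings.append("a secondary RKM key vault is registered; remove it and register "
                        "only the floating IP as primary")
    return findings


if __name__ == "__main__":
    # Constructed sample addresses for a two-appliance cluster behind one floating IP.
    for label, reg in (("good", {"primary": "10.0.0.10"}),
                       ("bad", {"primary": "10.0.0.11", "secondary": "10.0.0.12"})):
        print(label, check_rkm_ha_registration(reg, "10.0.0.10", ["10.0.0.11", "10.0.0.12"]))
```

Run it against the addresses recorded in the deployment plan; the "bad" sample registers an appliance IP as primary and also registers a secondary, which yields two findings.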
DEK Creation
A newly created DEK is archived to the floating IP address of the clustered RKM appliances, that is, of the IP load balancer cluster. The load balancer of the RKM appliance cluster routes the request to the primary RKM appliance. The DEK is archived on the primary RKM appliance and then synchronized to the secondary RKM appliance in the cluster by the RKM Cluster Key Sync software. Only after the DEK has been successfully archived to the RKM cluster can it be used to encrypt a disk LUN, tape LUN, or tape pool. If archival of the DEK to the RKM cluster fails, an error is logged and the operation is retried.
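The ordering in this section matters for recoverability: a DEK that encrypts data before it is archived is a DEK that may be lost with the switch. The following added example (not Brocade or RSA code) simulates that flow in Python: a load balancer routing archive requests to the primary, key sync copying the result to the secondary, and a DEK that is only released for use once archival succeeded. The class names, the retry count and the in-memory key stores are assumptions; real RKM transport, authentication and key wrapping are not modelled.

```python
import logging
import os

logging.basicConfig(level=logging.ERROR)
log = logging.getLogger("dek-archive")


class RKMAppliance:
    """Simulated RKM appliance: a key store that can be made to fail N archive requests."""

    def __init__(self, name, fail_first_n=0):
        self.name = name
        self.store = {}                 # dek_id -> archived DEK bytes
        self.failures_left = fail_first_n

    def archive(self, dek_id, dek):
        if self.failures_left > 0:
            self.failures_left -= 1
            raise IOError(f"{self.name}: archive request failed")
        self.store[dek_id] = dek


class RKMCluster:
    """Simulated clustered pair reached through a load balancer's floating IP."""

    def __init__(self, primary, secondary):
        self.primary = primary
        self.secondary = secondary

    def archive_via_floating_ip(self, dek_id, dek):
        # The load balancer routes the archive request to the primary appliance.
        self.primary.archive(dek_id, dek)
        # Key sync then replicates the archived DEK to the secondary appliance.
        self.secondary.store[dek_id] = dek


def create_dek(cluster, dek_id, max_attempts=3):
    """Generate a DEK and release it for use only once the cluster has archived it.

    Returns the DEK bytes on success, or None if every attempt failed (the
    retry limit is an assumption; the guide only says the operation is retried).
    """
    dek = os.urandom(32)  # constructed: the simulated 256-bit data encryption key
    for attempt in range(1, max_attempts + 1):
        try:
            cluster.archive_via_floating_ip(dek_id, dek)
            return dek    # archived on the cluster: safe to use for a LUN or tape pool
        except IOError as exc:
            log.error("DEK %s archive attempt %d/%d failed: %s",
                      dek_id, attempt, max_attempts, exc)
    return None           # never hand out a DEK that is not archived


def archived_on_both(cluster, dek_id, dek):
    """True when primary and secondary both hold the same copy of the DEK."""
    return (cluster.primary.store.get(dek_id) == dek
            and cluster.secondary.store.get(dek_id) == dek)


if __name__ == "__main__":
    # Constructed scenario: the first archive request to the primary fails, the retry succeeds.
    cluster = RKMCluster(RKMAppliance("primary", fail_first_n=1), RKMAppliance("secondary"))
    dek = create_dek(cluster, "lun-7")
    print("usable:", dek is not None, "synced:", archived_on_both(cluster, "lun-7", dek))
```

The point the simulation makes is in create_dek: the caller receives the key only on the success path, so an archival failure can never leave encrypted data whose key exists nowhere but in switch memory.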