Brocade Fabric OS Encryption Administrator's Guide v6.3.0 (53-1001341-02, July 2009)

Appendix D: Thales Encryption Manager for Storage
Registering the certificates
The examples below are for the two installed Thales key vaults. The commands assume that the exported
signed certificates were saved as brcduser1@ncka-1 and brcduser1@ncka-2 for the primary and
secondary key vaults, and that the data port IP addresses are 10.32.44.112 and 10.32.44.114.
1. Set the key vault type.
cryptocfg --set -keyvault NCKA
2. Register the signed KAC certificates.
cryptocfg --reg -KACcert brcduser1@ncka-1.pem primary
cryptocfg --reg -KACcert brcduser1@ncka-2.pem secondary
3. Register the primary and secondary key vault certificates and data port IP addresses.
cryptocfg --reg -keyvault NCKA_CA1 brcduser1@ncka-1.pem 10.32.44.112 primary
cryptocfg --reg -keyvault NCKA_CA2 brcduser1@ncka-2.pem 10.32.44.114 secondary
NOTE
The signed certificate file contains both the client and key vault CA certificates, so the same file
name is used for both the key vault and KACcert registration.
4. Repeat steps one and two for each encryption group member.
5. Display the group configuration to verify the values.
cryptocfg --show -groupcfg
NOTE
The Thales key vault has an active session limit of 32 clients. This includes the Brocade encryption
switch and blade, and all other clients. This is not configurable, but must be considered in planning
key vault usage.
Thales key vault high availability deployment
Both primary and secondary Thales key vaults must be installed and registered with the Brocade
encryption switch or FS8-18 blade before configuring any CryptoTarget containers or LUNs.
Installing or registering either the primary or the secondary Thales NCKA key vault after configuring
CryptoTarget containers or LUNs causes DEKs to be out of sync between the primary and
secondary key vaults. Thales KM appliances do not support clustering. Dual Thales appliances can
be registered with the encryption switch or blade using the following command:
cryptocfg --reg -keyvault <cert label> <certfile> <hostname/ip address> <primary | secondary>
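The following Python pre-flight check is an added example written for this page; it is not part of the guide and not Brocade or Thales code. It ties together the registration procedure above and the high availability requirement that both vaults be registered before any CryptoTarget container or LUN exists: it checks that exactly one primary and one secondary vault are planned, that each data port address is a valid IP, and that each exported signed certificate file carries at least two PEM blocks (the client certificate plus the key vault CA certificate, as the note above describes), then emits the cryptocfg commands in the documented order. The KeyVault class, the validate and registration_commands functions, and the placeholder PEM contents are assumptions of the example; the certificate bodies are constructed placeholders, not real certificates.

```python
# Added example (not Brocade's or Thales's code): pre-flight check for
# registering dual Thales NCKA key vaults on a Brocade encryption switch.
# File contents are passed in as a dict so the check runs offline; the PEM
# bodies below are constructed placeholders, not real certificate data.
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Matches one PEM certificate block. The exported signed file is expected to
# carry both the client (KAC) certificate and the key vault CA certificate.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


@dataclass
class KeyVault:
    role: str        # "primary" or "secondary"
    cert_label: str  # label used on the switch, e.g. NCKA_CA1
    cert_file: str   # exported signed certificate, e.g. brcduser1@ncka-1.pem
    address: str     # key vault data port IP address


def count_pem_certs(pem_text: str) -> int:
    """Number of certificate blocks in a PEM file."""
    return len(PEM_CERT_RE.findall(pem_text))


def validate(vaults: List[KeyVault], cert_contents: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means registration can proceed."""
    problems = []
    roles = sorted(v.role for v in vaults)
    if roles != ["primary", "secondary"]:
        problems.append(
            "exactly one primary and one secondary key vault must be registered "
            "before any CryptoTarget container or LUN is configured")
    for v in vaults:
        try:
            ipaddress.ip_address(v.address)
        except ValueError:
            problems.append(f"{v.role}: {v.address!r} is not a valid IP address")
        pem = cert_contents.get(v.cert_file)
        if pem is None:
            problems.append(f"{v.role}: certificate file {v.cert_file} not found")
        elif count_pem_certs(pem) < 2:
            problems.append(
                f"{v.role}: {v.cert_file} should contain both the client and "
                "key vault CA certificates")
    return problems


def registration_commands(vaults: List[KeyVault]) -> List[str]:
    """Emit the cryptocfg commands in the order the guide prescribes."""
    ordered = sorted(vaults, key=lambda v: v.role != "primary")  # primary first
    cmds = ["cryptocfg --set -keyvault NCKA"]
    cmds += [f"cryptocfg --reg -KACcert {v.cert_file} {v.role}" for v in ordered]
    cmds += [f"cryptocfg --reg -keyvault {v.cert_label} {v.cert_file} "
             f"{v.address} {v.role}" for v in ordered]
    cmds.append("cryptocfg --show -groupcfg")
    return cmds


# Constructed sample input: placeholder PEM bodies, not real certificates.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
SAMPLE_FILES = {
    "brcduser1@ncka-1.pem": FAKE_CERT * 2,   # client cert + key vault CA cert
    "brcduser1@ncka-2.pem": FAKE_CERT * 2,
    "client-only.pem": FAKE_CERT,            # missing the CA certificate
}
SAMPLE_VAULTS = [
    KeyVault("primary", "NCKA_CA1", "brcduser1@ncka-1.pem", "10.32.44.112"),
    KeyVault("secondary", "NCKA_CA2", "brcduser1@ncka-2.pem", "10.32.44.114"),
]

if __name__ == "__main__":
    issues = validate(SAMPLE_VAULTS, SAMPLE_FILES)
    if issues:
        print("\n".join(issues))
    else:
        print("\n".join(registration_commands(SAMPLE_VAULTS)))
```

Run it before touching the switch: if validate returns anything, fix the plan first, because registering a vault after containers or LUNs exist leaves the DEKs out of sync between the two vaults. The generated command list is the same sequence shown in steps 1 through 5 above, with the KACcert registrations preceding the key vault registrations.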
DEK Creation
DEKs are archived to both the primary and secondary Thales key vaults. Upon successful archival
of a DEK onto both the primary and secondary KM Appliances, the DEK can be used for encrypting
LUNs or tape pools. If archival of a DEK fails for either the primary or the secondary KM
Appliance, an error is logged and DEK creation is retried.