Initializing The Fabric Os Encryption Engines - Brocade Communications Systems StoreFabric SN6500B Administrator's Manual

Brocade Fabric OS Encryption Administrator's Guide v7.1.0 (53-1002721-01, March 2013)

20. Create and install an SKM/ESKM certificate. Refer to "Creating and installing the SKM or
    ESKM server certificate" on page 139 for a description of this procedure.

NOTE
An SKM/ESKM cluster may have many members, but the Brocade encryption products support only
two as primary and secondary key vaults.

Initializing the Fabric OS encryption engines

You must perform a series of encryption engine initialization steps on every Brocade encryption
node (switch or blade) that is expected to perform encryption within the fabric.

NOTE
The initialization process overwrites any authentication data and certificates that reside on the node
and the security processor. If this is not a first-time initialization, make sure to export the master key
by running cryptocfg --exportmasterkey and cryptocfg --export -scp -currentMK before running
--initEE.

Complete the following steps to initialize an encryption engine.

1. Log in to the switch as Admin or SecurityAdmin.

2. Zeroize all critical security parameters (CSPs) on the switch by entering the cryptocfg
   --zeroizeEE command. Provide a slot number if the encryption engine is a blade.

       SecurityAdmin:switch> cryptocfg --zeroizeEE
       This will zeroize all critical security parameters
       ARE YOU SURE
       (yes, y, no, n): [no]y
       Operation succeeded.

   Zeroization leaves the switch or blade faulted. The switch or blade reboots automatically.

3. Synchronize the time on the switch and the key manager appliance. They should be within one
   minute of each other. Differences in time can invalidate certificates and cause key vault
   operations to fail.

4. Initialize the node by entering the cryptocfg --initnode command. Successful execution
   generates the following security parameters and certificates:

   - Node CP certificate
   - Key Archive Client (KAC) certificate

   NOTE
   Node initialization overwrites any existing authentication data on the node.

       SecurityAdmin:switch> cryptocfg --initnode
       This will overwrite all identification and authentication data
       ARE YOU SURE
       (yes, y, no, n): [no] y
       Notify SPM of Node Cfg
       Operation succeeded.

5. Initialize the encryption engine using the cryptocfg --initEE command. Provide a slot number
   if the encryption engine is a blade. This step generates critical security parameters (CSPs) and
   certificates in the CryptoModule's security processor (SP). The CP and the SP perform a
   certificate exchange to register respective authorization data.
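An added example, not part of the Brocade manual: a Python check that reads a saved console transcript of the steps above and reports steps that are missing, out of order, declined, or not followed by "Operation succeeded.", plus a missing master key export on a re-initialization. The audit function name, the trailing-digit slot syntax and the initEE output in the sample are assumptions.

```python
import re
STEPS = ["zeroizeEE", "initnode", "initEE"]   # order given in the procedure
CMD = re.compile(r"^\S+:\S+>\s*cryptocfg\s+--(\w+)\s*(\d*)")  # trailing digits = slot (assumed)
ANSWER = re.compile(r"\(yes, y, no, n\):\s*\[no\]\s*(\S*)")

def audit(transcript, reinit=False):
    """Return findings for a console transcript; an empty list means it matches the steps."""
    runs = []                                  # one record per cryptocfg command seen
    for line in map(str.strip, transcript.splitlines()):
        if (m := CMD.match(line)):
            runs.append({"cmd": m.group(1), "slot": m.group(2), "declined": False, "ok": False})
        elif runs and (a := ANSWER.search(line)):
            runs[-1]["declined"] = a.group(1).lower() not in ("y", "yes")
        elif runs and line == "Operation succeeded.":
            runs[-1]["ok"] = True
    names = [r["cmd"] for r in runs]
    order = [n for n in names if n in STEPS]
    findings = [] if order == STEPS else [f"steps ran as {order}, expected {STEPS}"]
    for r in runs:
        if r["cmd"] in STEPS and (r["declined"] or not r["ok"]):
            findings.append(f"{r['cmd']}: declined or no 'Operation succeeded.'")
    # On a blade, zeroizeEE and initEE both take the slot number and must agree.
    slots = {r["slot"] for r in runs if r["cmd"] in ("zeroizeEE", "initEE")}
    if len(slots) > 1:
        findings.append(f"slot mismatch between zeroizeEE and initEE: {sorted(slots)}")
    cut = names.index("initEE") if "initEE" in names else len(names)
    if reinit and "exportmasterkey" not in names[:cut]:   # only the command is checked
        findings.append("no exportmasterkey before initEE on a re-initialization")
    return findings

# Constructed transcript modelled on the console output above; the initEE output is
# not shown on the page and is assumed to end with the same success line.
SAMPLE = """\
SecurityAdmin:switch> cryptocfg --zeroizeEE
This will zeroize all critical security parameters
ARE YOU SURE
(yes, y, no, n): [no]y
Operation succeeded.
SecurityAdmin:switch> cryptocfg --initnode
This will overwrite all identification and authentication data
ARE YOU SURE
(yes, y, no, n): [no] y
Notify SPM of Node Cfg
Operation succeeded.
SecurityAdmin:switch> cryptocfg --initEE
Operation succeeded.
"""

print(audit(SAMPLE) or "transcript matches the procedure")
```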
