Steps For Connecting To A Tklm Appliance - Brocade Communications Systems StoreFabric SN6500B User Manual

Brocade Network Advisor SAN User Manual v12.0.0 (53-1002696-01, March 2013)

Steps for connecting to a TKLM appliance

All switches you plan to include in an encryption group must have a secure connection to the Tivoli
Key Lifecycle Manager (TKLM). A local LINUX host must be available to transfer certificates.
NOTE
Ensure that the time zone and clock time setting on the TKLM server and encryption nodes are the
same. A difference of only a few minutes can cause the TLS connectivity to fail.
Repeat the same steps for configuring both the primary and secondary key vaults.
NOTE
The primary and secondary key vaults should be registered before you export the master key or
encrypt LUNs. If the secondary key vault is registered after encryption is done for some of the
LUNs, then the key database should be backed up and restored on the secondary TKLM from the
registered primary TKLM before registering the secondary TKLM.
The following is a suggested order for the steps needed to create a secure connection to TKLM:
1. Initialize all encryption nodes to generate KAC certificates and export the signed KAC certificates to a local LINUX host. Refer to "Exporting the Fabric OS node self-signed KAC certificates" on page 571.
2. Obtain the necessary user credentials and log in to the TKLM server appliance from the TKLM management web console.
3. "Converting the KAC certificate format" on page 571.
4. Create a default key store on TKLM. Refer to "Establishing a default key store and device group on TKLM" on page 571.
5. Create a device group named BRCD_ENCRYPTOR with device family LTO.
6. Add devices to the group. Refer to "Adding a device to the device group" on page 571.
7. Create a certificate for the TKLM server. Refer to "Creating a self-signed certificate for TKLM" on page 572.
8. Import the node KAC certificates. Refer to "Importing the Fabric OS encryption node KAC certificates to TKLM" on page 572.
9. Export the server CA certificate to a LINUX or Windows host. Refer to "Exporting the TKLM self-signed server certificate" on page 572.
10. Add encryption group members as needed. The first node added to an encryption group functions as the group leader. It is valid to have only one node in an encryption group.
11. Import the server CA certificate and register TKLM on the encryption group leader nodes. Refer to the following:
    - "Importing the Fabric OS encryption node KAC certificates to TKLM" on page 572
    - "Importing the TKLM certificate into the group leader" on page 573
12. Enable the encryption engines.
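The clock NOTE above bites hardest just after step 1: a certificate's validity window starts at the issuer's clock time, so a peer whose clock runs a few minutes behind sees a freshly generated certificate as not yet valid. The following is an added example, not part of the Brocade manual: a check for the local LINUX host that tests a certificate's validity window against a given peer clock and fingerprints a converted copy. The sample certificate, file names, and DER as the conversion target are constructed or assumed for illustration; OpenSSL and GNU date are required.

```shell
#!/usr/bin/env bash
# Added example (not from the manual): pre-flight checks for an exported
# node certificate on the local Linux host.

# Epoch seconds of a certificate date: "start" (notBefore) or "end" (notAfter).
cert_epoch() {  # usage: cert_epoch <pem-file> start|end
    local raw
    raw=$(openssl x509 -in "$1" -noout "-${2}date") || return 2
    date -u -d "${raw#*=}" +%s
}

# Succeeds only if the certificate is inside its validity window as seen by
# a peer whose clock currently reads <epoch>.
cert_valid_at() {  # usage: cert_valid_at <pem-file> <epoch>
    local nb na
    nb=$(cert_epoch "$1" start) || return 2
    na=$(cert_epoch "$1" end) || return 2
    [ "$2" -ge "$nb" ] && [ "$2" -le "$na" ]
}

# SHA-256 fingerprint, to confirm that a transferred or converted copy is
# still the same certificate.
cert_fingerprint() {  # usage: cert_fingerprint <file> [PEM|DER]
    openssl x509 -in "$1" -inform "${2:-PEM}" -noout -fingerprint -sha256 | cut -d= -f2
}

# Constructed stand-in for an exported node certificate (a real one comes
# from step 1); subject and file names are hypothetical.
make_sample_cert() {  # usage: make_sample_cert <dir>
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=constructed-encryption-node" \
        -keyout "$1/node.key" -out "$1/node_kac.pem" 2>/dev/null
}

demo() {
    local d now skew
    d=$(mktemp -d)
    make_sample_cert "$d" || return 1
    now=$(date +%s)
    # DER is an assumed target format; use the one the key vault requires.
    openssl x509 -in "$d/node_kac.pem" -outform DER -out "$d/node_kac.der"
    echo "PEM fingerprint: $(cert_fingerprint "$d/node_kac.pem")"
    echo "DER fingerprint: $(cert_fingerprint "$d/node_kac.der" DER)"
    for skew in 0 -300; do   # peer clock in sync, then five minutes behind
        if cert_valid_at "$d/node_kac.pem" $((now + skew)); then
            echo "peer clock ${skew}s: inside validity window"
        else
            echo "peer clock ${skew}s: certificate not yet valid"
        fi
    done
    rm -rf "$d"
}
demo
```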