Signing The Brocade Encryption Node Kac Certificates - Brocade Communications Systems Brocade 8/12c Administrator's Manual
Supporting hp secure key manager (skm) environments and hp enterprise secure key manager (eskm) environments
Hide thumbs
Also See for Brocade 8/12c:
- User manual (1301 pages) ,
- Command reference manual (1132 pages) ,
- Reference (362 pages)
Table of Contents
Advertisement
6. Initialize the encryption engine using the cryptocfg --initEE command. Provide a slot number if
7.
8. Repeat the above steps on every node that is expected to perform encryption.
Signing the Brocade encryption node KAC certificates
The KAC certificate signing request generated when the encryption node is initialized must be
exported for each encryption node and signed by the Brocade local CA on SKM/ESKM. The signed
certificate must then be imported back into the encryption node.
1. Export the KAC sign request to an SCP-capable host.
2. Open the exported file and copy the contents, beginning with
3. Launch the SKM/ESKM administration console in a web browser and log in.
4. Select the Security tab.
5. Select Local CAs under Certificates & CAs.
6. Under Local Certificate Authority List, select the Brocade CA name.
7.
8. Select Sign with Certificate Authority using the Brocade CA name with the maximum of 3649
9. Select Client as Certificate Purpose.
10. Allow Certificate Duration to default to 3649.
11. Paste the file contents that you copied in step 3 in the Certificate Request Copy area.
12. Select Sign Request.
Fabric OS Encryption Administrator's Guide
53-1002159-03
the encryption engine is a blade. This step generates critical security parameters (CSPs) and
certificates in the CryptoModule's security processor (SP). The CP and the SP perform a
certificate exchange to register respective authorization data.
SecurityAdmin:switch>cryptocfg --initEE
This will overwrite previously generated identification
and authentication data
ARE YOU SURE (yes, y, no, n): y
Operation succeeded.
Register the encryption engine by entering the cryptocfg
number if the encryption engine is a blade. This step registers the encryption engine with the
CP or chassis. Successful execution results in a certificate exchange between the encryption
engine and the CP through the FIPS boundary.
SecurityAdmin:switch>cryptocfg --regEE
Operation succeeded.
SecurityAdmin:switch>cryptocfg --export -scp -KACcsr
192.168.38.245 mylogin /tmp/certs/kac_skm.csr
and ending with
REQUEST---
extra characters.
The Certificate and CA Configuration page displays.
Select Sign Request.
The Sign Certificate Request page is displayed.
days option.
Steps for connecting to an SKM or ESKM appliance
---END CERTIFICATE REQUEST---
regEE command. Provide a slot
--
---BEGIN CERTIFICATE
. Be careful not to include any
3
127
Advertisement
Table of Contents
Troubleshooting
