Configuring For Encryption (Optional); Summary Of Procedure - IBM System Storage SAN384B-2 Installation, Service And User Manual

v There is no support of Cisco switches at this time by IBM. The section in the
v The use of Smart Cards provides additional encryption security management,
v The Top Talker feature is not compatible with redirection zones. The Top Talker
v Alias zoning is not supported in encryption environments. You must use the real
v Refer to the "Steps for connecting to a TKLM appliance" section of the Fabric OS

Configuring for encryption (optional)

Summary of procedure

The optional FS8-18 encryption blade requires configuration to enable the
configuration functions. This section provides a brief overview of those
configuration steps. Refer to the Fabric OS Encryption Administrator's Guide (TKLM
Key Management) for the detailed procedures to configure the encryption functions.
Note:
If the encryption blade (FS8-18) is being configured for the first time for encryption
services, you will need to perform several pre-initialization tasks related to
configuring the encryption node (switch), including:
v Generating the Critical Security Parameters (CSPs) and certificates
v Loading and setting up the certificates
46
SAN384B-2 Installation, Service, and User Guide
Fabric OS Encryption Administrator's Guide Supporting Tivoli Key Lifecycle Manager
(TKLM) Environments related to Cisco Fabric connectivity does not currently
apply.
and is highly recommended. Smart cards can be ordered as FRUs through IBM.
feature should not be enabled when an encryption switch or blade is present in
the fabric.
WWPN.
Encryption Administrator's Guide Supporting Tivoli Key Lifecycle Manager (TKLM)
Environments for detailed information on initial setup. That section includes the
information:
– All switches you plan to include in an encryption group must have a secure
connection to the Tivoli Key Lifecycle Manager (TKLM). A local LINUX host
must be available to transfer certificates.
– Be sure that the clock time on the TKLM server and on the Brocade
encryption nodes are the same. A difference of only a few minutes can cause
the TLS connectivity to fail.
– Repeat the same steps for configuring both the primary and the secondary
key vault.
– Both the primary and secondary key vaults should be registered before
exporting MK or encrypting LUNs. If the secondary key vault is registered
midway after encryption is done for some of the LUNs, then the key database
should be backed up and restored on the secondary TKLM from the already
registered primary TKLM before registering the secondary TKLM.
– The is a suggested order for the initial steps needed to create a secure
connection to TKLM. (Refer to the "Steps for connecting to a TKLM
appliance" section of the Fabric OS Encryption Administrator's Guide Supporting
Tivoli Key Lifecycle Manager (TKLM) Environments for additional steps.)
1. Initialize all encryption nodes to generate Key authentication center (KAC)
certificates and export the signed KAC certificates to a local LINUX host.
2. Obtain the necessary user credentials and log in to the TKLM server
appliance from the TKLM management web console.