Adding A Member Node To An Encryption Group - Brocade Communications Systems Brocade 8/12c Administrator's Manual

Supporting HP Secure Key Manager (SKM) environments and HP Enterprise Secure Key Manager (ESKM) environments

Steps for connecting to an SKM or ESKM appliance

Tape LUN support

DEK Creation - The DEK is created and archived to the SKM/ESKM cluster using the cluster's
virtual IP address. The DEK is synchronized with other SKMs/ESKMs in the cluster. Upon
successful archival of the DEK to the SKM/ESKM cluster, the DEK can be used for encryption
of the tape LUN. If archival of the DEK to the SKM/ESKM cluster fails, an error is logged and
the operation is retried.

DEK retrieval - The DEK is retrieved from the SKM/ESKM cluster using the cluster's virtual IP
address. If DEK retrieval fails, it is retried.

DEK update - DEK update behavior is the same as DEK Creation.

SKM or ESKM Key Vault Deregistration

Deregistration of either primary or secondary SKM/ESKM key vault from an encryption switch or
blade is allowed independently. Both the primary and secondary SKM should be moved to ESKM,
and a cluster must be formed on ESKM before any new encryption is done to avoid possible
failures.

Deregistration of Primary SKM/ESKM - You can deregister the primary SKM/ESKM from an
encryption switch or blade without deregistering the backup or secondary SKM/ESKM for
maintenance or replacement purposes. However, when the primary SKM/ESKM is
deregistered, key creation operations will fail until either the primary SKM/ESKM is
reregistered or the secondary SKM/ESKM is deregistered and reregistered as primary SKM/ESKM.
When the primary SKM/ESKM is replaced with a different SKM/ESKM, you must first
synchronize the DEKs from the secondary SKM/ESKM before reregistering the primary
SKM/ESKM.

Deregistration of Secondary SKM/ESKM - You can deregister the secondary SKM/ESKM
independently. Future key operations will use only the primary SKM/ESKM until the secondary
SKM/ESKM is reregistered on the encryption switch or blade.
When the secondary SKM/ESKM is replaced with a different SKM/ESKM, you must first
synchronize the DEKs from the primary SKM/ESKM before reregistering the secondary
SKM/ESKM.

Adding a member node to an encryption group

Before adding a member node to an encryption group, ensure that the node has been properly
initialized and that all encryption engines are in an enabled state. See "Initializing the Brocade
encryption engines" on page 126.

After adding the member node to the encryption group, the following operations can still be
performed on the member node if necessary. Initially, these commands should not be necessary if
the initialization procedure was followed:

cryptocfg --initEE
cryptocfg --regEE
cryptocfg --enableEE

Fabric OS Encryption Administrator's Guide
53-1002159-03
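
The key vault deregistration rules above can be applied to a planned maintenance sequence before any change is made on the switch. The following Python is an added example, not part of the Brocade guide; the step names (deregister, replace, sync, register, promote, create_key) and the plan format are assumptions made for illustration, and only the rules stated on this page are modeled.

```python
# Added illustration: checks a planned key-vault maintenance sequence against
# the deregistration rules stated on this page. Step names are hypothetical.

def check_plan(steps):
    """Return (step_number, finding) tuples for steps that break a stated rule."""
    registered = {"primary": True, "secondary": True}
    needs_sync = {"primary": False, "secondary": False}  # replaced unit, DEKs not yet synced
    findings = []
    for n, (op, role) in enumerate(steps, start=1):
        other = "secondary" if role == "primary" else "primary"
        if op == "deregister":
            registered[role] = False
        elif op == "replace":
            # A different SKM/ESKM now fills this role and holds no DEKs yet.
            needs_sync[role] = True
        elif op == "sync":
            # DEKs are synchronized onto `role` from the other vault.
            needs_sync[role] = False
        elif op == "register":
            if needs_sync[role]:
                findings.append((n, f"sync DEKs from {other} before reregistering {role}"))
            registered[role] = True
        elif op == "promote":
            # The secondary is deregistered and reregistered as primary.
            registered["primary"], registered["secondary"] = registered["secondary"], False
            needs_sync["primary"], needs_sync["secondary"] = needs_sync["secondary"], False
        elif op == "create_key":
            if not registered["primary"]:
                findings.append((n, "key creation fails: no primary registered"))
        else:
            raise ValueError(f"unknown step {op!r}")
    return findings

# Constructed sample plans (not taken from the guide).
BAD_PLAN = [("deregister", "primary"), ("create_key", None),
            ("replace", "primary"), ("register", "primary"), ("create_key", None)]
GOOD_PLAN = [("deregister", "primary"), ("replace", "primary"),
             ("sync", "primary"), ("register", "primary"), ("create_key", None)]
PROMOTE_PLAN = [("deregister", "primary"), ("promote", "secondary"), ("create_key", None)]

if __name__ == "__main__":
    for name, plan in [("bad", BAD_PLAN), ("good", GOOD_PLAN), ("promote", PROMOTE_PLAN)]:
        print(name, check_plan(plan))
```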
