SKM or ESKM Key Vault High Availability Deployment; Steps for Migrating from SKM to ESKM; Steps Required from the BES CLI - Brocade Communications Systems Brocade 8/12c Administrator's Manual

Supporting HP Secure Key Manager (SKM) environments and HP Enterprise Secure Key Manager (ESKM) environments

SKM or ESKM key vault high availability deployment

The SKM/ESKM key vault has high availability clustering capability. SKM/ESKM appliances can be clustered together in a manner that is transparent to the end user. Encryption keys saved to one key vault are synchronously hardened to the cluster pairs. Refer to the HP SKM/ESKM appliance user documentation for configuration requirements and procedures.

Configured primary and secondary HP SKM/ESKM appliances must be registered with the Brocade encryption switch or blade to begin key operations. The user can register only a single SKM/ESKM if desired. In that case, the HA features are lost, but the archived keys are backed up to any other non-registered cluster members. Beginning with Fabric OS 6.3.0, the primary and secondary appliances must be clustered.

Both SKM/ESKM appliances in the cluster can be registered using the following command.

cryptocfg --reg -keyvault <cert label> <certfile> <hostname/ip address> <primary | secondary>

Related Topics

"Disk keys and tape pool keys support" on page 131
"Tape LUN support" on page 132
"SKM or ESKM Key Vault Deregistration" on page 132

Steps for Migrating from SKM to ESKM

The procedure for migrating SKM to ESKM assumes the following:

- An encryption group already exists on the BES with SKM configured and connected.
- ESKM has the following data transferred from SKM:
  - User group, users, CA information
  - SSL/FIPS settings
  - Key database
- ESKM uses the same CA certificate that was used by SKM.

NOTE
If the CA changes on the ESKM, you must deregister the key vaults and redo the procedure for configuring the key vault for the encryption group. To perform the steps using the GUI, see "Steps for connecting to an SKM or ESKM appliance" on page 26. To perform the steps using the CLI, see "Steps for connecting to an SKM or ESKM appliance" on page 119.

Steps required from the BES CLI

From the group leader BES:
1. Deregister SKM using the command cryptocfg --dereg -keyvault.
2. Import the CA certificate using the command cryptocfg --import -scp <cert_name.pem> <host IP> <host name> <CAcert.cer>.
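
The migration assumes that ESKM uses the same CA certificate that was used by SKM; if the CA has changed, the NOTE requires deregistering the key vaults and redoing the key vault configuration. The following added example (not part of the Brocade manual) compares two exported CA certificate files by the SHA-256 of their decoded bytes, so re-wrapped or CRLF-converted PEM text does not cause a false mismatch. It assumes PEM-encoded exports; the function names and the sample "certificates" are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def ca_fingerprint(pem_text):
    """SHA-256 over the decoded bytes of a single-certificate PEM file."""
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    # Drop all whitespace so CRLF endings or re-wrapped base64 do not matter.
    der = base64.b64decode("".join(blocks[0].split()), validate=True)
    return hashlib.sha256(der).hexdigest()


def migration_path(skm_ca_pem, eskm_ca_pem):
    """'migrate' if the CA is unchanged, else 'reconfigure' (deregister the key
    vaults and redo the key vault configuration, per the NOTE)."""
    same = ca_fingerprint(skm_ca_pem) == ca_fingerprint(eskm_ca_pem)
    return "migrate" if same else "reconfigure"


def _constructed_pem(payload, width, eol):
    """Wrap constructed bytes as PEM text; these are NOT real X.509 certificates."""
    b64 = base64.b64encode(payload).decode()
    body = [b64[i:i + width] for i in range(0, len(b64), width)]
    return eol.join(["-----BEGIN CERTIFICATE-----", *body,
                     "-----END CERTIFICATE-----", ""])


# Constructed sample inputs: the same bytes exported with different wrapping
# and line endings, plus a different CA.
SKM_CA = _constructed_pem(b"constructed SKM CA bytes " * 8, 64, "\n")
ESKM_SAME_CA = _constructed_pem(b"constructed SKM CA bytes " * 8, 76, "\r\n")
ESKM_NEW_CA = _constructed_pem(b"constructed replacement CA " * 8, 64, "\n")

if __name__ == "__main__":
    print(migration_path(SKM_CA, ESKM_SAME_CA))
    print(migration_path(SKM_CA, ESKM_NEW_CA))
```
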
Fabric OS Encryption Administrator's Guide
53-1002159-03