Skm Key Vault High Availability Deployment - Brocade Communications Systems Brocade 8/12c User Manual

Brocade Network Advisor SAN User Manual v11.1.x (53-1002167-01, May 2011)
18   Steps for connecting to an SKM appliance

1. Select a switch from the Encryption Center Devices table, then select Switch > Import Certificate from the menu task bar, or right-click a switch and select Import Certificate.
   The Import Signed Certificate dialog box displays (Figure 168).

FIGURE 168   Import Signed Certificate dialog box

2. Browse to the location where the signed certificate is stored.
3. Click OK.
   The signed certificate is stored on the switch.

SKM key vault high availability deployment

The SKM key vault has high availability clustering capability. SKM appliances can be clustered together in a manner that is transparent to the end user. Encryption keys saved to one key vault are synchronously hardened to the cluster pairs. Refer to the HP SKM Appliance user documentation for configuration requirements and procedures.

Configured primary and secondary HP SKM appliances must be registered with the Brocade encryption switch or blade before key operations can begin. The user can register only a single SKM if desired. In that case, the HA features are lost, but the archived keys are still backed up to the other, non-registered cluster members. Beginning with Fabric OS version 6.3.0, the primary and secondary appliances must be clustered.

Both SKM appliances in the cluster can be registered using the following command:

   cryptocfg --reg -keyvault <cert label> <certfile> <hostname/ip address> <primary | secondary>

Disk keys and tape pool keys support

DEK creation, retrieval, and update for disk and tape pool keys are as follows:

DEK creation - The DEK is first archived to the virtual IP address of the SKM cluster. The request is routed to the primary or secondary SKM and is synchronized with the other SKMs in the cluster. If archival is successful, the DEK is read back from both the primary and secondary SKMs in the cluster until it has been read successfully from both. If that succeeds, the created DEK can be used for encrypting disk LUNs or tape pools in Brocade native mode. If key archival of the DEK to the SKM cluster fails, an error is logged and the operation is retried. If the failure occurs after archival to one of the SKMs, but synchronization to all SKMs in the cluster times out, an error is logged and the operation is retried. Any DEK archived in this case is not used.

DEK retrieval - The DEK is retrieved from the SKM cluster using the cluster's virtual IP address. If DEK retrieval fails, it is retried.

DEK update - DEK update behavior is the same as DEK creation.
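The DEK creation and retrieval rules above amount to a small state machine: archive through the cluster VIP, read the key back from both members, and only then release the DEK for use; on an archive failure or a synchronization timeout, log, discard the unverified DEK and retry. The following Python model is an added illustration written for this page; it is not Brocade or HP code and does not talk to a real SKM. The cluster, its members, the VIP routing (modelled as always landing on the primary), the fault-injection counters and the three-attempt retry limit are all constructed assumptions used to show how the failure modes in the text are handled.

```python
"""Model of clustered-SKM DEK creation/retrieval with read-back verification.
Added example for this page; not Brocade/HP code. All objects are in-memory
stand-ins, and the fault counters below are constructed for the demo."""
import logging
import secrets
from dataclasses import dataclass, field

log = logging.getLogger("dek_sim")


class SkmError(Exception):
    """Raised when an archive, sync or read operation on an SKM member fails."""


@dataclass
class SkmMember:
    """One SKM appliance in the cluster (constructed stand-in)."""
    name: str
    keys: dict = field(default_factory=dict)
    fail_archive: int = 0   # constructed: how many archive calls should fail
    fail_sync: int = 0      # constructed: how many syncs to this member should time out


@dataclass
class SkmCluster:
    """Cluster reached through one virtual IP; primary and secondary both registered."""
    vip: str
    primary: SkmMember
    secondary: SkmMember

    def members(self):
        return (self.primary, self.secondary)

    def archive(self, key_id, dek):
        """Archive via the VIP: the request lands on one member (assumed: the
        primary) and is then synchronized to the remaining cluster members."""
        target = self.primary
        if target.fail_archive > 0:
            target.fail_archive -= 1
            raise SkmError(f"archive to {target.name} failed")
        target.keys[key_id] = dek            # archived to one SKM ...
        for other in self.members():
            if other is target:
                continue
            if other.fail_sync > 0:
                other.fail_sync -= 1
                raise SkmError(f"sync to {other.name} timed out")  # ... but sync fails
            other.keys[key_id] = dek

    def read(self, member, key_id):
        """Read a key directly from a named member (used for read-back)."""
        if key_id not in member.keys:
            raise SkmError(f"{key_id} not present on {member.name}")
        return member.keys[key_id]


def create_dek(cluster, key_id, max_attempts=3):
    """Create a DEK; return it only once it is archived and readable from both
    members. Each retry generates a fresh DEK, so a DEK archived during a failed
    attempt is never used (assumption: fresh key per attempt)."""
    for attempt in range(1, max_attempts + 1):
        dek = secrets.token_bytes(32)
        try:
            cluster.archive(key_id, dek)
        except SkmError as exc:
            log.error("attempt %d: %s; retrying", attempt, exc)
            continue
        try:   # read back from BOTH primary and secondary before releasing the DEK
            readbacks = [cluster.read(m, key_id) for m in cluster.members()]
        except SkmError as exc:
            log.error("attempt %d: read-back failed: %s; retrying", attempt, exc)
            continue
        if all(r == dek for r in readbacks):
            return dek
        log.error("attempt %d: read-back mismatch; retrying", attempt)
    raise SkmError(f"DEK creation for {key_id} failed after {max_attempts} attempts")


def retrieve_dek(cluster, key_id, max_attempts=3):
    """Retrieve a DEK through the cluster VIP (modelled as the primary); retried on failure."""
    for attempt in range(1, max_attempts + 1):
        try:
            return cluster.read(cluster.primary, key_id)
        except SkmError as exc:
            log.error("attempt %d: retrieval failed: %s; retrying", attempt, exc)
    raise SkmError(f"DEK retrieval for {key_id} failed after {max_attempts} attempts")


def demo():
    """Constructed scenario: the first sync to the secondary times out, so the
    first DEK is discarded and a second one is archived and verified on both."""
    cluster = SkmCluster("10.0.0.10", SkmMember("skm-primary"),
                         SkmMember("skm-secondary", fail_sync=1))
    dek = create_dek(cluster, "lun-0001")
    return (cluster.primary.keys["lun-0001"] == dek
            and cluster.secondary.keys["lun-0001"] == dek
            and retrieve_dek(cluster, "lun-0001") == dek)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print("DEK verified on both cluster members:", demo())
```

The point the model makes explicit is that a successful archive call alone is not enough: the DEK becomes usable only after it has been read back from both registered members, and a sync timeout leaves a key on one member that must be treated as unusable rather than reused on the next attempt.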