Exporting And Registering The Switch Kac Certificates On Lkm; Lkm Key Vault High Availability Deployment; Disk Keys And Tape Pool Keys (Brocade Native Mode Support) - Brocade Communications Systems Brocade BladeSystem 4/24 User Manual

Supporting dcfm 10.4.x

Exporting and registering the switch KAC certificates on LKM

The encryption switch self-signed KAC certificates must be exported and then registered on the LKM appliance.

1. From the Encryption Center, select Switch > Export Certificate.
   The Export Switch Certificate dialog box displays.
2. Select Self-signed switch certificate (X.509) and click OK.
   A dialog box displays that allows you to save the CSR to your SAN Management Program client PC, or to an external host of your choosing.
3. Register the self-signed KAC certificate you exported from the member node with the NetApp LKM appliance.

LKM key vault high availability deployment

LKM appliances can be clustered together to provide high availability capabilities. You can deploy and register one LKM with an encryption switch or blade and later deploy and register another LKM at any time, provided the LKMs are clustered or linked together. Refer to the LKM documentation for instructions on linking or clustering the LKMs.

When LKM appliances are clustered, both LKMs in the cluster must be registered and configured with the link keys before starting any crypto operations. If two LKM key vaults are configured, they must be clustered. If only a single LKM key vault is configured, it may be clustered for backup purposes, but the second appliance will not be directly used by the switch.

When dual LKMs are used with the encryption switch or blade, the dual LKMs must be clustered. The encryption switch or blade does not verify whether the dual LKMs are clustered, but key creation operations will fail if you register non-clustered dual LKMs with the encryption switch or blade.

Regardless of whether you deploy a single LKM or clustered dual LKMs, register only the primary key vault with the encryption switch or blade. You do not need to register a secondary key vault.

Disk keys and tape pool keys (Brocade native mode support)

DEK creation, retrieval, and update for disk and tape pool keys in Brocade native mode are as follows:

DEK creation - The DEK is archived into the primary LKM. Upon successful archive of the DEK onto the primary LKM, the DEK is read from the secondary LKM until it is synchronized to the secondary LKM or a timeout of 10 seconds (2 seconds with 5 retries) occurs. If successful, the DEK created can be used for encrypting disk LUNs or a tape pool in Brocade native mode. If key archival of the DEK to the primary LKM fails, an error is logged and the operation is retried. If the failure happens after archival of the DEK to the primary LKM, but before synchronization to the secondary, a VAULT_OFFLINE error is logged and the operation is retried. Any DEK archived to the primary in this case is not used.

DEK retrieval - The DEK is retrieved from the primary LKM if the primary LKM is online and reachable. If the registered primary LKM is not online or not reachable, the DEK is retrieved from a clustered secondary LKM.

DEK update - DEK update behavior is the same as DEK creation.
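The archive-then-synchronize sequence and the retrieval fallback described above, modelled as an added Python example; this is not Brocade or NetApp code. The `LKM` class, its `sync_delay_polls` replication lag, and the log strings are constructed stand-ins, and the 2-second/5-retry timing is modelled as poll counts rather than real waiting.

```python
from dataclasses import dataclass, field

# Timing from the text: 5 retries of 2 s (10 s window); waits are poll counts.
SYNC_RETRIES = 5
SYNC_RETRY_SECONDS = 2

@dataclass
class LKM:
    """Hypothetical stand-in for one LKM appliance (not the NetApp LKM API)."""
    name: str
    online: bool = True
    keys: dict = field(default_factory=dict)
    # Constructed replication lag: polls before a key archived on the primary
    # becomes readable from this (secondary) appliance.
    sync_delay_polls: int = 0

def read_from_secondary(secondary, primary, dek_id, attempt):
    """Cluster replication model: the secondary returns the key once the lag
    has elapsed; an offline secondary never does."""
    if not secondary.online:
        return None
    if attempt >= secondary.sync_delay_polls and dek_id in primary.keys:
        secondary.keys[dek_id] = primary.keys[dek_id]
    return secondary.keys.get(dek_id)

def create_dek(dek_id, dek, primary, secondary, log):
    """Archive the DEK on the primary, then confirm it is readable from the
    secondary. Returns the DEK only when both steps succeed; after a
    VAULT_OFFLINE the copy left on the primary is not handed to the switch."""
    if not primary.online:
        log.append(f"{dek_id}: archive to primary LKM failed; operation retried")
        return None
    primary.keys[dek_id] = dek
    for attempt in range(SYNC_RETRIES):
        if read_from_secondary(secondary, primary, dek_id, attempt) == dek:
            return dek
        waited = (attempt + 1) * SYNC_RETRY_SECONDS
        log.append(f"{dek_id}: not yet on secondary LKM after {waited}s")
    log.append(f"{dek_id}: VAULT_OFFLINE; operation retried, primary copy unused")
    return None

def update_dek(dek_id, dek, primary, secondary, log):
    """DEK update follows the same archive-then-synchronize path as creation."""
    return create_dek(dek_id, dek, primary, secondary, log)

def retrieve_dek(dek_id, primary, secondary):
    """Primary when online and reachable, otherwise the clustered secondary."""
    vault = primary if primary.online else secondary
    return vault.keys.get(dek_id) if vault.online else None
```

The switch-side caller should treat only the value returned by `create_dek` as usable; a key that reached the primary but never the secondary stays orphaned in the primary's store, which is the situation the VAULT_OFFLINE retry is meant to resolve.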
DCFM Enterprise User Manual
53-1001775-01
