Brocade Fabric OS Command Reference Manual Supporting Fabric OS v7.0.0 (April 2011)
53-1001764-01
cryptoCfg
--reg -keyvault
Registers the specified key vault (primary or secondary) with the encryption
engines of all nodes present in an encryption group. Upon successful registration,
a connection to the key vault is automatically established. This command is valid
only on the group leader. Registered certificates are distributed from the group
leader to all member nodes in the encryption group. Each node in the encryption
group distributes the certificates to its respective encryption engines.
The following operands are required when registering a key vault:
cert_label
Specifies the key vault certificate label. This is a user-generated name for the
specified key vault. Use the cryptocfg --show -groupcfg command to view the
key vault label after registration is complete.
certfile
Specifies the certificate file. This file must be imported prior to registering the key
vault and reside in the predetermined directory where certificates are stored. In
the case of the HP SKM, this operand specifies the CA file, which is the certificate of
the signing authority on the SKM. Use the --show -file -all command for a listing
of imported certificates.
hostname | ip_address
Specifies the key vault by providing either a host name or IP address. If you are
registering a key vault that is part of an RKM cluster, the value for ip_address is
the virtual IP address for the RKM cluster and not the address of the actual key
vault.
primary | secondary
Specifies the key vault as either primary or secondary. The secondary key vault
serves as backup.
--dereg -keyvault
Removes the registration for a specified key vault. The key vault is identified by
specifying the certificate label. Removing a key vault registration disconnects the
key vault. This command is valid only on the group leader.
cert_label
Specifies the key vault certificate label. This operand is required when removing
the registration for a key vault.
--reg -KACcert
Registers the signed node certificate. After being exported and signed by the
external signing authority, the signed node certificate must be imported back into
the node and registered for a successful two-way certificate exchange with the
key vault. This command is valid only on the group leader.
Registration functions need to be invoked on all the nodes in a DEK cluster for
their respective signed node certificates. The following operands are required:
signed_certfile
Specifies the name of the signed node certificate to be reimported.
primary | secondary
Specifies the signing key vault as primary or secondary. This operand is valid only
with the NCKA key vault, which requires the CSR to be signed by the primary or
secondary vault. If both primary and secondary vaults are configured, this
command must be run once for the primary and once for the secondary key vault from
every node.
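The registration sequence described above, as an added example that is not part of the original manual. The labels, file names, and IP addresses are constructed placeholders, lines beginning with # are annotations rather than CLI input, and the operand order is assumed to follow the order in which the operands are listed above.

```text
# Run on the group leader. All values below are constructed placeholders.

# 1. Confirm that the key vault certificate files have already been imported.
cryptocfg --show -file -all

# 2. Register the primary key vault, then the secondary (backup) key vault.
#    For a key vault in an RKM cluster, use the cluster's virtual IP address.
cryptocfg --reg -keyvault kv_primary kv_primary_cert.pem 192.0.2.10 primary
cryptocfg --reg -keyvault kv_secondary kv_secondary_cert.pem 192.0.2.11 secondary

# 3. Register the signed node certificate once it has been signed by the
#    external signing authority and imported back into the node.
#    The primary | secondary operand applies to the NCKA key vault only.
#    With both vaults configured, run the command once per vault, and
#    repeat for each node's own signed node certificate.
cryptocfg --reg -KACcert signed_kac_primary.pem primary
cryptocfg --reg -KACcert signed_kac_secondary.pem secondary

# 4. View the registered key vault labels.
cryptocfg --show -groupcfg

# For reference only, not part of the sequence: removing a registration
# by certificate label disconnects that key vault.
cryptocfg --dereg -keyvault kv_secondary
```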
--set -keyvault
Sets the key vault type. This command is valid only on the group leader.