Brocade Fabric OS Encryption Administrator's Guide Supporting Fabric OS v6.2.0 (53-1001201-04, May 2009)

Encryption switch initialization
When setting up a Brocade Encryption Switch or FS8-18 blade for the first time during deployment
for encryption services, and before encryption can be enabled on the switch or blade, you must
perform a series of initialization steps. These steps are performed only once and must be executed
in the order indicated below. Initialization must be performed on every node that is expected to
perform encryption within the fabric.
A node is a Brocade Encryption Switch or a DCX or DCX-4S chassis containing one or more FS8-18
encryption blades. A node is identified by the switch IP address and by the switch WWN, which is
subsequently referred to as the node WWN.
NOTE
The initialization process overwrites any authentication data and certificates that reside on the node and the security processor. This means that existing key encryption keys (KEKs), such as link keys or master keys, are erased. If this is not a first-time initialization, make sure to export the master key by running cryptocfg --exportmasterkey and cryptocfg --export -scp -currentMK before running cryptocfg --initEE. If this encryption engine was configured with an LKM key vault, you will need to reconfigure the key vault to regenerate the Trusted Link after running cryptocfg --initEE. Refer to the section "Key vault configuration" on page 107 for instructions.
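The ordering this note and the procedure below impose (export master keys before a re-initialization, zeroize, recover the faulted engine, then initialize) is easy to get wrong when typed by hand on a production fabric. The following script is an added example, not part of the Brocade guide, that emits the Fabric OS command sequence for one node so it can be reviewed, or piped to the switch over ssh, before anything irreversible runs. The function name plan_init, the switch/blade/first-time arguments and the <host> <user> <path> placeholders on the export line are assumptions of this example; the command names themselves are the ones the guide uses.

```shell
#!/usr/bin/env bash
# Added example (not Brocade's own tooling): build the ordered Fabric OS
# command sequence for initializing one encryption node.
#
# plan_init <switch|blade> [slot] [first-time: yes|no]
#   switch      a Brocade Encryption Switch (recovered by reboot)
#   blade       an FS8-18 blade in a DCX/DCX-4S (recovered by slot power-cycle)
#   slot        required for a blade, numeric
#   first-time  "no" adds the master-key export steps, since zeroization
#               erases link keys and master keys (the guide's NOTE)
# Prints one command per line in the order the guide requires; returns 1
# on invalid input so nothing is emitted for a malformed request.
plan_init() {
    local kind="$1" slot="${2:-}" first="${3:-yes}"
    local slotarg=""
    case "$kind" in
        blade)
            case "$slot" in
                ''|*[!0-9]*) echo "blade requires a numeric slot" >&2; return 1 ;;
            esac
            slotarg=" $slot"
            ;;
        switch) ;;
        *) echo "kind must be switch or blade" >&2; return 1 ;;
    esac

    # Not a first-time init: keys on the node are about to be erased, so the
    # master key must be exported first. Host/user/path are placeholders to
    # fill in (assumed format of the -scp export, see the guide's NOTE).
    if [ "$first" = "no" ]; then
        echo "cryptocfg --exportmasterkey"
        echo "cryptocfg --export -scp -currentMK <host> <user> <path>"
    fi

    # Step 2: zeroize all CSPs (slot number only for a blade).
    echo "cryptocfg --zeroizeEE$slotarg"

    # Step 3: zeroization leaves the engine faulted; recover per engine type.
    if [ "$kind" = "blade" ]; then
        echo "slotpoweroff $slot"
        echo "slotpoweron $slot"
    else
        echo "reboot"
    fi

    # Step 5: initialize the node (step 4, clock sync, is a manual check).
    echo "cryptocfg --initnode"
}

# Usage: review the plan, then feed it to the switch, e.g.
#   plan_init blade 3 no                      # print for review
#   plan_init switch | ssh admin@<switch-ip>  # assumed delivery method
```

Run the plan through once in review mode first: the export line carries placeholders that must be replaced with a real scp destination, and step 4 (bringing the node clock in sync with the encryption group before --initnode) is deliberately left out of the script because an automated clock change that moves time backwards would invalidate the node's certificates.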
Initializing an encryption switch
Take the following steps to initialize an encryption switch or blade.
1. Log into the switch as Admin or SecurityAdmin.
2. Zeroize all critical security parameters (CSPs) on the switch by entering the cryptocfg --zeroizeEE command. Provide a slot number if the encryption engine is a blade.
   SecurityAdmin:switch>cryptocfg --zeroizeEE
   This will zeroize all critical security parameters
   ARE YOU SURE (yes, y, no, n): [no]y
   Operation succeeded.
3. Zeroization leaves the switch or blade faulted. Perform the appropriate action depending on whether the encryption engine is a switch or a blade:
   When the encryption engine is a Brocade Encryption Switch, reboot the switch.
   When the encryption engine is an FS8-18 blade, issue the slotpoweroff <slot number> command followed by the slotpoweron <slot number> command.
4. Before initializing the node, adjust its date and time as needed so that it is in sync with the encryption group it is being added to.
NOTE
Setting the date or time to a value earlier than the time in effect at node initialization invalidates all certificates and causes key vault operations to fail for that member node.
5. Initialize the node by entering the cryptocfg --initnode command. This step is not necessary when adding a new blade to a DCX or DCX-4S that already contains previously configured encryption engines. Successful execution generates the following security parameters and certificates:
Node CP certificate
Key authentication center (KAC) certificate