Data Center Fabric Manager Professional User Manual - Supporting DCFM 10.3.x (53-1001355-01, October 2009)

DCFM Professional User Manual 435
53-1001355-01
Establishing the trusted link
A
2. To add the encryption group leader to an LKM appliance third party key sharing group, enter
lkmserver add
--type third-party --key-sharing-group "/" followed by the group leader IP
address.
lkm-1>lkmserver add --type third-party --key-sharing-group \
"/" 10.32.244.71
NOTICE: LKM Server third-party 10.32.244.71 added.
Cleartext connections not allowed.
3. From the external host, enter echo lkmserver set <group leader IP address> ‘cat
kac_cert_lkm.pem’ | ssh -l admin <LKM IP address> to register the KAC LKM certificate you
exported from the group leader with the NetApp LKM appliance.
host$echo lkmserver certificate set 10.32.244.71 \
‘cat kac_lkm_cert.pem‘ | ssh -l admin 10.33.54.231
Pseudo-terminal will not be allocated because stdinis not a terminal.
admin@10.33.54.231's password:
Checking system tamper status:
No physical intrusion detected.
NOTICE: LKM Peer '10.32.244.71' certificate is set
4. Select the Link Keys tab on the Encryption Group Properties dialog box.
The switch name displays in the link status table under Switch, with a Link Key Status of Link
Key requested, pending LKM approval.
5. Select the switch, and click Establish.
This results in a Trusted link establishment package (TEP), which is needed to establish the
trusted link between the switch and the LKM appliance.
6. Launch the NetApp DataFort Management Console (DMC) and click the View Unapproved
Trustees tab.
The switch is listed as openkey_trustee_<ip address>, where the IP address is the switch IP
address entered in step 2.
7. Select the switch, and click Approve and Create TAP.
The Approve TEP dialog box displays. The TEP must be approved before a TAP can be created.
8. Provide a label in the dialog box and click Approve to approve the TEP.
A list of recovery cards and recovery officers is displayed. TEP approval is done by a quorum of
recovery officers, using assigned recovery cards. Each recovery officer must individually insert
one of listed recovery cards into a card reader attached to the PC or workstation, enter the
password for that card, and click Start. The procedure is repeated until a quorum of recovery
officers has approved the TEP.
9. Save the TAP to a file (location does not matter).
10. Select the Link Keys tab on the Encryption Group Properties dialog box.
11. Select the switch in the link key status table, and click Accept to retrieve the TAP from the LKM
appliance.
12. Repeat the above steps for the each of the remaining member nodes.