Cisco AJ732A - MDS 9134 Fabric Switch Configuration Manual page 263

Appendix D RSA Key Manager and Cisco SME
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m
Run the following database scripts from the database administrative console:
Step 5
For the key catalog on PostgresSQL, run postgres-kmc-rkm-pre-migrate.sql.
•
For the key catalog on Oracle Express, run oracle-kmc-rkm-pre-migrate.sql.
•
These scripts are packaged in Cisco Fabric Manager CD as of NX-OS Software Release 4.1(1).
Install RKM on the system allocated for this purpose.
Step 6
RKM can be installed and configured separately. Ensure that RKM is ready prior to the start of the
migration in order to decrease downtime.
Configure the certificates for RKM and identify the following certificate files:
sme_rkm_client.jks
•
sme_rkm_trust.jks
•
Copy the two certificate files on the Cisco Fabric Manager Server system.
Step 7
Copy the two files in the certificate store directory. Go to the SME tab on the Fabric Manager Web Client
and choose Key Manager Settings to view the actual directory.
The default certificate store (Windows) is at C:\Program Files\Cisco Systems\MDS 9000\conf\cert\.
Note
Start Cisco Fabric Manager, which starts Cisco KMC.
Step 8
Go to the SME tab on the Fabric Manager Web Client and choose Key Manager Settings.
Step 9
Select RSA as the key manager and configure the IP address and port for RKM.
Step 10
Go to the Accounting Log and monitor the log messages until "Synchronization Complete for Cluster"
Step 11
is displayed.
Create and import all the volume group keys from the password-protected files.
Step 12
Run the following post-migration scripts to delete the keys in the Cisco KMC key database:
Step 13
• For the key catalog previously on PostgresSQL, run postgres-kmc-rkm-post-migrate.sql
• For the key catalog previously on Oracle Express, run oracle-kmc-rkm-post-migrate.sql
These scripts are packaged in the Cisco Fabric Manager CD as of NX-OS Software Release 4.1(1)
Restart any backup applications and jobs that were deactivated or suspended before the migration.
Step 14
In Cisco MDS 9000 SAN-OS Software Releases 3.2(3a) and 3.3(1a), the importing of the volume group
Note
leaves all the keys in a deactivated (archived) state, and after the migration, the tapes can be restored but
cannot be used for active encryption.
In Cisco MDS 9000 NX-OS Software Release 4.1(1c) and later, the keys are restored in the same state
Note
(active or deactivated) as before the migration.
OL-18091-01, Cisco MDS NX-OS Release 4.x
Cisco MDS 9000 Family Storage Media Encryption Configuration Guide
Migrating From Cisco KMC to RKM
D-9