
Disk Encryption User Guide

OceanStor Dorado V3 Series V300R001

This document is applicable to OceanStor Dorado5000 V3, Dorado6000 V3 and Dorado18000 V3. This document introduces how to install and configure key management servers connected to the storage systems that use self-encrypting disks.
Connecting the Key Management Server with the Storage Array

After a key management server cluster is created, you need to connect the key management server with the storage array so that the disk encryption service can be provided for the storage system.

Creating a Domain

You can create a domain to protect and limit usage of keys and security objects in a group and client that belongs to the domain. The domain can logically isolate key management on different devices.

Prerequisites

The number of domains created does not exceed the number supported by the license. You can log in to the system as a security officer to view the number of domains in the license.

Context

You only need to create a domain on either key management server in the cluster. After the domain is created, its information is synchronized to the other key management server automatically.

Procedure
  1. Log in to the key management server web interface as an officer.
  2. Click the Domains tab.

    The Domains page is displayed.

  3. Click Add Domain.

    The Add User page is displayed, as shown in Figure 3-66.

    Figure 3-66 Creating a domain

  4. Set the domain name and description.

    The domain name rule is as follows:

    • The domain name contains a maximum of 192 characters.
    • The domain name can consist of multi-level names. The format is node1.node2.nodeN.TLD. TLD indicates the top-level domain name, for example, com or org.
    • TLD contains at least two characters.
    • Each separate level of domain name contains a maximum of 63 characters and must start and end with a letter or digit.
    NOTE:

    In this example, set Name to test.com.

  5. Click Add Domain.

    The new domain is displayed in the domain list.
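The four domain-name rules above can be checked before the name is typed into the Add Domain page. The following Python validator is an added example, not code from the user guide or from Huawei; it assumes that hyphens are permitted inside a level (the guide only states that each level must start and end with a letter or digit) and treats any other character as a violation.

```python
import re

# Rules taken from the user guide; the values are the guide's, not protocol constants.
MAX_DOMAIN_LEN = 192   # whole name, including the dots
MAX_LABEL_LEN = 63     # each separate level
MIN_TLD_LEN = 2        # top-level domain, e.g. com or org

# One level: starts and ends with a letter or digit; hyphens inside are an
# assumption of this example (the guide does not say what may appear between).
_LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_domain_name(name: str) -> list[str]:
    """Return every rule the name breaks; an empty list means the name is acceptable."""
    problems = []
    if len(name) > MAX_DOMAIN_LEN:
        problems.append(f"name is {len(name)} characters, limit is {MAX_DOMAIN_LEN}")

    labels = name.split(".")
    # node1.node2.nodeN.TLD needs at least two levels and no empty level.
    if len(labels) < 2 or any(label == "" for label in labels):
        problems.append("name must be of the form node1.node2.nodeN.TLD with no empty level")
        return problems

    for i, label in enumerate(labels, start=1):
        if len(label) > MAX_LABEL_LEN:
            problems.append(f"level {i} is {len(label)} characters, limit is {MAX_LABEL_LEN}")
        elif not _LABEL_RE.match(label):
            problems.append(f"level {i} ({label!r}) must start and end with a letter or digit")

    tld = labels[-1]
    if len(tld) < MIN_TLD_LEN:
        problems.append(f"TLD {tld!r} is shorter than {MIN_TLD_LEN} characters")
    return problems


def is_valid_domain_name(name: str) -> bool:
    """True when the name satisfies all rules from the user guide."""
    return not validate_domain_name(name)


if __name__ == "__main__":
    # The guide's own example plus a few constructed rejects.
    for candidate in ("test.com", "com", "test.c", "-bad.com", "a" * 64 + ".com"):
        print(f"{candidate[:20]!r:>24}: {validate_domain_name(candidate) or 'ok'}")
```

The validator reports every violated rule rather than stopping at the first one, so a rejected name can be corrected in one pass.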

Creating a KMIP Group

The group is used to logically organize and manage keys and the KMIP client.

Prerequisites

A domain has been created on the key management server.

Context

You only need to create a group on either key management server in the cluster. After the domain is created, its information is synchronized to the other key management server automatically.

Procedure
  1. Log in to the key management server web interface as an officer.
  2. Click the Groups tab.

    The Groups page is displayed.

  3. Click Add Group.

    The Add Groups page is displayed, as shown in Figure 3-67.

    Figure 3-67 Creating a group

  4. Configure parameters of the group.

    Table 3-15 Parameters of the group

    Name        | Description                                                                              | Value
    ------------|------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------
    Group type  | Group type, including KMIP and P1619. For Huawei storage devices, only KMIP is supported. | [Example] KMIP
    Name        | Group name                                                                               | [Value range] 5 to 255 characters, including letters, digits, dashes, and underscores. Hexadecimal character strings are supported; the value must contain uppercase letters. [Example] admin
    Description | Description of the group                                                                 | [Example] group
    Domain      | Domain specified for the group                                                           | [Example] test.com

  5. Click Add Group.

    The new domain is displayed in the domain list.

Creating a Group Manager

A group manager is used to register and manage the KMIP client.

Prerequisites
  • A group has been created on the key management server.
  • Each group manager must be allocated to at least one group.
Context

You must create the Group Manager on both key management servers separately.

Procedure
  1. Add the group manager as user admin.

    1. Log in to the key management server web interface as user admin.
    2. Click the Users tab and select Add User.

      The Add User page is displayed, as shown in Figure 3-68.

      Figure 3-68 Creating a group manager

    3. Set the parameters.
      Table 3-16 Setting parameters of unassigned users

      Name                  | Description                                                                                                   | Value
      ----------------------|---------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------
      Login name            | User name                                                                                                     | [Value range] A maximum of 32 characters. [Example] groupmanager2
      Description           | User description                                                                                              | [Example] user
      Role                  | User role. Set the parameter to Unassigned.                                                                   | [Example] Unassigned
      Password expiration   | Password expiration date                                                                                      | [Example] Never
      Auto-Logout           | Automatic logout duration. If no operation is performed during this period, the user automatically logs out.  | [Example] 5
      Email address         | Email address used by the new user to receive messages                                                        | [Example] xxx@xxx.com
      Confirm Email address | -                                                                                                             | -

    4. Click Add User.

      The new user will be added to the existing user list, and the system displays a random password for the new user. Record the password and save it properly, as shown in Figure 3-69.

    Figure 3-69 Group manager created successfully

  2. Assign a role and the permission for the new user as an officer.

    1. Log in to the key management server web interface as an officer.
    2. Click the Users tab.

      The Users page is displayed.

    3. Find the new user in the user list and click its name.

      The Edit User page is displayed, as shown in Figure 3-70.

      Figure 3-70 Setting user permission

    4. Set parameters.
      Table 3-17 Parameters for setting user permission

      Name                           | Description                                                                                                                                                                   | Value
      -------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------
      User smart card authentication | Whether to enable smart card authentication of the user                                                                                                                       | [Example] Disable
      Role                           | Specified user role: Officer (security officer), Manager (group manager), Recovery (recovery officer), or Audit (audit officer). Set the parameter to Manager.                 | [Example] Manager
      Manageable group               | Select a group managed by the group manager.                                                                                                                                  | [Example] storagepoc.com/kmipgroup
      Visible group                  | Select groups that can be viewed by the group manager. The group manager has read-only permission on these groups.                                                            | [Example] storagepoc.com/kmipgroup2

    5. Click Save.

  3. Change the passwords of the created group manager users.

    1. Log in to the web interface using the user name of a created group manager and the recorded random password.
    2. Click the Users tab.

      The Change User Password page is displayed, as shown in Figure 3-71.

      Figure 3-71 Changing the password

    3. In Old password, enter the current login password. In New password and Confirm password, enter the new password. Click Change Password.

      You have finished changing the password.

Creating a KMIP Client

Storage devices (functioning as KMIP clients) need to be added to the key management server using the web management interface.

Prerequisites

The number of KMIP clients cannot exceed the maximum value allowed by the license.

Context

You must create the KMIP Client on both key management servers separately.

Procedure
  1. Log in to the key management server web interface as a group manager.
  2. Choose Clients > KMIP Clients.

    The KMIP Clients page is displayed.

  3. Click Add Client.

    The KMIP Clients page is displayed, as shown in Figure 3-72.

    Figure 3-72 Creating a KMIP client

  4. Set the parameters.

    Table 3-18 KMIP client parameters

    Name            | Description                                                                                                  | Value
    ----------------|--------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------
    Name            | Client name.                                                                                                 | [Value range] Not longer than 32 characters. [Example] KMIP_Client_1
    Group           | Group to which the client belongs. A KMIP client belongs to only one group and cannot be reassigned to another group. | [Example] kmipdomian1/kmipD1G1
    Description     | Client description.                                                                                          | [Example] Adding KMIP Client to Group kmipD1G1
    Password        | Password for connecting to the client.                                                                       | [Example] KMIPClient_1
    Verify password | Confirms the password for connecting to the client.                                                          | [Example] KMIPClient_1
    Profile         | Manufacturer of the storage system. Select Huawei OceanStor.                                                 | [Example] Huawei OceanStor

  5. Click Add Client.

    The new client will be added to the client list.

Certificate Signature Authentication

Generating and Exporting a Certificate on the Storage System

This section describes how to generate and export a certificate required to enable the disk encryption function on the storage system.

Context

The certificate generated on the storage system has no signatures, and the certificate takes effect only when it is signed on the key management server.

Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > Value-added Service Settings > Credential Management.
  3. Select the certificate type as Certificate of KMC and the key algorithm as RSA 2048 or RSA 4096, and then click Generate and Export.
Signing a Key Management Server Certificate and Importing the Certificate

This section describes how to sign a key management server certificate and how to export the certificate.

Signing a Certificate
  1. Log in to the key management server web interface as a group manager.
  2. Click the Clients tab.
  3. Import the certificate you want to sign, as shown in the following figure.

  4. Import the to-be-signed certificate that is generated on the storage system and click Sign.

  5. Export the signed certificate.

Exporting a CA Certificate
  1. Log in to the key management server web interface as an officer.
  2. Click the Certificate tab.
  3. Click the CA Certificate tab.
  4. In the View/Export Certificate area, click Export Certificate.

Importing and Activating a Certificate on the Storage System

This section describes how to import and activate a certificate on the storage system, so that the disk encryption function can take effect.

Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > Value-added Service Settings > Credential Management.
  3. Import and activate the certificate.

    1. After the certificate has been signed by the server, click Import and Activate.

      The Import Certificate dialog box is displayed.

    2. Set the certificate type to Certificate of KMC and import the signed certificate and CA certificate. Table 3-19 describes the parameters.
      Table 3-19 Parameters for importing the certificate

      Parameter           | Description                                        | Value
      --------------------|----------------------------------------------------|------------------------------
      Certificate Type    | Type of a certificate                              | [Example] Certificate of KMC
      Certificate File    | Certificate file that has been exported and signed | [Example] signed.crt
      CA Certificate File | Certificate file of a server                       | [Example] hsm.mgmt_ca.crt
      Private Key File    | Private key file of a device                       | [Example] None

    3. Click OK.

      The Warning dialog box is displayed.

    4. Carefully read the content in the dialog box, select I have read and understand the consequences associated with this question, and click OK.

      The Success dialog box is displayed.

    5. Click OK.

      The certificate is imported and activated successfully. In the Credential Management area, you can query the Status, Expire Time, and Expiration Warning Days of the certificate.

Configuring Key Management Servers on a Storage System

Configure key management servers on a storage system, and connect key management servers to the storage system, so that the disk encryption service can function.

Context

A storage system needs two key management servers.

Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > Value-added Service Settings > Key Service.
  3. Select Enable the external key management service.
  4. Add key management servers.

    NOTE:

    A storage array can connect to a maximum of two key management servers that form a cluster. The following example adds either key management server in a cluster to the storage system.

    1. Click Add.

      The Add Server dialog box is displayed.

    2. Enter key management server parameters. Table 3-20 describes the parameters.
      Table 3-20 Key management server parameters

      Parameter   | Description                                                                                                                                                                                         | Value
      ------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------
      Server type | Type of a key management server                                                                                                                                                                     | [Example] Thales KMIP
      Address     | Key management server's domain name or service port IP address. NOTE: This service port IP address is the same as the service port IP address of Data Port 1 that is set during 3.4.1.1 Configuring Network Information. | [Example] 192.168.100.11
      Port        | Port of the key management server. NOTE: This port is the same as the KMIP Server Port that is set in Service Settings during 3.4.1.1 Configuring Network Information.                                | [Value range] 1 to 65535. [Example] 2334

    3. Click OK.
    4. Click Save.

      The Execution Result dialog box is displayed.

    5. Click Close.

  5. Repeat step 4 to add the other key management server in the cluster.
  6. Optional: Select the key management server to be tested and click Test to check whether it is configured successfully.
Updated: 2018-11-01

Document ID: EDOC1000159246

Views: 33215

Downloads: 201

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next