No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Disk Encryption User Guide

OceanStor Dorado V3 Series V300R001

This document is applicable to OceanStor Dorado5000 V3, Dorado6000 V3 and Dorado18000 V3. This document introduces how to install and configure key management servers connected to the storage systems that use self-encrypting disks.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Initializing a Key Management Server

Initializing a Key Management Server

Initializing a key management server includes configuring the network and time, generating a system key, generating CA and SSL certificates, importing licenses, configuring the NTP server, and configuring the NFS server.

NOTE:

Both of the two key management servers need initial configurations.

Configuring Network Information

Before using the key management server, users need to configure network information including ports.

Prerequisites

Only administrators can configure the key management server network.

Context

The default user name and password of the administrator role are admin and password123 respectively. The following procedure uses the default user name as an example.

Procedure
  1. Log in to the key management server management interface as an administrator. For details, see Logging In to the Key Management Server Management Interface Through the Serial Port.
  2. Select Network and press Enter.

    The Network Properties dialog box is displayed, as shown in Figure 3-10.

    Figure 3-10 Network Properties

  3. Set network parameters.

    1. On the Management Interface tab page, enter the management port IP address, subnet mask, and gateway of the key management server.
      NOTE:

      Check that the management port IP address of the key management server can communicate with that of the storage system.

    2. On the Data Port 1 tab page, enter the service port IP address, subnet mask, and gateway of the key management server.
      NOTE:

      Check that the service port IP addresses of the two key management servers can communicate with each other.

    3. On the Common Settings tab page, set the host name and domain name.
    4. On the Service Settings tab page, enable SSH, HTTPS, and KMIP services, and set their ports to 22, 443, and 5696.
    NOTE:

    If the license is not imported or has expired, the KMIP service may not be started. Refer to Importing a License File to import the license and start this service.

  4. Click OK.

    The Please Wait dialog box is displayed. Wait for the Confirmation dialog box to display, as shown in Figure 3-11.

    Figure 3-11 Successful network configuration

  5. Click OK.

    You have completed the network configuration.

Configuring the Time of Key Management Servers

The time zone, date, and time of the key management servers must be the same as those of the storage system to ensure proper data encryption and decryption.

Prerequisites

Only administrators can configure time of the key management servers.

Procedure
  1. Log in as the admin user to the key management server's management interface via the serial port.
  2. Select Date & Time and press Enter.

    The Date & Time page is displayed, as shown in Figure 3-12.

    Figure 3-12 Time configuration page

  3. Configure the Time Zone, Date, and Time.

    NOTE:

    Configure these parameters based on the current time to avoid security certificate expiration.

  4. Select OK and press Enter.

    The Please Wait dialog box is displayed. Wait until the Confirmation dialog box is displayed, as shown in Figure 3-13.

    Figure 3-13 Time configured successfully

  5. Press Enter.

    The time configuration is completed.

Follow-up Procedure

Configuring the NTP Server to ensure that the time of the key management server and the storage system is the same.

Generating a System Key

A system key is used to encrypt information on a key management server, which is important for the disk encryption service. After being generated, the system key is stored on the key management server.

Prerequisites

Only a security officer can perform this operation.

Precautions

The key management server has built-in batteries, but if the external power source is cut off, the system key will be automatically destroyed five days later. The key management server cannot work properly after being powered on again unless the system key is restored. Therefore, the system key needs to be backed up in a timely manner. For details, see Backing Up the Source Key Management Server System Key to the Smart Card.

Procedure
  1. Log in to the key management server management interface as user officer through a serial port.

    See Figure 3-14.

    Figure 3-14 Key management server management interface

  2. Select System Key and press Enter.

    The System Key window is displayed, as shown in Figure 3-15.

    Figure 3-15 Generating a system key

  3. Select Generate New and click OK.

    The Warning window is displayed.

  4. Click Yes.

    The Please Wait dialog box is displayed. Wait till the Messages dialog box is displayed, as shown in Figure 3-16.

    Figure 3-16 Successful configuration

  5. Click OK.

    The system key is generated successfully.

Generating a CA Root Certificate

The CA root certificate is used to sign certificates exported from the key management server and storage system, authenticating the communication between the key management server and the storage system.

Prerequisites
Precautions

Changing the root certificate will make all certificates on the key management server become invalid. Exercise caution when performing this operation.

Procedure
  1. Log in as an officer to the key management server's management interface via the serial port.

    Figure 3-17 shows the management interface.

    Figure 3-17 Management interface of the key management server

  2. Select CA Certificate and press Enter.

    The Warning page is displayed.

  3. Click OK.

    The CA Certificate page is displayed, as shown in Figure 3-18.

    Figure 3-18 Management interface of the CA root certificate

  4. Configure CA root certificate parameters. Table 3-3 describes the parameters.

    NOTE:

    You can press Tab to move to the next parameter.

    Table 3-3 CA root certificate parameters

    Parameter

    Description

    Value

    Country

    ISO country code of the CA certificate user

    [Example]

    CN

    State

    Province where the CA certificate user locates

    [Example]

    SC

    City

    City where the CA certificate user locates

    [Example]

    CD

    Organization

    Organization that uses the CA root certificate

    [Example]

    HW

    Department

    Department that uses the CA root certificate

    The value cannot contain slashes, periods, or commas.

    [Example]

    ST

    Common Name

    Name of the CA root certificate

    [Example]

    thales170_ssl

    Email

    Email used to receive the CA root certificate

    [Example]

    test@thalessec.com

    Days

    Validity period of the CA root certificate. Communication will fail if the certificate expires. Update it in time.

    [Default value]

    730

    [Recommended value]

    3650

  5. Select Generate Certificate and click OK.

    The Confirm page is displayed.

  6. Click OK.

    The Confirmation page is displayed.

  7. Click OK.

    The Please Wait dialog box is displayed. Wait until the Messages dialog box is displayed, as shown in Figure 3-19.

    Figure 3-19 CA certificate generated successfully

  8. Click OK.

    The CA certificate is generated successfully.

    NOTE:

    After the CA certificate is generated, the CA service is activated concurrently.

Generating an SSL Certificate

An SSL certificate is used to ensure communication between a key management server and a storage system through the TLS protocol, and to allow the access to a key management server through web browsers.

Prerequisites
Procedure
  1. Log in as an officer to the key management server's management interface via the serial port.

    See Figure 3-20.

    Figure 3-20 Key management server's management interface

  2. Select SSL Certificate and press Enter.

    The Warning dialog box is displayed.

  3. Click OK.

    The SSL Certificate window is displayed, as shown in Figure 3-21.

    Figure 3-21 SSL certificate

  4. Configure parameters for the SSL certificate.

    • Set Country to your country code defined by ISO, such as CN and US.
    • Set Common Name to the SSL certificate name.
    • Set Days indicate the certificate validity period, which is 730 days by default. Renew your certificate in time, because communication will be affected, if the certificate expires.
    NOTE:

    The Common Name of the SSL certificate cannot be the same as the CA name. If they are the same, the HTTPS service cannot be enabled.

  5. Select Generate certificate and Use for web server, and click OK.

    NOTE:

    If Use for web server is not selected, logins to the key management server through HTTP will fail.

    The Confirmation window is displayed.

  6. Click OK.

    The Please Wait dialog box is displayed. Wait till the Confirmation window is displayed, as shown in Figure 3-22.

    Figure 3-22 Successfully generating an SSL certificate

  7. Click OK.

    The SSL certificate is generated successfully.

Importing a License File

A key management server can function properly only after the required licenses are imported to it.

Prerequisites
  • Only security officers can perform this operation.
  • You have obtained the license compressed files.
  • Each key management server requires the matched license files.
Context

The license for a key management server has two types of license files: Replication and Domain Code integrated in the same license file, or Replication and Domain Code presented in separate license files. The former type requires importing one license file and the latter requires importing both of the two files.

Procedure
  1. Log in to the key management server web interface as an officer. For details, see Logging In to the Key Management Server Through the Management Port.
  2. Select Summary and confirm the key management server information.
  3. Decompress the matched license files and obtain the license file serial numbers from the decompressed .txt files.

    NOTE:

    The name of the license compressed file is EM-002210.rar. Choose the package base on the real circumstances.

  4. Click the Licensing tab.

    See Figure 3-23.

    Figure 3-23 Importing a license file

  5. In the Add License area, enter the license file serial number in License Code.
  6. Click Add.

    The system indicates that the license file has been imported, and the license will be added to the license list.

Verifying the Service Status

Only when services are enabled on a key management server can its functions work normally. To guarantee smooth functioning, ensure that services are enabled.

Prerequisites

Only a security officer can perform this operation.

Procedure
  1. Log in to the key management server management interface as user officer through a serial port.
  2. Select Services and press Enter.

    The Services window is displayed, as shown in Figure 3-24.

    Figure 3-24 Service status

  3. Check the status of each service, and make sure they are consistent with the status in the network configuration.

Configuring the NTP Server

To ensure that the key management server and the storage system have the same time, configure the same NTP server on the key management server as the storage system.

Prerequisites
  • Only administrators can perform this operation.
  • The NTP server has been configured on the storage system.
  • The key management server and the storage system use the same NTP server to synchronize time.
Procedure
  1. Log in to the key management server web interface as an administrator.
  2. Click the Date & Time tab.

    Figure 3-25 shows the Date & Time tab page.

    Figure 3-25 NTP server configuration

  3. Under NTP Configuration area, configure the NTP server parameters. and

    1. Select Enable.
    2. Enter the NTP server IP address in Add Host or IP, and then click Add.
    NOTE:

    If multiple NTP servers are configured on the storage system, configure the same NTP servers on the key management servers.

    The added NTP servers will appear on the NTP server list of the key management server web interface.

  4. Click Save to save the NTP server configuration.

Configuring the Backup Server

To back up the key management server configuration, configure a backup server for the key management servers.

Prerequisites
  • Only security officers can perform this operation.
  • The backup server has been deployed and communicates properly with the key management servers.
NOTE:

Both NFS and SCP servers are supported. You must configure the NFS server properly. For details, see Configuring the Linux NFS Server or Configuring the Solaris NFS Server.

Context

Configure the same NFS server for the two key management servers.

Procedure
  1. Log in to the key management server web interface as an officer using a browser.
  2. Click the Backup tab.

    Figure 3-26 shows the Backup tab page.

    Figure 3-26 NFS server configuration

  3. Under Device, set Protocol to NFS. In NFS Server, Folder, and User ID, enter the IP address, backup path, and user name of the NFS server.
  4. Click Test Connection to test the connection between the NFS and the key management servers.
  5. Click Save Device to save the NFS server configuration.

Configuring Alarm Notification

The key management server collects events and logs when services are running. In addition, events and logs can be forwarded to the SNMP or Syslog server, facilitating fault analysis when a fault occurs.

Creating an Audit User

Create a user Audit Officer for the subsequent configuration of alarm notification.

Prerequisites

Create at least two users in the role of security officer and two users in the role of recovery officer. Then you can manage and configure the key management server using the newly created users, in case that passwords of user officer and user recovery are forgotten.

Procedure
  1. Add users using user admin.

    1. Log in to the key management server web interface as user admin.
    2. Click the Users tab and click Add User.

      The Add User window is displayed, as shown in Figure 3-27.

      Figure 3-27 Creating a user

    3. Set parameters.
      Table 3-4 Unassigned user parameters

      Name

      Description

      Value

      Login name

      User name

      [Value range]

      The user name can contain a maximum of 32 characters.

      [Example]

      admin2

      Description

      User description

      [Example]

      User

      Role

      Role of a user. Possible values are as follows:

      • Administrator
      • Unassigned

      In this case, set the role to Unassigned.

      [Example]

      Unassigned

      Password expiration

      Password validity period

      [Example]

      120 days

      Auto-Logout

      Automatic logout time If no operations are performed on the system in the set duration time, the user automatically logs out.

      [Value range]

      5 minutes to 50 minutes

      [Example]

      5

      Email address

      Email address used by the new user to receive messages

      [Example]

      xxx@xxx.com

      Confirm Email address

    4. Click Add User.

      The newly created users will be added to the existing user list. Passwords are randomly generated and prompted on the interface. Record the passwords for follow-up use, as shown in Figure 3-28.

    Figure 3-28 Successfully creating a user

  2. Use user officer to assign roles and permissions to the new users.

    1. Log in to the key management server web interface as user officer.
    2. Click the User tab.

      The Users window is displayed.

    3. Find a newly created user in the user list and click its user name.

      The Edit User window is displayed, as shown in Figure 3-29.

      Figure 3-29 Configuring user permissions

    4. Set parameters.
      Table 3-5 User parameters

      Name

      Description

      Value

      User smart card authentication

      Enable or disable user smart card authentication.

      [Example]

      Disable

      Role

      Specify a role for a user.

      • Officer: The user's role is a security officer.
      • Manager: The user's role is a group manager.
      • Recovery: The user's role is a recovery officer.
      • Audit: The user's role is an audit officer.

      [Example]

      Manager

      Manageable group

      Select groups to be managed by a group manager.

      [Example]

      storagepoc.com/kmipgroup2

      Visible group

      Select groups to be visible to a group manager. A group manager only has the read permission for these groups.

      [Example]

      storagepoc.com/kmipgroup

    5. Click Save.

  3. Log in to the key management server web interface using a newly created user and the system generated password, and change the passwords following the Changing Passwords.
Configuring the SNMP Server

After an SNMP server is configured, events and logs generated on the key management server will be forwarded to the SNMP server.

Prerequisites
  • An SNMP server has been deployed and it communicates with the key management server properly.
  • Only an auditor can perform this operation.
Procedure
  1. Log in to the key management server web interface as an auditor.
  2. Choose Remote Notification > SNMP.

    The SNMP Trapsink Configuration dialog box is displayed.

  3. Configure parameters for the SNMP server. Table 3-6 shows the parameters.

    Table 3-6 SNMP server parameters

    Parameter

    Description

    Setting

    Host or IP

    Host name or IP address of the SNMP server

    [Example]

    192.168.20.3

    Community

    Community name of the SNMP server

    [Example]

    public

    Port

    Port on the SNMP server for receiving alarm information

    [Example]

    162

  4. Click Add.

    The added SNMP server is displayed in the SNMP Trapsink Configuration dialog box.

  5. Set a type and level of logs that are to be forwarded to the SNMP server.

    NOTE:

    All SNMP servers use the same log type and level.

    1. In Host or IP, click the IP address of any SNMP server.

      A page is displayed prompting you to set the log type and level.

    2. Select Event Component and the corresponding Severity.
      • The key management server collects logs and events from various internal sub-systems that are called components. For example, a sub-system whose Event Component is labeled as Backup/Restore will trigger the logs and events corresponding to backup operations.
      • Each event or log has a level, which can be Information, Warning, Error, Critical, or Emergency.
      NOTE:

      You are advised to set Severity to Error or a higher level.

    3. Click Save.

Follow-up Procedure

After the SNMP server is configured, you can use a third-party trap NMS to view the logs and events to be forwarded. Set the SNMP protocol of the third-party trap NMS to SNMPv2.

Configuring Syslog Notification

After a Syslog server is configured, events and logs generated on the key management server will be forwarded to the Syslog server.

Prerequisites
  • A Syslog server has been deployed and it communicates with the key management server properly.
  • Only an auditor can perform this operation.
Procedure
  1. Log in to the key management server web interface as an auditor.
  2. Choose Remote Notification > Remote Syslog.

    The Remote Syslog Configuration dialog box is displayed.

  3. In the Add Remote Syslog Server area, configure parameters of the Syslog server. Table 3-7 shows the parameters.

    Table 3-7 Syslog server parameters

    Parameter

    Description

    Setting

    Host or IP

    Host name or IP address of the Syslog server

    [Example]

    192.168.20.3

    Secure

    Secure TLS connections established between the Syslog server and the key management server

    NOTE:

    When you create the TLS connection, you need to import the SSL certificate signed by the third-party CA to the key management server.

    [Example]

    Enable

  4. Click Add.

    The added Syslog server is displayed in the Remote Syslog Configuration dialog box.

  5. Set a type and level of logs that are to be forwarded to the Syslog server.

    NOTE:

    All Syslog servers use the same log type and level.

    1. In Host or IP, click the IP address of any Syslog server.

      A page is displayed prompting you to set the log type and level.

    2. Select Event Component and the corresponding Severity.
      • The key management server collects logs and events from various internal sub-systems that are called components. For example, a sub-system whose Event Component is labeled as Backup/Restore will trigger the logs and events corresponding to backup operations.
      • Each event or log has a level, which can be Information, Warning, Error, Critical, or Emergency.
      NOTE:

      You are advised to set Severity to Error or a higher level.

    3. Click Save.

Periodically Backing Up Configuration Information of a Key Management Server

After a key management server is configured, you need to periodically back up its data so that you can restore the data if an exception occurs.

Prerequisites

An NFS server or SCP server has been configured and the communication between the NFS server and key management server is normal.

Procedure
  1. Log in to the web interface of the source key management server as an officer.
  2. Click the Backup tab.

    The Backup page is displayed, as shown in Figure 3-30.

    Figure 3-30 Backup management page

    NOTE:

    You can back up the configuration information of a key management server using either the NFS or SCP protocol.

    • If you use the NFS protocol, go to Step 3.
    • If you use the SCP protocol, go to Step 4.

  3. Configure the NFS backup server and backup schedule.

    1. In the Device area, configure the NFS backup server information. Table 3-8 describes the parameters.
      Table 3-8 NFS backup server configurations

      Parameter

      Description

      Setting

      Protocol

      Protocol used to upload configuration information to the backup server

      [Example]

      NFS

      NFS Server

      IP address of the NFS server

      [Example]

      192.168.17.81

      Folder

      Save path of the backup information on the NFS server

      [Example]

      /kabackup

      User ID

      Name of the user created on the NFS server

      [Example]

      710

      Click Save Device to save the configurations.

      NOTE:

      You can click Test Connection to test the connection between the NFS and key management servers.

    2. In the Scheduling area, configure a backup schedule. Table 3-9 describes the parameters.
    Table 3-9 Backup schedule

    Parameter

    Description

    Setting

    Days

    Days on which the backup is performed

    NOTE:

    You can press Ctrl to select multiple days in a week.

    [Example]

    Sundays

    Time

    Time at which the backup is performed on the specified days

    [Example]

    12 noon

    Click Save Scheduling to save the configurations. The key management server will automatically back up configuration information to the specified path on the NFS server at the configured point in time.

  4. Configure the SCP backup server and backup schedule.

    1. In the Device area, configure the SCP backup server information. Table 3-10 describes the parameters.
      Table 3-10 SCP backup server configurations

      Parameter

      Description

      Setting

      Protocol

      Protocol used to upload configuration information to the backup server

      [Example]

      SCP

      SCP Server

      IP address of the SCP server

      [Example]

      192.168.17.81

      Port

      Port used by the SCP server

      [Example]

      22

      Username

      User name for logging in to the SCP server

      [Example]

      admin

      Password

      Password for logging in to the SCP server

      [Example]

      Admin@

      Folder

      Save path of the backup information on the SCP server

      [Example]

      /home/admin/scp

      Click Save Device to save the configurations.

      NOTE:

      You can click Test Connection to test the connection between the SCP and key management servers.

    2. In the Scheduling area, configure a backup schedule. Table 3-11 describes the parameters.
    Table 3-11 Backup schedule

    Parameter

    Description

    Setting

    Days

    Days on which the backup is performed

    NOTE:

    You can press Ctrl to select multiple days in a week.

    [Example]

    Sundays

    Time

    Time at which the backup is performed on the specified days

    [Example]

    12 noon

    Click Save Scheduling to save the configurations. The key management server will automatically back up configuration information to the specified path on the SCP server at the configured point in time.

  5. After the settings are complete, click Backup Now.
  6. Optional: Click the Logs tab to view the backup information generated in the specified point in time.
Translation
Download
Updated: 2018-11-01

Document ID: EDOC1000159246

Views: 33021

Downloads: 199

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next