Disk Encryption User Guide

OceanStor Dorado V3 Series V300R001

This document is applicable to OceanStor Dorado5000 V3, Dorado6000 V3 and Dorado18000 V3. This document introduces how to install and configure key management servers connected to the storage systems that use self-encrypting disks.
Initializing Configurations

Initializing configurations includes setting the network and time of the key management server, importing licenses, configuring the KMIP server, and configuring the NTP server.

To ensure that both key management servers can provide key management services, initialize the configurations on both of them.

Initializing a Key Management Server

You need to initialize the key management server before using it, which includes setting the management network port IP address and the time.

Prerequisites
  • The maintenance terminal has been connected to the key management server through the serial port.
NOTE:

If the maintenance terminal has no serial port, use the USB-to-serial cable to connect the maintenance terminal to the serial port of the key management server.

  • The maintenance terminal has an unused serial port.
  • Serial port communication software has been installed on the maintenance terminal. This document uses PuTTY as an example.
Context

Both key management servers need to be initialized.

Procedure
  1. Log in to the key management server CLI through the serial port.

    1. Run PuTTY.
    2. Choose Connection > Serial.

      Enter the PuTTY configuration interface, as shown in Figure 4-6.

      Figure 4-6 Serial port setting

    3. Set Serial line to connect to to the serial port on the maintenance terminal that is connected to the key management server, set Speed (baud) to 19200, and click Open.

      The CLI of the key management server is displayed.

  2. Enter y and press Enter.

    You are then prompted for the password of user admin, as shown in Figure 4-7.

    Figure 4-7 Setting a password for the user

  3. Set a password for user admin and enter it again to confirm.

    The system reports that the information of user admin has been updated, as shown in Figure 4-8.

    Figure 4-8 Setting the password successfully

  4. Adjust the time zone, date, and time of the key management server.

    The system displays that date and time have been set successfully, as shown in Figure 4-9.

    Figure 4-9 Setting the time zone, date, and time

  5. Set IP address, Subnet mask, Default gateway, and Hostname to the management network port IP address, subnet mask, default gateway, and host name of the key management server.

    You are then asked to confirm the network configuration, as shown in Figure 4-10.

    Figure 4-10 Configuring the network

  6. If the configuration is correct, enter y and press Enter.

    The system displays that the network is configured successfully.

  7. Configure the port number for accessing the key management server using the web administration tool. The default value is 9443. You are advised to keep the default setting, as shown in Figure 4-11.

    Figure 4-11 Port settings

  8. The key management server then restarts automatically, which takes 5 to 10 minutes. After the restart, the system reports that the device has been configured.

    The key management server configurations have been initialized, as shown in Figure 4-12.

    Figure 4-12 Completing the initialization

  9. Repeat Step 1 to Step 8 to initialize the other key management server.

Upgrading a Key Management Server

After initializing the configuration, upgrade the key management server to version 8.6.0 so that the later configuration steps can be performed and the server's functions work as expected.

Prerequisites
  • The upgrade files have been saved in a local directory on the maintenance terminal.
    • You can download the upgrade packages from SafeNet's support site. Access https://gemalto.service-now.com/, register and sign in, and subscribe to KeySecure updates to obtain the packages.
NOTE:

The email address used to register the account must be the same as the one used to purchase the key management server.

  • You can identify the version from the upgrade package name. For example, a package named 630-010469-001_KeySecure_Field_Upgrade_PKG_V8.3.0_RevA.zip can upgrade the server to version 8.3.0.
  • The downloaded package is in the *.zip format. Decompress it and use the IEU file to perform the upgrade.

  • Two key management servers in the cluster need to be upgraded to the same version.
Context

Key management servers are currently delivered with version 8.0.1. Upgrade the key management server to version 8.6.0 in the following sequence, applying each hop in turn:

  1. 8.0.1 -> 8.3.0
  2. 8.3.0 -> 8.5.0
  3. 8.5.0 -> 8.6.0
Procedure
  1. Log in to the key management server web interface as an administrator.
  2. Upgrade the server from 8.0.1 to 8.3.0.

    1. Choose Device > System Information & Upgrade.

      The System Information interface is displayed.

    2. In the Software & License Upgrade/Install area, set Source to Upload from browser, click Browse, and select the upgrade file from the local directory.
    3. Click Upgrade/Install.

      The system starts upgrading and will restart automatically after the upgrade is complete. The whole process takes approximately 10 minutes.

    4. Verify the server version after the upgrade.

      In the System Summary area on the Home page, verify that the value of Software Version is the same as the target version.

  3. Repeat Step 2 to upgrade the key management server from 8.3.0 to 8.5.0, and then again from 8.5.0 to 8.6.0.
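The version field in the package name and the hop-by-hop sequence above can be checked mechanically before anyone clicks Upgrade/Install. The following Go program is an added example, not Huawei or SafeNet tooling: it reads the version from each package name using the field the prerequisites describe, orders the packages along the documented 8.0.1 -> 8.3.0 -> 8.5.0 -> 8.6.0 chain, and refuses to skip a hop, to go backwards, or to accept two packages that claim the same version. Only the 8.3.0 package name is from the guide; the others are constructed on the same pattern.

```go
package main

import (
	"fmt"
	"regexp"
)

// Added example, not Huawei or SafeNet tooling. UpgradeChain is the path the
// guide documents; package names follow the pattern the guide shows.
var UpgradeChain = []string{"8.0.1", "8.3.0", "8.5.0", "8.6.0"}

// pkgVersion matches the "_V8.3.0_" field of a field-upgrade package name.
var pkgVersion = regexp.MustCompile(`_V(\d+\.\d+\.\d+)_`)

// PackageVersion returns the version a package installs, read from its name.
func PackageVersion(name string) (string, error) {
	m := pkgVersion.FindStringSubmatch(name)
	if m == nil {
		return "", fmt.Errorf("%s: no version field in package name", name)
	}
	return m[1], nil
}

func chainIndex(version string) int {
	for i, v := range UpgradeChain {
		if v == version {
			return i
		}
	}
	return -1
}

// PlanUpgrade returns the packages to apply, in order, to move a server from
// current to target along UpgradeChain. It refuses to skip a hop, to go
// backwards, and to use two packages that claim the same version.
func PlanUpgrade(current, target string, packages []string) ([]string, error) {
	byVersion := map[string]string{}
	for _, p := range packages {
		v, err := PackageVersion(p)
		if err != nil {
			return nil, err
		}
		if prev, dup := byVersion[v]; dup {
			return nil, fmt.Errorf("%s and %s both claim version %s", prev, p, v)
		}
		byVersion[v] = p
	}
	from, to := chainIndex(current), chainIndex(target)
	if from < 0 || to < 0 {
		return nil, fmt.Errorf("%s -> %s is not on the documented upgrade chain", current, target)
	}
	if to < from {
		return nil, fmt.Errorf("%s -> %s would be a downgrade", current, target)
	}
	var plan []string
	for _, hop := range UpgradeChain[from+1 : to+1] {
		p, ok := byVersion[hop]
		if !ok {
			return nil, fmt.Errorf("no package for the hop to %s", hop)
		}
		plan = append(plan, p)
	}
	return plan, nil
}

// ClusterConsistent reports whether every server in the cluster runs the same
// version, which must hold once the upgrade is finished.
func ClusterConsistent(versions ...string) bool {
	for _, v := range versions {
		if v != versions[0] {
			return false
		}
	}
	return len(versions) > 0
}

func main() {
	// Constructed package names; only the 8.3.0 name appears in the guide.
	packages := []string{
		"630-010469-001_KeySecure_Field_Upgrade_PKG_V8.5.0_RevA.zip",
		"630-010469-001_KeySecure_Field_Upgrade_PKG_V8.3.0_RevA.zip",
		"630-010469-001_KeySecure_Field_Upgrade_PKG_V8.6.0_RevA.zip",
	}
	plan, err := PlanUpgrade("8.0.1", "8.6.0", packages)
	fmt.Println(plan, err) // three packages: 8.3.0, then 8.5.0, then 8.6.0
	_, err = PlanUpgrade("8.0.1", "8.6.0", packages[:2])
	fmt.Println(err) // no package for the hop to 8.6.0
	fmt.Println(ClusterConsistent("8.6.0", "8.6.0"), ClusterConsistent("8.6.0", "8.5.0")) // true false
}
```

Run it against the list of downloaded package names before starting; the same ClusterConsistent check on the Software Version shown on both servers' Home pages covers the requirement that both servers end on the same version.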

Importing License Files

You can use the key management server's functions properly only after licenses have been imported.

Prerequisites

The license files issued by SafeNet have been obtained. Access https://gemalto.service-now.com/ and register your account and email address; the license files are then sent to that email address.

NOTE:

The email address used to register the account must be the same as the one used to purchase the key management server.

Context

You must import a license for both key management servers separately.

Procedure
  1. Log in to the key management server web interface as an administrator. For details, see Logging In to the Key Management Server Web Interface Through a Management Port.
  2. Choose Home > Summary.

    Figure 4-13 shows the interface that is displayed.

    Figure 4-13 Viewing license files

  3. Choose Device > System Information & Upgrade.

    The System Information interface is displayed.

  4. In the Software & License Upgrade/Install area, set Source to Upload from browser, click Browse, and select the license files from the local directory.
  5. Click Upgrade/Install.

    NOTE:

    After the licenses have been installed, the system restarts automatically, which takes 5 to 10 minutes.

    The Action Completed interface is displayed, as shown in Figure 4-14.

    Figure 4-14 The licenses have been installed successfully

  6. The key management server automatically restarts.
  7. Log in to the key management server web interface after the restart and choose Home > Summary. In the System Summary area, check information about the installed licenses.

    See Figure 4-15.

    Figure 4-15 Confirming license information

    Licenses in Use indicates the number of licenses that have taken effect.

Configuring a KMIP Server

This section describes how to configure a KMIP server.

Prerequisites

The key management server has been initialized and the root CA certificate has been generated.

You can choose Security > Device CAs & SSL Certificates > Local CAs to view the root CA certificate.

Procedure
  1. Log in to the key management server web interface as an administrator.
  2. Choose Device > Key Server.

    The Cryptographic Key Server Configuration page is displayed.

  3. In the Cryptographic Key Server Settings area, under the server list, click Add.

    A new line will be added to the list, as shown in Figure 4-16.

    Figure 4-16 Configuring a KMIP server

  4. Configure the KMIP server as described in Table 4-2. After the configuration is complete, click Save.

    Table 4-2 KMIP server parameters

    Name | Description | Value
    Protocol | Protocol used by the key management server. | Example: KMIP
    IP | Management port IP address of the key management server. | Example: 172.168.100.101
    Port | Port on which the key management server accepts KMIP connections. You are advised to keep the default value. | Default value: 5696
    Use SSL | Whether to enable SSL/TLS on the KMIP port. Select it: without it, KMIP traffic, including key material, crosses the network in cleartext. | Example: Enable
    Server Certificate | Certificate that the key management server presents to KMIP clients. | Example: nae_kmip_server

    After the configuration is saved, the server appears in the key management server list.

  5. Optional: Select the configured key management server and click Properties to view its properties and authentication parameters.

    NOTE:

    Modifying the configuration of the key management server resets all of its client connections.

    To modify the key management server's properties, perform the following operations:

    1. In the Cryptographic Key Server Properties area, click Edit.

      Figure 4-17 shows the page that is displayed.

      Figure 4-17 Configuring server properties

    2. Modify property parameters of the key management server. Table 4-3 describes the parameters.
      Table 4-3 Property parameters of the key management server

      Name | Description | Value
      IP | Management port IP address on which the key management server listens. It can be ALL or a specific IP address. You are advised to set the specific management port IP address for security, so that the KMIP service is not exposed on every interface. | Example: 172.168.100.101
      Port | Communication port on the key management server. You are advised to keep the default value. | Default value: 5696
      Use SSL | Whether to enable SSL/TLS. | Example: Enable
      Server Certificate | Certificate of the key management server. It can be None or nae_kmip_server. You are advised to set nae_kmip_server. | Example: nae_kmip_server
      Connection Timeout (sec) | Idle time after which the key management server disconnects a client that has performed no operation. | Default value: 3600
      Allow Key and Policy Configuration Operations | Whether clients may create, delete, and import keys on the key management server. | Example: Enable
      Allow Key Export | Whether clients may export key material from the key management server. | Example: Enable

    3. Click Save.

    To modify the key management server's authentication parameters, perform the following operations:

    1. In the Authentication Settings area, click Edit. Figure 4-18 shows the page that is displayed.
      Figure 4-18 Configuring authentication parameters of the key management server

    2. Modify authentication parameters, as shown in Table 4-4.
      Table 4-4 Authentication parameters of the key management server

      Name | Description | Value
      Password Authentication | Whether password authentication is used. | Example: Not Used
      Client Certificate Authentication | How the client certificate is used. The most secure setting uses it both to authenticate the SSL session and to supply the username. | Example: Used for SSL session and username (most secure)
      Trusted CA List Profile | Profile listing the CA certificates that client certificates must chain to. | Example: hsm_mgmt_ca_profile
      Username Field in Client Certificate | Field of the client certificate from which the username is read. Set it to OU (Organization Unit). | Example: OU (Organization Unit)
      Require Client Certificate to Contain Source IP | Whether the client certificate must contain the IP address from which the client connects. | Example: Disable

    3. Click Save.
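Tables 4-2 and 4-4 together define what the key server checks when the storage system connects: TLS on the KMIP port, a client certificate that chains to a CA in the trusted profile, a username taken from the certificate's OU field, and optionally a match between the certificate and the source IP. The Go program below is an added example, not KeySecure code: it builds an in-memory CA and client certificate so the policy can be exercised offline, then applies the same checks in AuthenticateClient. The CA name, the username dorado-sed and the address 172.168.100.102 are assumptions, not values from the guide.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed example, not KeySecure code: an in-memory CA stands in for the
// trusted CA profile hsm_mgmt_ca_profile; names and addresses are assumptions.
// issue signs template with parent/parentKey, or self-signs when parent is nil.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA builds a self-signed CA like the root CA listed under Local CAs.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// newClientCert issues a client-auth certificate: the username goes into OU and
// ip, when non-nil, into the SAN as the address the client will connect from.
func newClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, ou string, ip net.IP) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "storage-system"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ou != "" {
		tmpl.Subject.OrganizationalUnit = []string{ou}
	}
	if ip != nil {
		tmpl.IPAddresses = []net.IP{ip}
	}
	cert, _, err := issue(tmpl, ca, caKey)
	return cert, err
}

// AuthenticateClient applies the Table 4-4 policy: the certificate must chain to one
// of trustedCAs and be valid for client authentication, the username is read from
// OU, and with requireSourceIP the SAN must list the connecting address.
func AuthenticateClient(cert *x509.Certificate, srcIP net.IP, requireSourceIP bool, trustedCAs ...*x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	for _, ca := range trustedCAs {
		roots.AddCert(ca)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("client certificate rejected: %w", err)
	}
	ou := cert.Subject.OrganizationalUnit
	if len(ou) != 1 || ou[0] == "" {
		return "", fmt.Errorf("client certificate has no single OU to use as the username")
	}
	if requireSourceIP {
		match := false
		for _, ip := range cert.IPAddresses {
			match = match || ip.Equal(srcIP)
		}
		if !match {
			return "", fmt.Errorf("client certificate does not contain source IP %s", srcIP)
		}
	}
	return ou[0], nil
}

func main() {
	ca, caKey, _ := newCA("hsm_mgmt_ca")
	src := net.ParseIP("172.168.100.102") // assumed storage-system address
	cert, _ := newClientCert(ca, caKey, "dorado-sed", src)
	fmt.Println(AuthenticateClient(cert, src, true, ca)) // dorado-sed <nil>
	fmt.Println(AuthenticateClient(cert, net.ParseIP("10.0.0.9"), true, ca))
	rogueCA, rogueKey, _ := newCA("someone-else")
	rogue, _ := newClientCert(rogueCA, rogueKey, "dorado-sed", src)
	fmt.Println(AuthenticateClient(rogue, src, false, ca))
}
```

The rejections are the cases worth testing on a real deployment: a certificate from a CA outside the trusted profile, a certificate whose OU is missing so that no username can be derived, and, if Require Client Certificate to Contain Source IP is enabled, a connection from an address the certificate does not list. An empty trusted profile rejects everything, which is the safe failure.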

Configuring the NTP Server on a Key Management Server

To keep the key management server and the storage system on the same time, configure the key management server with the same NTP server as the storage system.

Prerequisites
  • The NTP server has been configured on the storage system.
  • The key management server and storage system use the same NTP server for time synchronization to ensure time consistency.
Procedure
  1. Log in to the key management server web interface as user admin.
  2. Choose Device > Date & Time, as shown in Figure 4-19.

    Figure 4-19 NTP server configuration

  3. In the NTP Settings area, click Edit.

    The NTP server configuration page is displayed, as shown in Figure 4-20.

    Figure 4-20 Setting the NTP server

  4. Set NTP server parameters.

    1. Select Enable NTP.
    2. Set the IP address of the NTP server in NTP Server 1.
      NOTE:
      • The IP address of the NTP server configured on the key management server must be the same as that configured on the storage system.
      • If multiple NTP servers are configured on the storage system, configure NTP Server 2 or NTP Server 3 on the key management server until it has the same NTP servers as the storage system.
    3. Set the poll interval in Poll Interval (min). At each interval the key management server compares its time with that of the NTP server and, if they differ, synchronizes to the NTP server. The default interval is 5 minutes, and you are advised to keep the default value.

  5. Click Save.

Creating the Periodic Backup Tasks

After the key management server is configured, you need to periodically back up information about the key management server to recover the device when exceptions occur.

Prerequisites
  • The SCP server has been configured and can communicate with the key management server.
  • Periodic backup must be configured on both key management servers.
Context

This document uses an SCP server on a Linux CentOS host as an example.

NOTE:

Any Linux CentOS host running an SSH server can be used as an SCP server.

Procedure
  1. Log in to the key management server web interface as an administrator.
  2. Choose Device > Backup & Restore > Create Backup.

    Enter the Security Items page, as shown in Figure 4-21.

    Figure 4-21 Security backup item settings

  3. In the Security Items page, click Select All and click Continue.

    Enter the Device Items page, as shown in Figure 4-22.

    Figure 4-22 Device backup item settings

  4. In the Device Items page, click Select All and deselect Network. Then click Continue.

    Enter the Backup Settings page, as shown in Figure 4-23.

    Figure 4-23 Backup settings

  5. In the Backup Settings page, set automatic backup parameters.

    1. Set basic backup parameters, including Backup Name, Backup Description, Backup Password, and Confirm Backup Password. The backup password is required to restore the backup, so record it in a secure location separate from the backup files.
    2. Set Destination to SCP. The system then performs the backup remotely and saves the backup file to the SCP server.
    3. Set SCP backup parameters.
      Table 4-5 SCP backup parameters

      Parameter | Description | Setting
      Host | IP address of the SCP server | Example: 192.168.20.3
      Directory Name | Directory on the SCP server in which backup files are saved | Example: BackupDirectory
      Username | User name for logging in to the SCP server | Example: Admin
      Authentication | Authentication mode for the SCP server | Example: Password
      Password | Password for logging in to the SCP server. Valid only when Authentication is Password. | Example: XXX

    4. Click Save Settings for Automated Remote Backup.

      The Confirmation Required dialog box is displayed, as shown in Figure 4-24.

      Figure 4-24 Confirming automatic backup settings

    5. Read contents in the dialog box and click Confirm.
    6. Click Continue.

      The Action Completed page is displayed.

  6. Configure a backup policy.

    1. Click Continue.

      The Automated Remote Backup Schedule page is displayed.

    2. Click Edit.

      Figure 4-25 shows the page that is displayed.

      Figure 4-25 Configuring a backup policy

    3. Set the backup period and time, and click Save.

      The periodic backup runs as configured, and the result of the latest run is shown in Last Automated Remote Backup Status.

  7. Repeat Step 1 to Step 6 to configure periodic backup on the other key management server.
Follow-up Procedure

After setting up periodic backup, check regularly that the SCP server has enough free space. You are advised to delete old backup files periodically so that backups do not fail for lack of space.
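One way to carry out that follow-up step, as an added example that is not part of this guide or of the key management server: a retention routine for the SCP server that keeps the newest N backup files sharing a name prefix and deletes the rest. It assumes backups are written to one directory with a common prefix (the Backup Name), as configured above, ignores unrelated files in that directory, and refuses a retention count of zero.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
	"time"
)

// Added example for the SCP server side; it is not part of this guide or of the
// key management server. It assumes backups land in one directory with a common
// name prefix (the Backup Name), as configured above.

type backupFile struct {
	name string
	mod  time.Time
}

// listBackups returns the files in dir that start with prefix, newest first.
func listBackups(dir, prefix string) ([]backupFile, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	var files []backupFile
	for _, e := range entries {
		if e.IsDir() || !strings.HasPrefix(e.Name(), prefix) {
			continue // leave anything that is not one of our backups alone
		}
		info, err := e.Info()
		if err != nil {
			return nil, err
		}
		files = append(files, backupFile{e.Name(), info.ModTime()})
	}
	sort.Slice(files, func(i, j int) bool { return files[i].mod.After(files[j].mod) })
	return files, nil
}

// PruneBackups deletes every backup beyond the newest keep files and returns the
// names it removed, newest first. keep < 1 is refused so that a typo in a cron
// job cannot delete the only copy of the key server's state.
func PruneBackups(dir, prefix string, keep int) ([]string, error) {
	if keep < 1 {
		return nil, fmt.Errorf("keep=%d would delete every backup", keep)
	}
	files, err := listBackups(dir, prefix)
	if err != nil {
		return nil, err
	}
	var removed []string
	for i := keep; i < len(files); i++ {
		if err := os.Remove(filepath.Join(dir, files[i].name)); err != nil {
			return removed, err
		}
		removed = append(removed, files[i].name)
	}
	return removed, nil
}

// writeSample creates a constructed backup file in dir that is ageHours old.
func writeSample(dir, name string, ageHours int) error {
	p := filepath.Join(dir, name)
	if err := os.WriteFile(p, []byte("constructed backup"), 0o600); err != nil {
		return err
	}
	ts := time.Now().Add(-time.Duration(ageHours) * time.Hour)
	return os.Chtimes(p, ts, ts)
}

// exists reports whether name is still present in dir.
func exists(dir, name string) bool {
	_, err := os.Stat(filepath.Join(dir, name))
	return err == nil
}

func main() {
	dir, err := os.MkdirTemp("", "ksbackup") // stands in for BackupDirectory on the SCP server
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	for i := 0; i < 4; i++ { // four daily backups: ks-backup-0 is the oldest
		_ = writeSample(dir, fmt.Sprintf("ks-backup-%d.bak", i), 24*(4-i))
	}
	removed, err := PruneBackups(dir, "ks-backup-", 2)
	fmt.Println(removed, err) // [ks-backup-1.bak ks-backup-0.bak] <nil>
}
```

Schedule it from cron on the SCP server, run as the backup user, with a retention count that spans at least several automated backup periods. Because it keeps the newest files by count rather than by age, a run of failed backups never causes it to delete the last good copy.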

Updated: 2018-11-01

Document ID: EDOC1000159246