Disk Encryption User Guide

OceanStor Dorado V3 Series V300R001

This document is applicable to OceanStor Dorado5000 V3, Dorado6000 V3 and Dorado18000 V3. This document introduces how to install and configure key management servers connected to the storage systems that use self-encrypting disks.
Connecting the Key Management Server with the Storage Array

After the key management server cluster is created, you need to connect the key management server with the storage array so that the disk encryption service can be provided for the storage system.

Generating and Exporting a Certificate on the Storage System

Creating a Local User

This section describes how to create a local user on the key management server. When the key management server authenticates a storage system over the Key Management Interoperability Protocol (KMIP), it maps the storage system to this local user, so the user is what the server "sees" when the storage system connects.

Prerequisites

The key management server identifies the storage system by the OU value in the subject of the storage system's certificate. The local user name on the key management server must therefore be set to Storage, the same value as the OU in the certificate signed for the storage system; otherwise the server cannot match the connecting storage system to a user.

You can query the OU value as follows:

  1. Double-click the certificate.
  2. On the Details tab, select the Subject field. The OU value is shown in the lower pane.

Context

Create at least one local user.

Procedure
  1. Log in as the admin user to the key management server's web interface.
  2. Choose Security > Users & Groups > Local Authentication > Local Users & Groups.

    The User & Group Configuration page is displayed, as shown in Figure 4-35.

    Figure 4-35 Local user page

  3. In the Local User area, click Add.

    Figure 4-36 shows the page that is displayed.

    Figure 4-36 Local user information setting page

  4. Set user information.

    Table 4-7 User parameters

    Username
      Description: Name of the new user. You are advised to set the value to Storage.
      Example: Storage

    Password
      Description: Password of the new user. The example value is only a placeholder; use a strong, unique password on a production server.
      Example: admin@123

    User Administration Permission
      Description: Permission to create, modify, and delete users or user groups. The storage system only needs to authenticate, so do not grant it.
      Example: Not selected
      Recommended value: Not selected

    Change Password Permission
      Description: Permission for the user to change its own password.
      Example: Not selected
      Recommended value: Not selected

    The name of the new user must be the same as the OU value (Storage by default) in the certificate signed for the storage system. If the name differs from the OU value, authentication between the storage system and the key management server fails.

  5. Click Save.

    The new user is displayed in the user list.

Signing a Key Management Server Certificate and Exporting the Certificate

This section describes how to use the local CA of the key management server to sign the certificate request exported from the storage system, and how to export both the signed certificate and the CA certificate for import into the storage system.

Signing a Certificate
  1. Log in to the key management server web interface as an administrator.
  2. Choose Security > Local CAs.

    The Certificate and CA Configuration interface is displayed, as shown in Figure 4-37.

    Figure 4-37 CA certificate list

  3. Select the default CA certificate and click Sign Request.

    The Sign Certificate Request interface is displayed, as shown in Figure 4-38.

    Figure 4-38 Signing the certificate

  4. Set certificate request parameters.

    1. Set Sign with Certificate Authority to hsm_mgmt_ca (maximum xxxx days) (default value).
    2. Set Certificate Purpose to Client. The storage system is the KMIP client, so the certificate must be issued for client authentication, not for a server.
    3. Set Certificate Duration (days) to the validity period of the certificate. The value must not be greater than the xxx value of hsm_mgmt_ca (maximum xxxx days).
    4. Paste the content of the certificate request file exported from the storage system into the Certificate Request text box.
    5. Click Sign Request.

      The CA Certificate Information page is displayed, as shown in Figure 4-39.

      Figure 4-39 CA certificate information

  5. Click Download to export the signed certificate.

    The signed certificate is saved as signed.crt.

Exporting the CA certificate
  1. Log in to the key management server web interface as an administrator.
  2. Choose Security > Local CAs.

    The Certificate and CA Configuration interface is displayed, as shown in Figure 4-40.

    Figure 4-40 CA certificate list

  3. Click Download to export the CA certificate of the key management server (hsm.mgmt_ca.crt in the examples below). The storage system needs it to verify the key management server's certificate when the KMIP connection is established.
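As an added check (this script is not part of the Huawei guide), the following POSIX shell script verifies, before anything is imported into DeviceManager, the three properties the procedure above depends on: that signed.crt carries OU=Storage (the local user created on the key management server), that it chains to the downloaded CA certificate, and that it was issued for client use. With no arguments it builds constructed fixtures with openssl, a self-signed CA standing in for hsm_mgmt_ca and two certificate requests, one with OU=Storage and one with OU=Wrong, so the mismatch failure mode is shown as well; the subject /O=Huawei/OU=Storage/CN=OceanStor, the file names and the fixture CA are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Huawei guide: checks to run on signed.crt and
# the downloaded CA certificate before importing them into DeviceManager.
# File names, the hsm_mgmt_ca fixture and the OceanStor subject are
# assumptions; point the script at your own files for a real check:
#   sh kmip_cert_check.sh signed.crt hsm.mgmt_ca.crt Storage
set -eu

# Print the OU from the certificate Subject. RFC2253 formatting gives a
# version-independent "CN=...,OU=...,O=..." line to cut the OU out of.
cert_ou() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*OU=\([^,]*\).*/\1/p'
}

# The key management server identifies the array by this OU, so it must
# equal the local user name created on the server (Storage).
check_ou() {
    [ "$(cert_ou "$1")" = "$2" ]
}

# signed.crt must chain to the CA certificate the storage system will import.
check_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Certificate Purpose was set to Client on the signing page; make sure the
# issued certificate is actually usable for TLS client authentication.
check_client_purpose() {
    openssl x509 -in "$1" -noout -purpose | grep -q '^SSL client : Yes'
}

# Run all three checks on one certificate; return 1 if any of them fails.
run_checks() {
    crt=$1; ca=$2; user=$3; status=0
    if check_ou "$crt" "$user"; then
        echo "$crt: OU matches local user '$user'"
    else
        echo "$crt: OU '$(cert_ou "$crt")' != local user '$user' (KMIP auth would fail)"
        status=1
    fi
    if check_chain "$crt" "$ca"; then echo "$crt: chains to $ca"
    else echo "$crt: does not chain to $ca"; status=1; fi
    if check_client_purpose "$crt"; then echo "$crt: client certificate"
    else echo "$crt: not usable as a client certificate"; status=1; fi
    return $status
}

# Constructed fixtures (assumption: a self-signed CA stands in for the key
# management server's hsm_mgmt_ca, and locally generated CSRs stand in for
# the request the storage system exports). OU is varied to show a mismatch.
make_fixtures() {
    dir=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        'x509_extensions = v3_ca' '[dn]' 'CN = hsm_mgmt_ca' '[v3_ca]' \
        'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' >"$dir/ca.cnf"
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'extendedKeyUsage = clientAuth' >"$dir/client.ext"
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/hsm.mgmt_ca.crt" -days 30 2>/dev/null
    for ou in Storage Wrong; do
        openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
            -subj "/O=Huawei/OU=$ou/CN=OceanStor" \
            -keyout "$dir/$ou.key" -out "$dir/$ou.csr" 2>/dev/null
        openssl x509 -req -in "$dir/$ou.csr" -CA "$dir/hsm.mgmt_ca.crt" \
            -CAkey "$dir/ca.key" -CAcreateserial -days 30 \
            -extfile "$dir/client.ext" -out "$dir/$ou.crt" 2>/dev/null
    done
    mv "$dir/Storage.crt" "$dir/signed.crt"   # the file name the guide uses
}

if [ $# -eq 3 ]; then
    run_checks "$1" "$2" "$3"
else
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    make_fixtures "$tmp"
    run_checks "$tmp/signed.crt" "$tmp/hsm.mgmt_ca.crt" Storage
    run_checks "$tmp/Wrong.crt" "$tmp/hsm.mgmt_ca.crt" Storage || true  # expected to fail
fi
```

On a real system run it as sh kmip_cert_check.sh signed.crt hsm.mgmt_ca.crt Storage from the host where you downloaded the files. An OU mismatch is exactly the failure the prerequisites warn about, and it is cheaper to catch here than as a failed Test on the Key Service page after the certificate has already been activated.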

Importing and Activating a Certificate on the Storage System

This section describes how to import and activate a certificate on the storage system, so that the disk encryption function can take effect.

Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > Value-added Service Settings > Credential Management.
  3. Import and activate the certificate.

    1. After the certificate has been signed by the server, click Import and Activate.

      The Import Certificate dialog box is displayed.

    2. Set the certificate type to Certificate of KMC and import the signed certificate and the CA certificate. Table 4-8 describes the parameters.
      Table 4-8 Parameters for importing the certificate

      Certificate Type
        Description: Type of the certificate being imported.
        Example: Certificate of KMC

      Certificate File
        Description: The storage system's certificate, exported as a request and signed by the key management server CA.
        Example: signed.crt

      CA Certificate File
        Description: CA certificate exported from the key management server, used by the storage system to verify the key management server's certificate.
        Example: hsm.mgmt_ca.crt

      Private Key File
        Description: Private key file of a device. Leave it empty here: the private key was generated on the storage system together with the certificate request, so it never leaves the storage system and does not need to be imported.
        Example: None

    3. Click OK.

      The Warning dialog box is displayed.

    4. Carefully read the content of the dialog box, select I have read and understand the consequences associated with this operation, and click OK.

      The Success dialog box is displayed.

    5. Click OK.

      The certificate is imported and activated successfully. In the Credential Management area, you can query the Status, Expire Time, and Expiration Warning Days of the certificate.

Configuring Key Management Servers on a Storage System

Configure key management servers on a storage system, and connect key management servers to the storage system, so that the disk encryption service can function.

Context

A storage system connects to two key management servers, which form a cluster, so that key service remains available if one server fails.

Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > Value-added Service Settings > Key Service.
  3. Select Enable the external key management service.
  4. Add key management servers.

    NOTE:

    A storage array can connect to a maximum of two key management servers, which form a cluster. The following steps add one key management server of the cluster; they are repeated for the other.

    1. Click Add.

      The Add Server dialog box is displayed.

    2. Enter the key server parameters. Table 4-9 describes the parameters.
      Table 4-9 Key server parameters

      Server type
        Description: Type of the key server.
        Example: SafeNet KMIP

      Address
        Description: Domain name or service IP address of the key management server.
        NOTE: The service IP address is the same as the IP address of the management port that is set during 4.4.1.1 Initializing a Key Management Server.
        Example: 8.46.141.128

      Port
        Description: Port on which the key management server accepts KMIP connections from the storage system.
        Value range: 1 to 65535
        Example: 9443

    3. Click OK.
    4. Click Save.

      The Execution Result dialog box is displayed.

    5. Click Close.

  5. Repeat step 4 to add the other key management server in the cluster.
  6. Optional: Select a key server and click Test to verify that the storage system can reach it and authenticate with the imported certificate.
Follow-up Procedure

After the storage system has connected to the key management servers, wait for 2 to 3 minutes before performing follow-up procedures.

Updated: 2018-11-01

Document ID: EDOC1000159246