Disk Encryption User Guide

OceanStor Dorado V3 Series V300R001

This document is applicable to OceanStor Dorado5000 V3, Dorado6000 V3 and Dorado18000 V3. This document introduces how to install and configure key management servers connected to the storage systems that use self-encrypting disks.
Configuring a Key Management Server Cluster

After two key management servers with the same configurations are configured into a cluster, the two servers provide the encryption service together. If one of them becomes faulty or the encryption service is abnormal, the storage automatically connects to another one that can provide the encryption service.

Before creating a cluster, you can choose Security > Device CAs & SSL Certificates > Local CAs to query the root CA certificate.

Check whether the two key management servers have the same root CA certificates.
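One way to make this check exact is to compare certificate fingerprints rather than names. The following is an added example, not part of the original guide or of the key management server software; it assumes the root CA certificates have been exported from each server as PEM text, and the sample certificates are constructed placeholder bytes.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprints(pem_text):
    """SHA-256 fingerprint of every certificate in one PEM export."""
    found = set()
    for body in PEM_BLOCK.findall(pem_text):
        # Hash the decoded DER bytes so line wrapping and CRLF/LF
        # differences between the two exports cannot cause a false mismatch.
        der = base64.b64decode("".join(body.split()), validate=True)
        found.add(hashlib.sha256(der).hexdigest())
    if not found:
        raise ValueError("no PEM certificate block found")
    return found


def compare_root_cas(pem_a, pem_b):
    """Compare the root CA sets exported from two key management servers."""
    a, b = fingerprints(pem_a), fingerprints(pem_b)
    return {"match": a == b, "only_a": sorted(a - b), "only_b": sorted(b - a)}


def make_pem(der, width=64, eol="\n"):
    """Build a PEM block around constructed bytes (sample data only)."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return eol.join(["-----BEGIN CERTIFICATE-----", *rows,
                     "-----END CERTIFICATE-----"]) + eol


# Constructed placeholder bytes standing in for two different root CAs.
CA_ONE, CA_TWO = bytes(range(90)), bytes(range(1, 91))
SERVER_A = make_pem(CA_ONE)                        # hypothetical export, server 1
SERVER_B = make_pem(CA_ONE, width=76, eol="\r\n")  # same CA, different wrapping
SERVER_C = make_pem(CA_TWO)                        # a different root CA

if __name__ == "__main__":
    print(compare_root_cas(SERVER_A, SERVER_B))  # same root CA on both servers
    print(compare_root_cas(SERVER_A, SERVER_C))  # root CAs differ
```

The fingerprints listed under only_a or only_b identify which certificate is missing from the other server.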

(Optional) Creating Manual Backup Tasks

When configuring a key management server cluster, ensure that the configurations of the two key management servers are the same. Manually back up the configuration information on the source key management server and restore it to the target key management server.

Procedure
  1. Log in to the key management server web interface as an administrator.
  2. Choose Device > Backup & Restore > Create Backup.

    The Security Items page is displayed, as shown in Figure 4-26.

    Figure 4-26 Security backup item settings

  3. Click Select All and click Continue.

    The Device Items page is displayed, as shown in Figure 4-27.

    Figure 4-27 Device backup item settings

  4. Click Select All and deselect Network. Click Continue.

    The Backup Settings page is displayed, as shown in Figure 4-28.

    Figure 4-28 Backup settings

  5. Set the backup name, description, and password, and set the backup mode to Download to browser, then click Backup Now.

    The backup files are saved to a local directory on the maintenance terminal.

(Optional) Restore Backup Information from the Source Key Management Server to the Target Key Management Server

After the configuration information of the source key management server is backed up, restore the backup to the target key management server so that the two key management servers have the same configuration information. This section uses a backup stored on an SCP server as an example.

Prerequisites
  • The communication between the SCP server and key management server is normal.
  • You have obtained the path where the backup information is saved on the SCP server.
Procedure
  1. Log in to the target key management server web interface as a user that has the permission for restoration.
  2. Choose Device > Backup & Restore > Restore Backup.

    The Restore Backup page is displayed, as shown in Figure 4-29.

    Figure 4-29 Backup restoration page

  3. In Source, select SCP. Enter the IP address of the key management server, backup file name, and login user name of the SCP server. Set Authentication to Password and configure the password. Then, enter the backup password in Backup Password.
  4. Click Restore.

    The Backup Restore Information page is displayed, as shown in Figure 4-30.

    Figure 4-30 Setting the backup restoration information

  5. Select the information to be restored.

    NOTE:

    To prevent the old key information of the backup file from overwriting new key information of the key management server, you can select Only import new managed objects in Security Items.

  6. Enter the backup password and click Restore.

    The Action Completed page is displayed, as shown in Figure 4-31.

    Figure 4-31 Backup restoration completed

  7. Click Continue.

    The server page is displayed.

  8. In the drop-down menu of Restart/Halt, select Restart and click Commit.

Creating Key Management Server Clusters

After the cluster is created, add two key management servers with the same configurations into the cluster. The two servers provide the encryption service together. If one of them becomes faulty or the encryption service is abnormal, the storage automatically connects to another one that can provide the encryption service.

Procedure
  1. Log in to one key management server web interface as an administrator.
  2. Choose Device > Device Configuration > Cluster > Configuration.

    The Cluster Configuration interface is displayed, as shown in Figure 4-32.

    Figure 4-32 Cluster creation interface

  3. Table 4-6 describes the cluster parameters.

    Table 4-6 Cluster parameters

    | Parameter | Description | Setting |
    |---|---|---|
    | Local IP | IP address of the cluster | It is the service IP address of the key management server and is the same as the IP address of the management port that is set during Initializing a Key Management Server. [Example] 8.46.141.128 |
    | Local Port | Port used by the cluster | [Example] 9001 |
    | Cluster Password | Password of the cluster | A cluster key is protected by a cluster password. This password must be provided when devices attempt to join a cluster, or when an administrator attempts to restore a cluster backup. [Example] admin@123 |
    | Confirm Cluster Password | | |

  4. Click Create.

    The new cluster will be displayed in the cluster list in the Cluster Members area. The Cluster Settings interface is displayed, as shown in Figure 4-33.

    Figure 4-33 Cluster settings interface

  5. Click Download Cluster Key to export the cluster key and save it locally. The cluster key contains authentication information used when passing information between cluster members. The default name is ing_cluster.
Follow-up Procedure

After the cluster is successfully created on a key management server, this server is automatically added to the cluster. You need to add another key management server to this cluster.

Adding the Server to a Cluster

This section describes how to add a key management server to a cluster.

Prerequisites

The cluster of key management servers has been created.

Procedure
  1. Use the admin account to log in to the web UI of a key management server that you want to add to the cluster.
  2. Choose Device > Cluster > Configuration > Join Cluster.

    The Join Cluster interface is displayed.

  3. In Cluster Member IP and Cluster Member Port, enter the cluster IP address and port (which is generally set to 9001).
  4. Click Browse next to Cluster Key File and import the cluster key file (whose default name is ing_cluster) that was exported when the cluster was created.
  5. In Cluster Password, enter the cluster password and click Join.

    Information about the cluster will be displayed in the cluster list in Cluster Members.

  6. In Cluster Members, check that the two key management servers configured in the cluster are listed, as shown in Figure 4-34.

    Figure 4-34 Checking the cluster status

Updated: 2018-11-01

Document ID: EDOC1000159246