No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Disk Encryption User Guide

OceanStor Dorado V3 Series V300R001

This document is applicable to OceanStor Dorado5000 V3, Dorado6000 V3 and Dorado18000 V3. This document introduces how to install and configure key management servers connected to the storage systems that use self-encrypting disks.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring a Key Management Server Cluster

Configuring a Key Management Server Cluster

After two key management servers with the same configurations are clustered, the two servers provide the encryption service together. If one of them becomes faulty or the encryption service is abnormal, the storage automatically connects to another one that can provide the encryption service.

Backing Up Configurations of the Source Key Management Server

When you configure a key management server cluster, make sure that the two key management servers have the same configuration information. In this case, you need to back up the configuration information of the configured key management server (source key management server), and then restore the configuration information to the key management server to be synchronized (target key management server).

Generating System Key Shares

Generate system key shares to export the system key to smart cards, thus to back up the system key.

Prerequisites

Only a security officer can perform this operation.

Context

Generate at least two system key shares.

Procedure
  1. Log in to the key management server web interface as user officer.
  2. Click the System Key tab.

    See Figure 3-31.

    Figure 3-31 Generating system key shares

  3. In the System Key Share area, set Recoverable Shares to the number of system key shares to be generated.

    NOTE:

    Generate at least two system key shares.

  4. Click Generate Share to generate system key shares.
Initializing a Smart Card

Smart cards back up the system keys generated on key management servers. Initialize smart cards before using them.

Prerequisites

Prepare at least two smart cards.

Precautions

Save the smart cards and their personal identification numbers (PINs) securely. Confirm the mappings between smart cards and PINs.

Procedure
  1. Insert a smart card into the built-in card reader on the front panel of the key management server. Make the chip face up. If the indicator is steady green, the smart card is correctly inserted.
  2. Log in to the key management server management interface as an officer.

    See Figure 3-32.

    Figure 3-32 Key management server management interface

  3. Select Smart Card and press Enter.

    The Smart Card dialog box is displayed, as shown in Figure 3-33.

    Figure 3-33 Smart Card dialog box

  4. Erase smart card information.

    1. Select Erase and press Enter.

      The Confirm dialog box is displayed.

    2. Click Yes.

      The Info dialog box is displayed.

    3. Click OK.

      You are returned to the Smart Card main page.

  5. Record the smart card configuration.

    1. Select Prepare and press Enter.

      The Confirm dialog box is displayed, as shown in Figure 3-34.

      Figure 3-34 Smart card configuration

    2. Record the SmartCard Serial, PIN, and PUK of the smart card, and then click Yes.
      NOTE:

      You are advised to take a screenshot when generating a PIN. Save the screenshot file after the Smart Card serial number. Paste the serial number on the rear side of the Smart Card. Ensure that each PIN corresponds to a unique smart card.

      The Please Wait dialog box is displayed. Wait for the Info dialog box to display, as shown in Figure 3-35.

      Figure 3-35 Successfully initializing a smart card

    3. Confirm that the SmartCard Serial, PIN, and PUK of the smart card have been recorded, and then click Yes.

  6. Remove the smart card.
  7. Repeat Initializing a Smart Card to Initializing a Smart Card to initialize another smart card.
Backing Up the Source Key Management Server System Key to the Smart Card

You need to back up the system key of the source key management server before high-risk operations.

Prerequisites
  • Only the recovery officer users can perform this operation.
  • At least two smart cards have been initialized and their configurations have been recorded.
Context

This document uses the recovery1 user preset in the key management server as the example.

Procedure
  1. Log in to the key management server management interface as user recovery1,

    as shown in Figure 3-36.

    Figure 3-36 Management interface of the key management server

  2. Insert a smart card into the built-in card reader of the source key management server. Make the chip face up. If the indicator is steady green, the smart card is correctly inserted.
  3. Select Export Share and press Enter.

    The Export Key Share page is displayed, as shown in Figure 3-37.

    Figure 3-37 Exporting the system key

  4. Enter the PIN of this smart card and click Read Card.

    The Info page is displayed indicating that no other share is on the current smart card.

  5. Click OK.
  6. In Save Share As, set the name of the share that is exported to the smart card. Click OK and press Enter.

    The Info dialog box is displayed.

  7. Click OK and press Enter.

    Record the mapping relationship between the recovery officer users and smart cards. You need to use a recovery officer user to restore the key system of the corresponding smart card to the key management server during later system key restoration.

  8. Log out as user recovery1.
  9. Log in to CLI through the serial port as user recovery2.
  10. Repeat Backing Up the Source Key Management Server System Key to the Smart Card to Backing Up the Source Key Management Server System Key to the Smart Card, and export the system key to the second smart card.
  11. Check the export result.

    1. Log in to the web interface of the source key management server as an officer.
    2. Click the System Key tab. Check whether the value of Shares Exported is the same as the number of exported system keys, as shown in Figure 3-38.
    Figure 3-38 Checking the export result

Manually Backing Up Configurations of a Key Management Server

To ensure that the configurations on two key management servers are the same, you need to manually back up configurations of the source key management server to a backup server and then restore the configurations from the backup server to the target key management server.

Prerequisites

The backup server has been deployed and communicates properly with the key management servers.

Context

Both NFS and SCP backup servers are supported. The SCP backup server is recommended.

Procedure
  1. Log in to the web interface of the source key management server as an officer.
  2. Click the Backup tab.

    The Backup page is displayed, as shown in Figure 3-39.

    Figure 3-39 Backup management page

    NOTE:

    You can back up the configuration information of a key management server using either the NFS or SCP protocol.

    • If you use the NFS protocol, go to Step 3.
    • If you use the SCP protocol, go to Step 4.

  3. Configure the NFS backup server.

    1. In the Device area, configure the NFS backup server information. Table 3-12 describes the parameters.
      Table 3-12 NFS backup server configurations

      Parameter

      Description

      Value

      Protocol

      Protocol used to upload configuration information to the backup server

      [Example]

      NFS

      NFS Server

      IP address of the NFS server

      [Example]

      192.168.17.81

      Folder

      Save path of the backup information on the NFS server

      [Example]

      /kabackup

      User ID

      Name of the user created on the NFS server

      [Example]

      710

      NOTE:

      You can click Test Connection to test the connection between the NFS and key management servers.

    2. Click Save Device to save the NFS server configuration.

  4. Configure the SCP backup server.

    1. In the Device area, configure the SCP backup server information. Table 3-13 describes the parameters.
      Table 3-13 SCP backup server configurations

      Parameter

      Description

      Value

      Protocol

      Protocol used to upload configuration information to the backup server

      [Example]

      SCP

      SCP Server

      IP address of the SCP server

      [Example]

      192.168.17.81

      Port

      Port used by the SCP server

      [Example]

      22

      Username

      User name for logging in to the SCP server

      [Example]

      admin

      Password

      Password for logging in to the SCP server

      [Example]

      Admin@

      Folder

      Save path of the backup information on the SCP server

      [Example]

      /home/admin/scp

      NOTE:

      You can click Test Connection to test the connection between the SCP and key management servers.

    2. Click Save Device to save the SCP server configuration.

  5. Click Backup Now.

    The system prompts you to start the backup. You need to view the backup result in the logs.

  6. Click the Logs tab. On the page that is displayed, view the backup result based on time, as shown in Figure 3-40.

    Figure 3-40 Confirming the backup result

Restoring the Target Key Management Server Configuration

To ensure that the configurations of two key management servers are the same in a key management server cluster, restore the backup configuration of the source key management server to the target key management server.

Enabling the Maintenance Mode of Key Management Servers

The cluster can be configured only when the maintenance mode of key management servers is enabled. This section describes how to enable the mode.

Prerequisites

The maintenance mode can be enabled only when the replication license is imported.

Context
  • The maintenance mode of both key management servers has been enabled.
  • The maintenance mode of key management servers can be successfully enabled only after user admin has sent the requirement to disable it and the officer user has granted the permission.
  • If the maintenance mode of key management servers has been enabled, the key management service is stopped.
Procedure
  1. Log in to the system as user admin and send a requirement to enable the maintenance mode.

    1. Log in to the key management server management interface as user admin.
    2. Select Maintenance Mode and press Enter.

      The Confirm page is displayed, as shown in Figure 3-41.

      Figure 3-41 Request of enabling the maintenance mode

    3. Select Yes and press Enter.

      The Confirmation page is displayed.

    4. Press Enter.

      The key management server management interface is displayed.

    5. Select Logout and press Enter.

      User admin is logged out.

  2. Grant permission to enable the maintenance mode as user officer.

    1. Log in to the key management server management interface as user officer.
      NOTE:

      If you log in to the server for the first time, the system will prompt you to change your password.

    2. Select Replication Setting and press Enter.

      The Replication Settings page is displayed, as shown in Figure 3-42.

      Figure 3-42 Replication setting page

    3. Select Maintenance Mode. Select OK and press Enter.

      The Confirm page is displayed indicating that the request from the administrator for enabling the maintenance mode is received, as shown in Figure 3-43.

      Figure 3-43 Confirming the request of enabling the maintenance mode

    4. Select Yes and press Enter.

      The Confirm page is displayed. Confirm it again.

    5. Select Yes and press Enter.

      The Info page is displayed indicating that the maintenance mode is successfully enabled.

    6. Press Enter.

Restoring the Source System Key to the Target Key Management Server

Export the system key of the source key management server to smart cards, and then restore the system key from the smart cards to the target key management server, ensuring that system keys on the two servers are consistent.

Prerequisites
  • The maintenance terminal is connected to the target key management server through a serial port.
  • The system key restoration must be performed by user recovery1 and user recovery2, and then submitted by user officer to complete the operation.
  • When performing the restoration operation, keep the corresponding relationship between users and smart cards the same way used in exporting the system key. Namely, use user recovery1 to restore the system key from the first smart card to the target key management server, and the use user recovery2 to restore the system key from the second smart card to the target key management server.
Procedure
  1. Use user recovery1 to restore the system key from the first smart card to the target key management server.

    1. Insert the first smart card into the built-in card reader on the target key management server. When the indicator light is steady green, the smart card is successfully connected to the key management server.
    2. Log in to the management interface of the target key management server as user recovery1 through a serial port.
    3. Select Recover Share and press Enter.

      The Recover Key Share window is displayed, as shown in Figure 3-44.

      Figure 3-44 Restoring the system key from the first smart card

    4. Enter the PIN of the first smart card, select Read Card, and press Enter.

      The information of the smart card is displayed in the Shares on Card list.

    5. Select OK and press Enter.

      The Info window is displayed.

    6. Press Enter.

      You are returned to the key management server management interface.

    7. Remove the smart card and log out user recovery1.

  2. Use user recovery2 to restore the system key from the second smart card to the target key management server.

    1. Insert the second smart card into the built-in card reader of the target key management server. When the indicator light is steady green, the smart card is successfully connected to the key management server.
    2. Log in to the management interface of the target key management server as user recovery2 through a serial port.
    3. Select Recover Share and press Enter.

      The Recover Key Share window is displayed, as shown in Figure 3-45.

      Figure 3-45 Restoring the system key from the second smart card

    4. Enter the PIN of the second smart card, select Read Card, and press Enter.

      The information of the smart card is displayed in the Shares on Card list.

    5. Select OK and press Enter.

      The Info window is displayed.

    6. Press Enter.

      You are returned to the key management server management interface.

    7. Remove the smart card and log out user recovery2.

  3. Use user officer to submit the system key restoration.

    1. Log in to the management interface of the target key management server as user officer through a serial port.
    2. Select System Key and press Enter.

      The System Key window is displayed, as shown in Figure 3-46.

      Figure 3-46 Submitting the system key restoration

    3. Select Commit, select OK, and press Enter.

      The Warning dialog box is displayed, as shown in Figure 3-47.

      Figure 3-47 The warning window about submitting the system key restoration

    4. Select Yes and press Enter.

      The Confirmation window is displayed.

    5. Press Enter to complete the submission.

Restoring Information from the Backup Server to the Target Key Management Server

This section describes how to restore information from an NFS or SCP backup server to the target key management server.

Restoring Information from an NFS Server

Before performing the operation, ensure that:

  • The NFS server is communicating properly with key management servers.
  • You have obtained the save path of the backup information on the NFS server.
  1. Log in as the admin user to the target key management server's management interface via the serial port.
  2. Select Restore and press Enter.

    The System Restore page is displayed, as shown in Figure 3-48.

    Figure 3-48 System Restore

  3. Configure backup restoration parameters.

    1. Set Protocol to NFS.
    2. Set Server to the IP address of the NFS server, set Folder to the path where the backup file is stored on the NFS server, and set NFS User ID to the user name used for backing up the setting information on the NFS server.
    3. Select Browse and press Enter.

      The Backup Platform page is displayed, as shown in Figure 3-49.

      Figure 3-49 Backup Platform

    4. Select the name of the current key management server from the list on the backup platform and press Enter.

      The Backup Directory page is displayed, as shown in Figure 3-50.

      Figure 3-50 Backup Directory

    5. Select the path of the backup file and press Enter. Each path corresponds to the backup file generated at that point in time.

      The System Restore page is displayed, as shown in Figure 3-51.

      Figure 3-51 System Restore

    6. Deselect Restore all users, Restore licenses, Restore network settings, and Restore replication settings as shown in Figure 3-51, then select OK, and press Enter.

      The Confirmation page is displayed.

    7. Press Enter.
    8. Log out the admin user.

  4. Use user officer to perform the restoration.

    1. Log in as an officer to the key management server's management interface via the serial port.
    2. Select Restore and press Enter.

      The Confirm page is displayed.

      Figure 3-52 Confirming the operation

    3. Confirm the backup information, select OK, and press Enter.

      The Confirm page is displayed.

    4. Confirm again, select OK, and press Enter.

      The restoration is successful and the key management server restarts.

  5. Confirm the backup restoration result on the web management interface.

    1. Log in as an officer to the key management server's web interface.
    2. Select the Summary tab, confirm that the information in System last restored from is consistent with the backup information, as shown in Figure 3-52.
    Figure 3-53 Confirming backup restoration information

Restoring Information from an SCP Server

efore performing the operation, ensure that:

  • The communication between the SCP server and key management servers is normal.
  • You have obtained the save path of the backup information on the SCP server.
  1. Log in as the admin user to the key management server's management interface via the serial port.
  2. Select Restore and press Enter.

    The System Restore page is displayed, as shown in Figure 3-54.

    Figure 3-54 Backup restoration page

  3. Set the restoration parameters. Table 3-14 lists the parameters.

    Table 3-14 Restoration parameters

    Parameter

    Description

    Value

    Protocol

    Protocol used to transmit the backup information

    [Example]

    SCP

    Server

    IP address of the SCP server

    [Example]

    192.168.17.81

    Folder

    Save path of the backup information on the SCP server

    [Example]

    /home

    SCP Port

    Port used by the SCP server

    [Example]

    22

    SCP Username

    User name for logging in to the SCP server

    [Example]

    admin

    SCP Password

    Password for logging in to the SCP server

    [Example]

    Admin@123

    Backup Directory

    Directory name for the specific backup that you want to restore from

    [Example]

    /home/restore

    1. Select Browse and press Enter.

      The Backup Platform page is displayed, as shown in Figure 3-55.

      Figure 3-55 Backup Platform

    2. Select the name of the current key management server from the list on the backup platform and press Enter.

      The Backup Directory page is displayed, as shown in Figure 3-56.

      Figure 3-56 Backup Directory

    3. Select the path of the backup file and press Enter.
      NOTE:

      Each path corresponds to the backup file generated at that point in time.

      The System Restore page is displayed, as shown in Figure 3-57.

      Figure 3-57 System Restore

    4. Deselect Restore all users, Restore license, Restore Network Settings, and Restore Replication settings as shown in Figure 3-51, then select OK, and press Enter.

      The Confirmation page is displayed.

    5. Press Enter.
    6. Log out the admin user.

  4. Use the officer user to authorize the restoration.

    1. Log in as an officer to the key management server's management interface via the serial port.
    2. Select Restore and press Enter.

      The Confirm page is displayed, as shown in Figure 3-58.

      Figure 3-58 Confirming the operation

    3. Confirm the backup information, select OK, and press Enter.

      The Confirm page is displayed.

    4. Confirm again, select OK, and press Enter.

      The restoration is successful and the key management server restarts.

  5. Confirm the backup restoration result on the web management interface.

    1. Log in as an officer to the key management server's web interface.
    2. Select the Summary tab, confirm that the information in System last restored from is consistent with the backup information, as shown in Figure 3-59.
    Figure 3-59 Confirming backup restoration information

Adding Replication Members

This section describes how to add replication members to a key management server so as to cluster two key management servers.

Prerequisites
  • IP addresses have been configured for the service network ports (Port1 on the rear panel) on both key management servers.
  • The maintenance mode of both key management servers has been enabled.
Context

Add replication members on one of the key management servers. After that, the added replication members are bottom added to the other one.

Procedure
  1. Log in to the web interface of one key management server as an officer.
  2. Click the Replication tab.

    The Replication Members page is displayed, as shown in Figure 3-60.

    Figure 3-60 Replication management page

  3. Click Add Member.

    The Add Member page is displayed, as shown in Figure 3-61.

    Figure 3-61 Adding replication members

  4. Set replication member information and click Add.

    • In Address, enter the IP address of Data Port 1 on the other key management server.
    • In Control port and Data Port, enter the control port and data port of the cluster, respectively. Their default values are 37211 and 37210, respectively.

  5. Wait for several minutes and check whether the members are added to the cluster.

    1. Log in to the web interfaces of both key management servers as an officer.
    2. Click the Replication tab.

      The Add Member page is displayed, as shown in Figure 3-62.

    Figure 3-62 Confirming replication members

  6. In the Replication Member list, confirm that the added replication members are in the list and Status is OK.
Disabling the Maintenance Mode of Key Management Servers

Replication and key management services can be used only after the maintenance mode of key management servers in a cluster is disabled.

Prerequisites
  • The maintenance mode of key management servers can be successfully disabled only after user admin has sent the requirement to disable it and the officer user has granted the permission.
  • The maintenance mode of both key management servers has been disabled.
Context

If the maintenance mode of key management servers has been disabled, the replication and key management services can run properly.

Procedure
  1. Use user admin to send a requirement to disable the maintenance mode.

    1. Log in to the key management server management interface through the serial port as user admin.
    2. Select Maintenance Mode and press Enter.

      The Confirm page is displayed, as shown in Figure 3-63.

      Figure 3-63 Request of disabling the maintenance mode

    3. Select Yes and press Enter.

      The Confirmation page is displayed.

    4. Press Enter.

      The key management server management interface is displayed.

    5. Select Logout and press Enter.

      You have logged out of the device as user admin.

  2. Use user officer to grant permission to enable the maintenance mode.

    1. Log in to the key management server management interface through the serial port as user officer.
    2. Select Replication Setting and press Enter.

      The Replication Settings page is displayed, as shown in Figure 3-64.

      Figure 3-64 Replication setting page

    3. De-select Maintenance Mode. Select OK and press Enter.

      The Confirm page is displayed indicating that the request from the administrator for enabling the maintenance mode is received, as shown in Figure 3-65.

      Figure 3-65 Confirming to disable the maintenance mode

    4. Select Yes and press Enter.

      The Confirm page is displayed. Confirm it again.

    5. Select Yes and press Enter.

      The Info page is displayed indicating that the maintenance mode is successfully disabled.

    6. Press Enter.

Translation
Download
Updated: 2018-11-01

Document ID: EDOC1000159246

Views: 33175

Downloads: 201

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next