
Disk Encryption User Guide

OceanStor V5 Series V500R007

This document is applicable to OceanStor 5110 V5, 5110F V5, 5300 V5, 5300F V5, 5500 V5, 5500F V5, 5600 V5, 5600F V5, 5800 V5, 5800F V5, 6800 V5, 6800F V5, 18500 V5, 18500F V5, 18800 V5, and 18800F V5. It introduces how to install and configure key management servers connected to the storage systems that use self-encrypting disks.
Initializing a Key Management Server


Initializing a key management server includes configuring the network and time, generating a system key, generating CA and SSL certificates, importing licenses, configuring the NTP server, and configuring the NFS server.

Both key management servers must be initialized. Table 3-3 lists the initialization procedure.

Table 3-3 Initialization procedure

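| Operation | Where to Perform the Operation | Role to Perform the Operation |
|---|---|---|
| Configuring network information | Console interface | Administrator |
| Configuring the time | Console interface | Administrator |
| Generating a system key | Console interface | Security Officer |
| Generating a CA root certificate | Console interface | Security Officer |
| Generating an SSL certificate | Console interface | Security Officer |
| Verifying the service status | Console interface | Security Officer |
| Creating an auditor | Web interface | Administrator/Security Officer |
| Importing licenses | Web interface | Security Officer |
| Configuring the NTP server | Web interface | Administrator |
| Configuring the NFS server | Web interface | Security Officer |
| Configuring alarm notification | Web interface | Auditor |
| Periodically backing up configuration information | Web interface | Security Officer |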

NOTE:
  • The default user name and password of the administrator are admin and password123, respectively. This document uses the default administrator as an example.
  • The default user name and password of the security officer are officer and password123, respectively. This document uses the default security officer as an example.
  • The key management server does not have default auditors. You must create an auditor account.

Configuring Network Information

Before using the key management server, you must configure network information (such as ports).

Prerequisites

Only administrators can configure the key management server network.

Context

The default user name and password of the administrator role are admin and password123 respectively. The following procedure uses the default user name as an example.

Procedure
  1. Log in to the key management server's management interface as an administrator. For details, see Logging In to the Key Management Server's Management Interface Through the Serial Port.
  2. Select Network and press Enter.

    The Network Properties dialog box is displayed, as shown in Figure 3-10.

    Figure 3-10 Network properties

  3. Set network parameters.

    1. On the Management Interface tab page, enter the IP address, subnet mask, and gateway of the management port on the key management server.
      NOTE:

      Check that the IP address of the management port on the key management server can communicate with that of the storage system.

    2. On the Data Port 1 tab page, enter the IP address, subnet mask, and gateway of the service port on the key management server.
      NOTE:

      Check that the IP addresses of the service ports on the two key management servers can communicate with each other.

    3. On the Common Settings tab page, set the host name and domain name.
    4. On the Service Settings tab page, enable the SSH, HTTPS, and KMIP services, and set their ports to 22, 443, and 5696, respectively.
    NOTE:

    If the license is not imported or has expired, the KMIP service may not be started. Refer to Importing License Files to import the license and start this service.

  4. Click OK.

    The Please Wait dialog box is displayed. Wait until the Confirmation dialog box is displayed, as shown in Figure 3-11.

    Figure 3-11 Successful network configuration

  5. Click OK.

    You have completed the network configuration.

Configuring the Time of Key Management Servers

The time zone, date, and time of the key management servers must be the same as those of the storage system to ensure proper data encryption and decryption.

Prerequisites

Only administrators can configure the time of the key management servers.

Procedure
  1. Log in as the admin user to the key management server's management interface via the serial port.
  2. Select Date & Time and press Enter.

    The Date & Time page is displayed, as shown in Figure 3-12.

    Figure 3-12 Time configuration page

  3. Configure the Time Zone, Date, and Time.

    NOTE:

    Configure these parameters based on the current time to prevent security certificate expiration.

  4. Select OK and press Enter.

    The Please Wait dialog box is displayed. Wait until the Confirmation dialog box is displayed, as shown in Figure 3-13.

    Figure 3-13 Time configured successfully

  5. Press Enter.

    The time configuration is completed.

Follow-up Procedure

Configure the NTP server to ensure that the key management server and the storage system have the same time. For details, see Configuring the NTP Server.

Generating a System Key

A system key is used to encrypt information on a key management server, which is important for the disk encryption service. After being generated, the system key is stored on the key management server.

Prerequisites

Only a security officer can perform this operation.

Precautions

The key management server has built-in batteries, but if the external power source is cut off, the system key will be automatically destroyed five days later. The key management server cannot work properly after being powered on again unless the system key is restored. Therefore, the system key needs to be backed up in a timely manner. For details, see Backing Up the Source Key Management Server's System Key to the Smart Card.

Procedure
  1. Log in to the key management server's management interface as user officer via a serial port.

    Figure 3-14 Key management server's management interface
    NOTE:

    If you log in to the server for the first time, the system will prompt you to change your password.

  2. Select System Key and press Enter.

    The System Key window is displayed, as shown in Figure 3-15.

    Figure 3-15 Generating a system key

  3. Select Generate New and click OK.

    The Warning window is displayed.

  4. Click Yes.

    The Please Wait dialog box is displayed. Wait until the Messages dialog box is displayed, as shown in Figure 3-16.

    Figure 3-16 Successful configuration

  5. Click OK.

    The system key is generated successfully.

Generating a CA Root Certificate

The CA root certificate is used to sign certificates exported from the key management server and storage system, authenticating the communication between the key management server and the storage system.

Prerequisites
Precautions

Changing the root certificate invalidates all certificates on the key management server. Exercise caution when performing this operation.

Procedure
  1. Log in as an officer to the key management server's management interface via the serial port.

    Figure 3-17 Management interface of the key management server

  2. Select CA Certificate and press Enter.

    The Warning page is displayed.

  3. Click OK.

    The CA Certificate page is displayed, as shown in Figure 3-18.

    Figure 3-18 Management interface of the CA root certificate

  4. Configure CA root certificate parameters. Table 3-4 describes the parameters.

    NOTE:

    You can press Tab to move to the next parameter.

    Table 3-4 CA root certificate parameters

    | Parameter | Description | Value |
    |---|---|---|
    | Country | ISO country code of the CA certificate user | [Example] CN |
    | State | Province where the CA certificate user is located | [Example] SC |
    | City | City where the CA certificate user is located | [Example] CD |
    | Organization | Organization that uses the CA root certificate | [Example] HW |
    | Department | Department that uses the CA root certificate. The value cannot contain slashes, periods, or commas. | [Example] ST |
    | Common Name | Name of the CA root certificate | [Example] thales170_ssl |
    | Email | Email used to receive the CA root certificate | [Example] test@thalessec.com |
    | Days | Validity period of the CA root certificate. Communication will fail if the certificate expires. Update it in time. | [Default value] 730; [Recommended value] 3650 |

  5. Select Generate Certificate and click OK.

    The Confirm page is displayed.

  6. Click OK.

    The Confirmation page is displayed.

  7. Click OK.

    The Please Wait dialog box is displayed. Wait until the Messages dialog box is displayed, as shown in Figure 3-19.

    Figure 3-19 CA certificate generated successfully

  8. Click OK.

    The CA certificate is generated successfully.

    NOTE:

    After the CA certificate is generated, the CA service is activated concurrently.

Generating an SSL Certificate

An SSL certificate secures communication between a key management server and a storage system over the TLS protocol, and allows access to the key management server from web browsers.

Prerequisites
Procedure
  1. Log in as an officer to the key management server's management interface via the serial port.

    Figure 3-20 Key management server's management interface

  2. Select SSL Certificate and press Enter.

    The Warning dialog box is displayed.

  3. Click OK.

    The SSL Certificate window is displayed, as shown in Figure 3-21.

    Figure 3-21 SSL certificate

  4. Configure parameters for the SSL certificate.

    Set Country to your country code defined by ISO, such as CN or US. Set Common Name to the SSL certificate name. Days indicates the certificate validity period, which is 730 days by default. Renew your certificate in time, because communication will be affected if the certificate expires.

    NOTE:

    The Common Name of the SSL certificate cannot be the same as the CA name. If they are the same, the HTTPS service cannot be enabled.

  5. Select Generate certificate and Use for web server, and click OK.

    NOTE:

    If Use for web server is not selected, logins to the key management server through HTTP will fail.

    The Confirmation window is displayed.

  6. Click OK.

    The Please Wait dialog box is displayed. Wait until the Confirmation window is displayed, as shown in Figure 3-22.

    Figure 3-22 Successfully generating an SSL certificate

  7. Click OK.

    The SSL certificate is generated successfully.
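
The two certificate constraints in this guide (the SSL certificate's Common Name must differ from the CA name, and the validity period set by Days must not lapse) can be checked from an administration host. The following is an added example, not part of the vendor's guide or tooling; it assumes the SSL certificate is issued by the key management server's CA, and the function names, finding labels, warn_days threshold, and sample certificate are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
# The issuer CN is the CA Common Name example from Table 3-4; "kms1_ssl" and
# the dates (a 730-day validity period) are made up for illustration.
SAMPLE_CERT = {
    "subject": ((("countryName", "CN"),), (("commonName", "kms1_ssl"),)),
    "issuer": ((("countryName", "CN"),), (("commonName", "thales170_ssl"),)),
    "notBefore": "Jul 11 00:00:00 2019 GMT",
    "notAfter": "Jul 10 00:00:00 2021 GMT",
}


def _first_attr(name, key):
    """Return the first value of `key` in a getpeercert() name tuple, or None."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def check_certificate(cert, now=None, warn_days=60):
    """Return (findings, days_left) for one getpeercert()-style dict."""
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    findings = []

    # The guide states HTTPS cannot be enabled when the SSL certificate's
    # Common Name equals the CA name.
    if _first_attr(cert["subject"], "commonName") == _first_attr(cert["issuer"], "commonName"):
        findings.append("CN_EQUALS_CA")

    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])

    # A certificate that is "not yet valid" usually means one side's clock is
    # wrong, which is why the time is configured before certificates are made.
    if now_ts < not_before:
        findings.append("NOT_YET_VALID")

    days_left = int((not_after - now_ts) // 86400)
    if days_left < 0:
        findings.append("EXPIRED")
    elif days_left < warn_days:
        findings.append("EXPIRES_SOON")
    return findings, days_left


def fetch_server_cert(host, port, ca_file, server_name=None):
    """Fetch the certificate presented on host:port, validated against ca_file
    (assumed to be the CA root certificate exported from the key management
    server, in PEM format)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=5) as sock:
        # An expired certificate or a failed name match raises
        # ssl.SSLCertVerificationError here, which is itself a finding.
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(check_certificate(SAMPLE_CERT))
```

Run `fetch_server_cert` against the HTTPS port (443) or the KMIP port (5696) and pass the result to `check_certificate`; scheduling it gives advance warning before the validity period ends.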

Importing License Files

A key management server can function properly only after the required licenses are imported to it.

Prerequisites
  • Only security officers can perform this operation.
  • You have obtained the compressed license files.
  • Each key management server requires the matched license files.
Context

There are two types of licenses for a key management server: Replication and Domain Code integrated in one license file, or Replication and Domain Code presented in separate license files. The former type requires importing one license file and the latter requires importing both of the two files.

Procedure
  1. Log in to the key management server's web interface as an officer. For details, see Logging In to the Key Management Server Through the Management Port.
  2. Select Summary and confirm the key management server information.
  3. Decompress the matched license files (for example, EM-002210.rar) and obtain the license files' serial numbers from the decompressed .txt files.
  4. Click the Licensing tab.

    Figure 3-23 Importing a license file

  5. In the Add License area, enter the license files' serial numbers in License Code.
  6. Click Add.

    The system indicates that the license files have been imported. The licenses will be added to the license list.

Verifying the Service Status

A key management server can work normally only when the required services are enabled. Verify the service status to guarantee smooth functioning.

Prerequisites

Only a security officer can perform this operation.

Procedure
  1. Log in to the key management server's management interface as user officer via a serial port.
  2. Select Services and press Enter.

    The Services window is displayed, as shown in Figure 3-24.

    Figure 3-24 Service status

  3. Check the status of each service, and make sure they are consistent with the status in the network configuration.
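
The same consistency check can be made over the network from a host on the storage system's management network, which also confirms the communication path required in the network configuration. This is an added example, not part of the vendor's guide; the function names and status labels are hypothetical, the address is a documentation placeholder, and the ports are the ones set on the Service Settings tab page.

```python
import socket

# Service ports from the Service Settings step of this guide.
EXPECTED_SERVICES = {"SSH": 22, "HTTPS": 443, "KMIP": 5696}


def tcp_probe(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def service_report(host, enabled=None, probe_fn=tcp_probe):
    """Compare what answers on the network with what Service Settings enables.

    enabled: names of the services enabled in the network configuration
             (default: all three). Returns (name, port, status, hint) tuples.
    """
    enabled = set(EXPECTED_SERVICES) if enabled is None else set(enabled)
    report = []
    for name, port in EXPECTED_SERVICES.items():
        reachable = probe_fn(host, port)
        if name in enabled and not reachable:
            status = "DOWN"
            if name == "KMIP":
                # Per the guide, KMIP may not start without a valid license.
                hint = "check that the license is imported and has not expired"
            else:
                hint = "check Service Settings and the network path to this port"
        elif name not in enabled and reachable:
            status = "UNEXPECTED"
            hint = "service answers although it is disabled in Service Settings"
        else:
            status, hint = "OK", ""
        report.append((name, port, status, hint))
    return report


if __name__ == "__main__":
    # 192.0.2.10 is a placeholder; use the key management server's management IP.
    for row in service_report("192.0.2.10"):
        print(row)
```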

Configuring the NTP Server

To ensure that the key management server and the storage system have the same time, configure the same NTP server on the key management server as on the storage system.

Prerequisites
  • Only administrators can perform this operation.
  • The NTP server has been configured for the storage system.
  • The key management server and the storage system use the same NTP server to synchronize time.
Procedure
  1. Log in to the key management server's web interface as an administrator.
  2. Click the Date & Time tab.

    Figure 3-25 NTP server configuration

  3. Under NTP Configuration, select Enable and enter the NTP server's IP address in Add Host or IP. Click Add.

    NOTE:

    If multiple NTP servers are configured on the storage system, configure the same NTP servers on the key management servers.

    The added NTP servers will appear in the NTP server list of the key management server's web interface.

  4. Click Save to save the NTP server configuration.

Configuring the Backup Server

To back up the key management server configuration, configure a backup server for the key management servers.

Prerequisites
  • Only security officers can perform this operation.
  • The backup server has been deployed and communicates properly with the key management servers.
NOTE:

Both NFS and SCP servers are supported. The NFS server must be configured according to Configuring the Linux NFS Server or Configuring the Solaris NFS Server.

Context

The two key management servers must use the same backup server.

This section uses the NFS server as an example.

Procedure
  1. Log in to the key management server's web interface as an officer.
  2. Click the Backup tab.

    Figure 3-26 NFS server configuration

  3. Under Device, set Protocol to NFS. In NFS Server, Folder, and User ID, enter the IP address, backup path, and user name of the NFS server.
  4. Click Test Connection to test the connection between the NFS and the key management servers.
  5. Click Save Device to save the NFS server configuration.

Configuring Alarm Notification

The key management server collects events and logs when services are running. In addition, events and logs can be forwarded to the SNMP or Syslog server, facilitating fault analysis when a fault occurs.

Creating an Auditor

A user of the auditor role must be created for the subsequent configuration of alarm notification.

Context

Create at least two users of the security officer role and two users of the recovery officer role. If you forget the password of user officer or user recovery, you can manage and configure the key management server using the newly created users.

Procedure
  1. Add users using user admin.

    1. Log in to the key management server's web interface as user admin.
    2. Click the Users tab and click Add User.

      The Add User window is displayed, as shown in Figure 3-27.

      Figure 3-27 Creating a user
    3. Set parameters.
      Table 3-5 Unassigned user parameters

      | Name | Description | Value |
      |---|---|---|
      | Login name | User name | [Value range] The user name can contain a maximum of 32 characters. [Example] admin2 |
      | Description | User description | [Example] User |
      | Role | Role of a user. Possible values are Administrator and Unassigned. In this case, set the role to Unassigned. | [Example] Unassigned |
      | Password expiration | Password validity period | [Example] 120 days |
      | Auto-Logout | Automatic logout time. If no operations are performed on the system during this period, the user automatically logs out. | [Value range] 5 minutes to 50 minutes. [Example] 5 |
      | Email address | Email address used by the new user to receive messages | [Example] xxx@xxx.com |
      | Confirm Email address | | |

    4. Click Add User.

      The newly created users will be added to the existing user list. Passwords are randomly generated and displayed on the interface. Record the passwords for follow-up use.

      Figure 3-28 Successfully creating a user

  2. Use user officer to assign roles and permissions to the new users.

    1. Log in to the key management server's web interface as user officer.
    2. Click the Users tab.

      The Users window is displayed.

    3. Find a newly created user in the user list and click its user name.

      The Edit User window is displayed, as shown in Figure 3-29.

      Figure 3-29 Configuring user permissions

    4. Set parameters.
      Table 3-6 User parameters

      | Name | Description | Value |
      |---|---|---|
      | Use smart card authentication | Indicates whether to enable user smart card authentication. | [Example] Disable |
      | Role | Role of a user. Officer: The user's role is a security officer. Manager: The user's role is a group manager. Recovery: The user's role is a recovery officer. Audit: The user's role is an auditor. | [Example] Manager |
      | Manageable group | Groups to be managed by a group manager. | [Example] storagepoc.com/kmipgroup2 |
      | Visible group | Groups visible to a group manager. A group manager only has the read permission for these groups. | [Example] storagepoc.com/kmipgroup |

    5. Click Save.

  3. Log in to the key management server's web interface as a newly created user with the system-generated password, and change the password by following the instructions in Changing Passwords.

Configuring the SNMP Server

After an SNMP server is configured, events and logs generated on the key management server will be forwarded to the SNMP server.

Prerequisites
  • An SNMP server has been deployed and it communicates with the key management server properly.
  • Only an auditor can perform this operation.
Procedure
  1. Log in to the key management server's web interface as an auditor.
  2. Choose Remote Notification > SNMP.

    The SNMP Trapsink Configuration page is displayed.

  3. Configure parameters for the SNMP server. Table 3-7 shows the parameters.

    Table 3-7 SNMP server parameters

    | Parameter | Description | Setting |
    |---|---|---|
    | Host or IP | Host name or IP address of the SNMP server | [Example] 192.168.20.3 |
    | Community | Community name of the SNMP server | [Example] public |
    | Port | Port on the SNMP server for receiving alarm information | [Example] 162 |

  4. Click Add.

    The added SNMP server is displayed in the SNMP Trapsink Configuration dialog box.

  5. Set a type and level for the logs to be forwarded to the SNMP server.

    NOTE:

    All SNMP servers use the same log type and level.

    1. In Host or IP, click the IP address of any SNMP server.

      A page is displayed prompting you to set the log type and level.

    2. Select Event Component and the corresponding Severity.
      • The key management server collects logs and events from various internal sub-systems that are called components. For example, a sub-system whose Event Component is labeled as Backup/Restore will trigger the logs and events corresponding to backup operations.
      • Each event or log has a level, which can be Information, Warning, Error, Critical, or Emergency.
      NOTE:

      You are advised to set Severity to Error or a higher level.

    3. Click Save.

Follow-up Procedure

After the SNMP server is configured, you can use a third-party trap NMS to view the logs and events to be forwarded. Set the SNMP protocol of the third-party trap NMS to SNMPv2.

Configuring Syslog Notification

After a Syslog server is configured, events and logs generated on the key management server will be forwarded to the Syslog server.

Prerequisites
  • A Syslog server has been deployed and it communicates with the key management server properly.
  • Only an auditor can perform this operation.
Procedure
  1. Log in to the key management server's web interface as an auditor.
  2. Choose Remote Notification > Remote Syslog.

    The Remote Syslog Configuration dialog box is displayed.

  3. In the Add Remote Syslog Server area, configure parameters of the Syslog server. Table 3-8 shows the parameters.

    Table 3-8 Syslog server parameters

    | Parameter | Description | Setting |
    |---|---|---|
    | Host or IP | Host name or IP address of the Syslog server | [Example] 192.168.20.3 |
    | Secure | Whether to use a secure TLS connection between the Syslog server and the key management server. NOTE: When you create the TLS connection, you need to import the SSL certificate signed by the third-party CA to the key management server. | [Example] Enable |

  4. Click Add.

    The added Syslog server is displayed in the Remote Syslog Configuration dialog box.

  5. Set a type and level for the logs to be forwarded to the Syslog server.

    NOTE:

    All Syslog servers use the same log type and level.

    1. In Host or IP, click the IP address of any Syslog server.

      A page is displayed prompting you to set the log type and level.

    2. Select Event Component and the corresponding Severity.
      • The key management server collects logs and events from various internal sub-systems that are called components. For example, a sub-system whose Event Component is labeled as Backup/Restore will trigger the logs and events corresponding to backup operations.
      • Each event or log has a level, which can be Information, Warning, Error, Critical, or Emergency.
      NOTE:

      You are advised to set Severity to Error or a higher level.

    3. Click Save.

Periodically Backing Up Configuration Information of a Key Management Server

After a key management server is configured, you need to periodically back up its data so that you can restore the data if an exception occurs.

Prerequisites

A backup server has been configured and communicates properly with the key management server.

Procedure
  1. Log in to the web interface of the source key management server as an officer.
  2. Click the Backup tab.

    The Backup page is displayed, as shown in Figure 3-30.

    Figure 3-30 Backup management page

    NOTE:

    You can back up the configuration information of a key management server using either the NFS or SCP protocol.

    • If you use the NFS protocol, go to Step 3.
    • If you use the SCP protocol, go to Step 4.

  3. Configure the NFS backup server and backup schedule.

    1. In the Device area, configure the NFS backup server information. Table 3-9 describes the parameters.
      Table 3-9 NFS backup server configurations

      | Parameter | Description | Setting |
      |---|---|---|
      | Protocol | Protocol used to upload configuration information to the backup server | [Example] NFS |
      | NFS Server | IP address of the NFS server | [Example] 192.168.17.81 |
      | Folder | Save path of the backup information on the NFS server | [Example] /kabackup |
      | User ID | Name of the user created on the NFS server | [Example] 710 |

      Click Save Device to save the configurations.

      NOTE:

      You can click Test Connection to test the connection between the NFS and key management servers.

    2. In the Scheduling area, configure a backup schedule. Table 3-10 describes the parameters.
    Table 3-10 Backup schedule

    | Parameter | Description | Setting |
    |---|---|---|
    | Days | Days on which the backup is performed. NOTE: You can press Ctrl to select multiple days in a week. | [Example] Sundays |
    | Time | Time at which the backup is performed on the specified days | [Example] 12 noon |

    Click Save Scheduling to save the configurations. The key management server will automatically back up configuration information to the specified path on the NFS server at the configured point in time.

  4. Configure the SCP backup server and backup schedule.

    1. In the Device area, configure the SCP backup server information. Table 3-11 describes the parameters.
      Table 3-11 SCP backup server configurations

      | Parameter | Description | Setting |
      |---|---|---|
      | Protocol | Protocol used to upload configuration information to the backup server | [Example] SCP |
      | SCP Server | IP address of the SCP server | [Example] 192.168.17.81 |
      | Port | Port used by the SCP server | [Example] 22 |
      | Username | User name for logging in to the SCP server | [Example] admin |
      | Password | Password for logging in to the SCP server | [Example] Admin@ |
      | Folder | Save path of the backup information on the SCP server | [Example] /home/admin/scp |

      Click Save Device to save the configurations.

      NOTE:

      You can click Test Connection to test the connection between the SCP and key management servers.

    2. In the Scheduling area, configure a backup schedule. Table 3-12 describes the parameters.
    Table 3-12 Backup schedule

    | Parameter | Description | Setting |
    |---|---|---|
    | Days | Days on which the backup is performed. NOTE: You can press Ctrl to select multiple days in a week. | [Example] Sundays |
    | Time | Time at which the backup is performed on the specified days | [Example] 12 noon |

    Click Save Scheduling to save the configurations. The key management server will automatically back up configuration information to the specified path on the SCP server at the configured point in time.

  5. After the settings are complete, click Backup Now.
  6. Optional: Click the Logs tab to view the backup information generated at the specified point in time.
Updated: 2019-07-11

Document ID: EDOC1000181504
