No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Disk Encryption User Guide

OceanStor V5 Series V500R007

This document is applicable to OceanStor 5110 V5, 5110F V5, 5300 V5, 5300F V5, 5500 V5, 5500F V5, 5600 V5, 5600F V5, 5800 V5, 5800F V5, 6800 V5, 6800F V5, 18500 V5, 18500F V5, 18800 V5, and 18800F V5. It introduces how to install and configure key management servers connected to the storage systems that use self-encrypting disks.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring a Key Management Server Cluster

Configuring a Key Management Server Cluster

After two key management servers with the same configurations are clustered, the two servers provide the encryption service together. If one of them becomes faulty or fails to provide the encryption service, the storage system automatically connects to the other one.

Backing Up the Configurations of the Source Key Management Server

When you configure a key management server cluster, make sure that the two key management servers have the same configurations. To achieve this, you need to back up the configurations of the configured key management server (source), and then restore the configurations to the other key management server (target).

Generating System Key Shares

System key shares must be generated to back up the system key to smart cards.

Context
  • Only a security officer can perform this operation.
  • Generate at least two system key shares.
Procedure
  1. Log in to the key management server's web interface as user officer.
  2. Click the System Key tab.

    Figure 3-31 Generating system key shares

  3. In the System Key Shares area, set Recoverable Shares to the number of system key shares to be generated.

    NOTE:

    Generate at least two system key shares.

  4. Click Generate Shares to generate system key shares.
Initializing a Smart Card

Smart cards back up the system key shares generated on the key management servers. Initialize smart cards before using them.

Prerequisites

At least two smart cards have been prepared.

Precautions

Save the smart cards and their personal identification numbers (PINs) securely. Confirm the mappings between smart cards and PINs.

Procedure
  1. Insert a smart card into the built-in card reader on the front panel of the key management server. Keep the chip face up. If the indicator is steady green, the smart card is correctly inserted.
  2. Log in to the key management server's management interface as an officer.

    Figure 3-32 Key management server's management interface

  3. Select Smart Card and press Enter.

    The Smart Card dialog box is displayed, as shown in Figure 3-33.

    Figure 3-33 Smart Card dialog box

  4. Erase smart card information.

    1. Select Erase and press Enter.

      The Confirm dialog box is displayed.

    2. Click Yes.

      The Info dialog box is displayed.

    3. Click OK.

      You are returned to the Smart Card main page.

  5. Record the smart card configuration.

    1. Select Prepare and press Enter.

      The Confirm dialog box is displayed, as shown in Figure 3-34.

      Figure 3-34 Smart card configuration

    2. Record the SmartCard Serial, PIN, and PUK of the smart card, and then click Yes.
      NOTE:

      You are advised to take a screenshot when generating a PIN and set the screenshot file name to the smart card serial number. Paste the serial number on the rear side of the smart card. Ensure that each PIN corresponds to a unique smart card.

      The Please Wait dialog box is displayed. Wait for the Info dialog box to display, as shown in Figure 3-35.

      Figure 3-35 Successfully initializing a smart card

    3. Confirm that the SmartCard Serial, PIN, and PUK of the smart card have been recorded, and then click Yes.

  6. Remove the smart card.
  7. Repeat 1 to 6 to initialize the other smart card.
Backing Up the Source Key Management Server's System Key to the Smart Card

You need to back up the system key of a key management server before high-risk operations.

Prerequisites

At least two smart cards have been erased and their configurations have been recorded.

Context
  • Only the recovery officers can perform this operation.
  • This document uses the recovery1 user preset in the key management server as an example.
Procedure
  1. Log in to the key management server's management interface as user recovery1, as shown in Figure 3-36.

    Figure 3-36 Management interface of the key management server

  2. Insert a smart card into the built-in card reader of the source key management server. Keep the chip face up. If the indicator is steady green, the smart card is correctly inserted.
  3. Select Export Share and press Enter.

    The Export Key Share page is displayed, as shown in Figure 3-37.

    Figure 3-37 Exporting the system key

  4. Enter the PIN of this smart card and click Read Card.

    The Info page is displayed indicating that no other share is on the current smart card.

  5. Click OK.
  6. In Save Share As, set the name of the share that is exported to the smart card. Choose OK and press Enter.

    The Info dialog box is displayed.

  7. Choose OK and press Enter.

    Record the mapping relationship between the recovery officers and smart cards. You must use the correct recovery officer to restore the system key from the smart card to the key management server.

  8. Log out user recovery1.
  9. Log in to the CLI through the serial port as user recovery2.
  10. Repeat 1 to 9, and export the system key to the second smart card.
  11. Check the export result.

    1. Log in to the web interface of the source key management server as an officer.
    2. Click the System Key tab. Check whether the value of Shares Exported is the same as the number of exported system keys, as shown in Figure 3-38.
    Figure 3-38 Checking the export result

Manually Backing Up the Configurations of a Key Management Server

To ensure that the configurations on the two key management servers are the same, you need to manually back up the configurations of the source key management server to a backup server, and then restore the configurations from the backup server to the target key management server.

Prerequisites

The backup server has been deployed and communicates properly with the key management servers.

Procedure
  1. Log in to the web interface of the source key management server as an officer.
  2. Click the Backup tab.

    The Backup page is displayed, as shown in Figure 3-39.

    Figure 3-39 Backup management page

    NOTE:

    You can back up the configuration information of a key management server using either the NFS or SCP protocol.

    • If you use the NFS protocol, go to Step 3.
    • If you use the SCP protocol, go to Step 4.

  3. Configure the NFS backup server.

    1. In the Device area, configure the NFS backup server information. Table 3-13 describes the parameters.
      Table 3-13 NFS backup server configurations

      Parameter

      Description

      Value

      Protocol

      Protocol used to upload configuration information to the backup server

      [Example]

      NFS

      NFS Server

      IP address of the NFS server

      [Example]

      192.168.17.81

      Folder

      Save path of the backup information on the NFS server

      [Example]

      /kabackup

      User ID

      Name of the user created on the NFS server

      [Example]

      710

      NOTE:

      You can click Test Connection to test the connection between the NFS and key management servers.

    2. Click Save Device to save the NFS server configuration.

  4. Configure the SCP backup server.

    1. In the Device area, configure the SCP backup server information. Table 3-14 describes the parameters.
      Table 3-14 SCP backup server configurations

      Parameter

      Description

      Value

      Protocol

      Protocol used to upload configuration information to the backup server

      [Example]

      SCP

      SCP Server

      IP address of the SCP server

      [Example]

      192.168.17.81

      Port

      Port used by the SCP server

      [Example]

      22

      Username

      User name for logging in to the SCP server

      [Example]

      admin

      Password

      Password for logging in to the SCP server

      [Example]

      Admin@

      Folder

      Save path of the backup information on the SCP server

      [Example]

      /home/admin/scp

      NOTE:

      You can click Test Connection to test the connection between the SCP and key management servers.

    2. Click Save Device to save the SCP server configuration.

  5. Click Backup Now.

    The system prompts you to start the backup. You need to view the backup result in the logs.

  6. Click the Logs tab and check the backup result based on time, as shown in Figure 3-40.

    Figure 3-40 Confirming the backup result

Restoring the Configurations to the Target Key Management Server

To ensure that the configurations of the two key management servers in a cluster are the same, you should restore the backup configurations of the source key management server to the target key management server.

Enabling the Maintenance Mode of the Key Management Servers

The cluster can be configured only when the maintenance mode of the key management servers is enabled. This section describes how to enable the mode.

Prerequisites

The Replication license has been imported.

Context
  • You must enable the maintenance mode on both key management servers.
  • To enable the maintenance mode, you must use user admin to initiate the request and then use user officer to approve the request.
  • If the maintenance mode of the key management servers is enabled, the key management service is stopped.
Procedure
  1. Log in to the system as user admin and initiate a request to enable the maintenance mode.

    1. Log in to the key management server's management interface as user admin.
    2. Select Maintenance Mode and press Enter.

      The Confirm page is displayed, as shown in Figure 3-41.

      Figure 3-41 Request of enabling the maintenance mode

    3. Select Yes and press Enter.

      The Confirmation page is displayed.

    4. Press Enter.

      The system returns to the key management server's management interface.

    5. Select Logout and press Enter.

      User admin is logged out.

  2. Approve the request for enabling the maintenance mode as user officer.

    1. Log in to the key management server's management interface as user officer.
    2. Select Replication Setting and press Enter.

      The Replication Settings page is displayed, as shown in Figure 3-42.

      Figure 3-42 Replication setting page

    3. Select Maintenance Mode. Select OK and press Enter.

      The Confirm page is displayed indicating that the request from the administrator for enabling the maintenance mode is received, as shown in Figure 3-43.

      Figure 3-43 Confirming the request for enabling the maintenance mode

    4. Select Yes and press Enter.

      The Confirm page is displayed. Confirm it again.

    5. Select Yes and press Enter.

      The Info page is displayed indicating that the maintenance mode is successfully enabled.

    6. Press Enter.

Restoring the Source System Key to the Target Key Management Server

After you have backed up the source key management server's system key to the smart cards, you can restore the system key from the smart cards to the target key management server to ensure consistency.

Prerequisites
  • The maintenance terminal has been connected to the target key management server through a serial port.
  • The system key restoration must be performed by user recovery1 and user recovery2, and then committed by user officer.
  • When performing the restoration, keep the mapping relationship between the recovery officers and smart cards the same way as that in exporting the system key. To be specific, user recovery1 restores the system key from the first smart card and user recovery2 restores the system key from the second smart card.
Procedure
  1. Use user recovery1 to restore the system key from the first smart card to the target key management server.

    1. Insert the first smart card into the built-in card reader on the target key management server. When the indicator light is steady green, the smart card is successfully connected to the key management server.
    2. Log in to the management interface of the target key management server as user recovery1 through a serial port.
    3. Select Recover Share and press Enter.

      The Recover Key Share window is displayed, as shown in Figure 3-44.

      Figure 3-44 Restoring the system key from the first smart card

    4. Enter the PIN of the first smart card, select Read Card, and press Enter.

      The information of the smart card is displayed in the Shares on Card list.

    5. Select OK and press Enter.

      The Info window is displayed.

    6. Press Enter.

      The system returns to the key management server's management interface.

    7. Remove the smart card and log out user recovery1.

  2. Use user recovery2 to restore the system key from the second smart card to the target key management server.

    1. Insert the second smart card into the built-in card reader of the target key management server. When the indicator light is steady green, the smart card is successfully connected to the key management server.
    2. Log in to the management interface of the target key management server as user recovery2 through a serial port.
    3. Select Recover Share and press Enter.

      The Recover Key Share window is displayed, as shown in Figure 3-45.

      Figure 3-45 Restoring the system key from the second smart card

    4. Enter the PIN of the second smart card, select Read Card, and press Enter.

      The information of the smart card is displayed in the Shares on Card list.

    5. Select OK and press Enter.

      The Info window is displayed.

    6. Press Enter.

      The system returns to the key management server's management interface.

    7. Remove the smart card and log out user recovery2.

  3. Use user officer to commit the system key restoration.

    1. Log in to the management interface of the target key management server as user officer through a serial port.
    2. Select System Key and press Enter.

      The System Key window is displayed, as shown in Figure 3-46.

      Figure 3-46 Committing the system key restoration

    3. Select Commit, select OK, and press Enter.

      The Warning dialog box is displayed, as shown in Figure 3-47.

      Figure 3-47 Warning

    4. Select Yes and press Enter.

      The Confirmation window is displayed.

    5. Press Enter to complete the restoration.

Restoring Configurations from the Backup Server to the Target Key Management Server

This section describes how to restore configurations from an NFS or SCP backup server to the target key management server.

Restoring Information from an NFS Server

Before performing the operation, ensure that:

  • The NFS server is communicating properly with the key management servers.
  • You have obtained the save path of the backup information on the NFS server.
  1. Log in as the admin user to the target key management server's management interface via the serial port.
  2. Select Restore and press Enter.

    The System Restore page is displayed, as shown in Figure 3-48.

    Figure 3-48 System Restore

  3. Configure restoration parameters.

    1. Set Protocol to NFS.
    2. Set Server to the IP address of the NFS server, Folder to the path where the backup file is stored on the NFS server, and NFS User ID to the user name used for backing up the configurations to the NFS server.
    3. Select Browse and press Enter.

      The Backup Platform page is displayed, as shown in Figure 3-49.

      Figure 3-49 Backup Platform

    4. Select the name of the current key management server from the Backup Platform and press Enter.

      The Backup Directory page is displayed, as shown in Figure 3-50.

      Figure 3-50 Backup Directory

    5. Select the path of the backup file and press Enter. Each path corresponds to the backup file generated at that point in time.

      The System Restore page is displayed, as shown in Figure 3-51.

      Figure 3-51 System Restore

    6. Deselect Restore all users, Restore licenses, Restore network settings, and Restore replication settings. Then select OK, and press Enter.

      The Confirmation page is displayed.

    7. Press Enter.
    8. Log out the admin user.

  4. Use user officer to approve the restoration.

    1. Log in as user officer to the key management server's management interface via the serial port.
    2. Select Restore and press Enter.

      The Confirm page is displayed.

      Figure 3-52 Confirming the operation

    3. Confirm the backup information, select OK, and press Enter.

      The Confirm page is displayed.

    4. Confirm again, select OK, and press Enter.

      The restoration is successful and the key management server restarts.

  5. Confirm the restoration result on the web management interface.

    1. Log in as user officer to the key management server's web interface.
    2. Select the Summary tab and confirm that the information in System last restored from is consistent with the backup information.
    Figure 3-53 Confirming restoration information

Restoring Information from an SCP Server

Before performing the operation, ensure that:

  • The communication between the SCP server and key management servers is normal.
  • You have obtained the save path of the backup information on the SCP server.
  1. Log in as the admin user to the key management server's management interface via the serial port.
  2. Select Restore and press Enter.

    The System Restore page is displayed, as shown in Figure 3-54.

    Figure 3-54 Backup restoration page

  3. Set the restoration parameters. Table 3-15 lists the parameters.

    Table 3-15 Restoration parameters

    Parameter

    Description

    Value

    Protocol

    Protocol used to transmit the backup information

    [Example]

    SCP

    Server

    IP address of the SCP server

    [Example]

    192.168.17.81

    Folder

    Save path of the backup information on the SCP server

    [Example]

    /home

    SCP Port

    Port used by the SCP server

    [Example]

    22

    SCP Username

    User name for logging in to the SCP server

    [Example]

    admin

    SCP Password

    Password for logging in to the SCP server

    [Example]

    Admin@123

    Backup Directory

    Directory name for the specific backup that you want to restore from

    [Example]

    /home/restore

    1. Select Browse and press Enter.

      The Backup Platform page is displayed, as shown in Figure 3-55.

      Figure 3-55 Backup Platform

    2. Select the name of the current key management server from the list on the backup platform and press Enter.

      The Backup Directory page is displayed, as shown in Figure 3-56.

      Figure 3-56 Backup Directory

    3. Select the path of the backup file and press Enter.
      NOTE:

      Each path corresponds to the backup file generated at that point in time.

      The System Restore page is displayed, as shown in Figure 3-57.

      Figure 3-57 System Restore

    4. Deselect Restore all users, Restore license, Restore Network Settings, and Restore Replication settings as shown in Figure 3-51, then select OK, and press Enter.

      The Confirmation page is displayed.

    5. Press Enter.
    6. Log out the admin user.

  4. Use the officer user to authorize the restoration.

    1. Log in as an officer to the key management server's management interface via the serial port.
    2. Select Restore and press Enter.

      The Confirm page is displayed, as shown in Figure 3-58.

      Figure 3-58 Confirming the operation

    3. Confirm the backup information, select OK, and press Enter.

      The Confirm page is displayed.

    4. Confirm again, select OK, and press Enter.

      The restoration is successful and the key management server restarts.

  5. Confirm the backup restoration result on the web management interface.

    1. Log in as an officer to the key management server's web interface.
    2. Select the Summary tab, confirm that the information in System last restored from is consistent with the backup information, as shown in Figure 3-59.
    Figure 3-59 Confirming backup restoration information

Adding a Replication Member

This section describes how to add one key management server as a replication member to the other key management server to cluster the two key management servers.

Prerequisites
  • IP addresses have been configured for the service network ports (Port1 on the rear panel) on both key management servers.
  • The maintenance mode of both key management servers has been enabled.
Context

You only need to add a replication member on one of the key management servers. After that, the other key management server will automatically add the peer server as its replication member.

Procedure
  1. Log in to the web interface of one key management server as user officer.
  2. Click the Replication tab.

    The Replication Members page is displayed, as shown in Figure 3-60.

    Figure 3-60 Replication management page

  3. Click Add Member.

    Figure 3-61 Adding replication members

  4. Set replication member information and click Add.

    • In Address, enter the IP address of Data Port 1 on the other key management server.
    • In Control port and Data port, enter the control port and data port of the cluster, respectively. Their default values are 37211 and 37210, respectively.

  5. Wait for several minutes and verify that the member has been added to the cluster.

    1. Log in to the web interfaces of both key management servers as user officer.
    2. Click the Replication tab.

      The Replication Members page is displayed, as shown in Figure 3-62.

    Figure 3-62 Confirming replication members

    1. Confirm that the added replication member exists in the list and its Status is OK.

Disabling the Maintenance Mode of the Key Management Servers

After the key management server cluster has been configured, you should disable the maintenance mode for the servers to provide replication and key management services properly.

Context
  • To disable the maintenance mode, you must use user admin to initiate the request and then use user officer to approve the request.
  • You must disable the maintenance mode on both key management servers.
  • If the maintenance mode of key management servers is disabled, the replication and key management services can run properly.
Procedure
  1. Use user admin to initiate a request to disable the maintenance mode.

    1. Log in to the key management server's management interface as user admin through the serial port.
    2. Select Maintenance Mode and press Enter.

      The Confirm page is displayed, as shown in Figure 3-63.

      Figure 3-63 Request of disabling the maintenance mode

    3. Select Yes and press Enter.

      The Confirmation page is displayed.

    4. Press Enter.

      The system returns to the key management server's management interface.

    5. Select Logout and press Enter.

      You have logged out of the device as user admin.

  2. Use user officer to approve the request for disabling the maintenance mode.

    1. Log in to the key management server's management interface as user officer through the serial port.
    2. Select Replication Setting and press Enter.

      The Replication Settings page is displayed, as shown in Figure 3-64.

      Figure 3-64 Replication setting page

    3. De-select Maintenance Mode. Select OK and press Enter.

      The Confirm page is displayed indicating that the request from the administrator for disabling the maintenance mode is received, as shown in Figure 3-65.

      Figure 3-65 Confirming to disable the maintenance mode

    4. Select Yes and press Enter.

      The Confirm page is displayed. Confirm it again.

    5. Select Yes and press Enter.

      The Info page is displayed indicating that the maintenance mode is successfully disabled.

    6. Press Enter.

Translation
Download
Updated: 2019-07-11

Document ID: EDOC1000181504

Views: 22958

Downloads: 181

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next