Disk Encryption User Guide

OceanStor V5 Series V500R007

This document is applicable to OceanStor 5110 V5, 5110F V5, 5300 V5, 5300F V5, 5500 V5, 5500F V5, 5600 V5, 5600F V5, 5800 V5, 5800F V5, 6800 V5, 6800F V5, 18500 V5, 18500F V5, 18800 V5, and 18800F V5. It introduces how to install and configure key management servers connected to the storage systems that use self-encrypting disks.
Connecting the Key Management Servers to the Storage System

After the key management server cluster has been created, you must connect the key management servers to the storage system to provide the disk encryption service.

Creating a Domain

Domains can logically isolate key management on different devices. You can create a domain to protect and limit the usage of keys and security objects in the groups and clients that belong to this domain.

Prerequisites

The number of domains created does not exceed the number supported by the license. You can log in to the system as a security officer to view the number of domains supported by the license.

Context

You only need to create a domain on either key management server in the cluster. After the domain is created, its information is synchronized to the other key management server automatically.

Procedure
  1. Log in to the key management server's web interface as user officer.
  2. Click the Domains tab.

    The Domains page is displayed.

  3. Click Add Domain.

    The Add Domain page is displayed, as shown in Figure 3-66.

    Figure 3-66 Creating a domain

  4. Set the domain name and description.

    The domain name rule is as follows:

    • The domain name contains a maximum of 192 characters.
    • The domain name can consist of multi-level names. The format is node1.node2.nodeN.TLD. TLD indicates the top-level domain name, for example, com or org.
    • TLD contains at least two characters.
    • Each separate level of domain name contains a maximum of 63 characters and must start and end with a letter or digit.
    NOTE:

    In this example, set Name to test.com.

  5. Click Add Domain.

    The new domain is displayed in the domain list.

Creating a Group

The group is used to logically organize and manage keys and the KMIP client.

Prerequisites

A domain has been created on the key management servers.

Context

You only need to create a group on either key management server in the cluster. After the group is created, its information is synchronized to the other key management server automatically.

Procedure
  1. Log in to the key management server's web interface as user officer.
  2. Click the Groups tab.

    The Groups page is displayed.

  3. Click Add Group.

    The Add Group page is displayed, as shown in Figure 3-67.

    Figure 3-67 Creating a group

  4. Configure parameters of the group.

    Table 3-16 Parameters of the group

    Group type
      Description: For Huawei storage devices, only KMIP is supported.
      Value: [Example] KMIP

    Name
      Description: Group name
      Value:
        [Value range]
        • The value ranges from 5 to 255 characters, including letters, digits, dashes, and underscores.
        • Hexadecimal character strings are supported. The value must contain uppercase letters.
        [Example] admin

    Description
      Description: Description of the group
      Value: [Example] group

    Domain
      Description: Domain specified for the group
      Value: [Example] test.com

  5. Click Add Group.

    The new group is displayed in the group list.

Creating a Group Manager

A group manager is used to register and manage the KMIP client.

Prerequisites

A group has been created on the key management server.

Context

Each group manager must be allocated to at least one group.

You must create the group manager on both key management servers separately.

Procedure
  1. Add the group manager as user admin.

    1. Log in to the key management server's web interface as user admin.
    2. Click the Users tab and select Add User.

      The Add User page is displayed, as shown in Figure 3-68.

      Figure 3-68 Creating a group manager

    3. Set the parameters.
      Table 3-17 Setting parameters of unassigned users

      Login name
        Description: User name
        Value:
          [Value range] The value can contain a maximum of 32 characters.
          [Example] groupmanager2

      Description
        Description: User description
        Value: [Example] user

      Role
        Description: User role. Set the parameter to Unassigned.
        Value: [Example] Unassigned

      Password expiration
        Description: Password expiration date
        Value: [Example] Never

      Auto-Logout
        Description: Automatic logout duration. If no operation is performed during this period, the user automatically logs out.
        Value: [Example] 5

      Email address
        Description: Email address used by the new user to receive messages
        Value: [Example] xxx@xxx.com

      Confirm Email address

    4. Click Add User.

      The new user will be added to the existing user list, and the system displays a random password for the new user. Record the password and save it properly.

    Figure 3-69 Group manager created successfully

  2. Use user officer to assign a role and the permission for the new user.

    1. Log in to the key management server's web interface as user officer.
    2. Click the Users tab.

      The Users page is displayed.

    3. Find the new user in the user list and click its name.

      The Edit User page is displayed, as shown in Figure 3-70.

      Figure 3-70 Setting user permission

    4. Set parameters.
      Table 3-18 Parameters for setting user permission

      User smart card authentication
        Description: Indicates whether to enable smart card authentication of the user
        Value: [Example] Disable

      Role
        Description: Role of a user
          • Officer: indicates a security officer.
          • Manager: indicates a group manager.
          • Recovery: indicates a recovery officer.
          • Audit: indicates an auditor.
          Set the parameter to Manager.
        Value: [Example] Manager

      Manageable group
        Description: Group managed by the group manager.
        Value: [Example] storagepoc.com/kmipgroup

      Visible group
        Description: Groups that can be viewed by the group manager. The group manager has read-only permission on the groups.
        Value: [Example] storagepoc.com/kmipgroup2

    5. Click Save.

  3. Change the password of the created group manager.

    1. Log in to the web interface using the created group manager and its random password.
    2. Click the Users tab.

      The Change User Password page is displayed, as shown in Figure 3-71.

      Figure 3-71 Changing the password

    3. In Old password, enter the current login password. In New password and Confirm password, enter the new password. Click Change Password.

      You have finished changing the password.

Creating a KMIP Client

Storage devices function as KMIP clients for the key management servers. The clients must be added using the web management interface.

Prerequisites

The number of KMIP clients cannot exceed the maximum value allowed by the license.

Context

You must create the KMIP client on both key management servers separately.

Procedure
  1. Log in to the key management server's web interface as a group manager.
  2. Choose Clients > KMIP Clients.

    The KMIP Clients page is displayed.

  3. Click Add Client.

    The Add Client page is displayed, as shown in Figure 3-72.

    Figure 3-72 Creating a KMIP client

  4. Set the parameters.

    Table 3-19 KMIP client parameters

    Name
      Description: Client name.
      Value:
        [Value range] Not longer than 32 characters.
        [Example] KMIP_Client_1

    Group
      Description: Group to which the client belongs. A KMIP client belongs to only one group and cannot be reassigned to another group.
      Value: [Example] kmipdomian1/kmipD1G1

    Description
      Description: Client description.
      Value: [Example] Adding KMIP Client to Group kmipD1G1

    Password
      Description: Password for connecting to the client.
      Value: [Example] KMIPClient_1

    Verify password
      Description: Confirms the password for connecting to the client.
      Value: [Example] KMIPClient_1

    Profile
      Description: Manufacturer of the storage system. Select Huawei OceanStor.
      Value: [Example] Huawei OceanStor

  5. Click Add Client.

    The new client will be added to the client list.

Certificate Signature Authentication

You must complete certificate signature authentication on the storage system and key management servers before using the disk encryption service.

Generating and Exporting a Certificate on the Storage System

This section describes how to generate and export a certificate required to enable the disk encryption function on the storage system.

Context

The certificate generated on the storage system has no signature. It takes effect only after it is signed on the key management server.

Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > Value-added Service Settings > Credential Management.
  3. Select KMC certificate and click Export Request File. Set Certificate Key Algorithm to RSA 2048 or RSA 4096, and then click OK.

Signing the Certificate on a Key Management Server and Exporting the Certificate

This section describes how to sign the certificate on a key management server and then export the certificate.

Signing the Certificate
  1. Log in to the key management server's web interface as a group manager.
  2. Click the Clients tab.
  3. Import the certificate you want to sign, as shown in the following figure.

  4. Import the to-be-signed certificate that was generated on the storage system and click Sign.

  5. Export the signed certificate.

Exporting the CA Certificate
  1. Log in to the key management server's web interface as user officer.
  2. Click the Certificate tab.
  3. Click the CA Certificate tab.
  4. In the View/Export Certificate area, click Export Certificate.

Importing and Activating the Certificate on the Storage System

This section describes how to import and activate the certificate on the storage system.

Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > Value-added Service Settings > Credential Management.
  3. Import and activate the certificate.

    1. After the certificate has been signed by the server, click Import and Activate.

      The Import and Activate dialog box is displayed.

    2. Select Certificate and import the signed certificate and CA certificate. Table 3-20 describes the parameters.
      Table 3-20 Parameters for importing the certificate

      Certificate File
        Description: Certificate file that has been exported and signed
        Value: [Example] signed.crt

      CA Certificate File
        Description: Certificate file of a server
        Value: [Example] hsm.mgmt_ca.crt

      Private Key File
        Description: Private key file of a device
        Value: [Example] None

    3. Click OK.

      The Warning dialog box is displayed.

    4. Carefully read the content in the dialog box, select I have read and understand the consequences associated with this question, and click OK.

      The Success dialog box is displayed.

    5. Click OK.

      The certificate is imported and activated successfully. In the Credential Management area, you can query the Status, Expire Time, and Expiration Warning Days of the certificate.
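Before activating the certificate, it is worth confirming offline that the file you are about to import really chains to the CA certificate exported from the key management server, still carries the public key from the storage system's request file, and meets the RSA 2048 minimum from the export step. The following script is an added example, not part of the Huawei guide or the OceanStor product: it rebuilds the whole flow locally with openssl, using a constructed stand-in CA for the key management server and a constructed stand-in request file for the storage system, so the three checks can be practised and then run against the real signed.crt and hsm.mgmt_ca.crt files.

```shell
#!/bin/sh
# Added example (not from the Huawei guide): simulate the certificate flow with
# openssl and check the result the way you would before clicking Import and Activate.
# All keys, names and files below are constructed for this demonstration.
set -eu
WORK="$(mktemp -d)"

# Stand-in for the key management server's CA (the hsm.mgmt_ca.crt of Table 3-20).
make_kms_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=example-kms-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Stand-in for the storage system's exported request file (RSA 2048, as in step 3).
make_storage_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=oceanstor-kmc-client" \
    -keyout "$WORK/kmc.key" -out "$WORK/kmc.csr" >/dev/null 2>&1
}

# Stand-in for the Sign action on the key management server (produces signed.crt).
sign_csr() {
  openssl x509 -req -in "$WORK/kmc.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/signed.crt" >/dev/null 2>&1
}

# Check 1: the signed certificate chains to the exported CA certificate.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/signed.crt" >/dev/null 2>&1
}

# Check 2: the signed certificate carries the same public key as the request,
# so it matches the private key that never left the storage system.
verify_key_match() {
  csr_pub="$(openssl req -in "$WORK/kmc.csr" -pubkey -noout)"
  crt_pub="$(openssl x509 -in "$WORK/signed.crt" -pubkey -noout)"
  [ "$csr_pub" = "$crt_pub" ]
}

# Check 3: the key size meets the guide's minimum of RSA 2048.
verify_key_size() {
  bits="$(openssl x509 -in "$WORK/signed.crt" -noout -text \
          | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')"
  [ "${bits:-0}" -ge 2048 ]
}

make_kms_ca && make_storage_csr && sign_csr
verify_chain && verify_key_match && verify_key_size && echo "certificate checks passed"
```

To check real files, point the three verify functions at the exported signed.crt, the CA certificate file and the request file instead of the constructed ones under $WORK.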

Configuring the Key Management Servers on the Storage System

You must configure the key management servers on the storage system to establish the connection between them.

Context

A storage system needs two key management servers.

Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > Value-added Service Settings > Key Service.
  3. Select Enable the external key management service.
  4. Add the key management servers.

    NOTE:

    A storage system can connect to a maximum of two key management servers in a cluster. The following example adds one key management server to the storage system.

    1. Click Add.

      The Add Server dialog box is displayed.

    2. Specify the parameters listed in Table 3-21.
      Table 3-21 Key management server parameters

      Server Type
        Description: Type of the key management server
        Value: [Example] Thales KMIP

      Address
        Description: Key management server's domain name or service port IP address
          NOTE: This service port IP address is the one specified for Data Port 1 in Configuring Network Information.
        Value: [Example] 192.168.100.11

      Port
        Description: Port of the key management server
          NOTE: This is the value of the KMIP Server Port that was set in Service Settings in Configuring Network Information.
        Value:
          [Value range] 1 to 65535
          [Example] 2334

    3. Click OK.
    4. Click Save.

      The Execution Result dialog box is displayed.

    5. Click Close.

  5. Repeat step 4 to add the other key management server in the cluster.
  6. Optional: Select a key management server and click Test to check whether it is configured successfully.

Updated: 2019-07-11

Document ID: EDOC1000181504