Disk Encryption User Guide

OceanStor Dorado V3 Series V300R002

This document is applicable to OceanStor Dorado3000 V3, Dorado5000 V3, Dorado6000 V3 and Dorado18000 V3. This document introduces how to install and configure key management servers connected to the storage systems that use self-encrypting disks.
Connecting the Key Management Server to the Storage System

After the key management server cluster has been created, you must connect the key management servers to the storage system to provide the disk encryption service.

Generating and Exporting a Certificate on the Storage System

This section describes how to generate and export a certificate required by the disk encryption function on the storage system.

Context

The file exported from the storage system is an unsigned certificate request. It must be signed on the key management server before it can be imported back into the storage system.

Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > Value-added Service Settings > Credential Management.
  3. Select KMC certificate and click Export Request File. Set Certificate Key Algorithm to RSA 2048 or RSA 4096, and then click OK.

Creating a Local User

This section describes how to create a local user. When the key management server authenticates a storage system using the Key Management Interoperability Protocol (KMIP), it identifies the storage system based on the user.

Prerequisites

To ensure that the key management server can identify the storage system successfully, the local user name of the key management server must be set to Storage, which is the same as the OU value in the signed certificate of the storage system.

You can query the OU value as follows:

  1. Double-click the certificate.
  2. Click the Detail tab, and select User. You can view the OU value in the lower pane.

Context

Create at least one local user.

Procedure
  1. Log in as the admin user to the key management server's web interface.
  2. Choose Security > Users & Groups > Local Authentication > Local Users & Groups.

    The User & Group Configuration page is displayed, as shown in Figure 3-35.

    Figure 3-35 Local user page

  3. In the Local User area, click Add.

    Figure 3-36 shows the page that is displayed.

    Figure 3-36 Local user information setting page

  4. Set user information.

    Table 3-7 User parameters

    Parameter                      | Description                                                    | Setting
    -------------------------------|----------------------------------------------------------------|--------------------------------------------------------
    Username                       | Name of the new user. Set the value to Storage.                | [Example] Storage
    Password                       | Password of the new user.                                      | [Example] admin@123
    User Administration Permission | Permission to create, modify, and delete a user or user group. | [Example] Not selected; [Recommended value] Not selected
    Change Password Permission     | Permission to modify a user's own password.                    | [Example] Not selected; [Recommended value] Not selected

  5. Click Save.

    The new user is displayed in the user list.

Signing the Certificate on a Key Management Server and Exporting the Certificate

This section describes how to sign the certificate on a key management server and then export the certificate.

Signing the Certificate
  1. Log in to the key management server's web interface as an administrator.
  2. Choose Security > Local CAs.

    The Certificate and CA Configuration interface is displayed, as shown in Figure 3-37.

    Figure 3-37 CA certificate list

  3. Select the default CA certificate and click Sign Request.

    The Sign Certificate Request interface is displayed, as shown in Figure 3-38.

    Figure 3-38 Signing the certificate

  4. Set certificate request parameters.

    1. Set Sign with Certificate Authority to hsm_mgmt_ca (maximum xxxx days) (default value).
    2. Set Certificate Purpose to Client.
    3. Set Certificate Duration (days) to the validity period of the certificate. The value of this parameter must not be greater than xxx in hsm_mgmt_ca (maximum xxxx days).
    4. Copy the content of the certificate file exported from the storage system to the text box under Certificate Request.
    5. Click Sign Request.

      The CA Certificate Information page is displayed, as shown in Figure 3-39.

      Figure 3-39 CA certificate information

  5. Click Download to export the signed certificate.

    The signed certificate is named signed.crt.

Exporting the CA Certificate
  1. Log in to the key management server's web interface as an administrator.
  2. Choose Security > Local CAs.

    The Certificate and CA Configuration interface is displayed, as shown in Figure 3-40.

    Figure 3-40 CA certificate list

  3. Click Download to export the CA certificate of the key management server.
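As an added check, not Huawei's code or part of this guide, the following POSIX shell script verifies that a signed certificate satisfies the prerequisites this guide states before it is imported on the storage system: it chains to the exported CA certificate, its subject OU equals the local user name Storage, it is usable for TLS client authentication (Certificate Purpose set to Client), it carries an RSA 2048 or 4096 key, and it has not expired. The make_sample_pki function builds a throwaway CA and client certificate only to exercise the check; all file names and the CA name sample_mgmt_ca are constructed.

```shell
#!/bin/sh
# Added example, not part of the Huawei guide. Pre-import check for a KMIP
# client certificate; all names and the throwaway CA below are constructed.

# check_kmip_client_cert SIGNED_CRT CA_CRT EXPECTED_OU
# Returns 0 when every prerequisite holds, 1 otherwise (reason on stderr).
check_kmip_client_cert() {
    cert=$1; ca=$2; want_ou=$3
    # 1. The signed certificate must chain to the CA certificate that will be
    #    imported next to it (hsm.mgmt_ca.crt in the guide).
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "chain: $cert does not verify against $ca" >&2; return 1; }
    # 2. The key server maps the subject OU to its local user, so the OU must
    #    equal that user name (Storage).
    ou=$(openssl x509 -in "$cert" -noout -subject -nameopt sep_multiline |
        sed -n 's/^ *OU=//p')
    [ "$ou" = "$want_ou" ] ||
        { echo "subject: OU is '$ou', expected '$want_ou'" >&2; return 1; }
    text=$(openssl x509 -in "$cert" -noout -text)
    # 3. Certificate Purpose was set to Client on the key server.
    printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' ||
        { echo "eku: not usable for TLS client authentication" >&2; return 1; }
    # 4. The request was generated with RSA 2048 or RSA 4096.
    printf '%s\n' "$text" | grep -qE 'Public-Key: \((2048|4096) bit\)' ||
        { echo "key: public key is not RSA 2048 or 4096" >&2; return 1; }
    # 5. Still valid today (DeviceManager shows Expire Time after import).
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "validity: certificate has expired" >&2; return 1; }
}

# make_sample_pki DIR OU: constructs a throwaway CA and signs a client
# certificate whose subject OU is OU, mimicking the Sign Request step.
make_sample_pki() {
    dir=$1; ou=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=sample_mgmt_ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=storage/OU=$ou" \
        -keyout "$dir/storage.key" -out "$dir/storage.csr" >/dev/null 2>&1
    printf 'extendedKeyUsage = clientAuth\n' > "$dir/ext.cnf"
    openssl x509 -req -in "$dir/storage.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/ext.cnf" \
        -out "$dir/signed.crt" >/dev/null 2>&1
}
```

In production the storage system keeps its private key and only the request leaves it, which is why Private Key File is None at import; the sample key here exists only because the script has to play the storage system's role.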

Importing and Activating the Certificate on the Storage System

This section describes how to import and activate the certificate on the storage system.

Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > Value-added Service Settings > Credential Management.
  3. Import and activate the certificate.

    1. After the certificate has been signed by the server, click Import and Activate.

      The Import and Activate dialog box is displayed.

    2. Select Certificate and import the signed certificate and CA certificate. Table 3-8 describes the parameters.
      Table 3-8 Parameters for importing the certificate

      Parameter           | Description                                                  | Value
      --------------------|--------------------------------------------------------------|---------------------------
      Certificate File    | Certificate file that has been exported and signed           | [Example] signed.crt
      CA Certificate File | CA certificate file exported from the key management server  | [Example] hsm.mgmt_ca.crt
      Private Key File    | Private key file of a device                                 | [Example] None

    3. Click OK.

      The Warning dialog box is displayed.

    4. Carefully read the content in the dialog box, select I have read and understand the consequences associated with this question, and click OK.

      The Success dialog box is displayed.

    5. Click OK.

      The certificate is imported and activated successfully. In the Credential Management area, you can query the Status, Expire Time, and Expiration Warning Days of the certificate.

Configuring the Key Management Servers on the Storage System

You must configure the key management servers on the storage system to establish the connection between them.

Context

A storage system needs two key management servers.

Procedure
  1. Log in to DeviceManager.
  2. Choose Settings > Storage Settings > Value-added Service Settings > Key Service.
  3. Select Enable the external key management service.
  4. Add the key management servers.

    NOTE:

    A storage system can connect to a maximum of two key management servers in a cluster. The following example adds one key management server to the storage system.

    1. Click Add.

      The Add Server dialog box is displayed.

    2. Specify the parameters listed in Table 3-9.
      Table 3-9 Key management server parameters

      Parameter   | Description                                                                                                                                                    | Value
      ------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------
      Server type | Type of the key management server                                                                                                                              | [Example] SafeNet KMIP
      Address     | Domain name or service IP address of the key management server. NOTE: This service IP address is the one specified for the management port in Initializing a Key Management Server. | [Example] 192.168.141.128
      Port        | Port on which the key management service listens at the server address                                                                                          | [Value range] 1 to 65535; [Example] 9443

    3. Click OK.
    4. Click Save.

      The Execution Result dialog box is displayed.

    5. Click Close.

  5. Repeat Step 4 to add the other key management server in the cluster.
  6. Optional: Select a key management server and click Test to check whether it is configured successfully.

Follow-up Procedure

After the storage system has connected to the key management servers, wait for 2 to 3 minutes before performing follow-up procedures.

Updated: 2019-07-17

Document ID: EDOC1100049141

Views: 9522

Downloads: 63

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next