Disk Encryption User Guide

OceanStor Dorado V3 Series V300R002

This document is applicable to OceanStor Dorado3000 V3, Dorado5000 V3, Dorado6000 V3 and Dorado18000 V3. It describes how to install and configure key management servers connected to storage systems that use self-encrypting disks.
Configuring a Key Management Server Cluster


After two key management servers with the same configurations are configured into a cluster, the two servers provide the encryption service together. If one of them becomes faulty or fails to provide the encryption service, the storage system automatically connects to the other one.

Before creating a cluster, you can choose Security > Device CAs & SSL Certificates > Local CAs to query the root CA certificate.

Check whether the two key management servers have the same root CA certificate.
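One way to carry out this check outside the web interface, as an added example that is not part of the original guide: it assumes the root CA certificate of each server has been exported as PEM (the guide itself only describes querying it under Local CAs) and compares SHA-256 fingerprints of the decoded certificates. The function names and the sample data are constructed for illustration.

```python
import base64
import hashlib
import re

# Matches each PEM certificate block, tolerating CRLF and surrounding text.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def cert_fingerprints(pem_text):
    """Return the set of SHA-256 fingerprints (hex) of every certificate in pem_text.

    The hash is taken over the decoded DER bytes, so line wrapping and
    line endings in the export do not affect the result.
    """
    prints = set()
    for body in PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.add(hashlib.sha256(der).hexdigest())
    if not prints:
        raise ValueError("no PEM certificate block found")
    return prints


def compare_root_cas(pem_a, pem_b):
    """Compare the exports of two servers: (match, only_on_a, only_on_b)."""
    a, b = cert_fingerprints(pem_a), cert_fingerprints(pem_b)
    return a == b, a - b, b - a


def sample_pem(der, width, newline):
    # Constructed sample input: wraps arbitrary bytes as a PEM block.
    # These bytes are placeholders, not a real X.509 certificate.
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(["-----BEGIN CERTIFICATE-----", *lines,
                         "-----END CERTIFICATE-----", ""])


if __name__ == "__main__":
    root = b"constructed-root-ca-bytes" * 20
    kms1 = sample_pem(root, 64, "\n")       # export from the first server
    kms2 = sample_pem(root, 76, "\r\n")     # same CA, different wrapping
    kms3 = sample_pem(b"constructed-other-ca" * 20, 64, "\n")
    print("server 1 vs 2 match:", compare_root_cas(kms1, kms2)[0])
    print("server 1 vs 3 match:", compare_root_cas(kms1, kms3)[0])
```

A mismatch returns the fingerprints present on only one side, which identifies the server whose local CA has to be corrected before the cluster is created.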

(Optional) Manually Backing Up the Configurations of a Key Management Server

When configuring a key management server cluster, ensure that the configurations of the two key management servers are the same. To achieve this, you can back up the configurations of one key management server (source), and then restore the configurations to the other key management server (target).

Procedure
  1. Log in to the key management server's web interface as an administrator.
  2. Choose Device > Backup & Restore > Create Backup.

    The Security Items page is displayed, as shown in Figure 3-26.

    Figure 3-26 Security backup item settings

  3. Click Select All and click Continue.

    The Device Items page is displayed, as shown in Figure 3-27.

    Figure 3-27 Device backup item settings

  4. Click Select All and deselect Network. Click Continue.

    The Backup Settings page is displayed, as shown in Figure 3-28.

    Figure 3-28 Backup settings

  5. Specify the backup name, description, and password, and set Destination to Download to browser, then click Backup Now.

    The backup files are saved under the local directory of the maintenance terminal.

(Optional) Restoring the Backup Configurations to the Target Key Management Server

After you back up the configurations of the source key management server, you can restore the configurations to the target key management server to ensure consistency between the source and target. This section uses the backup files on the SCP server as an example.

Prerequisites
  • The communication between the SCP server and key management server is normal.
  • You have obtained the path where the backup information is saved on the SCP server.
Procedure
  1. Log in to the target key management server's web interface as a user that has the permission for restoration.
  2. Choose Device > Backup & Restore > Restore Backup.

    Figure 3-29 Backup restoration page

  3. In Source, select SCP. Enter the IP address of the SCP server, backup file name, and login user name of the SCP server. Set Authentication to Password and configure the password. Then, enter the backup password in Backup Password.
  4. Click Restore.

    The Backup Restore Information page is displayed, as shown in Figure 3-30.

    Figure 3-30 Setting the backup restoration information

  5. Select the information to be restored.

    NOTE:

    To prevent the old key information in the backup file from overwriting new key information on the key management server, select Only import new managed objects in Security Items.

  6. Enter the backup password, and click Restore.

    The Action Completed page is displayed, as shown in Figure 3-31.

    Figure 3-31 Backup restoration completed

  7. Click Continue.

    The server page is displayed.

  8. In the Restart/Halt drop-down list, select Restart and click Commit.

Creating a Key Management Server Cluster

After two key management servers with the same configurations are added to a cluster, they provide the encryption service together. If one of them becomes faulty or fails to provide the encryption service, the storage system automatically connects to the other one.

Procedure
  1. Log in to one key management server's web interface as an administrator.
  2. Choose Device > Device Configuration > Cluster > Configuration.

    The Cluster Configuration interface is displayed, as shown in Figure 3-32.

    Figure 3-32 Cluster creation interface

  3. Set the cluster parameters listed in Table 3-6.

    Table 3-6 Cluster parameters

    | Parameter | Description | Setting |
    |---|---|---|
    | Local IP | IP address of the cluster. It is the service IP address of the key management server and is the same as the IP address of the management port that is set in Initializing a Key Management Server. | [Example] 192.168.141.128 |
    | Local Port | Port used by the cluster. | [Example] 9001 |
    | Cluster Password | Password of the cluster. A cluster key is protected by a cluster password. This password must be provided when devices attempt to join a cluster, or when an administrator attempts to restore a cluster backup. | [Example] admin@123 |
    | Confirm Cluster Password | | |

  4. Click Create.

    The new cluster will be displayed in the cluster list in the Cluster Members area. The Cluster Settings interface is displayed, as shown in Figure 3-33.

    Figure 3-33 Cluster settings interface

  5. Click Download Cluster Key to export the cluster key and save it locally. The cluster key contains authentication information for exchange between cluster members. The default name is ing_cluster.
Follow-up Procedure

After the cluster is successfully created on a key management server, add the other key management server to this cluster.

Adding the Other Key Management Server to the Cluster

This section describes how to add the other key management server to the cluster.

Prerequisites

A key management server cluster has been created.

Procedure
  1. Use the admin account to log in to the web interface of the key management server that you want to add to the cluster.
  2. Choose Device > Cluster > Configuration > Join Cluster.

    The Join Cluster interface is displayed.

  3. In Cluster Member IP and Cluster Member Port, enter the cluster IP address and port (which is generally set to 9001).
  4. Click Browse on the right side of Cluster Key File, and import the cluster key file (whose default name is ing_cluster) that was exported when the cluster was created.
  5. In Cluster Password, enter the cluster password and click Join.

    Information about the cluster will be displayed in the cluster list in Cluster Members.

  6. In Cluster Members, confirm that two key management servers have been configured in the cluster, as shown in Figure 3-34.

    Figure 3-34 Checking the cluster status

Updated: 2019-07-17

Document ID: EDOC1100049141
