
Disk Encryption User Guide

OceanStor Dorado V3 Series V300R002

This document is applicable to OceanStor Dorado3000 V3, Dorado5000 V3, Dorado6000 V3 and Dorado18000 V3. This document introduces how to install and configure key management servers connected to the storage systems that use self-encrypting disks.
Initializing Configurations

Initialization includes initializing the network and time of the key management server, importing licenses, and configuring the KMIP and NTP servers.

Both key management servers need initial configurations.

Initializing a Key Management Server

You must set the management network port's IP address and the server time before using a key management server.

Prerequisites
  • The maintenance terminal has been connected to the key management server through the serial port.
NOTE:

If the maintenance terminal has no serial port, use the USB-to-serial cable to connect the maintenance terminal to the serial port of the key management server.

  • Management software that supports serial port communication has been installed on the maintenance terminal. This document uses PuTTY as an example.
Context

Both key management servers' configurations must be initialized.

Procedure
  1. Log in to the key management server's management interface through the serial port.

    1. Run PuTTY.
    2. Choose Connection > Serial.
      Figure 3-6 Serial port setting

    3. In Serial line to connect to, enter the maintenance terminal's serial port that is connected to the key management server, and set Speed (baud) to 19200. Then click Open.

      The CLI of the key management server is displayed.

  2. Input y and press Enter.

    The system prompts you to set a password for user admin, as shown in Figure 3-7.

    Figure 3-7 Setting a password for user admin

  3. Set a password for user admin and input the password again.

    The system reports that the information of user admin has been updated, as shown in Figure 3-8.

    Figure 3-8 Setting the password successfully

  4. Set the time zone, date, and time of the key management server.

    The system prompts that date and time have been set successfully, as shown in Figure 3-9.

    Figure 3-9 Setting the time zone, date, and time

  5. Set IP address, Subnet mask, Default gateway, and Hostname to the management network port's IP address, subnet mask, default gateway, and name of the key management server.

    The system then asks you to confirm the network configuration, as shown in Figure 3-10.

    Figure 3-10 Configuring the network

  6. If the configurations are correct, enter y and press Enter.

    The system prompts that the network is configured successfully.

  7. Configure the port number used by web browsers to access the key management server. The default value is 9443. You are advised to keep the default setting.

    Figure 3-11 Port settings

  8. The key management server automatically restarts, which takes 5 to 10 minutes. After the restart, the initialization is complete.

    Figure 3-12 Completing the initialization

  9. Repeat 1 to 8 to initialize the other key management server.

Upgrading a Key Management Server

After initialization, upgrade the key management servers to version 8.6.0 so that the follow-up configurations can be performed and the functions of the key management servers work properly.

Prerequisites

The upgrade files have been saved in a local directory on the maintenance terminal.
  • You can download the upgrade package from SafeNet's official website. Access https://gemalto.service-now.com/, register, and sign in. Subscribe to KeySecure updates to obtain the upgrade package.
NOTE:

Register the account with the same email address that was used to purchase the key management server.

  • You can identify the version from the upgrade package name. For example, a package named 630-010469-001_KeySecure_Field_Upgrade_PKG_V8.3.0_RevA.zip can upgrade the server to version 8.3.0.
  • The downloaded package is in the *.zip format. Decompress it and use the IEU file to perform the upgrade.

Context

The two key management servers in the cluster must be upgraded to the same version.

Currently, the version of delivered key management servers is 8.0.1. Upgrade the key management servers to 8.6.0 in the following sequence.

  1. 8.0.1 -> 8.3.0
  2. 8.3.0 -> 8.5.0
  3. 8.5.0 -> 8.6.0
Procedure
  1. Log in to the key management server's web interface as an administrator.
  2. Upgrade the server from 8.0.1 to 8.3.0.

    1. Choose Device > System Information & Upgrade.

      The System Information interface is displayed.

    2. In the Software & License Upgrade/Install area, set Source to Upload from browser and click Browse to upload the upgrade file from the local directory.
    3. Click Upgrade/Install.

      The system starts upgrading and will restart automatically after the upgrade is complete. The whole process takes approximately 10 minutes.

    4. Verify the server version after the upgrade.

      In the System Summary area on the Home page, verify that the value of Software Version is the same as the target version.

  3. Repeat substeps 1 to 4 of step 2 to upgrade the key management server from 8.3.0 to 8.5.0, and then from 8.5.0 to 8.6.0.

Importing License Files

You can use the key management server's functions properly only after licenses have been imported.

Prerequisites

The license files authenticated by SafeNet have been obtained. Access https://gemalto.service-now.com/ and register your account and email. Then you can receive the license files in your email.

NOTE:

Register the account with the same email address that was used to purchase the key management server.

Context

You must import licenses to both key management servers separately.

Procedure
  1. Log in to the key management server's web interface as an administrator. For details, see Logging In to the Key Management Server's Web Interface Through the Management Port.
  2. Choose Home > Summary.

    Figure 3-13 Viewing license files

  3. Choose Device > System Information & Upgrade.

    The System Information interface is displayed.

  4. In the Software & License Upgrade/Install area, set Source to Upload from browser and click Browse to upload the license files from the local directory.
  5. Click Upgrade/Install.

    The Action Completed interface is displayed, as shown in Figure 3-14.

    Figure 3-14 Licenses have been installed successfully
    NOTE:

    After the licenses have been installed, the system restarts automatically, which takes 5 to 10 minutes.

  6. After the restart, log in to the key management server's web interface and choose Home > Summary. In the System Summary area, check information about the installed licenses.

    Figure 3-15 Confirming license information

    Licenses in Use indicates the number of licenses that have taken effect.

Configuring a KMIP Server

This section describes how to configure a KMIP server.

Prerequisites

The key management server has been initialized and the root CA certificate has been generated.

You can choose Security > Device CAs & SSL Certificates > Local CAs to query the root CA certificate.

Procedure
  1. Log in to the key management server's web interface as an administrator.
  2. Choose Device > Key Server.

    The Cryptographic Key Server Configuration page is displayed.

  3. In the Cryptographic Key Server Settings area, click Add under the server list.

    A new line will be added to the list, as shown in Figure 3-16.

    Figure 3-16 Configuring a KMIP server

  4. Configure the KMIP server parameters listed in Table 3-2. After the configuration is complete, click Save.

    Table 3-2 KMIP Server parameters

    Name | Description | Value
    Protocol | Protocol used by the KMIP server. | [Example] KMIP
    IP | IP address of the management port on the KMIP server. | [Example] 192.168.100.101
    Port | Communication port on the KMIP server. You are advised to keep the default value. | [Default Value] 5696
    Use SSL | Indicates whether to enable SSL authentication. You are advised to select this parameter for security purposes. | [Example] Enable
    Server Certificate | Certificate of the KMIP server. | [Example] nae_kmip_server

    After the KMIP server is created, it will be displayed in the server list in the Cryptographic Key Server Settings area.

  5. Optional: Select the KMIP server that has been configured and click Properties to query its properties and authentication parameters.

    To modify the KMIP server's properties, perform the following operations:

    NOTE:

    Modifying the KMIP server's configuration resets all connections to this server.

    1. In the Cryptographic Key Server Properties area, click Edit.

      Figure 3-17 shows the page that is displayed.

      Figure 3-17 Configuring server properties

    2. Modify the properties listed in Table 3-3.
      Table 3-3 KMIP server properties

      Name | Description | Value
      IP | IP address of the management port on the KMIP server. It can be set to All or a specific IP address. NOTE: You are advised to set it to the IP address of the specified management port for security purposes. | [Example] 192.168.100.102
      Port | Communication port on the KMIP server. You are advised to keep the default value. | [Default Value] 5696
      Use SSL | Indicates whether to enable SSL. | [Example] Enable
      Server Certificate | Certificate of the KMIP server. It can be set to None or nae_kmip_server. You are advised to set it to nae_kmip_server. | [Example] nae_kmip_server
      Connection Timeout (sec) | Connection timeout interval. If the client performs no operation within this period, the KMIP server closes the connection. | [Default Value] 3600
      Allow Key and Policy Configuration Operations | Indicates whether the KMIP server allows keys to be created, deleted, and imported. | [Example] Enable
      Allow Key Export | Indicates whether the KMIP server allows keys to be exported. | [Example] Enable

    3. Click Save.

    To modify the KMIP server's authentication parameters, perform the following operations:

    1. In the Authentication Settings area, click Edit. Figure 3-18 shows the page that is displayed.
      Figure 3-18 Configuring authentication parameters of the KMIP server

    2. Modify the authentication parameters listed in Table 3-4.
      Table 3-4 Authentication parameters of the KMIP server

      Name | Description | Value
      Password Authentication | Indicates whether password authentication is used. | [Example] Not Used
      Client Certificate Authentication | Authentication mode of the client certificate. | [Example] Used for SSL session and username (most secure)
      Trusted CA List Profile | List of trusted CA certificates. | [Example] hsm_mgmt_ca_profile
      Username Field in Client Certificate | Field of the client certificate from which the user name is taken. NOTE: Set it to OU (Organization Unit). | [Example] OU (Organization Unit)
      Require Client Certificate to Contain Source IP | Indicates whether the client certificate must contain the source IP address of the client connection as seen by the key management server. | [Example] Disable

    3. Click Save.
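The authentication settings in Table 3-4 amount to a small policy: no password, the user name taken from the OU of the client certificate, and an optional check that the certificate lists the connecting address. The following added example (not part of this guide or of KeySecure) models that policy with the Python standard library; the certificate file paths, the sample certificate and the OU value dorado_kmip_client are assumptions.

```python
"""Model of the KMIP client-authentication policy in Table 3-4 (added example, not KeySecure code)."""
import ssl

KMIP_PORT = 5696                              # default KMIP port (Table 3-2)
USERNAME_FIELD = "organizationalUnitName"     # "Username Field in Client Certificate" = OU


def server_tls_context(cert_file, key_file, ca_file):
    """TLS context for 'Use SSL' with client certificates required, as the guide's settings imply.

    cert_file/key_file stand in for the nae_kmip_server certificate, ca_file for the
    trusted CA list profile (hsm_mgmt_ca_profile); all three paths are assumptions.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.load_cert_chain(cert_file, key_file)
    ctx.verify_mode = ssl.CERT_REQUIRED       # a client with no certificate never gets a session
    return ctx


def username_from_cert(peer_cert):
    """Derive the KMIP user name from the OU of the client certificate (ssl.getpeercert() layout)."""
    for rdn in peer_cert.get("subject", ()):
        for attr, value in rdn:
            if attr == USERNAME_FIELD and value:
                return value
    raise PermissionError("client certificate has no OU, so no user name can be derived")


def cert_contains_source_ip(peer_cert, peer_ip):
    """'Require Client Certificate to Contain Source IP': the peer address must be an IP SAN."""
    return any(kind == "IP Address" and value == peer_ip
               for kind, value in peer_cert.get("subjectAltName", ()))


def authenticate_client(peer_cert, peer_ip, require_source_ip=False):
    """Password authentication is 'Not Used'; identity comes only from the certificate."""
    if require_source_ip and not cert_contains_source_ip(peer_cert, peer_ip):
        raise PermissionError(f"client certificate does not list source IP {peer_ip}")
    return username_from_cert(peer_cert)


# Constructed sample client certificate in ssl.getpeercert() form (not taken from the guide).
SAMPLE_CERT = {
    "subject": ((("countryName", "CN"),),
                (("organizationalUnitName", "dorado_kmip_client"),),
                (("commonName", "storage-controller-a"),)),
    "subjectAltName": (("IP Address", "192.168.100.10"),),
}
```

A certificate without an OU is rejected even though it chained to a trusted CA, which is why the guide insists on setting the user name field to OU.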

Configuring the NTP Server

To ensure that the key management server and the storage system have the same time, configure the same NTP server on the key management server as the storage system.

Prerequisites
  • The NTP server has been configured for the storage system.
  • The key management server and storage system use the same NTP server to synchronize time.
Procedure
  1. Log in to the key management server's web interface as user admin.
  2. Choose Device > Date & Time.

    Figure 3-19 NTP server configuration

  3. In the NTP Settings area, click Edit.

    The NTP server configuration page is displayed, as shown in Figure 3-20.

    Figure 3-20 Setting the NTP server

  4. Set NTP server parameters.

    1. Select Enable NTP.
    2. Set the IP address of the NTP server in NTP Server 1.
      NOTE:
      • The IP address of the NTP server configured on the key management server must be the same as that configured on the storage system.
      • If multiple NTP servers are configured on the storage system, configure NTP Server 2 or NTP Server 3 on the key management server until it has the same NTP servers as the storage system.
    3. Set the Poll Interval (min). The system will compare the time on the key management server with that on the NTP server periodically according to the interval. If the time is inconsistent, the system automatically synchronizes the time on the key management server with that on the NTP server. The default interval is 5 minutes, and you are advised to retain the default value.

  5. Click Save.

Creating the Periodic Backup Tasks

After the key management server is configured, you need to periodically back up its data, which can be used for recovery in the event of an exception.

Prerequisites
  • The SCP server has been configured.
  • The SCP server communicates with the key management server normally.
Context

Periodic backup must be configured for both key management servers.

This document uses the SCP server running Linux CentOS as an example.

NOTE:

A Linux CentOS host that supports the SSH protocol can be used as an SCP server.

Procedure
  1. Log in to the key management server's web interface as an administrator.
  2. Choose Device > Backup & Restore > Create Backup.

    The Security Items page is displayed, as shown in Figure 3-21.

    Figure 3-21 Security backup items

  3. On the Security Items page, click Select All and click Continue.

    The Device Items page is displayed, as shown in Figure 3-22.

    Figure 3-22 Device backup item settings

  4. On the Device Items page, click Select All and deselect Network. Then click Continue.

    The Backup Settings page is displayed, as shown in Figure 3-23.

    Figure 3-23 Backup settings

  5. On the Backup Settings page, set automatic backup parameters.

    1. Set basic backup parameters, including Backup Name, Backup Description, Backup Password, and Confirm Backup Password.
    2. Set Destination to SCP. The system will automatically perform remote backup and save the backup file to the SCP server.
    3. Set SCP backup parameters.
      Table 3-5 SCP backup parameters

      Parameter | Description | Setting
      Host | IP address of the SCP server | [Example] 192.168.20.3
      Directory Name | Save path of backup files | [Example] BackupDirectory
      Username | User name for logging in to the SCP server | [Example] Admin
      Authentication | Authentication mode of the SCP server | [Example] Password
      Password | Password for logging in to the SCP server. This parameter is valid only when Authentication is Password. | [Example] XXX

    4. Click Save Settings for Automated Remote Backup.

      The Confirmation Required dialog box is displayed, as shown in Figure 3-24.

      Figure 3-24 Confirming automatic backup settings

    5. Read contents in the dialog box and click Confirm.
    6. Click Continue.

      The Action Completed page is displayed.

  6. Configure a backup policy.

    1. Click Continue.

      The Automated Remote Backup Schedule page is displayed.

    2. Click Edit.

      Figure 3-25 shows the page that is displayed.

      Figure 3-25 Configuring a backup policy

    3. Set the backup period and time, and click Save.

      The periodic backup starts as configured. The status of the most recent run is displayed in Last Automated Remote Backup Status.

  7. Repeat 1 to 6 to configure periodic backup for the other key management server.
Follow-up Procedure

Check the storage space on the SCP server periodically. You are advised to clear early backup files periodically to release the space.
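The follow-up step asks you to clear early backup files and watch the space on the SCP server. The following added Python script (not part of this guide or of KeySecure) keeps only the newest backups in the SCP target directory and reports free space; it assumes that directory holds nothing but backup files, and the retention count of 14 and the sample file names are assumptions.

```python
"""Retention check for automated remote backups on the SCP server (added example, not KeySecure code).

Assumes the SCP target directory (BackupDirectory in Table 3-5) holds only backup files.
"""
import os
import shutil
import tempfile
import time
from pathlib import Path


def prune_backups(directory, keep=14, dry_run=False):
    """Remove every file except the newest `keep` (by mtime); return the names removed."""
    if keep < 1:
        raise ValueError("keep at least one backup; the newest must survive pruning")
    files = sorted((p for p in Path(directory).iterdir() if p.is_file()),
                   key=lambda p: p.stat().st_mtime, reverse=True)
    removed = []
    for old in files[keep:]:              # everything beyond the newest `keep`
        if not dry_run:
            old.unlink()
        removed.append(old.name)
    return removed


def free_space_pct(directory):
    """Percentage of free space on the filesystem that holds the backup directory."""
    usage = shutil.disk_usage(directory)
    return 100.0 * usage.free / usage.total


def retention_report(directory, keep=14, min_free_pct=20.0):
    """Prune, then flag the host if free space is still below `min_free_pct`."""
    removed = prune_backups(directory, keep)
    free = free_space_pct(directory)
    return {"removed": removed, "free_pct": round(free, 1), "low_space": free < min_free_pct}


def make_sample_dir(count=5):
    """Constructed sample: temp directory with `count` backup files one day apart (index 0 oldest)."""
    d = Path(tempfile.mkdtemp(prefix="kms_backup_"))
    now = time.time()
    for i in range(count):
        p = d / f"kms_backup_{i}.bak"
        p.write_bytes(b"constructed backup payload")
        os.utime(p, (now - (count - i) * 86400,) * 2)   # set atime and mtime
    return d
```

Run it with dry_run=True first on the real directory to confirm that only the expected old files would be removed.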

Updated: 2019-07-17

Document ID: EDOC1100049141