OceanStor Dorado

6.1.x

Disk Encryption User Guide

Issue 03
Date 2022-04-15

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2022. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior
written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: https://e.huawei.com

Issue 03 (2022-04-15) Copyright © Huawei Technologies Co., Ltd. i


OceanStor Dorado
Disk Encryption User Guide About This Document

About This Document

Purpose
This document introduces how to install and configure key management servers
connected to the storage systems that use self-encrypting drives (SEDs).

NOTE

SEDs are not sold in the Chinese mainland.

The following table lists the product models that this document is applicable to.

Product Model            Product Version
OceanStor Dorado 3000    6.1.0, 6.1.2, 6.1.3
OceanStor Dorado 5000    6.1.0, 6.1.2, 6.1.3
OceanStor Dorado 6000    6.1.0, 6.1.2, 6.1.3
OceanStor Dorado 8000    6.1.0, 6.1.2, 6.1.3
OceanStor Dorado 18000   6.1.0, 6.1.2, 6.1.3

NOTICE

This document is updated periodically with the software version. The operations
described in this document use the latest version as an example. Note that the
supported functions and features vary according to the software version. The
content in this document is for reference only.

Intended Audience
This document is intended for:

● Technical support engineers
● Maintenance engineers


Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol Description

Indicates a hazard with a high level of risk which, if not avoided, will result in death or serious injury.

Indicates a hazard with a medium level of risk which, if not avoided, could result in death or serious injury.

Indicates a hazard with a low level of risk which, if not avoided, could result in minor or moderate injury.

NOTICE: Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.

NOTE: Supplements the important information in the main text. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.

Change History
Changes between document issues are cumulative. The latest document issue
contains all the changes made in earlier issues.

Issue 03 (2022-04-15)
This issue is the third official release.

Optimized descriptions.

Issue 02 (2022-01-25)
This issue is the second official release.

Issue 01 (2021-09-30)
This issue is the first official release.


Contents

About This Document

1 Overview

2 Configuring and Managing the Internal Key Management Service
2.1 About the Internal Key Management Service
2.2 Logging In to DeviceManager
2.3 Configuring the Internal Key Management Service
2.4 Managing the Internal Key Management Service
2.4.1 Updating a Key
2.5 FAQs
2.5.1 How Can I Recover Encryption Key Files of Disks?
2.5.2 How Can I Recover Services If They Are Interrupted Due to the Loss of the Disk Encryption Key?
2.6 Appendix - Related Operations
2.6.1 Using the xlight FTP Tool to Deploy the FTP Backup Server

3 Configuring the Key Management Server (KeySecure (K250))
3.1 About KeySecure Key Management Servers
3.2 Logging In to DeviceManager
3.3 Configuration Process
3.4 Hardware Deployment
3.5 Configuring a Key Management Server
3.5.1 Initializing Key Management Servers and Configuring a Key Management Server Cluster
3.5.2 Connecting the Key Management Server to the Storage System
3.5.2.1 Generating and Exporting a Certificate on the Storage System
3.5.2.2 Creating a Local User
3.5.2.3 Signing the Certificate on a Key Management Server and Exporting the Certificate
3.5.2.4 Importing and Activating the Certificate on the Storage System
3.5.2.5 Configuring the Key Management Servers on the Storage System
3.5.3 Creating a Self-encrypting Storage Pool
3.6 FAQs
3.6.1 What Can I Do If "Username entered does not match client certificate" Is Displayed When Logging in to the Key Management Server's Web Interface?
3.6.2 The Storage System Connects to the Key Management Server Properly, But the Key Cannot Be Created

4 Configuring and Managing the Key Management Server (Sansec SecKMS)
4.1 About Sansec SecKMS Key Management Servers
4.2 Configuration Process
4.3 Hardware Deployment
4.4 Configuring the Key Management Server and Cluster
4.5 Connecting the Key Management Server to the Storage System
4.5.1 Creating a Local CA
4.5.2 Adding the CA to the Trusted CA List
4.5.3 Creating an SSL Certificate
4.5.4 Signing the SSL Certificate
4.5.5 Adding a Key Server
4.5.6 Signing and Importing the Certificate for the Storage System
4.5.6.1 Generating and Exporting a Certificate on the Storage System
4.5.6.2 Signing the Certificate on a Key Management Server and Exporting the Certificate
4.5.6.3 Importing and Activating the Certificate on the Storage System
4.5.6.4 Configuring the Key Management Servers on the Storage System
4.6 Creating a Self-encrypting Storage Pool

5 Configuring and Managing the Key Management Server (KeySecure (K170v), Applicable to 6.1.2 and Later)
5.1 About KeySecure Key Management Servers
5.2 Configuration Process
5.3 Hardware Deployment
5.4 Configuring the Key Management Server and Cluster
5.4.1 Initializing the Key Management Servers and Configuring a Key Management Server Cluster
5.4.2 Connecting the Key Management Server to the Storage System
5.4.2.1 Generating and Exporting a Certificate on the Storage System
5.4.2.2 Creating a Local User
5.4.2.3 Creating Clients
5.4.2.3.1 Creating a Profile
5.4.2.3.2 Creating a Registration Token
5.4.2.3.3 Adding a Client
5.4.2.4 Signing the Certificate on a Key Management Server and Exporting the Certificate
5.4.2.5 Importing and Activating the Certificate on the Storage System
5.4.2.6 Configuring the Key Management Servers on the Storage System
5.5 Creating a Self-encrypting Storage Pool

6 Configuring and Managing the Key Management Server (Utimaco, Applicable to 6.1.2 and Later)
6.1 About Utimaco Key Management Servers
6.2 Configuration Process
6.3 Hardware Deployment
6.4 Configuring the Key Management Server and Cluster
6.5 Connecting the Key Management Server to the Storage System
6.5.1 Generating and Exporting a Certificate on the Storage System
6.5.2 Signing the Certificate on a Key Management Server and Exporting the Certificate
6.5.3 Creating a Local User
6.5.4 Importing and Activating the Certificate on the Storage System
6.5.5 Configuring the Key Management Servers on the Storage System
6.6 Creating a Self-encrypting Storage Pool

A How to Obtain Help
A.1 Preparations for Contacting Huawei
A.1.1 Collecting Troubleshooting Information
A.1.2 Making Debugging Preparations
A.2 How to Use the Document
A.3 How to Obtain Help from Website
A.4 Ways to Contact Huawei

B Glossary
C Acronyms and Abbreviations


1 Overview

OceanStor Dorado series storage systems support disk encryption, which provides
secure storage services without impacting storage performance.

NOTE

Only self-encrypting drives (SEDs) are supported for the disk encryption feature.

The disk encryption function has the following characteristics:

● Data in all disks is encrypted transparently without affecting other features such as mirroring, snapshot, deduplication, and compression.
● Automatic key lifecycle management and the Key Management Interoperability Protocol (KMIP) are supported, ensuring the openness of key management systems.

If you enable Data Encryption when creating a storage pool, disk encryption is enabled. The storage system activates the AutoLock function on the SEDs and uses the authentication keys (AKs) allocated by the key management server. SED access is then protected by AutoLock, and only the storage system itself can unlock its SEDs. When the storage system accesses an SED, it obtains the AK from the key management server and presents it to the drive. If the hash of the presented AK matches the hash stored on the SED, the SED unwraps its data encryption key (DEK) and uses it to encrypt and decrypt data. If the hashes differ, the SED stays locked and all read and write operations fail.

If you do not enable Data Encryption when creating a storage pool, disk encryption is disabled and the AutoLock function of the SEDs is deactivated. In this case, the SEDs use their default AKs and access to them is not restricted: the SEDs can be read and written normally by any host they are attached to. Data written to an SED is always encrypted with its DEK, regardless of whether Data Encryption is enabled, but without AutoLock this encryption does not protect the data from anyone who obtains the drive, because the drive unlocks with the default AK. Only Data Encryption (AutoLock with an AK managed by the key management service) protects the data on a drive that is removed from the system.
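The following model of the AutoLock flow is an added example; it is not Huawei code and does not reproduce the real drive firmware. The keystream cipher stands in for the drive's AES engine, DEFAULT_AK and the in-memory kms dictionary are constructed stand-ins, and the method names are assumptions. What it demonstrates is the invariant stated above: the DEK never leaves the drive and is only unwrapped when the hash of the presented AK matches the hash the drive stores, so data on the media is always ciphertext, yet with AutoLock off (default AK) anyone can read it, and after a rekey the previous AK is useless.

```python
"""Model of SED AutoLock: AK hash check gates unwrapping of the DEK (toy crypto)."""
import hashlib
import hmac
import os

# Constructed stand-in for the well-known default AK a drive ships with.
DEFAULT_AK = b"manufacturer-default-ak"


def _sha256(data):
    return hashlib.sha256(data).digest()


def _xor_stream(key, label, data):
    """Toy keystream cipher (SHA-256 in counter mode); symmetric, so one call
    both encrypts and decrypts. Illustrative only; a real SED uses AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = _sha256(key + label + i.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


class SelfEncryptingDrive:
    """Persistent state: ak_hash, wrapped_dek, media. The plain DEK exists only
    in volatile memory after a successful unlock and is lost on power cycle."""

    def __init__(self):
        dek = os.urandom(32)                      # generated inside the drive
        self.ak_hash = _sha256(DEFAULT_AK)        # AutoLock off: default AK
        self.wrapped_dek = _xor_stream(DEFAULT_AK, b"wrap", dek)
        self.autolock = False
        self.media = {}                           # lba -> ciphertext
        self._dek = None                          # volatile

    def power_cycle(self):
        self._dek = None

    def unlock(self, ak):
        """Compare hash(AK) with the stored hash; only a match unwraps the DEK."""
        if not hmac.compare_digest(_sha256(ak), self.ak_hash):
            self._dek = None
            return False
        self._dek = _xor_stream(ak, b"wrap", self.wrapped_dek)
        return True

    def set_ak(self, new_ak, autolock):
        """Initial lock or rekey: re-wrap the unchanged DEK under a new AK.
        Data on the media is not rewritten, which is why rekey is fast."""
        if self._dek is None:
            raise PermissionError("drive is locked")
        self.ak_hash = _sha256(new_ak)
        self.wrapped_dek = _xor_stream(new_ak, b"wrap", self._dek)
        self.autolock = autolock

    def write(self, lba, data):
        if self._dek is None:
            raise PermissionError("locked: write fails")
        self.media[lba] = _xor_stream(self._dek, lba.to_bytes(8, "big"), data)

    def read(self, lba):
        if self._dek is None:
            raise PermissionError("locked: read fails")
        return _xor_stream(self._dek, lba.to_bytes(8, "big"), self.media[lba])

    def raw_media(self, lba):
        """What someone reading the flash directly would obtain."""
        return self.media[lba]


def _locked_io_fails(drive):
    try:
        drive.read(0)
    except PermissionError:
        return True
    return False


def demo():
    """Walk through both pool modes and a rekey; returns named checks."""
    kms = {}                               # stand-in for the key management service
    drive = SelfEncryptingDrive()
    result = {}
    # Pool created without Data Encryption: AutoLock off, default AK in use.
    drive.unlock(DEFAULT_AK)
    drive.write(0, b"payroll.csv")
    result["media_is_ciphertext"] = drive.raw_media(0) != b"payroll.csv"
    drive.power_cycle()                    # the drive changes hands
    result["default_ak_reads_data"] = (drive.unlock(DEFAULT_AK)
                                       and drive.read(0) == b"payroll.csv")
    # Pool created with Data Encryption: the KMS allocates an AK, AutoLock on.
    kms["pool0"] = os.urandom(32)
    drive.set_ak(kms["pool0"], autolock=True)
    drive.power_cycle()
    result["default_ak_rejected"] = not drive.unlock(DEFAULT_AK)
    result["io_fails_while_locked"] = _locked_io_fails(drive)
    result["kms_ak_reads_data"] = (drive.unlock(kms["pool0"])
                                   and drive.read(0) == b"payroll.csv")
    # Rekey: new AK from the KMS; the old AK (and any old export of it) is useless.
    old_ak, kms["pool0"] = kms["pool0"], os.urandom(32)
    drive.set_ak(kms["pool0"], autolock=True)
    drive.power_cycle()
    result["old_ak_rejected_after_rekey"] = not drive.unlock(old_ak)
    result["new_ak_reads_data"] = (drive.unlock(kms["pool0"])
                                   and drive.read(0) == b"payroll.csv")
    return result


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The model also shows why losing every copy of the AK is unrecoverable: the only thing on the drive is the DEK wrapped under that AK and a hash, and neither yields the DEK without the AK itself.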

Key management is critical for disk encryption. OceanStor Dorado series storage
systems support internal and external key management.

● Internal key management is to manage keys in the storage system's database.
● External key management is to manage keys on third-party external key management servers. Table 1-1 shows the external third-party key management servers supported by the storage system.


Table 1-1 External third-party key management servers

Device                              Reference Link
SafeNet KeySecure (K250)            3 Configuring the Key Management Server (KeySecure (K250))
Sansec SecKMS                       4 Configuring and Managing the Key Management Server (Sansec SecKMS)
Thales CipherTrust Manager (K170v)  5 Configuring and Managing the Key Management Server (KeySecure (K170v), Applicable to 6.1.2 and Later)
Utimaco                             6 Configuring and Managing the Key Management Server (Utimaco, Applicable to 6.1.2 and Later)

NOTE

The key management server has passed FIPS certification and provides key storage and
management functions. The server can be connected to storage systems to provide
interfaces and functions required by the KMIP protocol. The storage systems can invoke
these interfaces to create, update, destroy, and query keys required by the disk encryption
service.

NOTICE

You cannot use internal and external key management at the same time. When
you change from one method to the other, you must delete original services and
re-create self-encrypting storage pools. Otherwise, disk encryption cannot take
effect.


2 Configuring and Managing the Internal Key Management Service

Internal key management is a lightweight encryption and decryption service implemented by the built-in key management module of the storage systems. It provides encryption and decryption for internal modules of the storage system without requiring an external key management server.

2.1 About the Internal Key Management Service
2.2 Logging In to DeviceManager
2.3 Configuring the Internal Key Management Service
2.4 Managing the Internal Key Management Service
2.5 FAQs
2.6 Appendix - Related Operations

2.1 About the Internal Key Management Service

This section provides a brief introduction to the internal key management service.

The storage systems provide the internal key management service for disk encryption. The service supports:

● Lifecycle management for disk encryption keys, such as creating, updating, obtaining, and deleting keys.
● Backup and recovery of disk encryption keys.

When internal key management is enabled, the storage system encrypts the keys with AES-256 before storing them. The keys are saved in the storage system's database and replicated to all controllers. Because every one of these copies still lives inside the same storage system, you are advised to enable automatic key backup, which uploads a copy of the keys to a specified FTP or SFTP server whenever keys are created, updated, or deleted and whenever the key backup configuration changes (initial configuration or backup server address change).


NOTICE

If all keys are damaged or lost, the SEDs in the self-encrypting storage pool
cannot be identified, resulting in data loss.

2.2 Logging In to DeviceManager

DeviceManager is the integrated storage management software developed by Huawei. DeviceManager is loaded to storage systems before delivery from the factory. You can log in to DeviceManager to centrally manage storage resources.

For details about how to log in to DeviceManager, see section "Logging In to DeviceManager" in the initialization guide of the corresponding product model.

2.3 Configuring the Internal Key Management Service

After the internal key management service is enabled and configured, keys of the self-encrypting storage pool will be saved in the internal database of the storage system.

Prerequisites
SEDs have been configured on the storage system. The AutoLock status of the
SEDs is Disable.

To query the AutoLock status of the SEDs, log in to the CLI of the storage system and run the show disk general command.

admin:/>show disk general
ID        Health Status  Running Status  Type     Capacity   Role       Disk Domain ID  Speed(RPM)  Health Mark  Bar Code              Item      AutoLock State  Key Expiration Time
--------  -------------  --------------  -------  ---------  ---------  --------------  ----------  -----------  --------------------  --------  --------------  -------------------
DAE000.0  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10FB000131  02350LGX  OFF             --
DAE000.1  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10FB000124  02350LGX  OFF             --
DAE000.2  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10FB000238  02350LGX  OFF             --
DAE000.3  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10FA000228  02350LGX  OFF             --
DAE000.4  Normal         Online          SSD-SED  371.965GB  Free Disk  --              --          --           2102350LGX10FA000227  02350LGX  OFF             --
DAE000.5  Normal         Online          SSD-SED  371.965GB  Free Disk  --              --          --           2102350LGX10FA000187  02350LGX  OFF             --
DAE100.0  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10FA000159  02350LGX  OFF             --
DAE100.1  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10FA000161  02350LGX  OFF             --
DAE100.2  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10G3000505  02350LGX  OFF             --
DAE100.3  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10FA000182  02350LGX  OFF             --
DAE100.4  Normal         Online          SSD-SED  371.965GB  Free Disk  --              --          --           2102350LGX10G3000511  02350LGX  OFF             --

If AutoLock State is OFF, disk encryption is disabled.
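The check behind this prerequisite can be scripted against a saved copy of the command output. The parser below is an added example, not a Huawei tool; SAMPLE is constructed from the rows shown above with the column names of the output header, and the ON value for AutoLock State is assumed from the OFF value the guide shows. It answers the two questions the prerequisites ask, whether every disk is an SED and whether AutoLock is OFF on all of them, and copes with the multi-word Role column by anchoring on the AutoLock State value instead of splitting on whitespace.

```python
"""Parser and pool pre-check for `show disk general` output (added example)."""
import re

# Constructed sample: the rows from the guide, one disk per line.
SAMPLE = """\
admin:/>show disk general
ID        Health Status  Running Status  Type     Capacity   Role       Disk Domain ID  Speed(RPM)  Health Mark  Bar Code              Item      AutoLock State  Key Expiration Time
--------  -------------  --------------  -------  ---------  ---------  --------------  ----------  -----------  --------------------  --------  --------------  -------------------
DAE000.0  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10FB000131  02350LGX  OFF             --
DAE000.1  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10FB000124  02350LGX  OFF             --
DAE000.2  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10FB000238  02350LGX  OFF             --
DAE000.3  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10FA000228  02350LGX  OFF             --
DAE000.4  Normal         Online          SSD-SED  371.965GB  Free Disk  --              --          --           2102350LGX10FA000227  02350LGX  OFF             --
DAE000.5  Normal         Online          SSD-SED  371.965GB  Free Disk  --              --          --           2102350LGX10FA000187  02350LGX  OFF             --
DAE100.0  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10FA000159  02350LGX  OFF             --
DAE100.1  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10FA000161  02350LGX  OFF             --
DAE100.2  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10G3000505  02350LGX  OFF             --
DAE100.3  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10FA000182  02350LGX  OFF             --
DAE100.4  Normal         Online          SSD-SED  371.965GB  Free Disk  --              --          --           2102350LGX10G3000511  02350LGX  OFF             --
"""

# Five single-token fields on the left; the Role column may contain spaces, so
# it is matched lazily and the trailing fields are anchored on AutoLock State.
ROW_RE = re.compile(
    r"^(?P<id>\S+)\s+(?P<health>\S+)\s+(?P<running>\S+)\s+(?P<type>\S+)\s+"
    r"(?P<capacity>\S+)\s+(?P<role>.+?)\s+(?P<domain>\S+)\s+(?P<speed>\S+)\s+"
    r"(?P<health_mark>\S+)\s+(?P<barcode>\S+)\s+(?P<item>\S+)\s+"
    r"(?P<autolock>ON|OFF|--)\s+(?P<expiry>.*)$"
)


def parse_show_disk_general(text):
    """Return one dict per disk row; the prompt, header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith(("ID ", "--")) or ":/>" in line:
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def pool_precheck(rows):
    """Problems that stop these disks going into a new self-encrypting pool:
    a disk that is not an SED, or an SED whose AutoLock is not OFF (the
    prerequisite requires the Disable state)."""
    problems = []
    for r in rows:
        if not r["type"].endswith("-SED"):
            problems.append(f"{r['id']}: {r['type']} is not a self-encrypting drive")
        elif r["autolock"] != "OFF":
            problems.append(f"{r['id']}: AutoLock State is {r['autolock']}, expected OFF")
    return problems


if __name__ == "__main__":
    disks = parse_show_disk_general(SAMPLE)
    print(f"{len(disks)} disks parsed; problems: {pool_precheck(disks) or 'none'}")
```

A disk reported with AutoLock State ON is already bound to an AK; creating a pool on it will not simply succeed, and the right action is to find the pool (or key management service) it belongs to rather than to reuse the drive.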


Procedure
Step 1 Log in to DeviceManager and create a storage pool.
The Create Storage Pool page is displayed.

Figure 2-1 Creating a storage pool

NOTE

Use either of the following methods to go to the Create Storage Pool page:
● When you log in to the storage system for the first time, you can create a storage pool
in Custom mode in the initial configuration wizard. For details, see "Initially Configuring
a Storage Device" in the initialization guide specific to your product model.
● On the menu bar, choose System > Storage Pools and then click Create.

Step 2 Enable and configure the internal key service.

1. Select Advanced. Enable Data Encryption and click key service configuration. Disk encryption is enabled for all SEDs in the storage pool.

Figure 2-2 Configuring the key service

NOTE

Alternatively, you can choose Settings > Key Service from the menu bar.


2. In the function pane on the right, click Modify. Then select Enable the internal key service.
3. (Optional) Configure a key backup policy.
When a key changes, the storage system automatically backs up the key's information on the backup server. If all keys and backup keys on the storage system are damaged or lost, you can obtain the latest backup keys from the backup server and import them to the storage system for restoration.
NOTE

The keys uploaded to the backup server are encrypted and signed to prevent disclosure and tampering.
Before using the key backup function, ensure that the backup server has been successfully configured and communicates properly with the storage system. Table 2-1 lists the SSH key exchange algorithms supported by the storage system. When deploying the backup server, use SFTP server tools that support these key exchange algorithms, such as xlight FTP.

Table 2-1 SSH key exchange algorithms

Item Default Value

KexAlgorithms – ecdh-sha2-nistp256
– ecdh-sha2-nistp384
– ecdh-sha2-nistp521
– diffie-hellman-group-exchange-sha256
– diffie-hellman-group-exchange-sha1
– diffie-hellman-group14-sha1

NOTE

diffie-hellman-group-exchange-sha1 and diffie-hellman-group14-sha1 are legacy SHA-1 exchanges and are listed after the ECDH and SHA-256 algorithms. Configure the SFTP server to offer at least one of the ecdh-sha2-* algorithms or diffie-hellman-group-exchange-sha256 so that one of those is negotiated. A server hardened to offer only algorithms absent from Table 2-1 (for example, curve25519-sha256 alone) cannot be connected to at all, and key backup will fail its connectivity test.
For details about how to use xlight FTP, see 2.6.1 Using the xlight FTP Tool to Deploy the FTP Backup Server.
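The negotiation rule that decides which algorithm from Table 2-1 is actually used can be checked offline against a server's sshd -T dump before the backup is configured. The script below is an added example, not a Huawei tool. STORAGE_KEX is Table 2-1 in the order listed, which is assumed here to be the storage system's preference order; the three sshd -T excerpts are constructed samples (on a real OpenSSH server, run sudo sshd -T and feed its output to assess_backup_server). It applies the SSH rule from RFC 4253 section 7.1: the first algorithm in the client's list that the server also offers wins, and with no common algorithm the connection fails before authentication.

```python
"""Key exchange compatibility check for the key backup SFTP server (added example)."""

# Table 2-1, assumed to be the storage system's preference order.
STORAGE_KEX = [
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1",
]
LEGACY_KEX = {k for k in STORAGE_KEX if k.endswith("-sha1")}


def parse_sshd_t(dump):
    """Parse `sshd -T` output: one 'keyword value' per line, lists comma-separated."""
    config = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        config[keyword.lower()] = value.split(",")
    return config


def negotiate(client, server):
    """RFC 4253 s7.1: first algorithm in the client's list that the server also
    supports. None means the connection fails before authentication."""
    for alg in client:
        if alg in server:
            return alg
    return None


def assess_backup_server(dump):
    """Return (negotiated_kex, warnings) for a server's `sshd -T` dump."""
    server_kex = parse_sshd_t(dump).get("kexalgorithms", [])
    chosen = negotiate(STORAGE_KEX, server_kex)
    warnings = []
    if chosen is None:
        warnings.append("no common key exchange: key backup cannot connect; "
                        "enable one of " + ", ".join(STORAGE_KEX[:4]))
    elif chosen in LEGACY_KEX:
        warnings.append(f"negotiates SHA-1 exchange {chosen}; add an ecdh-sha2-* or "
                        "diffie-hellman-group-exchange-sha256 entry on the server")
    return chosen, warnings


# Constructed sshd -T excerpts for three candidate backup servers.
HARDENED_ONLY = ("port 22\n"
                 "kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,"
                 "diffie-hellman-group16-sha512\n")
LEGACY_ONLY = ("port 22\n"
               "kexalgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1\n")
COMPATIBLE = ("port 22\n"
              "kexalgorithms curve25519-sha256,ecdh-sha2-nistp256,"
              "diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1\n")

if __name__ == "__main__":
    for name, dump in (("hardened-only", HARDENED_ONLY),
                       ("legacy-only", LEGACY_ONLY),
                       ("compatible", COMPATIBLE)):
        print(name, assess_backup_server(dump))
```

The COMPATIBLE server keeps curve25519-sha256 first for its modern clients and still lands on ecdh-sha2-nistp256 with the storage system, because the client's order, not the server's, decides; the HARDENED_ONLY server is the case that breaks the backup silently until Test is clicked.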

a. Enable Automatic Key Backup.
b. Set the parameters listed in Table 2-2.

Table 2-2 Key backup parameters

Parameter: Protocol
Description: Protocol used by the storage system to back up keys to the backup server.
Setting: You can choose SFTP or FTP.
NOTE: The storage systems support FTP for compatibility reasons. You are advised to use SFTP to ensure data transmission security; FTP sends the login credentials and the transferred files in clear text.

Parameter: Backup Server Address
Description: IP address or domain name of the SFTP or FTP server used to back up keys.
Setting: [Example] 192.168.20.3

Parameter: Port
Description: Port for communication between the backup server and the storage system (typically 22 for SFTP or 21 for FTP).
Setting: [Value range] 1 to 65535. [Example] 20

Parameter: Backup Server Storage Path
Description: Path for saving keys on the backup server.
Setting: [Example] innerkey_backup

Parameter: Username
Description: Used to log in to the backup server.
Setting: [Example] admin

Parameter: Password
Description: Used to log in to the backup server.
Setting: [Example] Admin@123

Figure 2-3 Key backup parameters

NOTE

Alternatively, you can choose Settings > Key Service from the menu bar and click Modify.
c. Click Test to test the connectivity between the backup server and the storage system.
4. Click Save to save the configurations of the internal key service.


– If Key Backup is not enabled, a security alert dialog box is displayed. Select I have read and understand the consequences associated with performing this operation and click OK. The Execution Result dialog box is displayed, indicating that the operation succeeded.
– If Key Backup is enabled, the Execution Result dialog box is displayed, indicating that the operation succeeded.

Step 3 Set other parameters of the storage pool. After the self-encrypting storage pool is
created, the storage system automatically generates encryption keys.

For the parameter description, see section "Creating a Storage Pool" in the Basic
Storage Service Configuration Guide for Block or Basic Storage Service
Configuration Guide for File of the specific product model.

Figure 2-4 Creating a storage pool

Click OK and confirm your operation as prompted.

Step 4 Export the encryption key.

1. Choose Settings > Key Service. In the function pane, click Export Internal Keys.


2. Export the key file using the browser.

NOTE

Store the exported key file securely, outside the storage system, and do not modify it. If the keys on the storage system are damaged, this file is used for recovery. Treat it as key material: restrict who can read it and keep it where a loss of the storage system itself (or of the controllers) cannot take it with it.

----End

Follow-up Procedure
● After creating the self-encrypting storage pool, you can create LUNs or file
systems to allocate the storage space to application servers. For details, see
Basic Storage Service Configuration Guide for Block or Basic Storage Service
Configuration Guide for File of the corresponding product model.
NOTE

You can log in to Huawei's technical support website (https://support.huawei.com/enterprise/)
and enter the product model + document name in the search box to search
for, browse, and download the desired documents.
● After updating the keys of a self-encrypting storage pool, export the keys promptly.

2.4 Managing the Internal Key Management Service


This section describes common operations on the internal key management
service, including updating keys.

2.4.1 Updating a Key


The validity period of the key is one year. The system automatically updates the
key 30 days before the key expires. In addition, the system allows you to manually
update the key to enhance key security.

Prerequisites
This operation can be performed only by the super administrator and
administrator.

Procedure
Step 1 Log in to DeviceManager.
Step 2 Choose System > Storage Pools.
Step 3 Click More on the right of the desired storage pool and choose Rekey.

Figure 2-5 Updating a key


The Warning dialog box is displayed.


Step 4 Carefully read the contents. Then select I have read and understand the
consequences associated with performing this operation and click OK.
The Success dialog box is displayed.

NOTE

The Success dialog box only indicates that the key update operation is issued successfully. It
takes several minutes for the system to update the keys for all SEDs (depending on the
number of SEDs). After the update is complete, the system reports an event "succeeded in
updating the key of self-encrypting disks". If you want to perform other operations (for
example, deleting the storage pool) after the update operation is issued, ensure that you
perform these operations after the system has reported this event.

Step 5 Click OK.

----End

Follow-up Procedure
After the keys of the self-encrypting storage pool have been updated, export them promptly.

2.5 FAQs
This section provides FAQs in the process of using the internal key management
service.

2.5.1 How Can I Recover Encryption Key Files of Disks?


Question
How can I recover encryption key files of disks?

Answer

NOTICE

Some operations must be performed in developer and minisystem modes on the
CLI. Therefore, it is recommended that you contact Huawei technical support
engineers to recover encryption key files of disks.

Step 1 Export the latest encryption key files of disks on the storage system.
1. Log in to DeviceManager.
2. Choose Settings > Key Service. In the function pane, click Export Internal
Keys to export the keys manually on the browser.
Step 2 Obtain the encryption keys on the backup server.
Use the user name and password configured in 2.3 Configuring the Internal Key
Management Service to log in to the backup server and obtain the encryption
key files from the set path.


Step 3 After analysis, select encryption key files that can be used for key recovery.
Step 4 Log in to the CLI and enter the developer mode. Run the import kms key
command to import the encryption key files and recover keys.
developer:/>import kms key ip=10.10.10.1 user=admin password=****** path=InnerKey.dat protocol=FTP
WARNING: You are about to import a key file of the internal key management service, which will overwrite
the original key data. If the operation is inappropriate, it may cause the internal key management service to
lose some key.
Suggestion:
1. Confirm that the key file to be imported is up-to-date, and back up the key of the internal key
management service of the current system before the import.
2. During the key import, creating, updating, and deleting the disk domain of self-encrypting disks are all
forbidden.
Have you read warning message carefully?(y/n)y
Are you sure you really want to perform the operation?(y/n)y
Password:**************
Command executed successfully.

NOTICE

When keys are being recovered, do not perform any operation on self-encrypting
storage pools.

----End

2.5.2 How Can I Recover Services If They Are Interrupted Due to the Loss of the Disk Encryption Key?

Question
How can I recover services if the key of the self-encrypting storage pool is
damaged?

Answer
If the disk encryption key is lost, the storage system cannot access the SEDs after
a transient interruption occurs. This will result in a storage pool fault and service
interruption.
You can recover the services as follows:

NOTICE

Some operations must be performed in developer mode on the CLI. Therefore, it is
recommended that you contact Huawei technical support engineers to recover the
services.

Step 1 Restore a key.
For details, see 2.5.1 How Can I Recover Encryption Key Files of Disks?.
Step 2 Identify faulty disks.


On the CLI, run show disk general to check the status of each encrypted disk.
admin:/>show disk general
ID        Health Status  Running Status  Type     Capacity   Role         Disk Domain ID  Speed(RPM)  Health Mark  Bar Code              Item      AutoLock State  Key Expiration Time
--------  -------------  --------------  -------  ---------  -----------  --------------  ----------  -----------  --------------------  --------  --------------  -------------------
DAE000.0  Fault          Online          SSD SED  561.994GB  Member Disk  0               10000       --           210235G6BB1000000007  0235G6BB  ON              2020-12-31
DAE000.1  Fault          Online          SSD SED  561.994GB  Member Disk  0               10000       --           210235G6BB1000000007  0235G6BB  ON              2020-12-31
DAE000.2  Fault          Online          SSD SED  561.994GB  Member Disk  0               10000       --           210235G6BB1000000007  0235G6BB  ON              2020-12-31

NOTE

If the AutoLock State of a disk is ON and Health Status is Fault, this is a faulty disk.

Step 3 Power off and then power on all the faulty disks.
On the CLI, run poweroff disk and poweron disk in developer mode.
engineer:/>poweroff disk disk_id=DAE000.0
DANGER: You are about to power off the disk.
This operation causes the disk to be unreadable and unwritable for services. If the disk domain where the
disk resides is in the reconstruction or degradation state, this operation may cause reconstruction failure,
service interruption, and data loss.
Suggestion: Before performing this operation, check the disk properties and status of the disk domain that
houses the disk to avoid reconstruction failure, service interruption and data loss. Back up data before
powering off.
Have you read danger alert message carefully?(y/n)y
Are you sure you really want to perform the operation?(y/n)y
Command executed successfully.
engineer:/>poweron disk disk_id=DAE000.0
Command executed successfully.

NOTE

If a faulty disk is not a member of the involved storage pool, the disk's object will be
released after it is powered off. As a result, powering on the disk will fail.

Step 4 After all faulty disks have been powered on, check the health status.
On the CLI, run show disk_domain general to check the status.
admin:/>show disk_domain general
ID  Name  Health Status  Running Status  Total Capacity  Free Capacity  Hot Spare Capacity  Used Hot Spare Capacity
--  ----  -------------  --------------  --------------  -------------  ------------------  -----------------------
0   d0    Normal         Online          4.055TB         556.242GB      524.312GB           0.000B

● If the Health Status is Normal or Degraded, services are being recovered.
● If the Health Status is other values, services are not recovered. Contact
Huawei engineers for assistance.

----End

2.6 Appendix - Related Operations


2.6.1 Using the Xlight FTP Tool to Deploy the FTP Backup Server
This section describes how to deploy the FTP backup server by using the Xlight FTP
tool. For details on how to configure other FTP servers, see their respective
configuration documentation.

Prerequisites
● The FTP server software installation package is ready.
● The IP address to be configured can properly communicate with the storage
system.

Procedure
Step 1 Start the Xlight FTP server software.

The Xlight FTP Server page is displayed.

Step 2 Configure a virtual server.

1. On the Xlight FTP Server page, click .


The New Virtual Server dialog box is displayed.
2. In the New Virtual Server dialog box, set IP Address, Port, and Protocol to
the local IP address, 21, and FTP, respectively.
3. Click OK.
The added virtual server is displayed in the Xlight FTP Server page that is
displayed.

Step 3 Start the virtual server.

Select the added virtual server and click to start the server.

NOTE

You can also select the added virtual server, right-click, and choose Start Server to start the
server.

Step 4 Add a user.

1. On the Xlight FTP Server page, click .


The user list is displayed.

2. Click .
The adding users dialog box is displayed.
3. In the dialog box, enter Username and Password and set Home Directory.
4. Click OK.
The user is added, and user information is displayed on the user page.


Step 5 Set virtual directory permissions.

1. In the user list, select the added user and click .


The user name page is displayed.

2. On the navigation bar on the left, click .


The user directory management page is displayed.

3. Select the access directory of the added user and click .


The Virtual Directory dialog box is displayed.
4. In the Permission area, set permissions.
5. Click OK.
Virtual directory permissions are configured.

----End


3 Configuring the Key Management Server (KeySecure (K250))

This chapter introduces how to install and configure KeySecure (K250) key
management servers of SafeNet.
3.1 About KeySecure Key Management Servers
3.2 Logging In to DeviceManager
3.3 Configuration Process
3.4 Hardware Deployment
3.5 Configuring a Key Management Server
3.6 FAQs

3.1 About KeySecure Key Management Servers


Before configuring KeySecure key management servers, familiarize yourself with
the hardware, networking, and user permissions so that you are prepared for the
configuration.

Hardware
Figure 3-1 and Figure 3-2 show the front and rear panels of a KeySecure key
management server, respectively.

Figure 3-1 Front panel


Figure 3-2 Rear panel

Typical Networking
A storage system connects to two KeySecure key management servers that are
configured into a cluster in active/standby mode. Figure 3-3 shows the typical
networking.

Figure 3-3 Typical networking of key management servers

Figure 3-4 shows port connections between different components.


Figure 3-4 Port connections

NOTE

On a KeySecure key management server, the management network port (used to access
the key management server's management interface) and the service network port (used
to connect to a storage array) share the eth1 port on the front panel.

To ensure that the key management servers can work properly, verify that the
network communication between the following components is normal:
● Storage system's management network port -> key management servers'
eth1
● Maintenance terminal -> key management servers' eth1
● Key management server 1's eth1 -> key management server 2's eth1
● Backup server's network port -> key management servers' eth1

User Roles and Permissions


By default, the key management server has an admin user, whose password is set
during initialization. This user has all configuration and management
permissions. This document uses the admin user as the example.

3.2 Logging In to DeviceManager


DeviceManager is the integrated storage management software developed by
Huawei. DeviceManager is loaded to storage systems before delivery from the
factory. You can log in to DeviceManager to centrally manage storage resources.
Before configuring the key management server, log in to DeviceManager.
For details about how to log in to DeviceManager, see section "Logging In to
DeviceManager" in the initialization guide of the corresponding product model.


3.3 Configuration Process


Before configuring key management servers, get familiar with the configuration
procedure to ensure a successful deployment.
Figure 3-5 shows the procedure of configuring key management servers.

Figure 3-5 Configuration process

Start
1. Deploy hardware.
– Install key management servers.
– Connect cables.
– Power on key management servers.
2. Configure key management servers.
– Initialize key management servers.
– Configure a key management server cluster.
– Connect key management servers to the storage system.
3. Create a self-encrypting storage pool.
End

3.4 Hardware Deployment


This section describes how to install key management servers, connect their
cables, and power on the servers.

Prerequisites
● The installation positions of the two key management servers have been
determined.
● Cables and tools required for hardware installation have been prepared,
including:
– Serial cable (included in the product package)
– Power cable (included in the product package)
– Network cable (not included in the product package)
– Phillips screwdriver (not included in the product package)
– (Optional) USB-to-serial cable (not included in the product package)
NOTE

Prepare the USB-to-serial cable if the maintenance terminal has no serial port.


Procedure
Step 1 Determine the installation positions.

The key management servers must be installed on standard 19-inch racks.
Determine proper positions on the rack to install the two key management
servers. Ensure that there is enough space in front of and behind the servers for
cable routing and connection, ventilation, and maintenance.

Step 2 Wear ESD gloves and ESD wrist straps.

Step 3 Unpack the key management server.

Step 4 Install the key management server on the rack.

Step 5 Use a network cable to connect the eth1 port of the key management server to
the management network port of the storage system through a switch.

Step 6 Insert one end of the power cable to the electric socket at the server back, and
insert the other end to the external AC power module.

Step 7 Press the power switch on the front panel.

Step 8 Put the baffle plate on the front panel, then insert and turn the key.

Step 9 Repeat Step 3 to Step 8 to install and power on the other key management
server.

Step 10 If the maintenance terminal has no serial port, use the USB-to-serial cable to
connect the USB port of the maintenance terminal to the serial port of the key
management server.

----End

3.5 Configuring a Key Management Server


This section describes general configurations on a key management server,
including initialization, cluster configuration, interconnection with a storage
system, and creation of a self-encrypting storage pool.

3.5.1 Initializing Key Management Servers and Configuring a Key Management Server Cluster
Initialization includes initializing the network and time of the key management
server, importing licenses, configuring the KMIP and NTP servers, and configuring
scheduled backup. Both key management servers in a cluster need initial
configurations.

After two key management servers with the same configurations are clustered,
the two servers provide the encryption service together. If one of them becomes
faulty or fails to provide the encryption service, the storage system automatically
connects to the other one.

For details on how to initialize key management servers and create a cluster, refer
to the key management servers' user guide and consult technical support
engineers of the server manufacturer.


3.5.2 Connecting the Key Management Server to the Storage System
After the key management server cluster has been created, you must connect the
key management servers to the storage system to provide the disk encryption
service.

3.5.2.1 Generating and Exporting a Certificate on the Storage System


This section describes how to generate and export a certificate required by the
disk encryption function on the storage system.

Context
The certificate generated on the storage system is not signed. It must be signed on
the key management server.

Procedure
Step 1 Log in to DeviceManager.

Step 2 Choose Settings > Certificates.

Step 3 On the Certificate Management page, choose KMC certificate, and click Export
Request File. On the displayed page, set the Certificate Key Algorithm to RSA
2048 or RSA 4096, and then click OK.
NOTE

You can also click KMC certificate. On the Certificate Details page that is displayed, click
Operation > Export Request File, set the Certificate Key Algorithm to RSA 2048 or RSA
4096, and then click OK.

----End

3.5.2.2 Creating a Local User


This section describes the precautions for creating a local user on a key
management server. For details on how to create a local user, refer to the key
management server's user guide and consult technical support engineers of the
server manufacturer.

Precautions
To ensure that the key management server can identify the storage system
successfully, the local user name of the key management server must be set to
Storage, which is the same as the OU value in the signed certificate of the storage
system.

You can query the OU value as follows:

1. Double-click the certificate.


2. Click the Detail tab, and select User. You can view the OU value in the lower
pane.


3.5.2.3 Signing the Certificate on a Key Management Server and Exporting the Certificate
The certificate generated on the storage system must be signed on the key
management server and saved properly. In addition, you must also export the CA
certificate of the key management server. For details, refer to the key
management server's user guide and contact technical support engineers of the
key management server manufacturer.

3.5.2.4 Importing and Activating the Certificate on the Storage System


This section describes how to import and activate the certificate on the storage
system.

Procedure
Step 1 Log in to DeviceManager.

Step 2 Choose Settings > Certificates.

Step 3 Import and activate the certificate.


1. On the Certificate Management page, choose KMC certificate, and click
Import Certificate.
NOTE

You can also click KMC certificate. On the Certificate Details page that is displayed,
click Operation > Import Certificate.
2. Import the signed certificate and CA certificate. Table 3-1 describes the
parameters.

Table 3-1 Parameters for importing the certificate

Parameter            Description                                  Value
Certificate File     Certificate file that has been exported      [Example] signed.crt
                     and signed
CA Certificate File  Certificate file of a server                 [Example] hsm.mgmt_ca.crt
Private Key File     Private key file of a device                 [Example] None


3. Click OK.
The Warning dialog box is displayed.
4. Carefully read the content in the dialog box, select I have read and
understand the consequences associated with performing this operation,
and click OK.
The Success dialog box is displayed.
5. Click OK.

----End

3.5.2.5 Configuring the Key Management Servers on the Storage System


You must configure the key management servers on the storage system to
establish the connection between them.

Context
A storage system needs two key management servers.

Procedure
Step 1 Log in to DeviceManager.

Step 2 Choose Settings > Key Service. In the function pane on the right, click Modify.
Then select Enable the external key service.

Step 3 Specify the key management server parameters listed in Table 3-2.
NOTE

A storage system can connect to a maximum of two key management servers in a cluster.
The following example adds one key management server to the storage system.

Table 3-2 Key management server parameters

Parameter    Description                                                   Value
Server Type  Type of the key management server.                            [Example] SafeNet KMIP
             ● SafeNet KMIP refers to the Thales CipherTrust Manager
               key server and KeySecure key server.
             ● Thales KMIP refers to the Thales keyAuthority key server.
             ● General KMIP is compatible with SafeNet KMIP and
               Utimaco KMIP.
Address      Domain name or service IP address of the key management       [Example] 192.168.141.128
             server
Port         Port information of the server IP address                     [Value range] 1 to 65535
                                                                           [Example] 9443

Step 4 Import the signed certificate and CA certificate. Table 3-3 describes the
parameters.

Table 3-3 Parameters for importing the certificate

Parameter            Description                                  Value
Certificate File     Certificate file that has been exported      [Example] signed.crt
                     and signed
CA Certificate File  Certificate file of a server                 [Example] hsm.mgmt_ca.crt
Private Key File     Private key file of a device                 [Example] None

Step 5 Click Save.
The Execution Result dialog box is displayed.

Step 6 Repeat Step 3 to add the other key management server in the cluster.

----End

Follow-up Procedure
After the storage system has connected to the key management servers, wait for 2
to 3 minutes before performing follow-up procedures.

3.5.3 Creating a Self-encrypting Storage Pool


After a self-encrypting storage pool is created on the storage system, an
encryption key is automatically generated.

Prerequisites
SEDs have been configured on the storage system. The AutoLock status of the
SEDs is OFF.
To query the AutoLock status of the SEDs, you can log in to the CLI of the storage
system and run the show disk general command.


admin:/>show disk general
ID        Health Status  Running Status  Type     Capacity   Role         Disk Domain ID  Speed(RPM)  Health Mark  Bar Code              Item      AutoLock State  Key Expiration Time
--------  -------------  --------------  -------  ---------  -----------  --------------  ----------  -----------  --------------------  --------  --------------  -------------------
DAE000.0  Normal         Online          SSD-SED  366.965GB  Free Disk    --              --          --           2102350LGX10FB000131  02350LGX  OFF             --
DAE000.1  Normal         Online          SSD-SED  366.965GB  Free Disk    --              --          --           2102350LGX10FB000124  02350LGX  OFF             --
DAE000.2  Normal         Online          SSD-SED  366.965GB  Free Disk    --              --          --           2102350LGX10FB000238  02350LGX  OFF             --
DAE000.3  Normal         Online          SSD-SED  366.965GB  Free Disk    --              --          --           2102350LGX10FA000228  02350LGX  OFF             --
DAE000.4  Normal         Online          SSD-SED  371.965GB  Free Disk    --              --          --           2102350LGX10FA000227  02350LGX  OFF             --
DAE000.5  Normal         Online          SSD-SED  371.965GB  Free Disk    --              --          --           2102350LGX10FA000187  02350LGX  OFF             --
DAE100.0  Normal         Online          SSD-SED  366.965GB  Free Disk    --              --          --           2102350LGX10FA000159  02350LGX  OFF             --
DAE100.1  Normal         Online          SSD-SED  366.965GB  Free Disk    --              --          --           2102350LGX10FA000161  02350LGX  OFF             --
DAE100.2  Normal         Online          SSD-SED  366.965GB  Free Disk    --              --          --           2102350LGX10G3000505  02350LGX  OFF             --
DAE100.3  Normal         Online          SSD-SED  366.965GB  Free Disk    --              --          --           2102350LGX10FA000182  02350LGX  OFF             --
DAE100.4  Normal         Online          SSD-SED  371.965GB  Free Disk    --              --          --           2102350LGX10G3000511  02350LGX  OFF             --

If AutoLock State is OFF, disk encryption is disabled.
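The AutoLock prerequisite above, the faulty-disk rule in 2.5.2 (AutoLock State ON with Health Status Fault) and the one-year key validity in 2.4.1 all rest on reading this same show disk general table. The following Python script is an added example, not Huawei tooling: it parses the fixed-width CLI output by its dashed rule and applies those three checks; the sample output, bar codes and item numbers are constructed.

```python
"""Parse OceanStor 'show disk general' output and apply the checks in this guide.

Added example, not Huawei tooling. The sample output is constructed to mirror
the column layout the guide shows; bar codes and item numbers are placeholders.
"""
from datetime import date, timedelta

# Constructed sample output (same columns as the guide's CLI listings; bar code
# and item values are placeholders, not real disks).
SAMPLE_OUTPUT = """\
admin:/>show disk general
ID        Health Status  Running Status  Type     Capacity   Role         Disk Domain ID  Speed(RPM)  Health Mark  Bar Code              Item      AutoLock State  Key Expiration Time
--------  -------------  --------------  -------  ---------  -----------  --------------  ----------  -----------  --------------------  --------  --------------  -------------------
DAE000.0  Fault          Online          SSD SED  561.994GB  Member Disk  0               10000       --           SAMPLEBARCODE0000001  SAMPLE01  ON              2020-12-31
DAE000.1  Normal         Online          SSD SED  561.994GB  Member Disk  0               10000       --           SAMPLEBARCODE0000002  SAMPLE01  ON              2021-01-20
DAE000.2  Fault          Online          SSD SED  561.994GB  Member Disk  0               10000       --           SAMPLEBARCODE0000003  SAMPLE01  ON              2021-01-20
DAE100.0  Normal         Online          SSD-SED  366.965GB  Free Disk    --              --          --           SAMPLEBARCODE0000004  SAMPLE02  OFF             --
"""


def _column_spans(separator):
    """Return (start, end) slices for each column from the dashed rule line.

    A column ends where the next one starts, so a value that is wider than
    its dashes (or contains a space, like 'Member Disk') is captured whole.
    """
    starts = [i for i, ch in enumerate(separator)
              if ch == "-" and (i == 0 or separator[i - 1] == " ")]
    ends = starts[1:] + [None]
    return list(zip(starts, ends))


def parse_disk_general(text):
    """Parse 'show disk general' output into a list of {column: value} dicts."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    # The dashed rule is the only line made of dashes and spaces alone.
    sep_idx = next(i for i, ln in enumerate(lines)
                   if ln and set(ln) <= {"-", " "})
    spans = _column_spans(lines[sep_idx])
    names = [lines[sep_idx - 1][s:e].strip() for s, e in spans]
    disks = []
    for row in lines[sep_idx + 1:]:
        if row:
            disks.append({n: row[s:e].strip() for n, (s, e) in zip(names, spans)})
    return disks


def faulty_locked_disks(disks):
    """Disks the guide says to power-cycle after a key restore (2.5.2):
    AutoLock State ON and Health Status Fault."""
    return [d["ID"] for d in disks
            if d["AutoLock State"] == "ON" and d["Health Status"] == "Fault"]


def locked_disks(disks):
    """Disks whose AutoLock State is ON. The guide requires all SEDs to be OFF
    before a self-encrypting storage pool is created (3.5.3 prerequisite)."""
    return [d["ID"] for d in disks if d["AutoLock State"] == "ON"]


def keys_expiring_within(disks, today, days=30):
    """(ID, expiry) for keys expiring within `days` of `today` (ISO date string).

    Keys are valid one year and are rekeyed automatically 30 days before expiry
    (2.4.1), so a key still inside that window is worth checking and exporting.
    """
    ref = date.fromisoformat(today)
    out = []
    for d in disks:
        exp = d["Key Expiration Time"]
        if exp == "--":
            continue  # no key on this disk (e.g. a free disk with AutoLock OFF)
        if date.fromisoformat(exp) - ref <= timedelta(days=days):
            out.append((d["ID"], exp))
    return out


if __name__ == "__main__":
    disks = parse_disk_general(SAMPLE_OUTPUT)
    print("AutoLock ON (pool creation blocked):", locked_disks(disks))
    print("faulty locked disks to power-cycle:", faulty_locked_disks(disks))
    print("keys expiring within 30 days of 2020-12-15:",
          keys_expiring_within(disks, "2020-12-15"))
```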

Procedure
Step 1 Log in to DeviceManager and create a storage pool.
The Create Storage Pool page is displayed.

Figure 3-6 Creating a storage pool


NOTE

Use either of the following methods to go to the Create Storage Pool page:
● When you log in to the storage system for the first time, you can create a storage pool
in Custom mode in the initial configuration wizard. For details, see "Initially Configuring
a Storage Device" in the initialization guide specific to your product model.
● On the menu bar, choose System > Storage Pools and then click Create.

Step 2 Create a self-encrypting storage pool and automatically generate encryption keys
on the storage system.
1. Select Advanced and enable Data Encryption. Disk encryption is enabled for
all SEDs in the storage pool.

Figure 3-7 Enabling Data Encryption

NOTE

After a storage pool has been created, data encryption cannot be enabled or disabled
for the storage pool.
2. Set other parameters for the storage pool.
For the parameter description, see section "Creating a Storage Pool" in the
Basic Storage Service Configuration Guide for Block or Basic Storage Service
Configuration Guide for File of the specific product model.
3. Click OK.
Confirm your operation as prompted.

----End

Follow-up Procedure
After creating the self-encrypting storage pool, you can create LUNs or file
systems to allocate the storage space to application servers. For details, see Basic
Storage Service Configuration Guide for Block or Basic Storage Service
Configuration Guide for File of the corresponding product model.

NOTE

You can log in to Huawei's technical support website (https://support.huawei.com/enterprise/)
and enter the product model + document name in the search box to search
for, browse, and download the desired documents.


3.6 FAQs
This section provides the FAQs for the configuration and maintenance of the key
management server.

3.6.1 What Can I Do If "Username entered does not match client certificate" Is Displayed When Logging in to the Key Management Server's Web Interface?
Question
"Username entered does not match client certificate" is displayed when a user
logs in to the key management server's web interface.

Answer
Step 1 Log in to the key management server's management interface through the serial
port.
Step 2 Run the config command to enter the config mode.
Step 3 Run the edit ras settings command and enter n to disable client certificate
authentication.
SafeNet-01 (config)# edit ras settings
Available IP addresses:
1. All
2. 172.17.7.29
Web Admin Server IP (1-2)[1]:1
Web Admin Server Port [9443]: 9443
Web Admin Client Certificate Authentication (y/n) [n]: n
Available IP addresses:
1. All
2. 172.17.7.29
SSH Admin Server IP (1-2)[1]:1
SSH Admin Server Port [22]: 22
Successfully changed Remote Admin Settings.
SafeNet-01 (config)# Connection to 172.17.7.29 closed by remote host.
Connection to 172.17.7.29 closed.

----End

3.6.2 The Storage System Connects to the Key Management Server Properly, But the Key Cannot Be Created
Question
The storage system connects to the key management server properly, but the key
cannot be created. In the message log of the storage system, get uuid fail... may
be displayed.

Answer
Step 1 Log in to the key management server's web interface.


Step 2 Check whether Username Field in Client Certificate of the KMIP server is OU
(Organization Unit).
1. Choose Device > Key Server.
2. In the Cryptographic Key Server area, select the KMIP server and click
Properties.
3. In the Authentication Settings area, check whether Username Field in
Client Certificate is OU (Organization Unit).
– If yes, go to the next step.
– If no, click Edit, set Username Field in Client Certificate to OU
(Organization Unit), and click Save. Then go to the next step.
Step 3 Check whether a local user named Storage is created.
1. Choose Security > Users & Groups > Local Users & Groups.
2. In the Local Users area, check whether a local user whose Username is
Storage exists.
– If yes, re-create the key on the storage system.
– If no, create a local user whose Username is Storage, then re-create the
key on the storage system.

----End


4 Configuring and Managing the Key Management Server (Sansec SecKMS)

This chapter describes how to install the SecKMS key management server of
Sansec and how to connect it to the storage system.

NOTICE

The version of the SecKMS key management server must be 2.16.0 or later. If your
server is running an earlier version, contact the server manufacturer for the
upgrade files and upgrade method.

4.1 About Sansec SecKMS Key Management Servers
4.2 Configuration Process
4.3 Hardware Deployment
4.4 Configuring the Key Management Server and Cluster
4.5 Connecting the Key Management Server to the Storage System
4.6 Creating a Self-encrypting Storage Pool

4.1 About Sansec SecKMS Key Management Servers


This section describes the hardware and network connection of the SecKMS key
management server.

Hardware
The SecKMS key management server is a 2 U device. Figure 4-1 and Figure 4-2
show its front and rear panels, respectively.


Figure 4-1 Ports and indicators on the front panel

1 USB port
2 Network port status indicator
3 Disk status indicator
4 Power status indicator
5 Power button

Figure 4-2 Ports and indicators on the rear panel

1 Power status indicator
2 Serial port
3 IPMI port
4 USB port
5 Network port
6 VGA port

Typical Networking
A storage system connects to two SecKMS key management servers that are
configured into a cluster in active/standby mode. Figure 4-3 shows the typical
networking.


Figure 4-3 Typical networking of key management servers

Figure 4-4 shows port connections between different components.

NOTE

On the SecKMS key management server, the management port (for accessing the server's
management console) and the service port (for connecting to a storage system) can either
share a physical network port or use different physical ports. In the following example, the
management and service ports share a physical network port (LAN1).

Figure 4-4 Port connections

To ensure that the key management servers can work properly, verify that the
network communication between the following components is normal:

● Storage system's management network port -> key management servers' LAN1
● Maintenance terminal -> key management servers' LAN1
● Key management server 1's LAN1 -> key management server 2's LAN1
● Backup server's network port -> key management servers' LAN1

4.2 Configuration Process


Before configuring key management servers, get familiar with the configuration
procedure to ensure a successful deployment.
Figure 4-5 shows the procedure of configuring key management servers.

Figure 4-5 Configuration process
1. Install key management servers: deploy the hardware, connect the cables, and power on the key management servers.
2. Configure key management servers: initialize the key management servers, configure a key management server cluster, and connect the key management servers to the storage system.
3. Create a disk domain.

4.3 Hardware Deployment


This section describes how to install key management servers, connect their
cables, and power on the servers.

Prerequisites
● The installation positions of the two key management servers have been
determined.
● Cables and tools required for hardware installation have been prepared,
including:
– Serial cable (included in the product package)
– Power cable (included in the product package)
– Network cable (not included in the product package)

– Phillips screwdriver (not included in the product package)
– (Optional) USB-to-serial cable (not included in the product package)
NOTE

Prepare the USB-to-serial cable if the maintenance terminal has no serial port.

Procedure
Step 1 Determine the installation positions.

The key management servers must be installed on standard 19-inch racks.


Determine proper positions on the rack to install the two key management
servers. Ensure that there is enough space in front of and behind the servers for
cable routing and connection, ventilation, and maintenance.

Step 2 Wear ESD gloves and ESD wrist straps.

Step 3 Unpack the key management server.

Step 4 Install the key management server on the rack.

Step 5 Use a network cable to connect the LAN1 port of the key management server to
the management network port of the storage system through a switch.

Step 6 Insert one end of the power cable to the electric socket at the server back, and
insert the other end to the external AC power module.

Step 7 Press the power switch on the front panel.

Step 8 Put the baffle plate on the front panel, then insert and turn the key.

Step 9 Repeat Step 3 to Step 8 to install and power on the other key management
server.

Step 10 If the maintenance terminal has no serial port, use the USB-to-serial cable to
connect the USB port of the maintenance terminal to the serial port of the key
management server.

----End

4.4 Configuring the Key Management Server and Cluster
After hardware installation, initialize the key management server and create a
cluster by following instructions in the server user guide and consulting the
technical support engineer of the server manufacturer.

4.5 Connecting the Key Management Server to the Storage System
After configuring the key management server, connect it to the storage system to
provide the encryption service.

NOTICE

● Ensure that the key management server has been initialized and a cluster has
been created before connecting it to the storage system.
● The version of the SecKMS key management server must be 2.16.0 or later. If
your server is running an earlier version, contact the server manufacturer for
the upgrade files and upgrade method.

4.5.1 Creating a Local CA


This section describes how to create a local certificate authority (CA) on the key
management server.

Prerequisites
The key management server has been initialized and added to a cluster.

Procedure
Step 1 On the browser of the maintenance terminal, enter https://XXX.XXX.XXX.XXX:9443/SecKMS in the address box and press Enter. Log in to the key management
server's web management page using the password or USB key authentication.

Step 2 Choose Device CAs > Local CAs from the navigation tree on the left.

The Local CAs page is displayed.

Figure 4-6 Local CAs

Step 3 Click in the lower part of the page.

The Create Local CA page is displayed, as shown in Figure 4-7.

Figure 4-7 Creating a local CA

Step 4 Set the local CA parameters.

The Certificate Authority Name, Common Name, Organization Name, Organization Unit Name, Locality Name, State or Province Name, and Country
Name can contain a maximum of 256 characters, which can only be letters, digits, periods (.), underscores (_), hyphens (-), and spaces.

Table 4-1 Local CA parameters

Parameter | Description | Example
Certificate Authority Name | Formal name of the new certificate. | hsm_mgmt_ca
Common Name | Common name of the new certificate. This can be the same as the Certificate Authority Name. | hsm_mgmt_ca
Organization Name | Name of the organization that uses the certificate. | HW
Organization Unit Name | Name of the unit that uses the certificate. | ST
Locality Name | Name of the locality where the certificate is used. | CD
State or Province Name | Name of the province where the certificate is used. | SC
Country Name | Name of the country where the certificate is used. | CN
Email Address | Email address for receiving the certificate. | [email protected]
Key Size | Length of the key. | 2048
CA Duration (days) | Validity period of the certificate, which cannot exceed 3650 days. | 365

Step 5 Click Submit.


The new CA is displayed in the CA list.

----End

4.5.2 Adding the CA to the Trusted CA List


This section describes how to add the created local CA to the trusted CA list on
the key management server.

Prerequisites
A local CA has been created on the key management server.

Procedure
Step 1 On the browser of the maintenance terminal, enter https://XXX.XXX.XXX.XXX:9443/SecKMS in the address box and press Enter. Log in to the key management
server's web management page using the password or USB key authentication.
Step 2 Choose Device CAs > Trusted CAs from the navigation tree on the left.
The Trusted CA Lists page is displayed.

Figure 4-8 Trusted CA list

Step 3 Click in the lower part of the page.

The Choose Local CAs & Known CAs page is displayed, as shown in Figure 4-9.

Figure 4-9 Choosing a local CA or a known CA

Step 4 Select the local CA created in 4.5.1 Creating a Local CA and enter the profile
name.

Step 5 Click Submit.

The CA is displayed in the trusted CA list.

----End

4.5.3 Creating an SSL Certificate


SSL certificates are used for identity authentication when SSL connections are
established between the client application and key management server. This
section describes how to create an SSL certificate on the key management server.

Prerequisites
The key management server has been initialized and added to a cluster.

Procedure
Step 1 On the browser of the maintenance terminal, enter https://XXX.XXX.XXX.XXX:9443/SecKMS in the address box and press Enter. Log in to the key management
server's web management page using the password or USB key authentication.
Step 2 Choose SSL Certificates > SSL Certificates from the navigation tree on the left.
The SSL Certificate List page is displayed.

Figure 4-10 SSL certificate list

Step 3 Click in the lower part of the page.


The Create Certificate Request page is displayed, as shown in Figure 4-11.

Figure 4-11 Creating a certificate request

Step 4 Set the certificate request parameters.

The Certificate Name, Common Name, Organization Name, Organization Unit Name, Locality Name, State or Province Name, and Country Name can contain
a maximum of 256 characters, which can only be letters, digits, periods (.), underscores (_), hyphens (-), and spaces.

Table 4-2 SSL certificate parameters

Parameter | Description | Example
Certificate Name | Formal name of the new certificate. | hsm_mgmt_ssl
Common Name | Common name of the new certificate. This can be the same as the Certificate Name. | hsm_mgmt_ssl
Organization Name | Name of the organization that uses the certificate. | HW
Organization Unit Name | Name of the unit that uses the certificate. | ST
Locality Name | Name of the locality where the certificate is used. | CD
State or Province Name | Name of the province where the certificate is used. | SC
Country Name | Name of the country where the certificate is used. | CN
Email Address | Email address for receiving the certificate. | [email protected]
Key Size | Length of the key. The value can be 1024 or 2048. | 2048

Step 5 Click Submit.


The new SSL certificate is displayed in the certificate list.

----End

4.5.4 Signing the SSL Certificate


The SSL certificate must be signed by the local CA to take effect. This section
describes how to sign the SSL certificate on the key management server.

Prerequisites
● A local CA has been created on the key management server and added to the
trusted CA list.
● An SSL certificate has been created on the key management server.

Procedure
Step 1 On the browser of the maintenance terminal, enter https://XXX.XXX.XXX.XXX:9443/SecKMS in the address box and press Enter. Log in to the key management
server's web management page using the password or USB key authentication.
Step 2 Choose SSL Certificates > SSL Certificates from the navigation tree on the left.
The SSL Certificate List page is displayed.

Figure 4-12 SSL certificate list

Step 3 Select the SSL certificate created in 4.5.3 Creating an SSL Certificate and click
in the lower part of the page to download the certificate.

Open the downloaded certificate and copy its content.

Step 4 Choose Device CAs > Local CAs from the navigation tree on the left.

The Local CAs page is displayed.

Figure 4-13 Local CAs

Step 5 Select the CA created in 4.5.1 Creating a Local CA and click in the lower part
of the page to issue a signature request.

Table 4-3 describes the signature request parameters. Set Certificate Purpose to
Server, Certificate Duration (Days) to a value no greater than the validity period
of the local CA, and Certificate Request to the SSL certificate content copied in
Step 3, as shown in Figure 4-14.

Table 4-3 Signature request parameters

Parameter | Description | Example
Certificate Authority | Local CA that signs the certificate. | hsm_mgmt_ca
Certificate Purpose | Purpose of the certificate (server certificate or client certificate). | Server
CA Remaining Days | Validity period of the local CA. | 365
Certificate Duration (Days) | Validity period of the certificate. | 365
Certificate Request | Content of the SSL certificate to be signed. | -

Figure 4-14 Signature request

Step 6 Click Sign. The system returns to the Local CAs page.

Step 7 Select the CA used in Step 5 and click in the lower part of the page.
The Local Signed Certificate page is displayed.

Figure 4-15 Local signed certificate list

Step 8 Select the local signed certificate and click in the lower part of the page to
download the certificate.
Open the downloaded certificate and copy its content.
Step 9 Choose SSL Certificates > SSL Certificates from the navigation tree on the left.
The SSL Certificate List page is displayed.

Select the SSL certificate created in 4.5.3 Creating an SSL Certificate and click
in the lower part of the page to install the certificate.

Figure 4-16 SSL certificate list

Step 10 Paste the certificate content copied in Step 8 to the blank area.

Figure 4-17 SSL certificate management

Step 11 Click Submit. The SSL certificate has been signed.

----End

4.5.5 Adding a Key Server


A key server provides key services for users. This section describes how to add a
key server on the key management server.

Prerequisites
● A local CA has been created on the key management server and added to the
trusted CA list.
● An SSL certificate has been created and signed on the key management
server.

Procedure
Step 1 On the browser of the maintenance terminal, enter https://XXX.XXX.XXX.XXX:9443/SecKMS in the address box and press Enter. Log in to the key management
server's web management page using the password or USB key authentication.

Step 2 Choose Server Management > Server List from the navigation tree on the left.

The Show All KMS Server page is displayed.

Step 3 Check whether the status of KMIP_TCP is run. If it is not, click in the lower part
of the page to start the KMIP_TCP service.

Figure 4-18 Starting the KMIP_TCP service

Step 4 Choose Key Management > Key Servers from the navigation tree on the left.

The Key Server page is displayed.

Figure 4-19 Key server

Step 5 Click in the lower part of the page.

The Add Key Server page is displayed.

Figure 4-20 Adding a key server

Step 6 Set the key server parameters.


● Server Type: KMIP_TCP
● Port: 5696 (value range: 1–65535; default value: 5696)
● Use SSL: yes
● Server Certificate: Select the SSL certificate created in 4.5.3 Creating an SSL
Certificate.
● Client authentication: yes
● CA: Select the trusted CA list created in 4.5.2 Adding the CA to the Trusted
CA List.
Step 7 Click Submit.
The new key server is displayed in the server list.

----End

4.5.6 Signing and Importing the Certificate for the Storage System
After the key management server cluster has been created, you must connect the
key management servers to the storage system to provide the encryption service.

4.5.6.1 Generating and Exporting a Certificate on the Storage System


This section describes how to generate and export a certificate required by the
disk encryption function on the storage system.

Context
The certificate generated on the storage system is not signed. It must be signed on
the key management server.

Procedure
Step 1 Log in to DeviceManager.

Step 2 Choose Settings > Certificates.

Step 3 On the Certificate Management page, choose KMC certificate, and click Export
Request File. On the displayed page, set the Certificate Key Algorithm to RSA
2048 or RSA 4096, and then click OK.
NOTE

You can also click KMC certificate. On the Certificate Details page that is displayed, click
Operation > Export Request File, set the Certificate Key Algorithm to RSA 2048 or RSA
4096, and then click OK.

----End

4.5.6.2 Signing the Certificate on a Key Management Server and Exporting the Certificate
This section describes how to sign the certificate on a key management server and
then export the certificate.

Procedure
Step 1 On the browser of the maintenance terminal, enter https://XXX.XXX.XXX.XXX:9443/SecKMS in the address box and press Enter. Log in to the key management
server's web management page using the password or USB key authentication.

Step 2 Choose Device CAs > Local CAs from the navigation tree on the left.

The Local CAs page is displayed.

Figure 4-21 Local CAs

Step 3 Select the CA created in section 4.5.1 Creating a Local CA and click in the
lower part of the page to issue a signature request.
Table 4-4 describes the signature request parameters. Set Certificate Purpose to
Client, Certificate Duration (Days) to a value no greater than the validity period
of the local CA, and Certificate Request to the content of the storage system
certificate obtained in 4.5.6.1 Generating and Exporting a Certificate on the
Storage System, as shown in Figure 4-22.

Table 4-4 Signature request parameters

Parameter | Description | Example
Certificate Authority | Local CA that signs the certificate. | hsm_mgmt_ca
Certificate Purpose | Purpose of the certificate (server certificate or client certificate). | Client
CA Remaining Days | Validity period of the local CA. | 365
Certificate Duration (Days) | Validity period of the certificate. | 365
Certificate Request | Content of the storage system certificate to be signed. | -

Figure 4-22 Signature request

Step 4 Click Sign. The system returns to the Local CAs page.

Step 5 Select the CA certificate used for the signature and click in the lower part of
the page to download the certificate.

Change the certificate file name extension to .crt.

Step 6 Click in the lower part of the page. The Local Signed Certificate page is
displayed.

Figure 4-23 Local signed certificate list

Step 7 Select the local signed certificate and click in the lower part of the page to
download the certificate.

Change the certificate file name extension to .crt.

----End
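The certificate chain that 4.5.1 through 4.5.6.2 build in the SecKMS GUI (a local CA, a key server certificate signed with Certificate Purpose set to Server, and a storage system certificate signed with Certificate Purpose set to Client), reproduced with the openssl command line as an added example so the resulting chain can be inspected offline. This is not code from the guide or from Sansec; the scratch directory, the file names and the client CN storage_kmc are assumptions, while the subject values follow the examples in Tables 4-1 and 4-2.

```shell
#!/bin/sh
# Added example, not part of the Huawei guide or the Sansec product: the openssl
# equivalent of the PKI that 4.5.1-4.5.6.2 build in the SecKMS GUI, so the chain
# the storage system and the KMIP endpoint present to each other can be inspected.
# Assumptions: the scratch directory and file names, the storage-system client
# CN "storage_kmc", and the subject values, which follow Tables 4-1 and 4-2.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/kmip.cnf"
CA_DAYS=3650                         # Table 4-1: CA Duration may not exceed 3650
SUBJ="/C=CN/ST=SC/L=CD/O=HW/OU=ST"   # Country/State/Locality/Org/OU examples

# Extension profiles. v3_server is what Certificate Purpose = Server yields
# (4.5.4); v3_client is what Certificate Purpose = Client yields (4.5.6.2).
write_config() {
  cat >"$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
# placeholder only; the real subject comes from -subj on the command line
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
EOF
}

# 4.5.1 Creating a Local CA: 2048-bit RSA key and a self-signed CA certificate.
make_local_ca() {
  openssl genrsa -out "$WORK/hsm_mgmt_ca.key" 2048 2>/dev/null
  openssl req -new -config "$CNF" -key "$WORK/hsm_mgmt_ca.key" \
    -subj "$SUBJ/CN=hsm_mgmt_ca" -out "$WORK/hsm_mgmt_ca.csr"
  openssl x509 -req -in "$WORK/hsm_mgmt_ca.csr" -signkey "$WORK/hsm_mgmt_ca.key" \
    -days "$CA_DAYS" -extfile "$CNF" -extensions v3_ca \
    -out "$WORK/hsm_mgmt_ca.crt" 2>/dev/null
}

# Tables 4-3/4-4: Certificate Duration (Days) may not exceed the CA's remaining
# validity. -checkend succeeds only if the CA is still valid N days from now.
ca_covers_days() {
  openssl x509 -in "$WORK/hsm_mgmt_ca.crt" -noout -checkend "$(( $1 * 86400 ))" >/dev/null
}

# 4.5.3 + 4.5.4 (server) and 4.5.6.1 + 4.5.6.2 (client): key, certificate
# request, then a certificate signed by the local CA with the matching purpose.
issue_cert() {   # issue_cert <name> <server|client> <days>
  local name=$1 purpose=$2 days=$3
  ca_covers_days "$days" || { echo "CA expires before $days days" >&2; return 1; }
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  openssl req -new -config "$CNF" -key "$WORK/$name.key" \
    -subj "$SUBJ/CN=$name" -out "$WORK/$name.csr"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/hsm_mgmt_ca.crt" \
    -CAkey "$WORK/hsm_mgmt_ca.key" -CAcreateserial -days "$days" \
    -extfile "$CNF" -extensions "v3_$purpose" -out "$WORK/$name.crt" 2>/dev/null
}

# The check each side makes during the KMIP TLS handshake: the peer certificate
# chains to the CA in the trusted CA list (4.5.2) and carries the expected purpose.
verify_purpose() {   # verify_purpose <cert> <sslserver|sslclient>
  openssl verify -CAfile "$WORK/hsm_mgmt_ca.crt" -purpose "$2" "$1" >/dev/null 2>&1
}

build_kmip_pki() {
  write_config
  make_local_ca
  issue_cert hsm_mgmt_ssl server 365   # SecKMS KMIP_TCP server certificate
  issue_cert storage_kmc  client 365   # storage system's KMC certificate
}

build_kmip_pki
verify_purpose "$WORK/hsm_mgmt_ssl.crt" sslserver
echo "server certificate verified for purpose sslserver"
verify_purpose "$WORK/storage_kmc.crt" sslclient
echo "client certificate verified for purpose sslclient"
echo "artifacts written to $WORK"
```

Swapping the purposes in verify_purpose fails for both certificates, which is why a certificate signed with the wrong Certificate Purpose is rejected by the peer even though it chains to the same CA.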

4.5.6.3 Importing and Activating the Certificate on the Storage System


This section describes how to import and activate the certificate on the storage
system.

Procedure
Step 1 Log in to DeviceManager.

Step 2 Choose Settings > Certificates.

Step 3 Import and activate the certificate.


1. On the Certificate Management page, choose KMC certificate, and click
Import Certificate.

NOTE

You can also click KMC certificate. On the Certificate Details page that is displayed,
click Operation > Import Certificate.
2. Import the signed certificate and CA certificate. Table 4-5 describes the
parameters.

Table 4-5 Parameters for importing the certificate

Parameter | Description | Value
Certificate File | Certificate file that has been exported and signed. | [Example] signed.crt
CA Certificate File | Certificate file of a server. | [Example] hsm.mgmt_ca.crt
Private Key File | Private key file of a device. | [Example] None

3. Click OK.
The Warning dialog box is displayed.
4. Carefully read the content in the dialog box, select I have read and
understand the consequences associated with performing this operation,
and click OK.
The Success dialog box is displayed.
5. Click OK.

----End

4.5.6.4 Configuring the Key Management Servers on the Storage System


You must configure the key management servers on the storage system to
establish the connection between them.

Context
A storage system needs two key management servers.

Procedure
Step 1 Log in to DeviceManager.

Step 2 Choose Settings > Key Service. In the function pane on the right, click Modify.
Then select Enable the external key service.

Step 3 Specify the key management server parameters listed in Table 4-6.
NOTE

A storage system can connect to a maximum of two key management servers in a cluster.
The following example adds one key management server to the storage system.

Table 4-6 Key management server parameters

Parameter | Description | Value
Server Type | Type of the key management server. SafeNet KMIP refers to the Thales CipherTrust Manager key server and KeySecure key server. Thales KMIP refers to the Thales keyAuthority key server. General KMIP is compatible with SafeNet KMIP and Utimaco KMIP. | [Example] Sansec KMIP
Address | Domain name or service IP address of the key management server. | [Example] 192.168.141.128
Port | Port on which the key management server provides the key service. This port must be the same as the port used in 4.5.5 Adding a Key Server. | [Value range] 1 to 65535; [Example] 5696

Step 4 Import the signed certificate and CA certificate. Table 4-7 describes the
parameters.

Table 4-7 Parameters for importing the certificate

Parameter | Description | Value
Certificate File | Certificate file that has been exported and signed. | [Example] signed.crt
CA Certificate File | Certificate file of a server. | [Example] hsm.mgmt_ca.crt
Private Key File | Private key file of a device. | [Example] None

Step 5 Click Save.

The Execution Result dialog box is displayed.

Step 6 Repeat Step 3 to add the other key management server in the cluster.

----End

Follow-up Procedure
After the storage system has connected to the key management servers, wait for 2
to 3 minutes before performing follow-up procedures.

4.6 Creating a Self-encrypting Storage Pool


After a self-encrypting storage pool is created on the storage system, an
encryption key is automatically generated.

Prerequisites
SEDs have been configured on the storage system. The AutoLock status of the
SEDs is OFF.
To query the AutoLock status of the SEDs, you can log in to the CLI of the storage
system and run the show disk general command.
admin:/>show disk general
ID Health Status Running Status Type Capacity Role Disk Domain ID Speed(RPM) Health Mark Bar Code Item AutoLock State Key Expiration Time
-------- ------------- -------------- -------- --------- --------- -------------- ---------- ----------- -------------------- -------- -------------- -------------------
DAE000.0 Normal Online SSD-SED 366.965GB Free Disk -- -- -- 2102350LGX10FB000131 02350LGX OFF --
DAE000.1 Normal Online SSD-SED 366.965GB Free Disk -- -- -- 2102350LGX10FB000124 02350LGX OFF --
DAE000.2 Normal Online SSD-SED 366.965GB Free Disk -- -- -- 2102350LGX10FB000238 02350LGX OFF --
DAE000.3 Normal Online SSD-SED 366.965GB Free Disk -- -- -- 2102350LGX10FA000228 02350LGX OFF --
DAE000.4 Normal Online SSD-SED 371.965GB Free Disk -- -- -- 2102350LGX10FA000227 02350LGX OFF --
DAE000.5 Normal Online SSD-SED 371.965GB Free Disk -- -- -- 2102350LGX10FA000187 02350LGX OFF --
DAE100.0 Normal Online SSD-SED 366.965GB Free Disk -- -- -- 2102350LGX10FA000159 02350LGX OFF --
DAE100.1 Normal Online SSD-SED 366.965GB Free Disk -- -- -- 2102350LGX10FA000161 02350LGX OFF --
DAE100.2 Normal Online SSD-SED 366.965GB Free Disk -- -- -- 2102350LGX10G3000505 02350LGX OFF --
DAE100.3 Normal Online SSD-SED 366.965GB Free Disk -- -- -- 2102350LGX10FA000182 02350LGX OFF --
DAE100.4 Normal Online SSD-SED 371.965GB Free Disk -- -- -- 2102350LGX10G3000511 02350LGX OFF --

If AutoLock State is OFF, disk encryption is disabled.
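The prerequisite check above, automated as an added shell example that is not part of the guide: it scans show disk general output and reports any disk that is not an SED or whose AutoLock State is not OFF. The sample output is constructed in the format shown by the guide, with two failing rows (placeholder bar codes) added so the check has something to report.

```shell
#!/bin/sh
# Added example, not part of the Huawei guide: check "show disk general" output
# for the prerequisite in 4.6 before a self-encrypting pool is created: every
# disk must be an SED and its AutoLock State must be OFF. The sample output is
# constructed; rows DAE100.5 (AutoLock ON) and DAE100.6 (not an SED) are made up
# so that the check has something to report. Bar codes are placeholders.
set -eu

READY_SAMPLE='admin:/>show disk general
ID Health Status Running Status Type Capacity Role Disk Domain ID Speed(RPM) Health Mark Bar Code Item AutoLock State Key Expiration Time
-------- ------------- -------------- -------- --------- --------- -------------- ---------- ----------- -------------------- -------- -------------- -------------------
DAE000.0 Normal Online SSD-SED 366.965GB Free Disk -- -- -- CONSTRUCTED000000001 02350LGX OFF --
DAE000.1 Normal Online SSD-SED 366.965GB Free Disk -- -- -- CONSTRUCTED000000002 02350LGX OFF --'

NOT_READY_SAMPLE="$READY_SAMPLE
DAE100.5 Normal Online SSD-SED 371.965GB Free Disk -- -- -- CONSTRUCTED000000003 02350LGX ON --
DAE100.6 Normal Online SSD 371.965GB Free Disk -- -- -- CONSTRUCTED000000004 02350LGX -- --"

# Prints one line per disk that is not ready; returns 0 only if every disk is.
# Data rows start with a slot ID such as DAE000.0. AutoLock State is taken as
# the second field from the right, because Key Expiration Time is a single
# token ("--") in the guide's output; a two-word Role such as "Free Disk"
# therefore does not shift it.
check_autolock_off() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^DAE[0-9]+\.[0-9]+$/ {
      if ($4 !~ /SED/) {
        printf "%s: type %s is not an SED\n", $1, $4; bad++
      } else if ($(NF-1) != "OFF") {
        printf "%s: AutoLock State is %s, expected OFF\n", $1, $(NF-1); bad++
      }
    }
    END { exit bad ? 1 : 0 }'
}

echo "ready sample:"
check_autolock_off "$READY_SAMPLE" && echo "all disks are SEDs with AutoLock OFF"
echo "not-ready sample:"
check_autolock_off "$NOT_READY_SAMPLE" || echo "resolve the disks listed above before creating the pool"
```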

Procedure
Step 1 Log in to DeviceManager and create a storage pool.
The Create Storage Pool page is displayed.

Figure 4-24 Creating a storage pool

NOTE

Use either of the following methods to go to the Create Storage Pool page:
● When you log in to the storage system for the first time, you can create a storage pool
in Custom mode in the initial configuration wizard. For details, see "Initially Configuring
a Storage Device" in the initialization guide specific to your product model.
● On the menu bar, choose System > Storage Pools and then click Create.

Step 2 Create a self-encrypting storage pool and automatically generate encryption keys
on the storage system.
1. Select Advanced and enable Data Encryption. Disk encryption is enabled for
all SEDs in the storage pool.

Figure 4-25 Enabling Data Encryption

NOTE

After a storage pool has been created, data encryption cannot be enabled or disabled
for the storage pool.
2. Set other parameters for the storage pool.

For the parameter description, see section "Creating a Storage Pool" in the
Basic Storage Service Configuration Guide for Block or Basic Storage Service
Configuration Guide for File of the specific product model.
3. Click OK.
Confirm your operation as prompted.

----End

Follow-up Procedure
After creating the self-encrypting storage pool, you can create LUNs or file
systems to allocate the storage space to application servers. For details, see Basic
Storage Service Configuration Guide for Block or Basic Storage Service
Configuration Guide for File of the corresponding product model.

NOTE

You can log in to Huawei's technical support website (https://support.huawei.com/enterprise/) and enter the product model + document name in the search box to search
for, browse, and download the desired documents.

5 Configuring and Managing the Key Management Server (KeySecure (K170v), Applicable to 6.1.2 and Later)

This chapter introduces how to install and configure KeySecure (K170v) key
management servers of SafeNet.

NOTE

SafeNet KeySecure (K170v) is also called CipherTrust Manager (K170v).

5.1 About KeySecure Key Management Servers


5.2 Configuration Process
5.3 Hardware Deployment
5.4 Configuring the Key Management Server and Cluster
5.5 Creating a Self-encrypting Storage Pool

5.1 About KeySecure Key Management Servers


When configuring key management servers, get some knowledge about the
hardware, networking, user permission, and management interface first to prepare
for the configuration.

Typical Networking
A storage system connects to two key management servers that are configured
into a cluster in active/standby mode. Figure 5-1 shows the typical networking.

Figure 5-1 Typical networking of key management servers

Figure 5-2 shows port connections between different components.

Figure 5-2 Port connections

NOTE

On a key management server, the management network port (used to access the key
management server's management interface) and the service network port (used to
connect to a storage array) share the eth1 port on the front panel.

To ensure that the key management servers can work properly, verify that the
network communication between the following components is normal:

● Storage system's management network port -> key management servers' eth1
● Maintenance terminal -> key management servers' eth1
● Key management server 1's eth1 -> key management server 2's eth1
● Backup server's network port -> key management servers' eth1

User Roles and Permissions


By default, the key management server has an admin user whose password is set during initialization. This user has all configuration and management
permissions. This document uses the admin user as the example.

5.2 Configuration Process


Before configuring key management servers, get familiar with the configuration
procedure to ensure a successful deployment.
Figure 5-3 shows the procedure of configuring key management servers.

Figure 5-3 Configuration process
1. Install key management servers: deploy the hardware, connect the cables, and power on the key management servers.
2. Configure key management servers: initialize the key management servers, configure a key management server cluster, and connect the key management servers to the storage system.
3. Create a disk domain.

5.3 Hardware Deployment


This section describes how to install key management servers, connect their
cables, and power on the servers.

Prerequisites
● The installation positions of the two key management servers have been
determined.
● Cables and tools required for hardware installation have been prepared,
including:

– Serial cable (included in the product package)
– Power cable (included in the product package)
– Network cable (not included in the product package)
– Phillips screwdriver (not included in the product package)
– (Optional) USB-to-serial cable (not included in the product package)
NOTE

Prepare the USB-to-serial cable if the maintenance terminal has no serial port.

Procedure
Step 1 Determine the installation positions.

The key management servers must be installed on standard 19-inch racks.


Determine proper positions on the rack to install the two key management
servers. Ensure that there is enough space in front of and behind the servers for
cable routing and connection, ventilation, and maintenance.

Step 2 Wear ESD gloves and ESD wrist straps.

Step 3 Unpack the key management server.

Step 4 Install the key management server on the rack.

Step 5 Use a network cable to connect the eth1 port of the key management server to
the management network port of the storage system through a switch.

Step 6 Insert one end of the power cable into the power socket on the rear of the server, and
insert the other end into the external AC power module.

Step 7 Press the power switch on the front panel.

Step 8 Put the baffle plate on the front panel, then insert and turn the key.

Step 9 Repeat Step 3 to Step 8 to install and power on the other key management
server.

Step 10 If the maintenance terminal has no serial port, use the USB-to-serial cable to
connect the USB port of the maintenance terminal to the serial port of the key
management server.

----End

5.4 Configuring the Key Management Server and Cluster
After hardware installation, initialize the key management server and create a
cluster by following instructions in the user guide and consulting technical support
engineers of the server vendor.

5.4.1 Initializing the Key Management Servers and Configuring a Key Management Server Cluster
The initialization includes initializing the network and time, importing licenses,
configuring the KMIP and NTP servers, and configuring scheduled backup for both
key management servers used to form a cluster.

After two key management servers with the same configurations are clustered,
the two servers provide the encryption service together. If one of them becomes
faulty or fails to provide the encryption service, the storage system automatically
connects to the other one.

For details about how to initialize key management servers and create a cluster,
refer to the user guide and consult technical support engineers of the server
vendor.

NOTICE

When configuring the key management server, select Enable hard delete, as
shown in Figure 5-4.

Figure 5-4 Selecting Enable hard delete

Procedure: Log in to the web management page of the key management server as
user admin, choose Admin Settings > System > Interfaces, click on the
right of the kmip line, and click Edit.

5.4.2 Connecting the Key Management Server to the Storage System
After the key management server cluster has been created, you must connect the
key management servers to the storage system to provide the encryption service.

5.4.2.1 Generating and Exporting a Certificate on the Storage System


This section describes how to generate and export a certificate required by the
disk encryption function on the storage system.

Context
The certificate generated on the storage system is not signed. It must be signed on
the key management server.

Procedure
Step 1 Log in to DeviceManager.
Step 2 Choose Settings > Certificates.
Step 3 On the Certificate Management page, choose KMC certificate, and click Export
Request File. On the displayed page, set the Certificate Key Algorithm to RSA
2048 or RSA 4096, and then click OK.
NOTE

You can also click KMC certificate. On the Certificate Details page that is displayed, click
Operation > Export Request File, set the Certificate Key Algorithm to RSA 2048 or RSA
4096, and then click OK.

----End

5.4.2.2 Creating a Local User


This section describes how to create a local user. When the key management
server authenticates a storage system using the Key Management Interoperability
Protocol (KMIP), it identifies the storage system based on the user.

NOTICE

● Create at least one local user.


● Add the local users to the Key Admins and Key Users groups.

Precautions
To ensure that the key management server can identify the storage system
successfully, the local user name of the key management server must be set to
Storage, which is the same as the OU value in the signed certificate of the storage
system.
You can query the OU value as follows:
1. Double-click the certificate.
2. Click the Detail tab, and select User. You can view the OU value in the lower
pane.

Procedure
Step 1 Log in to the web management page of the key management server as user
admin.

Step 2 Choose Keys & Access Management > Users, and click Create New User.

Figure 5-5 Clicking Create New User

Step 3 Enter Storage in the Username field and set the password.
NOTE

The name of the local user created on the key management server must be the same as
the OU value (Storage) in the certificate file signed on the storage system.

Figure 5-6 Entering the information about the new user

Step 4 Click Create. The new user is displayed on the Users page.

Figure 5-7 User created successfully

Step 5 Click user Storage to display the user information. Click on the right of a
group.

Figure 5-8 Information about user Storage

Step 6 Search for groups Key Admins and Key Users.

Figure 5-9 Searching for group Key Admins and Key Users

Step 7 Click Add on the right of groups Key Admins and Key Users.

Figure 5-10 Clicking Add

----End

5.4.2.3 Creating Clients


This section describes how to create clients for storage systems on the key
management server.

Precautions
If the key management server is connected to multiple storage devices, a client is
required for each storage device.

Procedure
Step 1 Log in to the web management page of the key management server as user
admin.

Step 2 Choose KMIP.

Step 3 Create a profile. For details, see 5.4.2.3.1 Creating a Profile.

Step 4 Create a registration token. For details, see 5.4.2.3.2 Creating a Registration
Token.

Step 5 Add a client. For details, see 5.4.2.3.3 Adding a Client.

----End

5.4.2.3.1 Creating a Profile


This section describes how to create a profile.

Prerequisites
The key management server must have been added to a cluster.

Procedure
Step 1 Log in to the web management page of the key management server as user
admin.
Step 2 Choose KMIP > Client Profiles, and click Add Profile.

Figure 5-11 Clicking Add Profile

Step 3 Enter a Profile Name, select OU for Username Location in Certificate, and click
on the right of Certificate Details. In the CSR field, input the certificate file of
the storage system exported in 5.4.2.1 Generating and Exporting a Certificate
on the Storage System.

Figure 5-12 Setting the profile information

Step 4 Click Save. The profile is displayed on the Client Profiles page.

Figure 5-13 Profile created successfully

----End

5.4.2.3.2 Creating a Registration Token


This section describes how to create a registration token.

Prerequisites
● The key management server has been added to a cluster.
● A profile has been created.

Procedure
Step 1 Choose KMIP > Registration Token, and click New Registration Token.

Figure 5-14 Clicking New Registration Token

Step 2 Click Begin, and create a registration token following the wizard.

Figure 5-15 Registration token creation wizard

1. On the Configure Token page, set the Name Prefix and Token lifetime. You
can click to view the rules. It is recommended that the Name Prefix be
kept the same as the profile name. You can use the default token lifetime or
set a value based on actual requirements. Click Next.

Figure 5-16 Configuring the token

2. On the Select CA page, select the default CA and click Select Profile.

Figure 5-17 Selecting the CA

3. On the Select Profile page, select the created profile from the drop-down list,
and click Create Token.

Figure 5-18 Selecting the profile

4. On the Create Token page, click Copy to copy the certificate information, and
click Done.

NOTE

You can also copy the certificate information on the Registration Token page in Step
5.

Figure 5-19 Copying the certificate information

5. The new registration token is displayed on the Registration Token page.

Figure 5-20 Token created successfully

----End

5.4.2.3.3 Adding a Client


This section describes how to add a client.

Prerequisites
● The key management server has been added to a cluster.
● A profile has been created.
● A registration token has been created.

Procedure
Step 1 Choose KMIP > Registered Clients, and click Add Client.

Figure 5-21 Clicking Add Client

Step 2 Set the Name and fill in the Registration Token field with the certificate
information copied in Step 4. You can click to view the rules. It is
recommended that the client name be the same as the profile name. Click Save.

Figure 5-22 Setting the client information

Step 3 Click Save Certificate to download the file Certificate.pem.

Figure 5-23 Saving the certificate

Step 4 Click Close. The new client is displayed on the Registered Clients page.

Figure 5-24 Client created successfully

----End

5.4.2.4 Signing the Certificate on a Key Management Server and Exporting the Certificate
This section describes how to sign the certificate on a key management server and
then export the certificate.

Procedure
Step 1 Log in to the web management page of the key management server as user
admin.

Step 2 Choose Keys & Access Management > CA, and click on the right of the
subject in the Local Certificate Authorities area. Click Download to obtain the
file Certificate.pem.

Figure 5-25 Obtaining Certificate.pem

Step 3 Choose KMIP > Registered Clients, and click on the right. Click Save
Certificate to obtain the file Cert.pem.
NOTE

If you have saved the file Cert.pem in Step 3, skip this step.

Figure 5-26 Obtaining Cert.pem

----End

5.4.2.5 Importing and Activating the Certificate on the Storage System


This section describes how to import and activate the certificate on the storage
system.

Procedure
Step 1 Log in to DeviceManager.

Step 2 Choose Settings > Certificates.

Step 3 Import and activate the certificate.


1. On the Certificate Management page, choose KMC certificate, and click
Import Certificate.
NOTE

You can also click KMC certificate. On the Certificate Details page that is displayed,
click Operation > Import Certificate.
2. Import the signed certificate and CA certificate. Table 5-1 describes the
parameters.

Table 5-1 Parameters for importing the certificate

Parameter | Description | Value
Certificate File | Certificate file that has been exported and signed | [Example] Cert.pem
CA Certificate File | Certificate file of a server | [Example] Certificate.pem
Private Key File | Private key file of a device | [Example] None

3. Click OK.
The Warning dialog box is displayed.
4. Carefully read the content in the dialog box, select I have read and
understand the consequences associated with performing this operation,
and click OK.

The Success dialog box is displayed.


5. Click OK.

----End

5.4.2.6 Configuring the Key Management Servers on the Storage System


You must configure the key management servers on the storage system to
establish the connection between them.

Context
A storage system needs two key management servers.

Procedure
Step 1 Log in to DeviceManager.
Step 2 Choose Settings > Key Service. In the function pane on the right, click Modify.
Then select Enable the external key service.
Step 3 Specify the key management server parameters listed in Table 5-2.
NOTE

A storage system can connect to a maximum of two key management servers in a cluster.
The following example adds one key management server to the storage system.

Table 5-2 Key management server parameters

Parameter | Description | Value
Server Type | Type of the key management server. SafeNet KMIP refers to the Thales CipherTrust Manager key server and the KeySecure key server; Thales KMIP refers to the Thales keyAuthority key server; General KMIP is compatible with SafeNet KMIP and Utimaco KMIP. | [Example] SafeNet KMIP
Address | Domain name or service IP address of the key management server | [Example] 192.168.141.128
Port | Port information of the server IP address | [Value range] 1 to 65535; [Example] 9443

Step 4 Import the signed certificate and CA certificate. Table 5-3 describes the
parameters.

Table 5-3 Parameters for importing the certificate

Parameter | Description | Value
Certificate File | Certificate file that has been exported and signed | [Example] signed.crt
CA Certificate File | Certificate file of a server | [Example] hsm.mgmt_ca.crt
Private Key File | Private key file of a device | [Example] None

Step 5 Click Save.


The Execution Result dialog box is displayed.
Step 6 Repeat Step 3 to add the other key management server in the cluster.

----End

Follow-up Procedure
After the storage system has connected to the key management servers, wait for 2
to 3 minutes before performing follow-up procedures.

5.5 Creating a Self-encrypting Storage Pool


After a self-encrypting storage pool is created on the storage system, an
encryption key is automatically generated.

Prerequisites
SEDs have been configured on the storage system. The AutoLock status of the
SEDs is OFF.
To query the AutoLock status of the SEDs, you can log in to the CLI of the storage
system and run the show disk general command.
admin:/>show disk general
ID Health Status Running Status Type Capacity Role Disk Domain ID Speed(RPM) Health Mark Bar Code Item AutoLock State Key Expiration Time
------ ------------- -------------- -------- --------- --------- -------------- ---------- ----------- -------------------- -------- -------------- -------------------
DAE000.0 Normal Online SSD-SED 366.965GB Free Disk -- -- -- 2102350LGX10FB000131 02350LGX OFF --
DAE000.1 Normal Online SSD-SED 366.965GB Free Disk -- -- -- 2102350LGX10FB000124 02350LGX OFF --
DAE000.2 Normal Online SSD-SED 366.965GB Free Disk -- -- -- 2102350LGX10FB000238 02350LGX OFF --
DAE000.3 Normal Online SSD-SED 366.965GB Free Disk -- -- -- 2102350LGX10FA000228 02350LGX OFF --
DAE000.4 Normal Online SSD-SED 371.965GB Free Disk -- -- -- 2102350LGX10FA000227 02350LGX OFF --
DAE000.5 Normal Online SSD-SED 371.965GB Free Disk -- -- -- 2102350LGX10FA000187 02350LGX OFF --
DAE100.0 Normal Online SSD-SED 366.965GB Free Disk -- -- -- 2102350LGX10FA000159 02350LGX OFF --
DAE100.1 Normal Online SSD-SED 366.965GB Free Disk -- -- -- 2102350LGX10FA000161 02350LGX OFF --
DAE100.2 Normal Online SSD-SED 366.965GB Free Disk -- -- -- 2102350LGX10G3000505 02350LGX OFF --
DAE100.3 Normal Online SSD-SED 366.965GB Free Disk -- -- -- 2102350LGX10FA000182 02350LGX OFF --
DAE100.4 Normal Online SSD-SED 371.965GB Free Disk -- -- -- 2102350LGX10G3000511 02350LGX OFF --

If AutoLock State is OFF, disk encryption is disabled.
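The guide leaves the AutoLock check to the reader's eye. The following Go program is an added example, not part of the guide and not Huawei code: it parses output in the layout of show disk general and lists the SEDs whose AutoLock State is not OFF, i.e. the disks that do not yet meet the prerequisite above. The sample listing embedded in it is constructed to resemble the guide's output; the column names are those of the listing, while the row values (one SED already locked with a key expiration time, one non-SED disk with no AutoLock state, the Member Disk role) are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample in the layout of "show disk general" (not captured from
// a real array). Two SEDs are in the prerequisite state (AutoLock OFF), one
// SED already has AutoLock ON, and one non-SED disk has no AutoLock state.
const sampleOutput = `admin:/>show disk general
ID        Health Status  Running Status  Type     Capacity   Role         Disk Domain ID  Speed(RPM)  Health Mark  Bar Code              Item      AutoLock State  Key Expiration Time
--------  -------------  --------------  -------  ---------  -----------  --------------  ----------  -----------  --------------------  --------  --------------  -------------------
DAE000.0  Normal         Online          SSD-SED  366.965GB  Free Disk    --              --          --           2102350LGX10FB000131  02350LGX  OFF             --
DAE000.1  Normal         Online          SSD-SED  366.965GB  Free Disk    --              --          --           2102350LGX10FB000124  02350LGX  OFF             --
DAE000.2  Normal         Online          SSD-SED  366.965GB  Member Disk  0               --          --           2102350LGX10FB000238  02350LGX  ON              2023-04-15 00:00:00
DAE000.3  Normal         Online          SSD      366.965GB  Free Disk    --              --          --           2102350LGX10FA000228  02350LGX  --              --
`

// diskRow holds one disk's columns keyed by the header names of the table.
type diskRow map[string]string

// Columns are separated by at least two spaces, while values such as
// "Free Disk" or a timestamp contain only single spaces, so splitting on runs
// of two or more spaces recovers the columns without relying on fixed widths.
var colSep = regexp.MustCompile(`\s{2,}`)

// parseDiskTable turns the text of "show disk general" into one diskRow per
// disk. The header is the line directly above the dashed separator; the
// prompt and anything else above the header are ignored.
func parseDiskTable(out string) ([]diskRow, error) {
	lines := strings.Split(out, "\n")
	var header []string
	var rows []diskRow
	for i, raw := range lines {
		line := strings.TrimSpace(raw)
		if line == "" {
			continue
		}
		if header == nil {
			if strings.HasPrefix(line, "--") && i > 0 {
				header = colSep.Split(strings.TrimSpace(lines[i-1]), -1)
			}
			continue
		}
		fields := colSep.Split(line, -1)
		if len(fields) != len(header) {
			return nil, fmt.Errorf("line %d: %d fields, header has %d", i+1, len(fields), len(header))
		}
		row := make(diskRow, len(header))
		for j, name := range header {
			row[name] = fields[j]
		}
		rows = append(rows, row)
	}
	if header == nil {
		return nil, fmt.Errorf("no table header found")
	}
	return rows, nil
}

// sedsNotReady returns the IDs of SEDs whose AutoLock State is not OFF: those
// disks do not meet the prerequisite for a self-encrypting storage pool.
// Non-SED disks carry no AutoLock state and are skipped.
func sedsNotReady(rows []diskRow) []string {
	var ids []string
	for _, r := range rows {
		if strings.HasSuffix(r["Type"], "-SED") && r["AutoLock State"] != "OFF" {
			ids = append(ids, r["ID"])
		}
	}
	return ids
}

func main() {
	rows, err := parseDiskTable(sampleOutput)
	if err != nil {
		panic(err)
	}
	fmt.Println(len(rows), "disks; SEDs not ready:", sedsNotReady(rows)) // 4 disks; SEDs not ready: [DAE000.2]
}
```

Feed the program the text captured from the CLI instead of sampleOutput; an empty result from sedsNotReady means every SED satisfies the prerequisite.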

Procedure
Step 1 Log in to DeviceManager and create a storage pool.
The Create Storage Pool page is displayed.

Figure 5-27 Creating a storage pool

NOTE

Use either of the following methods to go to the Create Storage Pool page:
● When you log in to the storage system for the first time, you can create a storage pool
in Custom mode in the initial configuration wizard. For details, see "Initially Configuring
a Storage Device" in the initialization guide specific to your product model.
● On the menu bar, choose System > Storage Pools and then click Create.

Step 2 Create a self-encrypting storage pool and automatically generate encryption keys
on the storage system.
1. Select Advanced and enable Data Encryption. Disk encryption is enabled for
all SEDs in the storage pool.

Figure 5-28 Enabling Data Encryption

NOTE

After a storage pool has been created, data encryption cannot be enabled or disabled
for the storage pool.
2. Set other parameters for the storage pool.
For the parameter description, see section "Creating a Storage Pool" in the
Basic Storage Service Configuration Guide for Block or Basic Storage Service
Configuration Guide for File of the specific product model.
3. Click OK.
Confirm your operation as prompted.

----End

Follow-up Procedure
After creating the self-encrypting storage pool, you can create LUNs or file
systems to allocate the storage space to application servers. For details, see Basic
Storage Service Configuration Guide for Block or Basic Storage Service
Configuration Guide for File of the corresponding product model.

NOTE

You can log in to Huawei's technical support website (https://support.huawei.com/enterprise/) and enter the product model + document name in the search box to search for, browse, and download the desired documents.


6 Configuring and Managing the Key Management Server (Utimaco, Applicable to 6.1.2 and Later)

This chapter describes how to install and configure the Utimaco key management
server.
6.1 About Utimaco Key Management Servers
6.2 Configuration Process
6.3 Hardware Deployment
6.4 Configuring the Key Management Server and Cluster
6.5 Connecting the Key Management Server to the Storage System
6.6 Creating a Self-encrypting Storage Pool

6.1 About Utimaco Key Management Servers


This section describes the network connection of the Utimaco key management
server.

Typical Networking
A storage system connects to two Utimaco key management servers that are
clustered in hot backup mode. Figure 6-1 shows the typical networking.

Figure 6-1 Typical networking of key management servers

Figure 6-2 shows port connections between different components.

Figure 6-2 Port connections

To ensure that the key management servers can work properly, verify that the
network communication between the following components is normal:
● Storage system's management network port -> key management servers' LAN1
● Maintenance terminal -> key management servers' LAN1
● Key management server 1's LAN1 -> key management server 2's LAN1
● Backup server's network port -> key management servers' LAN1

6.2 Configuration Process


Before configuring key management servers, get familiar with the configuration
procedure to ensure a successful deployment.

Figure 6-3 shows the procedure of configuring key management servers.

Figure 6-3 Configuration process

Start
1. Deploy hardware: install the key management servers, connect the cables, and power on the key management servers.
2. Configure the key management servers: initialize the key management servers, configure a key management server cluster, and connect the key management servers to the storage system.
3. Create a disk domain.
End

6.3 Hardware Deployment


This section describes how to install key management servers, connect their
cables, and power on the servers.

Prerequisites
● The installation positions of the two key management servers have been
determined.
● Cables and tools required for hardware installation have been prepared,
including:
– Serial cable (included in the product package)
– Power cable (included in the product package)
– Network cable (not included in the product package)
– Phillips screwdriver (not included in the product package)
– (Optional) USB-to-serial cable (not included in the product package)
NOTE

Prepare the USB-to-serial cable if the maintenance terminal has no serial port.

Procedure
Step 1 Determine the installation positions.

The key management servers must be installed on standard 19-inch racks.


Determine proper positions on the rack to install the two key management
servers. Ensure that there is enough space in front of and behind the servers for
cable routing and connection, ventilation, and maintenance.

Step 2 Wear ESD gloves and ESD wrist straps.

Step 3 Unpack the key management server.

Step 4 Install the key management server on the rack.

Step 5 Use a network cable to connect the LAN1 port of the key management server to
the management network port of the storage system through a switch.

Step 6 Insert one end of the power cable into the power socket on the rear of the server, and
insert the other end into the external AC power module.

Step 7 Press the power switch on the front panel.

Step 8 Put the baffle plate on the front panel, then insert and turn the key.

Step 9 Repeat Step 3 to Step 8 to install and power on the other key management
server.

Step 10 If the maintenance terminal has no serial port, use the USB-to-serial cable to
connect the USB port of the maintenance terminal to the serial port of the key
management server.

----End

6.4 Configuring the Key Management Server and Cluster
After hardware installation, initialize the key management server and create a
cluster by following instructions in the server user guide and consulting the
technical support engineer of the server manufacturer.

6.5 Connecting the Key Management Server to the Storage System
After the key management server cluster has been created, you must connect the
key management servers to the storage system to provide the disk encryption
service.

6.5.1 Generating and Exporting a Certificate on the Storage System
This section describes how to generate and export a certificate required by the
disk encryption function on the storage system.

Context
The certificate generated on the storage system is not signed. It must be signed on
the key management server.

Procedure
Step 1 Log in to DeviceManager.
Step 2 Choose Settings > Certificates.
Step 3 On the Certificate Management page, choose KMC certificate, and click Export
Request File. On the displayed page, set the Certificate Key Algorithm to RSA
2048 or RSA 4096, and then click OK.
NOTE

You can also click KMC certificate. On the Certificate Details page that is displayed, click
Operation > Export Request File, set the Certificate Key Algorithm to RSA 2048 or RSA
4096, and then click OK.

----End

6.5.2 Signing the Certificate on a Key Management Server and Exporting the Certificate
This section describes how to sign a key management server certificate and how
to export the certificate. The certificate generated on the storage system must be
signed on the key management server and saved properly. In addition, you must
also export the CA certificate of the key management server.

Signing the Certificate


Step 1 Log in to the key management server's web interface as an administrator.
Step 2 Choose Security > Certificates & CAs > Local CAs.
The Certificate and CA Configuration interface is displayed, as shown in Figure
6-4.

Figure 6-4 CA certificate list

Step 3 Select the default CA certificate and click Sign Request.

The Sign Certificate Request interface is displayed, as shown in Figure 6-5.

Figure 6-5 Signing the certificate

Step 4 Set certificate request parameters.


1. Set Sign with Certificate Authority to ESKMCA (maximum xxxx days)
(default value).
2. Set Certificate Purpose to Client.
3. Set Certificate Duration (days) to the validity period of the certificate. The
value of this parameter must not be greater than xxx in ESKMCA (maximum
xxxx days).
4. Copy the *.csr content of the certificate file exported from the storage system
in 6.5.1 Generating and Exporting a Certificate on the Storage System to
the text box under Certificate Request.

5. Click Sign Request.


The CA Certificate Information page is displayed, as shown in Figure 6-6.

Figure 6-6 CA certificate information

Step 5 Click Download to export the signed certificate.


The signed certificate is named signed.crt.

----End

Exporting the CA Certificate


Step 1 Log in to the key management server's web interface as an administrator.
Step 2 Choose Security > Certificates & CAs > Local CAs.
The Certificate and CA Configuration interface is displayed, as shown in Figure
6-7.

Figure 6-7 CA certificate list

Step 3 Select the default CA certificate, and click Download to export the CA certificate
of the key management server.

----End

6.5.3 Creating a Local User


This section describes the precautions for creating a local user on a key
management server. This user is used by the key management server to
authenticate a storage system using the Key Management Interoperability
Protocol (KMIP).

Precautions
To ensure that the key management server can identify the storage system
successfully, the local user name of the key management server must be set to
Storage, which is the same as the OU value in the signed certificate of the storage
system.

You can query the OU value as follows:

1. Double-click the certificate.


2. Click the Detail tab, and select User. You can view the OU value in the lower
pane.
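The identification rule in these Precautions is the same one stated in 5.4.2.2: the key server reads the KMIP username from the OU of the client certificate it signed (the profile setting Username Location in Certificate = OU) and looks that name up among its local users. The following Go program is an added example, not code from the guide or from either key server vendor; it reproduces the whole chain offline with the Go standard library: the storage system's unsigned RSA 2048 request carrying OU=Storage (5.4.2.1 / 6.5.1), the key server's local CA signing it for client use (Certificate Purpose = Client in 6.5.2), and the server-side check that the certificate chains to that CA and that its OU equals the local user name. The CA name "Example KMS CA", the common name "storage-system" and the function names are assumptions chosen for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newCSR plays the storage system: an RSA 2048 key and an unsigned request
// whose OU the key server will later read as the KMIP username.
func newCSR(ou string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	subject := pkix.Name{CommonName: "storage-system", OrganizationalUnit: []string{ou}}
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subject}, key)
}

// newCA plays the key server's local CA ("Example KMS CA" is an assumed name).
func newCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example KMS CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// signCSR plays "Sign Request" with Certificate Purpose = Client: the subject
// (and so the OU) is copied from the request, the certificate is limited to
// client authentication, and the result is returned as PEM (signed.crt).
func signCSR(csrDER []byte, ca *x509.Certificate, caKey *rsa.PrivateKey, days int) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // requester holds the private key
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, days),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// identifyClient models the key server at connection time: the certificate
// must chain to the local CA as a client-auth certificate, its single OU is
// the KMIP username, and that name must equal the local user (Precautions).
func identifyClient(certPEM []byte, ca *x509.Certificate, localUser string) (string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return "", fmt.Errorf("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	if n := len(cert.Subject.OrganizationalUnit); n != 1 {
		return "", fmt.Errorf("expected exactly one OU, got %d", n)
	}
	user := cert.Subject.OrganizationalUnit[0]
	if user != localUser {
		return user, fmt.Errorf("certificate OU %q does not match local user %q", user, localUser)
	}
	return user, nil
}

func main() {
	ca, caKey, _ := newCA()
	csr, _ := newCSR("Storage")
	certPEM, _ := signCSR(csr, ca, caKey, 365)
	fmt.Println(identifyClient(certPEM, ca, "Storage")) // Storage <nil>
}
```

The order of the checks in identifyClient matters: the chain and client-auth verification runs before the OU is read, so a certificate from a foreign CA is rejected without its subject ever being trusted, and a certificate with a mismatching OU is rejected even though it was signed correctly, which is exactly why the guide insists on the user name Storage.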

Context
Create at least one local user.

Procedure
Step 1 Log in as the admin user to the key management server's web interface.
Step 2 Choose Security > Users & Groups > Local Users & Groups > Local Users.
The User & Group Configuration page is displayed, as shown in Figure 6-8.

Figure 6-8 Local user page

Step 3 In the Local User area, click Add.


Figure 6-9 shows the page that is displayed.

Figure 6-9 Local user information setting page

Step 4 Set user information.

NOTICE

Enter the signed.crt certificate content downloaded in Step 5 in the KMIP Client
Certificate area.

Table 6-1 User parameters

Parameter | Description | Setting
Username | Name of the new user. Set the value to Storage. | [Example] Storage
Password | Password of the new user. | [Example] admin@123
Confirm Password | Enter the password again. | [Example] admin@123
License Type | License type of the key management server. To connect to a storage device, select Storage. | [Example] Storage
User Administration Permission | Permission to create, modify, and delete a user or user group. | [Example] Not selected
Change Password Permission | Permission to modify a user's own password. | [Example] Not selected
Enable KMIP | The KMIP protocol that should be selected for storage system authentication. | [Example] Selected

NOTE

For Map non-existent Object Group to x-Object Group, KMIP User Group, and KMIP
Object Group, use the default values.

Step 5 Click Create.


The new user is displayed in the user list, as shown in Figure 6-10.

Figure 6-10 New user

----End

6.5.4 Importing and Activating the Certificate on the Storage System
This section describes how to import and activate the certificate on the storage
system.

Procedure
Step 1 Log in to DeviceManager.

Step 2 Choose Settings > Certificates.

Step 3 Import and activate the certificate.


1. On the Certificate Management page, choose KMC certificate, and click
Import Certificate.
NOTE

You can also click KMC certificate. On the Certificate Details page that is displayed,
click Operation > Import Certificate.
2. Import the signed certificate and CA certificate. Table 6-2 describes the
parameters.

Table 6-2 Parameters for importing the certificate

Parameter | Description | Value
Certificate File | Certificate file that has been exported and signed | [Example] signed.crt
CA Certificate File | Certificate file of a server | [Example] ESKMCA.crt
Private Key File | Private key file of a device | [Example] None

3. Click OK.
The Warning dialog box is displayed.
4. Carefully read the content in the dialog box, select I have read and
understand the consequences associated with performing this operation,
and click OK.
The Success dialog box is displayed.
5. Click OK.

----End

6.5.5 Configuring the Key Management Servers on the Storage System

You must configure the key management servers on the storage system to
establish the connection between them.

Context
A storage system needs two key management servers.

Procedure
Step 1 Log in to DeviceManager.
Step 2 Choose Settings > Key Service. In the function pane on the right, click Modify.
Then select Enable the external key service.
Step 3 Specify the key management server parameters listed in Table 6-3.
NOTE

A storage system can connect to a maximum of two key management servers in a cluster.
The following example adds one key management server to the storage system.


Table 6-3 Key management server parameters

Parameter | Description | Value
Server Type | Type of the key management server. SafeNet KMIP refers to the Thales CipherTrust Manager key server and KeySecure key server. Thales KMIP refers to the Thales keyAuthority key server. General KMIP is compatible with SafeNet KMIP and Utimaco KMIP. | [Example] Utimaco KMIP
Address | Domain name or service IP address of the key management server | [Example] 192.168.141.128
Port | Port on which the key management server listens at that address | [Value range] 1 to 65535; [Example] 5696

Step 4 Import the signed certificate and CA certificate. Table 6-4 describes the parameters.

Table 6-4 Parameters for importing the certificate

Parameter | Description | Value
Certificate File | Certificate file that has been exported and signed | [Example] signed.crt
CA Certificate File | Certificate file of a server | [Example] ESKMCA.crt
Private Key File | Private key file of a device | [Example] None

Step 5 Click Save.

The Execution Result dialog box is displayed.

Step 6 Repeat Step 3 to add the other key management server in the cluster.

----End


Follow-up Procedure
After the storage system has connected to the key management servers, wait for 2
to 3 minutes before performing follow-up procedures.

6.6 Creating a Self-encrypting Storage Pool


After a self-encrypting storage pool is created on the storage system, an
encryption key is automatically generated.

Prerequisites
SEDs have been configured on the storage system. The AutoLock status of the
SEDs is OFF.
To query the AutoLock status of the SEDs, you can log in to the CLI of the storage
system and run the show disk general command.
admin:/>show disk general
ID Health Status Running Status Type Capacity Role Disk Domain ID Speed(RPM) Health Mark Bar Code Item AutoLock State Key Expiration Time
------ ------------- -------------- -------- --------- --------- -------------- ---------- ----------- -------------------- -------- -------------- -------------------
DAE000.0 Normal Online SSD-SED 366.965GB Free Disk -- -- -- 2102350LGX10FB000131 02350LGX OFF --
DAE000.1 Normal Online SSD-SED 366.965GB Free Disk -- -- -- 2102350LGX10FB000124 02350LGX OFF --
DAE000.2 Normal Online SSD-SED 366.965GB Free Disk -- -- -- 2102350LGX10FB000238 02350LGX OFF --
DAE000.3 Normal Online SSD-SED 366.965GB Free Disk -- -- -- 2102350LGX10FA000228 02350LGX OFF --
DAE000.4 Normal Online SSD-SED 371.965GB Free Disk -- -- -- 2102350LGX10FA000227 02350LGX OFF --
DAE000.5 Normal Online SSD-SED 371.965GB Free Disk -- -- -- 2102350LGX10FA000187 02350LGX OFF --
DAE100.0 Normal Online SSD-SED 366.965GB Free Disk -- -- -- 2102350LGX10FA000159 02350LGX OFF --
DAE100.1 Normal Online SSD-SED 366.965GB Free Disk -- -- -- 2102350LGX10FA000161 02350LGX OFF --
DAE100.2 Normal Online SSD-SED 366.965GB Free Disk -- -- -- 2102350LGX10G3000505 02350LGX OFF --
DAE100.3 Normal Online SSD-SED 366.965GB Free Disk -- -- -- 2102350LGX10FA000182 02350LGX OFF --
DAE100.4 Normal Online SSD-SED 371.965GB Free Disk -- -- -- 2102350LGX10G3000511 02350LGX OFF --

If AutoLock State is OFF, disk encryption is disabled.
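The prerequisite check above, as an added example that is not Huawei's code: a parser for the show disk general table and a check that every SED still reports AutoLock OFF. The sample output is constructed from the rows quoted above, re-padded to the multi-space column gaps the CLI prints (the copy in this guide collapsed them), plus two constructed rows with placeholder bar codes to exercise the AutoLock ON and non-SED cases.

```python
"""Check the SED AutoLock prerequisite from 'show disk general' output.

Added example (not Huawei code): it parses the table the CLI prints and reports
which SEDs have AutoLock OFF, which are already ON, and which disks are not
self-encrypting at all.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modeled on the output quoted in this guide. Columns are
# padded with two or more spaces as the CLI prints them. The last two rows are
# constructed (AutoLock ON, and a non-SED disk); their bar codes are placeholders.
SAMPLE_OUTPUT = """\
admin:/>show disk general
ID        Health Status  Running Status  Type     Capacity   Role       Disk Domain ID  Speed(RPM)  Health Mark  Bar Code              Item      AutoLock State  Key Expiration Time
--------  -------------  --------------  -------  ---------  ---------  --------------  ----------  -----------  --------------------  --------  --------------  -------------------
DAE000.0  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10FB000131  02350LGX  OFF             --
DAE000.1  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10FB000124  02350LGX  OFF             --
DAE000.4  Normal         Online          SSD-SED  371.965GB  Free Disk  --              --          --           2102350LGX10FA000227  02350LGX  OFF             --
DAE100.0  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           PLACEHOLDER-BARCODE1  02350LGX  ON              2023-04-15 00:00:00
DAE100.1  Normal         Online          SSD      366.965GB  Free Disk  --              --          --           PLACEHOLDER-BARCODE2  02350LGX  --              --
"""

_COLUMN_GAP = re.compile(r" {2,}")  # columns are separated by two or more spaces


def parse_show_disk_general(output: str) -> list[dict[str, str]]:
    """Return one dict per disk, keyed by the column headers of the table.

    Values such as 'Free Disk' or a key expiration timestamp contain a single
    space, so the split is on runs of two or more spaces rather than on any
    whitespace. A row whose field count does not match the header (for example,
    output wrapped by a terminal) is rejected instead of silently misaligned.
    """
    lines = [ln.rstrip() for ln in output.splitlines() if ln.strip()]
    if lines and lines[0].startswith("admin:/>"):
        lines = lines[1:]  # the prompt was copied together with the output
    if len(lines) < 2 or set(lines[1]) - {"-", " "}:
        raise ValueError("expected a header line followed by a dashed separator")
    header = _COLUMN_GAP.split(lines[0].strip())
    rows = []
    for ln in lines[2:]:
        fields = _COLUMN_GAP.split(ln.strip())
        if len(fields) != len(header):
            raise ValueError(
                f"row starting {fields[0]!r}: {len(fields)} fields, expected {len(header)}"
            )
        rows.append(dict(zip(header, fields)))
    return rows


@dataclass
class AutoLockReport:
    unlocked: list[str] = field(default_factory=list)  # SEDs with AutoLock OFF
    locked: list[str] = field(default_factory=list)    # SEDs with AutoLock ON
    non_sed: list[str] = field(default_factory=list)   # disks that cannot self-encrypt


def autolock_report(rows: list[dict[str, str]]) -> AutoLockReport:
    """Sort every disk into one of the three AutoLock categories."""
    report = AutoLockReport()
    for row in rows:
        state = row["AutoLock State"].upper()
        if "SED" not in row["Type"].upper():
            report.non_sed.append(row["ID"])
        elif state == "OFF":
            report.unlocked.append(row["ID"])
        elif state == "ON":
            report.locked.append(row["ID"])
        else:
            raise ValueError(f"disk {row['ID']}: unexpected AutoLock State {state!r}")
    return report


def sed_pool_prerequisite_met(rows: list[dict[str, str]]) -> bool:
    """True when SEDs are present and every one of them reports AutoLock OFF,
    the state this guide requires before a self-encrypting pool is created."""
    report = autolock_report(rows)
    return bool(report.unlocked) and not report.locked


if __name__ == "__main__":
    disks = parse_show_disk_general(SAMPLE_OUTPUT)
    rep = autolock_report(disks)
    print("AutoLock OFF:", rep.unlocked)
    print("AutoLock ON: ", rep.locked)
    print("not SED:     ", rep.non_sed)
    print("prerequisite met:", sed_pool_prerequisite_met(disks))
```

Paste the real CLI output into parse_show_disk_general in place of the sample; a disk listed under locked or non_sed is one the prerequisite does not cover.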

Procedure
Step 1 Log in to DeviceManager and create a storage pool.
The Create Storage Pool page is displayed.


Figure 6-11 Creating a storage pool

NOTE

Use either of the following methods to go to the Create Storage Pool page:
● When you log in to the storage system for the first time, you can create a storage pool
in Custom mode in the initial configuration wizard. For details, see "Initially Configuring
a Storage Device" in the initialization guide specific to your product model.
● On the menu bar, choose System > Storage Pools and then click Create.

Step 2 Create a self-encrypting storage pool and automatically generate encryption keys
on the storage system.
1. Select Advanced and enable Data Encryption. Disk encryption is enabled for
all SEDs in the storage pool.

Figure 6-12 Enabling Data Encryption

NOTE

After a storage pool has been created, data encryption cannot be enabled or disabled
for the storage pool.
2. Set other parameters for the storage pool.


For the parameter description, see section "Creating a Storage Pool" in the
Basic Storage Service Configuration Guide for Block or Basic Storage Service
Configuration Guide for File of the specific product model.
3. Click OK.
Confirm your operation as prompted.

----End

Follow-up Procedure
After creating the self-encrypting storage pool, you can create LUNs or file
systems to allocate the storage space to application servers. For details, see Basic
Storage Service Configuration Guide for Block or Basic Storage Service
Configuration Guide for File of the corresponding product model.

NOTE

You can log in to Huawei's technical support website (https://support.huawei.com/enterprise/) and enter the product model + document name in the search box to search for, browse, and download the desired documents.


A How to Obtain Help

If a tough or critical problem persists in routine maintenance or troubleshooting, contact Huawei for technical support.

A.1 Preparations for Contacting Huawei

To better solve the problem, collect troubleshooting information and make debugging preparations before contacting Huawei.

A.1.1 Collecting Troubleshooting Information

Collect the following information before troubleshooting:
● Name and address of the customer
● Contact person and telephone number
● Time when the fault occurred
● Description of the fault symptoms
● Device type and software version
● Measures taken after the fault occurred and their results
● Troubleshooting level and required solution deadline

A.1.2 Making Debugging Preparations

When you contact Huawei for help, the Huawei technical support engineer may ask you to perform certain operations to collect information about the fault or to rectify the fault directly.
Before contacting Huawei for help, prepare the boards, port modules, screwdrivers, screws, serial port cables, network cables, and other required materials.


A.2 How to Use the Document

Huawei provides guide documents shipped with the device. They can be used to handle the common problems that occur in daily maintenance or troubleshooting.
To better solve such problems, consult the documents before you contact Huawei for technical support.

A.3 How to Obtain Help from the Website

Huawei provides users with timely and efficient technical support through regional offices, the secondary technical support system, telephone technical support, remote technical support, and onsite technical support.
The Huawei technical support system consists of the following:
● Huawei headquarters technical support department
● Regional office technical support center
● Customer service center
● Technical support website: https://support.huawei.com/enterprise/
You can find out how to contact the regional offices at https://support.huawei.com/enterprise/.

A.4 Ways to Contact Huawei

Huawei Technologies Co., Ltd. provides customers with comprehensive technical support and service. For any assistance, contact our local office or company headquarters.
Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: https://e.huawei.com/


B Glossary

A
AC power module: The module that transfers the external AC power supply into the power supply for internal use.
Application server: A service processing node (a computer device) on the network. Application programs of data services run on the application server.
Asynchronous remote replication: A kind of remote replication. When the data at the primary site is updated, the data does not need to be updated synchronously at the mirroring site to finish the update. In this way, performance is not reduced due to data mirroring.
Air baffle: It optimizes the ventilation channels and improves the heat dissipation capability of the system.
Audit log guarantee mode: A mode for recording audit logs. This mode preferentially ensures that the audit log function is normal and no audit log is missing.
Audit log non-guarantee mode: A mode for recording audit logs. In this mode, services are running properly. Audit logs may be missing.

B
Backup: A collection of data stored on (usually removable) non-volatile storage media for purposes of recovery in case the original copy of data is lost or becomes inaccessible; also called a backup copy. To be useful for recovery, a backup must be made by copying the source data image when it is in a consistent state. Also, the act of creating a backup.


Backup window: An interval of time during which a set of data can be backed up without seriously affecting applications that use the data.
Bandwidth: The numerical difference between the upper and lower frequencies of a band of electromagnetic radiation. A deprecated synonym for data transfer capacity that is often incorrectly used to refer to throughput.
Baud rate: The maximum rate of signal state changes per second on a communications circuit. If each signal state change corresponds to a code bit, then the baud rate and the bit rate are the same. It is also possible for signal state changes to correspond to more than one code bit, so the baud rate may be lower than the code bit rate.
Bit error: An incompatibility between a bit in a transmitted digital signal and the corresponding bit in the received digital signal.
Bit error rate: The probability that a transmitted bit will be erroneously received. The bit error rate (BER) is measured by counting the number of bits in error at the output of a receiver and dividing by the total number of bits in the transmission. BER is typically expressed as a negative power of 10.
Bonding: Bonding of multiple independent physical network ports into a logical port, which ensures the high availability of server network connections and improves network performance.
Boundary scan: A test methodology that uses shift registers in the output connections of integrated circuits (ICs). One IC is often connected to the next IC. A data pattern is passed through the chain and the observed returned data stream affected by the circuit conditions gives an indication of any faults present. The system is defined under IEEE standard 1149.1 and is also known as Joint Test Action Group (JTAG).
Browser/Server: Architecture that defines the roles of the browser and server. The browser is the service request party and the server is the service provider.
Built-in FRU Alarm indicator: It indicates errors on the built-in FRUs of a controller, such as errors on fans or memory modules.


C
Cache hit ratio: The ratio of the number of cache hits to the number of all I/Os during a read task, usually expressed as a percentage.
Captive screw: Specially designed to lock into place on a parent board or motherboard, allowing for easy installation and removal of attached pieces without release of the screw.
Challenge Handshake Authentication Protocol: A password-based authentication protocol that uses a challenge to verify that a user has access rights to a system. A hash of the supplied password with the challenge is sent for comparison so the cleartext password is never sent over the connection.
Compliance mode: A protection mode of WORM. In compliance mode, files within their protection period cannot be changed or deleted by either the file user or by the system administrator. Files with expired protection periods can be deleted but not changed by the file user or the system administrator.
Controller: The control logic in a disk or tape that performs command decoding and execution, host data transfer, serialization and deserialization of data, error detection and correction, and overall management of device operations. The control logic in a storage subsystem that performs command transformation and routing, aggregation (RAID, mirroring, striping, or other), high-level error recovery, and performance optimization for multiple storage devices.
Controller enclosure: An enclosure that accommodates controllers and provides storage services. It is the core component of a storage system and generally consists of components, such as controllers, power supplies, and fans.
Copying: A pair state. The state indicates that the source LUN data is being synchronized to the target LUN.
Container root directory: Space used to store the metadata for running container images and container instances.
Container image: An image is a special file system, which provides the programs, libraries, resources, and configuration files required for running containers. It also contains configuration parameters, for example, for anonymous disks, environment variables, and users. The image does not contain dynamic data, and its content will not be modified after construction.
Containerized application: An image can start multiple containers, and an application can contain one or a group of containers.


Container node: Controller that runs the container service.
Configuration item list: A series of modifiable configuration items defined in the Helm chart of the container.
Container service: Containerized application management service, which manages the lifecycle of containerized applications.

D
Data compression: The process of encoding data to reduce its size. Lossy compression (i.e., compression using a technique in which a portion of the original information is lost) is acceptable for some forms of data (e.g., digital images) in some applications, but for most IT applications, lossless compression (i.e., compression using a technique that preserves the entire content of the original data, and from which the original data can be reconstructed exactly) is required.
Data flow: A process that involves processing data extracted from the source system. These processes include: filtering, integration, calculation, and summary, finding and solving data inconsistency, and deleting invalid data so that the processed data meets the requirements of the destination system for the input data.
Data migration: A movement of data or information between information systems, formats, or media. Migration is performed for reasons such as possible decay of storage media, obsolete hardware or software (including obsolete data formats), changing performance requirements, the need for cost efficiencies, etc.
Data source: A system, database (database user; database instance), or file that can make BOs persistent.
Deduplication: The replacement of multiple copies of data, at variable levels of granularity, with references to a shared copy in order to save storage space and/or bandwidth.
Dirty data: Data that is stored temporarily on the cache and has not been written onto disks.


Disaster recovery: The recovery of data, access to data and associated processing through a comprehensive process of setting up a redundant site (equipment and work space) with recovery of operational data to continue business operations after a loss of use of all or part of a data center. This involves not only an essential set of data but also an essential set of all the hardware and software to continue processing of that data and business. Any disaster recovery may involve some amount of down time.
Disk array: A set of disks from one or more commonly accessible disk subsystems, combined with a body of control software. The control software presents the disks' storage capacity to hosts as one or more virtual disks. Control software is often called firmware or microcode when it runs in a disk controller. Control software that runs in a host computer is usually called a volume manager.
Disk domain: A disk domain consists of the same type or different types of disks. Disk domains are isolated from each other. Therefore, services carried by different disk domains do not affect each other in terms of performance and faults (if any).
Disk enclosure: Consists of the following parts in redundancy: expansion module, disk, power module, and fan module. System capacity can be expanded by cascading multiple disk enclosures.
Disk location: The process of locating a disk in the storage system by determining the enclosure ID and slot ID of the disk.
Disk utilization: The percentage of used capacity in the total available capacity.

E
eDevLUN: Logical storage array space created by a third-party storage array.
Expansion module: A component used for expansion.
Expansion: Connects a storage system to more disk enclosures through connection cables, expanding the capacity of the storage system.


F
Field replaceable unit: A unit or component of a system that is designed to be replaced in the field, i.e., without returning the system to a factory or repair depot. Field replaceable units may either be customer-replaceable or their replacement may require trained service personnel.
Firmware: Low-level software for booting and operating an intelligent device. Firmware generally resides in read-only memory (ROM) on the device.
Flash Translation Layer: Flash Translation Layer (FTL) organizes and manages host data, enables host data to be allocated to NAND flash chips of SSDs in an orderly manner, maintains the mapping relationship between logical block addresses (LBAs) and physical block addresses (PBAs), and implements garbage collection, wear leveling, and bad block management.
Front-end port: The port that connects the controller enclosure to the service side and transfers service data. There are three types of front-end ports: Fibre Channel and iSCSI.
Front-end interconnect I/O module (FIM): On a storage device, all controllers share the front-end interface modules.

G
Garbage collection: The process of reclaiming resources that are no longer in use. Garbage collection has uses in many aspects of computing and storage. For example, in flash storage, background garbage collection can improve write performance by reducing the need to perform whole block erasures prior to a write.
Gateway: A device that receives data via one protocol and transmits it via another.
Global garbage collection: With a view to defragmentation of storage arrays and garbage collection of disks, global garbage collection reduces garbage of disks by enabling storage arrays to inform disks of not implementing invalid data relocation and of controlling space release so that disks and controllers consume less space, reducing costs and prolonging the useful life of storage arrays.


Global system for mobile communications: The second-generation mobile networking standard defined by the European Telecommunications Standards Institute (ETSI). It is aimed at designing a standard for global mobile phone networks. GSM consists of three main parts: mobile switching subsystem (MSS), base station subsystem (BSS), and mobile station (MS).
Global wear leveling: With a view to individual characteristics of a single disk, global wear leveling uses space allocation and write algorithms to achieve wear leveling among disks, preventing a disk from losing efficacy due to excessive writes and prolonging the useful life of the disk.

H
Hard disk tray: The tray that bears the hard disk.
Heartbeat: Heartbeat supports node communication, fault diagnosis, and event triggering. Heartbeats are protocols that require no acknowledgement. They are transmitted between two devices. The device can judge the validity status of the peer device.
Hit ratio: The ratio of directly accessed I/Os from the cache to all I/Os.
Hot swap: The substitution of a replacement unit (RU) in a system for a defective unit, where the substitution can be performed while the system continues to perform its normal function. Hot swaps are physical operations typically performed by humans.
HyperMetro: A value-added service of storage systems. HyperMetro means two datasets (on two storage systems) can provide storage services as one dataset to achieve load balancing among applications and failover without service interruption.
HyperMetro domain: A HyperMetro configuration object, generally made up of two storage arrays and one quorum server. HyperMetro services can be created on a HyperMetro domain.
HyperMetro vStore pair: A HyperMetro vStore pair consists of two vStores, that is, two tenants. After a HyperMetro relationship is set up for a pair of vStores, the datasets in the two vStores work in redundancy mode and provide storage services in one dataset view, achieving hitless service failover.


HyperMetro-Inner: On an eight-controller network, with HyperMetro-Inner, continuous mirroring, back-end global sharing, and three-copy technologies, a storage system can tolerate one-by-one failures of seven controllers among eight controllers, concurrent failures of two controllers, and failure of a controller enclosure.
Handle: A handle resides on the structural part of a module. It is used to insert or remove a module into or from a chassis, not helpful in saving efforts.
Helm chart: A Helm chart is in TAR format. It is similar to the deb package of APT or the rpm package of Yum. It contains a group of yaml files that define Kubernetes resources.

I
In-band management: The management control information of the network and the carrier service information of the user network are transferred through the same logical channel. In-band management enables users to manage storage arrays through commands. Management commands are sent through service channels, such as I/O write and read channels. The advantages of in-band management include high speed, stable transfer, and no additional management network ports required.
Initiator: The system component that originates an I/O command over an I/O interconnect. The endpoint that originates a SCSI I/O command sequence. I/O adapters, network interface cards, and intelligent I/O interconnect control ASICs are typical initiators.
I/O: Shorthand for input/output. I/O is the process of moving data between a computer system's main memory and an external device or interface such as a storage device, display, printer, or network connected to other computer systems. This encompasses reading, or moving data into a computer system's memory, and writing, or moving data from a computer system's memory to another location.
Interface module: A replaceable field module that accommodates the service or management ports.


L
Load balance: A method of adjusting the system, application components, and data to evenly distribute the applied I/Os or computing requests to physical resources of the system.
Logical unit: The addressable entity within a SCSI target that executes I/O commands.
Logical unit number: The SCSI identifier of a logical unit within a target. Industry shorthand, when phrased as "LUN", for the logical unit indicated by the logical unit number.
LUN formatting: The process of writing 0 bits in the data area of the logical drive and generating related parity bits so that the logical drive can be in the ready state.
LUN mapping: A storage system maps LUNs to application servers so that application servers can access storage resources.
LUN migration: A method for the LUN data to migrate between different physical storage spaces while ensuring data integrity and uninterrupted operation of host services.
LUN snapshot: A type of snapshot created for a LUN. This snapshot is both readable and writable and is mainly used to provide a snapshot LUN from point-in-time LUN data.
Lever: A lever resides on the structural part of a module. It is used to insert or remove a module into or from a chassis, saving efforts.
Local image repository: A private repository used to store the container images and Helm charts imported by users. It is different from the standard image repository. The imported images and Helm charts must meet the compatibility requirements of the system.

M
Maintenance terminal: A computer connected through a serial port or management network port. It maintains the storage system.
Management interface module: The module that integrates one or more management network ports.
Management network: An entity that provides means to transmit and process network management information.


Management network port: The network port on the controller enclosure connected to the maintenance terminal. It is provided for the remote maintenance terminal. Its IP address can be modified with the change of the customer's environment.

N
NVM Express: A host controller interface with a register interface and command set designed for PCI Express-based SSDs.
NVMe SSD: A solid state disk (SSD) with a non-volatile memory express (NVMe) interface. Compared with other SSDs, such SSDs can deliver higher performance and shorter latency.

O
Out-of-band management: A management mode used during out-of-band networking. The management and control information of the network and the bearer service information of the user network are transmitted through different logical channels.

P
Power failure protection: When an external power failure occurs, the AC PEM depends on the battery for power supply. This ensures the integrity of the dirty data in the cache.
Pre-copy: When the system monitors a failing member disk in a RAID group, the system copies the data from the disk to a hot spare disk in advance.
Palm-sized NVMe SSD: A palm-sized NVMe SSD is a type of NVMe SSD of which the dimensions (H x W x D) are 160 mm x 79.8 mm x 9.5 mm (neither 3.5-inch nor 2.5-inch).

Q
Quorum server: A server that can provide arbitration services for clusters or HyperMetro to prevent the resource access conflicts of multiple application servers.


Quorum Server Mode: A HyperMetro arbitration mode. When a HyperMetro arbitration occurs, the quorum server decides which site wins the arbitration.

R
RAID level: The application of different redundancy types to a logical drive. A RAID level improves the fault tolerance or performance of the logical drive but reduces the available capacity of the logical drive. You must specify a RAID level for each logical drive.
Reconstruction: The regeneration and writing onto one or more replacement disks of all of the user data and check data from a failed disk in a mirrored or RAID array. In most arrays, a rebuild can occur while applications are accessing data on the array's virtual disks.
Redundancy: The inclusion of extra components of a given type in a system (beyond those required by the system to carry out its function) for the purpose of enabling continued operation in the event of a component failure.
Remote replication: A core technology for disaster recovery and a foundation that implements remote data synchronization and disaster recovery. This technology remotely maintains a set of data mirrors through the remote data connection function of the storage devices that are separated in different places. Even when a disaster occurs, the data backup on the remote storage device is not affected. Remote replication can be divided into synchronous remote replication and asynchronous remote replication.
Reverse synchronization: The process of restoring data from the redundancy machine (RM) when the services of the production machine (PM) are recovering.
Route: The path that network traffic takes from its source to its destination. On a TCP/IP network, each IP packet is routed independently. Routes can change dynamically.


S
Script: A parameterized list of primitive I/O interconnect operations intended to be executed in sequence. Often used with respect to ports, most of which are able to execute scripts of I/O commands autonomously (without policy processor assistance). A sequence of instructions intended to be parsed and carried out by a command line interpreter or other scripting language. Perl, VBScript, JavaScript and Tcl are all scripting languages.
Serial port: An input/output location (channel) that sends and receives data (one bit at a time) to and from the CPU of a computer or a communications device. Serial ports are used for serial data communication and as interfaces for some peripheral devices, such as mouse devices and printers.
Service data: The user and/or network information required for the normal functioning of services.
Service network port: The network port that is used to store services.
Simple network management protocol: An IETF protocol for monitoring and managing systems and devices in a network. The data being monitored and managed is defined by an MIB. The functions supported by the protocol are the request and retrieval of data, the setting or writing of data, and traps that signal the occurrence of events.
Single point of failure: One component or path in a system, the failure of which would make the system inoperable.
Slot: A position defined by an upper guide rail and the corresponding lower guide rail in a frame. A slot houses a board.
Small computer system interface: A collection of ANSI standards and proposed standards that define I/O interconnects primarily intended for connecting storage subsystems or devices to hosts through host bus adapters. Originally intended primarily for use with small (desktop and desk-side workstation) computers, SCSI has been extended to serve most computing needs, and is arguably the most widely implemented I/O interconnect in use today.
Snapshot: A point in time copy of a defined collection of data. Clones and snapshots are full copies. Depending on the system, snapshots may be of files, LUNs, file systems, or any other type of container supported by the system.
Snapshot copy: A copy of a snapshot LUN.

Source LUN: The LUN where the original data is located.
Static Priority Mode: A HyperMetro arbitration mode. When a HyperMetro arbitration occurs, the preferred site always wins the arbitration.
Storage system: An integrated system that consists of the following parts: controller, storage array, host bus adapter, physical connection between storage units, and all control software.
Storage unit: An abstract definition of backup storage media for storing backup data. The storage unit is connected to the actual storage media used to back up data.
Streaming media: Media that is continuously streamed over the network. By combining technologies for streaming media data collection, compression, encoding, storage, transmission, playback, and network communications, streaming media can provide high-quality playback in real time at low bandwidth.
Subnet: A smaller network that, together with other subnets, forms a larger network according to a rule, such as dividing the network by district. Subnets facilitate the management of a large network.
Smart disk enclosure: Compared with traditional disk enclosures, smart disk enclosures are equipped with Arm chips, DDR memory, or other computing modules that give them substantial computing capability. With this capability, smart disk enclosures can take over part of the computing load from the controllers, accelerating data processing.
Share authentication: During vStore configuration synchronization, the share authentication information (including the share information and domain controller configuration) is synchronized to the secondary end.

T
Target: The endpoint that receives a SCSI I/O command sequence.
Target LUN: The LUN on which target data resides.
Thin LUN: A logical disk that can be accessed by hosts. It dynamically allocates storage resources from the thin pool according to the actual capacity requirements of users.

Topology: The logical layout of the components of a computer system or network and their interconnections. Topology deals with questions of which components are directly connected to other components from the standpoint of being able to communicate. It does not deal with questions of physical location of components or interconnecting cables. Also, the communication infrastructure that provides Fibre Channel communication among a set of PN_Ports (e.g., a Fabric, an Arbitrated Loop, or a combination of the two).
Trim: A method by which the host operating system may inform a storage device of data blocks that are no longer in use and can be reclaimed. Many storage protocols support this functionality under various names, e.g., ATA TRIM and SCSI UNMAP.

U
User interface: The space where users interact with a machine.
U-shaped bracket: An optional structural part shaped like the letter "U". It is located between the mounting ear of a chassis and the mounting bar of a cabinet or bay, and is used to adjust the positions of the chassis and the mounting bar of the cabinet or bay.

W
Wear leveling: A set of algorithms utilized by a flash controller to distribute writes and erases across the cells in a flash device. Cells in flash devices have a limited ability to survive write cycles. The purpose of wear leveling is to delay cell wear out and prolong the useful life of the overall flash device.
Write amplification: Increase in the number of write operations by the device beyond the number of write operations requested by hosts.
Write amplification factor: The ratio of the number of write operations on the device to the number of write operations requested by the host.

Write back: A caching technology in which the completion of a write request is signaled as soon as the data is in the cache. Actual writing to non-volatile media occurs at a later time. Write back includes inherent risks: an application will take action predicated on the write completion signal, and a system failure before the data is written to non-volatile media will cause media contents to be inconsistent with that subsequent action. For these reasons, robust write back implementations include mechanisms to preserve cache contents across system failures (including power failures) and to flush the cache at system restart time.
Write Once Read Many: A type of storage, designed for fixed content, that preserves what is written to it in an immutable fashion. Optical disks are an example of WORM storage.
Write through: A caching technology in which the completion of a write request is not signaled until data is safely stored on non-volatile media. Write performance with write through is approximately that of a non-cached system. However, if the written data is also held in a cache, subsequent read performance may be dramatically improved.

Z
Zone: A collection of Fibre Channel N_Ports and/or NL_Ports (i.e., device ports) that are permitted to communicate with each other via the fabric. Any two N_Ports and/or NL_Ports that are not members of at least one common zone are not permitted to communicate via the fabric. Zone membership may be specified by: 1) port location on a switch (i.e., Domain_ID and port number); 2) the device's N_Port_Name; 3) the device's address identifier; or 4) the device's Node_Name. Well-known addresses are implicitly included in every zone.

C Acronyms and Abbreviations

C
CPU: Central Processing Unit

I
I/O: Input/Output
IOPS: Input/Output Operations Per Second

L
LUN: Logical Unit Number

R
RAID: Redundant Array of Independent Disks
RTO: Recovery Time Objective

S
SAS: Serial Attached SCSI
