Integration Guide. Dell EMC Data Domain Operating System and Gemalto KeySecure. DD OS and Gemalto KeySecure Integration. Version 6.


Dell EMC Data Domain Operating System and Gemalto KeySecure
Version 6.1

DD OS and Gemalto KeySecure Integration

P/N 302-003-978
REV 01
June 2017

This document describes how to configure Gemalto KeySecure on Data Domain Operating System (DD OS) version 6.1. Topics include:

- Overview
- Accessing the KeySecure server
- Installing a KeySecure license
- Enabling FIPS compliance
- Creating a certificate authority (CA)
- Configuring a trusted CA on KeySecure
- Creating and installing a KeySecure KMIP server certificate
- Importing the signed server certificate
- Configuring KMIP service on KeySecure
- Creating a local user
- Creating and installing the host certificate
- Importing the CA certificate to a Data Domain system
- Creating the KeySecure encryption key
- Configuring KMIP on the Data Domain system

Overview

This document describes how to create keys in Gemalto KeySecure and use them on a Data Domain system.

Note: Pay attention to the order in which steps are completed in this guide. The order of execution is extremely important.

Terminology

This document uses the following terminology:

Table 1. Terminology

Acronym    Description
KMIP       Key Management Interoperability Protocol
CA         Certificate Authority

Accessing the KeySecure server

Complete the following steps to access the KeySecure server.

Procedure

1. In a browser window, access the KeySecure web interface using the default port 9443.

   Note: The web admin server listens for requests on port 9443.

   The Gemalto KeySecure login screen appears.

2. Log in with the following username, and create the default password during initial configuration.

   - Username: admin
     Note: The system creates a default administrative account with this name.
   - Password: <password>
     Note: Use the password that is configured during KeySecure setup, or as provided by the customer.

   After login, the System Summary screen appears if a KeySecure license is installed. If a KeySecure license is not installed, the system displays a warning.

After you finish

If the KeySecure license is already installed, go to Enabling FIPS compliance. If the KeySecure license is not already installed, go to Installing a KeySecure license.

Installing a KeySecure license

Complete the following steps to install a KeySecure license.

Procedure

1. Get a permanent license from Gemalto KeySecure.

2. In the left-most pane, select Device > Maintenance > System Information & Upgrade.

3. Under Software & License Upgrade/Install, select Upload from browser to upload the license through the web browser.

4. Click Browse to locate the file on a local or network drive.

5. Click Upgrade/Install.

6. Click Confirm.

   If the license uploads successfully, the system displays a success message and reboots.

   Note: The newly installed license takes effect automatically after the current demo or temporary license expires.

Enabling FIPS compliance

Complete the following steps to enable FIPS compliance.

Procedure

1. From the left-most pane, select Security > Advanced Security > High Security.

   The High Security Configuration screen appears.

2. In the FIPS Compliance section, click Set FIPS Compliance.

   The system displays Is FIPS Compliance: Yes.

Creating a certificate authority (CA)

There are three ways to handle/create the CA in KeySecure.

- Create a local CA.
- Import a CA.
- Import a hierarchical CA.

Note: Setup with a hierarchical CA is beyond the scope of this document and requires Gemalto support.

Creating a local CA

Complete the following steps to create a local CA.

Procedure

1. From the left-most pane, select Security > Local CAs.

2. Click Local CAs.

   (Image shows "No Local Certificate Authorities" and the dialog boxes for creating a new CA.)

3. Specify the following information:

   - Certificate Authority Name: <Local CA Name>
   - Common Name: <Local CA Name>
     Note: Match the Common Name to the Certificate Authority Name.
   - Organization Name: <Your Organization>
   - Organizational Unit Name: <Your Organizational Unit>
   - Locality Name: <City>
   - State: <State>
   - Country Name
   - Email Address: <Email Address>
   - Key Size: 2048
     Note: Recommended minimum size to create a 256-bit encryption.

4. Click Create to create the KeySecure local CA.

Importing a CA

Complete the following steps to import a CA.

Procedure

1. From the left-most pane, select Security > Known CAs.

2. In the Install CA Certificate pane, specify the certificate name in the Certificate Name field.

3. In the Certificate field, paste the CA certificate text.

4. Click Install.

Configuring a trusted CA on KeySecure

Complete the following steps to configure the trusted CA.

Procedure

1. In the left-most pane, select Security > Trusted CA Lists.

2. Select Default.

3. Click Properties.

4. Click Edit.

   The next screen provides the ability to select which CAs to trust.

5. Use the arrow buttons to move Local CA to the Trusted CAs list.

6. Click Add.

7. Click Save.

Creating and installing a KeySecure KMIP server certificate

Complete the following steps to create the server SSL certificate.

Procedure

1. In the left-most pane, select Security > SSL Certificates.

2. Specify the following information:

   - Certificate Name: <SSL Certificate Name>
   - Common Name: <SSL Certificate Name>
   - Organization Name: <Your Organization>
   - Organizational Unit Name: <Your Organizational Unit>
   - Locality Name: <City>
   - State: <State>
   - Country Name
   - Email Address: <Email Address>
   - Key Size: 2048

3. Click Create Certificate Request.

   The SSL certificate is created, but is in a Request Pending state because it has yet to be signed by the local CA.

4. Click the newly created certificate to open it.

5. Copy the CSR text.

   Note: The first and last lines of the CSR text, which say BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST, must be included when the CSR text is copied. Do not include any extra white space when copying the CSR text.

   The CSR text should look like:

       -----BEGIN CERTIFICATE REQUEST-----
       <Base64-encoded request text>
       -----END CERTIFICATE REQUEST-----

6. From the left-most pane, select Security > Local CAs.

7. Click Local CAs.

8. Select the local CA, and click Sign Request.

9. Specify Server for the Certificate Purpose.

10. Paste the CSR text into the Certificate Request field.

11. Click Sign Certificate.

12. Copy the signed certificate.

    Note: The first and last lines of the signed certificate text, which say BEGIN CERTIFICATE and END CERTIFICATE, must be included when the certificate text is copied. Do not include any extra white space when copying the certificate text.

    The signed certificate text should look like:

        -----BEGIN CERTIFICATE-----
        <Base64-encoded certificate text>
        -----END CERTIFICATE-----

13. From the top of the screen, select Security > SSL Certificate.

14. Select the radio button for the new certificate.

    The certificate displays as Pending CSR.

15. Click Install Certificate.

16. Paste the signed certificate text in the Certificate Response field.

17. Click Save.

    Note: Verify that the Certificate Status displays as Active.
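The copy-and-paste notes in steps 5 and 12 (keep the BEGIN and END lines, add no extra white space, and do not confuse the request with the signed certificate) can be checked before the text is pasted into KeySecure. The following Python sketch is an added example, not part of the Dell EMC guide: `check_pem_paste` and `make_sample` are hypothetical helper names, the sample input is constructed rather than a real CSR, and the check is structural only (PEM framing, Base64, outer DER length), not a signature verification.

```python
import base64
import binascii
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\n(.*)\n-----END ([A-Z ]+)-----", re.DOTALL
)


def der_total_length(der):
    """Return header + content length declared by the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded body is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: length in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("decoded body has a malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem_paste(text, expected_label):
    """Return a list of problems; an empty list means the paste looks intact.

    expected_label is "CERTIFICATE REQUEST" for step 5 and "CERTIFICATE"
    for step 12 of the procedure above.
    """
    problems = []
    if text != text.strip():
        # The guide asks for no extra white space at all, so a trailing
        # newline is reported too.
        problems.append("leading or trailing white space")
    match = PEM_RE.fullmatch(text.strip().replace("\r\n", "\n"))
    if not match:
        problems.append("missing or malformed BEGIN/END lines")
        return problems
    begin, body, end = match.groups()
    if begin != end:
        problems.append("BEGIN and END labels differ")
    if begin != expected_label:
        problems.append(f"label is '{begin}', expected '{expected_label}'")
    lines = body.split("\n")
    if any(line == "" or line != line.strip() for line in lines):
        problems.append("blank line or stray white space inside the body")
    try:
        der = base64.b64decode("".join(l.strip() for l in lines), validate=True)
    except binascii.Error:
        problems.append("body is not valid base64")
        return problems
    try:
        if der_total_length(der) != len(der):
            problems.append(
                "DER length does not match: text is truncated or has extra data"
            )
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def make_sample(label):
    """Constructed sample: a 260-byte DER SEQUENCE in PEM framing (not a real CSR)."""
    der = b"\x30\x82\x01\x00" + bytes(range(256))
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"


if __name__ == "__main__":
    csr = make_sample("CERTIFICATE REQUEST")
    print(check_pem_paste(csr, "CERTIFICATE REQUEST"))   # intact paste
    print(check_pem_paste(csr, "CERTIFICATE"))           # request pasted as a certificate
    lines = csr.split("\n")
    del lines[2]                                         # simulate a lost line
    print(check_pem_paste("\n".join(lines), "CERTIFICATE REQUEST"))
```

A paste that passes this check can still be rejected by KeySecure for other reasons, so the Certificate Status check in step 17 remains the authoritative confirmation.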

Importing the signed server certificate

Complete the following steps to import the signed server certificate.

Procedure

1. In the left-most pane, select Security > SSL Certificates.

2. In Import Certificate, select Upload from browser to upload the server certificate through the web browser.

3. Click Browse to locate the file on a local or network drive.

4. In the Certificate Name field, specify the certificate name.

5. In the Private Key Password field, specify the certificate password.

6. Click Import to import the certificate into KeySecure.

Configuring KMIP service on KeySecure

Complete the following steps to create the client certificate.

Procedure

1. Click the Device tab.

2. In the Cryptographic Server Key Settings pane, click Add. On the Protocol drop-down list, select KMIP.

3. Select Edit, and specify the following information:

   - IP Address: <KMIP-server-IP-address>
   - Port: 5696
   - Use SSL: Select the checkbox (SSL is required for KMIP)
   - Server Certificate: <Previously-created-server-certificate>

4. Click Save.

5. Select the KMIP radio button, and click Properties.

6. At the bottom of the Authentication Settings pane, click Edit.

7. Specify the following information:

   - Password Authentication: Optional
   - Client Certificate Authentication: Used for SSL session and username (most secure)
   - Trusted CA List Profile: Default
   - Username Field in Client Certificate: CN (Common Name)
   - Require Client Certificate to Contain Source IP: Leave this field blank

8. Click Save.

Creating a local user

Complete the following steps to create a local user.

Procedure

1. In the left-most pane, browse to Security > Users & Groups > Local Authentication. Click Add.

2. Type in values for:

   - Username: <local-username>
   - Password: <passwd-mgmt-setting> (Password must be at least 8 characters.)
   - User Administration Permission: <check-mark-to-enable>
   - Change Password Permission: <check-mark-to-enable>

3. Click Save.

Creating and installing the host certificate

Generating a host certificate

A host certificate can be generated on either the Data Domain system or on a Linux system and imported to a Data Domain system.

Procedure

1. To generate a host certificate signing request (CSR), type the following command:

       adminaccess certificate cert-signing-request generate [key-strength {1024bit | 2048bit | 3072bit | 4096bit}] [country <country-code>] [state <state>] [city <city>] [org-name <organization-name>] [org-unit <organization unit>] [common-name <common-name>]

   Note: <common-name> should be the KeySecure admin username. See Create a new user topic in this document.

       sysadmin@dd4500-90# adminaccess certificate cert-signing-request generate key-strength 2048bit country US state CA city Santaclara org-name Dell org-unit DD common-name user1
       Certificate signing request (CSR) already exists at /ddvar/certificates/certificateSigningRequest.csr
       With following parameters:
           Key Strenth : 2048
           Country : US
           State : California
           City : Santa Clara
           Organization Name : My Company Ltd
           Organization Unit :
           Common Name : dd4500-90.datadomain.com
       Do you want to regenerate? (yes|no) [no]: yes
       Certificate signing request (CSR) successfully generated at /ddvar/certificates/CertificateSigningRequest.csr
       with the following parameters:
           Key Strenth : 2048
           Country : US
           State : CA
           City : Santa Clara
           Organization Name : Dell
           Organization Unit : DD
           Common Name : user1

2. Copy the CSR from /ddvar/certificates/CertificateSigningRequest.csr.

3. Obtain the host certificate signing request (CSR) signed by the KeySecure certificate authority (CA).

   a. In KeySecure, browse to Security > Local CAs, and select the radio button for the newly created CA.

   b. Click Sign Request.

   c. Paste the CSR into the certificate request field, and select Client for Certificate Purpose. Click Sign Request.

4. Download the signed certificate.

5. Install the signed host certificate on the Data Domain system.

   a. Copy the signed certificate to the /ddvar/certificates folder.

   b. Import the host certificate to the Data Domain system.

          adminaccess certificate import host application keysecure file <Certificate in PEM>

Importing the CA certificate to a Data Domain system

For KeySecure to transmit and manage key management requests from KMIP clients (a Data Domain system), the Data Domain system must have both a CA certificate and a host certificate. Both certificates (CA and host) must therefore be imported to the Data Domain system. This step imports the CA certificate.

Procedure

1. In KeySecure, select Security > Local CAs.

2. Click the CA used to sign the server certificate.

3. Copy the certificate text, and paste it into the file named cacert.pem in the /ddvar/certificates directory on the Data Domain system.

   Note: Download the CA certificate on the Data Domain system as cacert.pem, and copy it to the /ddvar/certificates/ directory.

Creating the KeySecure encryption key

Complete the following steps to create the KeySecure encryption key.

Procedure

1. In KeySecure, select Security > Managed Objects > Keys.

2. Click Create Key.

3. Specify the following information:

   - Key Name: <Key-name>
   - Template: None
   - Owner Username: <KMIP-admin-username>
   - Algorithm: AES-256
   - Deletable: Leave blank
   - Exportable: Yes
   - Versioned Key Bytes: Leave blank
   - Template: Leave blank
   - Activation Date: Immediately
   - Process Start Date: Immediately

4. Click Create.

5. Select Keys (Security > Managed Objects > Keys), and select the radio button for the new key.

6. Click the Attributes tab.

7. Under the Application Specific Information pane, click Add. Specify the following information:

   - Application Namespace: DD_DARE_KEYS
   - Application Data: <Key Class Name>

   Note: This <Key Class> acts as a group identifier for all of this particular Data Domain system's keys. Note this value, and use the exact text to later configure the Data Domain system. The chosen value must be alphanumeric.

8. Click Add > Save.

Configuring KMIP on the Data Domain system

Complete the following steps to configure KMIP on the Data Domain system.

Procedure

1. Set the "system passphrase." A strong passphrase is required in order for the KMIP feature to work and must contain:

   - A minimum of nine characters,
   - A minimum of one lowercase character,
   - A minimum of one uppercase character,
   - A minimum of one digit, and
   - A minimum of one special character.

   a. In DDSH, run system passphrase set.

   b. Type passphrase: *********

   c. Re-enter passphrase: *********

   Note: A weak passphrase that does not comply with the guidelines will cause the KMIP feature to fail. If a weak passphrase was previously set, update the system passphrase according to the guidelines previously listed.

2. Import the CA certificate to the Data Domain system.

       sysadmin@ddxxxx-xx# adminaccess certificate import ca application keysecure file <CA certificate>
       The SHA1 fingerprint for the imported CA certificate is
       CB:3F:B6:7D:00:7C:5D:B3:1B:CD:27:63:32:2F:4F:CF:E9:F1:1B:E4
       Do you want to import this certificate? (yes|no) [yes]: yes
       CA certificate imported for application(s) : "keysecure".
       sysadmin@ddxxxx-xx#

3. Verify both host and CA certificates are imported by running the command:

       # adminaccess certificate show

4. On the Data Domain system, run filesys encryption enable.

       sysadmin@ddxxxx-xx# filesys encryption enable
       Enter new passphrase: *********
       Re-enter new passphrase: *********
       Passphrases matched.
       The passphrase is set.
       Encryption feature is enabled on the system.
       The filesystem must be restarted to effect this change.
       sysadmin@ddxxxx-xx#
       sysadmin@ddxxxx-xx# filesys restart
       This action will restart the file system.
       Applications may experience interruptions while the file system is restarted.
       Are you sure? (yes|no) [no]: yes
       ok, proceeding.
       Disabling filesystem: Please wait...
       The filesystem is now disabled.
       Enabling filesystem: Please wait...
       The filesystem is now enabled.
       sysadmin@ddxxxx-xx#

   Note: <key-class> should be set to same value as the Application Data of Application Specific Information in the KeySecure.

       sysadmin@ddxxxx-xx# filesys encryption key-manager set server <KeySecure-IP-Address> port 5696 fips-mode enabled key-class <key-class-name> server-type keysecure kmip-user <KeySecure-username>
       The current key-manager configuration is:
           Key Manager: Disabled
           Server Type: KeySecure
           Server: <KeySecure-IP-Address>
           Port: 5696
           Fips-mode: enabled
           Status: Online
           Key-class: <Key-class>
           KMIP-user: <KeySecure-admin-username>
       sysadmin@ddxxxx-xx#
       sysadmin@ddxxxx-xx# filesys encryption key-manager enable
       Key manager is enabled.
       The filesystem must be restarted to effect this change.
       sysadmin@ddxxxx-xx#
       sysadmin@ddxxxx-xx# filesys restart
       This action will restart the file system.
       Applications may experience interruptions while the file system is restarted.
       Are you sure? (yes|no) [no]: yes
       ok, proceeding.
       Disabling filesystem: Please wait...
       The filesystem is now disabled.
       Enabling filesystem: Please wait...
       The filesystem is now enabled.
       sysadmin@ddxxxx-xx#

5. Verify that the key manager is set to KeySecure.

       sysadmin@ddxxxx-xx# filesys encryption key-manager show
       The current key-manager configuration is:
           Key Manager: Enabled
           Server Type: KeySecure
           Server: <KeySecure-IP-Address>
           Port: 5696
           Fips-mode: Enabled
           Status: Online
           Key-class: <key-class>
           KMIP-user: <KeySecure-username>
       sysadmin@ddxxxx-xx#
       sysadmin@ddxxxx-xx# filesys encryption keys show
       Active Tier:
       Key   Key                                                                State          Size
       Id    MUID                                                                              post-comp
       ---   ----------------------------------------------------------------   ------------   ---------
       0.1   817                                                                Deactivated    -
       0.2   38D41BCEB0D2FEBD3676A54960E6C3074A0699DA1CE7603CFE2BEE286160EFB2   Activated-RW   -
       ---   ----------------------------------------------------------------   ------------   ---------
       * Post-comp size will be updated after next cleaning cycle.
       sysadmin@ddxxxx-xx#

6. Restart the Data Domain file system. Run the following command: filesys restart

       # filesys restart
       This action will restart the file system.
       Applications may experience interruptions while the file system is restarted.
       Are you sure? (yes|no) [no]: yes
       ok, proceeding.
       Disabling filesystem: Please wait...
       The filesystem is now disabled.
       Enabling filesystem: Please wait...
       The filesystem is now enabled.

7. Verify that the key manager is set to KeySecure. Run the following command: filesys encryption key-manager show

       # filesys encryption key-manager show
       The current key-manager configuration is:
           Key Manager: Enabled
           Server Type: KeySecure
           Server: 10.110.140.151
           Port: 5696
           Fips-mode: enabled
           Status: Online
           Key-class: KMIP-user: ddve6_1 ddve
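The verification in steps 5 and 7 can be scripted by comparing a captured `filesys encryption key-manager show` output against the values configured earlier: port 5696, FIPS mode enabled, the exact key class entered as Application Data in KeySecure, and the KMIP user. The following Python sketch is an added example, not part of the Dell EMC guide: `parse_key_manager_show` and `verify_key_manager` are hypothetical helper names, and the sample outputs, the address 192.0.2.10, the key class DDKEYS01 and the user user1 are constructed from the output format shown above.

```python
KNOWN_LABELS = ("key manager", "server type", "server", "port",
                "fips-mode", "status", "key-class", "kmip-user")

# Values the procedure expects after the final restart (compared case-insensitively,
# because the guide's own output shows both "enabled" and "Enabled").
REQUIRED = {"key manager": "enabled", "server type": "keysecure",
            "port": "5696", "fips-mode": "enabled", "status": "online"}


def parse_key_manager_show(output):
    """Parse 'Label: value' lines into a dict keyed by lower-cased label."""
    fields = {}
    for line in output.splitlines():
        label, sep, value = line.partition(":")
        key = label.strip().lower()
        if sep and key in KNOWN_LABELS:   # skips prompts and the header line
            fields[key] = value.strip()
    return fields


def verify_key_manager(output, key_class, kmip_user):
    """Return a list of deviations from the configuration the guide describes."""
    problems = []
    if not key_class.isalnum():
        # The guide states the key class value has to be alphanumeric.
        problems.append("key class must be alphanumeric")
    fields = parse_key_manager_show(output)
    for key in KNOWN_LABELS:
        if key not in fields:
            problems.append(f"{key}: missing from output")
    for key, want in REQUIRED.items():
        got = fields.get(key)
        if got is not None and got.lower() != want:
            problems.append(f"{key}: expected {want}, got {got}")
    # Key class and KMIP user must match the KeySecure side exactly.
    for key, want in (("key-class", key_class), ("kmip-user", kmip_user)):
        got = fields.get(key)
        if got is not None and got != want:
            problems.append(f"{key}: expected '{want}', got '{got}'")
    return problems


# Constructed sample outputs (not captured from a real system).
GOOD_OUTPUT = """\
The current key-manager configuration is:
    Key Manager:    Enabled
    Server Type:    KeySecure
    Server:         192.0.2.10
    Port:           5696
    Fips-mode:      enabled
    Status:         Online
    Key-class:      DDKEYS01
    KMIP-user:      user1
"""

# Same system before 'key-manager enable', with the key class typed in the wrong case.
BAD_OUTPUT = GOOD_OUTPUT.replace("Enabled", "Disabled").replace("DDKEYS01", "ddkeys01")

if __name__ == "__main__":
    print(verify_key_manager(GOOD_OUTPUT, "DDKEYS01", "user1"))
    for problem in verify_key_manager(BAD_OUTPUT, "DDKEYS01", "user1"):
        print(problem)
```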

Copyright 2017 Dell Inc. or its subsidiaries. All rights reserved. Published June 2017.

Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS-IS. DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.

Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners. Published in the USA.