This article is intended for administrators wishing to use our SvKMS solution as an External Key Manager for the HPE Alletra 6000 Storage Array.
Resolution/Information
Important: SvKMS must first be upgraded to the latest build, 2.6.5, before attempting the integration.
This guide runs through the steps required to configure SvKMS as an External Key Manager. For details on deploying an SvKMS Cluster, please see the SvKMS Documentation.
Simple overview of Required Steps
Create a Certificate Authority (CA) in SvKMS:
- Create Group.
- Create Key.
- Add Local CA.
- Sign CSR with Local CA in SvKMS
- Create User In SvKMS (using signed CSR).
Create custom Certificate Signing Request (CSR) and import certificates on the Storage Array
- Import a trusted certificate
- Create Custom CSR in the CLI on the Array.
Please follow the steps as outlined below:
Step 1:
Create a CA in SvKMS:
This task is broken down into the following steps:
Create Group
In the SvKMS Web Portal>GROUPS
Select Add Group
Fill in values for the following and Click Save.
- Group ID
- Display Name
Create Key
Web Portal>KEYS
select Add Key.
Use and populate the following settings and choose Add Key.
- Asymmetric
- RSA2048
- Key Name - provide a unique name
- Key Group - select the group created in the previous step.
Add Local CA
Note: Ensure that the Business ID is known as this is needed for the next steps.
Found here: Web Portal>ADMINISTRATION>Company Info
Web Portal>CERTIFICATES
Choose option Add Local CA.
Populate the following fields ensuring the following values are used and Click Add Local CA.
- CA Name
- CN = Business ID
- O = Business ID
- Key = Asymmetric RSA Key (created in previous step).
- Certificate Validity = ensure this is the same as for the other certificates i.e. the custom CSR to be created in later steps.
Step 2
On the HPE Alletra 6000 array perform the following:
Import Trusted Certificate:
Administration>Security>SSL Certificate
Select '+' Add.
From the drop down menu select Import a trusted certificate.
Add the following details and click Save.
- Name
- Load the certificate from an SSL/TLS connection
- Hostname or IP: use IP
- Port: 443
Under SSL Certificates and Signing Request the new Trusted Certificate of the SvKMS cluster should be visible.
Create Custom CSR in the CLI on the array
SSH onto the array to create the Custom CSR using the appropriate credentials.
Note the following information about the syntax and values:
O = BusinessID of the SvKMS Cluster
CN = Hostname of the Array (not fqdn)
Syntax:
cert --gen custom-csr --subject '<fill in the required values>' --iplist <all IPs, separated by commas> --num_days <same as CA>
Example below:
cert --gen custom-csr --subject '/C=UK/ST=Bristol/L=Bristol/O=<Business ID of svkms cluster>/OU=Engineering/CN=c3-nimaf6010-056' --iplist 16.172.72.18,16.172.72.19,16.172.72.20,172.20.160.177,172.20.172.178 --num_days 365
Important: Copy the output as this will be needed when signing the CSR in SvKMS in a later stage.
After this command has completed the custom-csr should now be visible in the WebUI:
Step 3
Sign CSR with Local CA
In the SvKMS Web Portal>CERTIFICATES
Next to the Local CA (created in Step 1) select sign CSR
In the next window
Paste the custom CSR created in the CLI on the Nimble (Saved from Step 2)
Validity = ensure this is the same value as the Custom CSR and click Sign CSR.
In the next window, make sure to copy and keep safe the following certificates, as these are needed in the next steps.
- Signed CSR
- CA Cert
Double check that all the values match up:
Issuer:
O = BusinessID
CN = BusinessID
Subject:
O = BusinessID
CN = Hostname of Array (not fqdn)
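One way to run the double check above from a workstation with OpenSSL installed, as an added example that is not part of the original article or of the vendors' tooling. It also checks that the certificate chains to the CA and ends with the line break the guide asks for when pasting. The file names (signed.pem, ca.pem) and function names are assumptions, and make_constructed_pair only builds throwaway stand-in certificates so the check can be tried offline.

```shell
#!/bin/sh
# Added example (not vendor code). File and function names are assumptions.

# Print one attribute (O or CN) of a certificate's subject or issuer.
# Splits the DN on ',' so it assumes the values themselves contain no commas.
dn_field() {  # dn_field <cert.pem> <subject|issuer> <O|CN>
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 |
    sed "s/^$2= *//" | tr ',' '\n' | sed -n "s/^$3=//p" | head -n 1
}

# Check a signed certificate against the values the guide says must match.
check_svkms_cert() {  # check_svkms_cert <signed.pem> <ca.pem> <business_id> <array_hostname>
  rc=0
  [ "$(dn_field "$1" issuer O)" = "$3" ]   || { echo "issuer O is not the Business ID"; rc=1; }
  [ "$(dn_field "$1" issuer CN)" = "$3" ]  || { echo "issuer CN is not the Business ID"; rc=1; }
  [ "$(dn_field "$1" subject O)" = "$3" ]  || { echo "subject O is not the Business ID"; rc=1; }
  [ "$(dn_field "$1" subject CN)" = "$4" ] || { echo "subject CN is not the array hostname"; rc=1; }
  case $4 in *.*) echo "hostname must be the short name, not the FQDN"; rc=1 ;; esac
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 ||
    { echo "certificate does not chain to the CA"; rc=1; }
  # The guide asks for a line break after the END CERTIFICATE line.
  [ -z "$(tail -c 1 "$1")" ] || { echo "no newline after END CERTIFICATE"; rc=1; }
  return $rc
}

# Constructed sample data: a throwaway CA and signed certificate that stand in
# for the SvKMS Local CA and the array's custom CSR, written to directory $1.
make_constructed_pair() {  # make_constructed_pair <dir> <business_id> <array_hostname>
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/O=$2/CN=$2" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/C=UK/O=$2/OU=Engineering/CN=$3" \
    -keyout "$1/array.key" -out "$1/array.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/array.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -out "$1/signed.pem" 2>/dev/null
}

# Usage on the files saved from Step 3:
#   check_svkms_cert signed.pem ca.pem "<Business ID>" c3-nimaf6010-056
```

The function prints one line per failed check and returns non-zero if any check fails, so it can gate the upload steps that follow.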
Step 4
Create User In SvKMS
In the SvKMS Web Portal>USERS select Add User
Fill in the following details:
- Username = CN of CSR request = Hostname of Array (as in Step 2)
- Key Access User
- Display Name
- Default Group = Group of Local CA Key
Ensure that Authenticate via Client Cert is selected and click on Add User.
In the next window choose Upload.
Then paste in the Signed CSR (created in Step 3) and click Upload.
NB: Remember to include a carriage return after the -----END CERTIFICATE----- line.
Ensure the upload was successful.
Step 5
In the Array WebUI
Administration>Security>SSL Certificate
Add Certificate and select from the drop down menu:
Import a CA signed certificate
In the available fields enter the following certificates (saved from Step 3):
- Value for CA Certificate Chain (saved from signing CSR)
- Signed Certificate in PEM format (saved from signing CSR)
Note: Remember to include a carriage return after the -----END CERTIFICATE----- line.
The following certificates should now be displayed.
If an error is displayed in the WebUI after loading the certificates, follow the instructions in the error message: clear the browser cache and reload the page.
Step 6
Final step to add the SvKMS as an external Key manager.
In the Array WebUI
On the left-hand menu select Encryption
Then select External Key Manager and select Add Key Manager
Fill in the details under Apply Encryption as per Business Requirements and Click Save.
Create Key Manager
Fill out required fields.
- Name = name of svkms cluster
- IP address = Cluster IP of SvKMS
- Port = 5696
- Protocol = 1.3
- Username = username created in svkms (see Step 4)
- Password = fill in anything (the value is not important, as the user certificate is used for authentication; see Steps 1-5).
Click Save.
Following confirmation should be displayed:
As a final check, in the SvKMS Web Portal>KEYS a CUSTOM Key should have been created and should now be visible.
Encrypted Volumes may now be created as per:
If there are any issues with the integration, please raise a ticket with support at support@stormagic.com or at https://support.stormagic.com.
See Also
https://stormagic.com/doc/svkms/svkms_2.6.5/Content/Release_Notes/Release_Notes.htm
https://stormagic.com/doc/svkms/svkms_2.6.5/Content/Web_Portal/Overview.htm