Use the following procedure to run the initial configuration script (setup_kms.py). Make sure to run the initial configuration script before enabling encryption on any DDP groups.
- Update the Initialize parameters in the initial configuration script file to match your storage system environment and requirements.

| Parameter | Example settings | Description |
|---|---|---|
| STORAGE_SERVER_IP_ADDR | "XXX.XXX.XXX.XXX" | Service IP address of the ESM |
| FIRST_WAIT_TIME | 60 | First interval (in seconds) to get the execution result of the asynchronous process. Default = 60. You can specify a value of 1 to 120. Normally, you don't need to change this setting. |
| MAX_RETRY_COUNT | 60 | Maximum number of retries to retrieve the results of asynchronous processing. Default = 60. You can specify a value of 1 to 60. Normally, you don't need to change this setting. |
| USER_CREDENTIAL | ("user1", "pass1") | Credentials used to authenticate with the storage system. In this example, the user ID is "user1" and the password is "pass1". The user must have the Security Manager (View & Modify) role. |
| NUM_OF_KMS_SETTINGS | 2 | Number of KMSs to be configured. Default = 2. You can specify 1 or 2. In this example, two KMSs are configured and two client certificates and two root certificates are uploaded. |

- Update the KMS certificate parameters to match your storage system environment and requirements.
The paths for the certificate files must be set to the same value for each client certificate and root certificate. When registering two KMSs, separate the values with commas as shown in the following example.

| Parameter | Example settings | Description |
|---|---|---|
| CLIENT_CERT_FILE_PATH | "D:/cert/" | The path where the client certificate file is stored. Prepare the client certificate file of the key management server in advance. |
| CLIENT_CERT_FILE_NAME_LIST | ["clientCert1.p12", "clientCert2.p12"] | Specify a file name for each client certificate to be registered. |
| CLIENT_CERT_FILE_NICKNAME_LIST | ["clientCert1", "clientCert2"] | Specify the nickname for each client certificate to be registered as 1 to 255 alphanumeric characters. You cannot specify duplicate nicknames for the first and second units. |
| CLIENT_CERT_FILE_PASSWORD_LIST | ["clientCertPass1", "clientCertPass2"] | Specify the password of the client certificate file: 1 to 128 alphanumeric characters. For a client certificate without a password, specify "" (empty character). |
| ROOT_CERT_FILE_PATH | "D:/cert/" | The path where the root certificate file is stored. Prepare the root certificate file of the KMS in advance. |
| ROOT_CERT_FILE_NAME_LIST | ["rootCert1.pem", "rootCert2.pem"] | Specify a file name for each root certificate to be registered. |
| ROOT_CERT_FILE_NICKNAME_LIST | ["rootCert1", "rootCert2"] | Specify the nickname of the root certificate as 1 to 255 alphanumeric characters. You cannot specify duplicate nicknames for the first and second units. |

- Update the KMS parameters to match your storage system environment and requirements.
When registering two KMSs, separate the values with commas (for example, [<setting for KMS1>, <setting for KMS2>]).

| Parameter | Example settings | Description |
|---|---|---|
| KMS_ID_LIST | ["0", "1"] | Number for each KMS to be registered. Specify ["0"] to register one KMS. Specify ["0","1"] or ["1","0"] to register two KMSs. |
| INTRA_CLASS_PRIORITY_LIST | [1, 2] | Priority setting in the cluster when the KMS is in a multi-master cluster. Specify [1] to register one KMS, and specify [1,2] or [2,1] to register two KMSs. |
| KMS_SERVER_NAME_LIST | ["XXX.XXX.XXX.XXX", "XXX.XXX.XXX.XXX"] | Specify the IP address (IPv4 or IPv6) or host name for each KMS to be registered. |
| KMS_SERVER_PORT_LIST | [5696, 5696] | Port number for each KMS to be registered. Default = 5696. |
| NUM_OF_RETRIES_LIST | [3, 3] | Number of retries when communication fails for each KMS to be registered. Specify a value of 1 to 50. Default = 3. |
| RETRY_INTERVAL_LIST | [10, 10] | Retry interval (in seconds) when communication fails for each KMS to be registered. Specify a value of 1 to 60. Default = 10. |
| TIMEOUT_LIST | [120, 120] | Time (in seconds) before the connection times out for each KMS to be registered. Specify a value of 10 to 999. Default = 120. |

- For each KMS that you add, store the client certificate and root certificate in the paths specified by CLIENT_CERT_FILE_PATH and ROOT_CERT_FILE_PATH, respectively, in the KMS certificate settings.
- Open the command prompt, and move to the folder containing the script file.
- Run the script.
python setup_kms.py
- Check the execution result.
- Successful completion: The script completes normally with the following message:
Operation was completed.
- Abnormal termination: The script terminates abnormally with the following message:
An error occurred while running the script. Please check the error message.
If the specified parameters are incorrect, the script execution is interrupted and an error message is displayed at the command prompt where the script was executed. Check the error message output to the command prompt, change the parameter settings accordingly, and then run the script again.
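
The ranges and list rules in the tables above can be checked before the script is run. The following pre-flight check is an added example, not part of setup_kms.py or the vendor's tooling: it assumes the settings have been loaded into a dict keyed by the parameter names above, and it treats "alphanumeric" as ASCII letters and digits only.

```python
import re

# Allowed ranges, copied from the parameter tables above.
SCALAR_RANGES = {"FIRST_WAIT_TIME": (1, 120), "MAX_RETRY_COUNT": (1, 60)}
LIST_RANGES = {"NUM_OF_RETRIES_LIST": (1, 50), "RETRY_INTERVAL_LIST": (1, 60),
               "TIMEOUT_LIST": (10, 999)}
NICKNAME_LISTS = ("CLIENT_CERT_FILE_NICKNAME_LIST", "ROOT_CERT_FILE_NICKNAME_LIST")
OTHER_LISTS = ("CLIENT_CERT_FILE_NAME_LIST", "CLIENT_CERT_FILE_PASSWORD_LIST",
               "ROOT_CERT_FILE_NAME_LIST", "KMS_ID_LIST", "INTRA_CLASS_PRIORITY_LIST",
               "KMS_SERVER_NAME_LIST", "KMS_SERVER_PORT_LIST")


def _alnum(value, lo, hi):
    # Assumption: "alphanumeric" means ASCII letters and digits only.
    return isinstance(value, str) and bool(
        re.fullmatch(r"[A-Za-z0-9]{%d,%d}" % (lo, hi), value))


def _in_range(value, lo, hi):
    return isinstance(value, int) and lo <= value <= hi


def validate_kms_params(p):
    """Return a list of problems in the parameter dict p (empty list = OK)."""
    errors = [f"{k}: must be {lo} to {hi}" for k, (lo, hi) in SCALAR_RANGES.items()
              if not _in_range(p.get(k), lo, hi)]
    n = p.get("NUM_OF_KMS_SETTINGS")
    if not _in_range(n, 1, 2):
        return errors + ["NUM_OF_KMS_SETTINGS: must be 1 or 2"]
    bad_len = [f"{k}: must be a list of {n} value(s)"
               for k in (*LIST_RANGES, *NICKNAME_LISTS, *OTHER_LISTS)
               if not isinstance(p.get(k), list) or len(p[k]) != n]
    if bad_len:
        return errors + bad_len  # per-item checks need correctly sized lists
    for k, (lo, hi) in LIST_RANGES.items():
        if not all(_in_range(v, lo, hi) for v in p[k]):
            errors.append(f"{k}: each value must be {lo} to {hi}")
    for k in NICKNAME_LISTS:
        if not all(_alnum(v, 1, 255) for v in p[k]):
            errors.append(f"{k}: 1 to 255 alphanumeric characters required")
        if n == 2 and p[k][0] == p[k][1]:
            errors.append(f"{k}: duplicate nickname")
    if not all(_alnum(v, 0, 128) for v in p["CLIENT_CERT_FILE_PASSWORD_LIST"]):
        errors.append('CLIENT_CERT_FILE_PASSWORD_LIST: "" or 1 to 128 alphanumerics')
    for k, allowed in (("KMS_ID_LIST", ["0", "1"]), ("INTRA_CLASS_PRIORITY_LIST", [1, 2])):
        if p[k] not in (allowed[:n], allowed[:n][::-1]):
            errors.append(f"{k}: expected {allowed[:n]} in either order")
    return errors
```

Because the script file holds USER_CREDENTIAL and the client certificate passwords in clear text, restrict read access to the file and to the certificate folder to the account that runs it.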