Key Group

Overview

This function displays information about the SED authentication key (hereinafter referred to as "key") that is used for a key group, together with the SSL/KMIP certificate information.

The key group combines all of the RAID groups that use the same key.

Note
  • The RAID groups that are registered in the key group can be checked by using the [SED Key Group] screen. Refer to the [SED Key Group] function for details.

User Privileges

Availability of Executions in the Default Role

Default role Availability of executions
Monitor
Admin
StorageAdmin
AccountAdmin  
SecurityAdmin
Maintainer

Refer to "User Roles and Policies" for details on the policies and roles.

Display Contents

Key Group

Item Description

Name

The key group name is displayed. If no key groups are created, the field is blank.

The key group name corresponds to "Serial Number", which is managed in the key server.

Storage System Group Name

The storage system group name is displayed. If no key groups are created, the field is blank.

The storage system group combines the key management device (Key Management Machine) name that is managed by the user with the key group. The storage system group name corresponds to "Device Group Name", which is managed in the key server. Note that "ETERNUS_DX" is specified as the factory default storage system group name when "ETERNUS SF KM" (key management software) is shipped.

Key Status

The key status is displayed. If no key groups are created, the field is blank.

Refer to "Key Status" for details.

Security Level

The security level for the key group is displayed. If no key groups are created, the field is blank.

"Security Level" indicates the handling level when application of the SED key to the target RAID group fails. If the key for the relevant RAID group cannot be obtained from the key server due to a communication error and the SEDs that configure the RAID group are changed to hot spares or changed to new SEDs due to failure or maintenance, the storage system performs operations according to the selected security level.

  • High

    After an SED failure, rebuilding to hot spares for which the key cannot be changed is not performed. The RAID group loses its redundancy if the RAID group status is "Exposed", "Partially Exposed" (for RAID6), "Exposed (Fast)" (for RAID6-FR), or "Partially Exposed (Fast)" (for RAID6-FR).

    When SED maintenance is being performed, replacing an SED with a new SED for which the key cannot be changed does not complete successfully. If this action is performed, the status of the new SED changes to "Not Exist".

    When communication between the key server and the storage system returns to normal and the key can be obtained, the SED status changes to normal. Rebuilding to the SED for which the status changed to normal is performed after the key is changed. Note that "Modifying" may be displayed for the key status for a few minutes even though the SED key has already been changed. After the key is changed, maintenance of the SEDs is complete.

  • Low

    Rebuilding or maintenance is performed by using the common key if changing of the key in the key server fails due to a network error.

Even if the security level is changed from "High" to "Low", the rebuilding process does not start immediately after the level is changed. Rebuilding processes start after the storage system recognizes that changing of the security level and key is complete.

Recovery Mode

The recovery mode for the key group is displayed. If no key groups are created, the field is blank.

The recovery mode is the method used to recover locked (*1) RAID groups or SEDs after the communication error with the key server is resolved. For RAID groups in locked status, "SED Locked" is displayed. For SEDs in locked status, "Not Exist" is displayed.

*1: A blocked status that occurs when the key of the RAID groups cannot be obtained.

  • Automatic

    This mode recovers locked RAID groups or SEDs when the communication error with the key server is resolved.

  • Manual

    Use the [Recovery SED] function of Web GUI to recover the locked RAID groups or SEDs when the communication error with the key server is resolved.

Key Expiration Date

The following information is displayed depending on the key status.

  • When the status is "Modifying", the expiration date (YYYY-MM-DD) before the key was replaced is displayed.

  • When the status is "Unregistered Server Certificate", "Expired Server Certificate", "No SSL Certificate", "Network Error", "Not Acquired", or "Key Server Error", a "-" (hyphen) is displayed.

  • For the other statuses, the key expiration date (YYYY-MM-DD) is displayed.

If no key groups are created, the field is blank.

When the key has expired, a new key is obtained from the key server and automatically applied in place of the expired key.

Master Server

Server ID

The key server ID (1 or 2) for the master server is displayed. If no key group is created or if no master server is specified, the field is blank.

Domain Name / IP Address

The domain name (FQDN) or the IP address of the master server is displayed. If no key group is created or if no master server is specified, the field is blank.

Note that the IPv6 address is displayed as an abbreviation. Refer to "IPv6 Address Notation" for details.

Status

The master server status is displayed. If no key group is created or if no master server is specified, the field is blank.

Refer to "Key Server Status" for details.

Slave Server

Server ID

The key server ID (1 or 2) of the slave server is displayed. If no key group is created or if no slave server is specified, the field is blank.

Domain Name / IP Address

The domain name (FQDN) or the IP address of the slave server is displayed. If no key group is created or if no slave server is specified, the field is blank.

Note that the IPv6 address is displayed as an abbreviation. Refer to "IPv6 Address Notation" for details.

Status

The slave server status is displayed. If no key group is created or if no slave server is specified, the field is blank.

Refer to "Key Server Status" for details.

SSL / KMIP Certificate

Item Description

Issuer Name

The certificate authority name that issues the SSL/KMIP certificate is displayed. If the certificate is not imported, the field is blank.

Subject Name

The name of the destination to which the SSL/KMIP certificate is issued is displayed. If the certificate is not imported, the field is blank.

Valid From

The start date and time (YYYY-MM-DD hh:mm:ss) of the SSL/KMIP certificate validity period is displayed. If the certificate is not imported, the field is blank.

Valid To

The end date and time (YYYY-MM-DD hh:mm:ss) of the SSL/KMIP certificate validity period is displayed. If the certificate is not imported, the field is blank.

Serial Number

The serial number for the SSL/KMIP certificate is displayed. If the certificate is not imported, the field is blank.

The serial number is a number that is unique within the certificate authority. When the certificate is created, the serial number is combined with the issuer name.
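
The display rules for "Key Expiration Date" and the SSL/KMIP certificate validity period can be turned into a periodic review check. The following is an added example, not part of the product documentation: it assumes the screen values have been transcribed by hand into dictionaries keyed by the item names above (no storage system API is used), compares certificate times as plain timestamps, and uses constructed sample values.

```python
from datetime import date, datetime, timedelta

# Key statuses for which the page says "Key Expiration Date" shows "-".
NO_DATE_STATUSES = {
    "Unregistered Server Certificate", "Expired Server Certificate",
    "No SSL Certificate", "Network Error", "Not Acquired", "Key Server Error",
}

def review_key_group(row, today, warn_days=30):
    """Findings for one key group; dict keys follow the screen's item names."""
    if not row.get("Name"):
        return ["no key group created (fields are blank)"]
    findings = []
    status, expiry = row["Key Status"], row["Key Expiration Date"]
    if status in NO_DATE_STATUSES:
        findings.append(f"key status '{status}': no expiration date is shown")
    else:
        when = date.fromisoformat(expiry)  # YYYY-MM-DD
        if status == "Modifying":
            # The date shown is the one from before the key was replaced.
            findings.append(f"key being replaced; {when} belongs to the previous key")
        elif when - today <= timedelta(days=warn_days):
            findings.append(f"key expires on {when}; a new key will be requested")
    if row.get("Security Level") == "Low":
        findings.append("security level Low: common key used if key change fails")
    if row.get("Recovery Mode") == "Manual":
        findings.append("recovery mode Manual: [Recovery SED] needed after a lock")
    return findings

def review_certificate(cert, now, warn_days=30):
    """Findings for the SSL/KMIP certificate validity window."""
    if not cert.get("Valid To"):
        return ["SSL/KMIP certificate not imported (fields are blank)"]
    fmt = "%Y-%m-%d %H:%M:%S"
    start = datetime.strptime(cert["Valid From"], fmt)
    end = datetime.strptime(cert["Valid To"], fmt)
    if now < start:
        return [f"certificate not valid until {start}"]
    if now > end:
        return [f"certificate expired at {end}"]
    if end - now <= timedelta(days=warn_days):
        return [f"certificate expires at {end}"]
    return []

# Constructed sample values, typed in as they would appear on the screen.
SAMPLE_GROUP = {"Name": "KG-SAMPLE", "Key Status": "Network Error",
                "Key Expiration Date": "-", "Security Level": "Low",
                "Recovery Mode": "Manual"}
SAMPLE_CERT = {"Valid From": "2024-01-01 00:00:00", "Valid To": "2025-01-01 00:00:00"}
```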