Modify Key Group

Overview

This function changes the key group settings.

The key group combines all of the RAID groups that use the same SED authentication key (hereinafter referred to as "key"). One key group can be created in the storage system.

User Privileges

Availability of Executions in the Default Role

Default role Availability of executions
Monitor  
Admin
StorageAdmin  
AccountAdmin  
SecurityAdmin
Maintainer  

Refer to "User Roles and Policies" for details on the policies and roles.

Settings

Key Group Setting

Item Description Setting values

Name

Input a key group name.

The key group name corresponds to "Serial Number", which is managed in the key server.

Caution
  • Do not change the key group name after the key status changes to "Normal". The key status can be checked on the [Key Group] screen. Refer to the [Key Group] function for details.

Setting values:
  • Up to 32 alphanumeric characters and symbols (underscore "_")
  • The first letter must be an alphabetic character

Storage System Group Name

Input the storage system group name.

The storage system group combines the key management device (Key Management Machine) name that is managed by the user with the key group. The storage system group name corresponds to "Device Group Name", which is managed in the key server.

Caution
  • Do not change the storage system group name after the key status changes to "Normal". The key status can be checked on the [Key Group] screen. Refer to the [Key Group] function for details.

Setting values:
  • Up to 16 alphanumeric characters and symbols (underscore "_")
  • The first letter must be an alphabetic character

Security Level

Select the security level of the key group from "High" or "Low".

"Security Level" indicates the handling level when application of the SED key to the target RAID group fails. If the key for the relevant RAID group cannot be obtained from the key server due to a communication error, and the SEDs that make up the RAID group are replaced with hot spares or with new SEDs due to failure or maintenance, the storage system performs operations according to the selected security level.

  • High

    After an SED failure, rebuilding to hot spares for which the key cannot be changed is not performed. The RAID group loses its redundancy if the RAID group status is "Exposed", "Partially Exposed" (for RAID6), "Exposed (Fast)" (for RAID6-FR), or "Partially Exposed (Fast)" (for RAID6-FR).

    When SED maintenance is being performed, replacing an SED with a new SED for which the key cannot be changed does not complete successfully. If this action is performed, the status of the new SED changes to "Not Exist".

    When communication between the key server and the storage system returns to normal and the key can be obtained, the SED status changes to normal. Rebuilding to the SED for which the status changed to normal is performed after the key is changed. Note that "Modifying" may be displayed for the key status for a few minutes even though the SED key has already changed. After changing the key, maintenance of the SEDs is complete.

  • Low

    Rebuilding or maintenance is performed by using the common key if changing of the key in the key server fails due to a network error.

Even if the security level is changed from "High" to "Low", the rebuilding process does not start immediately after the level is changed. Rebuilding processes start after the storage system recognizes that changing of the security level and key is complete.

Setting values:
  • High
  • Low

Recovery Mode

Select the recovery mode of the key group from "Automatic" or "Manual".

The recovery mode is the method used to recover locked (*1) RAID groups or SEDs after the communication error with the key server is resolved. For RAID groups in locked status, "SED Locked" is displayed. For SEDs in locked status, "Not Exist" is displayed.

*1: A blocked status that occurs when the key of the RAID groups cannot be obtained.

  • Automatic

    This mode recovers locked RAID groups or SEDs when the communication error with the key server is resolved.

  • Manual

    Use the [Recovery SED] function of Web GUI to recover the locked RAID groups or SEDs when the communication error with the key server is resolved.

Setting values:
  • Automatic
  • Manual

Key Valid Period

Select a key expiration period that is based on the date when the key from the key server is obtained for the first time (beginning of use).

When the key expires, a new key is obtained from the key server and the expired key is automatically replaced. If the key expiration period is changed, the same key is used from the first date of use until the key expires. Note that the "first date" indicates the first day of use instead of the day the key was changed.

  • Unlimited

    The same key is used until exactly 20 years elapse since the key was first used.

  • 1 month - 12 month

    The same key is used until the same date and time in the specified month after the key was first used. If the same date does not exist in the specified month (such as April 31st), the expiration date of the key becomes the last date of the specified month.

Setting values:
  • Unlimited
  • 1 month - 12 month
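
The expiration rule described for "Key Valid Period", worked through as an added example for planning key replacement dates (this is not code from the storage system or its vendor). The function names are hypothetical, and two points are assumptions: the key counts as expired at the exact expiry date and time, and a February 29th first use under "Unlimited" is clamped the same way as the monthly case.

```python
import calendar
from datetime import datetime

UNLIMITED_MONTHS = 20 * 12  # "Unlimited": exactly 20 years after first use

def add_months(start, months):
    """Same day and time `months` later, clamped to the last day of that month."""
    index = start.month - 1 + months
    year, month = start.year + index // 12, index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    # replace() sets all three fields at once, so no invalid intermediate date occurs.
    return start.replace(year=year, month=month, day=min(start.day, last_day))

def key_expiry(first_use, valid_period):
    """Expiry for a period of "Unlimited" or 1-12 months, counted from first use."""
    if valid_period == "Unlimited":
        return add_months(first_use, UNLIMITED_MONTHS)
    if type(valid_period) is not int or not 1 <= valid_period <= 12:
        raise ValueError("valid_period must be 'Unlimited' or 1-12 (months)")
    return add_months(first_use, valid_period)

def rotation_due(first_use, valid_period, now):
    """True once the expiry is reached (assumption: inclusive of the exact time)."""
    return now >= key_expiry(first_use, valid_period)

if __name__ == "__main__":
    first_use = datetime(2024, 3, 31, 10, 30)  # constructed sample date
    for period in (1, 6, 12, "Unlimited"):
        print(period, "->", key_expiry(first_use, period))
```
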

Key Server

Master

Select the key server ID that is assigned for the master or slave server. "None" and the registered key server ID are displayed as options.

Caution
  • The same server ID (except for "None") cannot be selected for both the master and slave servers. Note that "None" cannot be selected for both of the servers when RAID groups are registered in the key group.

  • Note that if "None" is selected for both master and slave servers, the key cannot be managed by the key server.

  • The key can only be updated when the master server is specified. Refer to the [Update SED Authentication Key] function for details.

  • To perform maintenance of the key server, the key server setting parameters must be released temporarily. Select "None" for the target key server before starting maintenance. After maintenance is complete, set the key server parameters again.

Setting values:
  • None
  • 1
  • 2

Slave

Operating Procedures

  1. Click [Modify Key Group] in [Action].

  2. Specify the parameters, and click the [Modify] button.

    → A confirmation screen appears.

    Caution
    • An error screen appears in the following conditions:
      • The "Name" is not entered

      • The "Storage System Group Name" is not entered

      • Each parameter fails to satisfy the input conditions

      • The same server ID is specified for both the master and slave servers

      • "None" is selected for both of the servers (master and slave) while RAID groups are registered in the key group

  3. Click the [OK] button.

    → Changing of the key group settings starts.

  4. Click the [Done] button to return to the [Key Group] screen.
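
A pre-change check that mirrors the error conditions in step 2 and the cautions in the Settings section, as an added example for reviewing a planned change before it is entered in the GUI (this is not code from the storage system or its vendor). The function name and dictionary keys are hypothetical, and "alphanumeric" is assumed to mean ASCII letters and digits.

```python
import re

# Assumed reading of the input rules: ASCII letters, digits and "_", first character a letter.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,31}")   # "Name": up to 32 characters
GROUP_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,15}")  # "Storage System Group Name": up to 16

def check_key_group(new, current=None, key_status=None, raid_groups_registered=False):
    """Return (errors, warnings) for proposed settings; the dict keys are hypothetical."""
    errors, warnings = [], []
    for field, pattern in (("name", NAME_RE), ("group_name", GROUP_RE)):
        value = new.get(field, "")
        if not value:
            errors.append(f"{field}: not entered")
        elif not pattern.fullmatch(value):
            errors.append(f"{field}: input conditions not satisfied")
        elif current and key_status == "Normal" and value != current.get(field):
            # Page caution: do not change these names once the key status is "Normal".
            warnings.append(f"{field}: changed while key status is Normal")
    if new.get("security_level") not in ("High", "Low"):
        errors.append("security_level: must be High or Low")
    elif new["security_level"] == "Low":
        warnings.append("security_level: Low falls back to the common key")
    if new.get("recovery_mode") not in ("Automatic", "Manual"):
        errors.append("recovery_mode: must be Automatic or Manual")
    period = new.get("key_valid_period")
    if period != "Unlimited" and period not in range(1, 13):
        errors.append("key_valid_period: must be Unlimited or 1-12")
    master, slave = new.get("master", "None"), new.get("slave", "None")
    if master == slave and master != "None":
        errors.append("key server: same ID for master and slave")
    elif master == slave:
        if raid_groups_registered:
            errors.append("key server: None for both while RAID groups are registered")
        else:
            warnings.append("key server: key cannot be managed by the key server")
    elif master == "None":
        warnings.append("key server: key can only be updated with a master specified")
    return errors, warnings

if __name__ == "__main__":
    proposed = {"name": "KeyGroup_01", "group_name": "1st_group", "security_level": "Low",
                "recovery_mode": "Manual", "key_valid_period": 6, "master": "1", "slave": "1"}
    print(check_key_group(proposed))  # constructed sample input
```
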