Configuring on Dell Data Domain DD3300

  1. Log in to DD System Manager using the admin credentials.

  2. Go to DD3300 > Protocols > CIFS and verify that the certificate folder is enabled.

Figure: DD System Manager

  3. After enabling CIFS setup, you can access the certificate folder from Windows using the configured CIFS credentials.

  • Path: \\<ipaddress>\cer

  • Username: sysadmin

  • Password: xxxxxxxxx

  4. Log in to the DD3300 console using an SSH tool to create the certificate request file. The DD3300 (KMIP Client) will use this certificate later.

  5. Generate a host certificate signing request (CSR) using the command below.
    adminaccess certificate cert-signing-request generate [key-strength {1024bit | 2048bit | 3072bit | 4096bit}] [country country-code] [state state] [city city] [orgname organization-name] [org-unit organization-unit] [common-name commonname] [subject-alt-name value]

  6. After entering the command, the generated request file (.csr) can be found at the \\<ipaddress>\cer path.

  7. Have the generated .csr file signed by ESKM (refer to the "Sign the host certificate using ESKM" chapter and complete all related steps before performing this step), then place the signed certificate file, in PEM format, in the DD3300 certificate directory. Once the file is in place, run the appropriate command in the DD3300 console to import and apply it as the DD3300 Host CA.
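Before the import, it is worth confirming that the file returned by ESKM carries the same public key as the CSR generated on the DD3300, whether the file arrived as PEM or DER. The following is an added example, not part of the original guide or of any Dell or ESKM tooling: standard-library Python with a minimal DER reader that extracts the SubjectPublicKeyInfo from both files and compares them. All function names are hypothetical, and the sample data is constructed (placeholder key and signature bytes).

```python
import base64
import re

def read_tlv(buf, pos=0):
    """Return (tag, value, end) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, raw element bytes) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, _, end = read_tlv(value, pos)
        yield tag, value[pos:end]
        pos = end

def to_der(data):
    """Accept PEM or DER file contents and return the DER bytes."""
    m = re.search(rb"-----BEGIN [^-]+-----(.+?)-----END [^-]+-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def spki(data, kind):
    """Raw SubjectPublicKeyInfo of a certificate ('cert') or PKCS#10 CSR ('csr')."""
    tag, outer, _ = read_tlv(to_der(data))
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = list(children(read_tlv(outer)[1]))   # tbsCertificate / CertificationRequestInfo
    if kind == "cert" and fields[0][0] == 0xA0:   # skip the optional explicit [0] version
        fields = fields[1:]
    return fields[2 if kind == "csr" else 5][1]   # CSR: 3rd field; cert: 6th after version

def cert_matches_csr(cert, csr):
    return spki(cert, "cert") == spki(csr, "csr")

# Constructed sample data: structurally valid DER with placeholder key and signature bytes.
def tlv(tag, *parts):
    body = b"".join(parts)
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (size if len(body) < 0x80 else bytes([0x80 | len(size)]) + size) + body
def sample(kind, fill):
    key = tlv(0x30, tlv(0x30), tlv(0x03, b"\x00" + fill * 140))    # placeholder SPKI
    csr = [tlv(0x02, b"\x00"), tlv(0x30), key, tlv(0xA0)]
    cert = [tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01")] + [tlv(0x30)] * 4 + [key]
    return tlv(0x30, tlv(0x30, *(csr if kind == "csr" else cert)), tlv(0x30), tlv(0x03, b"\x00"))
```

On a workstation, pass the bytes of the .csr file copied from the certificate share and of the signed file to `cert_matches_csr`; a `False` result means the signed certificate was issued for a different key pair than the one behind the DD3300's CSR.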

Import the host certificate & CA to the Data Domain System

The authentication method varies depending on the application type. When integrating with ESKM, select GKLM for the Import CA application type.

  1. Run the adminaccess certificate import command on the DD system to import the host certificate.
    adminaccess certificate import host application gklm file signed.pem

Figure: Import the host application GKLM file

Figure: Manage Certificates

  2. Go to Security > Local CAs, download the ESKM (KMIP Server) Local CA, and then import it into the DD3300 (KMIP Client) to establish trust.

  3. Because the DD3300 only accepts .pem format, convert the .crt certificate file downloaded from ESKM with OpenSSL.

  4. Open a command prompt, navigate to the file directory, and run the following command:
    openssl x509 -in DD3signed.crt -out DD3signed.pem

  5. Place the ESKM Local CA into the DD3300 certificate folder, then run the following command to import the ESKM CA.
    adminaccess certificate import ca application gklm file xxxx.pem

  6. Go to DD3300 Web GUI > Data Management > File System > DD Encryption.

  7. Enable encryption and connect key management.

Figure: DD Encryption and Key Management

  8. Go to Key Management > Settings. Input relevant information to complete the integration with ESKM (KMIP Server).

Figure: Change Key Manager

When integrating with ESKM, select GKLM as the application type.

  9. After selecting the application type, click Manage Certificates to confirm that the certificate previously imported with the console command is displayed.

Figure: Manage Certificates for GKLM Key Manager

  10. If DD3300 (KMIP Client) and ESKM (KMIP Server) are successfully integrated, the interface will display the key management (ESKM) information, and the KMIP key activation status will be visible.

Figure: DD Encryption

  11. Enter the relevant commands in the DD3300 console to verify again that the KMIP integration is successful and that the KMIP key is activated.

Figure: KMIP Key Activation Status