VM Security

Configure and Manage a Standard Key Provider

Add a Standard Key Provider

You can add an external key management server (KMS) as a standard key provider to supply the keys behind the platform's encryption features (encrypted virtual machines and disks, TPM-enabled virtual machines). The KMS must support the Key Management Interoperability Protocol (KMIP) 1.1 or later. The platform talks to the KMS over TLS, which is why trust must be established in both directions after the provider is added.

Before you begin

Make sure the platform is installed with a valid Advanced Edition license.

Procedure

  1. In the navigation pane, select Inventory > VM and Host.
  2. Select the root node.
  3. On the root node details page, click Key Providers.
  4. On the Key Providers tab, click Add Key Provider.
  5. In the Add Key Provider dialog, set the following parameters:
    • Name: Enter a name for the key provider.
      Note: The name of each key provider serves as its identifier. Ensure the name is globally unique.
    • Description: Enter a brief description for the key provider.
    • Type: Select Standard Key Provider.
    • IP Address/Domain Name: Enter the IP address or domain name of the KMS.
    • Port: Enter the connection port of the KMS. The default port is 5696.
    • Password Protection: Some KMS products isolate the keys of different users or groups behind a username and password. If your KMS is configured this way, enable this option and enter that username and password; otherwise leave it disabled.
  6. After you confirm the configuration details are correct, click OK.
  7. Click Trust to have the platform trust the KMS server certificate. You can skip this and do it later; see Make ZStack ZSphere Trust the KMS.
    After the key provider is added, its status shows as "Connected | Not Trusted by KMS" until the KMS has also been made to trust the platform.

What to do next

Establish Trust

Make KMS Trust ZStack ZSphere

Use KMS Certificate and Private Key to Make KMS Trust

Some KMS vendors require you to upload the KMS server certificate and private key to ZStack ZSphere.

Procedure

  1. Navigate to the Key Providers page.
  2. Locate the standard key provider with which you want to establish trust, and click Actions > Establish Trust > Make KMS Trust the Platform.
  3. In the Make KMS Trust the Platform dialog, select KMS Certificate and Private Key as the trust method.
  4. Click Next.
  5. Upload the certificate and private key files you received from the KMS, or paste the certificate and private key content into the text box.
  6. Click OK.

What to do next

To establish two-way trust, see Make ZStack ZSphere Trust the KMS.

Use the New Certificate Signing Request (CSR) to Make KMS Trust

Some KMS vendors require ZStack ZSphere to generate a Certificate Signing Request (CSR) and submit the CSR to the KMS. The KMS signs the CSR and returns a signed certificate. You must upload the signed certificate back to ZStack ZSphere to establish trust.

Procedure

  1. Navigate to the Key Providers page.
  2. Locate the standard key provider with which you want to establish trust, and click Actions > Establish Trust > Make KMS Trust the Platform.
  3. In the Make KMS Trust the Platform dialog, select New Certificate Signing Request (CSR) as the trust method.
  4. Click Next.
  5. Click Copy or Download to copy the entire content of the text box or save it as a file. Copy the CSR in full, including the BEGIN and END lines; a truncated CSR is rejected by the KMS.
    Use Generate New CSR only when you explicitly need a new CSR. If you do, submit the new CSR to the KMS and upload the new signed certificate; a certificate the KMS signed for an earlier CSR cannot be relied on to match the regenerated one.
  6. Click OK.
  7. Log in to the KMS and submit the CSR according to the KMS requirements.
  8. After you receive the certificate signed by the KMS, click Actions > Establish Trust > Upload Signed CSR Certificate again.
  9. Paste the signed certificate into the text box, or click Upload File to upload it.

What to do next

To establish two-way trust, see Make ZStack ZSphere Trust the KMS.

Make ZStack ZSphere Trust the KMS

If you skipped the step of trusting the KMS when you added the standard key provider, you must establish two-way trust after the KMS trusts ZStack ZSphere.

Procedure

  1. Navigate to the Key Providers page.
  2. Locate the standard key provider with which you want to establish trust, and click Actions > Establish Trust.
  3. Select one of the following options from the Establish Trust menu.
    • Make the Platform Trust KMS: In the Make the Platform Trust KMS dialog, click Trust.
    • Upload KMS Certificate: In the Upload KMS Certificate dialog, upload a file or paste the certificate content into the text box, and then click OK. Upload the CA certificate (or chain) that issued the KMS server certificate, not the client certificate and private key that the KMS issued to the platform.
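Both trust procedures above come down to a mutually authenticated TLS handshake between the platform and the KMS on the KMIP port, and the dialogs give little feedback when the uploaded material is inconsistent. The following script is an added example, not ZStack ZSphere or KMS vendor code; it checks, before anything is uploaded, that the client certificate and private key belong together, that the certificate chains to the KMS CA, that it is not about to expire, and (optionally, online) that the KMS completes the handshake. It requires the openssl CLI; file names and the KMS host and port are assumptions.

```shell
#!/bin/sh
# Added example, not ZStack ZSphere or KMS vendor code: pre-flight checks on the
# certificate material used to establish trust with a standard (KMIP) key provider.
# Requires the openssl CLI. File names, KMS host name and port are assumptions.

# SHA-256 fingerprint of the SubjectPublicKeyInfo carried in a certificate.
# Empty output when the file cannot be parsed as a certificate.
cert_pubkey_fp() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key derived from a private key.
key_pubkey_fp() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# 0 when the certificate and private key belong together. A pair that does not
# match is a common reason the KMS keeps reporting the platform as not trusted:
# the TLS client handshake fails at the CertificateVerify step.
keypair_matches() {
    c=$(cert_pubkey_fp "$1"); k=$(key_pubkey_fp "$2")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 when the certificate chains to the given CA bundle and is currently valid.
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 when the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Online check: complete a mutually authenticated TLS handshake with the KMS on
# the KMIP port (default 5696). $1 host, $2 port, $3 CA bundle that issued the
# KMS server certificate, $4 client certificate, $5 client private key.
kmip_tls_probe() {
    openssl s_client -connect "$1:$2" -CAfile "$3" -cert "$4" -key "$5" \
        </dev/null 2>&1 | grep -q 'Verify return code: 0 (ok)'
}

# Offline pre-flight over the three files: $1 client cert, $2 client key, $3 KMS CA.
preflight() {
    keypair_matches "$1" "$2"   || { echo "client cert/key mismatch"; return 1; }
    cert_chains_to "$1" "$3"    || { echo "client cert does not chain to KMS CA"; return 1; }
    cert_valid_for_days "$1" 30 || { echo "client cert expires within 30 days"; return 1; }
    echo "certificate material consistent"
}

# Example invocation (assumed paths and host):
#   preflight client.crt client.key kms-ca.pem && kmip_tls_probe kms.example.internal 5696 kms-ca.pem client.crt client.key
```

Run preflight on the files you are about to paste into the dialogs; if it passes but the status stays "Not Trusted by KMS", the remaining candidates are the KMS side (client not registered, wrong profile) rather than the files.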

Delete a Standard Key Provider

Before you begin

  • When multiple key providers exist, the default key provider cannot be deleted. Set another key provider as the default first, and then delete the old one.
  • Deleting a key provider locks every resource still encrypted with it. To preserve those resources, first perform Rekey (Update Key) on the relevant virtual machines so that they are re-encrypted with the new default key provider, and delete the old provider only after that completes.

Procedure

  1. In the navigation pane, select Inventory > VM and Host.
  2. Select the root node.
  3. On the root node details page, click Key Providers.
  4. On the Key Providers tab, select the standard key provider you want to delete, and then click Actions > Delete.
    Note: After you delete a key provider, all resources encrypted with this key provider (such as TPM-enabled virtual machines, encrypted virtual machines, and encrypted disks) will enter a locked state and become inaccessible.
  5. Read the risk warning, enter the confirmation information, and click OK.

Use the Thales Key Provider

Procedure

  1. Add the Thales key provider in ZStack ZSphere.
    For detailed steps, see Add a Standard Key Provider.
  2. Create a user named localhost in Thales and add it to the admin group.
    1. Log in to Thales.
    2. Click Access Management > Users > Add User.
      Figure 1. Add a User
    3. Create the localhost user.
      Figure 2. Create the localhost User
    4. Click the user name to go to its details page.
    5. Expand the GROUP MEMBERSHIP section, and then click Add Group.
      Figure 3. Add the User to a Group
    6. In the Add member to group(s) dialog, select admin, and then click Add Group.
  3. (Optional) Use the New Certificate Signing Request (CSR) method to make Thales trust ZStack ZSphere.
    1. Log in to ZStack ZSphere.
    2. Navigate to the Key Providers page.
    3. Locate the Thales standard key provider you added, and click Actions > Establish Trust > Make KMS Trust the Platform.
    4. In the Make KMS Trust the Platform dialog, select New Certificate Signing Request (CSR) as the trust method.
    5. Click Next.
    6. Copy the entire CSR content.
    7. Log in to Thales.
    8. Click Products > KMIP.
      Figure 4. Access the KMIP Module
    9. Click Client Profile > Add Profile.
      Figure 5. Add a Profile
    10. In the Add Profile dialog, set the profile basic information, paste the CSR information, and then click Save.
      Figure 6. Configure the Profile
    11. Click Registration Token > New Registration Token.
      Figure 7. New Registration Token
    12. In the Create New Registration Token dialog, follow the wizard to complete the configuration.
      • In step 3 Select Profile, select the profile you created earlier.
      • In step 4 Create Token, copy the generated token.
      Figure 8. Create a Token
    13. Click Registered Clients > Add Client.
      Figure 9. Add a Client
    14. In the Add Client dialog, set the client name, paste the registration token, and then click Save.
      Figure 10. Configure the Client
    15. After saving successfully, click Save CSR and Save Certificate to download the CSR and certificate.
      Figure 11. Download the CSR and Certificate
    16. Log in to ZStack ZSphere.
    17. Navigate to the Key Providers page, and then click Actions > Establish Trust > Upload Signed CSR Certificate.
    18. Upload the certificate you downloaded from Thales.
  4. (Optional) Use the KMS certificate and private key method to make Thales trust ZStack ZSphere.
    1. Log in to Thales.
    2. Click Products > KMIP.
      Figure 12. Access the KMIP Module
    3. Click Client Profile > Add Profile.
      Figure 13. Add a Profile
    4. In the Add Profile dialog, set the profile name, and then click Save.
      Figure 14. Add a Profile
    5. Click Registration Token > New Registration Token.
      Figure 15. New Registration Token
    6. In the Create New Registration Token dialog, follow the wizard to complete the configuration.
      • In step 3 Select Profile, select the profile you created earlier.
      • In step 4 Create Token, copy the generated token.
      Figure 16. Create a Token
    7. Click Registered Clients > Add Client.
      Figure 17. Add a Client
    8. In the Add Client dialog, set the client name, paste the registration token, and then click Save.
      Figure 18. Configure the Client
    9. After saving successfully, click Save Certificate and Save Private Key to download the certificate and private key.
      Figure 19. Download the Certificate and Private Key
    10. Log in to ZStack ZSphere.
    11. Navigate to the Key Providers page.
    12. Locate the Thales standard key provider you added, and click Actions > Establish Trust > Make KMS Trust the Platform.
    13. In the Make KMS Trust the Platform dialog, select KMS Certificate and Private Key as the trust method.
    14. Click Next.
    15. Upload the KMS certificate and private key you downloaded from Thales.
    16. Click OK.

Use the HashiCorp Key Provider

Procedure

  1. Add the HashiCorp key provider in ZStack ZSphere.
    For detailed steps, see Add a Standard Key Provider.
  2. (Optional) Use the KMS certificate and private key method to make HashiCorp trust ZStack ZSphere.
    1. Log in to the HashiCorp Vault UI. (The KMIP secrets engine is a Vault Enterprise feature.)
    2. Click Vault > Secrets Engines.
    3. On the Secrets Engines page, click kmip to open the KMIP secrets engine.
      Figure 1. Access the KMIP Module
    4. On the kmip page, click Create scope to create a scope or enter an existing one.
      Figure 2. Create or Enter an Existing Scope
    5. On the scope details page, click Create role to create a role.
    6. On the Create a Role page, set the role name, the TLS client settings for the certificates Vault issues to this role (key type, key size, and TTL), and the KMIP operations the role is allowed to perform. The page shows an example configuration to follow.
      Figure 3. Create a Role
    7. After you create the role, click the role to go to its details page, and then click Generate credentials.
    8. On the Generate Credentials page, select pem as the certificate format, and then click Save.
      Figure 4. Generate a Certificate
    9. Copy the certificate and private key.
      Figure 5. Copy the Certificate and Private Key
    10. Log in to ZStack ZSphere.
    11. Navigate to the Key Providers page.
    12. Locate the HashiCorp standard key provider you added, and click Actions > Establish Trust > Make KMS Trust the Platform.
    13. In the Make KMS Trust the Platform dialog, select KMS Certificate and Private Key as the trust method.
    14. Click Next.
    15. Paste the KMS certificate and private key you copied from HashiCorp.
    16. Click OK.
  3. (Optional) Use the New Certificate Signing Request (CSR) method to make HashiCorp trust ZStack ZSphere.
    1. Log in to a host that has the vault CLI and network access to Vault.
    2. Run vault login and enter a token that is allowed to write to the KMIP scope and role.
    3. Save the CSR you copied from ZStack ZSphere (see Use the New Certificate Signing Request (CSR) to Make KMS Trust) as csr.pem, then have Vault sign it with the role you created. In the following command, test is the scope and admin is the role; substitute your own names:
      vault write -format=json kmip/scope/test/role/admin/credential/sign csr="$(cat csr.pem)" | jq -r '.data.certificate' > client.crt
    4. Log in to ZStack ZSphere.
    5. Navigate to the Key Providers page, and then click Actions > Establish Trust > Upload Signed CSR Certificate.
    6. Upload the obtained client.crt certificate.
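The single vault command above signs whatever is in csr.pem and gives no hint if the CSR was truncated while being copied, or if Generate New CSR was clicked in the platform after the CSR had already been submitted. The following script is an added example, not ZStack ZSphere or HashiCorp code: it validates the CSR, performs the same signing call, also saves the issuing CA chain for the reverse trust direction, and checks that the returned certificate was issued for the key in the CSR before anything is uploaded. It assumes a logged-in vault CLI (VAULT_ADDR and VAULT_TOKEN set), jq, and openssl; the scope "test", role "admin", and file names are the examples used on this page.

```shell
#!/bin/sh
# Added example, not ZStack ZSphere or HashiCorp code: wraps the Vault CSR signing
# step and verifies the returned certificate before it is uploaded to the platform.
# Assumes a logged-in vault CLI (VAULT_ADDR/VAULT_TOKEN), jq and openssl. Scope
# "test", role "admin" and the file names are the examples used on this page.

# SHA-256 fingerprint of a PEM public key read from stdin; fails on empty input.
spki_fp() {
    pub=$(cat); [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# 0 when the CSR parses and its self-signature verifies, i.e. it was not
# truncated or altered while being copied out of the ZStack ZSphere dialog.
csr_is_valid() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# 0 when the certificate was issued for exactly this CSR's key. This catches the
# case where Generate New CSR was clicked after the first CSR was submitted: the
# KMS returns a valid-looking certificate that the platform's new key cannot use.
cert_matches_csr() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | spki_fp)
    r=$(openssl req -in "$2" -noout -pubkey 2>/dev/null | spki_fp)
    [ -n "$c" ] && [ "$c" = "$r" ]
}

# Ask Vault's KMIP engine to sign the CSR ($1) with scope $2 and role $3.
# Writes $4.crt (client certificate) and $4-ca.pem (issuing chain, returned by
# Vault's KMIP credential endpoints; use it for the Upload KMS Certificate step).
vault_sign_csr() {
    out=$(vault write -format=json "kmip/scope/$2/role/$3/credential/sign" \
          csr="$(cat "$1")") || return 1
    printf '%s\n' "$out" | jq -r '.data.certificate' > "$4.crt"
    printf '%s\n' "$out" | jq -r '.data.ca_chain[]?' > "$4-ca.pem"
}

# Full flow: validate the CSR, sign it, verify the result, show what gets uploaded.
sign_and_check() {
    csr=$1; scope=$2; role=$3; prefix=$4
    csr_is_valid "$csr" || { echo "CSR is malformed or truncated"; return 1; }
    vault_sign_csr "$csr" "$scope" "$role" "$prefix" || { echo "vault sign failed"; return 1; }
    cert_matches_csr "$prefix.crt" "$csr" || { echo "certificate does not match the CSR key"; return 1; }
    openssl x509 -in "$prefix.crt" -noout -subject -serial -enddate
}

# Example invocation matching the page's command:
#   sign_and_check csr.pem test admin client   # produces client.crt and client-ca.pem
```

Upload client.crt via Upload Signed CSR Certificate; client-ca.pem is what the Upload KMS Certificate dialog in the other trust direction expects.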

Configure and Manage a Native Key Provider

Add a Native Key Provider

ZStack ZSphere provides a native key provider that allows you to enable encryption-related features without a third-party KMS.

Procedure

  1. In the navigation pane, select Inventory > VM and Host.
  2. Select the root node.
  3. On the root node details page, click Key Providers.
  4. On the Key Providers tab, click Add Key Provider.
  5. In the Add Key Provider dialog, set the following parameters:
    • Name: Enter a name for the key provider.
      Note: The name of each key provider serves as its identifier. Ensure the name is globally unique.
    • Description: Enter a brief description for the key provider.
    • Type: Select Native Key Provider.
  6. Click OK.
    After the key provider is added successfully, its status shows as "Not Backed Up".

What to do next

After you add a native key provider, you must back it up before use. For more information, see Back Up the Native Key Provider.

Back Up the Native Key Provider

The native key provider is stored only in ZStack ZSphere. If ZStack ZSphere fails or needs to be rebuilt, the key is lost and all encrypted virtual machines cannot be decrypted or started. Therefore, backing up the native key provider is necessary for disaster recovery. After you back it up, you can restore key services and remount encrypted virtual machines after you rebuild ZStack ZSphere.

Procedure

  1. In the navigation pane, select Inventory > VM and Host.
  2. Select the root node.
  3. On the root node details page, click Key Providers.
  4. On the Key Providers tab, select the native key provider you want to back up.
    For key providers that are not yet backed up, the status shows as "Not Backed Up".
  5. Click Actions > Back Up.
  6. In the Back Up Key Provider dialog, select the backup mode as needed.
    • Without Password Protection
      Note: Without password protection, anyone who obtains the backup file can restore the key provider and decrypt the virtual machines that depend on it.
    • Password Protection: Enter and confirm the password.
      Note:

      Store the password in a safe place. The platform cannot access or recover the password you set. Make sure this password is securely saved, as it will be required to restore the Native Key Provider configuration in case of disaster.

      If you forget or lose the password:
      • You cannot restore the key provider.
      • You cannot access encrypted resources (such as TPM-enabled virtual machines and encrypted virtual machines) that depend on this key provider.
  7. Click OK.
    The backup file is downloaded through your browser. Save the backup file in a secure location.

Restore the Native Key Provider

Before you begin

  • You have prepared the backup file of the native key provider.
  • If you set password protection for the backup file when you backed up the key provider, prepare the password for the backup file.
  • Ensure that no key provider with the same name exists on the platform.

Procedure

  1. In the navigation pane, select Inventory > VM and Host.
  2. Select the root node.
  3. On the root node details page, click Key Providers.
  4. On the Key Providers tab, click Actions > Restore.
  5. In the Restore Key Provider dialog, upload the backup file.
  6. (Optional) If the backup file is password-protected, enter the password.
  7. Click Next.
  8. Confirm the information of the key provider to restore, and then click OK.

Delete the Native Key Provider

Before you begin

  • If you want to keep the key provider for future use, back it up first.
  • To preserve encrypted resources, first perform Rekey (Update Key) on the relevant virtual machines so that they are re-encrypted with the default key provider, and delete this provider only after that completes.

Procedure

  1. In the navigation pane, select Inventory > VM and Host.
  2. Select the root node.
  3. On the root node details page, click Key Providers.
  4. On the Key Providers tab, select the native key provider you want to delete, and then click Actions > Delete.
    Note:
    • After deletion, all resources encrypted with this key provider (such as TPM-enabled virtual machines, encrypted virtual machines, and encrypted disks) will enter a locked state and become inaccessible.
    • The key provider is permanently deleted from the platform and cannot be recovered. Proceed with caution.
  5. Read the risk warning, enter the confirmation information, and click OK.

Rekey

For business or compliance requirements (such as regular key rotation, suspected key leakage, or meeting security audit standards), you can update the key and re-encrypt encrypted virtual machines using the default key provider.

Procedure

  1. In the navigation pane, select Inventory > VM and Host.
  2. Select the root node.
  3. On the root node details page, click Key Providers.
  4. On the Key Providers tab, click Actions > Rekey.
  5. In the Rekey dialog, click OK.
    This operation re-encrypts all encrypted resources using the new key from the current default key provider.

Secure VMs with vTPM

Adding a virtual Trusted Platform Module (vTPM) when you create a virtual machine, or to an existing virtual machine, gives the guest operating system a TPM 2.0 device. The vTPM state is protected by the platform's key provider, so a TPM-enabled virtual machine can only be started while that key provider is available.

Before you begin

  • The platform has an available key provider. If you use the native key provider, back it up first.
  • The host on which the VM runs must meet the vTPM support requirements for kernel, QEMU, and libvirt versions. The following table lists the required component versions for each architecture and host operating system version:
    Architecture | Host OS version | Kernel version | QEMU version | libvirt version
    x86 | H84r | 4.18.0-553.69.1.13.gc220c6303994.el8.x86_64 | qemu-kvm-6.2.0-235.g51749aa16b.el8 | libvirt-8.0.0-90.g4f8dd1cb01.el8.x86_64
    x86 | KY10 SP3 | 4.19.90-52.48.v2207.ky10.x86_64 | qemu-kvm-6.2.0-235.g51749aa16b.ky10 | libvirt-8.0.0-90.g4f8dd1cb01.ky10.x86_64
    x86 | KY10 SP3.2403 | 4.19.90-89.25.v2401.ky10.x86_64 | qemu-kvm-6.2.0-232.g09252161d1.ky10 | libvirt-8.0.0-90.g4f8dd1cb01.ky10.x86_64
    ARM | KY10 SP3 | 4.19.90-52.48.v2207.ky10.aarch64 | qemu-6.2.0-906.g271454a05e.ky10 | libvirt-6.2.0-415.gf2c25be909.ky10.aarch64
    ARM | KY10 SP3.2403 | 4.19.90-89.25.v2401.ky10.aarch64 | qemu-6.2.0-1042.g7eecd245dd.ky10 | libvirt-6.2.0-463.g2ee090fe60.ky10.aarch64
    ARM | H22e | 5.10.0-136.12.0.86.oe2203sp1.aarch64 | qemu-6.2.0-906.g271454a05e | libvirt-6.2.0-415.gf2c25be909.aarch64
  • The virtual machine boot mode must be set to UEFI.
  • The virtual machine operating system must support the TPM 2.0 specification. Operating systems that do not support TPM 2.0 (including but not limited to Windows Server 2012 and earlier, CentOS 6 / RHEL 6, Ubuntu 14.04 and earlier) are not supported.
  • Before you add a TPM to an existing virtual machine, power off the virtual machine.

Procedure

  1. In the navigation pane, select Inventory > VM and Host.
  2. In the resource tree, right-click the target cluster, host, or image, and then click New Virtual Machine.
  3. In the Select VM Creation Method dialog, select New VM, and then click Next.
  4. In the New Virtual Machine dialog, complete the relevant basic configuration. For more information about virtual machine parameters, see Create a New Virtual Machine.
  5. In the Advanced Settings section, click Boot Options and select UEFI as the virtual machine BIOS mode.
  6. In the Hardware Info section, click Add Hardware > TPM.
    After the TPM is added successfully, click TPM in the hardware list. You can view the TPM status and specification in the hardware configurations pane on the right.
  7. After you confirm the configuration details are correct, click OK.
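The hardware list confirms that the TPM was attached, but not that the guest actually sees a TPM 2.0 device under a UEFI boot, which is what the prerequisites above require. The following script is an added example, not ZStack ZSphere code; it is run inside the guest after the virtual machine boots and checks both conditions through the standard Linux sysfs and devfs paths. The optional ROOT argument prefixes those paths so the checks can be exercised against a constructed directory tree; on a real virtual machine omit it. Treating /dev/tpm0 without /dev/tpmrm0 as a TPM 1.2 device is a heuristic for older kernels that lack the tpm_version_major attribute.

```shell
#!/bin/sh
# Added example, not ZStack ZSphere code: run inside the guest after the TPM is
# added to confirm what the platform relies on, UEFI boot and a TPM 2.0 device.
# The optional ROOT argument prefixes the standard Linux sysfs/devfs paths so the
# checks can be exercised against a constructed directory tree; on a real VM omit it.

# 0 when the kernel booted via UEFI: /sys/firmware/efi exists only on UEFI boot.
booted_uefi() {
    [ -d "${1:-}/sys/firmware/efi" ]
}

# Prints the TPM major version of tpm0 (1 or 2), or nothing if none is visible.
# Newer kernels expose tpm_version_major. As a fallback, /dev/tpmrm0 (the
# in-kernel resource manager) is created only for TPM 2.0 devices, so /dev/tpm0
# without /dev/tpmrm0 is treated as a 1.2 device (a heuristic on old kernels).
tpm_major() {
    root=${1:-}
    if [ -r "$root/sys/class/tpm/tpm0/tpm_version_major" ]; then
        cat "$root/sys/class/tpm/tpm0/tpm_version_major"
    elif [ -e "$root/dev/tpmrm0" ]; then
        echo 2
    elif [ -e "$root/dev/tpm0" ]; then
        echo 1
    fi
}

# 0 when both prerequisites hold; 1 = not UEFI, 2 = TPM 1.2 only, 3 = no TPM.
# Prints a one-line reason pointing at the corresponding prerequisite.
vtpm_ready() {
    root=${1:-}
    if ! booted_uefi "$root"; then
        echo "guest is not booted via UEFI; set the VM boot mode to UEFI"
        return 1
    fi
    case "$(tpm_major "$root")" in
        2) echo "UEFI boot and TPM 2.0 device present"; return 0 ;;
        1) echo "only a TPM 1.2 device is visible; the guest OS must support TPM 2.0"; return 2 ;;
        *) echo "no TPM device visible; add the TPM hardware with the VM powered off"; return 3 ;;
    esac
}

# Optional deeper check when tpm2-tools is installed: reading fixed properties
# through the resource manager proves the guest can actually talk to the device.
tpm2_smoke() {
    command -v tpm2_getcap >/dev/null 2>&1 || { echo "tpm2-tools not installed, skipping"; return 0; }
    tpm2_getcap properties-fixed | grep -E 'TPM2_PT_(MANUFACTURER|FIRMWARE_VERSION_1)'
}

# Example invocation on a real guest:
#   vtpm_ready && tpm2_smoke
```

A non-zero result from vtpm_ready maps directly onto the Before you begin list: 1 means the boot mode was not UEFI, 3 means the TPM hardware was not attached (or was attached while the virtual machine was running), and 2 means the guest kernel is too old to drive a TPM 2.0 device.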