
Preparations

Before using the key management tool, check whether the OCK_HOME environment variable exists in the system and whether entropy needs to be supplemented in the current Linux environment.

  • Run the echo $OCK_HOME command to check whether the OCK_HOME environment variable exists. If not, set it to the OmniShuffle installation directory (/home/ockadmin/opt/ock by default). After confirming the OCK_HOME environment variable, perform the following operation to set LD_LIBRARY_PATH:
    export LD_LIBRARY_PATH="${OCK_HOME}/ucache/${OCK_VERSION}/${OCK_BINARY_TYPE}/lib/common:${OCK_HOME}/ucache/${OCK_VERSION}/${OCK_BINARY_TYPE}/lib/common/openssl:${OCK_HOME}/ucache/${OCK_VERSION}/${OCK_BINARY_TYPE}/lib/mf:${OCK_HOME}/ucache/${OCK_VERSION}/${OCK_BINARY_TYPE}/lib/datakit:${OCK_HOME}/ucache/${OCK_VERSION}/${OCK_BINARY_TYPE}/lib/common/ucx:${OCK_HOME}/ucache/${OCK_VERSION}/${OCK_BINARY_TYPE}/lib/common/ucx/ucx:${LD_LIBRARY_PATH}"
  • Before using kmc_tool, check whether entropy needs to be supplemented in the current Linux environment (KMC initialization consumes random numbers). The following describes how to view and supplement entropy.

    Reading strong pseudo-random numbers from /dev/random blocks the calling program until enough entropy is available, so entropy should be replenished as quickly as possible: the rate at which the entropy pool refills from a small value to the target value is the rate at which random numbers can be generated. Therefore, a way to increase the entropy is needed, and the haveged component is a feasible solution.

    1. Check whether the haveged process is enabled in the system. (You are advised to keep the haveged process enabled.)
      service haveged status

      Or

      ps -ef | grep "haveged" | grep -v "grep"
    2. Enable haveged and set it to start as the system boots.
      systemctl start haveged
      systemctl enable haveged.service
    3. Check the speed at which random numbers are displayed on the screen.
      cat /dev/random | od -x
    4. View the current entropy.
      cat /proc/sys/kernel/random/entropy_avail

      In normal cases, the entropy before haveged is started is over 100. After haveged is started, the entropy increases to more than 1,000 or even 2,000.

    5. Optional: Stop haveged. (This step is optional and applies only after encryption and decryption are finished. Ensure that haveged stays enabled while encryption and decryption are performed.)
      service haveged stop

kmc_tool is used to encrypt the whitelist, keytab, and keypass files. Each file type is handled through the APIs under one of four domain IDs: keypass 0, whitelist 1, keytab_server 2, and keytab_client 3.

If you use kmc_tool as a non-O&M user, perform the following steps:

  1. Query the KMC semaphore.
    ipcs -s

    If KMC was previously used for encryption as the root user, the semaphore it created belongs to root and must be deleted before a non-O&M user can run kmc_tool. If no KMC semaphore is listed, skip the following semaphore deletion operation.

  2. Delete the KMC semaphore as the root user.
    ipcrm -S 0x20161316

    This command is used to delete the KMC semaphore bound to the permissions of the root user.

  3. Switch back to the non-O&M user and use kmc_tool for encryption.
    You are advised to disable history recording before generating an encrypted password to prevent the password from being recorded. You can enable this function after the password is generated.
    set +o history
    ./kmc_tool 0 --encrypt
    set -o history

    Encryption is successful.
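The preparation checks above (OCK_HOME and LD_LIBRARY_PATH, the entropy level, and the root-owned KMC semaphore a non-O&M user must have removed) collected into one script, as an added example that is not part of the OCK documentation. It assumes OCK_VERSION and OCK_BINARY_TYPE are already exported, as the LD_LIBRARY_PATH line in this page requires, and the 1000 threshold is taken from the entropy values the page reports once haveged is running.

```shell
#!/bin/sh
# Preparation checks before running kmc_tool (added example, not OCK's own code).
# Assumes OCK_VERSION and OCK_BINARY_TYPE are exported, as on this page.

OCK_DEFAULT_HOME=/home/ockadmin/opt/ock   # default installation directory from the page
KMC_SEM_KEY=0x20161316                    # KMC semaphore key from the page
ENTROPY_MIN=1000                          # page: entropy exceeds 1000 once haveged runs

# Print the OCK_HOME to use: the exported value, or the documented default.
resolve_ock_home() {
    printf '%s\n' "${OCK_HOME:-$OCK_DEFAULT_HOME}"
}

# Build the page's LD_LIBRARY_PATH prefix for <ock_home> <version> <binary_type>.
build_ld_library_path() {
    lib="$1/ucache/$2/$3/lib"
    printf '%s\n' "$lib/common:$lib/common/openssl:$lib/mf:$lib/datakit:$lib/common/ucx:$lib/common/ucx/ucx"
}

# Succeed when the entropy_avail value is high enough to initialize KMC without blocking.
entropy_ok() {
    [ "$1" -ge "$ENTROPY_MIN" ]
}

# Succeed when `ipcs -s` output on stdin lists the KMC semaphore left behind by a root run.
kmc_semaphore_present() {
    grep -qi "^$KMC_SEM_KEY[[:space:]]"
}

# Live check against the current host; returns non-zero when something must be fixed first.
run_checks() {
    home=$(resolve_ock_home)
    export LD_LIBRARY_PATH="$(build_ld_library_path "$home" "$OCK_VERSION" "$OCK_BINARY_TYPE"):${LD_LIBRARY_PATH}"
    entropy=$(cat /proc/sys/kernel/random/entropy_avail)
    if ! entropy_ok "$entropy"; then
        echo "entropy_avail=$entropy is below $ENTROPY_MIN: start haveged (systemctl start haveged)" >&2
        return 1
    fi
    if ipcs -s | kmc_semaphore_present; then
        echo "KMC semaphore $KMC_SEM_KEY exists: remove it as root with ipcrm -S $KMC_SEM_KEY" >&2
        return 1
    fi
    echo "preparation OK; run kmc_tool with history disabled (set +o history)"
}

# Run the live checks only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then run_checks; fi
```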