
Preparations

Before using the key management tool, check whether the OCK_HOME environment variable exists in the system and whether entropy needs to be supplemented in the current Linux environment.

Confirming the Environment Variable

Run the echo $OCK_HOME command to check whether the OCK_HOME environment variable exists in the system. If it does not exist, set it to the OmniShuffle installation directory, which defaults to /home/ockadmin/opt/ock. After confirming the OCK_HOME environment variable, perform the following operation to set LD_LIBRARY_PATH:
export LD_LIBRARY_PATH="${OCK_HOME}/ucache/${OCK_VERSION}/${OCK_BINARY_TYPE}/lib/common:${OCK_HOME}/ucache/${OCK_VERSION}/${OCK_BINARY_TYPE}/lib/common/openssl:${OCK_HOME}/ucache/${OCK_VERSION}/${OCK_BINARY_TYPE}/lib/mf:${OCK_HOME}/ucache/${OCK_VERSION}/${OCK_BINARY_TYPE}/lib/datakit:${LD_LIBRARY_PATH}"
  • OCK_HOME: OCK tool installation directory.
  • OCK_VERSION: OCK tool version.
  • OCK_BINARY_TYPE: type of the OCK executable file.
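The following shell functions are an added example (not part of the OCK or OmniShuffle product) of how the environment check above can be scripted: fall back to the documented default installation directory when OCK_HOME is unset, refuse to continue when OCK_VERSION or OCK_BINARY_TYPE is missing, and verify that each of the four library directories exists before LD_LIBRARY_PATH is exported, so a typo in the version string surfaces here rather than as a library-load failure inside kmc_tool. The function names, the `--apply` flag and the sample values are assumptions of this example.

```shell
#!/bin/sh
# Added example: validate the OCK environment and build LD_LIBRARY_PATH.
# Not part of the product; OCK_DEFAULT_HOME is the default named on this page.

OCK_DEFAULT_HOME="/home/ockadmin/opt/ock"

# Print the LD_LIBRARY_PATH value for a home, version and binary type,
# with the existing path ($4, may be empty) appended. Pure string work,
# so it can be checked without the product installed.
ock_library_path() {
    local home="$1" version="$2" btype="$3" existing="$4" base path
    base="${home}/ucache/${version}/${btype}/lib"
    path="${base}/common:${base}/common/openssl:${base}/mf:${base}/datakit"
    if [ -n "$existing" ]; then
        path="${path}:${existing}"
    fi
    printf '%s\n' "$path"
}

# Print every one of the four required library directories that is missing.
ock_missing_dirs() {
    local base="$1/ucache/$2/$3/lib" d
    for d in "$base/common" "$base/common/openssl" "$base/mf" "$base/datakit"; do
        [ -d "$d" ] || printf '%s\n' "$d"
    done
}

# Fall back to the documented default when OCK_HOME is unset; fail when the
# version or binary type is missing, since the path cannot be formed.
ock_check_env() {
    : "${OCK_HOME:=$OCK_DEFAULT_HOME}"
    export OCK_HOME
    if [ -z "${OCK_VERSION:-}" ] || [ -z "${OCK_BINARY_TYPE:-}" ]; then
        echo "OCK_VERSION and OCK_BINARY_TYPE must be set" >&2
        return 1
    fi
    if [ ! -d "$OCK_HOME" ]; then
        echo "OCK_HOME=$OCK_HOME is not a directory" >&2
        return 1
    fi
    return 0
}

# Export LD_LIBRARY_PATH only when all four directories exist.
ock_export_library_path() {
    local missing
    missing=$(ock_missing_dirs "$OCK_HOME" "$OCK_VERSION" "$OCK_BINARY_TYPE")
    if [ -n "$missing" ]; then
        echo "missing library directories:" >&2
        echo "$missing" >&2
        return 1
    fi
    LD_LIBRARY_PATH=$(ock_library_path "$OCK_HOME" "$OCK_VERSION" \
                                       "$OCK_BINARY_TYPE" "${LD_LIBRARY_PATH:-}")
    export LD_LIBRARY_PATH
}

# Usage: source this file in the shell that will run kmc_tool, then run
# `ock_check_env && ock_export_library_path`; or execute it with --apply
# (the export then applies only to the script's own process).
if [ "${1:-}" = "--apply" ]; then
    ock_check_env && ock_export_library_path && echo "LD_LIBRARY_PATH=$LD_LIBRARY_PATH"
fi
```

Source the file rather than executing it when the goal is to prepare the interactive shell, because an `export` inside a child process does not reach the parent.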

Checking Entropy Supplementation

Before using kmc_tool, check whether entropy supplementation is required (for initializing KMC) in the current Linux environment. The following describes how to view and supplement entropy.

Generating a strong pseudo-random number from /dev/random blocks the calling program until enough entropy is available. The random numbers should therefore be generated as fast as possible: the rate at which the entropy pool grows from a small value to the target value is the random number generation speed. The haveged component is a feasible solution.

  1. Check whether the haveged process is enabled.

    You are advised to always enable this process.

    • Method 1
      service haveged status
    • Method 2
      ps -ef | grep "haveged" | grep -v "grep"
  2. Enable haveged and set it to start as the system boots.
    systemctl start haveged
    systemctl enable haveged.service
  3. Check the speed at which random numbers are displayed on the screen.
    cat /dev/random | od -x
  4. View the current entropy.
    cat /proc/sys/kernel/random/entropy_avail

    In normal cases, the entropy before haveged is started is over 100. After haveged is started, the entropy increases to more than 1,000 or even 2,000.

  5. Stop haveged.

    This step is optional after encryption and decryption are performed. Ensure that haveged is always enabled during encryption and decryption.

    service haveged stop
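Steps 1 to 5 above can be folded into one reusable check. The script below is an added example (not part of the product documentation): it detects a haveged process with the same `ps -ef` pattern as Method 2, reads and validates the entropy counter, classifies it against the figures quoted above (over 100 before haveged, over 1,000 after), and can wait, with a timeout, until the pool reaches a target before kmc_tool is started. The function names, the thresholds as constants, the `--report` flag and the temporary file used in the test are assumptions of this example.

```shell
#!/bin/sh
# Added example: check haveged and the kernel entropy pool before running
# kmc_tool. Not part of the product; thresholds follow the figures on this page.

ENTROPY_FILE="/proc/sys/kernel/random/entropy_avail"
ENTROPY_IDLE=100      # typical value before haveged is started
ENTROPY_TARGET=1000   # value reached after haveged is started

# True when a haveged process is visible (same pattern as the page's Method 2;
# the [h] trick keeps grep itself out of the match).
haveged_running() {
    ps -ef 2>/dev/null | grep -q "[h]aveged"
}

# Print the integer in an entropy_avail-style file; fail on unreadable or
# non-numeric content instead of passing garbage to the arithmetic tests.
read_entropy() {
    local file="$1" value
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    value=$(tr -d '[:space:]' < "$file")
    case "$value" in
        ''|*[!0-9]*) echo "unexpected content in $file: '$value'" >&2; return 1 ;;
    esac
    printf '%s\n' "$value"
}

# Map a counter value onto the three regimes described on the page.
classify_entropy() {
    if [ "$1" -lt "$ENTROPY_IDLE" ]; then
        echo low
    elif [ "$1" -lt "$ENTROPY_TARGET" ]; then
        echo idle
    else
        echo healthy
    fi
}

# Poll the counter once per second until it reaches $2 or $3 seconds elapse.
# Returns 0 when reached, 1 on timeout, 2 when the file cannot be read.
wait_for_entropy() {
    local file="$1" min="$2" timeout="${3:-30}" elapsed=0 value
    while :; do
        value=$(read_entropy "$file") || return 2
        if [ "$value" -ge "$min" ]; then
            return 0
        fi
        if [ "$elapsed" -ge "$timeout" ]; then
            echo "entropy still $value after ${timeout}s (wanted $min)" >&2
            return 1
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
}

# Human-readable summary of the live system state.
entropy_report() {
    local value state
    value=$(read_entropy "$ENTROPY_FILE") || return 1
    if haveged_running; then state=running; else state="not detected"; fi
    printf 'haveged: %s\nentropy_avail: %s (%s)\n' \
        "$state" "$value" "$(classify_entropy "$value")"
}

# Usage: ./entropy_check.sh --report, or source the file and call
# `wait_for_entropy "$ENTROPY_FILE" "$ENTROPY_TARGET" 30` before kmc_tool.
if [ "${1:-}" = "--report" ]; then
    entropy_report
fi
```

Two caveats when interpreting the counter: on kernels from 5.6 onward /dev/random no longer blocks once the pool has been initialised, and recent kernels report a capped entropy_avail value (256 on 5.18 and later) rather than the thousands quoted above, so on such systems a `healthy` reading by the page's threshold will never appear and the `idle` regime is the normal state.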

Non-O&M User Environment

kmc_tool is used to encrypt the keypass, whitelist, and keytab files. When using kmc_tool, call the correct domain ID interface for each file, specifically, domain 0 for keypass, domain 1 for whitelist, domain 2 for keytab_server, and domain 3 for keytab_client.

If you use kmc_tool as a non-O&M user, perform the following steps:

  1. Switch back to the non-O&M user and use kmc_tool for encryption.
    You are advised to disable history recording before generating an encrypted password, so that the password is not written to the shell history. You can re-enable history recording after the password is generated.
    set +o history
    ./kmc_tool 0 --encrypt
    set -o history
    Figure 1 Generating an encrypted password

    The returned information indicates that the encryption is successful.
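The wrapper below is an added example (not the product's own code) that combines the domain-ID mapping given above with the history-handling advice: it resolves the file type to its domain ID and rejects anything outside the four documented types, disables bash history only if it was on, and restores it even when kmc_tool fails, which the three bare commands above do not guarantee. The `KMC_TOOL` variable (defaulting to `./kmc_tool` as on the page), the function names and the stand-in executable used in the test are assumptions of this example.

```shell
#!/bin/sh
# Added example: wrapper around kmc_tool that enforces the documented
# domain-ID mapping and scopes the history toggle. Not part of the product.

KMC_TOOL="${KMC_TOOL:-./kmc_tool}"   # assumption: path to the kmc_tool binary

# Map a file type to the domain ID listed on this page; fail on anything else
# so a file is never encrypted under the wrong domain by mistake.
kmc_domain_for() {
    case "$1" in
        keypass)       echo 0 ;;
        whitelist)     echo 1 ;;
        keytab_server) echo 2 ;;
        keytab_client) echo 3 ;;
        *)
            echo "unknown file type '$1' (expected keypass, whitelist, keytab_server or keytab_client)" >&2
            return 1 ;;
    esac
}

# Run `kmc_tool <domain> --encrypt` for a file type, with shell history
# suspended for the duration and restored afterwards regardless of outcome.
kmc_encrypt() {
    local domain status history_was_on=0
    domain=$(kmc_domain_for "$1") || return 1
    [ -x "$KMC_TOOL" ] || { echo "$KMC_TOOL is not executable" >&2; return 1; }
    # History exists only in interactive bash; turn it off only if it was on.
    if [ -n "${BASH_VERSION:-}" ] && [ -o history ]; then
        history_was_on=1
        set +o history
    fi
    if "$KMC_TOOL" "$domain" --encrypt; then
        status=0
    else
        status=$?
    fi
    if [ "$history_was_on" = 1 ]; then
        set -o history
    fi
    return "$status"
}

# Usage (after the environment and entropy checks): source this file, then
# `kmc_encrypt keypass`, `kmc_encrypt whitelist`, and so on.
```

Because the function is meant to be sourced into the interactive shell, the `set +o history` / `set -o history` pair acts on that shell's history, which is the one the page's advice is about.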