Post on 19-Jun-2018
CloudLink®
Amazon Web Services Deployment Guide
June 2014
Notice
THIS DOCUMENT CONTAINS CONFIDENTIAL AND TRADE SECRET INFORMATION OF AFORE
SOLUTIONS INC AND ITS RECEIPT OR POSSESSION DOES NOT CONVEY ANY RIGHTS TO
REPRODUCE OR DISCLOSE ITS CONTENTS, OR TO MANUFACTURE, USE, OR SELL
ANYTHING THAT IT MAY DESCRIBE. REPRODUCTION, DISCLOSURE, OR USE IN WHOLE OR IN
PART WITHOUT THE SPECIFIC WRITTEN AUTHORIZATION OF AFORE IS STRICTLY
FORBIDDEN.
The information furnished herein is believed to be accurate and reliable to the best of our knowledge.
However, AFORE Solutions, Inc. assumes no responsibility for its use, or for any infringements of
patents or other rights of third parties resulting from its use.
AFORE Solutions, Inc. reserves the right to, without notice, modify all or part of this document and/or
change product features or specifications and shall not be responsible for any loss, cost, or damage,
including consequential damage, caused by reliance on these materials. If you are in any doubt as to
whether this is the correct version of the manual for a particular release, contact the AFORE Solutions,
Inc.
Trademarks
AFORE Solutions and the AFORE Solutions logo are trademarks of AFORE Solutions Inc. All other
brands or product names mentioned herein are for identification purposes only and may be trademarks
and/or registered trademarks of their respective companies.
© Copyright 2014 All Rights Reserved
AFORE Solutions Inc.
2680 Queensview Drive, Suite 150 Ottawa, Ontario, K2B 8J9, Canada
Tel: (613) 224-5995 Fax: (613) 224-5410
Support Inquiries
(866) 356-4060 support@aforesolutions.com
General Inquiries afore_info@aforesolutions.com
Sales Inquiries afore_sales@aforesolutions.com
CloudLink® Amazon Web Services Deployment Guide
Software Version 2.2 3 Document Version 1.0
© Copyright 2014 AFORE Solutions Inc. All rights reserved.
Table of Contents
1 Introduction ................................................................................................................ 4
1.1 Audience and Purpose .................................................................................................................... 4
1.2 Typographical Conventions ............................................................................................................. 5
1.3 Deployment Guide Organization ..................................................................................................... 5
1.4 CloudLink ........................................................................................................................................ 6
2 CloudLink Amazon Machine Images ........................................................................ 7
2.1 Instance Types ................................................................................................................................ 7
2.2 Storage Modes ................................................................................................................................ 7
2.3 Storage Access in VPC Environments ............................................................................................ 8
2.4 Storage Access in EC2 Environments ............................................................................................ 8
2.5 Security ........................................................................................................................................... 9
2.5.1 Security Groups in VPC Environments ............................................................................................... 9
2.5.2 Security Groups in EC2 Environments ............................................................................................. 10
3 Prerequisites ............................................................................................................. 11
4 CloudLink Deployment ............................................................................................ 12
4.1 CloudLink Deployment in VPC ...................................................................................................... 13
4.2 CloudLink Deployment in EC2 ...................................................................................................... 16
5 Configuring the CloudLink Environment ............................................................... 19
5.1.1 Accessing CloudLink Center............................................................................................................. 20
5.1.2 Changing the secadmin Password ................................................................................................... 20
5.1.3 Assigning Licenses to the Storage Volumes .................................................................................... 21
5.1.4 Splitting a Volume ............................................................................................................................. 21
5.1.5 Changing the Volume Type .............................................................................................................. 22
5.1.6 Changing the Volume Write Mode to Async ..................................................................................... 23
5.1.7 Formatting the Volumes ................................................................................................................... 24
5.1.8 Configuring NFS/SMB Access to Secure Storage ............................................................................ 25
5.1.9 Configuring iSCSI Access to Secure Storage ................................................................................... 26
6 Accessing the Secure Storage ................................................................................ 29
6.1.1 Storage Access in an EC2 Environment ........................................................................................... 29
6.1.2 Storage Access in a VPC Environment ............................................................................................ 30
7 Terms and Acronyms ............................................................................................... 31
Appendix A: AWS Deployment Worksheet ..................................................................... 32
1 Introduction
CloudLink® is a data-at-rest encryption solution that provides a software-defined storage encryption layer on top
of existing storage infrastructure, whether deployed in the enterprise data center, in private clouds or in public
clouds. Its cloud security management software enables a single data encryption solution for on-premises
enterprise virtualized data centers, hybrid cloud deployments, and public cloud environments such as Amazon
AWS, Microsoft Azure, and VMware-based cloud environments.
AFORE’s CloudLink solution on the AWS Marketplace is a simple-to-deploy, self-contained AMI that lets
customers get up and running quickly. You launch a CloudLink AMI instance from the AWS Marketplace, and
Amazon adds the CloudLink costs to your AWS bill as a separately identified charge.
There are two CloudLink AMIs: CloudLink 10TB Edition and CloudLink 1TB Edition. CloudLink instances can be
deployed in either Elastic Compute Cloud (EC2) or Virtual Private Cloud (VPC) environments.
1.1 Audience and Purpose
This guide is intended for system administrators managing CloudLink deployments in an Amazon Web Services
environment.
This guide assumes the administrator is experienced with AWS AMI deployment, Amazon Elastic Compute
Cloud (EC2) and Virtual Private Cloud (VPC) services, and IP networking. If you are new to AWS, visit the AWS
documentation webpage for useful getting started guides at http://aws.amazon.com/documentation.
The purpose of this guide is to walk you through the deployment and configuration of CloudLink instances
based on CloudLink AMIs available from the AWS Marketplace.
1.2 Typographical Conventions
This guide uses the following typographical conventions.
Convention Used for
Black bold User interface elements such as menus, menu items, tabs, boxes, lists, and buttons. For example:
In the CloudLink window, select the Options tab.
Italics Examples of formats and values. Also used for emphasis. For example:
Use the default user name (secadmin)…
For each CloudLink instance you must…
1.3 Deployment Guide Organization
This deployment guide consists of the following chapters:
Chapter 1, Introduction, introduces you to CloudLink, AWS, and this document.
Chapter 2, CloudLink Amazon Machine Images, provides information on the AWS deployment
environment.
Chapter 3, Prerequisites, provides the necessary prerequisites for the deployment.
Chapter 4, CloudLink Deployment, provides a detailed description of CloudLink deployments in VPC
and EC2 environments.
Chapter 5, Configuring the CloudLink Environment, provides information on how to configure the
CloudLink environment.
Chapter 6, Accessing the Secure Storage, provides information on how to access the secure storage
volumes.
Chapter 7, Terms and Acronyms, defines the terms and acronyms used in this guide.
1.4 CloudLink
CloudLink is a software solution that is deployed into enterprise virtualization infrastructures and/or public
clouds. CloudLink holds and controls the encryption keys used to secure the storage, and monitors the network
for access to that storage.
CloudLink includes CloudLink Center, a web-service application that provides the user interface for configuring
CloudLink instances and managing CloudLink. CloudLink Center provides secure storage encryption
management and keeps audit trails of actions, alarms, events, and security events.
2 CloudLink Amazon Machine Images
An Amazon Machine Image (AMI) is a virtual machine template preconfigured with a base Linux or Windows
operating system (OS) and, optionally, application software such as CloudLink. After you launch a CloudLink
instance, it behaves like any virtual server and you interact with it as you would any computer. You must then
secure the instance with security groups and attach Elastic Block Store (EBS) volumes to it.
AFORE Solutions provides a CloudLink 10TB Edition AMI and a CloudLink 1TB Edition AMI. Both CloudLink
instances run in one of two supported platforms: EC2 or VPC. The operating environment will vary depending
on the selected platform.
2.1 Instance Types
The AWS instance type defines the number of cores, number of Elastic Compute Units (ECUs), and storage
space for the instance. The supported instance types for each CloudLink edition are as follows:
CloudLink 1TB Edition: m1.small, m3.medium, m3.large, m3.xlarge
CloudLink 10TB Edition: m3.medium, m3.large, m3.xlarge
Use of at least the m3.medium instance type is recommended for CloudLink AMIs.
2.2 Storage Modes
By default, EBS volumes assigned to a CloudLink instance at deployment time are merged into a single
CloudLink encrypted volume. From CloudLink Center you can split the encrypted volume into the original
volumes and assign an encryption key to each volume or keep the merged encrypted volume and assign a
single encryption key to the entire volume.
A single merged encrypted volume can be as large as the licensed edition allows (10 TB or 1 TB), which suits
large data sets. In a multi-volume environment, each volume is limited to 1 TB (an EBS limit in this release) and
the aggregate size is limited to 10 TB or 1 TB depending upon the CloudLink edition licensed. Separate volumes
let you assign a separate key to each volume and manage the volumes independently.
CloudLink provides AWS instances with direct access to their encrypted storage over NFS/SMB or iSCSI.
CloudLink supports three storage modes:
NFS/SMB network-attached storage (NAS)
This option is appropriate for standard deployments where instances will be attaching/mapping
to an encrypted share.
iSCSI remote disk for a single Windows server
This option is appropriate for servers requiring dedicated, block-level high performance access
to a remote disk.
iSCSI remote disk for a Windows SMB server
This option is appropriate for advanced SMB sharing configurations where Windows Kerberos
authentication and access control is required.
Any data that is written to the EBS volume is secured with AES 256-bit encryption. Each EBS volume will have
a unique encryption key when configured in split volume mode. When EBS volumes are merged into a single
encrypted volume, a single key is used to encrypt the merged volume.
Note: CloudLink does not support AWS encrypted EBS volumes in this release.
2.3 Storage Access in VPC Environments
In a VPC environment, instances within AWS access the CloudLink encrypted storage by its private IP address,
because private IP addresses in a VPC persist across a stop and start of the instance.
Assigning a public IP address to a VPC CloudLink instance is recommended so that administrators can manage
their CloudLink deployment from a browser. Because the public address exposes CloudLink Center to the
Internet, restrict inbound TCP 8443 in the instance's security group to administrator addresses. If no public IP
address is assigned to CloudLink, administrators must RDP to an AWS instance that does have a public IP and
open CloudLink Center from that instance’s web browser.
NOTE: In VPC environments, public IP addresses are not persistent after stopping and starting the CloudLink
instance, but the private IP address is persistent (static).
2.4 Storage Access in EC2 Environments
CloudLink deployments in EC2 (EC2-Classic) require additional configuration steps because neither the private
nor the public IP address of an instance persists after the CloudLink instance is stopped and started. Clients
therefore cannot rely on a fixed address, either for attaching to the CloudLink encrypted storage or for access
control rules that name a specific address.
To support CloudLink EC2 deployments, it is recommended that an Elastic IP (EIP) address be assigned to
CloudLink. An EIP is a static public IP address reserved to your account that can be associated with the
CloudLink instance, providing a consistent address for access to the instance from the Internet. An additional
benefit of EIPs is that, from inside the AWS network, a query for the EIP's public DNS name returns the current
private IP address of the CloudLink instance associated with the EIP. If AWS instances attach/map to CloudLink
storage using that public DNS name, the AWS DNS service will always return the current private IP address
even after the CloudLink instance is stopped and started, and the pre-defined attach/map commands will
continue to succeed.
For a Windows instance attempting to access CloudLink encrypted storage, the attach or map command for a
single volume would look similar to the following: \\public_domain_name\secure0.
As noted above, the AWS DNS service returns the current private IP address of the CloudLink instance to the
Windows instance that maps the share, so the storage traffic stays on the private AWS network.
If an EC2 CloudLink instance is stopped and started, the EIP remains allocated to your account but is
disassociated from the instance; you must manually re-associate it with the CloudLink instance.
NOTE: A reboot of the CloudLink instance does not require re-association.
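A pre-flight check for the attach-by-DNS-name approach described above, as an added example that is not part of the CloudLink guide. It resolves the CloudLink instance's public DNS name and only emits an attach command when the answer is an RFC 1918 address, which is what the AWS resolver returns to clients inside AWS; a public answer means the client is outside AWS or is bypassing the AWS resolver, so the NFS/SMB/iSCSI session would cross the Internet and the security group rules that name the client's group would not match. The hostname, share name and mount paths are constructed examples, and the resolver is injectable so the check can be exercised without DNS.

```python
"""Pre-flight check before attaching a client to CloudLink storage by DNS name.

Added example, not from the CloudLink guide. Hostname, share and mount paths are
constructed examples; `resolver` defaults to the system resolver but can be
replaced so the logic runs without network access.
"""
import ipaddress
import socket
from typing import Callable

# Constructed example of an EC2 public DNS name (the guide's public_domain_name).
CLOUDLINK_HOST = "ec2-198-51-100-10.compute-1.amazonaws.com"

# RFC 1918 ranges used for EC2-Classic and VPC private addressing. Checked
# explicitly rather than via ipaddress.is_private, which also flags the
# documentation/test ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Attach commands per storage mode, following the guide's secure0 share naming.
# The NFS export path and iSCSI discovery form are assumptions for illustration.
ATTACH_TEMPLATES = {
    "smb": "net use Z: \\\\{host}\\secure0 /persistent:yes",
    "nfs": "mount -t nfs {host}:/secure0 /mnt/secure0",
    "iscsi": "iscsiadm -m discovery -t sendtargets -p {host}:3260",
}


def is_rfc1918(address: str) -> bool:
    """True if `address` is an IPv4 address inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(address)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def attach_command(host: str, mode: str,
                   resolver: Callable[[str], str] = socket.gethostbyname) -> str:
    """Resolve `host` and return the attach command for `mode`.

    Raises RuntimeError when the name resolves to a non-private address: the
    client is not inside AWS (or is not using the AWS resolver), so the storage
    traffic would leave the AWS network.
    """
    if mode not in ATTACH_TEMPLATES:
        raise ValueError(f"unknown storage mode {mode!r}")
    resolved = resolver(host)
    if not is_rfc1918(resolved):
        raise RuntimeError(f"{host} resolved to {resolved}, not a private address; "
                           "refusing to attach across the Internet")
    return ATTACH_TEMPLATES[mode].format(host=host)


if __name__ == "__main__":
    # Uses the real resolver; run it on the client instance inside AWS.
    print(attach_command(CLOUDLINK_HOST, "smb"))
```

In a VPC the private IP address is static, so clients may attach by IP literal instead of by name; the check accepts that case unchanged, because the resolver returns an IP literal as-is and the RFC 1918 test still applies.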
2.5 Security
By default, access to the encrypted storage on a CloudLink instance is denied to all clients. Access is controlled
at two layers: AWS security groups, which act as a virtual firewall in front of the CloudLink instance, and the
CloudLink Access Control List (ACL). You first configure security groups to admit only the designated client
instances and administrators, and then set the CloudLink ACL to allow members of the subnet to connect to the
encrypted storage; the security group remains the effective filter.
2.5.1 Security Groups in VPC Environments
One method to grant access to secure encrypted storage in a VPC environment is to create a second security
group and associate it to designated virtual servers. You then add the security group to an inbound rule of the
CloudLink instance security group. Alternatively, you can assign individual IP or IP ranges to restrict access to
specific instances or groups of instances.
After you launch a CloudLink instance in a VPC, you can change its security groups. You can also change the
rules of a security group, and those changes are automatically applied to all virtual servers that are associated
with the security group.
NOTE: The rules you create for use with a security group for a VPC cannot reference a security group from the EC2
environment.
For more information on VPC security groups, refer to the AWS VPC user guide.
2.5.2 Security Groups in EC2 Environments
Since private IP addresses are non-persistent in an EC2 environment, access rules must be based on security
groups and not on IP addresses. You can create additional security groups and associate them with designated
virtual servers. You then add the security groups to inbound rules of the CloudLink instance security group.
For increased access control, you can configure the CloudLink instance encrypted storage as an iSCSI share,
then use a Windows server as the SMB server and configure Windows ACL capabilities.
After you launch a CloudLink instance in an EC2 environment, you cannot change its security groups. However,
you can add rules to or remove rules from a security group, and those changes are automatically applied to all
instances that are associated with the security group.
NOTE: The rules you create for use with a security group for EC2 cannot reference a security group from the VPC
environment.
For more information on EC2 security groups, refer to the AWS EC2 user guide.
3 Prerequisites
Before launching a CloudLink instance on the AWS Marketplace, ensure that you have the following:
An AWS account.
An EC2 key pair for SSH access to the instance. You can use an existing key pair or create one during the
deployment process.
Access to the AWS documentation at http://aws.amazon.com/documentation.
Access to the CloudLink documentation available on the CloudLink page in the AWS Marketplace:
o CloudLink Amazon Web Services Deployment Guide (this guide)
o CloudLink Amazon Web Services Administration Guide
4 CloudLink Deployment
The CloudLink instance is deployed with the Launch with EC2 Console method and is capable of supporting
multiple EBS volumes totalling up to 10 TB or 1 TB, depending upon the edition licensed, that can be configured
as standard or Provisioned Input/Output Operations per Second (IOPS) volumes. In this deployment model, as
storage requirements grow, additional storage can be added to the CloudLink instance or additional CloudLink
instances can be added to the AWS environment.
The CloudLink instance ACL is initially configured to deny access to all servers. Once security group
configuration is complete and applied to the designated instances, you can change the CloudLink instance ACL
setting to allow access to all instances. The security group settings will act as a virtual firewall and filter access
to the encrypted storage of the CloudLink instance.
The port requirements for CloudLink are as follows. Ports are inbound to the CloudLink instance unless noted;
open only the storage ports for the storage mode you configure, and restrict the management ports to
administrator addresses.
CloudLink ports:
o TCP: 8443 (HTTPS) for administrator access to CloudLink Center.
o UDP: 514, outbound from CloudLink, to send the CloudLink Center logs to a syslog server.
o TCP: 443, outbound from CloudLink, if RSA DPM is implemented as a key store.
o TCP: 389, outbound from CloudLink, if Active Directory is implemented as a key store.
iSCSI ports:
o TCP: 860 and 3260
NFS ports:
o TCP: 111, 2049, and 32666
SMB ports:
o TCP and UDP: 135, 137, 138, and 139
o TCP: 445
For SSH access to the CloudLink instance, enable inbound TCP port 22 from administrator addresses only.
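The port list above and the security-group model of section 2.5, turned into a least-privilege rule set, as an added example that is not part of the CloudLink guide. It builds the AWS IpPermissions document for the CloudLink instance's security group: management ports only from an administrator CIDR, storage ports only from the security group of the client instances (the second-security-group pattern from 2.5.1 and 2.5.2), and only for the storage mode(s) actually in use. The outbound ports (UDP 514, TCP 443, TCP 389) are deliberately left out of the ingress set. Security group IDs and CIDRs are constructed examples; the `aws ec2 authorize-security-group-ingress` call is the standard AWS CLI command.

```python
"""Least-privilege inbound rules for a CloudLink instance's security group.

Added example, not from the CloudLink guide. Group IDs and CIDRs are constructed.
"""
import ipaddress
import json

# Inbound ports from the guide's port list, keyed by storage mode.
STORAGE_PORTS = {
    "nfs": [("tcp", 111), ("tcp", 2049), ("tcp", 32666)],
    "smb": [(proto, port) for port in (135, 137, 138, 139) for proto in ("tcp", "udp")]
           + [("tcp", 445)],
    "iscsi": [("tcp", 860), ("tcp", 3260)],
}
CENTER_PORT = ("tcp", 8443)   # CloudLink Center HTTPS
SSH_PORT = ("tcp", 22)
# UDP 514, TCP 443 and TCP 389 are connections *from* CloudLink (syslog, RSA DPM,
# Active Directory) and belong in egress rules, so they are not listed here.


def _permission(proto, port, *, cidr=None, source_group=None, description=""):
    """One IpPermissions entry for a single port, sourced from a CIDR or a group."""
    entry = {"IpProtocol": proto, "FromPort": port, "ToPort": port}
    if cidr:
        entry["IpRanges"] = [{"CidrIp": cidr, "Description": description}]
    if source_group:
        entry["UserIdGroupPairs"] = [{"GroupId": source_group, "Description": description}]
    return entry


def build_ingress(modes, client_group, admin_cidr, allow_ssh=False):
    """Return the IpPermissions list for the CloudLink instance's security group.

    modes        storage modes in use, e.g. ["nfs"] or ["smb", "iscsi"]
    client_group security group attached to the instances that mount the storage
    admin_cidr   where CloudLink Center (and optionally SSH) may be reached from
    """
    if ipaddress.ip_network(admin_cidr).prefixlen == 0:
        raise ValueError("management ports must not be open to 0.0.0.0/0")
    unknown = set(modes) - set(STORAGE_PORTS)
    if unknown:
        raise ValueError(f"unknown storage mode(s): {sorted(unknown)}")
    perms = [_permission(*CENTER_PORT, cidr=admin_cidr, description="CloudLink Center admin")]
    if allow_ssh:
        perms.append(_permission(*SSH_PORT, cidr=admin_cidr, description="SSH admin"))
    for mode in modes:
        for proto, port in STORAGE_PORTS[mode]:
            perms.append(_permission(proto, port, source_group=client_group,
                                     description=f"{mode} storage clients"))
    return perms


def authorize_command(group_id, perms):
    """The aws CLI call that applies `perms` to security group `group_id`."""
    return ("aws ec2 authorize-security-group-ingress "
            f"--group-id {group_id} --ip-permissions '{json.dumps(perms)}'")


if __name__ == "__main__":
    rules = build_ingress(["nfs"], "sg-0123456789abcdef0", "203.0.113.0/24", allow_ssh=True)
    print(authorize_command("sg-0fedcba9876543210", rules))
```

In EC2-Classic the security group cannot be changed after launch (2.5.2), so apply the rules to the group you select at launch; in a VPC you can also swap groups later. Either way, rules that reference the client group keep working when client instances change private IP addresses, which is the whole point of the guide's recommendation.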
4.1 CloudLink Deployment in VPC
The Launch with EC2 Console method allows you to configure a CloudLink instance to meet your requirements
for the VPC environment.
To deploy a CloudLink AMI instance in a VPC environment:
1. Log on to the AWS Marketplace with your AWS account credentials.
2. Locate the AFORE Solutions CloudLink products on the AWS Marketplace website.
3. Select either of the following CloudLink products:
AFORE CloudLink® NAS Encryption – 10 TB Edition
AFORE CloudLink® NAS Encryption – 1 TB Edition
4. From the CloudLink product page, click Continue.
5. Select a version.
6. Click Accept Terms (only required if you have not previously accepted the terms).
7. Click the Launch with EC2 Console button for the desired region.
8. Step 2 (Choose an Instance Type) of the EC2 launch wizard appears.
9. Select the m3.medium instance type or a larger instance type.
10. Click Next to proceed to Step 3.
11. For the Network parameter, select an existing VPC or click Create new VPC.
If you selected Create new VPC, the VPC console is launched. Click Create VPC and configure the
VPC parameters to suit your environment and return to the EC2 console to resume deployment. You
then select the new VPC as the Network parameter and create a subnet for the VPC.
12. Checkmark the Automatically assign a public IP address to your instances checkbox to assign a
public IP address to the CloudLink instance.
13. Click Next to proceed to Step 4.
14. Add the necessary EBS volumes up to a maximum of 10 TB or 1 TB depending upon the CloudLink
edition selected. Log the snapshot identifiers of all EBS volumes and store them in a safe place. You
can use the worksheet in Appendix A: AWS Deployment Worksheet on page 32 to log your
configuration.
NOTES:
You can also add EBS volumes after deployment, see the CloudLink Amazon Web Services
Administration Guide.
Newer Linux kernels may present the devices as /dev/xvd* rather than /dev/sd*.
15. Ensure that the Delete on Termination checkbox is unchecked for all EBS volumes. Otherwise, all
data on the EBS volumes will be lost on termination of the CloudLink instance.
16. Click Next to proceed to Step 5.
17. Enter a string for the Name tag in the Value field. This string will be used as the CloudLink hostname.
18. Click Next to proceed to Step 6.
19. Create a new security group or select an existing security group. Only security groups from the VPC
environment are available.
NOTE: At this point, you can only configure inbound rules. Once deployed, you can change the inbound
rules and the default outbound rules.
20. Click Review and Launch.
21. Confirm your settings and click Launch.
22. From the Key Pair dialog, select an existing key pair or create a new key pair.
A key pair consists of a public key that AWS stores and a private key file that you keep. Together they
allow you to connect to your CloudLink instance securely: for the CloudLink AMIs, the private key file is
what lets you log in to the instance over SSH, so protect it as you would any administrative credential.
23. Click Launch Instances to launch the CloudLink instance and view the instance identifier from the
Launch Status window.
24. Click View Instances to access the EC2 console and view the new VPC CloudLink instance.
25. Access the CloudLink instance’s security group from the EC2 console and modify the inbound and
outbound rules to suit your environment and security requirements.
You have deployed an instance of the CloudLink AMI in a VPC environment. The CloudLink instance has a
static private IP address and a public IP address that allows you to reach the instance from the Internet. If
the CloudLink instance is stopped and started, a new public IP address will be assigned to it; the private IP
address does not change.
To configure the CloudLink environment, proceed to 5 Configuring the CloudLink Environment on page 19.
4.2 CloudLink Deployment in EC2
The Launch with EC2 Console method allows you to configure a CloudLink instance to meet your requirements
for the EC2 environment.
To deploy a CloudLink AMI instance in an EC2 environment:
1. Log on to the AWS Marketplace with your AWS account credentials.
2. Locate the AFORE Solutions CloudLink products on the AWS Marketplace website.
3. Select either of the following CloudLink products:
AFORE CloudLink® NAS Encryption – 10 TB Edition
AFORE CloudLink® NAS Encryption – 1 TB Edition
4. From the CloudLink product page, click Continue.
5. Select a version.
6. Click Accept Terms (only required if you have not previously accepted the terms).
7. Click the Launch with EC2 Console button for the desired region.
8. Step 2 (Choose an Instance Type) of the EC2 launch wizard appears.
9. Select the m3.medium instance type or a larger instance type.
10. Click Next to proceed to Step 3.
11. For the Network parameter, select Launch into EC2-Classic and configure the remaining parameters
to suit your environment.
12. Click Next to proceed to Step 4.
13. Add the necessary EBS volumes up to a maximum of 10 TB or 1 TB depending upon the CloudLink
edition selected. Log the snapshot identifiers of all EBS volumes and store them in a safe place. You
can use the worksheet in Appendix A: AWS Deployment Worksheet on page 32 to log your
configuration.
NOTES:
You can also add EBS volumes after deployment, see the CloudLink Amazon Web Services
Administration Guide.
Newer Linux kernels may present the devices as /dev/xvd* rather than /dev/sd*.
14. Ensure that the Delete on Termination checkbox is unchecked for all EBS volumes. Otherwise, all
data on the EBS volumes will be lost on termination of the CloudLink instance.
15. Click Next to proceed to Step 5.
16. Enter a string for the Name tag in the Value field. This string will be used as the CloudLink hostname.
17. Click Next to proceed to Step 6.
18. Create a new security group or select an existing security group. Only security groups from the EC2
environment are available.
NOTE: At this point, you can only configure inbound rules. Once deployed, you can change the inbound
rules.
19. Click Review and Launch.
20. Confirm your settings and click Launch.
21. From the Key Pair dialog, select an existing key pair or create a new key pair.
A key pair consists of a public key that AWS stores, and a private key file that you store. Together, they
allow you to connect to your CloudLink instance securely. For the CloudLink AMIs, the private key file
allows you to use SSH to log in to your CloudLink instance.
22. Click Launch Instances to launch the CloudLink instance and view the instance identifier from the
Launch Status window.
23. Click View Instances to access the EC2 console and view the new EC2 CloudLink instance.
24. Access the CloudLink instance’s security group from the EC2 console and modify the inbound rules to
suit your environment and security requirements.
25. From the EC2 console, you can assign an EIP address to the CloudLink instance. The EIP is a public
static IP address that belongs to your AWS account. If the CloudLink instance is stopped and restarted,
you must re-associate the EIP with the CloudLink instance. A reboot of the CloudLink instance does not
require re-association.
a. Under Network and Security, click Elastic IPs and then click Allocate New Address.
b. From the Allocate New Address dialog, select EC2 and click Yes, Allocate.
c. Observe the new IP address in the EIP window.
d. Select the new IP address and click Associate Address.
e. From the Associate Address dialog, select the CloudLink instance and click Associate.
f. Observe the results in the Elastic IP window.
g. Click Instances and select the CloudLink instance. Observe the parameters from the
Description tab.
h. To view the security group configuration, click the view rules link in the Description tab.
You have deployed an instance of the CloudLink AMI in an EC2 environment. The CloudLink instance has a
non-static private IP address and a static public EIP address.
To configure the CloudLink environment, proceed to 5 Configuring the CloudLink Environment on page 19.
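The EBS volume steps of both procedures above (steps 14 and 15 in the VPC procedure, steps 13 and 14 in the EC2 procedure) as a planning and audit script, added here as an example that is not part of the CloudLink guide. It builds the block-device mappings for the data volumes with Delete on Termination explicitly off, enforces the limits the guide states for this release (at most 1 TB per EBS volume, at most 1 TB or 10 TB in total by edition), and audits an existing mapping list for volumes that would be destroyed when the instance is terminated. Device names follow the guide's sdb, sdc, ... sequence (the guest may show them as /dev/xvd*); the volume sizes and the sample mappings are constructed.

```python
"""Plan and audit the EBS data volumes attached to a CloudLink instance at launch.

Added example, not from the CloudLink guide. Limits are those the guide states for
this release; sizes and sample mappings are constructed.
"""
import json

EDITION_LIMIT_GB = {"1TB": 1024, "10TB": 10 * 1024}
MAX_EBS_VOLUME_GB = 1024          # per-volume EBS limit quoted in the guide
MAX_DATA_VOLUMES = 25             # /dev/sdb .. /dev/sdz


def plan_block_devices(edition, sizes_gb, volume_type="standard", iops=None):
    """Build RunInstances BlockDeviceMappings for the CloudLink data volumes.

    Every mapping sets DeleteOnTermination to False so that terminating the
    CloudLink instance does not destroy the encrypted data. volume_type is
    "standard" or "io1" (Provisioned IOPS); io1 requires an Iops value.
    Raises ValueError when the layout exceeds the edition or per-volume limits.
    """
    if edition not in EDITION_LIMIT_GB:
        raise ValueError(f"unknown edition {edition!r}")
    if not sizes_gb or len(sizes_gb) > MAX_DATA_VOLUMES:
        raise ValueError(f"need between 1 and {MAX_DATA_VOLUMES} data volumes")
    total = sum(sizes_gb)
    if total > EDITION_LIMIT_GB[edition]:
        raise ValueError(f"{total} GB exceeds the {edition} edition limit")
    if volume_type == "io1" and not iops:
        raise ValueError("Provisioned IOPS (io1) volumes need an Iops value")
    mappings = []
    for index, size in enumerate(sizes_gb):
        if size > MAX_EBS_VOLUME_GB:
            raise ValueError(f"volume {index} is {size} GB; limit is {MAX_EBS_VOLUME_GB} GB")
        ebs = {"VolumeSize": size, "VolumeType": volume_type, "DeleteOnTermination": False}
        if volume_type == "io1":
            ebs["Iops"] = iops
        mappings.append({"DeviceName": f"/dev/sd{chr(ord('b') + index)}", "Ebs": ebs})
    return mappings


def volumes_lost_on_terminate(mappings):
    """Device names not explicitly protected with DeleteOnTermination=False.

    A mapping that omits the flag inherits the AWS default rather than the value
    we intend, so it is reported as well; only an explicit False is accepted.
    """
    return [m["DeviceName"] for m in mappings
            if m.get("Ebs", {}).get("DeleteOnTermination") is not False]


if __name__ == "__main__":
    plan = plan_block_devices("10TB", [1024, 1024, 512])
    # Paste into: aws ec2 run-instances ... --block-device-mappings '<json>'
    print(json.dumps(plan, indent=2))
    print("unprotected:", volumes_lost_on_terminate(plan))
```

Run the audit again after deployment against the instance's actual block-device mappings (for example the `BlockDeviceMappings` field of `aws ec2 describe-instances`), since the console setting is easy to miss and the consequence is loss of the encrypted volumes, not just the instance.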
5 Configuring the CloudLink Environment
After you deploy a CloudLink instance on AWS, you must access CloudLink Center on the CloudLink instance
and configure the CloudLink environment before you can access the encrypted storage from the designated
virtual servers. Proceed as follows:
1. Access CloudLink Center on the CloudLink instance, see 5.1.1 Accessing CloudLink Center on page 20.
2. Change the default secadmin user account password, see 5.1.2 Changing the secadmin Password
on page 20.
3. Assign storage licenses to the storage volumes, see 5.1.3 Assigning Licenses to the Storage
Volumes on page 21.
4. Split the volume if desired (CloudLink merges all storage volumes at deployment time), see 5.1.4
Splitting a Volume on page 21.
5. Specify the storage type (NFS/SMB or iSCSI), see 5.1.5 Changing the Volume Type on page 22.
6. Set the write mode for the storage volumes, see 5.1.6 Changing the Volume Write Mode to Async on
page 23.
7. Format the storage volume(s), see 5.1.7 Formatting the Volumes on page 24.
8. Configure access rights to the storage volumes:
For SMB/NFS, see 5.1.8 Configuring NFS/SMB Access to Secure Storage on page 25.
For iSCSI, see 5.1.9 Configuring iSCSI Access to Secure Storage on page 26.
For information on how to access a storage volume, see 6 Accessing the Secure Storage on page 29.
For additional information on configuring and managing the CloudLink environment, refer to the CloudLink
Amazon Web Services Administration Guide.
5.1.1 Accessing CloudLink Center
To connect to CloudLink Center on the CloudLink instance:
1. In your Web browser, type the URL of the CloudLink instance in the format
https://IpAddress:8443 or https://fqdn:8443, where IpAddress is the public interface IP and fqdn is the
fully qualified domain name (FQDN).
2. The CloudLink Center home page appears in your browser.
3. Log in. The default Username is secadmin and the default Password is your AWS instance ID. The
instance ID is not a secret (it is visible in the EC2 console and to any principal allowed to describe
instances), so change this password immediately, see 5.1.2 Changing the secadmin Password on page 20.
5.1.2 Changing the secadmin Password
To change the default secadmin password:
1. Log in as a secadmin user. The default password is your AWS instance ID.
(see 5.1.1 Accessing CloudLink Center on page 20).
2. From the Topology Tree, select the CloudLink instance.
3. Click the Administration tab.
4. From the Options panel, select User Accounts.
5. In the User name list, right-click the secadmin account and click Change password.
6. In the Change password window, enter the new password and confirm the new password.
7. Click OK.
5.1.3 Assigning Licenses to the Storage Volumes
Storage licenses form part of the CloudLink instances; depending upon the edition selected, either a 10 TB
or a 1 TB license is included.
To assign a storage license to a CloudLink instance:
1. Log in as a secadmin or admin user (see 5.1.1 Accessing CloudLink Center on page 20).
2. From the Topology Tree, select a CloudLink instance.
3. Select the Storage tab.
4. From the Options panel, select the License option.
5. From the License Assignment panel, select the storage license from the Available Licenses
dropdown list.
6. Click Assign to assign the storage license.
7. Observe the graph in the License Usage panel.
5.1.4 Splitting a Volume
When you create more than one volume at instantiation, CloudLink automatically merges the volumes into a
single volume. You can split the aggregated volume back into separate volumes, with each volume being
encrypted with a unique encryption key.
NOTE: Splitting a volume results in the loss of all data on the EBS volume. Ensure any data associated with the
CloudLink EBS volume is backed up before proceeding.
The storage volume names will be secure0-xx where xx starts at 01. The Device rows will show the original
device names, for example, sdb, sdc, sdd, and sde. The displayed Size of the volumes will show the original
disk sizes.
The results of a volume split are as follows:
All data previously stored on the combined volume is lost.
The storage key for the volume is lost and the ACL configuration is lost.
The storage write mode is set to Sync.
To split a volume:
1. Log in as a secadmin user (see 5.1.1 Accessing CloudLink Center on page 20).
2. From the Topology Tree, select a CloudLink instance.
3. Click the Storage tab then the Configuration tab.
4. Click Volumes in the Options panel.
5. From the Volumes panel, right-click the volume and select Split. Click Yes in the confirmation window.
6. Once the Storage tab reappears, select it to view the results.
5.1.5 Changing the Volume Type
You can change the volume type of a volume from NFS/SMB to iSCSI and from iSCSI to NFS/SMB.
Server Message Block (SMB) shares, also referred to as Common Internet File System (CIFS) shares, are
primarily used in Windows operating systems.
Network File System (NFS) shares are primarily used in Unix and Linux based operating systems. When
working with NFS you mount a remote folder to a local path.
The Internet Small Computer System Interface (iSCSI) provides better performance for raw I/O and is used for
databases/clusters.
The results of a change in volume type are as follows:
All data on the disk is lost.
The storage keys are lost and the ACL configuration is lost.
The storage write mode is set to Sync.
To access a CloudLink instance’s secure storage over iSCSI, you must also configure the CHAP credentials that
the iSCSI initiator presents when accessing the instance’s iSCSI target. For more information, see the CloudLink Amazon
Web Services Administration Guide.
To change the volume type for a storage volume:
1. Log in as a secadmin user (see 5.1.1 Accessing CloudLink Center on page 20).
2. From the Topology Tree, select a CloudLink instance.
3. Click the Storage tab then the Configuration tab.
4. Click Volumes in the Options panel.
5. Right-click a NFS/SMB volume and select Change volume type to iSCSI or right-click an iSCSI
volume and select Change volume type to NFS/SMB.
6. Observe that the volume type has changed in the Volumes panel.
NOTE: If the new volume type is iSCSI, you must mount the volume as an iSCSI target from the disk
management facility on the client PC and configure the CHAP credentials that the initiator presents when accessing the
iSCSI target.
5.1.6 Changing the Volume Write Mode to Async
The default write mode for NFS/SMB and iSCSI EBS volumes is synchronous (sync). You can change the write
mode to asynchronous for the purpose of reducing data transfer times to EBS volumes. In the asynchronous
write mode, loss of data can occur under network failure scenarios.
NOTE: After changing the write mode for an iSCSI volume, you must reactivate the disk from the disk
management facility on the client PC.
To change the write mode of a volume to async:
1. Log in as a secadmin or admin user (see 5.1.1 Accessing CloudLink Center on page 20).
2. From the Topology Tree, select a CloudLink instance.
3. Click the Storage tab then the Configuration tab.
4. Click Volumes in the Options panel.
5. From the Volumes panel, right-click a volume and select Change Write Mode to async.
NOTE: You can change the mode back to sync at any time. See the CloudLink Amazon Web Services
Administration Guide for details.
5.1.7 Formatting the Volumes
To format a storage volume:
1. Log in as a secadmin or admin user (see 5.1.1 Accessing CloudLink Center on page 20).
2. From the Topology Tree, select a CloudLink instance.
3. Click the Storage tab then the Configuration tab.
4. Click Key in the Options panel.
5. Select one or more volumes and right-click a selected volume.
6. Select Format from the menu.
The format operation formats the disk and makes old data unusable. The generated key has a name in the
following format:
volumeName_yyyyMMdd_HHmmss.key
where:
volumeName - the name of the volume
yyyyMMdd - the key generation date
HHmmss - the key generation time
For example, secure0-01_20131008_033222.key
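An added Python example, not code from the guide or the CloudLink product: a parser for the key-name format above, plus a helper that picks the newest key per volume from a list of key names, which is handy when checking an exported key set. The sample names are constructed; only the first is the guide's own example.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Generated key names follow volumeName_yyyyMMdd_HHmmss.key. The volume name itself
# may contain '-' (secure0-01), so the pattern anchors on the two fixed-width digit
# fields and the .key suffix instead of splitting on every underscore.
KEY_NAME_RE = re.compile(r"^(?P<volume>.+)_(?P<date>\d{8})_(?P<time>\d{6})\.key$")


def parse_key_name(name: str) -> Optional[Tuple[str, datetime]]:
    """Return (volumeName, generation timestamp), or None if this is not a key name."""
    m = KEY_NAME_RE.match(name)
    if not m:
        return None
    try:
        stamp = datetime.strptime(m["date"] + m["time"], "%Y%m%d%H%M%S")
    except ValueError:  # right shape but not a real date/time (e.g. month 13)
        return None
    return m["volume"], stamp


def latest_key_per_volume(names: List[str]) -> Dict[str, str]:
    """Map each volume name to its most recently generated key name.

    Non-key file names are ignored. Each format operation generates a new key, so
    the newest key name per volume is the one belonging to the current format.
    """
    newest: Dict[str, Tuple[datetime, str]] = {}
    for name in names:
        parsed = parse_key_name(name)
        if parsed is None:
            continue
        volume, stamp = parsed
        if volume not in newest or stamp > newest[volume][0]:
            newest[volume] = (stamp, name)
    return {volume: key_name for volume, (_, key_name) in newest.items()}


# Constructed sample listing, not a real export; the first entry is the guide's example.
SAMPLE_KEY_NAMES = [
    "secure0-01_20131008_033222.key",
    "secure0-01_20131009_101500.key",   # same volume, formatted again a day later
    "secure0-02_20131008_033230.key",
    "notes.txt",                        # not a key file
    "secure0-03_20131399_000000.key",   # well-formed but impossible date
]
```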
To retain access to the secure storage in the event of an unrecoverable failure of the CloudLink instance, you
should export and securely save all keys before storing data on the volumes. All keys are exported as a set into
a single file. The exported keys will allow you to access the storage volumes from another CloudLink instance.
NOTE: Active Directory (AD) or RSA DPM can be used as a key store. For more information, see the CloudLink
Amazon Web Services Administration Guide.
5.1.8 Configuring NFS/SMB Access to Secure Storage
To access a CloudLink instance’s secure storage over NFS/SMB, you configure which instances are granted
access to the secure storage. For CloudLink instances in an AWS environment, you simply allow all machines
connected to the CloudLink instance’s private subnet. The AWS security groups configured as part of deployment
act as a virtual firewall that controls traffic into the CloudLink instance’s secure storage.
To configure the ACL to provide access to the storage for all members:
1. Log in as a secadmin user (see 5.1.1 Accessing CloudLink Center on page 20).
2. From the Topology Tree, select a CloudLink instance.
3. Click the Storage tab then the Configuration tab.
4. In the Options panel, click Access.
5. Select a volume from the Volume Name dropdown list.
6. Click the IP Address dropdown list, and select Any.
7. Click Add.
NOTE: All IP entries in the Access Control List must be deleted before you can select Any.
The Access Control List will display the subnet(s) that will be granted access to the secure storage.
Once access to a secure storage has been granted, the storage is made available to those devices over
NFS/SMB that form part of the proper AWS security groups. For more information, see 6 Accessing the Secure
Storage on page 29.
5.1.9 Configuring iSCSI Access to Secure Storage
To access a CloudLink instance’s secure storage over iSCSI, you must configure the CHAP credentials that the
iSCSI initiator presents when accessing the iSCSI target (that is, one-way CHAP authentication, in which the target
authenticates the initiator).
Optionally, for mutual CHAP authentication, you can also configure CHAP credentials that the CloudLink
instance presents to the iSCSI initiator, so that the initiator authenticates the target as well.
This section shows you how to:
Configure one-way CHAP authentication.
Configure mutual CHAP authentication.
To configure one-way CHAP authentication:
1. Log in as a secadmin user (see 5.1.1 Accessing CloudLink Center on page 20).
2. From the Topology Tree, select a CloudLink instance.
3. Click the Storage tab then the Configuration tab.
4. From the Options panel, click Access.
5. Select the encrypted volume for which you are configuring access from the Volume Name dropdown
list in the Volume panel.
6. If the Access Control List is empty, then there are no credentials configured for accessing the iSCSI
storage and the storage is therefore inaccessible. Set the ACL configuration to Any.
7. Enter a CHAP user name in the User Name field and a corresponding secret in the Secret field. This
user name and secret combination will be used to authenticate the iSCSI initiator.
8. Select Incoming User in the User Type dropdown list and click Add.
NOTES:
You must configure the iSCSI initiator(s) you wish to connect to with one of the Incoming User
credentials specified in the Access Control List.
The iSCSI Qualified Name (IQN) field is not used for this release.
To configure mutual CHAP authentication:
1. Configure one-way CHAP authentication as described in this section.
2. Enter a CHAP user name in the User Name field and a corresponding secret in the Secret field. This
user name and secret combination will be used to authenticate the CloudLink iSCSI target to the
initiator.
3. Select Outgoing User in the User Type dropdown list and click Add.
NOTES:
You can configure only one Outgoing User credential for each volume.
You must configure the iSCSI initiator(s) you wish to connect to with an Outgoing User
credential specified in the Access Control List for mutual authentication.
The iSCSI Qualified Name (IQN) field is not used for this release.
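The one-way and mutual CHAP exchanges configured in this section, as an added Python example that is not part of the guide or the CloudLink product: the target verifies the initiator's Incoming User credential, and in mutual mode the initiator then verifies the target's single Outgoing User credential. The response computation is CHAP's MD5 algorithm as iSCSI uses it (RFC 1994); the dictionary shapes, user names and secrets are assumptions constructed for the example.

```python
import hashlib
import hmac
import os


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP_R = MD5(CHAP_I || secret || CHAP_C): the MD5 CHAP algorithm iSCSI uses (RFC 1994)."""
    return hashlib.md5(bytes([chap_id & 0xFF]) + secret + challenge).digest()


def chap_check(chap_id: int, challenge: bytes, secret, response: bytes) -> bool:
    """Authenticator side: recompute the expected response and compare in constant time."""
    if secret is None:  # no credential stored for that user name, so nothing to check against
        return False
    return hmac.compare_digest(chap_response(chap_id, secret, challenge), response)


def iscsi_chap_login(target_acl: dict, initiator: dict, mutual: bool = False) -> tuple:
    """Simulate the CHAP phase of an iSCSI login (assumed shapes, not CloudLink's API):
    target_acl = {"incoming_users": {name: secret}, "outgoing_user": (name, secret) or None}
    initiator  = {"incoming_user": (name, secret), "target_user": (name, secret) or None}
    Returns (accepted, reason)."""
    # Step 1, one-way CHAP: the target challenges the initiator, which answers with the
    # Incoming User credential it was configured with; the target checks it against the ACL.
    chap_id, challenge = 1, os.urandom(16)
    name, secret = initiator["incoming_user"]
    response = chap_response(chap_id, secret, challenge)
    if not chap_check(chap_id, challenge, target_acl["incoming_users"].get(name), response):
        return False, "initiator rejected: unknown Incoming User or wrong secret"
    if not mutual:
        return True, "one-way CHAP succeeded"
    # Step 2, mutual CHAP: the initiator challenges the target, which answers with the
    # volume's single Outgoing User credential; the initiator checks it against its own copy.
    if target_acl.get("outgoing_user") is None:
        return False, "target rejected: no Outgoing User configured for mutual CHAP"
    chap_id, challenge = 2, os.urandom(16)
    t_name, t_secret = target_acl["outgoing_user"]
    t_response = chap_response(chap_id, t_secret, challenge)
    expected = initiator.get("target_user")
    if expected is None or expected[0] != t_name or not chap_check(chap_id, challenge, expected[1], t_response):
        return False, "target rejected: Outgoing User name or secret does not match"
    return True, "mutual CHAP succeeded"


# Constructed sample credentials for the example (not real deployment values).
SAMPLE_ACL = {"incoming_users": {"initiator1": b"in-secret-example"},
              "outgoing_user": ("cloudlink-target", b"out-secret-example")}
SAMPLE_INITIATOR = {"incoming_user": ("initiator1", b"in-secret-example"),
                    "target_user": ("cloudlink-target", b"out-secret-example")}
```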
6 Accessing the Secure Storage
Once access to a CloudLink instance’s secure storage has been granted to virtual servers, the storage is made
available to those devices over NFS/SMB or iSCSI.
If you opted to have the encrypted storage presented as a single volume, the storage volume name is secure0.
If you opted to split the encrypted storage into multiple volumes, the volume name format is secure0-x where x
represents the numerical identifier of the encrypted storage volume, for example, secure0-01 to secure0-12.
6.1.1 Storage Access in an EC2 Environment
To access encrypted secure storage from a Windows machine in an EC2 environment, launch a file browser
from a qualified instance and enter the domain name of the CloudLink instance followed by the secure storage
name. For example, a CloudLink instance with an EIP address of 54.232.178.105, may be accessed as follows:
\\ec2-54-232-178-105.sa-east-1.compute.amazonaws.com\secure0
To test the storage, you can create a folder on the encrypted storage volume.
To access the same encrypted secure storage from a Linux machine, you would mount the share as follows:
mount ec2-54-232-178-105.sa-east-1.compute.amazonaws.com:/secure0 /mnt/folderName
6.1.2 Storage Access in a VPC Environment
To access encrypted secure storage from a Windows machine in a VPC environment, launch a file browser
from a qualified instance and enter the private IP address of the CloudLink instance followed by the secure
storage name. For example, a CloudLink instance with a private IP address of 10.0.0.103 may be accessed as
follows:
\\10.0.0.103\secure0
For external access, you can use the public IP address.
To access the same encrypted secure storage from a Linux machine, you would mount the share as follows:
mount 10.0.0.103:/secure0 /mnt/folderName
7 Terms and Acronyms
ACL Access Control List
AES Advanced Encryption Standard
AMI Amazon Machine Image
AWS Amazon Web Services
AWS Marketplace An online store of software and services to build products and run businesses. AWS Marketplace includes databases, application servers, testing tools, monitoring tools, content management, and business intelligence software.
CHAP Challenge-Handshake Authentication Protocol
CIFS Common Internet File System
DNS Domain Name Server
EBS Elastic Block Store
EC2 Elastic Compute Cloud
EIP Elastic Internet Protocol
FQDN Fully Qualified Domain Name
GB Gigabyte
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
I/O Input/Output
IOPS Input/Output Operations per Second
IP Internet Protocol
iSCSI Internet Small Computer System Interface
NFS Network File System
PIN Personal Identification Number
RDP Remote Desktop Protocol
SG Security Group
SMB Server Message Block
SSH Secure Shell
TB Terabyte
TCP Transmission Control Protocol
UDP User Datagram Protocol
vDC Virtual Data Center
VM Virtual Machine
VPC Virtual Private Cloud
Appendix A: AWS Deployment Worksheet
After deployment and before using the encrypted storage you should log the AWS AMI instance configuration to
help you correlate the CloudLink instances to their components.
CloudLink Instance Name:
Region / Availability Zone:
VPC Id. (vpc-):
AMI Id:
Instance Id. (i-):
Public DNS (ec2-):
Private DNS (ip-):
EIP Address:
Security groups (sg-):
Volumes (vol-) / Snapshots (snap-):
Other: