03-DSM-setup-V1.3
Configuring the Vormetric Data Security Manager
Lab Exercises:
Vormetric Software
Vormetric Corporation Inc, 2012 Page 2
Contents
Introduction
Part 1 Configure the DSM
1.1 Set the DSM timezone, date, and time
1.2 Configure DSM networking
1.3 Update DSM hostname
1.4 Setup the NTP (optional)
1.5 Configure name resolution
1.6 Generate the certificate authority
Part 2 Configure the failover DSM
2.1 Set the DSM timezone, date, and time
2.2 Configure failover DSM networking
2.3 Update DSM hostname
2.4 Setup the NTP (optional)
2.5 Configure name resolution
2.6 Test networking between DSMs
Part 3 Configure HA pairing
3.1 Enable the primary DSM for communication to the failover
3.2 Convert the failover DSM
3.3 Synchronize the primary and failover DSM
Additional Tasks
Appendix A. Reference Material
Appendix B. FAQs
Introduction
The purpose of this lab is to introduce the setup of the Vormetric Data Security Manager (DSM)
appliance. After completing the lab you will be able to perform the significant administrative
tasks of DSM setup including:
Configuring DSM networking
Configuring DSM date and time information
Changing the default CLI password
Generating the DSM Certificate Authority
Setting up DSM high availability
Backing up the DSM
Lab Architecture
At the completion of the Lab you will have generated the DSM setup as illustrated in Figure 1.
Figure 1 Lab Architecture
[Figure: Web Based Management Console (hostname = admin-gui); ports shown: TCP/50000, TCP/8445]
Primary DSM: hostname = dsm-server-1, eth0 = 192.168.10.10, eth1 = (tbd) [public]
Failover DSM: hostname = dsm-server-2, eth0 = 192.168.10.11 (private), eth1 = (tbd) [public]
User ID and password list
Table 1 lists the User IDs and passwords used in the lab. You may be prompted to update the
password while performing the lab tasks. You may use a new password of your choosing or
use the recommended password update.
Table 1 User IDs and password
Server User ID Default Password Recommended Update
1 DSM servers cliadmin cliadmin123
2 Web Console admin admin123 Admin123!
3 admin-gui Administrator Admin123!
Part 1 Configure the DSM
A DSM is preconfigured with all the necessary software components installed. The only
customization required is to update the DSM configuration with relevant networking and
geography information for your location. The configuration of the DSM includes:
Date and time
Networking
CA generation
1.1 Set the DSM timezone, date, and time
Time is an interesting component of DSM setup. Time configuration is important not only for
knowing when an event happened; certificate exchange is also time sensitive. If the time
difference between the DSM and a certificate signing requester is too large, based on GMT
not absolute time, the signing request will fail. Ensuring that the date/time of the DSM and
of any agent systems is close to accurate will solve this issue.
__1. Login to the DSM, dsm-server-1, ID = cliadmin and password = cliadmin123
Note: The DSM CLI has a very limited command structure. To view the current command options, type ?. To move between command groups, type the name of the command group you wish to use, for example network. To return to the previous command group from within a command group, type up.
__2. Type ? to view current command group.
__1. Type maintenance to move to the maintenance command group
Note: You do not have to type in the entire word as long as you type enough of the keyword to be unique. Example: maint would be sufficient
__2. List the command options using ?
__3. View the current settings for date, time, and time zone
date
time
gmttimezone show
__4. List the time zones available
gmttimezone list
__5. Set the time zone for your locale
gmttimezone set America/Chicago
__6. Set date
date 08/17/2012 [use current date]
__7. Set time
time 09:43:00 [use current time]
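Why the time zone is set before the date and time, as an added example (not part of the original lab guide): it reads the guide's "based on GMT" as comparing UTC instants, and shows a requester with a different wall clock passing while one with the same wall clock but an unset zone fails. The 5-minute tolerance, the function names and the sample clocks are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Fixed offset so the example runs without a tz database: America/Chicago
# observes CDT (UTC-5) on the lab's sample date, 08/17/2012.
CDT = timezone(timedelta(hours=-5), "CDT")

# Assumed tolerance for illustration; the lab guide gives no figure.
MAX_SKEW = timedelta(minutes=5)


def to_utc(wall_clock: str, zone: timezone) -> datetime:
    """Read a 'MM/DD/YYYY HH:MM:SS' wall clock as local time in `zone`."""
    naive = datetime.strptime(wall_clock, "%m/%d/%Y %H:%M:%S")
    return naive.replace(tzinfo=zone).astimezone(UTC)


def skew(a: datetime, b: datetime) -> timedelta:
    """Absolute difference between two timezone-aware timestamps."""
    return abs(a - b)


def within_tolerance(dsm: datetime, peer: datetime,
                     max_skew: timedelta = MAX_SKEW) -> bool:
    """True when the two clocks agree closely enough once both are in UTC."""
    return skew(dsm, peer) <= max_skew


# Constructed sample clocks (not captured from a real system).
DSM = to_utc("08/17/2012 09:43:00", CDT)        # zone set, then date/time
AGENT_OK = to_utc("08/17/2012 14:43:30", UTC)   # different wall clock
AGENT_BAD = to_utc("08/17/2012 09:43:00", UTC)  # same wall clock, zone never set

if __name__ == "__main__":
    for name, peer in (("agent-ok", AGENT_OK), ("agent-bad", AGENT_BAD)):
        verdict = "ok" if within_tolerance(DSM, peer) else "too far apart"
        print(f"{name}: skew {skew(DSM, peer)} -> {verdict}")
```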
1.2 Configure DSM networking
1.2.1 Add eth1 network
__1. Return to the main DSM CLI menu
up
__2. Move to the network command group
network
__3. View the current network settings
ip address show
Note: The default IP address of the DSM eth0 is 192.168.10.1. The easiest way to configure a physical appliance is to attach a network cable between this NIC and a laptop and change the laptop network settings to match the default network of eth0. The best order is to set up eth1 and ensure connectivity to that NIC before changing eth0. Otherwise, if you accidentally set eth0 incorrectly you will lose connectivity and be limited to the serial interface.
__4. Add the IP for network of eth1 [use the network from VMnet8]
ip address add 192.168.6.10/24 dev eth1
Note: Change the IP address and subnet. The network should be the network discovered in Lab 1 for VMnet8. The subnet uses shorthand notation (24 = 255.255.255.0). Refer to Appendix A for a link to the shorthand notation for netmasks.
yes
__5. Ping the eth1 address from the host machine
ping 192.168.6.1
1.2.2 Add default gateway
The only network that can reach the external network given the setup steps of this lab is
VMnet8, the NAT network. The examples used in these steps reflect network 192.168.6.0. Be
sure to use the proper network as discovered in Lab 1 for your VMnet8 environment.
__1. Add a default gateway
ip route add default table main.table via 192.168.6.254
1.2.3 Configure eth0 network
__1. Delete the IP address for eth0
ip address delete 192.168.10.1/16 dev eth0
yes
__2. Add the IP address for eth0
ip address add 192.168.10.10/24 dev eth0
yes
__3. Ping the IP address for eth0
ping 192.168.10.10
__4. Show the IP address setup
ip address show
After configuring the network, you can use an SSH terminal window to connect to the DSM CLI.
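The address arithmetic behind sections 1.2.1 to 1.2.3, as an added example (not part of the original lab guide): it expands the shorthand prefix into a netmask and checks which interfaces treat an address as on-link, before and after eth0 is moved from the default /16 to a /24. The addresses are the lab's sample values; the function names are made up for this illustration.

```python
import ipaddress


def netmask(prefix_len: int) -> str:
    """Expand shorthand such as 24 into dotted form (255.255.255.0)."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix_len}").netmask)


def overlapping(ifaces: dict) -> list:
    """Pairs of interfaces whose directly connected networks overlap."""
    nets = {n: ipaddress.ip_interface(c).network for n, c in ifaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def on_link(ifaces: dict, address: str) -> list:
    """Interfaces whose connected network contains `address`."""
    addr = ipaddress.ip_address(address)
    return [n for n, c in sorted(ifaces.items())
            if addr in ipaddress.ip_interface(c).network]


# Lab sample values: state after 1.2.1/1.2.2 and state after 1.2.3.
BEFORE = {"eth0": "192.168.10.1/16", "eth1": "192.168.6.10/24"}
AFTER = {"eth0": "192.168.10.10/24", "eth1": "192.168.6.10/24"}
GATEWAY = "192.168.6.254"

if __name__ == "__main__":
    print("/24 =", netmask(24), " /16 =", netmask(16))
    for label, plan in (("before 1.2.3", BEFORE), ("after 1.2.3", AFTER)):
        print(label, "overlaps:", overlapping(plan),
              "gateway on-link via:", on_link(plan, GATEWAY))
```

With the default /16 still on eth0, the eth1 subnet and the gateway address both fall inside eth0's range as well; once eth0 is re-added as a /24 they belong to eth1 only.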
1.3 Update DSM hostname
Setting the DSM hostname is very important. The DSM hostname is a significant factor when
generating and registering certificates. Networking changes can be dynamic and do not affect
certificates.
__1. Return to the main DSM CLI menu
up
__2. Move to the system command group
system
__3. Use the setinfo command to set the hostname to dsm-server-1
setinfo hostname dsm-server-1
Note: You can ignore the message about the need to re-sign the server certificate, as the certificate has not been generated.
1.4 Setup the NTP (optional)
It is a good practice to use a time server to synchronize system clocks across your data center
and this includes the DSM. This section will only work with an external network connection.
__1. Return to the main DSM CLI menu
up
__2. Move to the maintenance menu
main
__3. Add ntp server entry
ntpdate add 66.160.141.161
Note: Refer to Appendix A for a list of public NTP servers
__4. Synchronize time with the ntp server
ntpdate sync
__5. Turn ntp service on
ntpdate on
1.5 Configure name resolution
No DNS server is available for performing the lab exercises; in this section you will configure
static name resolution. You will add host entries for the following hosts:
dsm-server-2
data-node-1
__1. Return to the main DSM CLI menu
up
__2. Move to the network menu
Network
__3. Add network entries
host add dsm-server-2 192.168.10.11
host add data-node-1 192.168.10.20
__4. Display the host entries
host show
1.6 Generate the certificate authority
After successful generation of the certificate authority (CA), the DSM will be ready to start
managing data security.
__1. Return to the main DSM CLI menu
up
__2. Move to the system menu
system
__3. Generate the CA
security genca
yes
Note: It is not necessary to edit any of the entries as prompted by the CA generation. None of the entries will be validated against an external registration authority and can be simply bypassed by pressing the Enter/Return key. The CA generation can take as long as 10 minutes depending on resources.
Part 2 Configure the failover DSM
2.1 Set the DSM timezone, date, and time
__1. Login to the DSM, dsm-server-2, ID = cliadmin and password = cliadmin123
__2. Type maintenance to move to the maintenance command group
__3. Set the time zone for your locale
gmttimezone set America/Chicago
__4. Set date
date 08/17/2012 [use current date]
__5. Set time
time 09:43:00 [use current time]
2.2 Configure failover DSM networking
2.2.1 Add eth1 network
__1. Return to the main DSM CLI menu
up
__2. Move to the network command group
network
__3. View the current network settings
ip address show
__4. Add the IP for network of eth1 [use the network from VMnet8]
ip address add 192.168.6.11/24 dev eth1
yes
__5. Ping the eth1 address from the host machine
ping 192.168.6.11
2.2.2 Add default gateway
__1. Add a default gateway
ip route add default table main.table via 192.168.6.254
2.2.3 Configure eth0 network
__2. Delete the IP address for eth0
ip address delete 192.168.10.1/16 dev eth0
yes
__3. Add the IP address for eth0
ip address add 192.168.10.11/24 dev eth0
yes
__4. Ping the IP address for eth0
ping 192.168.10.11
__5. Show the IP address setup
ip address show
After configuring the network, you can use an SSH terminal window to connect to the DSM CLI.
2.3 Update DSM hostname
__1. Return to the main DSM CLI menu
up
__2. Move to the system command group
system
__3. Use the setinfo command to set the hostname to dsm-server-2
setinfo hostname dsm-server-2
Note: You can ignore the message about the need to re-sign the server certificate, as the certificate has not been generated.
2.4 Setup the NTP (optional)
It is a good practice to use a time server to synchronize system clocks across your data center
and this includes the DSM. This section will only work with an external network connection.
__1. Return to the main DSM CLI menu
up
__2. Move to the maintenance menu
main
__3. Add ntp server entry
ntpdate add 66.160.141.161
Note: Refer to Appendix A for a list of public NTP servers
__4. Synchronize time with the ntp server
ntpdate sync
__5. Turn ntp service on
ntpdate on
2.5 Configure name resolution
Add the following host entries for the following hosts:
dsm-server-1
data-node-1
__1. Return to the main DSM CLI menu
up
__2. Move to the network menu
network
__3. Add network entries
host add dsm-server-1 192.168.10.10
host add data-node-1 192.168.10.20
__4. Display the host entries
host show
2.6 Test networking between DSMs
__1. From network menu of dsm-server-1, ping dsm-server-2
ping dsm-server-2
__2. From network menu of dsm-server-2, ping dsm-server-1
ping dsm-server-1
__3. From the host machine, ping each DSM
ping 192.168.10.10
ping 192.168.10.11
Part 3 Configure HA pairing
To pair and synchronize the primary and failover DSM you must enable communication. In this
section you will do the following:
Configure the primary DSM for communication
Convert failover DSM
Enable synchronization
3.1 Enable the primary DSM for communication to the failover
__1. Login to the Management Console, from a Web browser enter the following address
https://192.168.10.10:8445
Note: For the most consistent interface results use Internet Explorer.
__2. When prompted, click Continue at any message concerning certificate error.
__3. Login, credentials = admin/admin123
__4. Trust the content from the DSM
__5. Change the password as prompted, recommended Admin123!
Note: Do not use a password with a $ as this will cause an error in later steps. The password is case sensitive.
__6. Click the High Availability tab
__7. Click Add to add the failover server to the High Availability Servers list
__8. Type the name of the failover server in the Server Name field and click Ok
3.2 Convert the failover DSM
__1. Login to the failover DSM, ID = cliadmin and password = cliadmin123
Note: Ensure you are on the failover DSM. If you run the following steps on the primary DSM you will have to start over.
__2. Move to the ha menu
ha
__3. Convert the DSM to a failover
convert2failover
yes
dsm-server-1
admin (note: this is the admin account and not cliadmin)
Admin123! (note: this is the password if you used the recommended one; the password is not displayed when typed)
dsm-server-2 (note: it is not necessary to type the name if the name within the square brackets is accurate)
Note: It is not necessary to edit any of the entries as prompted by the CA generation. None of the entries will be validated against an external registration authority and can be simply bypassed by pressing the Enter/Return key.
yes
The convert2failover command can take as long as 30 minutes to finish.
3.3 Synchronize the primary and failover DSM
__1. From the management console, click the High Availability tab
Note: The failover DSM now shows registered.
__2. Select the dsm-server-2 and click Config Replication
__3. When prompted, click OK to continue
Note: This can take as long as 20 minutes to complete. When complete the synchronization time fields will be populated as well as Synchronization Status.
Additional Tasks
Answer the following questions concerning DSM setup and use.
__1. To install the DSM license you would require which of the following?
Cliadmin access
System administrator access
Domain administrator access
Security administrator access
__2. Which of the following are replicated with a DSM HA configuration? Mark all that apply.
Host IP information
License information
User account information, keys, and policies
Keys and policies only
Keys, policies, and audit records
__3. You must use the Serial Port interface to setup the initial DSM configuration. (True,False)
__4. DHCP is supported for eth1 but must use static addresses for eth0. (True,False)
__5. The DSM can store two versions of the DSM software. (True,False)
__6. What must be generated to move objects between DSMs such as configuration backups?
__7. The CLI Admin can reset which of the following accounts' passwords?
Other CLI Admin
Other CLI Admin + System Admin
System Admin
None
Appendix A. Reference Material
IP Address shorthand:
http://www.sustworks.com/site/prod_ipr_subnets.html
Public NTP servers:
http://www.pool.ntp.org/en/
Appendix B. FAQs