03-DSM-setup-V1.3

Configuring the Vormetric Data Security Manager Lab Exercises:


  • Configuring the Vormetric Data Security

    Manager

    Lab Exercises:

  • Vormetric Software

    Vormetric Corporation Inc, 2012 Page 2

    Contents

    Introduction

    Part 1 Configure the DSM

    1.1 Set the DSM timezone, date, and time

    1.2 Configure DSM networking

    1.3 Update DSM hostname

    1.4 Setup the NTP (optional)

    1.5 Configure name resolution

    1.6 Generate the certificate authority

    Part 2 Configure the failover DSM

    2.1 Set the DSM timezone, date, and time

    2.2 Configure failover DSM networking

    2.3 Update DSM hostname

    2.4 Setup the NTP (optional)

    2.5 Configure name resolution

    2.6 Test networking between DSMs

    Part 3 Configure HA pairing

    3.1 Enable the primary DSM for communication to the failover

    3.2 Convert the failover DSM

    3.3 Synchronize the primary and failover DSM

    Additional Tasks

    Appendix A. Reference Material

    Appendix B. FAQs

    Introduction

    The purpose of this lab is to introduce the setup of the Vormetric Data Security Manager (DSM)

    appliance. After completing the lab you will be able to perform the significant administrative

    tasks of DSM setup including:

    Configuring DSM networking

    Configuring DSM date and time information

    Changing the default CLI password

    Generating the DSM Certificate Authority

    Setting up DSM high availability

    Backing up the DSM

    Lab Architecture

    At the completion of the Lab you will have generated the DSM setup as illustrated in Figure 1.

    Figure 1 Lab Architecture

    [Figure: lab architecture diagram. Labels recovered from the figure:]

    Web Based Management Console: hostname = admin-gui

    Port labels: TCP/50000, TCP/8445

    Primary DSM: hostname = dsm-server-1, eth0 = 192.168.10.10, eth1 = (tbd) [public]

    Failover DSM: hostname = dsm-server-2, eth0 = 192.168.10.11 (private), eth1 = (tbd) [public]

    User ID and password list

    Table 1 lists the User IDs and passwords used in the lab. You may be prompted to update the

    password while performing the lab tasks. You may use a new password of your choosing or

    use the recommended password update.

    Table 1 User IDs and passwords

        Server        User ID         Default Password   Recommended Update
    1   DSM servers   cliadmin        cliadmin123
    2   Web Console   admin           admin123           Admin123!
    3   admin-gui     Administrator   Admin123!

    Part 1 Configure the DSM

    A DSM is preconfigured with all the necessary software components installed. The only

    customization required is to update the DSM configuration with relevant networking and

    geography information for your location. The configuration of the DSM includes:

    Date and time

    Networking

    CA generation

    1.1 Set the DSM timezone, date, and time

    Time matters in DSM setup for two reasons. It is needed to know when an event happened, and certificate exchange is time sensitive. If the time difference between the DSM and a certificate signing requester is too large (the comparison is based on GMT, not absolute time), the signing request will fail. Keeping the date/time of the DSM and of any agent systems close to accurate avoids this issue.

    __1. Log in to the DSM, dsm-server-1, ID = cliadmin and password = cliadmin123

    Note: The DSM CLI has a very limited command structure. To view the current command options, type a ?. To move between command groups, type the name of the command group you wish to use, for example network. To return to the previous command group from within a command group, type up.

    __2. Type ? to view current command group.

    __1. Type maintenance to move to the maintenance command group

    Note: You do not have to type in the entire word as long as you type enough of the keyword to be unique. Example: maint would be sufficient

    __2. List the command options using ?

    __3. View the current settings for date, time, and time zone

    date

    time

    gmttimezone show

    __4. List the time zones available

    gmttimezone list

    __5. Set the time zone for your location

    gmttimezone set America/Chicago

    __6. Set date

    date 08/17/2012 [use current date]

    __7. Set time

    time 09:43:00 [use current time]
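
    The GMT comparison described at the start of section 1.1, as an added example that is not part of the original lab. The 5 minute tolerance and the agent names and clocks are constructed assumptions (the lab does not state the DSM's actual limit); the DSM clock uses the lab's sample date, time and America/Chicago zone (UTC-5 in August).

```python
from datetime import datetime, timedelta, timezone

FMT = "%m/%d/%Y %H:%M:%S"  # date and time formats used by the lab's date/time commands

# (date, time, UTC offset in hours) as each host would display them.
DSM_CLOCK = ("08/17/2012", "09:43:00", -5)           # lab sample, America/Chicago
AGENT_CLOCKS = {                                      # constructed sample agents
    "agent-east": ("08/17/2012", "10:44:10", -4),     # other zone, nearly in sync
    "agent-wrong-tz": ("08/17/2012", "09:43:00", 0),  # same wall clock, zone left at GMT
    "agent-drift": ("08/17/2012", "09:55:00", -5),    # same zone, clock 12 minutes fast
}


def to_gmt(date_str, time_str, utc_offset_hours):
    """Convert a displayed date/time plus its zone offset to GMT."""
    local = datetime.strptime(f"{date_str} {time_str}", FMT)
    zone = timezone(timedelta(hours=utc_offset_hours))
    return local.replace(tzinfo=zone).astimezone(timezone.utc)


def skew_report(dsm, agents, tolerance=timedelta(minutes=5)):
    """Return {agent: (skew, within_tolerance)}, comparing every clock in GMT.

    The tolerance is an assumed value for illustration only.
    """
    dsm_gmt = to_gmt(*dsm)
    report = {}
    for name, clock in agents.items():
        skew = abs(to_gmt(*clock) - dsm_gmt)
        report[name] = (skew, skew <= tolerance)
    return report


if __name__ == "__main__":
    for name, (skew, ok) in skew_report(DSM_CLOCK, AGENT_CLOCKS).items():
        print(f"{name:15} skew={skew}  {'ok' if ok else 'signing request at risk'}")
```

    The agent-wrong-tz case is the one to watch for: its displayed time matches the DSM exactly, yet in GMT it is five hours off because only the time zone is wrong.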

    1.2 Configure DSM networking

    1.2.1 Add eth1 network

    __1. Return to the main DSM CLI menu

    up

    __2. Move to the network command group

    network

    __3. View the current network settings

    ip address show

    Note: The default IP address of the DSM eth0 is 192.168.10.1. The easiest way to configure a physical appliance is to attach a network cable between this NIC and a laptop and change the laptop network settings to match the default network of eth0. The best order is to set up eth1 and confirm connectivity to that NIC before changing eth0. Otherwise, if you accidentally set eth0 incorrectly, you will lose connectivity and be limited to the serial interface.

    __4. Add the IP for network of eth1 [use the network from VMnet8]

    ip address add 192.168.6.10/24 dev eth1

    Note: Change the IP address and subnet. The network should be the network discovered in Lab 1 for VMnet8. The subnet uses shorthand notation (24 = 255.255.255.0). Refer to Appendix A for a link explaining the shorthand notation of netmasks.

    yes

    __5. Ping the eth1 address from the host machine

    ping 192.168.6.10

    1.2.2 Add default gateway

    The only network that can reach the external network given the setup steps of this lab is

    VMnet8, the NAT network. The examples used in these steps reflect network 192.168.6.0. Be

    sure and use the proper network as discovered in Lab 1 for your VMnet8 environment.

    __1. Add a default gateway

    ip route add default table main.table via 192.168.6.254

    1.2.3 Configure eth0 network

    __1. Delete the IP address for eth0

    ip address delete 192.168.10.1/16 dev eth0

    yes

    __2. Add the IP address for eth0

    ip address add 192.168.10.10/24 dev eth0

    yes

    __3. Ping the IP address for eth0

    ping 192.168.10.10

    __4. Show the IP address setup

    ip address show

    After configuring the network, you can use an SSH terminal window to connect to the DSM CLI.
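
    The address plan this lab builds for both DSMs, checked offline before it is typed into the DSM CLI. This is an added example, not part of the original lab: check_plan and netmask are hypothetical helper names, the addresses are the lab's own, and 192.168.6.0/24 stands in for your VMnet8 network.

```python
import ipaddress
from itertools import combinations

# Addresses from this lab; 192.168.6.0/24 is the lab's VMnet8 example network.
FINAL_PLAN = {
    "dsm-server-1": {"eth0": "192.168.10.10/24", "eth1": "192.168.6.10/24"},
    "dsm-server-2": {"eth0": "192.168.10.11/24", "eth1": "192.168.6.11/24"},
}
GATEWAY = "192.168.6.254"
HOST_ENTRIES = {  # static name resolution entries used in the lab
    "dsm-server-1": "192.168.10.10",
    "dsm-server-2": "192.168.10.11",
    "data-node-1": "192.168.10.20",
}
# State after 1.2.1 but before 1.2.3: factory eth0 address still configured.
MIDWAY_PLAN = {"dsm-server-1": {"eth0": "192.168.10.1/16", "eth1": "192.168.6.10/24"}}


def netmask(cidr):
    """Expand prefix shorthand, e.g. /24 -> 255.255.255.0."""
    return str(ipaddress.ip_interface(cidr).netmask)


def check_plan(plan, gateway, host_entries):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, owners = [], {}
    gw = ipaddress.ip_address(gateway)
    for dsm, nics in plan.items():
        ifaces = {nic: ipaddress.ip_interface(c) for nic, c in nics.items()}
        # The default gateway must sit inside a directly connected subnet.
        if not any(gw in i.network for i in ifaces.values()):
            problems.append(f"{dsm}: gateway {gw} is not on a connected subnet")
        # Overlapping subnets on two NICs make routing depend on prefix length.
        for (n1, i1), (n2, i2) in combinations(ifaces.items(), 2):
            if i1.network.overlaps(i2.network):
                problems.append(f"{dsm}: {n1} {i1.network} overlaps {n2} {i2.network}")
        for nic, i in ifaces.items():
            if i.ip in owners:
                problems.append(f"{dsm}/{nic}: {i.ip} already used by {owners[i.ip]}")
            owners[i.ip] = f"{dsm}/{nic}"
        # Every static host entry should be reachable on the eth0 network.
        for name, addr in host_entries.items():
            if ipaddress.ip_address(addr) not in ifaces["eth0"].network:
                problems.append(f"{dsm}: host {name} ({addr}) is not on the eth0 subnet")
    # A host entry for a DSM must match that DSM's eth0 address.
    for name, addr in host_entries.items():
        if name in plan and addr != str(ipaddress.ip_interface(plan[name]["eth0"]).ip):
            problems.append(f"host entry {name} -> {addr} does not match its eth0")
    return problems


if __name__ == "__main__":
    print("final :", check_plan(FINAL_PLAN, GATEWAY, HOST_ENTRIES) or "consistent")
    print("midway:", check_plan(MIDWAY_PLAN, GATEWAY, {}))
```

    While the factory 192.168.10.1/16 is still on eth0, its network 192.168.0.0/16 contains the eth1 network; once eth0 is re-added as 192.168.10.10/24 the two networks no longer overlap.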

    1.3 Update DSM hostname

    Setting the DSM hostname is very important. The DSM hostname is a significant factor when

    generating and registering certificates. Networking changes can be dynamic and do not affect

    certificates.

    __1. Return to the main DSM CLI menu

    up

    __2. Move to the system command group

    system

    __3. Use the setinfo command to set the hostname to dsm-server-1

    setinfo hostname dsm-server-1

    Note: You can ignore the message about the need to re-sign the server certificate, as the certificate has not been generated yet.

    1.4 Setup the NTP (optional)

    It is a good practice to use a time server to synchronize system clocks across your data center

    and this includes the DSM. This section will only work with an external network connection.

    __1. Return to the main DSM CLI menu

    up

    __2. Move to the maintenance menu

    main

    __3. Add ntp server entry

    ntpdate add 66.160.141.161

    Note: Refer to Appendix A for a list of public NTP servers

    __4. Synchronize time with the ntp server

    ntpdate sync

    __5. Turn ntp service on

    ntpdate on

    1.5 Configure name resolution

    No DNS server is available for performing the lab exercises; in this section you will configure

    static name resolution. You will add host entries for the following hosts:

    dsm-server-2

    data-node-1

    __1. Return to the main DSM CLI menu

    up

    __2. Move to the network menu

    network

    __3. Add network entries

    host add dsm-server-2 192.168.10.11

    host add data-node-1 192.168.10.20

    __4. Display the host entries

    host show

    1.6 Generate the certificate authority

    After successful generation of the certificate authority (CA), the DSM will be ready to start

    managing data security.

    __1. Return to the main DSM CLI menu

    up

    __2. Move to the system menu

    system

    __3. Generate the CA

    security genca

    yes

    Note: It is not necessary to edit any of the entries as prompted by the CA generation. None of the entries will be validated against an external registration authority and can be simply bypassed by pressing the Enter/Return key. The CA generation can take as long as 10 minutes depending on resources.

    Part 2 Configure the failover DSM

    2.1 Set the DSM timezone, date, and time

    __1. Login to the DSM, dsm-server-2, ID = cliadmin and password = cliadmin123

    __2. Type maintenance to move to the maintenance command group

    __3. Set the time zone for your location

    gmttimezone set America/Chicago

    __4. Set date

    date 08/17/2012 [use current date]

    __5. Set time

    time 09:43:00 [use current time]

    2.2 Configure failover DSM networking

    2.2.1 Add eth1 network

    __1. Return to the main DSM CLI menu

    up

    __2. Move to the network command group

    network

    __3. View the current network settings

    ip address show

    __4. Add the IP for network of eth1 [use the network from VMnet8]

    ip address add 192.168.6.11/24 dev eth1

    yes

    __5. Ping the eth1 address from the host machine

    ping 192.168.6.11

    2.2.2 Add default gateway

    __1. Add a default gateway

    ip route add default table main.table via 192.168.6.254

    2.2.3 Configure eth0 network

    __2. Delete the IP address for eth0

    ip address delete 192.168.10.1/16 dev eth0

    yes

    __3. Add the IP address for eth0

    ip address add 192.168.10.11/24 dev eth0

    yes

    __4. Ping the IP address for eth0

    ping 192.168.10.11

    __5. Show the IP address setup

    ip address show

    After configuring the network, you can use an SSH terminal window to connect to the DSM CLI.

    2.3 Update DSM hostname

    __1. Return to the main DSM CLI menu

    up

    __2. Move to the system command group

    system

    __3. Use the setinfo command to set the hostname to dsm-server-2

    setinfo hostname dsm-server-2

    Note: You can ignore the message about the need to re-sign the server certificate, as the certificate has not been generated yet.

    2.4 Setup the NTP (optional)

    It is a good practice to use a time server to synchronize system clocks across your data center

    and this includes the DSM. This section will only work with an external network connection.

    __1. Return to the main DSM CLI menu

    up

    __2. Move to the maintenance menu

    main

    __3. Add ntp server entry

    ntpdate add 66.160.141.161

    Note: Refer to Appendix A for a list of public NTP servers

    __4. Synchronize time with the ntp server

    ntpdate sync

    __5. Turn ntp service on

    ntpdate on

    2.5 Configure name resolution

    Add host entries for the following hosts:

    dsm-server-1

    data-node-1

    __1. Return to the main DSM CLI menu

    up

    __2. Move to the network menu

    network

    __3. Add network entries

    host add dsm-server-1 192.168.10.10

    host add data-node-1 192.168.10.20

    __4. Display the host entries

    host show

    2.6 Test networking between DSMs

    __1. From network menu of dsm-server-1, ping dsm-server-2

    ping dsm-server-2

    __2. From network menu of dsm-server-2, ping dsm-server-1

    ping dsm-server-1

    __3. From the host machine, ping each DSM

    ping 192.168.10.10

    ping 192.168.10.11

    Part 3 Configure HA pairing

    To pair and synchronize the primary and failover DSM you must enable communication. In this

    section you will do the following:

    Configure the primary DSM for communication

    Convert failover DSM

    Enable synchronization

    3.1 Enable the primary DSM for communication to the failover

    __1. Log in to the Management Console: from a web browser, enter the following address

    https://192.168.10.10:8445

    Note: For the most consistent interface results use Internet Explorer.

    __2. When prompted, click Continue at any message concerning certificate error.

    __3. Login, credentials = admin/admin123

    __4. Trust the content from the DSM

    __5. Change the password as prompted, recommended Admin123!

    Note: Do not use a password with a $ as this will cause an error in later steps. The password is case sensitive.

    __6. Click the High Availability tab

    __7. Click Add to add the failover server to the High Availability Servers list

    __8. Type the name of the failover server in the Server Name field and click Ok

    3.2 Convert the failover DSM

    __1. Login to the failover DSM, ID = cliadmin and password = cliadmin123

    Note: Ensure you are on the failover DSM. If you run the following steps on the primary DSM you will have to start over.

    __2. Move to the ha menu

    ha

    __3. Convert the DSM to a failover

    convert2failover

    yes

    dsm-server-1

    admin (note: this is the admin account and not cliadmin)

    Admin123! (note: this is the password if you used the recommended one; the password is not displayed when typed)

    dsm-server-2 (note: it is not necessary to type the name if the name within the square brackets is accurate)

    Note: It is not necessary to edit any of the entries as prompted by the CA generation. None of the entries will be validated against an external registration authority and can be simply bypassed by pressing the Enter/Return key.

    yes

    The convert2failover can take as long as 30 minutes to finish.

    3.3 Synchronize the primary and failover DSM

    __1. From the management console, click the High Availability tab

    Note: The failover DSM now shows registered.

    __2. Select the dsm-server-2 and click Config Replication

    __3. When prompted, click OK to continue

    Note: This can take as long as 20 minutes to complete. When complete the synchronization time fields will be populated as well as Synchronization Status.

    Additional Tasks

    Answer the following questions concerning DSM setup and use.

    __1. To install the DSM license you would require which of the following

    Cliadmin access

    System administrator access

    Domain administrator access

    Security administrator access

    __2. Which of the following are replicated with a DSM HA configuration, mark all that apply

    Host IP information

    License information

    User account information, keys, and policies

    Keys and policies only

    Keys, policies, and audit records

    __3. You must use the Serial Port interface to setup the initial DSM configuration. (True,False)

    __4. DHCP is supported for eth1 but must use static addresses for eth0. (True,False)

    __5. The DSM can store two versions of the DSM software. (True,False)

    __6. What must be generated to move objects between DSMs such as configuration backups?

    __7. The CLI Admin can reset the passwords of which of the following accounts

    Other CLI Admin

    Other CLI Admin + System Admin

    System Admin

    None

    Appendix A. Reference Material

    IP Address shorthand:

    http://www.sustworks.com/site/prod_ipr_subnets.html

    Public NTP servers:

    http://www.pool.ntp.org/en/

    Appendix B. FAQs