ProtectV Installation Guide (AWS) · • ProtectV Command Line Interface Guide (details on using...

Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright © 2013 SafeNet, Inc. All rights reserved. 1 ProtectV Installation Guide (AWS)


ProtectV: Installation Guide (AWS) Product Version 1.5, Document PN: 007-011535-001, Rev N, Copyright © 2013 SafeNet, Inc., All rights reserved.


Document Information

Product Version: 1.5

Document Part Number: 007-011532-001, Rev N

Release Date: July 2013

Trademarks

All intellectual property is protected by copyright. All trademarks and product names used or referred to are the copyright of their respective owners. No part of this document may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, chemical, photocopy, recording, or otherwise, without the prior written permission of SafeNet, Inc.

• Linux® is a registered trademark of Linus Torvalds. Linux Foundation, Linux Standard Base, LSB, LSB Certified, IAccessible2, MeeGo are registered trademarks of the Linux Foundation. Copyright © 2010 Linux Foundation. All rights reserved.

• Windows is a registered trademark of Microsoft Corporation in the United States and other countries.

• VMware is a registered trademark of VMware, Inc. in the United States and/or other jurisdictions.

• Amazon Web Services™ and AWS™ are registered trademarks of Amazon.com, Inc. or its affiliates in the United States and other countries.

• Red Hat® Linux® is a registered trademark of Red Hat, Inc. in the United States and other countries.

Disclaimer

SafeNet makes no representations or warranties with respect to the contents of this document and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, SafeNet reserves the right to revise this publication and to make changes from time to time in the content hereof without the obligation upon SafeNet to notify any person or organization of any such revisions or changes.

We have attempted to make these documents complete, accurate, and useful, but we cannot guarantee them to be perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct them in succeeding releases of the product.

SafeNet invites constructive comments on the contents of this document. These comments, together with your personal and/or company details, should be sent to the address or email below.

Contact Method    Contact Information

Mail              SafeNet, Inc., 4690 Millennium Drive, Belcamp, Maryland 21017, USA

Email             [email protected]


Contents

Preface (p. 5)
    Customer Release Notes (p. 5)
    Audience (p. 5)
    Document Conventions (p. 5)
        Hyperlinks (p. 5)
        Notifications (p. 5)
            Notes (p. 5)
            Cautions (p. 5)
            Warnings (p. 6)
        Command Syntax and Typeface Conventions (p. 6)
        Related Documents (p. 7)
        Support Contacts (p. 7)

CHAPTER 1 What’s in this Installation Guide? (p. 8)
    Overview (p. 8)
    Supported Platforms (p. 9)
    Supported KeySecure Versions (p. 9)
    System Requirements (p. 10)
    Before You Begin (p. 11)

CHAPTER 2 Obtain a Provisioned ProtectV Manager AMI (p. 12)
    Overview (p. 12)
    Provision a ProtectV Manager (p. 12)

CHAPTER 3 Configure the ProtectV Manager (p. 14)
    Overview (p. 14)
    Configure KeySecure (p. 14)
        Important Notes (p. 14)
    Create Security Groups (p. 17)
        ProtectV Manager Security Group (p. 17)
        Linux Server Security Group (p. 17)
        Windows Server Security Group (p. 17)
    Launch Your Provisioned AMI (p. 18)

CHAPTER 4 Configure the ProtectV Client Virtual Server (p. 21)
    Overview (p. 21)
        For Linux (p. 21)
        For Windows (p. 21)
    Configure the Linux Virtual Server (p. 22)
        Configure the Firewall (p. 22)
        Create a Separate /boot Partition (p. 22)
            Sample Method to Create a Separate /boot Partition (p. 23)


    Download and Install the ProtectV Linux Client (p. 24)
        Manual Install (p. 24)
        Automated Install with YUM (p. 25)
    Download and Install the ProtectV Windows Client (p. 25)

CHAPTER 5 Start a ProtectV Client Virtual Server (p. 27)

CHAPTER 6 Encrypt/Decrypt Partitions (p. 28)
    Overview (p. 28)
    Encrypt a Partition (p. 28)
    Decrypt a Partition (p. 30)

CHAPTER 7 Upgrade ProtectV (p. 31)
    Upgrade ProtectV Manager and ProtectV Clients to the Latest Version (p. 31)
        Pre-upgrade Information for the ProtectV Manager (p. 31)
        Pre-upgrade Information for the ProtectV Client (p. 32)
        Upgrade of ProtectV Manager via Export/Import Process (p. 33)
        Items Not Included in the Export Package (p. 33)
        EC2 vs. VPC (p. 33)
        HA vs. Non-HA (p. 33)
        Will There be Downtime During the Upgrade? (p. 34)
        Create the Export Package (p. 34)
            Export Using the ProtectV Manager Console (p. 35)
            Export Using the API (p. 36)
            Export Using the CLI (p. 36)
        Upgrade a Single Server Configuration (non-HA) via Import (p. 37)
            Upgrade Using the ProtectV Manager Console (p. 37)
            Upgrade Using the API (p. 38)
            Upgrade Using the CLI (p. 39)
        Upgrade an HA Configuration via Import (p. 41)
            Import Using the ProtectV Manager Console (p. 41)
            Import Using the API (p. 42)
            Import Using the CLI (p. 43)
        Upgrade the ProtectV Clients (p. 44)
            Windows Server Upgrade (p. 44)
            Linux Server Upgrade (p. 45)


Preface

Customer Release Notes

The Customer Release Notes (CRN) document provides important information about this release that is not included in other customer documentation. It is strongly recommended that you read the CRN to fully understand the capabilities, limitations, and known issues for this release.

Audience

All products manufactured and distributed by SafeNet, Inc. are designed to be installed, operated, and maintained by personnel who have the knowledge, training, and qualifications required to safely perform the tasks assigned to them. The information, processes, and procedures contained in this document are intended for use by trained and qualified personnel only.

Document Conventions

Hyperlinks

Hyperlinked text will, by default, appear in the SafeNet standard shade of purple. For example:

www.safenet-inc.com/Support

Notifications

Notes

This document uses notes to alert you to important or helpful information. These elements use the following format:

NOTE: Notes contain important or helpful information that you want to make stand out to the user.

Cautions

Cautions are used to alert you to important information that may help prevent unexpected results or data loss. These elements use the following format:

CAUTION: Exercise caution. Caution alerts contain important information that may help prevent unexpected results or data loss.


Warnings

Warnings are used to alert you to the potential for catastrophic data loss or personal injury. These elements use the following format:

WARNING: Be extremely careful and obey all safety and security measures. In this situation you might do something that could result in catastrophic data loss or personal injury.

Command Syntax and Typeface Conventions

Table 1: Syntax and Typeface Conventions

Convention    Description

bold
    The bold attribute is used to indicate the following:
    • Command-line commands and options (Type dir /p.)
    • Button names (Click Save As.)
    • Check box and radio button names (Select the Print Duplex check box.)
    • Dialog box titles (On the Protect Document dialog box, click Yes.)
    • Field names (User Name: Enter the name of the user.)
    • Menu names (On the File menu, click Save.) (Click Menu > Go To > Folders.)
    • User input (In the Date box, type April 1.)

italic
    The italic attribute is used for emphasis or to indicate a related document. (See the Installation Guide for more information.)

Double quote marks
    Double quote marks enclose references to other sections within the document. For example: Refer to “Disclaimer” on page 2.

<variable>
    In command descriptions, angle brackets represent variables. You must substitute a value for command line arguments that are enclosed in angle brackets.

[ optional ]
[ <optional> ]
    Square brackets enclose optional keywords or <variables> in a command line description. Optionally enter the keyword or <variable> that is enclosed in square brackets, if it is necessary or desirable to complete the task.

[ a | b | c ]
[ <a> | <b> | <c> ]
    Square brackets enclose optional alternate keywords or variables in a command line description. Choose one command line argument enclosed within the braces, if desired. Choices are separated by vertical (OR) bars.

{ a | b | c }
{ <a> | <b> | <c> }
    Braces enclose required alternate keywords or <variables> in a command line description. You must choose one command line argument enclosed within the braces. Choices are separated by vertical (OR) bars.


Related Documents

The following documents contain related or additional information:

• ProtectV Release Notes (pertinent updates)

• ProtectV User Guide (details on how to use the ProtectV Manager Console)

• ProtectV Command Line Interface Guide (details on using the ProtectV CLI)

• ProtectV API Integration Guide (details on using the ProtectV APIs)

• KeySecure Quick Start Guide (details on how to configure a KeySecure device for key storage)

• KeySecure User Guide (details on how to use a KeySecure device for key storage)

Support Contacts

If you encounter a problem while installing, registering or operating this product, please make sure that you have read the documentation. If you cannot resolve the issue, contact your supplier or SafeNet Customer Support. SafeNet Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between SafeNet and your organization. Please consult this support plan for further information about your entitlements, including the hours when telephone support is available to you.

Table 2: Support Contacts

Contact Method    Contact Information

Address
    SafeNet, Inc., 4690 Millennium Drive, Belcamp, Maryland 21017, USA

Phone
    United States: 1-800-545-6608
    International: 1-410-931-7520

Email
    [email protected]

Support and Downloads
    www.safenet-inc.com/Support
    Provides access to the SafeNet Knowledge Base and quick downloads for various products.

Customer Connection Center
    c3.safenet-inc.com
    Existing customers with a Customer Connection Center account can log in to manage incidents, get the latest software upgrades, and access the SafeNet Knowledge Base.


CHAPTER 1 What’s in this Installation Guide?

Overview

The ProtectV solution is built on proven SafeNet technologies, while extending robust security capabilities to the new demands of cloud environments. In Amazon Web Services (AWS), ProtectV supports both the public cloud platform (EC2) and private cloud platform (VPC).

ProtectV delivers the vital centralized management capabilities that organizations need to practically and effectively deploy encryption across environments with hundreds of virtual machines (VMs), geographically dispersed deployments, and multiple private and public cloud environments.

NOTE: The term, “virtual machine” and the acronym, “VM” are used interchangeably in this document. For AWS users, the term, “virtual machine,” is synonymous with an “instance.”

This document will walk you through the following tasks to get up and running with ProtectV. You will:

• Obtain a provisioned ProtectV Manager AMI.

• Configure KeySecure.

• Create the ProtectV Manager security groups.

• Launch the provisioned AMI.

• Download and install the ProtectV Client.

• Start a virtual server.

• Encrypt and decrypt a partition.

• Upgrade ProtectV.

After you complete the tasks in this document, please refer to the ProtectV User Guide for details on how to use the ProtectV Manager Console.


Supported Platforms

The following table presents the virtualized server platforms that currently support ProtectV.

Distribution                                          AWS   VMware   Physical Server
Microsoft Windows Server 2003 R2 (32-bit)             Yes   Yes      Yes
Microsoft Windows Server 2003 R2 (64-bit)             Yes   Yes      Yes
Microsoft Windows Server 2008 (32-bit)                Yes   Yes      Yes
Microsoft Windows Server 2008 (64-bit)                Yes   Yes      Yes
Microsoft Windows Server 2008 R2 (64-bit)             Yes   Yes      Yes
Microsoft Windows Server 2012 (64-bit)                Yes   Yes      Yes
Linux CentOS 6.2 (64-bit)                             Yes   No       No
SUSE Linux Enterprise Server (SLES) 10 SP4, 64-bit    No    Yes      No
SUSE Linux Enterprise Server (SLES) 11 SP1, 64-bit    No    Yes      No
Red Hat Enterprise Linux (RHEL) 5.8, 64-bit           Yes   Yes      No
Red Hat Enterprise Linux (RHEL) 6.2, 64-bit           Yes   Yes      No
Red Hat Enterprise Linux (RHEL) 6.3, 64-bit           Yes   Yes      No

Supported KeySecure Versions

For clustered or non-clustered KeySecure configurations, use version 6.1.2 or later.


System Requirements

The following summarizes the system requirements to install ProtectV Manager, and to install and properly run the ProtectV Client on a Windows or Linux guest operating system.

• The system requirements to install the ProtectV Manager are:

    • As a minimum, choose a c1.medium or m1.medium instance type.

• The minimum system requirements to install and run the ProtectV Agent on a Windows Guest operating system are:

    • 256 MB RAM

    • 100 MB system free space

• Additionally please note the following limitations and considerations:

    • We (currently) do not support partitions over 2TB in size (GPT partitions)

• The minimum system requirements to install and run the ProtectV Agent on a Linux Guest operating system in AWS EC2 are:

    • m1.small instance type

    • 100 MB system free space

• The recommended instance configuration is a pv-grub instance with a separate /boot volume or partition at /dev/sda1 in ext3 format, or ext4 format (on distributions that support ext4 by default, such as RHEL 6.n). If the instance does not have a separate /boot partition, ProtectV will reconfigure the instance to pv-grub with a separate boot partition upon first encryption.

• For FIPS support or for instances whose root volume is /dev/sda (not an unpartitioned /dev/sda1), a separate boot partition is required.

• The root partition must be in ext3 format, or ext4 format (on distributions that support ext4 by default, such as RHEL 6.n).

• Any partition to be encrypted must be in swap, ext3, or ext4 format (on distributions that support ext4 by default).
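
A pre-flight check for the Linux guest requirements listed above, as an added example (not SafeNet's code and not part of the ProtectV Client). It reads a mount table in /proc/mounts format; the function names, the FIPS flag argument, the constructed sample tables, and the reading of "system free space" as free space on / are assumptions.

```sh
#!/bin/sh
# Pre-flight check of a Linux guest against the client requirements above.
# Input is a mount table in /proc/mounts format: device mountpoint fstype ...

# Filesystem type at a mount point. The last matching entry wins, because
# /proc/mounts can list "rootfs" first and the real root device after it.
fstype_of() (   # fstype_of <mounts-file> <mountpoint>
    awk -v mp="$2" '$2 == mp { t = $3 } END { print t }' "$1"
)

# Per the guide, a partition to be encrypted must be swap, ext3 or ext4.
is_encryptable() {   # is_encryptable <fstype>
    case "$1" in
        swap|ext3|ext4) return 0 ;;
        *) return 1 ;;
    esac
}

# Free space in MB on the filesystem holding <path>.
free_mb() (
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 1024) }'
)

# preflight <mounts-file> [fips: 0|1]
# Prints one OK/WARN/FAIL line per check; status is 0 only if nothing FAILed.
# The body runs in a subshell, so "exit" ends the function, not the caller.
preflight() (
    mounts=$1; fips=${2:-0}; rc=0

    root=$(fstype_of "$mounts" /)
    case "$root" in
        ext3|ext4) echo "OK   root filesystem is $root" ;;
        *) echo "FAIL root filesystem is '${root:-unknown}', need ext3 or ext4"
           rc=1 ;;
    esac

    boot=$(fstype_of "$mounts" /boot)
    case "$boot" in
        ext3|ext4) echo "OK   separate /boot is $boot" ;;
        "") if [ "$fips" = 1 ]; then
                echo "FAIL no separate /boot, required for FIPS support"; rc=1
            else
                echo "WARN no separate /boot, ProtectV reconfigures the instance on first encryption"
            fi ;;
        *)  echo "WARN /boot is $boot, recommended format is ext3 or ext4" ;;
    esac

    # Remaining block-device mounts: report which ones could be encrypted.
    while read -r dev mp fs _rest; do
        case "$dev" in /dev/*) ;; *) continue ;; esac
        case "$mp" in /|/boot) continue ;; esac
        if is_encryptable "$fs"; then
            echo "OK   $mp ($fs) can be encrypted"
        else
            echo "WARN $mp ($fs) cannot be encrypted, need swap, ext3 or ext4"
        fi
    done < "$mounts"
    exit "$rc"
)

# Constructed sample mount tables (not captured from a real instance).
sample_good() {
    cat <<'EOF'
rootfs / rootfs rw 0 0
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda1 /boot ext3 rw,relatime 0 0
/dev/sdf /data ext4 rw,relatime 0 0
proc /proc proc rw 0 0
EOF
}
sample_bad() {
    cat <<'EOF'
rootfs / rootfs rw 0 0
/dev/sda1 / xfs rw,relatime 0 0
/dev/sdf /data btrfs rw,relatime 0 0
EOF
}

# Run against a live system:  sh preflight.sh /proc/mounts [0|1]
if [ "$#" -gt 0 ]; then
    status=0
    preflight "$@" || status=1
    mb=$(free_mb /)   # assumption: "system free space" means the root filesystem
    if [ "$mb" -lt 100 ]; then
        echo "FAIL only $mb MB free on /, need 100 MB"; status=1
    fi
    exit "$status"
fi
```

Swap areas do not appear in /proc/mounts, so `is_encryptable` is exposed separately for callers that obtain a partition's type another way.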


Before You Begin

• You should already be familiar with virtual cloud and Amazon Web Services terminology, know how to navigate and use the Amazon Management Console, and launch a virtual machine. Refer to the Amazon Web Services EC2 and VPC documentation if you need assistance. The AWS EC2 documentation can be found here: http://aws.amazon.com/documentation/ec2/.

• Make sure that you have access to and login credentials for SafeNet’s Customer Connection Center (C3) site at http://c3.safenet-inc.com/secure.asp, so you can download the ProtectV Client software.

• Non-English characters are not supported in ProtectV Manager. Make sure all input uses English characters only. For example, this includes regions and virtual machine names.

• Physical Server support is currently unavailable in AWS environments (it is available in ProtectV Manager vSphere environments only). After installing ProtectV Manager, a Physical Server task menu is present in the Server Management tab in the ProtectV Manager Console. To remove this menu from the Server Management tab, use either the disablePhysicalServerSupport API function or the physicalserver disable-support CLI command.


CHAPTER 2 Obtain a Provisioned ProtectV Manager AMI

Overview

Provisioning builds a customized, AWS region-specific, confidential (encrypted), ProtectV Manager image. This process is required to place a ProtectV Manager in your target AWS account. Separate provisioning requests must be made if you need multiple ProtectV Managers in one or multiple regions.

From the ProtectV Manager Provisioning user interface, you can customize your AMI for a specific region and add specific boot-authentication security administrators. Only SafeNet-authorized C3 users can connect to the SafeNet PVM provisioning web site and gain access to the provisioning system.

During the ProtectV Manager provisioning request, you can configure up to eight boot-authentication security administrators and their associated passwords. When the ProtectV Manager is stopped (powered-off), the system is encrypted to keep all security configuration information confidential. These registered boot-authentication security administrator accounts are used to authorize the boot-up and decryption of the ProtectV Manager to transition from power-off to a running (powered-on) state.

Once you have received your provisioned AMI, you can also add boot-authentication security administrators through the ProtectV Manager SSH Pre-boot Login Shell. See page 18 for more details. The ProtectV Manager SSH Pre-boot Login Shell is provided with a restricted command shell that allows user/password management, booting of the system, and port reassignment.

When powered-up, a provisioned ProtectV Manager image will stop and wait for a boot-authentication user’s authorization to decrypt the image and execute the run-time ProtectV Manager. When the boot command is applied at the ProtectV Manager SSH Pre-boot Login Shell, the ProtectV Manager virtual machine will continue to boot. Upon successful decryption, and run-time launch, you can log into the ProtectV Manager to perform the desired tasks through the ProtectV Manager Console.

Provision a ProtectV Manager

1. Log into the Provisioning Server at https://provision.protectv.safenet-inc.com/app with the C3 Username and Password credentials provided by SafeNet, and click Login.

You will land on the Requests list tab, which displays any request(s) that you have made, their current status, date of request, region, etc.

2. Click the New request wizard tab.

3. Choose a Product selection (select ProtectV Manager AWS), and then click Next.

4. Choose a Version selection (select the latest version), and then click Next.

5. Configure these Environment settings:

• Select the Region where the ProtectV Manager AMI will be provisioned.

• Enter the AWS ID (Amazon account number) of the user requesting the provisioned PVM. Include numbers only—omit dashes, spaces, or leading tab characters.


6. Add credentials for the security administrators who are authorized to boot the encrypted ProtectV Manager. You can add up to eight security administrators. For each security administrator, enter a User name and Password (confirm the password in the Repeat password field).

NOTE: You do not have to add all security administrators at this time. Additional administrators can be added through the ProtectV Manager SSH Login Shell. See page 18 for details.

7. Click Submit. The ProtectV Manager provisioning service will now process your request.

8. When the ProtectV Manager image is provisioned, you will receive an e-mail confirmation with a provisioning request number (Request reference ID).

NOTE: The Requests list tab will display the status of your request. Look for your request reference ID under the Request ID column. The status will initially be set to pending, then change to dispatched, and then to created once the image is provisioned.

9. Once the image is provisioned, you will receive another e-mail notification with the ProtectV Manager AMI ID. The provisioned ProtectV Manager AMI will be shared with your account for at least two weeks.


CHAPTER 3 Configure the ProtectV Manager

Overview

This chapter discusses how to configure the ProtectV Manager in AWS. In this chapter, you will:

• Configure KeySecure.

• Create security groups.

• Launch your ProtectV Manager AMI.

Configure KeySecure

You must complete the procedures in this section on the KeySecure device before proceeding with ProtectV configuration. (You will be prompted to enter valid KeySecure settings during ProtectV configuration.)

Please make sure you have access to the KeySecure Quick Start Guide and the KeySecure User Guide for detailed instructions on how to complete the procedures in this section.

Important Notes

• To perform cryptographic operations, ProtectV Manager needs to export the encryption key. If the KeySecure device is configured for FIPS compliance, please be advised that key export will not be allowed over a TCP connection. This would cause the encryption/decryption operation to fail. In order for ProtectV to work in FIPS mode, you must have SSL set up to allow key export.

• To ensure there is no SSL/TCP mismatch between the KeySecure device and ProtectV Manager, verify the protocol on the KeySecure server: go to the Device tab > KeyServer, and view the NAE-XML properties. If Use SSL is selected, the device is configured to use SSL.

• If the KeySecure device is already set for SSL and you decide to turn FIPS mode on later, you must edit the NAE-XML properties and enable the Allow Key Export and Allow Key and Policy Configuration Operations properties.


1. Set up the KeySecure device in the network. Please refer to the KeySecure Quick Start Guide for details.

2. Complete the following installation and configuration procedures. Where noted in parentheses, please refer to that section in the KeySecure User Guide for details. Note that the screen shots shown here reflect only the portion of the screen that is applicable to the specified KeySecure configuration procedure.

• Obtain the software license from SafeNet and install it. (see “Install Software Licenses”)

• Configure SSL. These procedures are required only if you are using an SSL connection between KeySecure and ProtectV. Before the KeySecure can respond to SSL requests from ProtectV Manager, the KeySecure must be configured with at least one server certificate.

• Create a Local Certificate Authority on KeySecure. (see “Create a Local Certificate Authority”)


• Create a Server Certificate signed by the Local CA. (see “Creating a Server Certificate for the KeySecure”)

• Create a Local user on the KeySecure. (see “Create a Local User”)

• Enable Key Export on the KeySecure. (see steps below)

a. Log in to the KeySecure Management Console with administrative access.

b. Go to Device tab > KeyServer.

c. Go to NAE-XML properties and click Edit.


d. Select Allow key export.

e. Select Allow Key and Policy Configuration Operations.

f. Save the changes.

Create Security Groups

We recommend that you create three AWS security groups: one for ProtectV Manager servers, one for Linux clients, and one for Windows clients.

Refer to the Amazon Web Services documentation if you need assistance adding security groups.

ProtectV Manager Security Group

Add these ports for the ProtectV Manager security group:

• 22 - SSH

• 443 - HTTPS

• 5984 – HA/Replication/TCP

• 6984 – HA/Replication/SSL

• 7080 – HA/SOAP

• 8080 – PVM/SOAP

• 9090 – SC/TCP

• 9093 – SC/SSL

Linux Server Security Group

Add these ports for the Linux server security group. Please make sure you limit the Source field to the ProtectV Manager security group.

• 22 - SSH

• 9090 – SC/TCP

• 9093 – SC/SSL

Windows Server Security Group

Add these ports for the Windows server security group. Please make sure you limit the Source field to the ProtectV Manager security group.

• 3389 – RDP

• 9090 – SC/TCP

• 9093 – SC/SSL


NOTE: After you have installed the Windows ProtectV Client, ProtectV rules are automatically created in the Windows firewall, which are used for ProtectV communications.
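The following Python sketch is an added example, not part of the SafeNet guide: it audits security-group rules, in the shape returned by aws ec2 describe-security-groups, against the port lists above and flags client-group rules whose Source is not the ProtectV Manager group. The group IDs, the CIDR and the sample rules are constructed for illustration.

```python
# Added example: audit security-group rules against the port lists in this guide.
# Group IDs, CIDRs and the sample data below are constructed, not real values.

# Ports the guide lists for each recommended security group.
EXPECTED = {
    "pvm": {22, 443, 5984, 6984, 7080, 8080, 9090, 9093},
    "linux": {22, 9090, 9093},
    "windows": {3389, 9090, 9093},
}


def audit_group(group, role, pvm_group_id):
    """Return findings for one group taken from describe-security-groups output."""
    expected, seen, findings = EXPECTED[role], set(), []
    for perm in group.get("IpPermissions", []):
        if perm.get("IpProtocol") != "tcp":
            # "-1" (all protocols), udp and icmp are outside the guide's lists.
            findings.append(f"non-TCP rule (protocol {perm.get('IpProtocol')})")
            continue
        lo, hi = perm["FromPort"], perm["ToPort"]
        ports = set(range(lo, hi + 1))
        seen |= ports & expected
        extra = ports - expected
        if extra:
            findings.append(
                f"rule {lo}-{hi} opens {len(extra)} port(s) not in the guide's list")
        if role != "pvm":
            # Client groups: the Source must be the ProtectV Manager group only.
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])
                        if p["GroupId"] != pvm_group_id]
            if sources:
                findings.append(
                    f"rule {lo}-{hi} source not limited to the ProtectV Manager "
                    f"group: {', '.join(sources)}")
    findings += [f"port {p} missing" for p in sorted(expected - seen)]
    return findings


def audit(description, roles, pvm_group_id):
    """Map each known group ID to its findings; groups without a role are skipped."""
    return {
        g["GroupId"]: audit_group(g, roles[g["GroupId"]], pvm_group_id)
        for g in description["SecurityGroups"] if g["GroupId"] in roles
    }


def rule(lo, hi=None, cidr=None, group=None):
    """Build one IpPermissions entry (helper for the constructed sample)."""
    return {
        "IpProtocol": "tcp", "FromPort": lo, "ToPort": hi or lo,
        "IpRanges": [{"CidrIp": cidr}] if cidr else [],
        "UserIdGroupPairs": [{"GroupId": group}] if group else [],
    }


# Constructed sample: the Linux group exposes 9093 to the Internet, and the
# Windows group opens a range instead of the two listed ports.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-pvm", "IpPermissions": [
        rule(p, cidr="203.0.113.0/24") for p in sorted(EXPECTED["pvm"])]},
    {"GroupId": "sg-linux", "IpPermissions": [
        rule(22, group="sg-pvm"), rule(9090, group="sg-pvm"),
        rule(9093, cidr="0.0.0.0/0")]},
    {"GroupId": "sg-windows", "IpPermissions": [
        rule(3389, group="sg-pvm"), rule(9090, 9092, group="sg-pvm")]},
]}
ROLES = {"sg-pvm": "pvm", "sg-linux": "linux", "sg-windows": "windows"}

if __name__ == "__main__":
    for gid, findings in audit(SAMPLE, ROLES, "sg-pvm").items():
        print(gid, findings or "OK")
```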

Launch Your Provisioned AMI

Once you have received the provisioned ProtectV Manager AMI, you can use it for up to two weeks.

Follow the steps below to launch the AMI. Note that each time the ProtectV Manager virtual machine is started or rebooted, you will have to unlock (decrypt) it, as described in steps 2 through 4.

1. In the AWS Management Console, launch the ProtectV Manager virtual machine using the AMI ID provided by SafeNet. Select the c1.medium or m1.medium instance type.

2. Connect to the virtual machine using SSH on port 22.

3. Log in with the user name and password that was specified when creating user credentials in step 6 in the Provision a ProtectV Manager section in the previous chapter.

A successful login launches the ProtectV Manager SSH Login Shell. You can control your secured ProtectV Manager image using the following commands:

• add <user> — Use this option to add a registered user who can access the ProtectV Manager (PVM) virtual machine.

• You can have a maximum of eight registered users.

• User names cannot exceed 32 characters.

• User names can contain alphanumeric characters and the '_' and '-' symbols, but must begin with a letter or digit.

• boot — Use this option to unlock drives and boot a decrypted PVM virtual machine.

• exit — Use this option to close the PVM SSH Login Shell.

• help / ? — Use this option to list all of the available commands.

• list — Use this option to list all current users.

• password <user> — Use this option to change the password for a specified user.

• port <port> — Use this option to change the port connection. The default port is 22.

• reboot — Use this option to reboot the virtual machine.

• rm <user> — Use this option to delete the specified user.

• shutdown — Use this option to shut down the PVM virtual machine.

4. Type boot and press Enter. This step will boot the instance. (This step may take a few minutes.)

5. Once booted, open a new browser window, and connect to the virtual machine using the Public DNS (for example, https://ec2-50-16-156-2.compute-1.amazonaws.com).

ProtectV uses a self-signed HTTPS certificate by default. When the certificate security warning displays, proceed through the screens to accept the certificate.


For example, if you’re using Internet Explorer, you’d see:

• Click Continue to this website.

6. The ProtectV Manager User Login screen displays. Enter these default credentials, and then click Login:

• Username: admin

• Password: admin

7. The Software License Agreement displays. Carefully review the agreement. If you agree with the terms, click Accept to continue.

8. The Choose How to Configure the ProtectV Manager prompt displays. Select New Configuration and click Next.

9. You will be prompted to change your password. Enter the old password, and then enter the new one.

10. The Key Manager Settings page displays. You must already have a KeySecure device (K150 or higher) configured to complete this page. (Refer to the tasks outlined in the Configure KeySecure section starting on page 14.)

Complete this page:

• Username: Enter the user created on the KeyManager device.

• Password: Enter the password of the user created on the KeyManager device.

• IP Address: Enter the KeyManager IP address. (For KeySecure clustering, enter the multiple IP addresses separated by ':'. For example, 123.12.12.123:123.12.12.124)

• Port: Enter the KeyManager port.

• Protocol: Select SSL or TCP.


• Certificate: Copy the Local CA Certificate from the KeyManager device and paste it here.

NOTE: You must enter valid KeySecure settings so that ProtectV Manager can connect to the KeySecure server with the current configuration.

If you do not have the KeySecure configured properly, ProtectV Manager cannot make a connection. If the configuration is correct, the System Status section on ProtectV Manager Dashboard will display the Key Manager connection status as Connected.

11. Click Save.

12. The Add Cloud Credential prompt displays. Enter the Access Key ID and Secret Access Key used to access your Amazon Web Services account. (These values are usually included with your IAM access credentials.)

13. Click Add.

NOTE: ProtectV Manager will verify the cloud credentials by communicating with AWS. If you do not have the AWS account configured properly and ProtectV Manager cannot contact AWS, then you will not be able to proceed.

14. Now you can add a ProtectV Client virtual machine. Continue with the procedures in the next chapter.
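The following Python sketch is an added example, not SafeNet code: it checks the values for the Key Manager Settings page (step 10) before they are entered, including the ':'-separated cluster address list and the SSL/TCP and FIPS conditions from the Important Notes in the Configure KeySecure section. The class and function names, the sample user, port 9000 and the PEM check on the pasted certificate are assumptions made for illustration.

```python
# Added example: preflight check for the Key Manager Settings page.
# Names, sample values and the PEM test are assumptions, not SafeNet's code.
import ipaddress
from dataclasses import dataclass


@dataclass
class KeyManagerSettings:
    """Fields of the Key Manager Settings page."""
    username: str
    password: str
    ip_address: str        # one IPv4 address, or several separated by ':'
    port: int
    protocol: str          # "SSL" or "TCP"
    certificate: str = ""  # Local CA certificate pasted from KeySecure


def parse_cluster(ip_field):
    """Split the ':'-separated IP Address field into IPv4Address objects.

    Raises ValueError (AddressValueError) on an empty or malformed entry.
    """
    return [ipaddress.IPv4Address(part.strip()) for part in ip_field.split(":")]


def preflight(s, keysecure_use_ssl, keysecure_fips):
    """Return a list of problems; an empty list means the settings are consistent.

    keysecure_use_ssl: state of Use SSL in the KeySecure NAE-XML properties.
    keysecure_fips:    True if the KeySecure is configured for FIPS compliance.
    """
    problems = []
    if not s.username or not s.password:
        problems.append("Username/Password: the KeySecure local user is required")
    try:
        parse_cluster(s.ip_address)
    except ValueError:
        problems.append(
            f"IP Address: {s.ip_address!r} is not a ':'-separated IPv4 list")
    if not 1 <= s.port <= 65535:
        problems.append(f"Port: {s.port} is out of range")
    proto = s.protocol.upper()
    if proto not in ("SSL", "TCP"):
        problems.append(f"Protocol: {s.protocol!r} is neither SSL nor TCP")
        return problems
    if (proto == "SSL") != keysecure_use_ssl:
        problems.append(
            f"Protocol: {proto} does not match the KeySecure Use SSL setting")
    if keysecure_fips and proto == "TCP":
        problems.append(
            "FIPS: key export is not allowed over TCP, so encryption and "
            "decryption would fail; use SSL")
    # Assumption: the Local CA certificate is pasted as PEM text.
    if proto == "SSL" and "-----BEGIN CERTIFICATE-----" not in s.certificate:
        problems.append("Certificate: Local CA certificate is missing")
    return problems


# Constructed sample values.
PEM = ("-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n"
       "-----END CERTIFICATE-----")
GOOD = KeyManagerSettings("pvuser", "example-password",
                          "123.12.12.123:123.12.12.124", 9000, "SSL", PEM)
BAD = KeyManagerSettings("pvuser", "example-password",
                         "123.12.12.123;123.12.12.124", 9000, "TCP")

if __name__ == "__main__":
    print(preflight(GOOD, keysecure_use_ssl=True, keysecure_fips=True))
    for problem in preflight(BAD, keysecure_use_ssl=True, keysecure_fips=True):
        print(problem)
```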


CHAPTER 4 Configure the ProtectV Client Virtual Server

Overview

In this chapter, you will complete the following:

For Linux

• Configure the Linux virtual server.

- and -

• Download and install the ProtectV Linux Client virtual server.

During these procedures, you will configure the firewall, create a separate boot partition (if required), and then download and install the appropriate ProtectV Linux Client RPM. Each Linux distribution that ProtectV supports has a corresponding RPM, which can be installed either manually or via yum. Before you begin this procedure, make sure you are using a supported Linux distribution.

For Windows

• Download and install the ProtectV Windows Client virtual server. Before you begin this procedure, make sure you are using a supported Windows platform.

NOTE: The setip and pvsetip utilities are not supported in AWS environments. Please do not run these utilities in AWS.


Configure the Linux Virtual Server

Configure the Firewall

Make sure the following ports are open for ProtectV Linux servers:

• 22 - SSH

• 9090 – SC/TCP

• 9093 – SC/SSL

Consult your system firewall documentation for information on setting the firewall rules. For example:

1. SSH to the client.

2. Open ports 9090 and 9093 for TCP in the firewall.

For example, for RHEL/CentOS 5.x distributions, use the following command:

system-config-securitylevel-tui -q -p 9090:tcp -p 9093:tcp

Create a Separate /boot Partition

A separate /boot volume or partition is required if:

• FIPS support is desired.

• The instance has a partitioned root volume (i.e., the root volume is /dev/sda but the root device is /dev/sda1).

• You want to avoid instance reconfiguration in the first encryption.

NOTE: If your instance has been reconfigured to have a separate /boot, please ensure that it reboots successfully before installing the ProtectV Client.

NOTE: Existing ProtectV Linux Client instances are not affected by this configuration change.

A separate /boot can be created several ways. A sample method is described on the next page.


Sample Method to Create a Separate /boot Partition

1. Attach a new, blank, 1G volume at the first unoccupied device location whose format matches the existing root volume.

For example, if the existing root volume is /dev/sda1, attach the new volume at /dev/sdb1. If the existing root volume is /dev/sda, attach the new volume at /dev/sdb.

NOTE:

• The Linux kernel may use a different device name. For example, on RHEL 6.3, a device attached at /dev/sdb1 would be named /dev/xvdf1.

• Be sure to avoid any ephemeral volume mount points.

2. If the existing root volume is partitioned, partition the new volume.

For example, if the root volume is /dev/sda and the root filesystem is mounted on /dev/sda1, then the new volume should be partitioned. Make sure the partition number is the same on the new volume.

3. Make an ext3 filesystem (or ext4 on distributions that support ext4 by default, such as RHEL 6.n) on the new volume (or partition).

For example:

mkfs.ext3 -L _/boot /dev/sdb1

4. Save the old /boot and make a new /boot directory.

For example:

mv /boot /boot.sav

mkdir /boot

5. Mount the new volume.

For example:

mount /dev/sdb1 /boot

6. Copy the boot directory to the new volume. Use tar to include hidden files.

For example:

tar -C /boot.sav -cf - . | tar -C /boot -xf -

7. Create a symlink so pv-grub can find /boot/grub/menu.lst on the unmounted boot device.

For example:

cd /boot

ln -s ./ boot

8. Modify /etc/fstab to mount the original root device at the new location if / is mounted using the device, and mount the new boot device on /boot.

For example:

cp /etc/fstab /etc/fstab.sav

echo "LABEL=_/boot /boot ext3 defaults 0 0" >> /etc/fstab

9. Modify menu.lst to specify the new location as root if root is specified by device rather than UUID or LABEL.

10. Shut down the instance.


11. Swap the new boot volume and the old root volume.

• Record the volume IDs of both volumes.

• Detach both volumes.

• Attach the new boot volume to the root volume location.

• Attach the old root volume to the device used above for the new boot volume.

12. Start the instance to ensure that it reboots successfully before installing the ProtectV Client.

Download and Install the ProtectV Linux Client

You can choose to manually install the RPM, or automate the install using yum. The advantage of using yum is that it will automatically download and install/update dependencies for you.

Manual Install

NOTE: When installing the ProtectV Linux Client RPM package, you implicitly agree to accept the SafeNet license terms.

1. Download the ProtectV Linux Client installer from SafeNet’s C3 site at http://c3.safenet-inc.com/secure.asp.

2. Deploy the virtual machine of the supported Linux platform.

3. Transfer the ProtectV Client to the virtual machine (SCP is one method).

4. Install the ProtectV Client. Run:

rpm -i pvlinux-<filename>.rpm

5. In the unlikely event that your system does not already have the necessary dependencies, the install will fail and indicate what dependencies are missing. (Examples would be: libcrypto.so.6() (64bit) or libz.so.1() (64bit).) Locate and install these dependencies, and then rerun the install command shown in the previous step.

• After the installation is complete, SafeNet StartGuard is active and you are logged in. You can immediately start to encrypt partitions, as described in Chapter 6.

• For all subsequent reboots, you will need to start the ProtectV Client virtual machine from the ProtectV Manager Console, as described in the next chapter.


Automated Install with YUM

NOTE: When installing the ProtectV Linux Client RPM package, you implicitly agree to accept the SafeNet license terms.

1. Install the ProtectV Client. Run:

yum install --nogpgcheck pvlinux-<filename>.rpm

2. You will be presented with a list of the updates that yum has determined it needs to make. If you tell it to proceed, it will download and install the dependencies, and then install the ProtectV Linux Client.

• After the installation is complete, SafeNet StartGuard is active and you are logged in. You can immediately start to encrypt partitions, as described in Chapter 6.

• For all subsequent reboots, you will need to start the ProtectV Client virtual machine from the ProtectV Manager Console, as described in the next chapter.

Download and Install the ProtectV Windows Client

1. Download the ProtectV Client software from SafeNet’s C3 site at http://c3.safenet-inc.com/secure.asp.

2. Extract the contents of the zip file.

3. Launch the ProtectV.msi.

NOTE: During a fresh installation or upgrade (to version 1.4 or higher) of a ProtectV Windows client, ProtectV FIPS mode is aligned by default with the Windows security setting System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.

To enforce a ProtectV installation in FIPS mode, append the ProtectV.msi invocation with the ERA_ENCRYPT_USE_FIPS=1 property. For example: msiexec /i ProtectV.msi ERA_ENCRYPT_USE_FIPS=1.

If the system is not configured for FIPS operations, the ProtectV installation will fail, and an error message will be written to the log (in non-interactive installations), or the user will be prompted to continue or not (in interactive installations).

NOTE: The ERA_ENCRYPT_USE_FIPS=1 property has no effect on non-FIPS capable Windows systems.

UPGRADE NOTE: Due to the introduction of FIPS support, a version 1.4 (or higher) ProtectV Manager will be unable to boot up a ProtectV Windows or Linux client that is installed with version 1.2 or older. You must upgrade your ProtectV Clients incrementally, to version 1.3, then to 1.4, and then to 1.5.

4. The ProtectV installation wizard opens. When the Welcome screen displays, click Next.

5. Accept the License Agreement, and then click Next.

6. Select Typical Client Installation, and then click Next.


7. Select the language to be used for interface labels and text messages, and then click Next.

8. Click Install to continue.

9. When the installation is complete, click Finish.

10. When prompted, click Yes to restart the machine.

NOTE: If the Windows server is rebooted after the ProtectV Windows client is installed, the Windows server will be stuck at SafeNet StartGuard. To get the partition in OS mode, go to the Take Action menu in the ProtectV Manager Console and select Boot to OS.

11. This post-installation reboot will not activate SafeNet StartGuard, but StartGuard will be active for subsequent reboots.

• For this first reboot, you will be prompted to log into Windows, and then you can immediately start to encrypt partitions, as described in Chapter 6.

• For all subsequent reboots, you will first need to boot the ProtectV Client virtual server from the ProtectV Manager Console, as described in the next chapter.


CHAPTER 5 Start a ProtectV Client Virtual Server

If you have just completed the ProtectV Client installation, the procedure described in this chapter is not required—you can immediately start to encrypt partitions, as described in Chapter 6.

For all subsequent reboots, however, you will always need to boot the ProtectV Client virtual machine from the ProtectV Manager Console, as described in this chapter.

1. Open a new browser window, and connect to the virtual machine using the Public DNS (for example, https://ec2-50-16-156-2.compute-1.amazonaws.com).

2. Log into the ProtectV Manager Console.

3. Click the Server Management tab.

4. In the Clouds pane, select a region. The available virtual machines for the selected region will display.

5. Select the virtual machine to start.

• If the virtual machine status is currently stopped, click the Take Action menu, and then select Start Server.

• Click the Take Action menu, and then select Boot to OS.

6. Now you’re ready to encrypt or decrypt partitions. Go to the next chapter.


CHAPTER 6 Encrypt/Decrypt Partitions

Overview

In this chapter, you will learn how to:

• Encrypt a partition.

• Decrypt a partition.

Encrypt a Partition

1. In the ProtectV Manager Console, click the Server Management tab.

2. In the Clouds pane, select the appropriate region. The available virtual machines for the selected region display.

3. Select the check box adjacent to the virtual server with ProtectV Client installed. Partition details will display below your selection.

NOTE: Only the partitions for one machine can be displayed at any given time, and only the partitions that can be protected will display. For example, for Linux client machines, the /boot or /dev/sda1 partition is not displayed by ProtectV Manager, as it contains the ProtectV Client, and therefore, encryption is not permitted.

4. Select the partition(s) to encrypt and click the Take Action menu.

5. Click Encrypt Partition.

6. When prompted, click Yes to confirm the encryption.

NOTE FOR LINUX SERVERS: Any encrypt action will stop and restart your AWS virtual machine. Please save all data and close any open applications to prevent data loss.


7. Encryption can take several minutes and a progress bar will display. When the encryption completes, the status of each selected partition will change to Encrypted.

It is good practice to check the Audit Events log when encryption is started to verify the operation started successfully. You can "search" by its JobID (for example, [JobID: 30ee1a56d998] Starting operation:) to view the status. In the event that an error occurred, an error code will also be logged with the same JobID (for example, [JobID: 30ee1a56d998] Error operation:) to identify the problem.

NOTE FOR LINUX SERVERS: After the encryption operation, when the Linux client is rebooted, the Linux client will be inaccessible via SSH. To regain SSH access, go to the Take Action menu and select Boot to OS to reboot the client to make it accessible again.

You can view the encryption status on the Linux client using the command, pvinfo. For example:

[root@localhost ~]# pvinfo
ProtectV Linux v1.2.0.133
Device  Mount  Size         Protected  fs           ca    System
sda2           2147483648   no         swap         True  False
sda3    /      13433307136  yes        crypto_LUKS  True  True
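The following Python sketch is an added example, not part of ProtectV: it parses pvinfo output like the sample above, copes with the empty Mount column on the swap row, lists the devices still reported as unprotected, and checks the client version against the upgrade note in Chapter 4 (clients at version 1.2 or older cannot be booted by a version 1.4 or higher ProtectV Manager). The function names are hypothetical, and the parser assumes that only the Mount column can be empty.

```python
# Added example: parse pvinfo output and report unprotected devices.
# Function names are hypothetical; the sample is the output shown in this guide.
import re

HEADER = ["Device", "Mount", "Size", "Protected", "fs", "ca", "System"]

SAMPLE = """\
ProtectV Linux v1.2.0.133
Device Mount Size Protected fs ca System
sda2 2147483648 no swap True False
sda3 / 13433307136 yes crypto_LUKS True True
"""


def parse_pvinfo(text):
    """Return (version_tuple, rows) parsed from pvinfo output.

    Assumption: Mount is the only column that may be empty, so the last five
    tokens of a row are always Size, Protected, fs, ca and System.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2:
        raise ValueError("not pvinfo output")
    banner = re.fullmatch(r"ProtectV Linux v(\d+(?:\.\d+)*)", lines[0])
    if not banner or lines[1].split() != HEADER:
        raise ValueError("unexpected pvinfo banner or column header")
    version = tuple(int(part) for part in banner.group(1).split("."))

    rows = []
    for ln in lines[2:]:
        tokens = ln.split()
        if len(tokens) < 6:
            raise ValueError(f"short row: {ln!r}")
        device, mount, tail = tokens[0], " ".join(tokens[1:-5]), tokens[-5:]
        size, protected, fs, ca, system = tail
        if not size.isdigit() or protected not in ("yes", "no"):
            raise ValueError(f"unexpected row layout: {ln!r}")
        rows.append({
            "device": device,
            "mount": mount,              # "" for devices with no mount point
            "size": int(size),           # bytes
            "protected": protected == "yes",
            "fs": fs,
            "ca": ca,                    # kept as printed; not interpreted here
            "system": system,
        })
    return version, rows


def unprotected(rows):
    """Devices that pvinfo reports with Protected = no."""
    return [row["device"] for row in rows if not row["protected"]]


def client_too_old_for_pvm_1_4(version):
    """True for client versions 1.2 or older (see the UPGRADE NOTE)."""
    return version[:2] <= (1, 2)


if __name__ == "__main__":
    version, rows = parse_pvinfo(SAMPLE)
    print("client version:", ".".join(map(str, version)))
    print("unprotected devices:", unprotected(rows))
    if client_too_old_for_pvm_1_4(version):
        print("upgrade the client incrementally before using a 1.4+ manager")
```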

NOTE FOR WINDOWS SERVERS: You can view the encryption status on the Windows client. Double-click the ProtectV Client icon in the Windows system tray to view the Encryption Status window.


Decrypt a Partition

1. In the ProtectV Manager Console, click the Server Management tab.

2. In the Clouds pane, select the appropriate region. The available virtual servers for the selected region display.

3. Select the check box adjacent to the virtual server with ProtectV Client installed. Partition details will display below your selection.

NOTE: Only the partitions for one machine can be displayed at any given time, and only the partitions that can be unprotected will display. For example, for Linux client machines, the '/boot' or /dev/sda1 partition is not displayed by ProtectV Manager, as it contains the ProtectV Client, and therefore, decryption is not permitted.

4. Select the partition(s) to decrypt and click the Take Action menu.

5. Click Decrypt Partition.

6. When prompted, click Yes to confirm the decryption.

NOTE FOR LINUX SERVERS: Any decrypt action will stop and restart your AWS virtual machine. Please save all data and close any open applications to prevent data loss.

7. Decryption can take several minutes and a progress bar will display. When the decryption completes, the status of each selected partition will change to Unencrypted.

It is good practice to check the Audit Events log when decryption is started to verify the operation started successfully. You can "search" by its JobID (for example, [JobID: 30ee1a56d998] Starting operation:) to view the status. In the event that an error occurred, an error code will also be logged with the same JobID (for example, [JobID: 30ee1a56d998] Error operation:) to identify the problem.

NOTE FOR LINUX SERVERS: After the decryption operation, when the Linux client is rebooted, the Linux client will be inaccessible via SSH. To regain SSH access, go to the Take Action menu and select Boot to OS to reboot the client to make it accessible again.

NOTE FOR WINDOWS SERVERS: You can view the decryption status on the client as well. Double-click the ProtectV Client icon in the Windows system tray to view the Encryption Status window.


CHAPTER 7 Upgrade ProtectV

Upgrade ProtectV Manager and ProtectV Clients to the Latest Version

This chapter describes how to upgrade the ProtectV Manager and ProtectV Clients to the latest version.

The ProtectV Client upgrade process has not changed; however, please note that starting in version 1.5, the ProtectV Manager upgrade has changed. The upgrade API and CLI commands are no longer used. Now, upgrades are performed through export/import functionality.

Before you begin, please review the pre-upgrade information sections below, and then continue to “Upgrade of ProtectV Manager via Export/Import Process.”

Pre-upgrade Information for the ProtectV Manager

• Please make sure that you have access to and login credentials for SafeNet’s Customer Center (c3) site at http://c3.safenet-inc.com/secure.asp, so you can provision a new version of ProtectV Manager.

• The 1.5 upgrade process for ProtectV Manager is very different from the pre-1.5 upgrade process.

• In order to upgrade to the current version from the previous version, you would need to “Export” all the configuration and operational data from the previous version of ProtectV Manager and import that data into a new version of ProtectV Manager. If you do not have an export package, please refer to “Create an Export Package” in the “Upgrade of ProtectV Manager via Export/Import Process” section.

• Please note that in version 1.4, export of ProtectV Manager data is only possible via GUI (not available in API or CLI).

• If the previous version of the ProtectV Manager that you desire to upgrade from is in the HA configuration then:

• The export of the configuration should only be done from the “Primary Node” of the HA setup of the previous version of ProtectV Manager. The node that has the virtual IP is the “Primary Node.”

• Once the export of the data is done from the previous version of ProtectV Manager, please shut down both nodes of the previous version of the ProtectV Manager.

• Please note that the version of the export package must be less than or equal to the version of the ProtectV Manager you are importing to. For example, a version 1.4.188 PVM export package can be imported into a 1.5.190 PVM, but a version 1.5.192 export package cannot be imported into a 1.5.190 PVM.

• Before you proceed with a ProtectV Manager upgrade via the new import process, please ensure that the export package is of the same Cloud as ProtectV Manager (i.e., you cannot import an AWS settings package to vSphere, or vice-versa).

CHAPTER 7: Upgrade ProtectV

• Please “shut down” the previous version of ProtectV Manager before importing the data into the new version of ProtectV Manager. Please do not terminate the previous version of ProtectV Manager.

• Launch and boot up a new “fresh” version of ProtectV Manager, so you can import the information exported from the prior version.

• Once the import of the data is completed (see the “Upgrade a Single Server Configuration (non-HA) via Import” section) into this “fresh” version of the ProtectV Manager, then this is the “new”, “upgraded” ProtectV Manager that you should use. For HA configuration, this node will be the primary node. You need to set up the fresh network configuration, HA setup etc., since these settings are not imported.

• If HA configuration is desired after this upgrade, then pair-up a “fresh” new ProtectV Manager as the secondary node to the above created (and upgraded) primary node. Please note that you should NOT perform any imports into this secondary node—it will synch with the data from the primary during HA synch-up (see the “Upgrade an HA Configuration via Import” section).

• In ProtectV version 1.5, the default update interval for aggregate statistics by the ProtectV Manager dashboard has been increased from 5 to 30 minutes. This enhancement improves the dashboard performance. After an upgrade is complete, you can change this value (if desired) by calling the updateAggregateRefreshRate API function, the status update refresh CLI command, or by clicking on the pencil icon next to the interval on the Dashboard in the ProtectV Manager Console.

• If the upgrade fails via the import, please launch a new version ProtectV AMI before attempting the import again. Please do not try to import more than once under any circumstances.

• ProtectV Manager can only be upgraded from the previous version.

Pre-upgrade Information for the ProtectV Client

• Before you begin the ProtectV Agent upgrade, please make sure that you have access to and login credentials for SafeNet’s Customer Connection Center (C3) site at http://c3.safenet-inc.com/secure.asp, so you can download the necessary ProtectV Client AWS upgrade package(s).

• We do not support upgrading the ProtectV Agent directly from the C3 site. Please download ProtectV Agent MSI/RPM packages for the appropriate platform from C3 and install to a local server prior to the upgrade.

• It is recommended that you always upgrade ProtectV Manager prior to upgrading the ProtectV Clients.

• Before you proceed with the ProtectV Client upgrade, please be aware that an AWS client upgrade will fail if the instance has not been encrypted (and therefore has no SafeNet StartGuard partition to change).

Upgrade of ProtectV Manager via Export/Import Process

Items Not Included in the Export Package

CAUTION: Please note that the following are not exported/imported:

• Active operations

• Non-active operations

• Network configurations (import will not maintain network interface, DNS, route settings)

• AWS proxy settings

• HA Virtual IP and Heartbeat parameters

This implies that these items need additional setup after importing the data on the new version of the ProtectV Manager.

EC2 vs. VPC

The upgrade process is the same for all clouds, but may require additional setup as some of the setup items listed above are not imported/exported.

HA vs. Non-HA

The following summarizes the HA and non-HA (single server) configuration upgrade processes.

I have a previous version of ProtectV Manager in HA... how do I upgrade?

• Go to the “primary node” of the previous version of ProtectV Manager HA configuration using the virtual IP. (Please note in version 1.4, export is only available via the GUI.)

• Export the ProtectV Manager configuration data from the primary node.

• Save the export package in a safe place.

• Shut down (not terminate) both nodes of the HA configuration of the previous version of ProtectV Manager. Do not skip this step!

• Launch and boot up a new version of the ProtectV Manager, and then import the configuration data package into this new version of ProtectV Manager. You will need to set up the fresh network configuration, HA setup etc., since these settings are not imported. This node is the “new” upgraded Primary node for your HA configuration. (Please note that for 1.5, import is available via GUI, CLI and API.)

• Pair up the new, upgraded primary node above with a “fresh” new version of the ProtectV Manager. You do not need to import on this node.

I have a single node... how do I upgrade?

• Export the ProtectV Manager configuration data from the primary node. (Please note in version 1.4, export is only available via the GUI.)

• Save the export package in a safe place.

• Shut down (not terminate) the previous version of ProtectV Manager. Do not skip this step! (The ProtectV Clients will continue to run even if the server is temporarily shut down.)

• Launch and boot up a new version of the ProtectV Manager, and then import the configuration data package into this new version of ProtectV Manager. You will need to set up the fresh network configuration, etc., since these settings are not imported. (Please note that for 1.5, import is available via GUI, CLI and API.)

Will There be Downtime During the Upgrade?

Yes. When importing settings to the target PVM, the original PVM (where the export was performed) must be stopped.

CAUTION: If the original PVM is not stopped during the import process, the following fatal errors can occur:

• Client identity corruption

• Client communication conflict

Create the Export Package

The exported configuration package from the “previous” version of ProtectV Manager is required and should be readily available for the import portion of the upgrade process. It is recommended to always have a current configuration saved as part of your system maintenance routine.

ProtectV Manager settings can be exported at any time. Just make sure that any active crypto jobs are complete before exporting.

During the upgrade process, the exported settings (cloud credentials, KeySecure settings, physical server machine, etc.) are imported and restored in a new PVM. However, there are some items (such as Active operations, Non-active operations, Network configurations) that import will not maintain.

NOTES:

• Any time you create an export file, it is highly recommended that you store the exported archive in a secure location to prevent tampering by unauthorized personnel.

• If there is not enough space for the export to complete, a “Disk Full. Insufficient disk space to export settings” message will display.

• Only one export operation is supported at a time. Do not attempt to perform additional exports while there is one already in progress.

• If an export file already exists, it may be overwritten with the new one. The default naming convention is pvm.backup.<version>_<date>_<time>.tar. Rename the export file if you do not want to overwrite the existing one.

• If the export operation fails with an error message from the ‘tar’ command, please try the operation again after a few minutes.
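The check below is an added example, not part of this guide or of ProtectV. Because an import can be attempted only once on a pristine PVM, it verifies an export archive before the import is started, using the default file name given above and the rule that the export version must not exceed the target PVM version. The SHA-256 digest recorded at export time, the function names, and the component-by-component version comparison are assumptions of this example.

```python
import hashlib
import hmac
import re
from pathlib import Path

# Default export name given in this guide: pvm.backup.<version>_<date>_<time>.tar
EXPORT_NAME = re.compile(
    r"^pvm\.backup\.(?P<version>\d+(?:\.\d+)+)_(?P<date>\d{8})_(?P<time>\d{4})\.tar$"
)


def parse_version(text):
    """Turn a dotted version such as '1.5.0.195' into (1, 5, 0, 195)."""
    if not re.fullmatch(r"\d+(?:\.\d+)+", text):
        raise ValueError("not a dotted version: %r" % text)
    return tuple(int(part) for part in text.split("."))


def version_from_export_name(filename):
    """Return the version embedded in a default-named export, or None when the
    file was renamed and no longer follows the default convention."""
    match = EXPORT_NAME.match(Path(filename).name)
    return parse_version(match.group("version")) if match else None


def import_allowed(export_version, target_version):
    """True when the export version is less than or equal to the target version.

    Assumption of this example: versions are compared numerically, component by
    component, and only when both have the same number of components. The guide
    does not say how a 3-part and a 4-part version relate, so that is refused.
    """
    if len(export_version) != len(target_version):
        raise ValueError("version formats differ; compare manually")
    return export_version <= target_version


def sha256_file(path, chunk_size=1 << 20):
    """Hash the archive in chunks so large exports do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preflight(path, recorded_sha256, target_version, export_version=None):
    """Return a list of problems; an empty list means nothing blocks the import.

    recorded_sha256 is the digest the operator noted when the export was made
    and stored apart from the archive (an assumption of this example).
    export_version is only needed when the archive was renamed.
    """
    problems = []
    if not hmac.compare_digest(sha256_file(path), recorded_sha256.lower()):
        problems.append("digest mismatch: archive changed since export")
    if export_version:
        version = parse_version(export_version)
    else:
        version = version_from_export_name(path)
    if version is None:
        problems.append("renamed archive: pass export_version explicitly")
    else:
        try:
            if not import_allowed(version, parse_version(target_version)):
                problems.append("export is newer than the target PVM")
        except ValueError as error:
            problems.append(str(error))
    return problems
```

The target version string is the one the new PVM reports through getVersion(), as shown in the API procedures in this chapter.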

Export Using the ProtectV Manager Console

Make sure that any active crypto jobs are complete before exporting.

If you are upgrading an HA configuration, please be sure to create the export package from your current PRIMARY ProtectV Manager.

1. Log in to the ProtectV Manager Console.

2. Click the Administration tab.

3. Click the System Settings tab.

4. Click Export Settings.

5. Click Export. A “Generating and downloading...” dialog displays.

6. Save the file. (You can opt to rename the file as it may be overwritten if a previous one exists.)

Depending on the browser you are using (and the browser settings), the dialogs will differ. For example:

• If you are using Internet Explorer, choose Save, specify a secure location to download the file, click Save, and then click OK.

• If you are using Firefox, choose Save File, and then click OK. The file is automatically saved to the default download directory. It is recommended that you move this file to a more secure location when you have completed this procedure.

7. Proceed to the upgrade procedure for the appropriate configuration (HA, single server, etc.).

Export Using the API

Make sure that any active crypto jobs are complete before exporting.

If you are upgrading an HA configuration, please be sure to create the export package from your current PRIMARY ProtectV Manager.

1. Connect to the instance via python SOAPpy module to establish a SOAP API connection to the current PVM.

    $ python
    Python 2.5.1 (r251:54863, May 5 2011, 18:37:34)
    [GCC 4.0.1 (Apple Inc. build 5465)] on darwin
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import SOAPpy
    >>> pvm = SOAPpy.SOAPProxy("https://admin:[email protected]:8080/soap")
    >>> pvm.getVersion()
    [0, '', '1.5.0.195']
    >>>

2. Export the settings of the current PVM by specifying its export settings. The parameters needed to execute this protocol API:

a) protocol = ftp, sftp or scp
b) host = IP address of the host to export the settings to.
c) user = login id for above host
d) password = password for the above login
e) directory = the directory on the host to transfer export settings file to
f) force = parameter is only needed if multiple exports are being done as only one export operation is supported. This parameter is used to “force” to another one simultaneously

Please ensure that the host is accessible, and the login credentials are correct.

    >>> pvm.exportSettings({"protocol":"scp", "host":"ec2-54-224-211-240.compute-1.amazonaws.com", "user":"root", "password":"********", "directory":"/tmp", "force":False})
    [0, '', '/tmp/backup/pvm.backup.1.5.0.195_20130718_1029.tar']
    >>>

The tar file shown on the output is the exported file of current PVM settings.

Export Using the CLI

Make sure that any active crypto jobs are complete before exporting.

If you are upgrading an HA configuration, please be sure to create the export package from your current PRIMARY ProtectV Manager.

1. Connect to the instance via ssh as user admin to enter the CLI mode.

    $ ssh [email protected]
    Warning: Permanently added 'ec2-50-19-46-29.compute-1.amazonaws.com,50.19.46.29' (RSA) to the list of known hosts.
    Password:
    ---------------------------
    Welcome to ProtectV 1.5.0.195 CLI
    ---------------------------
    press enter to list commands
    (PVM)

2. Export the settings of the current PVM by specifying its export settings. The parameters needed to execute this protocol are:

a) protocol = ftp, sftp or scp
b) host = IP address of the host to export the settings to.
c) user = login id for above host
d) password = password for the above login
e) directory = the directory on the host to transfer export settings file to
f) force = parameter is only needed if multiple exports are being done as only one export operation is supported. This parameter is used to “force” to another one simultaneously

Please ensure that the host is accessible, and the login credentials are correct.

    (PVM) system export settings protocol="scp",host="ec2-54-224-211-240.compute-1.amazonaws.com",user="root",password="*****",directory="/tmp",force=False
    '/tmp/backup/pvm.backup.1.5.0.195_20130718_0931.tar'
    (PVM)

The tar file shown on the output is the exported file of current PVM settings.

Upgrade a Single Server Configuration (non-HA) via Import

This upgrade process requires you to launch a fresh new ProtectV Manager (PVM) using the desired target version (i.e., ProtectV version 1.5.0).

Upgrade Using the ProtectV Manager Console

1. Make sure you have already created an export settings package from your original PVM.

2. Launch a fresh ProtectV Manager using the latest version.

3. Make sure the original PVM is not performing any active crypto. If it is, then please wait for it to finish before continuing.

4. Stop the original PVM. This is a critical step to avoid a communications conflict and identity mismatch.

NOTE: Do not terminate/delete the original Primary PVM instance/virtual machine. Keep it alive until the import has successfully completed.

5. On the new PVM, log into the ProtectV Manager Console using the default credentials (admin/admin).

6. Accept the Software License Agreement (EULA).

7. The Choose How to Configure the ProtectV Manager prompt displays. Select Import Settings from File.

8. Click Browse to locate the export file, and then click Open to select it.

9. Click Next. Wait for the import to complete. If the import was successful, ProtectV Manager will restart.

10. When the login screen displays, log into the ProtectV Manager Console using the same ProtectV credentials as used in the previous version.

11. Verify that the new PVM has all the settings from your previous PVM, with the exception of the settings that are not transferred (described in “Items Not Included in the Export Package” on page 33).

12. Reconfigure the DNS/routes as needed. (Please refer to the “Networking” section in the ProtectV User Guide.)

13. For VPC configurations that require Proxy configuration, you need to reconfigure the Proxy settings and restart the PVM before proceeding further.

14. Verify the PVM can reach the clients by getting the partitions from the clients.

15. Terminate/delete the original Primary PVM instance/virtual machine. The upgraded PVM is now ready to use.

Upgrade Using the API

1. Make sure you have already created an export settings package from your original PVM.

2. Launch a new PVM instance of the version that the PVM is being upgraded to, establish a SOAP connection to it, read the EULA text, and accept EULA as shown.

    $ python
    Python 2.5.1 (r251:54863, May 5 2011, 18:37:34)
    [GCC 4.0.1 (Apple Inc. build 5465)] on darwin
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import SOAPpy
    >>> pvm = SOAPpy.SOAPProxy("https://admin:[email protected]:8080/soap")
    >>> (e, s, d) = pvm.eulaText()
    >>> print e
    0
    >>> pvm.eulaAccept()
    [0, '', None]
    >>> pvm.getVersion()
    [0, '', '1.5.0.197']
    >>>

3. Import the exported settings. The parameters needed to execute this API are:

a) protocol = ftp, sftp or scp
b) host = IP address of the host to import the exported file settings from.
c) user = login id for above host
d) password = password for the above login
e) filename = the complete path to the file on the host to import settings from
f) force = need explanation

    >>> pvm.importSettings({'protocol':'scp', 'host':'ec2-54-224-109-115.compute-1.amazonaws.com', 'user':'root', 'password':'cocobello', 'filename':'/tmp/pvm.backup.1.5.0.195_20130718_0931.tar', 'force':True})
    [0, '', None]
    >>>

The return status code of 0 confirms that the import process was successful.

4. Execute the listUsers() API to check the success again. If there were multiple users in the exported PVM settings, they should be displayed now, confirming that the update was successful.

    >>> pvm.listUsers()
    [0, '', ['admin', 'svr-admin', 'sec-admin']]
    >>>

5. The import settings API is allowed to be executed only once on a pristine instance of a PVM. Should the process fail, it would have to be attempted on another pristine PVM. In addition, trying to import settings again on the same instance will result in the following error.

    >>> pvm.importSettings({'protocol':'scp', 'host':'ec2-54-224-109-115.compute-1.amazonaws.com', 'user':'root', 'password':'cocobello', 'filename':'/tmp/pvm.backup.1.5.0.195_20130718_2048.tar', 'force':True})
    [3899, 'Failed to import settings - Cannot import settings after change password. Please create a new PVM and import settings after accepting EULA, and before changing password.', None]
    >>> exit()

Upgrade Using the CLI

1. Make sure you have already created an export settings package from your original PVM.

2. Connect to the instance via ssh as user admin to enter the CLI mode.

    $ ssh [email protected]
    Warning: Permanently added 'ec2-107-20-29-94.compute-1.amazonaws.com,107.20.29.94' (RSA) to the list of known hosts.
    Password: *******
    'SOFTWARE LICENSE AGREEMENT
    IMPORTANT - READ THESE TERMS CAREFULLY BEFORE DOWNLOADING, INSTALLING OR USING THIS SOFTWARE. BY DOWNLOADING OR INSTALLING THIS SOFTWARE, YOU ACKNOWLEDGE THAT YOU HAVE READ THIS LICENSE AGREEMENT, THAT YOU UNDERSTAND IT, AND THAT YOU AGREE TO BE BOUND BY ITS TERMS. IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT, YOU MAY NOT INSTALL OR USE THIS SOFTWARE.
    1. Grant of License for Personal Use.
    <SNIPPED REST OF EULA TEXT>
    to reasonably effect the intention of the parties.
    Copyright (c) 2013 SafeNet, Inc. All rights reserved.'
    Do you accept [yes]:yes
    ---------------------------
    Welcome to ProtectV 1.5.0.197 CLI
    ---------------------------
    press enter to list commands
    (PVM) system eula accept
    'EULA User License Agreement is already accepted'
    (PVM)

3. Import the exported settings. The parameters needed to execute this command are:

a) protocol = ftp, sftp or scp
b) host = IP address of the host to import the exported file settings from.
c) user = login id for above host
d) password = password for the above login
e) filename = the complete path to the file on the host to import settings from
f) force = parameter is only needed if multiple exports are being done as export operation is supported, you would need to use “force” to create another one

    (PVM) system import settings protocol="scp",host="ec2-54-224-109-115.compute-1.amazonaws.com",user="root",password="******",filename="/tmp/pvm.backup.1.5.0.195_20130718_2048.tar",force=False
    (PVM) user table
    Warning ! PVM connection has been lost (possible reasons: upgrade in progress, PVM is down etc.)
    Exiting CLI ...
    Connection to ec2-107-20-29-94.compute-1.amazonaws.com closed.

4. Connect again to the PVM after some time, and validate that the PVM has been successfully upgraded by listing the users in the system.

    $ ssh [email protected]
    Password: ********
    ---------------------------
    Welcome to ProtectV 1.5.0.197 CLI
    ---------------------------
    press enter to list commands
    (PVM) list users
    Bad command
    (PVM) user table
    admin: role: 'admin'
    svr-admin: role: 'server-admin'
    sec-admin: role: 'security-admin'

5. The import settings command is allowed to be executed only once on a pristine instance of a PVM. Should the process fail, it would have to be attempted on another pristine PVM. In addition, trying to import settings again on the same instance will result in the following error.

    (PVM) system import settings protocol="scp",host="ec2-54-224-109-115.compute-1.amazonaws.com",user="root",password="********",filename="/tmp/pvm.backup.1.5.0.195_20130718_2048.tar",force=False
    Error(3899): Failed to import settings - Cannot import settings after change password. Please create a new PVM and import settings after accepting EULA, and before changing password.
    (PVM)

Upgrade an HA Configuration via Import

These steps apply to EC2 and VPC configurations, except where specific additional steps are mentioned for a particular environment.

Import Using the ProtectV Manager Console

This upgrade process requires you to launch a fresh new pair of ProtectV Managers (PVMs) using the desired target version (i.e., ProtectV version 1.5.0).

Prepare the New Version PVM Configuration

1. Make sure you have already created an export settings package from your original PRIMARY node of the previous version of the PVM.

2. Launch a fresh ProtectV Manager using the latest version. This will be the new PRIMARY PVM. (Please allocate the Virtual IP to this node.)

3. Launch a second fresh ProtectV Manager using the latest version. This will be the new SECONDARY PVM.

Stop the “Original” PVM Configuration

4. Make sure the original PRIMARY PVM is not performing any active crypto. If it is, then please wait for it to finish before continuing.

5. From the original PRIMARY PVM, in the ProtectV Manager Console, deactivate (“Disable HA”) the original PRIMARY and SECONDARY PVMs.

6. Stop the original PRIMARY and SECONDARY PVMs. This is a critical step to avoid a communications conflict and identity mismatch.

NOTE: Do not terminate/delete the original Primary or Secondary PVM instances/virtual machines. Keep them alive until the import has successfully completed.

Start the Upgrade on the New PVM via Import

7. On the new PRIMARY PVM, log into the ProtectV Manager Console using the default credentials (admin/admin).

8. Accept the Software License Agreement (EULA).

9. The Choose How to Configure the ProtectV Manager prompt displays. Select Import Settings from File.

10. Click Browse to locate the export file, and then click Open to select it.

11. Click Next. Wait for the import to complete. If the import was successful, ProtectV Manager will restart.

12. When the login screen displays, log into the ProtectV Manager Console using the same ProtectV credentials you used in the previous version.

13. Verify that the new PRIMARY PVM has all the settings from your previous PVM. You need to set up a few of the settings that are not imported before proceeding further. The settings that are not imported are active operations, non-active operations, and network configurations such as network interface, HA Virtual IP and Heartbeat parameters, DNS, and route settings.

On the new Primary PVM,

• Reconfigure the DNS/routes as needed. (Please refer to the “Networking” section in the ProtectV User Guide.)

• For VPC configurations that require Proxy configuration, you need to reconfigure the Proxy settings on the Primary PVM and restart the Primary PVM before proceeding further.

• Reconfigure the HA Virtual IP and Heartbeat parameters. (Please refer to the “Configure HA Settings” section in the ProtectV User Guide for details.)

14. Bring up a fresh new secondary PVM.

15. On this new secondary PVM, if it is on VPC configuration, then configure Proxy settings (only CLI is allowed) and restart the secondary PVM. There is no need to do any other setup for the Secondary PVM.

16. Establish HA between the new PRIMARY PVM and new SECONDARY PVM. (Please refer to the “Add a Peer” section in the ProtectV User Guide.)

17. Verify HA is established and PVM can reach the clients.

18. Terminate/delete the original Primary and Secondary PVM instances. The upgraded PVMs are now ready to use.

19. Verify that the new PRIMARY PVM and new SECONDARY PVM both display a healthy status.

20. List the instances and partitions on the new upgraded PVM as a part of the health check.

The upgrade via import of data is now complete.

Import Using the API

1. Make sure you have already created an export settings package from your original PRIMARY PVM in the HA pair. The PRIMARY node has the virtual IP associated with it. (See “Export Using the API”)

2. On the original PRIMARY node, disable HA.

3. Shut down the original PVM nodes. This is a very important step before proceeding further.

4. Launch a fresh new version PVM. This will be the new PRIMARY node.

5. Import the exported settings. The parameters needed to execute this API are:

a) protocol = ftp, sftp or scp
b) host = IP address of the host to import the exported file settings from.
c) user = login id for above host
d) password = password for the above login
e) filename = the complete path to the file on the host to import settings from
f) force = need explanation

    >>> pvm.importSettings({'protocol':'scp', 'host':'ec2-54-224-109-115.compute-1.amazonaws.com', 'user':'root', 'password':'cocobello', 'filename':'/tmp/pvm.backup.1.5.0.195_20130718_0931.tar', 'force':True})
    [0, '', None]
    >>>

The return status code of 0 confirms that the import process was successful.

6. Launch a second fresh new version PVM. This will be the new SECONDARY node. Do not import any settings.

7. Verify that the new PRIMARY PVM has all the settings from your previous PVM. Then, on the new PRIMARY node:

• Reconfigure the settings that were not imported—active operations, non-active operations, network configurations such as network interface, HA Virtual IP and Heartbeat parameters, DNS, and route settings.

• For VPC configurations that require Proxy configuration, you need to reconfigure the Proxy settings on the new PRIMARY node.

• Reconfigure the HA Virtual IP and Heartbeat parameters. Please refer to the “Configure HA Settings” section in the ProtectV User Guide for details.

8. Establish HA between the new PRIMARY PVM and new SECONDARY PVM. (Please refer to the “Add a Peer” section in the ProtectV User Guide.)

Import Using the CLI

1. Make sure you have already created an export settings package from your original PRIMARY PVM. The PRIMARY node has the virtual IP associated with it. (See “Export Using the CLI”)

2. On the original PRIMARY node, disable HA.

3. Shut down the original PVM nodes. This is a very important step before proceeding further.

4. Launch a fresh new version PVM. This will be the new PRIMARY node.

5. Import the exported settings. The parameters needed to execute this command are:

a) protocol = ftp, sftp or scp
b) host = IP address of the host to import the exported file settings from.
c) user = login id for above host
d) password = password for the above login
e) filename = the complete path to the file on the host to import settings from
f) force = need explanation

    (PVM) system import settings protocol="scp",host="ec2-54-224-109-115.compute-1.amazonaws.com",user="root",password="******",filename="/tmp/pvm.backup.1.5.0.195_20130718_2048.tar",force=False
    (PVM) user table
    Warning ! PVM connection has been lost (possible reasons: upgrade in progress, PVM is down etc.)
    Exiting CLI ...
    Connection to ec2-107-20-29-94.compute-1.amazonaws.com closed.

The return status code of 0 confirms that the import process was successful.

6. Launch a second fresh new version PVM. This will be the new SECONDARY node. Do not import any settings.

7. Verify that the new PRIMARY PVM has all the settings from your previous PVM. Then, on the new PRIMARY node:

• Reconfigure the settings that were not imported—active operations, non-active operations, network configurations such as network interface, HA Virtual IP and Heartbeat parameters, DNS, and route settings.

• For VPC configurations that require Proxy configuration, you need to reconfigure the Proxy settings on the new PRIMARY node.

• Reconfigure the HA Virtual IP and Heartbeat parameters. Please refer to the “Configure HA Settings” section in the ProtectV User Guide for details.

8. Establish HA between the new PRIMARY PVM and new SECONDARY PVM. (Please refer to the “Add a Peer” section in the ProtectV User Guide.)

Upgrade the ProtectV Clients

Please note the following:

• It is recommended that you upgrade ProtectV Manager prior to upgrading the ProtectV Clients.

• You do not have to decrypt any encrypted partitions prior to performing the upgrade.

• Due to the introduction of FIPS support, a version 1.4 (or higher) ProtectV Manager will be unable to boot up a ProtectV Windows or Linux client that is installed with version 1.2 or older. You must upgrade your ProtectV Clients incrementally, to version 1.3, then to 1.4, and then to 1.5.

Windows Server Upgrade

A ProtectV Windows server upgrade is initiated the same way as a new installation. Silent (/q) or interactive mode upgrades can be performed.

1. Make sure you have already downloaded the appropriate upgrade package from C3, and copied it to the client.

2. Extract the contents of the zip file and launch the ProtectV.msi. The system will detect that an earlier version of ProtectV is installed and upgrade it.

NOTE: During a version 1.4 (or higher) upgrade of a ProtectV Windows client, ProtectV FIPS mode is aligned by default with the Windows security setting, System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.

To enforce a ProtectV installation in FIPS mode, append the ERA_ENCRYPT_USE_FIPS=1 property to the ProtectV.msi invocation. For example: msiexec /i ProtectV.msi ERA_ENCRYPT_USE_FIPS=1

If the system is not configured for FIPS operations, the ProtectV installation will fail, and an error message will be written to the log (in non-interactive installations), or the user will be prompted to continue or not (in interactive installations).

NOTE: The ERA_ENCRYPT_USE_FIPS=1 property has no effect on non-FIPS capable Windows systems.


3. Restart the server after the upgrade. After the restart, the server will be at SafeNet StartGuard.

4. Take the machine into OS mode using any of the following: Boot to OS action in the ProtectV Manager Console, instance boot in the CLI, or bootupProtectedInstance in the API.

5. To verify the upgrade was successful, right-click on the ProtectV icon in the Windows system tray and view the About ProtectV dialog. The new version will display.
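The FIPS notes under step 2 say a forced FIPS-mode installation fails when Windows is not configured for FIPS operations, and that in silent mode the failure is only written to the log. The following preflight is an added example, not part of the SafeNet guide: it checks the registry value behind the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" setting before running the silent upgrade. The function names, the log location and the MSI path passed in are assumptions.

```powershell
# Added example (not from the ProtectV guide). Run from an elevated prompt.
# Assumptions: function names, default log path, and the MSI path you pass in.

function Test-FipsPolicyEnabled {
    # Registry value that backs the Windows security option
    # "System cryptography: Use FIPS compliant algorithms for encryption,
    # hashing, and signing" (Windows Vista / Server 2008 and later).
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $prop = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.Enabled -eq 1)
}

function Invoke-ProtectVFipsUpgrade {
    param(
        [Parameter(Mandatory = $true)][string]$MsiPath,
        [string]$LogPath = (Join-Path $env:TEMP 'ProtectV-upgrade.log')
    )

    if (-not (Test-Path -LiteralPath $MsiPath -PathType Leaf)) {
        throw "MSI not found: $MsiPath"
    }

    # Stop before msiexec runs: with ERA_ENCRYPT_USE_FIPS=1 the installer
    # fails on a host whose FIPS policy is off, and in silent mode the only
    # trace of that failure is the log file.
    if (-not (Test-FipsPolicyEnabled)) {
        throw 'Windows FIPS policy is not enabled; enable it before forcing FIPS mode.'
    }

    # /q = silent mode (as in the guide); /l*v = verbose msiexec log.
    $msiArgs = @('/i', "`"$MsiPath`"", '/q', '/l*v', "`"$LogPath`"",
                 'ERA_ENCRYPT_USE_FIPS=1')
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs `
                          -Wait -PassThru

    # 0 = success, 3010 = success with a restart pending; the guide restarts
    # the server after the upgrade in either case.
    if ($proc.ExitCode -ne 0 -and $proc.ExitCode -ne 3010) {
        throw "msiexec exited with code $($proc.ExitCode); see $LogPath"
    }
    return $proc.ExitCode
}

# Example call (path is a placeholder):
# Invoke-ProtectVFipsUpgrade -MsiPath 'C:\Temp\ProtectV\ProtectV.msi'
```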

Linux Server Upgrade

NOTE: A Linux server upgrade will fail if the instance has not been encrypted (and therefore has no SafeNet StartGuard partition to change).

Manual Upgrade

1. Make sure you have already downloaded the upgrade package from C3, and copied it to the server.

2. Upgrade the ProtectV Client using: rpm -U pvlinux-<filename>.rpm

3. To verify the upgrade was successful, run pvinfo. The new version will display.

Automatic Upgrade

1. Make sure you have already downloaded the upgrade package from C3, and copied it to the server.

2. Upgrade the ProtectV Client using: yum upgrade <filename>.rpm

NOTE: Alternatively, you can use the install argument to upgrade, but it can be quite slow.

3. To verify the upgrade was successful, run pvinfo. The new version will display.

END OF DOCUMENT