Vblock Ready™ Certification Test Plan Report...

104 Schneider Road Kanata, Ontario K2K 1Y2

Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

Vblock Ready™ Certification Test Plan Report Vormetric Security Manager v5.1.1

September 18, 2013

http://www.superna.net/


Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

2 |Page

1 Certification Overview ...................................................................................................................................... 4

2 Product Terminology and Definitions ............................................................................................................... 5

3 Certification Status ........................................................................................................................................... 6

4 Executive Summary .......................................................................................................................................... 6

5 Product Overview ............................................................................................................................................. 7

6 Certification Test Cases .................................................................................................................................... 8

7 Certification Environment ................................................................................................................................ 9

8 Product Dependence to Vblock Types ............................................................................................................. 9

9 Vblock Platform Hardware and Software Component ..................................................................................... 9

10 Certification Product Components and Configuration Details ....................................................................... 10

11 Certification Results ........................................................................................................................................ 11

12 Test Case Execution Results Summary ........................................................................................................... 12

13 Recommendations & Future Considerations ................................................................................................. 12

14 Certification Summary .................................................................................................................................... 13

15 Test Case Details ............................................................................................................................................. 14

15.1 Test ID : 1230 - VCE ISV COMMON - Vendor Appliance Live Migration (vMotion) ............................. 14

15.1.1 Steps ................................................................................................................................................. 14

15.2 Test ID : 1233 - VCE ISV COMMON - Software Restart (Graceful) ....................................................... 14

15.2.1 Steps ................................................................................................................................................. 15

15.3 Test ID : 1234 - VCE ISV COMMON - Software Restart (Forced_Unexpected) .................................... 15

15.3.1 Steps ................................................................................................................................................. 15

15.4 Test ID : 1235 - VCE ISV COMMON - Loss of communications ............................................................ 16

15.4.1 Steps ................................................................................................................................................. 16

15.5 Test ID : 1236 - VCE ISV COMMON - High Availability Test (Forced_Unexpected) .............................. 16

15.5.1 Steps ................................................................................................................................................. 17

15.6 Test ID : 1237 - VCE ISV COMMON - High Availability Test (Graceful) ................................................. 17

15.6.1 Steps ................................................................................................................................................. 17

15.7 Test ID : 1240 - VCE ISV IHV COMMON - Installation ........................................................................... 17

15.7.1 Steps ................................................................................................................................................. 18

15.8 Test ID : 1241 - VCE ISV IHV COMMON - Removal ............................................................................... 18

15.8.1 Steps ................................................................................................................................................. 18

15.9 Test ID : 1242 - VCE ISV IHV COMMON - Documentation ................................................................... 18

15.10 Test ID : 1261 - Vendor Test 1 - Transform Data from Clear to Encrypted .......................................... 19

15.10.1 Steps .............................................................................................................................................. 19

15.11 Test ID : 1262 - Vendor Test 2 - Apply production policy after Data transformation.......................... 20

15.11.1 Steps .............................................................................................................................................. 21

15.12 Test ID : 1263 - Vendor Test 3 - Quest Benchmark Facility Test 1 ....................................................... 22

15.12.1 Steps .............................................................................................................................................. 22

15.13 Test ID : 1264 - Vendor Test 4 - Quest Benchmark Test 2 ................................................................... 23

15.13.1 Steps .............................................................................................................................................. 23

15.14 Test ID : 1265 - Vendor Test 5 - DSM Unreachable .............................................................................. 24



Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

3 |Page

15.14.1 Steps .............................................................................................................................................. 24

15.15 Test ID : 1266 - IOmeter tests for one volume non-encryted on vormetric Win appliance VM ......... 25

15.15.1 Steps .............................................................................................................................................. 25

15.16 Test ID : 1267 - IOmeter tests for one volume encryted on vormetric Win appliance VM ................. 25

15.16.1 Steps .............................................................................................................................................. 25

16 Testing Results ................................................................................................................................................ 26

16.1 Configuration: Test ID : 1230 - VCE ISV COMMON - Vendor Appliance Live Migration (vMotion) .... 26

16.2 Configuration: Test ID : 1233 - VCE ISV COMMON - Software Restart (Graceful) .............................. 26

16.3 Configuration: Test ID : 1234 - VCE ISV COMMON - Software Restart (Forced_Unexpected) ........... 26

16.4 Configuration: Test ID : 1235 - VCE ISV COMMON - Loss of communications ................................... 27

16.5 Configuration: Test ID : 1236 - VCE ISV COMMON - High Availability Test (Forced_Unexpected) .... 27

16.6 Configuration: Test ID : 1237 - VCE ISV COMMON - High Availability Test (Graceful) ....................... 27

16.7 Configuration: Test ID : 1240 - VCE ISV IHV COMMON - Installation.................................................. 27

16.8 Configuration: Test ID : 1241 - VCE ISV IHV COMMON - Removal ...................................................... 28

16.9 Configuration: Test ID : 1242 - VCE ISV IHV COMMON - Documentation .......................................... 28

16.10 Configuration: Test ID : 1261 - Vendor Test 1 - Transform Data from Clear to Encrypted ................. 28

16.11 Configuration: Test ID : 1262 - Vendor Test 2 - Apply production policy after Data transformation 29

16.12 Configuration: Test ID : 1263 - Vendor Test 3 - Quest Benchmark Facility Test 1 .............................. 29

16.13 Configuration: Test ID : 1264 - Vendor Test 4 - Quest Benchmark Test 2 .......................................... 30

16.14 Configuration: Test ID : 1265 - Vendor Test 5 - DSM Unreachable..................................................... 31

16.15 Configuration: Test ID : 1266 - IOmeter tests for one volume non-encryted on vormetric Win appliance VM ...................................................................................................................................................... 31

16.16 Configuration: Test ID : 1267 - IOmeter tests for one volume encryted on vormetric Win appliance VM 31

17 About The Vblock Ready™ Certification Process ............................................................................................ 33



Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

4 |Page

1 Certification Overview

Test Plan Name Vormetric Security Manager 5.1.1 Certification Final Report

Product Vormetric Data Security Manager (DSM) (V5.1.1) Vormetric Encryption Expert Agent for Linux & Windows (V5.1.2)

Product Version V5.1.1

Revision History:

Rev Number

Date Author Description – Reason for Change

0.1 September 18, 2013 Sandra Escarraga Initial Draft

0.2 September 18, 2013 Sandra Escarraga Draft for review

0.3 September 18, 2013 Emily Chan Edits

1.0 September 19, 2013 Emily Chan Report for Review

1.1 September 19, 2013 Emily Chan Added more data

1.2 October 16, 2013 Emily Chan Added corrections

Review List:

Area of Expertise Name Role Review Date

VCE Certification Sponsor Jamie Chui Approver Sept. 19, 2013

Superna Certification Program Manager

Andrew MacKay Approver Sept. 19, 2013

Product References:

Document Name Link Description

Data Security Manager

http://www.vormetric.com/products/encryption/data-security-manager

Overview product

Vormetric Encryption Expert Agent

http://www.vormetric.com/products/encryption Overview product




http://www.vormetric.com/products/encryption


Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

5 |Page

2 Product Terminology and Definitions Vormetric Encryption allows enterprises to encrypt sensitive data on servers, control access to the encrypted data, and then to report on who is accessing that information. Vormetric Encryption supports all of the major platforms – Linux, Unix, Windows – and can be used in physical, virtual and cloud environments. This enterprise data encryption solution protects both structured and unstructured data with integrated data encryption, encryption key management and a common infrastructure environment. GuardPoint - A GuardPoint is a location in the file system hierarchy where everything underneath has the policy applied to it. It can be thought of as a UNIX mount point. The File System Agent intercepts any attempt to access anything in the GuardPoint and uses policies obtained from the DSM to grant or deny the access attempt Agent - A Vormetric software program that is loaded onto the host machine containing the data to be secured. Vormetric Agents implement the security policies that are defined and stored in the DSM. Vormetric Agents include the File Systems Agent, Backup Agents for DB2 and IDS, and Key Agents for Oracle Database TDE and Microsoft SQL Server. Challenge-response - The cryptographic algorithm used to limit access to the Management Console. The host user enters a new password each time a host password is required. When a host is configured with a dynamic password, the host user runs a utility that displays a seemingly random string (the challenge), which he or she then gives to a DSM administrator. The DSM administrator returns a counter-string (the response) that the host user must enter to decrypt guarded data. The host user has 15 minutes to enter the counter-string. ciphertext - Data in its encrypted form. Ciphertext is the result of encryption performed on plaintext using an algorithm, called a cipher. Decryption - The process of changing ciphertext into plaintext using a cryptographic algorithm and key. Digital signature - A cryptographic transformation of data that provides the services of origin authentication, data integrity, and signer non-repudiation. Encryption - The process of changing plaintext into ciphertext using a cryptographic algorithm and key. Policies - A set of security access rules for protected data. These rules are specified by security administrators, stored in the DSM, and implemented on hosts by agents.



Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

6 |Page

3 Certification Status Certification Status: Certified Certification Date: September 19, 2013 Certification Type: Standard Product Certification Certification HW: VB700MX Certification RCM: 3.5.3

4 Executive Summary This report is focused on the results and findings of the Vblock Ready™ Certification project that was completed for Vormetric Data Security Manager and Vormetric Encryption Expert Agent. Vormetric Data Security Manager is a FIPS 140-2 certified hardware appliance that provides centralized key and policy management for all Vormetric Encryption Expert Agents installed on servers across the distributed enterprises. The Vormetric Data Security Manager can also provide enterprise encryption management for Transparent Data Encryption from Oracle and Microsoft SQL Server databases as well as providing storage for any other encryption key. Features and benefits for this data security management system include:

- Automated key generation and distribution - Automated policy distribution - Health monitoring and alerting for Vormetric Encryption Expert Agents - Centralized data access logging and auditing

Vormetric Data Security Manager and Vormetric Encryption Expert Agent are posted in EMC Solutions Gallery:

Vital Stats

i

Certification: RSA Secured

Classification: Integration

EMC Products Supported: RSA enVision

Date Added: Feb 17, 2012


http://www.vormetric.com/products/enterprise-key-management/transparent-data-encryption-key-management

http://www.vormetric.com/products/enterprise-key-management/transparent-data-encryption-key-management

http://www.vormetric.com/products/encryption/database-encryption/oracle-database-encryption

http://www.vormetric.com/products/encryption/database-encryption/microsoft-sql-server-data-encryption

http://www.vormetric.com/products/encryption

https://gallery.emc.com/docs/DOC-2594


Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

7 |Page

Support statement: The primary goals of the Vblock Ready™ certification tests conducted for the Vormetric Data Security Manager and Vormetric Encryption Expert Agent were:

1. Ensure the integration of Vormetric Data Security Manager and Vormetric Encryption Expert Agent software with an operationally clean, running Vblock produces no errors or performance degradations.

2. Demonstrate logical integration with VCE Vblock System 700 elements and managers 3. Observe accurately represented events from connected VCE Vblock System 700 elements 4. Demonstrate operation functionality of Vormetric software by performing operational and

management activities available from vendor software The Vormetric Data Security Manager and Vormetric Encryption Expert Agent met these goals, and achieved Vblock Ready™ certification.

5 Product Overview Vormetric Data Security Manager provides centralized key and policy management for Vormetric Encryption. The Data Security Manager provides console functionality in a FIPS 140-2 certified appliance. The Data Security Manager functions as a console for both Vormetric Encryption and Vormetric Key Management. Vormetric Encryption Expert Agent software applies the enterprise encryption policies established at the Data Security Manager console. Encryption Expert Agents support the leading operating systems – Linux, Unix and Windows. Vormetric Encryption delivers:

- Near zero performance overhead through software optimization and support for hardware cryptographic acceleration technologies including Intel® AES-NI and SPARC Niagara Crypto.

- Centralized policy management and audit across the distributed enterprise for file systems, databases and applications.

- Application and database transparent data security - eliminating application, database, and storage change requirements.

- Strong encryption, access control and encryption key management across platforms, applications and devices.



Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

8 |Page

- Flexible security infrastructure for distributed environments including physical, virtual and cloud environments.

- Highly configurable security and policy enforcement through granular access control, audit and host integrity capabilities.

- Common Vormetric Data Security infrastructure with Vormetric Key Management that can manage encryption keys from Transparent Data Encryption for Oracle and Microsoft SQL Server along with key vaulting to store other encryption keys

6 Certification Test Cases The test cases that were developed and used for this certification are outlined below and discussed in complete detail in the certification test plan. The test cases were developed to demonstrate the primary functionality of Vormetric Data Security. The following outlines the test cases performed:

1. Server Integration in Vblock System 700 2. Logical integration of software with VNX 5300 3. Vormetric Data Security Management Console (Create domains, create hosts, created keys, created

policies, apply policies and rules, guard file systems, monitor VM resources, monitor application resources, fill datastore, delete archive)

A high level overview of the test execution is shown below:


http://www.vormetric.com/products/encryption/database-encryption/oracle-database-encryption

http://www.vormetric.com/products/encryption/database-encryption/microsoft-sql-server-data-encryption


Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

9 |Page

7 Certification Environment The test cases took place in the Superna Vblock Ready™ Certification Lab on a Vblock System 700 platform. The following table summarizes the test cases conducted and the expected sensitivity across Vblock platforms. Sensitivity is given as (H,M,L) corresponding to High, Medium, Low and is noted below:

Vblock System 100 Vblock System 200 Vblock System 300 Vblock System 700

Vormetric Data Security Manager and Vormetric Encryption Expert Agent for Linux & Windows (V5.1.2)

L L L L

Logical Software Integration L L L L

Observe Relative Events L L L L

Normal Software Functionality (Monitor Resources/Generate Reports)

L L L L

Vendor Solution Disassociation L L L L

8 Product Dependence to Vblock Types

There are currently no known Vblock type dependencies.

9 Vblock Platform Hardware and Software Component The following table provides additional information regarding the hardware and software used in the test environment. Certification RCM: 3.5.3



Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

10 |Page

10 Certification Product Components and Configuration Details

Software Version Description

Vormetric Data Security Manager (DSM) (V5.1.1) Vormetric Encryption Expert Agent for Linux & Windows (V5.1.2)

5.0

Windows 2008 Server R2 Standard Agent

CentOs Linux Standard Agent

ESXi 5.1 VMware Hypervisor

Please refer to the following diagram for an architectural overview of the Vormetric Data Security Manager and Vormetric Encryption Expert Agent for Linux and Windows for this Vblock Ready™ Certification:



Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

11 |Page

11 Certification Results All certification tests yielded results that were expected and met the defined success criteria for the effort. The tables below summarize the test case and success criteria findings. Success Criteria Validation Results Summary:

Vormetric and Superna have agreed that certification is achieved based on completion of the following test criteria:

Successfully integration of Vormetric Data Security Manager and the Vblock Platform

Successfully integration of Vormetric Encryption Expert Agent for Linux & Windows and Vblock Platform.

Ensure no critical system errors or performance degradation after integration of Vormetric Data Security Manager and the Vblock platform.

Successfully run desired test cases as outlined in the Test Case scenarios.



Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

12 |Page

12 Test Case Execution Results Summary

Success Criteria Result

Pass

Fail

No critical events recorded in VMware Hypervisor

✔

No critical events recorded in VMware vCenter ✔

No critical events on UCS compute chassis or Blades

✔

Application installed without error ✔

Application is virtualized ✔

No performance degradation on the UCS or Virtual Machine during test case(s) execution

✔

Application functionality validated on Vblock Platform

✔

Application test cases completed without errors on Vblock Platform.

✔

Application test cases completed with acceptable response time on Vblock Platform.

✔

13 Recommendations & Future Considerations

Recommendation #1: Updating Installation Guide with Requirements Section for Linux Agent Install When following the installation guide for Linux Agent install, there was no mention of requirements on the VM. However, when running the installation, two issues were run into. The first being that perl needed to be installed before the installation could run. The second was disabling firewall ports so that the server and agent could communicate. It was not clearly outlined in the Linux portion of the agent installation documentation. The commands to install perl as well as the instruction or either disabling firewall ports or firewall altogether is recommended to be included in documentation.



Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

13 |Page

Recommendation #2: Integrating Partner Product with VCE Systems and Management Tools VCE continues to evolve its Vblock System platforms and its systems management technologies. With respect to Vblock Systems management framework, VCE has always considered a converged infrastructure foundational software layer as strategic and continues to develop its software in this space. As VCE makes new system management capabilities and API's available to its developer community and the market, it will be important for FIS to evaluate these capabilities and determine how FIS Profile and GT.M software can leverage and integrate to the Vblock by way of this software layer and these API's. In addition, updated certification will be required at which time these new VCE system management integration capabilities are available.

Recommendation #3: Acquiring VMware Ready certified status for the product Vormetric Data Security Manager and Vormetric Encryption Expert Agent is not VMware Ready certified. It is important to note that VMware Ready™ certification is not a hard pre-requisite for Vblock Ready™ certification but it is a recommendation of this report that Vormetric considers VMware Ready™ certification for this product. Given the pervasive nature of virtualization with the Vblock platform, having this certification would help to further increase customer confidence and also act as an additional level of validation with respect to any technical inconsistencies or challenges. VMware has complete details on this program on their website.

14 Certification Summary Superna certifies that the Vormetric Data Security Manager and Vormetric Encryption Expert Agent for Linux & Windows are Vblock Ready™. Superna has tested the product on Vblock Systems, verified the product does not result in degradation of Vblock platform performance or availability, and the product has met the jointly agreed upon entrance, integration, and interoperability criteria.



Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

14 |Page

15 Test Case Details

15.1 Test ID : 1230 - VCE ISV COMMON - Vendor Appliance Live Migration (vMotion)

Field Label Field Value Field Label Field Value

Creation Date: 7/2/2013 Template:

Test Name: VCE ISV COMMON - Vendor Appliance Live Migration (vMotion)

Test ID: 1230

Execution Status: Passed Type: MANUAL

Description

Test VMWare Live Migration function on vendor appliance.

15.1.1 Steps

Step Name Description Expected Result

Step 1 Vendor application has been fully deployed and tested.

Step 2 Perform a live migration of the vendor appliance from existing blade to another blade in the Vblock cluster.

Step 3 Test vendor functionality during live migration. If migration completes prior to functionality test, complete testing at destination.

Step 4 Migrate the vendor appliance back to the original blade.

Step 5 Retest vendor functionality during live migration. If migration completes prior to functionality test, complete testing at destination.

15.2 Test ID : 1233 - VCE ISV COMMON - Software Restart (Graceful)



Test Name: VCE ISV COMMON - Software Restart (Graceful)

Test ID: 1233


Description

This is a graceful restart of the vendor’s software. Tests the ability of software under certification to recover and resume operation after a restart following vendor procedure.



Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

15 |Page

15.2.1 Steps


Step 1 Follow vendor documentation to perform a restart of software under test. All vendor documented procedures are to be followed exactly as precribed. Attach procedure for restart to this test run.

Procedures for restart are available. Software restarts and resumes functional operation equivalent to pre-restart state.

Step 2 Vormetric Linux agent restart

Software restarts and resumes functional operation equivalent to pre-restart state.

Step 3 Restart Security Server Software

Software restarts and resumes functional operation equivalent to pre-restart state

15.3 Test ID : 1234 - VCE ISV COMMON - Software Restart (Forced_Unexpected)



Test Name: VCE ISV COMMON - Software Restart (Forced_Unexpected)

Test ID: 1234


Description

This test case is designed to test the software under certification’s ability to recover from an unexpected interruption. Software will be runnning and operationally configured. The virtual machine will be reset unexpectedly using the vSphere client.

15.3.1 Steps


Step 1 1. Launch the vSphere client. 2. Browse to the management or main component of

the software under certification. 3. Right click on the icon representing the virtual

machine. 4. Select Power then Reset 5. Click Yes on the Confirm Reset Dialog 6. Wait for vendor VM to restart- progress can (usually)

be monitored in the vm console window. 7. After restart has completed, confirm that the virtual

machine is functionally and operationally equivalent to state prior to starting this test case.

Virtual machine restarts and resumes operation without user intervention.



Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

16 |Page

15.4 Test ID : 1235 - VCE ISV COMMON - Loss of communications



Test Name: VCE ISV COMMON - Loss of communications

Test ID: 1235


Description

Tests ability of software under test to automatically recover after a 15 minute loss of communications. Software is configured and operationally functional prior to the start of this test. All vendor to Vblock element API connections are configured and operationally functional/normal.

15.4.1 Steps


Step 1 1. Launch vCenter Server and locate virtual machine being tested.

2. Edit running vendor virtual machine by right clicking on the vCenter vm icon and selecting "Edit Setting"

Click on the network adapter(s) responsible for connectivity to Vblock Management APIs and uncheck the "Connected" box.

Repeat for all management interfaces if multiple interfaces are used to provide high availability connectivity to management infrastructure

4. Click OK

** If vendor management is running on bare metal server physically disconnect management interface(s) connections.

Wait for a period of 15 minutes.

Vendor software should lose connectivity with all Vblock elements being managed.

Step 2 Enable (or reconnect) interface(s) by ticking the "Connected" box under and then clicking ok. Retest management functions by browsing all Vblock elements being managed by vendor software.

Vendor software should automatically reconnect to all Vblock elements being managed. Operation and functions of vendor software should be restored to an operational state.

15.5 Test ID : 1236 - VCE ISV COMMON - High Availability Test (Forced_Unexpected)



Test Name: VCE ISV COMMON - High Availability Test (Forced_Unexpected)

Test ID: 1236




Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

17 |Page

15.5.1 Steps


Step 1 Convert failover server dsm-server-1 as primary server.

Step 2 Convert primary server dsm-server-2 as a failover server.

15.6 Test ID : 1237 - VCE ISV COMMON - High Availability Test (Graceful)



Test Name: VCE ISV COMMON - High Availability Test (Graceful)

Test ID: 1237


15.6.1 Steps


Step 1 High Availability Test (Graceful)

Step 2 Convert primary server as failover Synchronized the servers

15.7 Test ID : 1240 - VCE ISV IHV COMMON - Installation



Test Name: VCE ISV IHV COMMON - Installation

Test ID: 1240


Description

This test case is designed to demonstrate successful installation of software under certificication. Insert steps in Design Section.



Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

18 |Page

15.7.1 Steps


Step 1 Install Vendor Software

Software is installed by following vendor documentation, or by vendor if part of service. Vblock does not need any modification to core elements (firmware, Vblock service networks) Attach Installation procedure or notes.

15.8 Test ID : 1241 - VCE ISV IHV COMMON - Removal



Test Name: VCE ISV IHV COMMON - Removal Test ID: 1241


Description

Dissassociation of Vendor SW/HW from Vblock. Insert Steps here

15.8.1 Steps


Step 1 Uninstall/Removal of Vendor Software

Software is uninstalled by following vendor documentation, or by vendor if part of service. Vblock does not need any modification to core elements (firmware, Vblock service networks) Attach removal procedure or notes.

15.9 Test ID : 1242 - VCE ISV IHV COMMON - Documentation



Test Name: VCE ISV IHV COMMON - Documentation

Test ID: 1242


Description

Ensures vendor documentation is clear and error free.



Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

19 |Page

15.10 Test ID : 1261 - Vendor Test 1 - Transform Data from Clear to Encrypted



Test Name: Vendor Test 1 - Transform Data from Clear to Encrypted

Test ID: 1261


Description

Test the ability to transform data from clear to encrypted data

15.10.1 Steps


Step 1 Create a host in DSM and check "Communication Enabled" box for the FS agent under "Hosts" tab.

Afterwards, install Vormetric agent in a Linux or Windows host and register it to the DSM.

There should be connectivitiy between hosts and DSM

Step 2 Log into DSM using an "ALL" type administrator. Afterwards click on "Domains" -> "Switch Domains". Select the domain that you’ve created and click on

"Switch to domain".

You should have access to new tabs with different functions now

Step 3 Click on "Keys" -> "Agent Keys" -> "Key". Click on "Add" to add a new AES-256 key.

Enter "key_aes256" for the key name, select "AES256" for algorithm.

Click "OK" to generate the key.

New line with key should populate the table

Step 4 Click on "Policies" -> "Manage Policies". Then click on "Add Online Policy" button to create a

policy. You will see "Online Policy Composer" java applet shows up.

Click on the "Action", select "key_ops operations" and click on "Add" button.

Click on "OK" to close the windows. Afterwards, click on "Effect" and select "permit" and

"apply_key" and click on OK to close the java windows.

Finally, click "Add" button to add the policy rule. Afterwards, click on the "Key Selection Rules" and

select "clear_key". In the "Data Transformation Rules", select

"key_aes256" as follow. Afterwards, click on "Policy" -> "save" to save the policy. Name the policy

Check with attached screenshots to compare output



Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

20 |Page

Dataxform.

Step 5 In the host where the Vormetric agent is installed, create a directory and copy some clear data over from a source directory. It’s better that the data contain some text files so you can check the files later for encryption.

Create directory with data

Step 6 Go back to DSM and click on "Hosts" and select the host that has Vormetric agent installed.

Click on "Guard FS" -> "Guard". Select the "Dataxform" as the policy, use "Directory

(Auto Guard)", then click on browse button and pick the same directory that you’ve copied the clear data in Step 5.

Afterwards, click OK to guard.

Manager GUI should reflect changes

Step 7 Click the "Refresh" button and wait until the "status" light turns green under "Guard FS" in Hosts tab.

When the status light turns agree, the policy has been implemented at the agent side.

Step 8 Open a SSH or command prompt for Windows session, and run "dataxform –rekey –gp Guard_Point" where Guard_Point is the name of the directory that you have guard in Step 6.

Dataxform will transform the data from clear to encrypted data using key_aes256 specified by the Dataxform policy.

[root@linux2612 home]# dataxform --rekey --gp /home/dataxform Checking if /home/dataxform is a guard point with a rekey policy applied /home/dataxform is a guard point with a rekey policy applied About to perform the requested data transform operation -- Be sure to back up your data -- Please do not access files in the guard point during the transform process -- Please do not attempt to terminate the application Do you wish to continue (y/n)?y Scan found 229 files (47 MB) in 1 directories for guard point /home/dataxform Transformed 229 files (47 MB) of 229 files (47 MB) for guard point /home/dataxform The data transform operation took 0 hours, 0 minutes and 1 seconds The data transform program ran from Tue Sep 3 14:01:42 2013 until Tue Sep 3 14:01:43 2013 Data transform for guard point /home/dataxform finished

15.11 Test ID : 1262 - Vendor Test 2 - Apply production policy after Data transformation



Test Name: Vendor Test 2 - Apply production policy after Data transformation

Test ID: 1262




Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

21 |Page

15.11.1 Steps


Step 1 After performing test case #1, we need to unguard the dataxform policy and apply a production policy to the same directory.

Log into the DSM, switch domain, click on "Hosts" and select the host that has the dataxform policy.

No issues expected

Step 2 Click on "Guard FS" tab and select the dataxform policy.

Click on "Unguard" button to unguard the dataxform policy.

GUI should reflect changes

Step 3 Wait and click on the "Refresh" button until the dataxform policy disappears from the web GUI

Policy is removed

Step 4 In DSM, click on "Policies"->"Manage Policies" to go to policies web page.

Click on "Add Online Policy" button to create a production policy using the same key, ie key_aes256.

In the policy composer, click "Action" and add "all_ops" to the action.

Click on "Effect" button and add "permit apply_key" to the selection.

Click "Add" button to add the policy rule.

Select "key_aes256" and add it to the You don’t need to select anything in the "Data Tranformation Rules" because this is a production policy.

Save the policy as "po_aes256". The production policy should have the follow security and key selection rules.

Check with attached screenshots

Step 5 In DSM, click on "Hosts" and click on the host that has Vormeric agent installed.

Click on "Guard FS"-> "Guard" and select "po_aes256" as the policy, "Directory (auto guard)" as type, and browse to the same directory that is previously guarded by Dataxform policy in test case #1.

Click "OK" to apply the production policy, po_aes256.

No issues expected

Step 6 Click on "Refresh" button and wait until the status light turns green.

Open a SSH in Linux and type "secfsd –status guard" to see if the policy is guarded under the status field.

For Windows, right-click on the Vormetric icon in the taskbar and click on "status".

Run system utility command such as "diff" for Linux or "fc" for windows to compare the original source directory and the encrypted directory. The files should be identical



Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

22 |Page

15.12 Test ID : 1263 - Vendor Test 3 - Quest Benchmark Facility Test 1



Test Name: Vendor Test 3 - Quest Benchmark Facility Test 1

Test ID: 1263


Description

Install Microsoft SQL server and run Quest Benchmark Factory for SQL baseline

15.12.1 Steps


Step 1 Install SQL 2008 64-bit or SQL 2012 64-bit to a non-guarded directory

No issues expected

Step 2 Download 64-bit version of Quest Benchmark factory trail version from here, http://www.quest.com/benchmark-factory/

A 30 days trial license can be provided upon installation. Install Benchmark Factory to a non-guarded directory. You can watch a demo video from the download page to see how Benchmark factory works.

No issues expected

Step 3 Create a regular (non-encrypted) directory. Login to MS SQL manager and create a new Database in Microsoft SQL called "baseline"

No Issues expected

Step 4 In Benchmark factory wizard, you will need to select "industry standard" and pick "TPC-E".

Create a new profile that point to Microsoft SQL ODBC.

Click on "Add DSN" to add the appreciate DSN, user, password for ODBC connection.

Point the default database to "baseline" instead of master database or the same database that you’ve created in step 3

No issues expected

Step 5 During the load scenario wizard, select Benchmark Scale "6".

You also wan to add selected user load of 1, 4, 8, 10, 50, 100. Finally click on "submit" to run job

Benchmark factory completes successfully. Record all baseline number for user load 1, 2, 4, 8, 10, 50, 100.


http://www.quest.com/benchmark-factory/


Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

23 |Page

15.13 Test ID : 1264 - Vendor Test 4 - Quest Benchmark Test 2



Test Name: Vendor Test 4 - Quest Benchmark Test 2

Test ID: 1264


Description

Run Benchmark factory in the encrypted directory

15.13.1 Steps


Step 1 For fair comparison, reboot the system after Case #3

Communiation and services should be restored

Step 2 After reboot, log into Microsoft SQL server management studio and create a new database in the encrypted directory that is guarded by production policy "po_aes256" in case #2.

Call the new database "encrypted".

No issues expected

Step 3 Open the Benchmark factory, click on Wizards-> profile creation.

Afterwards select MS SQL server (ODBC), and select TPC-E, and create a new profile.

Add a new DSN. This is similar to case 3 step 4, except that you will

change the default database to point to "encrypted" database that you’ve created in step 2.

No issues expected

Step 4 During the load scenario wizard, select Benchmark Scale "6".

You also wan to add selected user load of 1, 4, 8, 10, 50, 100.

Finally click on "submit" to run job. (Check the storage to make sure that there is enough free space to run benchmark scale 6).

Benchmark factory completes successfully. Record all encrypted number for user load 1, 2, 4, 8, 10, 50, 100. Compare the numbers with baseline to make sure there is no significant performance degradation.



Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

24 |Page

15.14 Test ID : 1265 - Vendor Test 5 - DSM Unreachable



Test Name: Vendor Test 5 - DSM Unreachable Test ID: 1265


Description

Challenge and response when DSM is not reachable

15.14.1 Steps


Step 1 Log into DSM, click on Domains->Switch domain. Select the domain and click on "Switch to domain".

No issues expected

Step 2 Click on Hosts and click on the host name that has Vormetric agent installed.

Afterwards, uncheck "Communication Enabled" in the "General" tab.

Loss of communication is expected

Step 3 SSH to a linux agent or log into a Windows agent and reboot the host

Step 4 After host rebooted, login through ssh(Linux) or remote desktop (windows).

Cd to the guarded directory and perform simple "cat file"(Linux) or "type file" (windows).

Since the DSM communication is disabled, the guarded directory will not be accessible.

Step 5 Open SSH(linux) and type "vmsec challenge" to obtain a challenge string in Linux.

In Windows, right-click on the Vormetric icon in the taskbar, select "challenge" and click on "response".

A windows will pop up with challenge.

See attached screenshot for verification

Step 6 Log into DSM, switch domain, and select the host that generated the challenge.

Click on "Challenge Response" tab and input the challenge.

Response should be generated



Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

25 |Page

Click "Apply" to generate the response.

Step 7 Copy the response strings and input them back to the agent.

After entering correct response, the guard point should be accessible afterwards.

15.15 Test ID : 1266 - IOmeter tests for one volume non-encryted on vormetric Win appliance VM



Test Name: IOmeter tests for one volume non-encryted on vormetric Win appliance VM

Test ID: 1266


15.15.1 Steps


Encryption Off Ensure encryption is not configured before running sweep.

Step 1 Perform IOmeter sweep test with profile to run all io sizes 512b - 2Kb. and with different queu depth. Attach all result files to test case

document protocol, setup with diagram, excel file graph of results

15.16 Test ID : 1267 - IOmeter tests for one volume encryted on vormetric Win appliance VM



Test Name: IOmeter tests for one volume encryted on vormetric Win appliance VM

Test ID: 1267


15.16.1 Steps


Encryption On Ensure encryption is configured correctly before running sweep.

Step 1 Perform IOmeter sweep test with profile to run all io sizes 512b - 2Kb. and with different queu depth. Attach all result files to test case

document protocol, setup with diagram, excel file graph of results



Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

26 |Page

16 Testing Results

16.1 Configuration: Test ID : 1230 - VCE ISV COMMON - Vendor Appliance Live Migration (vMotion)


Test: Test Name: VCE ISV COMMON - Vendor Appliance Live Migration (vMotion)

Target Cycle: Vormetric Security Manager 5.1.1

Configuration: Execution Status:

Passed Test: Execution Status: Passed

Tester: sandra Exec Date: 9/16/2013

Type: MANUAL Time 12:36:28 PM

Name: [4184]VCE ISV COMMON - Vendor Appliance Live Migration (vMotion)

Status: Passed

16.2 Configuration: Test ID : 1233 - VCE ISV COMMON - Software Restart (Graceful)


Test: Test Name: VCE ISV COMMON - Software Restart (Graceful)






Name: [4186]VCE ISV COMMON - Software Restart (Graceful)

Status: Passed

16.3 Configuration: Test ID : 1234 - VCE ISV COMMON - Software Restart (Forced_Unexpected)


Test: Test Name: VCE ISV COMMON - Software Restart (Forced_Unexpected)






Name: [4187]VCE ISV COMMON - Software Restart (Forced_Unexpected)

Status: Passed



Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

27 |Page

16.4 Configuration: Test ID : 1235 - VCE ISV COMMON - Loss of communications


Test: Test Name: VCE ISV COMMON - Loss of communications






Name: [4188]VCE ISV COMMON - Loss of communications

Status: Passed

16.5 Configuration: Test ID : 1236 - VCE ISV COMMON - High Availability Test (Forced_Unexpected)


Test: Test Name: VCE ISV COMMON - High Availability Test (Forced_Unexpected)






Name: [4189]VCE ISV COMMON - High Availability Test (Forced_Unexpected)

Status: Passed

16.6 Configuration: Test ID : 1237 - VCE ISV COMMON - High Availability Test (Graceful)


Test: Test Name: VCE ISV COMMON - High Availability Test (Graceful)





Type: MANUAL Time 11:42:24 AM

Name: [4190]VCE ISV COMMON - High Availability Test (Graceful)

Status: Passed

16.7 Configuration: Test ID : 1240 - VCE ISV IHV COMMON - Installation


Test: Test Name: VCE ISV IHV COMMON - Installation




Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

28 |Page



Tester: emily Exec Date: 06/09/2013


Name: [4193]VCE ISV IHV COMMON - Installation

Status: Passed

16.8 Configuration: Test ID : 1241 - VCE ISV IHV COMMON - Removal


Test: Test Name: VCE ISV IHV COMMON - Removal Target Cycle: Vormetric Security Manager 5.1.1





Name: [4194]VCE ISV IHV COMMON - Removal

Status: Passed

16.9 Configuration: Test ID : 1242 - VCE ISV IHV COMMON - Documentation


Test: Test Name: VCE ISV IHV COMMON - Documentation






Name: [4195]VCE ISV IHV COMMON - Documentation

Status: Passed

16.10 Configuration: Test ID : 1261 - Vendor Test 1 - Transform Data from Clear to Encrypted


Test: Test Name: Vendor Test 1 - Transform Data from Clear to Encrypted




Tester: daniel Exec Date: 9/11/2013


Name: [4998]Vendor Test 1 - Transform Data from Clear to Encrypted

Status: Passed



Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

29 |Page

16.11 Configuration: Test ID : 1262 - Vendor Test 2 - Apply production policy after Data transformation


Test: Test Name: Vendor Test 2 - Apply production policy after Data transformation






Name: [4999]Vendor Test 2 - Apply production policy after Data transformation

Status: Passed

16.12 Configuration: Test ID : 1263 - Vendor Test 3 - Quest Benchmark Facility Test 1


Test: Test Name: Vendor Test 3 - Quest Benchmark Facility Test 1






Name: [5000]Vendor Test 3 - Quest Benchmark Facility Test 1

Status: Passed



Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

30 |Page

16.13 Configuration: Test ID : 1264 - Vendor Test 4 - Quest Benchmark Test 2


Test: Test Name: Vendor Test 4 - Quest Benchmark Test 2






Name: [5001]Vendor Test 4 - Quest Benchmark Test 2

Status: Passed



Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

31 |Page

16.14 Configuration: Test ID : 1265 - Vendor Test 5 - DSM Unreachable


Test: Test Name: Vendor Test 5 - DSM Unreachable Target Cycle: Vormetric Security Manager 5.1.1





Name: [5002]Vendor Test 5 - DSM Unreachable

Status: Passed

16.15 Configuration: Test ID : 1266 - IOmeter tests for one volume non-encryted on vormetric Win appliance VM


Test: Test Name: IOmeter tests for one volume non-encryted on vormetric Win appliance VM






Name: [5010]IOmeter tests for one volume non-encryted on vormetric Win appliance VM

Status: Passed

16.16 Configuration: Test ID : 1267 - IOmeter tests for one volume encryted on vormetric Win appliance VM


Test: Test Name: IOmeter tests for one volume encryted on vormetric Win appliance VM






Name: [5011]IOmeter tests for one volume encryted on vormetric Win appliance VM

Status: Passed



Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

32 |Page

Memory Usage during Sweep Test

Average CPU: average %CPU utilization for non-encrypted is 1.49% and encrypted is 7.52%



Tel: 613-729-1100 Fax: 613-591-3352

www.superna.net

33 |Page

17 About The Vblock Ready™ Certification Process Superna offers Vblock Ready™ Certification for third party products that integrate with the Vblock Systems. The VCE “Vblock Ready™” Certification ensures that:

The primary functionality of a product has been tested on Vblock Systems and VCE will support a customer’s decision to implement that product.

The interaction of the product does not result in any degradation of Vblock Platform performance or availability

The product has met jointly agreed upon entrance, integration, and interoperability criteria.


Vblock Ready™ Certification Test Plan Report...

Documents

Transcript of Vblock Ready™ Certification Test Plan Report...