Thales V6000 Installation And Configuration Manual Download Page 58

Page: 58 / 181

Chapter 3: DSM V6000 Hardware Appliance
Configuring a V6000 Appliance

DSM Installation and Configuration Guide

Configure the hostname

1. Navigate to the

system

menu. Type:

0001:vormetric$ system

2. Show the current setting. Type:

0002:system$ setinfo show

3. Set the hostname. You must enter the fully qualified domain name for the DSM. Type:

0003:system$ setinfo hostname

<FQDN>

Example

0003:system& setinfo hostname dsm.company.com

Note

The default host name in the output is

your. name.here

. Also, it

must

be lowercase.

Generate DSM Certificate Authority and create ACS

On completion of the preliminary configuration, you must now generate the DSM certificate authority which requires
the ACS. Read

"ACS Guidelines" on page 20

before going through the procedures in this section.

Prerequisites

Move the mode switch on the back panel of the appliance to the Operational (O) position.

WARNING

The switch must remain in the Operational (O) position at all times when using either
local or remote administration.

1. Install the client software on the laptop or PC. Instructions for how to install the TVD client software are available

in the CD and guide that came with your TVD. The software must be installed on all laptops and PCs
participating in the ACS creation. Refer to the TVD release notes for supported operating systems.

2. Connect the TVD to your laptop or PC.

3. Determine the total number of smart cards,

, you require for your Administrator Card Set (ACS).

4. Determine the quorum (K) i.e., the number of cards required to perform an administrative operation.

5. Document the ACS group for each card as well as the security officer to which a card belongs. You can also add

the passphrase and any additional information you consider useful for your situation.

The following steps display the DSM CLI commands and output when you create the certificate authority and ACS.

Generating the CA and the ACS

1. From your laptop or PC, open a DSM CLI session and log in using the CLI Administrator credentials you set here,

"Configuration tasks" on page 27

2. Start the client software on the laptop or PC.

3. Generate a new certificate authority for the DSM and create the ACS. At the prompt, type:

0012:system$ security genca

Summary of Contents for V6000

Page 1: ...Data Security Manager DSM Installation and Configuration Guide 6 4 2 Document Version 2 06 18 2020 ...

Page 2: ...all warranties and conditions with regard to the information contained herein including all implied warranties of merchantability fitness for a particular purpose title and non infringement In no event shall Thales be liable whether in contract tort or otherwise for any indirect special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of u...

Page 3: ...are Appliance 18 DSM V6100 Overview 18 Remote HSM Administration 18 Advantages 18 Requirements 19 Administrator Card Set ACS 19 Security World 19 ACS 20 ACS Guidelines 20 V6100 Operations that require the ACS 21 Configuring a V6100 Appliance 22 Configuring DSM with DHCP 22 Configure appliance with DHCP enabled 23 Configuring a DSM v6100 via Static IP Address 23 Configure appliance with static IP a...

Page 4: ...g a lost passphrase 42 Configuring IPMI 44 IPMI Ports 44 Configuring IPMI on the DSM 44 Configuring High Availability for V6100 45 Chapter 3 DSM V6000 Hardware Appliance 46 Overview 46 Configuring a V6000 Appliance 46 Configuring the DSM via DHCP 46 Configuring DSM with DHCP 46 Configure appliance with DHCP enabled 47 Configuring a DSM v6000 via Static IP Addressing 47 Configuring a DSM v6100 via ...

Page 5: ...dd the nShield Connect HSM to the DSM 65 Configuring High Availability for network HSM enabled DSM 66 Managing network HSM enabled DSM 66 Backing up and Restoring network HSM enabled DSM 67 Updating a network HSM enabled DSM Security World 68 High Availability HA Configuration for V6000 hardware appliance 68 Chapter 4 Installing and Configuring a DSM 69 Overview 69 Assumptions 70 Virtual machine h...

Page 6: ...M Cloud 87 DSM Installation on Hyper V 89 Deploying a DSM Azure Image 90 Requirements 90 Deployment Procedure 90 Configure the Hostname 91 Generating the CA 92 Pinging the DSM in Azure 92 Enabling Ping 93 Configuring an HA Cluster 93 Deploying a DSM AWS image 93 Requirements 93 Installing DSM 93 Configuring HA 95 Deploying a DSM in the Google Cloud platform 95 Obtain the DSM image for GCP Deployme...

Page 7: ...D authenticated Luna 104 Backup your Configuration 105 Break Apart the Cluster 105 Add a Luna to the Initial Node of the HA Cluster 105 Verifying the Luna status 106 Add DSM Nodes to a Luna enabled HA Cluster 107 Join a missing or bad snippet Node to an HA Cluster 108 Monitoring the Luna 109 HSM Slots 109 Upgrading a DSM attached to a Luna 110 Registering Again 110 On the DSM 110 On the Luna 110 T...

Page 8: ...pendix A Specifications Racking and Cabling for the V6000 and V6100 122 Hardware Appliance Diagrams 122 Control Panel LEDs 123 DSM Appliance features 123 Informational LEDs 124 DSM Hardware Appliance Specifications 124 Space Network and Power Requirements 125 Physical dimensions 125 External connectors 125 Power requirements 125 Data center environmental requirements 125 Appliance Rack Mount Safet...

Page 9: ...to an HA Cluster 137 Join a Node to an HA Cluster 137 Configuring High Availability for Network HSM enabled Nodes 139 Configure HA with standalone nodes 139 Configure an HA cluster with HSM enabled nodes 140 Adding a Host to a new HA node 141 Upgrading an HA Cluster 142 Prerequisite 142 Remove Nodes from the HA cluster 142 Upgrade the Initial HA node 143 Optimize the Upgrading of Nodes in the HA C...

Page 10: ... Update 154 Prerequisite 154 Upgrading the firmware 154 Reset the Firmware 154 Restore the IPMI Configuration from a Backup File 155 Server Health 155 Best Practices after IPMI is Configured 156 Replace the default certificate with a Web Server Certificate 156 Change the port through which you access IPMI 157 Change the IPMI password 158 Creating IPMI users 158 To create an IPMI user 158 Configuri...

Page 11: ...efault 169 reset bmc 169 selftest 170 version 170 Appendix D Ports 171 Ports to Configure 171 IPMI Ports 172 Appendix E Bonding Driver Modes 173 Appendix F Troubleshooting 174 Loss of Connection 174 Is the Management Console accessible 174 Check whether Agent communication ports are open from the UI 174 Reset DSM Appliance and Remove All Data 174 Reset Original Security World with Original ACS Quo...

Page 13: ...ncept that with 6 2 x and 6 3 x user is creating a new cluster they cannot upgrade a 6 1 x or lower cluster 6 4 0 v1 12 19 2019 DSM now compatible with the Luna SA password HSM and Smart cards users can create GuardPoints for Cloud Object Storage devices System admins can prevent domain admins from deleting other admins LDAP limits raised 6 4 2 v1 5 22 2020 DSM is now compatible with Luna SA PED H...

Page 14: ...GUI dialog box titles The General Preferences window opens File names paths and directories usr bin Emphasis Do not resize the page New terminology Key Management Interoperability Protocol KMIP Document titles Refer to the DSM Administrators Guide for information on how to administer your DSM Appliance quotes File extensions Attribute valuesTerms used in special senses js ext true false 0 1 1 hot ...

Page 15: ...f electrostatic damage to the module To prevent equipment damage follow suitable grounding techniques The following warning statement is used to indicate the risk of hazardous voltages of equipment HAZARDOUS VOLTAGES The warnings in this section indicate voltages that could cause serious danger to personnel Sales and Support If you encounter a problem while installing registering or operating this...

Page 16: ...rent customers to share the DSMs protection but with complete separation of administrators and the data they control l Provide continuous availability by clustering DSMs to ensure access to DSM policies and keys l Provide flexible administration via a web based management console command line interface CLI and application programming interfaces API including REST and SOAP This guide describes how ...

Page 17: ... release IPv6 addresses are supported on DSM hardware appliances However IPv6 addresses cannot be configured via the IPMI CLI To configure an IPv6 address using IPMI you must access the IPMI management console UI Although not necessary for DSM maintenance and operation some administrators may find the IPMI features useful IPMI activation and best practices are described in Appendix C IPMI on page ...

Page 18: ...Chapter 1 The Data Security Manager DSM Deployment DSM Installation and Configuration Guide Copyright 2009 2020 Thales Group All rights reserved 17 Figure 1 3 The DSM in a VTE Environment ...

Page 19: ...se the DSM supports full disk encryption for enhanced security and dynamic IP addressing via DHCP Figure 2 1 DSM V6100 hardware appliance DSM V6100 Overview The V6100 includes a FIPS 140 2 Level 3 cryptographic HSM The HSM is managed by a set of smart cards known as the Administrator Card Set ACS which are read using a card reader The DSM software provides a Remote HSM Administration feature to re...

Page 20: ...e required to carry out administrative operations for example l Initial DSM configuration specifically generating certificate authority using the DSM CLI command system security genca l Generating a certificate or Master Key rotation l Replacing the ACS These are just a few of the administrative operations that require the ACS see V6100 Operations that require the ACS on page 21 for complete list ...

Page 21: ... these guidelines to carefully select the card set l The ACS is crucial an unusable card set will prevent you from performing administrative operations that require the ACS l The ACS for the DSM s in a standalone or HA environment is created when HA node 1 is configured You must define N and K before you set up HA node 1 and you must decide whether or not to use pass phrases for each card in the A...

Page 22: ...anage the card set and to keep it well protected No single person should have access to more than one card separation of duties V6100 Operations that require the ACS The following table outlines the operations that require the smart card ACS set Once remote HSM administration is configured the mode switch located on the back panel of the V6100 appliance is moved to the operational O position and p...

Page 23: ...See Reset DSM Appliance and Remove All Data on page 174 for more information about using this command Except when upgrading from DSM software v5 3 1 to v6 0 a quorum and physical toggling of the switch are required while doing an upgrade Configuring a V6100 Appliance This section describes how to configure a new V6100 appliance with DSM software 6 4 2 Follow the procedure described in Appendix A S...

Page 24: ...uration tasks on page 27 5 Configuration tasks on page 27 6 Configuration tasks on page 27 if you choose to use this feature 7 Generate DSM Certificate Authority and create ACS on page 82 8 Configuring High Availability for V6100 on page 45 9 Add more CLI administrators optional on page 62 Configuring a DSM v6100 via Static IP Address If you do not want to want to use DHCP you can turn it off usin...

Page 25: ...uring High Availability for V6100 on page 45 11 Add more CLI administrators optional on page 62 Assumptions l Data center conditions meet the appliance racking networking and power requirements l The IP address routing configuration and DNS addresses for the DSM allow connectivity to all servers where Vormetric Encryption Agents are installed DSM Installation Checklist Use this table to collect th...

Page 26: ...ical interface for load balancing fault tolerance If configured the bond0 interface supersedes the eth0 and eth1 interfaces and must be used to access the DSM appliance DHCP Server If you choose to use static IP addressing you need the following IP address net mask default gateway optional IPMI NIC this interface comes configured with a default IP address 192 168 10 10 This interface supports DHCP...

Page 27: ...and under the network menu For example 0011 network host add hostname 192 168 1 1 SUCCESS add host 0012 network host show name localhost1 localdomain1 ip 1 name hostname domain_name com ip 192 168 10 8 name hostname ip 192 168 1 1 SUCCESS show host You must do one of the following on each DSM since entries in the host file are not replicated across DSMs o Modify the host file on the protected host...

Page 28: ...work dns switchhosts Switched hosts sources in nsswitch conf 0003 network dns show nameserver 10 3 110 224 nameserver 10 3 110 104 hosts dns files DNS show SUCCESS Configure DSM ports If a DSM is to communicate with a device behind a firewall you must open various ports in the firewall l To see the ports to configure see Ports to Configure on page 171 Configuration tasks When you configure the DSM...

Page 29: ...ress 192 168 10 10 See Configuring and Accessing IPMI on the DSM on page 146 for more information about configuring the DSM via IPMI To configure the DSM you need to access the DSM CLI through a terminal connection in the back of the DSM hardware appliance The following figure shows the various DSM appliance ports Figure 2 2 V6100 appliance ports Access the DSM Command Line Interface CLI 1 Manuall...

Page 30: ...n to previous menu exit Exit Every command has a usage and example input Type the command without a value 0039 maintenance ntpdate usage ntpdate sync add SERVER_ADDRESS delete SERVER_ADDRESS on off show 0040 maintenance date month Mar day 17 year 2015 Show system date SUCCESS 0041 maintenance time hour 11 min 11 sec 36 zone PDT Show system time SUCCESS 0042 maintenance gmttimezone usage gmttimezon...

Page 31: ...om a different subnet To configure an IP address for ETH1 type 0003 network ip address init eth1 IP address subnet mask e g 16 or 24 dev eth Example IPv4 0003 network ip address init 192 168 10 3 16 dev eth1 Example IPv6 0003 network ip address init fa01 3 15 130 64 dev eth1 System Response WARNING Changing the network ip address requires server software to be restarted Continue yes no no Type yes...

Page 32: ... to the network commands menu type network 3 Enable the bonded NIC type 0001 network ip address init ip_address subnet_mask dev bond0 Example ip address init 1 2 3 4 16 dev bond0 In the event that a bonded NIC is being configured after the initial configuration or after the DSM has been upgraded if you want to reuse an IP address that was originally assigned to eth0 or eth1 then you must delete th...

Page 33: ...and The delete command will only delete a specific IP address multiple can be assigned and flush will clear all assigned IP addresses 0003 network ip address delete ip_address subnet_mask dev bond0 or 0003 network ip address flush bond0 Routes that are associated with this bonded NIC device will also be deleted Bonding driver modes The modes specify bonding policies Some options for certain modes ...

Page 34: ...our session and will require the server software to be restarted Continue yes no no yes DHCP operations may take some time please wait SUCCESS Please restart server software to pick up the changes 0005 network Configure NTP time zone date time You must have the correct time set on your DSM server s as this will affect system functions such as agent registration log timestamps high availability clu...

Page 35: ...ing through the procedures in this section Prerequisites Move the mode switch on the back panel of the appliance to the Operational O position WARNING The switch must remain in the Operational O position at all times when using either local or remote administration 1 Install the client software on the laptop or PC Instructions for how to install the TVD client software are available in the CD and ...

Page 36: ...s Security Server This Security Server host name hostname com Please enter the following information for key and certificate generation What is the name of your organizational unit Engineering What is the name of your organization Vormetric Inc What is the name of your City or Locality San Jose What is the name of your State or Province California What is your two letter country code US What is yo...

Page 37: ...0 Remove card Module 1 slot 0 empty Module 1 Slot 0 Insert appropriate card Checking Modules and reading cards Module 1 slot 0 unknown card Module 1 slot 0 Overwrite card press Return Module 1 slot 0 Enter new passphrase Module 1 slot 1 no passphrase specified overwriting card Module 1 slot 1 Processing This process continues until you have created your N cards The following message is displayed a...

Page 38: ...has a dedicated IPMI Ethernet port that is pre configured with the IP address 192 168 10 10 The DSM IPMI Ethernet port is separate from the other two DSM Ethernet ports see the following figure Figure 2 3 IPMI Ethernet port This section describes how to configure IPMI and access the IPMI management console IPMI Ports To see which ports can be configured for IPMI on the V6000 V6100 DSM hardware app...

Page 39: ...iadmin password cliadmin123 You will be prompted to change the CLI administrator password After that you will be prompted to change the IPMI GUI login password as well The new password must be at least 8 characters long must contain at least one upper case letter one special character and one number 3 Configure the network settings See Configuration tasks on page 27 and Generate DSM Certificate Au...

Page 40: ...ns 4 Click Upload License File The Upload License File window opens 5 In the License File box enter the full path of the license file or click Browse to locate and select the license file 6 Click Ok Menu items available to you per your license will now be visible Upload a license file The first time you log on to a DSM the dashboard displays License file not found and only the Dashboard and System...

Page 41: ...commend that you set a boot passphrase Set boot passphrase Once a boot passphrase is set it is required each time the system boots The passphrase is set via the CLI and is available under the System category of commands in the security sub menu refer to the CLI chapter of the DSM Administrators Guide for details about usage If you plan to create a high availability cluster we recommend that you se...

Page 42: ...rase again WARNING After setting the new boot passphrase the system will be rebooted automatically and the new passphrase must be entered on the console If you do not have direct or IPMI access to the console then choose no to cancel DSM will not boot up until a correct boot passphrase is entered Continue yes no no yes CAUTION Save this encrypted passphrase as it is required each time the DSM rebo...

Page 43: ...GYx9e5AT5nPnPD2GAyMWM H8GOvuJvht7UzBodMA07DHNMpyMnOEsy6Nz ouWsMWhHen5JFNMXKWM9TYQ9 yr1D2cFuBsppFLV W 2McKIYuBqgeaOefzL2jr8vyyFudq6TGgTjRJe1edLDCqTJbcK100o036U0vynEsvMucps1sq0k Lpes6Zp1ud5usWngn2J2X6PrlAugHp4nMMDIRLQBgzX95x7Fb7VLebcb eIGn39KJaPU9sxEiFwl xh f6azXhHpjahwjirzfpZl0300VFYT0P9o5xg Public key used for encryption BEGIN PUBLIC KEY MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwYIf0Z04nzne9j78...

Page 44: ...ey used for encryption BEGIN PUBLIC KEY MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwYIf0Z04nzne9j78BY7 Q9kMTgh8YErtklECnVVhxExob UvAWOvSBcGDVgixpeMCywWVh8OgTIbj751PVf TI8 C gP4Rd6cdtO7fGzsYsAZxN9OCssRQlCJfCe6y6fNep3dDOh1noTFyFNTqO c3WW0gAlJ9ILPwn6uxVRgtXPgLnFfP9zNieyWmHTLw6He8BZAAYkWbESMgnA5Bo mcxdpv i 8ZODTMMo 6Ji4oYpQPa8i9Ex7qTZinl5hxjIjC8eIcUOMNdAhvslNz T6FZPJ2BEYBU6TAQpxDPLwPAQIEw1x NzcYUUfga...

Page 45: ...rnet port This section describes how to configure IPMI and access the IPMI management console IPMI Ports To see which ports can be configured for IPMI on the V6000 V6100 DSM hardware appliance see IPMI Ports on page 172 Configuring IPMI on the DSM Before you can use IPMI to configure your DSM V6000 V6100 appliance you need to configure an IP address and enable the KVM port for remote Java console ...

Page 46: ...n the resulting jnlp file to open a Java console for your DSM This Java console provides access to the DSM CLI 2 Log on to the CLI using the default CLI administrator credentials Username cliadmin password cliadmin123 You will be prompted to change the CLI administrator password After that you will be prompted to change the IPMI GUI login password as well The new password must be at least 8 charac...

Page 47: ... configuring the DSM V6000 hardware appliance with DHCP enabled or if you choose to turn it off how to configure the appliance using static IP addressing Follow the procedure described in Appendix A Specifications Racking and Cabling for the V6000 and V6100 on page 122 to install the physical appliance After installation and configuration the DSM must have connectivity to all hosts that have Vorme...

Page 48: ...bility for V6100 on page 45 9 Add more CLI administrators optional on page 62 Configuring a DSM v6000 via Static IP Addressing Setting the DSM for the V6000 uses the same method as in the V6100 Configuring a DSM v6100 via Static IP Address If you do not want to want to use DHCP you can turn it off using the CLI and assign static IP addresses to the DSM interfaces The DHCP CLI commands are availabl...

Page 49: ...ators optional on page 62 Assumptions l Data center conditions meet the appliance racking networking and power requirements l The IP address routing configuration and DNS addresses for the DSM allow connectivity to all servers where Vormetric Encryption Agents are installed DSM Installation Checklist Use this table to collect the information you need for the installation REQUIREMENT VALUE Software...

Page 50: ...dressing you need the following IP address net mask default gateway optional bond0 this interface is used when the eth0 and eth1 interfaces are aggregated into a single logical interface for load balancing fault tolerance If configured the bond0 interface supersedes the eth0 and eth1 interfaces and must be used to access the DSM appliance DHCP Server If you choose to use static IP addressing you n...

Page 51: ...SM must communicate with a device behind a firewall you must open various ports in the firewall To see the ports to configure see Ports to Configure on page 171 Configuration Tasks When you configure the DSM Appliance you must 1 Connect to the V6100 appliance on page 28 2 Access the DSM Command Line Interface CLI on the next page 3 Configure network settings on page 77 4 Configure a bonded NIC dev...

Page 52: ...Password cliadmin123 4 The license agreement is displayed type y to accept and press Enter 5 When prompted type in a new password and press Enter Reconfirm your password WARNING Do not lose this password After connecting your laptop to the DSM use the DSM Command Line Interface CLI to configure the DSM see the first few steps in Access the DSM Command Line Interface CLI above CLI commands are grou...

Page 53: ...me 0044 maintenance You must enter a submenu to execute the commands in that submenu For example the reboot command is in the system submenu you would type system and press enter to enter the system submenu then type reboot to execute the reboot command To return to the main menu when finished type up A complete description of all the DSM CLI commands can be found in the DSM Administrators Guide C...

Page 54: ...IP address configuration 4 Configure the IP address for the default gateway Type 0004 network ip route add default table main table dev eth0 or eth1 via IP address for the default gateway Example 0004 network ip route add default table main table dev eth0 via 192 168 1 5 IPv6 Example 0004 network ip route default table main table dev eth0 via fa01 3 15 120 5 Verify the interface settings Type 0005...

Page 55: ...an IP address that was originally assigned to eth0 or eth1 then you must delete that address from eth0 or eth1 first and then reassign it to the bond0 device 4 Add a default gateway for the bond0 device 0001 ip route add default table main table dev bond0 via gateway_ip_address Example ip route add default table main table dev bond0 via 1 2 7 8 If a bond0 interface is configured after setting up t...

Page 56: ...s for certain modes are configurable the transmit hash policy for bonding modes 2 and 4 and the updelay for bonding mode 6 while the others take the default values for those modes except for the miimon setting The transmit hash policy for bonding modes 2 and 4 is used for slave selection in these modes To set the transmit hash policy for mode 2 or 4 use the ip link set command for example 0004 net...

Page 57: ...server s as this will affect system functions such as agent registration log timestamps high availability cluster synchronization and certificate exchange Although configuring an NTP server is not mandatory it is strongly recommended 1 Navigate to the maintenance commands menu Type 0001 dsm maintenance 2 Show the current ntpdate settings Type 0002 maintenance ntpdate show 3 Add a new ntpdate serve...

Page 58: ...or remote administration 1 Install the client software on the laptop or PC Instructions for how to install the TVD client software are available in the CD and guide that came with your TVD The software must be installed on all laptops and PCs participating in the ACS creation Refer to the TVD release notes for supported operating systems 2 Connect the TVD to your laptop or PC 3 Determine the total...

Page 59: ...t is the name of your State or Province California What is your two letter country code US What is your email address What is the validity period of the generated certificate from 2 to 10 years 10 Regenerating the CA and server certificates now 6 You will now create your ACS CAUTION Do not set the number of cards to use in the ACS to more than the number of cards in your possession See ACS Guideli...

Page 60: ...phrase specified overwriting card Module 1 slot 1 Processing This process continues until you have created your N cards The following message is displayed after the last card is written Card writing complete security world generated on module 0 hknso f7387fed7f52625bc06b79607bb4b0afdd93a6b1 The hash value above is the same hash value that will be displayed when you create an HA node You can compar...

Page 61: ...MI Ethernet port This section describes how to configure IPMI and access the IPMI management console IPMI Ports To see which ports can be configured for IPMI on the V6000 V6100 DSM hardware appliance see IPMI Ports on page 172 Configuring IPMI on the DSM Before you can use IPMI to configure your DSM V6000 V6100 appliance you need to configure an IP address and enable the KVM port for remote Java c...

Page 62: ...long must contain at least one upper case letter one special character and one number 3 Configure the network settings See Configuration tasks on page 27 and Generate DSM Certificate Authority and create ACS on page 82 Verify Web Access After configuring your appliance you need to access the DSM Management Console from a browser to administer the DSM Open a browser and confirm access over HTTPS to...

Page 63: ...ile The first time you log on to a DSM the dashboard displays License file not found and only the Dashboard and System tabs display To upload a license 1 Click System 2 Select License 3 Click Upload the license file After uploading your license file all the other functions for which you have a license will be visible Add more CLI administrators optional 1 Navigate to the users commands menu type u...

Page 64: ...ode Connect appliance Figure 3 5 Network HSM enabled V6000 virtual DSM HA cluster The nShield Connect HSMs use the Security World paradigm to provide a secure environment for all HSM and key management operations The nShield Connect HSM has its own Security World and the DSM or DSM high availability cluster joins that Security World For more about the Security World paradigm see Security World on ...

Page 65: ...This feature is only supported on v6 0 3 or higher of the DSM firmware you must upgrade your system to this version to enable this feature See Chapter 6 Upgrade and Migration on page 112 for details about upgrading your system Note The V6000 appliance does not support network HSM l At least one nShield Connect HSM and its corresponding remote file system RFS deployed on the network The nShield HSM...

Page 66: ...quired for this step The card is only required for the first HSM device to be added to the DSM it is not required for any subsequent nShield Connect HSMs that are added 1 Navigate to the HSM category of commands type the following at the prompt 0000 dsm hsm 0001 hsm 2 Use the connect add command to add the nShield Connect HSM to the DSM Type the following command at the prompt 0001 hsm connect add...

Page 67: ...e of two ways The first way is to configure DSMs as standalone nodes and enable network HSMs for each of them in the same Security World That is all the DSMs must be configured with nShield Connect HSM s that are part of the same Security World You can now create a network HSM enabled DSM cluster in the same way as for any other DSM cluster The high level steps for to configure a network HSM enabl...

Page 68: ...s the same as for any other DSM deployment Refer to the DSM Administrators Guide chapter Backing Up and Restoring the DSM 2 Backup the nShield Connect RFS Refer to the nShield user documentation for the procedure 3 Restore the Security World data on the nShield Connect device connected to the new network HSM enabled DSM that belongs to another Security World 4 Run the connect secworldupdate comman...

Page 69: ...ample the ACS has been replaced To update the Security World on the network HSM enabled DSM 1 Open a CLI session on the DSM if this is a high availability cluster do this on all the nodes in the cluster 2 Navigate to the HSM submenu 0000 dsm hsm 0001 hsm 3 Type the following at the prompt 0001 hsm secworldupdate SUCCESS Security World data on this DSM node updated 0002 hsm You can view the DSM aud...

Page 70: ...rtual machines within a VMware environment The tar file contains the OVA file This chapter describes how to deploy the various virtual images Overview DSM supports full disk encryption for enhanced security and dynamic IP addressing via DHCP The full disk encryption feature is only available on a fresh installation of v6 0 2 or later DHCP is enabled by default on the eth0 interface on a fresh v6 0...

Page 71: ...s support l The IP address routing configuration and DNS addresses for the DSM to allow connectivity to all servers where VTE VAE Agents are installed Virtual machine hardware requirements The virtual machine must meet the following requirements Number of Agents 1 to 10 11 to 50 Over 250 Number of CPUs 2 4 4 6 RAM in GB 8 8 12 16 HD in GB for VM instance 250 250 250 above 250 Cloud instance 120 16...

Page 72: ...n detail in the DSM Administrators Guide After accepting the license agreement and changing the CLI administrators password you need to set the host name and configure an NTP server The steps are as follows 1 Assemble configuration information using the Virtual DSM Installation Checklist on the next page 2 Set up the virtual appliance see Virtual Appliance Setup on page 75 3 Specify host name reso...

Page 73: ...page 77 6 Virtual Appliance Configuration on page 77 if you choose to use this feature 7 Virtual Appliance Configuration on page 77 8 Virtual Appliance Configuration on page 77 9 Virtual Appliance Configuration on page 77 10 Virtual Appliance Configuration on page 77 11 Virtual Appliance Configuration on page 77 Virtual DSM Installation Checklist Use this table to collect the information you need ...

Page 74: ...onfigured with a default IP address 192 168 10 10 This interface supports DHCP refer to the CLI chapter in the DSM Administrators Guide for details DHCP Server If you choose to use static IP addressing you need the following IP address net mask default gateway optional HA Node 1DSM Hostname FQDN lowercase only HA Node 2DSM Hostname FQDN lowercase only Domain Name Server DNS addresses up to 3 plus ...

Page 75: ...ng on each DSM since entries in the host file are not replicated across DSMs o Modify the host file on the protected hosts Enter the DSM host names and matching IP addresses in the etc hosts file on the protected host You must do this on EACH protected host making sure to add an entry for all DSM nodes if using HA o Use IP addresses You may use IP addresses or the FQDN to identify the host simulta...

Page 76: ...enter system then enter reboot To return to the main level when finished enter up A complete description of the DSM CLI commands can be found in the Administrators Guide Virtual Appliance Setup This section describes how to deploy the DSM OVA file Note The DSM virtual appliance OVA file hardware version has been upgraded to version 9 The version 9 hardware is supported on ESXi version 5 5 or later...

Page 77: ...you just created and click the green Power On icon in the tool bar or right click the VM and select Power Power On Note It takes about a half hour to provision the VM and build the DSM 12 To watch the output as the installation progresses click the Console tab and click inside the console window The DSM eth0 interface is DHCP enabled by default For DHCP to work properly you must have a DHCP Server...

Page 78: ...you need to do the following l If your system is part of an HA deployment you need to break up the cluster this procedure is described here Upgrading an HA Cluster on page 142 l If you have any configuration information or data created after the initial setup of your DSM backup your DSM this procedure is described here Backup current DSM configuration on page 114 l Restore the system to factory de...

Page 79: ... from a different subnet To configure an IP address for ETH1 type 0003 network ip address init eth1 IP address subnet mask e g 16 or 24 dev eth Example IPv4 0003 network ip address init 192 168 10 3 16 dev eth1 Example IPv6 0003 network ip address init fa01 3 15 130 64 dev eth1 System Response WARNING Changing the network ip address requires server software to be restarted Continue yes no no Type ...

Page 80: ...ate to the network commands menu type network 3 Enable the bonded NIC type 0001 network ip address init ip_address subnet_mask dev bond0 Example ip address init 1 2 3 4 16 dev bond0 In the event that a bonded NIC is being configured after the initial configuration or after the DSM has been upgraded if you want to reuse an IP address that was originally assigned to eth0 or eth1 then you must delete...

Page 81: ...ommand The delete command will only delete a specific IP address multiple can be assigned and flush will clear all assigned IP addresses 0003 network ip address delete ip_address subnet_mask dev bond0 or 0003 network ip address flush bond0 Routes that are associated with this bonded NIC device will also be deleted Bonding driver modes The modes specify bonding policies Some options for certain mod...

Page 82: ...t your session and will require the server software to be restarted Continue yes no no yes DHCP operations may take some time please wait SUCCESS Please restart server software to pick up the changes 0005 network Configure NTP time zone date time You must have the correct time set on your DSM server s as this will affect system functions such as agent registration log timestamps high availability ...

Page 83: ... going through the procedures in this section Prerequisites Move the mode switch on the back panel of the appliance to the Operational O position WARNING The switch must remain in the Operational O position at all times when using either local or remote administration 1 Install the client software on the laptop or PC Instructions for how to install the TVD client software are available in the CD a...

Page 84: ...this Security Server This Security Server host name hostname com Please enter the following information for key and certificate generation What is the name of your organizational unit Engineering What is the name of your organization Vormetric Inc What is the name of your City or Locality San Jose What is the name of your State or Province California What is your two letter country code US What is...

Page 85: ...ot 0 Remove card Module 1 slot 0 empty Module 1 Slot 0 Insert appropriate card Checking Modules and reading cards Module 1 slot 0 unknown card Module 1 slot 0 Overwrite card press Return Module 1 slot 0 Enter new passphrase Module 1 slot 1 no passphrase specified overwriting card Module 1 slot 1 Processing This process continues until you have created your N cards The following message is displaye...

Page 86: ...aracters l Uses at least 1 upper and 1 lower case character l Uses at least 1 special character The DSM Management Console has a help icon located on the right hand side of the title bar which is located under the menu bar on each page of the Web UI Click the icon for help with tasks on a specific page Upload a license file The first time you log on to a DSM the dashboard displays License file not...

Page 87: ...re information about the Luna HSM see Luna SA HSM on page 101 DSM Installation on bare metal using IBM Cloud To install the DSM virtual appliance on a bare metal system using IBM Cloud you need to have an IBM Cloud account and your bare metal system in place before you begin Upload the DSM ISO image to the IBM Cloud NAS storage This process assumes that you have an IBM Cloud account with Cloud NAS...

Page 88: ...g the NAS hostname to get the IP address 14 Click Mount and Refresh Status Device 1 should show as mounted Make sure that you ve requested mount permission from IBM Cloud support first Otherwise you cannot mount the virtual CDROM 15 Click Save to save the information 16 Navigate to Remote Control Console Redirection and click Launch Console 17 Download and run the resulting jnlp file to open a Jav...

Page 89: ...address add 10 114 160 214 26 dev eth0 6 Add public IP Address type 0002 network ip address add 169 53 182 122 28 dev eth1 7 Add default public gateway type 0002 network ip route add default table main table via 169 53 182 113 8 Add default private gateway type 0002 network ip route add 10 0 0 0 8 table main table via 10 114 160 193 9 Clear DNS type 0002 network dns clear 10 Add DNS1 type 0002 net...

Page 90: ...t operating system for the virtual machine We recommend that you disable the Use Dynamic Memory for this virtual machine option which is enabled by default This is to prevent memory over commits 7 On the Networking page connect the network adapter to an existing virtual switch to establish network connectivity at this point A second optional switch can be added later if desired If you want to use ...

Page 91: ...re the proper deployment of a DSM Azure image Thales recommends the configuration parameters described below 1 Log on to the Azure portal with your credentials 2 From the Dashboard click Create a Resource on the upper left corner of the Azure portal 3 In the search field type Thales 4 Select the latest version of Vormetric Data Security Manager from Thales eSecurity 5 After reading the online mate...

Page 92: ...o your requirements o For Auto shutdown select Off o For Monitoring in Boot diagnostics and Guest OS diagnostics accept the default settings o For Diagnostics storage account you can choose to create an account or select an existing account if it fits your requirements o For managed Service identity click Yes to control access to the storage account 11 Click OK Review the Summary and click Create ...

Page 93: ...d be correct Press Enter to accept the name or enter the FQDN that you copied to the clipboard 3 Enter the information required to generate the certificate Answer the prompts o What is the name of your organizational unit o What is the name of your organization o What is the name of your City or Locality o What is the name of your State or Province o What is your two letter country code US o What ...

Page 94: ...in the image Note DSM does not support Amazon EBS Elastic Block Store encryption in AWS The DSM storage is already encrypted Adding EBS encryption would result in double encryption which is not feasible Requirements l Amazon Web Services AWS account with a VPC and subnet l DSM AMI template l Knowledge of the following o Creating AWS instances o Command line interface of your host operating system ...

Page 95: ...g Elastic IPs and allocating an IP address for the DSM instance o Termination protection We recommend that you enable this setting to avoid accidentally terminating a DSM instance 5 Click Next The Add Storage page displays 6 Accept the default size of 250GB or increase it per your requirements Click Next 7 Click Add Tags 8 In the Key field type Name 9 In the Value field enter a name for the DSM in...

Page 96: ...ry for every other node in the HA cluster to etc hosts Note that the hosts file will already contain an entry for the DSM from which you are working To add the host information to the etc hosts file in the CLI menu switch to the network submenu and type 0001 network host add HOST_NAME IP_ADDRESS Example 0001 network host add dsmHA1 compute amazonaws com 192 68 10 1 5 Click Copy AMI Deploying a DSM...

Page 97: ...llow the on screen prompts to create a bucket 2 For encryption option select Google managed key 3 Click Create Upload the DSM image to the GCP Storage Bucket 1 In the Cloud Storage browser click on the bucket that you just created 2 Click Upload Files 3 In the Explorer file select the DSM GCP tar file to upload and click Open Create a GCP Image Google Cloud Platform converts your DSM tar image to ...

Page 98: ...Security Manager 10 In the VM instances page your VM displays with an External IP address 11 Open a browser and type in the external IP address https External IP address Deploying a DSM to GCP through the GCP CLI After obtaining the DSM tar file from Thales technical support see Obtain the DSM image for GCP Deployment on page 95 you can as an alternative to the UI method use the GCP CLI to perform...

Page 99: ...rsion and click Forward 6 Set RAM to 4096 MB minimum CPUs to 4 minimum and click Forward 7 Name your virtual machine and select your network adapter For a bridge select Specify shared device name and enter the name for your bridge device for example br0 8 Check Customize configuration before install 9 Click Finish 10 You can now add or modify your hardware selections Add another NIC now if desired...

Page 100: ...fulvirt Then click forward Note Architecture type should already be set to x86_64 5 Browse to your qcow2 file and select it 6 Choose Linux CentOS 7 0 for the OS type version and click Forward 7 Set RAM to 4096 MB minimum CPUs to 4 minimum and click Forward 8 Name your virtual machine and select your network adapter For a bridge select it directly from the network pull down menu or select Specify s...

Page 101: ...Virtual Appliances DSM Installation and Configuration Guide Copyright 2009 2020 Thales Group All rights reserved 100 High Availability HA Configuration for Virtual Appliances See Configuring HA for V6x00 and Virtual Appliances on page 135 for procedures to configure high availability ...

Page 102: ...cessing key generation and key storage An HSM manages cryptographic keys used to lock and unlock access to digitized information over their lifecycle This includes generation distribution rotation storage termination and archival functions An HSM also engages in cryptographic processing which produces the dual benefits of isolation and offloading cryptographic processing from application servers T...

Page 103: ...clusters register to the same partition Note Thales does not recommend having multiple HA clusters registered to the same partition because it decreases fault tolerance In the PED authenticated Luna you can also have multiple clusters using different partitions on the same Luna or you can use multiple Lunas for increased fault tolerance When you add the Luna to the DSM you will have to enter the p...

Page 104: ...e steps with the second cluster Creating a Partition on the Password authenticated Luna In the Password authenticated Luna a DSM can only register to an empty unconfigured partition It registers to the partition creates a random password for the partition and stores it on the DSM Only that one DSM or DSMcluster can access that partition To create a partition on a Password authenticated Luna 1 SSH ...

Page 105: ... password 10 Repeat the previous step 5 and 6 to create the partition 11 To verify that your partition was created type lunash partition list Partition Name Objects Total Used Free 1394399181013 Luna1_Par100 0 409782 0 409782 1394399181014 Luna1_Par101 1 409782 200 409582 1394399181015 Luna1_Par102 2 409782 400 409382 1394399181016 DSM51005 0 409782 0 409782 Creating a Partition on the PED authent...

Page 106: ... backup of your system You will not have to restore the configurations for any other DSM in your cluster When that DSM synchronizes with the initial node the initial node overwrites everything so that the cluster nodes are peers For more information see the chapter entitled Backing Up and Restoring in the DSM Administration Guide Break Apart the Cluster Before you can add a Luna to a DSM cluster y...

Page 107: ... DSM A warning displays WARNING All Peer node and agent certificates will need to be re signed after CA and server certificates are regenerated The security server software will be restarted automatically 10 To continue type yes 11 Enter the host name of the initial node If the name is already correct hit Enter o This Security Server host name DSM08648 i thales com 12 Enter the following informati...

Page 108: ...commands Note When adding a Luna to a DSM cluster you must be consistent with your naming convention If you use the hostname of the DSM when adding the first Luna then you must use the hostname when adding the remaining DSMs in the cluster Likewise if you use the IP address for the first DSM you must use the IP address for the remaining DSMs To add subsequent nodes 1 Log in to the CLI menu of your...

Page 109: ...Initial_Server dsm95459 i thales com CAs_ Fingerprint 2F C3 56 00 22 6D 8C 71 4A 3B D8 39 09 62 23 18 A0 FF 77 6D 6 At the prompt enter the administrator name for the Initial Security Server system this is the node that you just connected to the Luna 7 At the prompt enter the DSM administrator password for the Initial Security Server system 8 To continue type yes 9 Enter the IP address or host nam...

Page 110: ...M cluster Monitoring the Luna To monitor the Luna type 0011 hsm status HA auto recovery enabled HA recovery mode activeEnhanced Maximum auto recovery retry 500 Auto recovery poll interval 60 seconds HA logging disabled Only Show HA Slots yes HA Group Label g30606 HA Group Number 11394399181044 HA Group Slot ID 4 Synchronization enabled Group Members 1394399181044 Needs sync no Standby Members none...

Page 111: ...ation 0002 hsm Upgrading a DSM attached to a Luna When you upgrade the initial DSM that is attached to the Luna HSM you do not have to detach the DSM from the Luna They can stay connected The upgrade does not affect it at all Registering Again On the DSM If you need to register the Cluster to the same Luna SA again delete the Luna appliance from the DSM s local config Type 0001 hsm luna delete hos...

Page 112: ...Cluster is registered to then you need to delete the original partition At the Luna type lunash partition delete partition partitionName Logs When a Luna in a DSM cluster is down or not accessible no audit logs syslogs email notifications are generated on the DSM Therefore to ensure proper notification for issues configure syslog on the Luna Refer to the Luna documentation for information on confi...

Page 113: ...efore the upgrade to the version of the software in use before the upgrade Overview The software on a DSM appliance can always be upgraded to the next immediate release version In some cases upgrades to a higher version while skipping an intermediate releases is also possible In a scenario that involves a platform change it is called a migration A migration is also when you upgrade the DSM hardwar...

Page 114: ... appliances to V6x00 appliances Migrating from DSM v6 1 0 9229 to DSM 6 4 2 You must migrate to DSM v6 4 2 due to database improvements It is not an upgrade As a result the following conditions exist l You can only migrate from DSM v6 1 9229 or a later version to DSM v6 4 2 If you have a version that is lower than DSM v6 1 9229 upgrade to DSM v6 1 9229 first then migrate to DSM v6 4 2 l After migr...

Page 115: ...re page with a message saying that you can proceed with creating a backup You must export this wrapper key in order to use it 1 Select Export from the Operation menu to export key shares 2 Set a number for both the Minimum Custodians Needed and the Total Number of Custodians This setting splits the wrapper key value among multiple custodians o Minimum value required for Minimum Custodians Needed 2...

Page 116: ...ware that supports the upgrade path you want to follow Note As of release v6 0 3 the DSM supports nShield Connect integration to make the DSM V6000 or virtual DSM a network HSM enabled DSM See nShield Connect Integration on page 63 for details Upgrading a Single Node Deployment Note If you are upgrading from DSM v6 1 x or an earlier version then upgrade each node as a single node After which you w...

Page 117: ...configuration on page 114 for detailed procedures 2 Turn off the old hardware appliance and take it off the network You must turn off the old DSM hardware appliance and remove it from the network before you restore the DSM to the new hardware appliance otherwise any registered agents will try and communicate with both the old DSM and the new DSM and cause conflicts in your system 3 Configure the V...

Page 118: ...need to plan maintenance windows for the following tasks l Upgrading DSM software if this is part of a cluster each node will have to be upgraded l Enabling remote administration requires installing a KLF2 warrant from Thales Support which takes up to 24 hours to obtain l Replacing the ACS if this is part of a cluster you need to enable remote administration on each of the nodes and this requires ...

Page 119: ...36fd28364592587c66c36551a25da1df37073f4001d6325d5f6877ab4ebc2f805ffd54ebf000000bb 000000 Enter the contents of the warrant file copy and paste followed by a blank line or just press Enter to abort Copy and paste the contents including the ESN and the content of the CSR file and email it to Support support vormetric com You will receive the signed warrant within 24 hours 5 Copy the contents of the ...

Page 120: ... replace ACS procedure if you lose a card from the smart card set or if a card is compromised or corrupted If you have a DSM backup created using the old card set you should retain that old card set in case you want to restore the backup in which case do not erase the old card set when prompted during the replaceacs procedure ACS replacement guidelines l Obtain a set of blank cards equal to N l Yo...

Page 121: ...address and click Connect 4 Select the Electronic Serial Number ESN of the HSM from the Choose HSM screen click Next The Remote Administration Client displays if you have inserted a card into the reader TVD or not 5 Insert a card into the TVD the Card Inserted column displays Yes click Next 6 Click the green OK button on the TVD to confirm the HSM ESN If you take more than a minute to do this step...

Page 122: ...ge 115 3 Enable remote administration on the initial node and obtain a warrant see Obtain a warrant on page 117 4 Replace the ACS see Replacing the ACS on page 119 5 Upgrade the other nodes same as step 2 above 6 Enable remote administration on the other nodes as in step 3 above 7 Recreate the cluster See the HA chapter for more information Note Remote administration is also available for DSM V600...

Page 123: ...5 Rack Mounting the Appliance 126 Rack Mounting Instructions 128 Installing and Connecting Cables 133 This chapter provides the V6000 V6100 hardware appliance specifications and installation instructions Hardware Appliance Diagrams Figure A 1 Front view of DSM hardware appliance with bezel WARNING The DSM appliance is covered with three FIPS tamper evident stickers Removing or damaging the sticker...

Page 124: ...M Appliance features Number Description 1 Power Button Used to apply or remove power from the power supply to the server system Turning off system power with this button removes the main power but keeps standby power supplied to the system Therefore you must unplug system before servicing 2 Reset The reset button is used to reboot the system 3 Power LED Indicates power is being supplied to the sys...

Page 125: ...ote UID is on Use this function to identify the server from a remote location DSM Hardware Appliance Specifications Specification Description Chassis 1U rack mountable 17 wide x 20 1 2 long x 1 75 high Weight V6000 21 5 lbs 9 8 kg V6100 22 lbs 10 kg Memory 16GB Hard Drive Seagate Savvio 600GB mirrored Serial Ports 1 Ethernet 2 x 1GB IPMI 1 x 100Mb Power Supplies 2 removable 80 certified 100VAC 240...

Page 126: ... back panel Data center environmental requirements The table below lists the required environmental conditions for the DSM Condition Range Maximum BTU 410 BTU max Operating temperature 10 to 35 C 50 to 95 F Non operating temperature 40 to 70 C 40 to 158 F Operating relative humidity 8 to 90 non condensing Non operating relative humidity 5 to 90 non condensing Table A 2 Environmental conditions for...

Page 127: ... the chassis itself shows damage file a damage claim with the carrier Decide on a suitable location for the rack unit that will hold your chassis Choose a clean dust free well ventilated area Avoid areas where heat electrical noise and electromagnetic fields are generated Placed near a grounded power outlet Preparing for setup The box your chassis was shipped in includes two sets of rail assemblie...

Page 128: ...d or multi unit rack assembly the ambient operating temperature of the rack environment may be greater than the ambient temperature of the room Therefore consideration should be given to installing the equipment in an environment compatible with the manufacturer s maximum rated ambient temperature Tmra Reduced Airflow Equipment should be mounted into a rack so that the amount of airflow required f...

Page 129: ...f the rack l If the rack is provided with stabilizing devices install the stabilizers before mounting or servicing the unit in the rack Rack Mounting Instructions This section provides information on installing the V6000 V6100 chassis into a rack unit with the rails provided There are a variety of rack units on the market which may mean the assembly procedure will differ slightly You should also r...

Page 130: ...ghts reserved 129 Figure A 5 Identifying the Sections of the Rack Rails Locking tabs Both chassis rails have a locking tab The tabs lock the server into place when installed and pushed fully into the rack These tabs also lock the server in place when fully extended from the rack This prevents the server from coming completely out of the rack when you pull it out for servicing ...

Page 131: ...the inner rail extension to stabilize the chassis within the rack If you are not using a rack you do not have to install the inner rail extensions Installing the inner rails 1 Place the inner rack extensions on the side of the chassis aligning the hooks of the chassis with the rail extension holes Make sure the extension faces outward just like the pre attached inner rail 2 Slide the extension tow...

Page 132: ... between 30 inches and 33 inches Installing the outer rails to the rack 1 Attach the short bracket to the outside of the long bracket You must align the pins with the slides Also both bracket ends must face the same direction 2 Adjust both the short and long brackets to the proper distance so that the rail fits snugly into the rack 3 Secure the long bracket to the front side of the outer rail with...

Page 133: ...nto the locked position 4 Optional Insert and tightening the thumbscrews that hold the front of the server to the rack CAUTION The rack stabilizing mechanism must be in place or the rack must be bolted to the floor before you slide the unit out for servicing Failure to stabilize the rack can cause the rack to tip over Figure A 9 Installing into a rack Note Figures are for illustrative purposes onl...

Page 134: ...B 9 RS 232 connector See Configuration tasks on page 27 The serial console port provides a direct connection to the DSM hardware appliance By default the serial console interface is always accessible and it can always be relied on to communicate with the DSM Communication with the appliance is done through the DSM CLI after making a terminal connection The serial console is used to configure the a...

Page 135: ...on tasks on page 27 The eth0 interface comes pre configured from the factory The eth1 interface is not configured and is disabled by default You can access the DSM appliance immediately after bootup via a Secure Shell Protocol SSH connection The default IP address of the eth0 network interface is eth0 192 168 10 1 If you want to connect to the DSM via Ethernet manually set the IP address for the l...

Page 136: ...that if you are migrating from 6 1 x or an earlier version then you can t upgrade or migrate You have to create a new cluster Note If you are migrating from an HA cluster that is DSM v6 1 x or an earlier version then you cannot upgrade or migrate your cluster to 6 2 x or 6 3 x You must create a new cluster See Migrating from DSM v6 1 0 9229 to DSM 6 4 2 on page 113 for more information Supported H...

Page 137: ...HA nodes For Azure and AWS platforms you will need to add this port to your security groups You can now close port 50000 as it is no longer used 3 Perform a ping operation on all of the DSMs to ensure that network communication is working between the DSM HA nodes Network Latency If the network latency between the HA nodes exceeds 100ms you may experience delays in HA replication especially if you ...

Page 138: ... node 6 Click Ok The DSM node is listed in the High Availability Servers window It is designated as Not Configured Figure B 1 Node added but not configured joined to the cluster Note You can also add nodes in the CLI See the High Availability Category section in the CLI chapter in the DSM Admin guide Join a Node to an HA Cluster Joins the current node to the HA cluster If you are joining an HA clu...

Page 139: ...rity Server host name dsm15100 i vormetric com Please enter the following information for key and certificate generation 5 The HA cluster will issue the certificate using the information you provide in the following steps e What is the name of your organization f What is the name of your City or Locality a What is the name of your organizational unit b What is the name of your State or Province c ...

Page 140: ...vailability HA for network HSM enabled DSM Thales recommends the following l Configure at least two nShield Connect appliances in the Security World for fault tolerance This means that in the event that one of the appliances is not reachable the Security World is still available Refer to the nShield Connect user documentation for a description of procedures to configure an nShield Connect HSM Note...

Page 141: ...8 3 18 192 168 3 4 A warning displays informing you that once this DSM is converted to a network HSM enabled appliance it cannot be rolled back d Type yes to continue The DSM is restarted if the operation is successful e Follow the prompts to add the nShield Connect appliance to the DSM f To view the nShield Connect that has been added type 0002 hsm connect show g If there are more nShield applian...

Page 142: ...ster and cannot wait for that node to restart you can manually move the host to another node To move the hosts 1 On the DSM click High Availability 2 Click on the Name of the node to which you want to move the Agent s 3 Click Host Assignment 4 Click Add The Details page opens and displays all of the Agents connected to the HA cluster Figure B 2 Host Assignments for HA Server 5 Select and click OK ...

Page 143: ...ack into it the host s are reassigned to the same node Prerequisite l Backup your current DSM configuration as described above Backup current DSM configuration on page 114 Note If synchronization is in progress anywhere in the HA cluster wait until it completes before upgrading each of the nodes in the cluster Remove Nodes from the HA cluster Breaking up the HA cluster involves removing the nodes ...

Page 144: ... DSM HA cluster see Configuring High Availability for network HSM enabled DSM on page 66 Optimize the Upgrading of Nodes in the HA Cluster The initial node is the only node that needs to be upgraded This ensures that all of the content of the node policies admins domains keys reports logs etc will be saved However an upgrade is unnecessary for the other nodes in the cluster because all of the cont...

Page 145: ...t to a different Node with the CLI To move the hosts to a specific HA node type 0001 ha remove node1 reassignhost node2 Example 0001 ha remove dsm15099 i vormetric com reassignhost dsm15100 i vormetric com To make the DSM move the hosts to HA nodes and evenly distribute the load type 0001 ha remove node1 reassignhost rr Example 0001 ha remove dsm15099 i vormetric com reassignhost rr System Respons...

Page 146: ...o Leave hosts unassigned after deletion of node Click Delete See Deleting a Node from a Cluster with Hosts assigned on the previous page o Let DSM assign hosts to available nodes in the cluster before deleting node Click Delete The DSM evenly distributes the hosts to balance the load in the HA cluster o Assign hosts to a specific node before deleting node Click Delete 4 When you select this last o...

Page 147: ...t practices will reduce the probability of these security issues occurring l IPMI requires a browser with Java 7 or higher Enable Java Network Launch Protocol JNLP and Java content in the browser to use the keyboard video mouse KVM for the remote console In Windows you also must install Java JRE l Disable IPMI services if not needed Disconnect the IPMI port at the back of the DSM hardware applianc...

Page 148: ...h enabled for IPMI IPv6 will not work for HTTPS The workaround is to either disable HTTP or use IPv4 instead of IPv6 To configure the IPMI IP address 1 Access the DSM CLI and log on to the CLI console 2 Enter the ipmi submenu type 0011 vormetric ipmi 0012 ipmi 3 Set the IPMI IP address using the command ip set type 0012 ipmi ip set ip address 4 Set the IPMI net mask using the command mask set net ...

Page 149: ...s This feature allows you to configure the network settings 1 Select Configuration Network to display the Network Settings 2 Enter a hostname for the DSM 3 If you want to obtain an IP address through DHCP select the first radio button If you want to use a static IP address select the second radio button and manually enter appropriate information in the IPvX fields Note It is set to static as the d...

Page 150: ...condary NTP server 6 Select the daylight saving time DST option for the time to automatically adjust during DST 7 Click Refresh to display the current date time 8 Click Save to save the entries Configuring Date and Time Settings with NTP Disabled Follow the instructions below to set date and time manually 1 In the Configuration submenu select Date and Time to set the date and time settings 2 Selec...

Page 151: ...s F W Update View Only View Only Full Access SDR Update View Only Full Access Full Access Logout Full Access Full Access Full Access To create users and assign privileges 1 Click Configuration Users 2 To add a new user to the network select an empty slot from the users list 3 Click Add User 4 Enter the following information a User Name b Password c Confirm password d Network Privileges 5 To modify...

Page 152: ...mance 3 Click Save Remote Control Remote control allows you to carry out activities and perform operations on a remote server through remote access such as accessing the DSM CLI There are three options for remote control l Console Redirection It opens the Java console so that you can access the CLI to configure settings l Power Control Displays and executes the power options of the remote system i...

Page 153: ...SM This option is only available if the DSM is not currently powered on o Power Cycle Server Select this option to simulate an AC power cycle The DSM powers off then powers on after a couple seconds Note Power cycling the DSM through IPMI is not the same as an actual power cycle Standby power is still available 3 Click Perform Action to perform the selected option Using Active Directory with IPMI ...

Page 154: ...teps 5 9 for all other roles groups needed Configuring LDAP Server 1 On the LDAP server create an OU organizational unit that you will use for LDAP 2 Create users in that OU that have a permission attribute H number where the number can be from 1 4 and the permission levels are as follows o 4 Administrator o 3 Operator o 2 User o 1 Callback Configuring LDAP Settings on IPMI 1 Click Configuration L...

Page 155: ...firmware image 7 Uncheck Preserve Configuration and Preserve SDR so that the firmware and TLS update properly 8 Click Start Upgrade to begin upgrading the firmware 9 Once the package has been fully installed a prompt displays stating to wait 1 minute while the BMC module is restarted Click OK WARNING To properly upgrade your firmware do not interrupt the process until the process is completed Once...

Page 156: ...set factorydefault 4 When the warning message displays type yes Do you want to load IPMI factory default It takes about 100 seconds to load Warning IPMI IP address will reset to default 192 168 10 10 and IPMI users will get deleted yes no no SUCCESS Reset to factory default with IP 192 168 10 10 and default username and password 5 After resetting the factory default settings you must restore the I...

Page 157: ...ort through which you access IPMI on the next page l Change the IPMI password on page 158 l Creating IPMI users on page 158 l Restrict inbound traffic to IPMI through IP Access control on page 160 l Reset Default Configuration Settings on page 160 Replace the default certificate with a Web Server Certificate Replace the default IPMI certificate to make your system more secure To replace the certif...

Page 158: ...ystore Change the port through which you access IPMI By default you can only access the IPMI management console through HTTPS The default port for HTTPS is 443 Changing the default port from 443 will present an obstacle to potential hackers If you change the https port for example to 59841 you will have to add it to the IPMI URL For example instead of accessing IPMI using https 10 3 45 45 you will...

Page 159: ...r show User ID IPMI user ID User Name IPMI user name up to 15 characters Privilege Level Administrator Operator or User In this example there is only on administrator the default The IPMI user ID is 2 and the IPMI user name is ADMIN and the privilege level is Administrator Using the DSM CLI you can use any of the unused user IDs from 3 to 8 In this example we ll use User ID 3 2 Choose a user name ...

Page 160: ...ipmi user modified The new password must be at least 8 characters long must contain at least one upper case letter one special character and one number where 4 administrator 3 operator 2 user 1 callback Configuring Alerts You can configure IPMI to send alert notifications about hardware events on the DSM appliance To receive email alerts you will need to configure your SMTP server in the IPMI GUI ...

Page 161: ... allows you to grant access to a specific IP address or a range of IP addresses For example if you wanted to specify a range of IP addresses from 192 168 0 1 to 192 168 0 126 you would enter 192 168 0 1 25 5 From the policy dropdown menu select Accept to allow access for the IP address es entered above Select Drop to deny access Note The Number of Access Rules displays the maximum number of IP Acc...

Page 162: ...l appliance or hardware appliances earlier than V6000 V6100 Command Description ip Set delete or show ip address of machine using IPMI mask Set delete or show subnet mask of machine using IPMI gateway Set delete or show gateway of machine dhcp Enable disable show DHCP disable Disable IPMI network access port Enable disable status IPMI ports user Add show or delete user Also change password and pri...

Page 163: ...ess Setting the IP address automatically sets the mask to 16 bit mask Syntax ip set ip_address The following example sets the IPMI network interface IP address 0001 vormetric ipmi 0002 ipmi ip set 10 3 99 77 IP 10 3 99 77 SUCCESS ip set ip delete Delete the IPMI IP address This sets the IP to 0 0 0 0 Syntax ip delete The following example deletes the IPMI network interface IP address 0002 ipmi ip ...

Page 164: ... the IP address mask command elements mask set Set the subnet mask for the IP address Syntax mask set subnet_mask 0001 vormetric ipmi 0002 ipmi mask set 255 255 0 0 Subnet Mask 255 255 0 0 SUCCESS subnet mask set mask delete Set the subnet mask for the IP address to 0 0 0 0 Syntax mask delete Example 0002 ipmi mask delete Subnet Mask 0 0 0 0 SUCCESS subnet mask delete mask show Show the subnet mas...

Page 165: ...xample 0001 vormetric ipmi 0002 ipmi gateway set 10 10 79 254 Gateway 10 10 79 254 SUCCESS gateway set gateway delete Use the gateway delete command to delete the IPMI gateway Syntax gateway delete Example 0002 ipmi gateway delete Gateway 0 0 0 0 SUCCESS gateway delete gateway show Use the gateway show command to show the IPMI gateway Syntax gateway show Example 0003 ipmi gateway show Gateway 0 0 ...

Page 166: ...able IPMI network port Enable disable or check the status of the IPMI port The default ports are https 443 keyboard video mouse kvm 5900 vmedia 623 web 80 IPMI users can change the port numbers but the service will still get enabled or disabled with the same command DSM CLI IPMI category port command elements Command Description enable Enable IPMI port disable Disable IPMI port status Show IPMI po...

Page 167: ...letes users Also changes user password and privilege level See Creating IPMI users on page 158 for more details The user command includes the following elements DSM CLI IPMI category Command Description add Add an IPMI user delete Delete an IPMI user show Show the IPMI users password Change the IPMI user password level Set the IPMI user privilege level user command elements user add Add an IPMI us...

Page 168: ...ecial character are also required Syntax user password userID Example 0002 ipmi user password 3 Enter new password Enter password again SUCCESS user password modified user delete Delete user Syntax user delete userID Example 0003 ipmi user delete 4 user show Use user show to show the IPMI users Syntax user show Example 0003 ipmi user show User ID User Name Privilege Level Enable 2 ADMIN Administra...

Page 169: ...ne module Syntax psinfo Example 0001 ipmi psinfo SlaveAddress 78h Module 1 Item Value Status STATUS OK 00h AC Input Voltage 116 5 V AC Input Current 0 34 A DC 12V Output Voltage 12 00 V DC 12V Output Current 2 25 A Temperature 1 27C 81F Temperature 2 34C 93F Fan 1 5472 RPM Fan 2 0 RPM DC 12V Output Power 26 W AC Input Power 36 W PMBus Revision 0x8B22 PWS Serial Number P406PCE24AT1144 PWS Module Nu...

Page 170: ... 192 168 10 10 mask 255 255 0 0 gateway 0 0 0 0 ADMIN will be the only user left with default password ADMIN All others users are deleted Also disables DHCP and sets the IPMI to a dedicated non share port Syntax reset factorydefault Example reset factorydefault System Response Do you want to load IPMI factory default It takes about 100 seconds to load Warning IPMI IP address will reset to default ...

Page 171: ...e Copyright 2009 2020 Thales Group All rights reserved 170 selftest Test that the BMC chip is working Syntax selftest Example selftest Selftest Passed SUCCESS ipmi selftest version Show IPMI version Syntax version Example version Firmware Version 08 55 SUCCESS ipmi show version ...

Page 172: ...n HA cluster and for LDT registration 1792 TCP DSM network HSM DSM communication with Luna HSM 5432 TCP DSM HA node 1 DSM HA node n HA information exchange 5696 TCP KMIP client DSM Allows communication between the KMIP client and DSMs 7025 TCP UDP DSM DSM Uses SNMP to get HA node response time 8080 TCP Agent DSM DSM DSM Port 8080 is no longer used for registration but you can manually close open t...

Page 173: ...th ECC compatible mode 9004 TCP DSM network HSM DSM communication with nShield Connect and its associated RFS 9005 TCP DSM remote admin Used by Remote Administration Service process to accept connections from the Remote Administration Client Table D 1 Ports to Configure continued IPMI Ports The following table lists all of the IPMI ports that you can configure Port Protocol Communication Direction...

Page 174: ... all slave interfaces No Yes 4 802 3ad IEEE 802 3ad Dynamic link aggregation Creates aggregation groups that share the same speed and duplex settings Utilizes all slaves in the active aggregator according to the 802 3ad specification Yes Yes 5 balance tlb Adaptive transmit load balancing channel bonding that does not require any special switch support The outgoing traffic is distributed according ...

Page 175: ...e Network Diagnostic checkport tool in the Management Console or CLI to check those ports 2 Refer to Ports to Configure on page 171 for information about ports that need to be configured Reset DSM Appliance and Remove All Data The config reset command removes all configuration data added after the current DSM software is installed This command is available on both appliance based and software only...

Page 176: ...mpt to return to the main menu 2 Type system to access the System category sub menu 3 To generate the CA type 0004 system security genca System Response WARNING All Agents and Peer node certificates will need to be re signed after CA and server certificate regenerated and the security server software will be restarted automatically Continue yes no no yes 4 The following message displays Read it en...

Page 177: ... keys and signer certificates done Generating server private key done You may now remove the smart card from the reader Creating and signing the server certificates done CA and Server certificates have been generated successfully JBoss vault keystore password have been completed successfully Self test in progress passed SUCCESS The CA and security certificates are re generated and the Security Ser...

Page 178: ... new Security World Have the new set of cards available for this step For information about the ACS and best practices see Administrator Card Set ACS on page 19 Follow the instructions on the screen There is an existing Security World Would you like to reuse it yes no no no Enter the total number of cards N you would like to use in your Administrator Card Set ACS Note The system can handle at most...

Page 179: ...tes are re generated and the Security Server software is restarted 00053 system The DSM appliance is now ready to use with the new Security World For procedures to restore a backup of your previous configuration refer to the DSM Administrators Guide CAUTION Restoring a backup of the previous configuration will restore the old Security World and the new one just created will be destroyed Chassis Is...

Page 180: ...ot have a PS 2 keyboard attached This is not a hardware failure so DOES NOT require an RMA If the following message is observed on boot up it means the following Some configured disks have been removed from your system or are no longer accessible Please check your cables and also ensure that all disks are present Press any key to continue or C to load the configuration utility Contact Technical Su...

Search results

Summary of Contents for V6000

Reviews:

Related manuals for V6000

Brands by name

Popular brands

Thales V6000, Installation And Configuration Manual

Search results

Summary of Contents for V6000

Reviews:

Related manuals for V6000

Brands by name

Popular brands