ET0010A ET0100A ET1000A ET10000A

EncrypTight Installation Guide

The EncrypTight™ Manager Installation Guide provides detailed information on how to install and configure EncrypTight Manager software.

BLACK BOX ®

Customer Support Information
Order toll-free in the U.S.: Call 877-877-BBOX (outside U.S. call 724-746-5500)
FREE technical support 24 hours a day, 7 days a week: Call 724-746-5500 or fax 724-746-0746
Mailing address: Black Box Corporation, 1000 Park Drive, Lawrence, PA 15055-1018
Web site: www.
Table Of Contents

About This Document
EncrypTight Manager 3.3 Installation Options
Virtual Machine Options
EncrypTight-Manager-3.3-standalone
EncrypTight-Manager-3.
Procedure 0. Copying drives with dd (only for non-RAID systems!!!!)
Procedure 1. Backing up the entire filesystem
Procedure 2. Restoring the complete filesystem, including the OS
Procedure 3. Backing up the ETM software and data
Procedure 4. Restoring the ETM software and data
Preface

About This Document

Purpose
The EncrypTight Manager Installation Guide provides detailed information on how to install and configure EncrypTight Manager software.

Intended Audience
This document is intended for network managers and security administrators who are familiar with setting up and maintaining network equipment. Some knowledge of network security issues and encryption technologies is assumed.

Black Box Corporation
1000 Park Drive
Lawrence, PA 15055-1018
email: info@blackbox.com

Contacting Customer Support
Technical support services are accessible through the Black Box support center.
US (toll free): 1-877-877-BBOX
International: outside U.S. call 724-746-5500
Email: info@blackbox.com
Web: www.blackbox.
EncrypTight Manager 3.3 Installation Options

Virtual Machines
• EncrypTight-Manager-3.3-standalone
• EncrypTight-Manager-3.3
  • single server
  • cluster high availability
  • single server disaster recovery

Hardware
• EncrypTight-Manager-3.3
  • single server
  • cluster high availability
  • single server disaster recovery

We will be using RedHat kickstart technology to install directly to hardware and to build the Virtual Machines.

EncrypTight-Manager-3.3
• Available in 32 and 64 bit architectures
• Expects to be run in an environment where the VM has at least 2GB of RAM and 40GB of disk
• This virtual machine is set up so that when it first boots it will initialize the operating system for use by EncrypTight Manager. It will not be fully configured until there is some user interaction to finish the installation options of EncrypTight Manager.
Firewall Information

Servers in a cluster must have the following ports available:

TCP: 21, 2221, 22, 80, 8080, 443, 8443, 8764, 5432, 47788, 47799
UDP: 45588, 46688, 45599, 46699

NOTE: These ports are made available by default.

Installation Examples

Single Server Install
Either deploy the EncrypTight Manager virtual machine using management software such as VMware vSphere or power on the ETM server hardware.

Figure 1 EncrypTight Manager Console view

Configuring Networking Parameters
Once the machine is running, you can configure networking parameters. This includes assigning a static IP address, netmask, and gateway address.

To configure an IP address and netmask:
1 Click in the console window to activate it.
2 Use the arrow keys to highlight Configure Network and press Enter.
3 At the Network Configuration Main Menu, type 6 and press Enter.
4 Type 1 and press Enter to exit the menu.

Note that you can use the same menu to assign a hostname, specify a DNS server, set up a proxy server, or view the current networking configuration.

Running the Installation Script
Once the virtual machine has been deployed and networking parameters are configured, you need to run a script to specify the type of installation you are setting up.
• Modify the /opt/scripts/policyserver-init.conf and set the following. Emacs, nano, and vi are available on the OS.

    ########################################################################
    #######                    Cluster options                       #######
    #
    ## for a clustered installation node1 and node2 must be set the same
    ## on each of the hosts in the cluster, same ordering
    node1=192.168.80.1
    node2=192.168.80.2
    #
    # clusterJdbcMcast=229.10.10.10
    # clusterMcast=228.10.10.

NOTE: Support for a crossover cable connection between node1 and node2 has been added in the hardware cluster installation.

    ########################################################################
    #######                    Cluster options                       #######
    #
    ## for a clustered installation node1 and node2 must be set the same
    ## on each of the hosts in the cluster, same ordering
    node1=192.168.80.1   - THE IP OF NODE 1
    node2=192.168.80.2   - THE IP OF NODE 2
    #
    # clusterJdbcMcast=229.10.10.

Disaster Recovery Option
If this cluster is going to have a disaster recovery site assigned to it then you need to modify the following section of the /opt/scripts/policyserver-init.conf:

    ########################################################################
    #######               Disaster Recovery options                  #######
    #
    ## When this server will use a disaster recovery site set the following:
    heartbeatEnabled=true
    disasterEnabled=true
    disasterHost=192.168.80.

Ordering of actions is important. You should install in the following steps:
1 Power on both servers
2 Assign IP to server #1
3 Assign IP to server #2
4 Make sure that server #1 can see server #2 on the network
5 Run /etc/init.d/policyserver-install on server #1 (same order of IP addresses on both)
6 IMPORTANT: WAIT for server #1 to fully complete the install and startup
7 Run /etc/init.

    ## comma separated list of hosts to check
    # heartbeatHosts=
    #
    #
    ########################################################################

Run the installation script on the Main site:

    /etc/init.d/policyserver-install

Disaster Recovery Site
• Assign an IP to the DR site installation.
• Modify the /opt/scripts/policyserver-init.conf and set the following. Emacs, nano, and vi are available on the OS.

NOTE: The heartbeatHosts IP should be the IP of the Main Site server.
EncrypTight Manager Upgrade of an Existing ETM Instance

    > /etc/init.d/policyserver stop

Once that is down you can see that the disaster recovery picks up rekeys by viewing the DR logs on the DR Machine:

    > tail -f /opt/jboss/server/policyserver/log/server.log

To bring the Main Site back up use the init.d script again on the Main Site machine:

    > /etc/init.

Optional - Verify the downloaded upgrade bin file.
• Download and scp the public key pubkey.txt over to the ETM server.

    # scp pubkey.txt root@192.168.X.X:/opt/upgrade/

• Scp the external signature for the upgrade bin:

    # scp policyserver-upgrade-.bin.asc root@192.168.X.X:/opt/upgrade/

• Import the public key and verify the upgrade bin:

    # cd /opt/upgrade
    # gpg --import pubkey.txt
    gpg: directory `/root/.gnupg' created
    gpg: new configuration file `/root/.gnupg/gpg.

    *************************************************************************
    ********  UPGRADE: Examining System, Please Wait...
    *************************************************************************

    *************************************************************************
    ********
    ********  UPGRADE WARNING
    ********
    ********  This will upgrade from: 3.1.3451 to 3.2.

    Finished server backup
    Running through the upgrades available
    ***********************************************************************
    Performing upgrade to 3.1
    Application upgrade...
    upgrade ../../common/ear/cipher.ear /opt/jboss/server/policyserver/deploy/
    upgrade jbossweb.jar /opt/jboss/server/policyserver/deploy/jbossweb.sar/
    Database upgrade...
    Finished upgrade to 3.

    Upgrading the policyserver-init.conf
    Upgrading the database schema sql
    Upgrading the system scripts
    #######################################################################
    Upgrade process complete. Application version is: 3.2.3971
    #######################################################################
    Finishing Server Startup ...

    gpg: Signature made Mon 12 Dec 2011 03:19:38 PM EST using DSA key ID 9B705669
    gpg: Good signature from "Black Box (Policy Server) "
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
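The gpg output above names only a short key ID and warns that the key is not certified, so "Good signature" alone says little about who signed the upgrade. The script below is an added example (not from the guide or from Black Box) that accepts the .bin only when gpg's machine-readable status shows a good signature by a pinned full fingerprint; EXPECTED_FPR is a placeholder for the vendor fingerprint obtained out of band, and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the EncrypTight guide: decide whether an upgrade
# .bin should be accepted from gpg's --status-fd output rather than from the
# human-readable "Good signature" text. EXPECTED_FPR is a placeholder.

EXPECTED_FPR="0000000000000000000000000000000000000000"   # placeholder fingerprint

# check_status reads "[GNUPG:] ..." lines (gpg --status-fd 1) on stdin and
# prints "accept" or "reject". Accept requires GOODSIG, a VALIDSIG whose
# fingerprint equals the pinned one, and no BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG.
check_status() {
    expected="$1"
    good=0; valid=0; bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*) good=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*) bad=1 ;;
            "[GNUPG:] VALIDSIG "*)
                set -- $line                  # $3 is the full signing-key fingerprint
                if [ "$3" = "$expected" ]; then valid=1; fi ;;
        esac
    done
    if [ "$good" = 1 ] && [ "$valid" = 1 ] && [ "$bad" = 0 ]; then
        echo accept
    else
        echo reject
    fi
}

# Live usage on the ETM server after cd /opt/upgrade (VERSION is a placeholder):
#   verify_upgrade policyserver-upgrade-VERSION.bin policyserver-upgrade-VERSION.bin.asc
verify_upgrade() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$EXPECTED_FPR"
}

# Constructed status lines (not captured from a real ETM upgrade).
sample_good_status() {      # signature by the pinned key
    printf '%s\n' "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG 0123456789ABCDEF Vendor Signing Key (placeholder)" \
        "[GNUPG:] VALIDSIG $EXPECTED_FPR 2011-12-12 1323721178 0 4 0 17 2 00 $EXPECTED_FPR"
}
sample_other_key_status() { # valid signature, but by some other imported key
    printf '%s\n' "[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else (placeholder)" \
        "[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2011-12-12 1323721178 0 4 0 17 2 00 1111111111111111111111111111111111111111"
}
sample_bad_status() {       # archive modified after signing
    printf '%s\n' "[GNUPG:] BADSIG 0123456789ABCDEF Vendor Signing Key (placeholder)"
}
```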
YOU MUST wait for the upgrade to complete before continuing

EXAMPLE: Upgrade from 3.2.3971 to 3.3.4364:

    [root@PIT-ETM-N1 upgrade]# ./policyserver-upgrade-3.3.4364.bin
    Verifying archive integrity... All good.
    Uncompressing Upgrade to 3.3.4364.................................................................................

    scp_host not set, not scp-ing /opt/upgradebackup/db-backup-2012-02-15-18-54-v.sql.gz backup anywhere
    keeping backup 1: /opt/upgradebackup/db-backup-2012-02-15-18-54-v.sql.gz
    Finished db-backup done.
    Backing up the server dirs: /opt/ftpserverdir /opt/filestore /opt/jboss/server/policyserver...
    tar cfzh policyserver-backup-2012-02-15-18-54-v.tar.
Backup and Restore of EncrypTight Manager

    [root@PIT-ETM-N1 upgrade]# /etc/init.d/policyserver start
    Server is starting, check the log files for application status

2 Start the policyserver on EncrypTight Manager Cluster Node 2
YOU MUST wait for the startup to complete before continuing

    [root@PIT-ETM-N2 upgrade]# /etc/init.

Backup components provided by ETM
EncrypTight Manager provides mechanisms for backing up its database, and also for backing up the ETM software. Customers who do not do full server backups regularly can use those tools to ensure that they can recover as close to a point of failure as possible, while backing up the minimal amount of data necessary to restore. Using these tools also reduces the need for frequent full system backups.

Other hardware component failures
If some component other than a drive has failed, that component could be replaced in the field, or the server could be RMA'd back to Black Box.

Damage to the ETM software or database
If some damage is done to the ETM installation, such as unintentional removal of key configuration files or binaries under /opt/jboss/server/policyserver, then the ETM software should be restored.
    tar cvpzf backup.tgz --exclude=/proc --exclude=/lost+found --exclude=/backup.tgz --exclude=/mnt --exclude=/sys /

Please familiarize yourself with the tar command and its arguments. The man pages are included in the ETM distro. As noted above, the dd operation for non-RAID configured servers also serves as a full filesystem backup. It can be performed at important milestones to keep the backup current.

Procedure 2.

• Backup Server scp User
• Backup Server scp Password

Also note that the ETM root dir is /opt/jboss/server/policyserver, and that the /opt/scripts directory is a symlink to /opt/jboss/server/policyserver/scripts, so that directory will be backed up. It contains the config files that were used during installation. Files in /etc/init.d are not included in this tar, so those should be backed up separately, after installation.
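The ETM backup tar covers the server directories named in the upgrade output and leaves /etc/init.d to be backed up separately. The script below is an added example (not one of the ETM scripts) that archives those directories plus the init script with the same symlink-following tar flag and writes a SHA-256 checksum beside the archive so a restore can detect a modified backup; ROOT is an assumed prefix so the function can be exercised on a constructed tree, and is empty on a live server.

```shell
#!/bin/sh
# Added example, not part of the EncrypTight guide or its scripts.

# etm_backup ROOT OUTDIR STAMP: archive the ETM dirs and the init script,
# then write OUTDIR/<archive>.sha256. Prints the archive path on success.
etm_backup() {
    root="$1"      # prefix of the tree to back up ("" on a live server)
    outdir="$2"    # destination directory (the guide uses /opt/upgradebackup)
    stamp="$3"     # timestamp tag, e.g. 2012-02-15-18-54
    archive="$outdir/policyserver-backup-$stamp.tar.gz"
    # Directories named by the guide's upgrade output, plus the init script
    # that the guide says the ETM backup tar does not include.
    set -- "$root/opt/ftpserverdir" "$root/opt/filestore" \
           "$root/opt/jboss/server/policyserver" "$root/etc/init.d/policyserver"
    for p in "$@"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; return 1; }
    done
    mkdir -p "$outdir" || return 1
    # -h mirrors the guide's "tar cfzh": symlinks inside the listed directories
    # are stored as the files they point to, not as dangling links.
    tar -czhf "$archive" "$@" 2>/dev/null || return 1
    ( cd "$outdir" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" ) || return 1
    printf '%s\n' "$archive"
}

# etm_backup_check ARCHIVE: succeed only if the checksum still matches and the
# init script is actually inside the archive.
etm_backup_check() {
    archive="$1"
    ( cd "$(dirname "$archive")" && sha256sum -c "$(basename "$archive").sha256" ) >/dev/null 2>&1 || return 1
    tar -tzf "$archive" | grep -q 'etc/init.d/policyserver$'
}

# make_sample_tree BASE: constructed directory layout mirroring the guide's
# paths, including the /opt/scripts symlink, for trying the functions offline.
make_sample_tree() {
    base="$1"
    mkdir -p "$base/opt/ftpserverdir" "$base/opt/filestore" \
             "$base/opt/jboss/server/policyserver/scripts" "$base/etc/init.d"
    echo "node1=192.168.80.1" > "$base/opt/jboss/server/policyserver/scripts/policyserver-init.conf"
    ln -s "$base/opt/jboss/server/policyserver/scripts" "$base/opt/scripts"
    echo "#!/bin/sh" > "$base/etc/init.d/policyserver"
}
```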
If you changed the database userid or password, you will have to supply those options as well.

    [root@policyserver log]# /opt/scripts/db-import.sh --help
    db-import.sh --help --dbUser=dbUser --dbPass=dbPassword --dbType=dbType --importFile=importFile --disasterServer=[true/false]

Cluster notes
Restoring a cluster node should not include restoring the database if another cluster node with a database is still active. Instead, the database on the restored node should be synchronized via the ETM web application.
Appendices

Hardware Disaster Recovery Cluster Install
If you are going to have the disaster recovery cluster on node1 = 192.168.80.3 and node2 = 192.168.80.4 then you would run like this on both installs:
• Modify the /opt/scripts/policyserver-init.conf and set the following. Emacs, nano, and vi are available on the OS.

    ########################################################################
    ########################################################################
    #######                   VM tuning options                      #######
    #
    ## max number of worker threads in the application server, MUST be more than 2 x mdbQueueThreads
    maxServerThreads=500
    ## max number of high queue threads, max number of low queue threads
    mdbQueueThreads=200
    #
    ## at least 2G of RAM
    # minMemory=512
    # maxMemory=768
    # permSize=128
    # maxPermSize=256
    #
    ## at l

    UDP 45599
    UDP 46699

Ordering of actions is important. You should install in the following steps:
1 Power on both servers
2 Assign IP to server #1
3 Assign IP to server #2
4 Make sure that server #1 can see server #2 on the network
5 Run /etc/init.d/policyserver-install on server #1 (same order of IP addresses on both)
6 IMPORTANT: WAIT for server #1 to fully complete the install and startup
7 Run /etc/init.
EncrypTight Manager OVA Deployment Using vSphere Client Applications
You need to install vSphere Client onto your workstation. The vSphere Client software is only available for Windows platforms. Open up the VMware vSphere Client software. You will see the login prompt for the client to connect to the server.

Figure 2 Running vSphere Client
Enter the IP address of the ESX server. Select the checkbox for "Use Windows session credentials". Select Login.

Figure 3 Installing the CSM OVA
Click on the menu option File -> Deploy OVF Template...

Figure 4 Deploy OVF Template
Select the "Deploy from file" option. Copy and paste the ova link that is generated from the CSM build server. Select Next.

Figure 5 OVF Template Details
Select Next. You will see the Name and Location. Here you will enter a Name for the virtual machine that will be created.

Figure 6 Name and Location
Select Next. You will see the Host / Cluster selection. Select the Simulators -> vmhost1.blackbox.

Figure 7 Host / Cluster vmhost1.blackbox.com
Select Next. You will see the Resource Pool selection. Select the vmhost1.blackbox.

Figure 8 Resource Pool
Select Next. You will see the Datastore selection. You can select any of the available Datastores. Ensure there is at least 45G of free space available.

Figure 9 Datastore
Select Next. You will see the Ready to Complete screen.

Figure 10 Ready to Complete
Select Next. Now vSphere will import the ova into the CSM Testing Resource Pool. You will see a dialog with the progress and a complete message once it is done. You can close the complete message. You can select the newly created VM under the CSM Testing tree and power it on. There is a link to power it on under the Basic Tasks section of the VM.

Figure 11 Basic Tasks
Once the VM begins to power up, right click on the VM and select "Open Console". You will see the VM operating system boot up and get to the main blue screen.

Figure 12 Main Screen

Setup Networking
Once you are on the main blue screen of the virtual machine appliance you can click your mouse inside of it. The virtual machine now has control of your mouse. You will have to type "Ctrl+Alt" to release the mouse from it. Use the arrow keys in the appliance to select "Configure Network". You will see the main network config menu. Enter 6 and press Enter.

Figure 13 Main Network Config
Now you will be able to enter your IPv4 address information:

    Configure an IPv4 address for eth0? y/n n: y
    Use a DHCPv4 Server instead of a static IPv4 address? y/n n: n
    IPv4 Address []: 192.168.4.X
    Netwmask []: 255.255.192.0
    Is this correct? y/n y: y

Make sure you use 255.255.192.0 as the netmask. The valid static IP range for the QA CSM VMs is 4.20 to 4.50. Next select option 2 from the menu.

Figure 14 Default Gateway
Enter 0 for the interface to configure. Enter 192.168.1.1 for the Gateway.
(Optional) If you need to set up DNS for external access from the VM, select option 4 from the menu and enter the DNS IP settings. (Use 192.168.1.10 and 192.168.4.2 for DNS servers if you require DNS.)
Select option 1 from the menu to exit the network config.
Black Box Tech Support: FREE! Live. 24/7. Tech support the way it should be. Great tech support is just 30 seconds away at 724-746-5500 or blackbox.com. About Black Box Black Box Network Services is your source for an extensive range of networking and infrastructure products. You’ll find everything from cabinets and racks and power and surge protection products to media converters and Ethernet switches all supported by free, live 24/7 Tech support available in 30 seconds or less. © Copyright 2012.