Configuring the Data Security Manager (DSM)

Upload: dinhliem

Post on 26-Mar-2018


Contents

Introduction

Primary DSM Configuration

1. Configure DSM Networking

2. Set the DSM time zone, date, and time

3. Configure DSM Hostname

4. Generate the Certificate Authority

Failover DSM Configuration

1. Configure DSM Networking

2. Set the DSM time zone, date, and time

3. Configure DSM Hostname

4. Generate the Certificate Authority

High-Availability Configuration

1. Enable the primary DSM for communication to the failover

2. Convert the failover DSM

3. Synchronize the primary and failover DSM

Introduction

The purpose of this lab is to introduce the setup of the Vormetric Data Security Manager (DSM) appliance. After completing the lab, you will be able to perform the significant administrative tasks of DSM setup.

User IDs and Passwords

| Ravello Name | Hostname | CLI Username | CLI Password | Web Username | Web Password |
|---|---|---|---|---|---|
| Primary DSM | dsm-primary | cliadmin | Vormetric123! | admin | Vormetric123! |
| Failover DSM | dsm-failover | cliadmin | Vormetric123! | admin | Vormetric123! |

Primary DSM Configuration

A DSM is preconfigured with all the necessary software components installed. The only customization required is to update the DSM configuration with relevant networking and geography information for your location.


1. Configure DSM Networking

1) Click the VMs tab in the Ravello interface

2) Click the Primary DSM to highlight it and then click Console from the top menu

(Primary DSM) (ID=cliadmin / PASSWORD=Vormetric123!)

Note: The DSM CLI has a very limited command structure. To view the current command options, type ‘?’. To move between the command options, type the name of the command group you wish to use (for example, network). To return from a command group to the previous command group, type ‘up’.

3) Move to the network menu

>network

4) View the current network settings

>ip address show

Note: The default IP address of the DSM eth0 is 192.168.10.1. The easiest way to configure a physical appliance is to connect a network cable between this NIC and a laptop and change the laptop network settings to match the default network of eth0. The best order is to set up eth1 and ensure connectivity to that NIC before changing eth0. That way, an accidental misconfiguration of eth0 does not cost you connectivity and leave you limited to the serial interface.

5) Add the IP for network of eth1

>ip address add 10.0.0.2 dev eth0

6) Add a default gateway

>ip route add default table main.table via 10.0.0.1

7) Configure name resolution by adding host entries for the primary DSM, secondary DSM, and test servers

>host add dsm-primary 10.0.0.2

>host add dsm-failover 10.0.0.3

2. Set the DSM time zone, date, and time

Time is an interesting component of DSM setup. Time configuration is important not only for knowing when an event happened; certificate exchange is also time sensitive. If the time difference between the DSM and a certificate signing requester is too great (based on GMT, not absolute time), the signing request will fail. Keeping the date/time of the DSM and of any agent systems close to accurate avoids this issue.

Configuring the DSM with an NTP Date server is ideal because both the primary and failover DSMs can be synchronized to the same server. If that is not possible, you are still able to set the date and time manually.

1) Return to the main menu of the CLI


>up

2) Type maintenance to move to the maintenance command group

Note: You do not have to type in the entire word as long as you type enough of the keyword to be unique. (Example: ‘maint’ would be sufficient)

3) View the current settings

>date

>time

>gmttimezone show

4) List the time zones available

>gmttimezone list

5) Set the time zone for your locality

>gmttimezone set America/Chicago

6) Add NTP server

>ntpdate add pool.ntp.org [use your NTP server]

7) Synchronize time with the NTP server

>ntpdate start

8) Turn on NTP service

>ntpdate on
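
Because certificate signing fails when clocks disagree, it helps to measure a host's offset from the shared NTP server before registering it. The following is an added example (not part of the lab guide or any Vormetric tooling) that computes clock offset and round-trip delay from an NTP server reply using the standard NTP formulas; the reply bytes are constructed, and the 60-second tolerance is an assumption, since the guide gives no limit.

```python
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
MAX_SKEW_S = 60.0            # ASSUMED tolerance; the lab guide states no figure

def to_ntp(unix_ts):
    """Encode a Unix time as a 64-bit NTP timestamp (32-bit seconds + fraction)."""
    secs = int(unix_ts)
    return struct.pack("!II", secs + NTP_UNIX_DELTA, int((unix_ts - secs) * 2**32))

def from_ntp(raw):
    """Decode a 64-bit NTP timestamp into Unix time."""
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_UNIX_DELTA + frac / 2**32

def parse_reply(packet, t4):
    """Return (offset, delay) in seconds from a server reply received at local time t4."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    leap, mode, stratum = packet[0] >> 6, packet[0] & 0x7, packet[1]
    if mode != 4:
        raise ValueError("not a server reply")
    if leap == 3 or stratum == 0:
        raise ValueError("server clock is unsynchronized")
    t1 = from_ntp(packet[24:32])   # originate: client send time, client clock
    t2 = from_ntp(packet[32:40])   # receive: server clock
    t3 = from_ntp(packet[40:48])   # transmit: server clock
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay

def skew_ok(offset, limit=MAX_SKEW_S):
    """True when the measured offset is inside the assumed tolerance."""
    return abs(offset) <= limit

def build_reply(t1, t2, t3, stratum=2, leap=0):
    """Construct a sample 48-byte reply (LI, VN=4, mode=4) for offline use."""
    header = bytes([(leap << 6) | (4 << 3) | 4, stratum, 6, 0xEC])
    return header + bytes(12) + to_ntp(t2) + to_ntp(t1) + to_ntp(t2) + to_ntp(t3)

# Constructed sample: a host whose clock runs 300 s behind the NTP server.
T1 = 1700000000.0
SAMPLE = build_reply(T1, T1 + 300.25, T1 + 300.5)

if __name__ == "__main__":
    off, delay = parse_reply(SAMPLE, T1 + 0.75)
    print(f"offset={off:+.3f}s delay={delay:.3f}s within_tolerance={skew_ok(off)}")
```
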

3. Configure DSM Hostname

1) Return to the main DSM CLI menu

>up

2) Move to the system menu

>system

3) Use the setinfo command to set the hostname of the DSM

>setinfo hostname dsm-primary

4. Generate the Certificate Authority

1) Return to the main DSM CLI menu

>up


2) Move to the system menu

>system

3) Generate the certificate authority

>security genca

Note: It is not necessary to edit any of the entries as prompted by the CA generation. None of the entries will be validated against an external registration authority and can be simply bypassed by pressing the Enter/Return key. The CA generation can take as long as 10 minutes depending on resources.

Failover DSM Configuration

1. Configure DSM Networking

1) Click the VMs tab in the Ravello interface

2) Click the Failover DSM to highlight it and then click Console from the top menu

(dsm-failover) (ID=cliadmin / PASSWORD=Vormetric123!)

3) Move to the network menu

>network

4) View the current network settings

>ip address show

Note: The default IP address of the DSM eth0 is 192.168.10.1. The easiest way to configure a physical appliance is to connect a network cable between this NIC and a laptop and change the laptop network settings to match the default network of eth0. The best order is to set up eth1 and ensure connectivity to that NIC before changing eth0. That way, an accidental misconfiguration of eth0 does not cost you connectivity and leave you limited to the serial interface.

5) Add the IP for network of eth1

>ip address add 10.0.0.3/16 dev eth0

6) Add a default gateway

>ip route add default table main.table via 10.0.0.1

7) Configure name resolution by adding host entries for the primary DSM, secondary DSM, and test servers

>host add dsm-primary 10.0.0.2

>host add dsm-failover 10.0.0.3

8) Test external and internal connectivity


2. Set the DSM time zone, date, and time

1) Return to the main menu of the CLI

>up

2) Move to the maintenance menu

>maintenance

3) View the current settings

>date

>time

>gmttimezone show

4) List the time zones available

>gmttimezone list

5) Set the time zone for your locality

>gmttimezone set America/Chicago

6) Add NTP server

>ntpdate add pool.ntp.org [use your NTP server]

7) Synchronize time with the NTP server

>ntpdate start

8) Turn on NTP service

>ntpdate on

3. Configure DSM Hostname

1) Return to the main DSM CLI menu

>up

2) Move to the system menu

>system

3) Use the setinfo command to set the hostname of the DSM

>setinfo hostname dsm-failover


4. Generate the Certificate Authority

1) Return to the main DSM CLI menu

>up

2) Move to the system menu

>system

3) Generate the certificate authority

>security genca

Note: It is not necessary to edit any of the entries as prompted by the CA generation. None of the entries will be validated against an external registration authority and can be simply bypassed by pressing the Enter/Return key. The CA generation can take as long as 10 minutes depending on resources.

High-Availability Configuration

After configuring high availability, the failover DSMs possess the same keys, policies, and configurations as the primary DSM. The primary DSM propagates configuration changes to the failover DSMs using DB2 SQL replication.

1. Enable the primary DSM for communication to the failover

1) Get the external IP address of your primary DSM by clicking on it from the Ravello interface and checking the lower right-hand corner

2) Log in to the DSM management console. Use the following format, replacing XXX.XXX.XXX.XXX with the IP address from the previous step


https://XXX.XXX.XXX.XXX:8445

Note: For the most consistent interface results use Internet Explorer

3) When prompted about the website’s security certificate, click Continue

4) Log in to the Primary DSM (ID=admin / PASSWORD=admin123)

5) Change the password to Vormetric123!

6) Click the High Availability tab

7) Click Add to add the failover server to the High Availability Servers list

8) Type the name of the failover server in the Server Name field and click OK

(Server Name = dsm-failover)

2. Convert the failover DSM

1) Open a console to the failover DSM and log in (ID=cliadmin / PASSWORD=Vormetric123!)

2) Move to the High Availability menu

>ha

3) Convert the DSM to a failover

>convert2failover

>yes

>dsm-primary

>admin (note: this is the admin account, NOT cliadmin)

>Vormetric123!

Note: It is not necessary to edit any of the entries as prompted by the CA generation. None of the entries will be validated against an external registration authority and can be simply bypassed by pressing the Enter/Return key

>yes

Note: The convert2failover process can take up to 30 minutes to finish

3. Synchronize the primary and failover DSM

1) From the web console of the primary DSM, click the High Availability tab

Note: The failover DSM should now show as registered

2) Select the failover DSM and click Config Replication

3) When prompted, click OK to continue

Note: This can take as long as 20 minutes to complete. When complete the synchronization time fields will be populated as well as Synchronization Status.
