ProtectV Installation Guide (AWS)

  • ProtectV: Installation Guide (AWS) Product Version 1.7, Document PN: 007-011532-001, Rev R, Copyright © 2014 SafeNet, Inc., All rights reserved.


    Document Information

    Product Version 1.7

    Document Part Number 007-011532-001, Rev R

    Release Date March 2014

    Trademarks

    All intellectual property is protected by copyright. All trademarks and product names used or referred to are the copyright of their respective owners. No part of this document may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, chemical, photocopy, recording, or otherwise, without the prior written permission of SafeNet, Inc.

    • Linux® is a registered trademark of Linus Torvalds. Linux Foundation, Linux Standard Base, LSB, LSB Certified, IAccessible2, MeeGo are registered trademarks of the Linux Foundation. Copyright © 2010 Linux Foundation. All rights reserved.

    • Windows is a registered trademark of Microsoft Corporation in the United States and other countries.

    • Amazon Web Services™ and AWS™ are registered trademarks of Amazon.com, Inc. or its affiliates in the United States and other countries.

    • Red Hat® Linux® is a registered trademark of Red Hat, Inc. in the United States and other countries.

    • Ubuntu™ is a registered trademark of Canonical Ltd.

    Disclaimer

    SafeNet makes no representations or warranties with respect to the contents of this document and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, SafeNet reserves the right to revise this publication and to make changes from time to time in the content hereof without the obligation upon SafeNet to notify any person or organization of any such revisions or changes.

    We have attempted to make these documents complete, accurate, and useful, but we cannot guarantee them to be perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct them in succeeding releases of the product.

    SafeNet invites constructive comments on the contents of this document. These comments, together with your personal and/or company details, should be sent to the address or email below.

    Contact Method Contact Information

    Mail SafeNet, Inc. 4690 Millennium Drive Belcamp, Maryland 21017, USA

    Email [email protected]


Contents

Preface
    Customer Release Notes
    Audience
    Document Conventions
        Hyperlinks
        Notifications
            Notes
            Cautions
            Warnings
        Command Syntax and Typeface Conventions
    Related Documents
    Support Contacts

CHAPTER 1 What’s in this Installation Guide?
    Overview
    Supported Platforms
    Supported KeySecure Versions
    System Requirements
    Before You Begin

CHAPTER 2 Obtain a Provisioned ProtectV Manager AMI
    Overview
    Provision a ProtectV Manager

CHAPTER 3 Configure the ProtectV Manager
    Overview
    Configure KeySecure
        Important Notes
    Create Security Groups
        ProtectV Manager Security Group
        Linux Server Security Group
        Windows Server Security Group
    Launch Your Provisioned AMI

CHAPTER 4 Configure the ProtectV Client Virtual Server
    Overview
        For Linux
        For Windows
    Configure the Linux Virtual Server
        Configure the Firewall
        Create a Separate /boot Partition
            Sample Method to Create a Separate /boot Partition
    Download and Install the ProtectV Linux Client
        Manual Install
        Automated Install with YUM
    Download and Install the ProtectV Windows Client

CHAPTER 5 Start a ProtectV Client Virtual Server

CHAPTER 6 Encrypt/Decrypt Partitions
    Overview
    Encrypt a Partition
    Decrypt a Partition

CHAPTER 7 Linux Logical Volume Manager (LVM)

CHAPTER 8 Upgrade ProtectV
    Upgrade ProtectV Manager and ProtectV Clients to the Latest Version
        Pre-upgrade Information for the ProtectV Manager
        Pre-upgrade Information for the ProtectV Client
        Upgrade of ProtectV Manager via Export/Import Process
        Items Not Included in the Export Package
        EC2 vs. VPC
        HA vs. Non-HA
        Will There be Downtime During the Upgrade?
        Create the Export Package
            Export Using the ProtectV Manager Console
            Export Using the API
            Export Using the CLI
        Upgrade a Single Server Configuration (non-HA) via Import
            Upgrade Using the ProtectV Manager Console
            Upgrade Using the API
            Upgrade Using the CLI
        Upgrade an HA Configuration via Import
            Import Using the ProtectV Manager Console
            Import Using the API
            Import Using the CLI
        Upgrade the ProtectV Clients
            Windows Server Upgrade
            Linux Server Upgrade

CHAPTER 9 Linux Kernel Upgrades
    Overview
    Minor Kernel Upgrades
        Upgrade the Linux Kernel
    Major Kernel Upgrades

CHAPTER 10 Uninstall ProtectV
    Overview
        Linux Servers
        Windows Servers

CHAPTER 11 AES-NI Support
    Overview
    Configuration Requirements

CHAPTER 12 Windows Pre-boot Network Error Messages


    Preface

Customer Release Notes

The Customer Release Notes (CRN) document provides important information about this release that is not included in other customer documentation. It is strongly recommended that you read the CRN to fully understand the capabilities, limitations, and known issues for this release.

Audience

All products manufactured and distributed by SafeNet, Inc. are designed to be installed, operated, and maintained by personnel who have the knowledge, training, and qualifications required to safely perform the tasks assigned to them. The information, processes, and procedures contained in this document are intended for use by trained and qualified personnel only.

Document Conventions

Hyperlinks

Hyperlinked text will, by default, appear in the SafeNet standard shade of purple. For example:

www.safenet-inc.com/Support

    Notifications

    Notes

    This document uses notes to alert you to important or helpful information. These elements use the following format:

    NOTE: Notes contain important or helpful information that you want to make stand out to the user.

    Cautions

    Cautions are used to alert you to important information that may help prevent unexpected results or data loss. These elements use the following format:

    CAUTION: Exercise caution. Caution alerts contain important information that may help prevent unexpected results or data loss.


    Warnings

    Warnings are used to alert you to the potential for catastrophic data loss or personal injury. These elements use the following format:

    WARNING: Be extremely careful and obey all safety and security measures. In this situation you might do something that could result in catastrophic data loss or personal injury.

Command Syntax and Typeface Conventions

Table 1: Syntax and Typeface Conventions

Convention            Description

bold                  The bold attribute is used to indicate the following:
                      • Command-line commands and options (Type dir /p.)
                      • Button names (Click Save As.)
                      • Check box and radio button names (Select the Print Duplex check box.)
                      • Dialog box titles (On the Protect Document dialog box, click Yes.)
                      • Field names (User Name: Enter the name of the user.)
                      • Menu names (On the File menu, click Save.) (Click Menu > Go To > Folders.)
                      • User input (In the Date box, type April 1.)

italic                The italic attribute is used for emphasis or to indicate a related document. (See the Installation Guide for more information.)

Double quote marks    Double quote marks enclose references to other sections within the document. For example: Refer to “Disclaimer” on page 2.

<variable>            In command descriptions, angle brackets represent variables. You must substitute a value for command line arguments that are enclosed in angle brackets.

[ optional ]          Square brackets enclose optional keywords or <variables> in a command line description. Optionally enter the keyword or <variable> that is enclosed in square brackets, if it is necessary or desirable to complete the task.
[ <optional> ]

[ a | b | c ]         Square brackets enclose optional alternate keywords or <variables> in a command line description. Choose one command line argument enclosed within the square brackets, if desired. Choices are separated by vertical (OR) bars.
[ <a> | <b> | <c> ]

{ a | b | c }         Braces enclose required alternate keywords or <variables> in a command line description. You must choose one command line argument enclosed within the braces. Choices are separated by vertical (OR) bars.
{ <a> | <b> | <c> }


Related Documents

The following documents contain related or additional information:

• ProtectV Release Notes (pertinent updates)

• ProtectV User Guide (details on how to use the ProtectV Manager Console)

• ProtectV Command Line Interface Guide (details on using the ProtectV CLI)

• ProtectV API Integration Guide (details on using the ProtectV APIs)

• KeySecure or DataSecure User Guide (details on how to use a KeySecure or DataSecure device for key storage)

• Quick start documentation included with the device (details on how to configure the device for key storage)

    Support Contacts If you encounter a problem while installing, registering or operating this product, please make sure that you have read the documentation. If you cannot resolve the issue, contact your supplier or SafeNet Customer Support. SafeNet Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between SafeNet and your organization. Please consult this support plan for further information about your entitlements, including the hours when telephone support is available to you.

    Table 2: Support Contacts

    Contact Method Contact Information

    Address SafeNet, Inc. 4690 Millennium Drive Belcamp, Maryland 21017 USA

    Phone United States 1-800-545-6608

    International 1-410-931-7520

    Email [email protected]

    Support and Downloads

    www.safenet-inc.com/Support Provides access to the SafeNet Knowledge Base and quick downloads for various products.

    Technical Support Customer Portal

    https://serviceportal.safenet-inc.com Existing customers with a Technical Support Customer Portal account can log in to manage incidents, get the latest software upgrades, and access the SafeNet Knowledge Base.


    CHAPTER 1 What’s in this Installation Guide?

    Overview The ProtectV solution is built on proven SafeNet technologies, while extending robust security capabilities to the new demands of cloud environments. In Amazon Web Services (AWS), ProtectV supports both the public cloud platform (EC2) and private cloud platform (VPC).

    ProtectV delivers the vital centralized management capabilities that organizations need to practically and effectively deploy encryption across environments with hundreds of virtual machines (VMs), geographically dispersed deployments, and multiple private and public cloud environments.

NOTE: The term “virtual machine” and the acronym “VM” are used interchangeably in this document. For AWS users, “virtual machine” is synonymous with “instance.”

    This document will walk you through the following tasks to get up and running with ProtectV. You will:

    • Obtain a provisioned ProtectV Manager AMI.

    • Configure KeySecure.

    • Create the ProtectV Manager security groups.

    • Launch the provisioned AMI.

    • Download and install the ProtectV Client.

    • Start a virtual server.

    • Encrypt and decrypt a partition.

    • Upgrade ProtectV.

    After you complete the tasks in this document, please refer to the ProtectV User Guide for details on how to use the ProtectV Manager Console.


Supported Platforms

The following table presents the virtualized server platforms that currently support ProtectV.

Distribution                                           AWS   VMware   Physical Server

Microsoft Windows Server 2003 R2 (64-bit), SP2         Yes   Yes      Yes
Microsoft Windows Server 2008 (64-bit), SP2            Yes   Yes      Yes
Microsoft Windows Server 2008 R2 (64-bit), SP1         Yes   Yes      Yes
Microsoft Windows Server 2012 (64-bit)                 Yes   Yes      Yes
Microsoft Windows Server 2012 R2 (64-bit)              No    Yes      Yes
CentOS Linux 6.2 (64-bit)                              Yes   Yes      No
SUSE Linux Enterprise Server (SLES) 10 SP4 (64-bit)    No    Yes      No
SUSE Linux Enterprise Server (SLES) 11 SP1 (64-bit)    No    Yes      No
Red Hat Enterprise Linux (RHEL) 5.8 (64-bit)           Yes   Yes      No
Red Hat Enterprise Linux (RHEL) 6.2 (64-bit)           Yes   Yes      No
Red Hat Enterprise Linux (RHEL) 6.3 (64-bit)           Yes   Yes      No
Red Hat Enterprise Linux (RHEL) 6.4 (64-bit)           Yes   Yes      No
Ubuntu 12.04 LTS (FIPS is not available)               Yes   Yes      No

    Supported KeySecure Versions For clustered or non-clustered KeySecure configurations, use version 6.1.2 or later.

    AWS Marketplace customers can configure ProtectV with Virtual KeySecure which is now available for purchase on AWS Marketplace.


System Requirements

The following summarizes the system requirements to install ProtectV Manager, and to install and properly run the ProtectV Client on a Windows or Linux guest operating system.

• The system requirements to install the ProtectV Manager are:

    • As a minimum, choose a c1.medium or m1.medium instance type.

    • Each ProtectV Manager instance or HA pair can manage up to 500 ProtectV Clients.

• The minimum system requirements to install and run the ProtectV Client on a Windows guest operating system in AWS EC2 are:

    • m1.small instance type (The ProtectV Client installer will display the following message if a micro instance type is used: "ProtectV does not support t1.micro instances. Please convert to m1.small or larger.")

    • 256 MB RAM

    • 100 MB system free space

    • Additionally, please note the following limitation: partitions over 2 TB in size (GPT partitions) are not currently supported.

• The minimum system requirements to install and run the ProtectV Client on a Linux guest operating system in AWS EC2 are:

    • m1.small instance type (The ProtectV Client installer will display the following message if a micro instance type is used: "ProtectV does not support t1.micro instances. Please convert to m1.small or larger.")

    • 100 MB system free space

    • The recommended instance configuration is a pv-grub instance with a separate /boot volume or partition at /dev/sda1 in ext3 format, or ext4 format (on distributions that support ext4 by default, such as RHEL 6.n). If the instance does not have a separate /boot partition, ProtectV will reconfigure the instance to pv-grub with a separate boot partition upon first encryption.

    • For instances whose root volume is /dev/sda (not an unpartitioned /dev/sda1), a separate boot partition is required.

    • The root partition must be in ext3 format, or ext4 format (on distributions that support ext4 by default, such as RHEL 6.n).

    • Any partition to be encrypted must be in swap, ext3, or ext4 format (on distributions that support ext4 by default).

• Please note the following regarding ProtectV Linux Client encryption:

    • ProtectV no longer supports non-PVGRUB instances.

    • The recommended instance configuration is a separate /boot partition. If there is no separate /boot partition, ProtectV will add a volume and modify the instance to have a separate /boot on first encryption.

Please refer to “Create a Separate /boot Partition” for configuration details.
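The Linux requirements above (no t1.micro, root on ext3/ext4, a separate ext3/ext4 /boot, only ext3/ext4/swap partitions eligible for encryption, 100 MB free) are easy to check before the client is installed. The script below is an added pre-flight check, not part of the SafeNet guide or the ProtectV client. The check functions take their input as arguments or on stdin so they can be run anywhere; only the --live driver reads the real instance, and it assumes a standard EC2 instance metadata endpoint (169.254.169.254), /proc/mounts and curl.

```shell
#!/bin/sh
# Added pre-flight check for the ProtectV Linux client requirements.
# Not part of the SafeNet guide. Pure functions take their input as
# arguments or on stdin; the --live driver reads the real instance
# (EC2 instance metadata endpoint, /proc/mounts, df).

# ProtectV can encrypt only ext3, ext4 and swap partitions.
pv_fs_supported() {
  case "$1" in
    ext3|ext4|swap) return 0 ;;
    *) return 1 ;;
  esac
}

# The client installer rejects t1.micro; anything else is accepted here.
pv_instance_type_ok() {
  [ -n "$1" ] && [ "$1" != "t1.micro" ]
}

# Given /proc/mounts-style lines on stdin, print the filesystem type mounted
# at mount point $1 (prints nothing if $1 is not a separate mount).
pv_fs_type_of() {
  awk -v mp="$1" '$2 == mp { print $3; exit }'
}

# Evaluate a mount table read from stdin: root on ext3/ext4, /boot (when
# separate) on ext3/ext4, and report which other mounted partitions ProtectV
# could encrypt. Returns 0 only if nothing failed. (Swap is not listed in
# /proc/mounts, so swap partitions are not reported here.)
pv_check_mounts() {
  table=$(cat)
  rc=0
  root_fs=$(printf '%s\n' "$table" | pv_fs_type_of /)
  if [ "$root_fs" = ext3 ] || [ "$root_fs" = ext4 ]; then
    echo "ok: root filesystem is $root_fs"
  else
    echo "fail: root filesystem '$root_fs' is not ext3/ext4"; rc=1
  fi
  boot_fs=$(printf '%s\n' "$table" | pv_fs_type_of /boot)
  if [ -z "$boot_fs" ]; then
    echo "warn: no separate /boot; ProtectV will add one on first encryption"
  elif [ "$boot_fs" = ext3 ] || [ "$boot_fs" = ext4 ]; then
    echo "ok: separate /boot on $boot_fs"
  else
    echo "fail: /boot is $boot_fs, expected ext3/ext4"; rc=1
  fi
  printf '%s\n' "$table" |
    awk '$1 ~ /^\/dev\// && $2 != "/" && $2 != "/boot" { print $2, $3 }' |
    while read -r mp fs; do
      if pv_fs_supported "$fs"; then
        echo "ok: $mp ($fs) can be encrypted"
      else
        echo "info: $mp ($fs) cannot be encrypted by ProtectV"
      fi
    done
  return $rc
}

# Live driver: run on the instance itself with --live.
pv_preflight_live() {
  itype=$(curl -s --max-time 3 http://169.254.169.254/latest/meta-data/instance-type)
  if pv_instance_type_ok "$itype"; then
    echo "ok: instance type $itype"
  else
    echo "fail: instance type '$itype' (t1.micro is not supported)"
  fi
  pv_check_mounts < /proc/mounts
  # 100 MB free on the system partition; df -Pk reports 1 KB blocks.
  df -Pk / | awk 'NR == 2 && $4 < 102400 { print "fail: less than 100 MB free on /" }'
}

if [ "${1:-}" = "--live" ]; then
  pv_preflight_live
fi
```

Run it as `sh preflight.sh --live` on the candidate instance before installing the client; a "warn" on /boot is not a blocker (ProtectV creates the partition on first encryption), but a "fail" on the root filesystem or instance type has to be resolved first.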

Before You Begin

• You should already be familiar with virtual cloud and Amazon Web Services terminology, know how to navigate and use the Amazon Management Console, and launch a virtual machine. Refer to the Amazon Web Services EC2 and VPC documentation if you need assistance. The AWS EC2 documentation can be found here: http://aws.amazon.com/documentation/ec2/.

    • Make sure that you have access to and login credentials for SafeNet’s Technical Support Customer Portal site at https://serviceportal.safenet-inc.com, so you can get support for the product.

    • Ensure you have the appropriate IAM permissions. ProtectV Manager will verify the cloud credentials by communicating with AWS. If you do not have the AWS account configured properly and ProtectV Manager cannot contact AWS, then you will not be able to proceed. Make sure you have the Access Key ID and Secret Access Key used to access your Amazon Web Services account. These values are usually included with your IAM access credentials.

    In addition, make sure you have the following minimum IAM permissions to run ProtectV and manage Windows and Linux servers in ProtectV Manager.

Action                                                                  Command

Associate Elastic IP address                                            ec2:AssociateAddress

Create snapshot                                                         ec2:CreateSnapshot
Delete snapshot                                                         ec2:DeleteSnapshot
Describe an attribute of a snapshot                                     ec2:DescribeSnapshotAttribute
Describe one or more of the Amazon EBS snapshots that are available     ec2:DescribeSnapshots

Create tags                                                             ec2:CreateTags
Describe one or more of the tags for your EC2 resources                 ec2:DescribeTags

Create volume                                                           ec2:CreateVolume
Attach volume                                                           ec2:AttachVolume
Detach volume                                                           ec2:DetachVolume
Remove volume                                                           ec2:DeleteVolume
Describe an attribute of a volume                                       ec2:DescribeVolumeAttribute
Describe the status of one or more volumes                              ec2:DescribeVolumeStatus
Describe one or more of your Amazon EBS volumes                         ec2:DescribeVolumes
Modify a volume attribute                                               ec2:ModifyVolumeAttribute

Describe the regions that are currently available to you                ec2:DescribeRegions

Stop instances                                                          ec2:StopInstances
Start instances                                                         ec2:StartInstances
Reboot instances                                                        ec2:RebootInstances
Launch the specified number of instances                                ec2:RunInstances
Describe an attribute of the specified instance                         ec2:DescribeInstanceAttribute
Describe the status of one or more instances                            ec2:DescribeInstanceStatus
Describe one or more of your instances                                  ec2:DescribeInstances
Submit feedback about an instance's status                              ec2:ReportInstanceStatus

    For details about AWS IAM permissions, please refer to the AWS documentation at: http://docs.aws.amazon.com/IAM/latest/UserGuide/PermissionsOverview.html
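The permission table above is a least-privilege list: ProtectV Manager only needs those 24 EC2 actions, so the Access Key ID and Secret Access Key it is given should belong to a dedicated IAM user carrying exactly that policy rather than to an account-wide key. The script below is an added example of doing that with the AWS CLI; it is not from the SafeNet guide or the ProtectV product. The user name "protectv-manager" and the policy name "ProtectVMinimum" are assumptions, and "Resource": "*" is used because these EC2 actions are granted account-wide. The policy and audit functions run offline; only --apply calls AWS.

```shell
#!/bin/sh
# Added example, not from the SafeNet guide: give ProtectV Manager a dedicated
# IAM user that holds exactly the EC2 actions listed in the guide's table.
# The user name "protectv-manager" and the policy name "ProtectVMinimum" are
# assumptions. The AWS CLI is required only for --apply.

# The minimum policy document built from the guide's permission table.
pv_min_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AssociateAddress",
        "ec2:CreateSnapshot", "ec2:DeleteSnapshot",
        "ec2:DescribeSnapshotAttribute", "ec2:DescribeSnapshots",
        "ec2:CreateTags", "ec2:DescribeTags",
        "ec2:CreateVolume", "ec2:AttachVolume", "ec2:DetachVolume",
        "ec2:DeleteVolume", "ec2:DescribeVolumeAttribute",
        "ec2:DescribeVolumeStatus", "ec2:DescribeVolumes",
        "ec2:ModifyVolumeAttribute",
        "ec2:DescribeRegions",
        "ec2:StopInstances", "ec2:StartInstances", "ec2:RebootInstances",
        "ec2:RunInstances", "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus", "ec2:DescribeInstances",
        "ec2:ReportInstanceStatus"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# List the actions the policy grants, one per line, for auditing.
pv_policy_actions() {
  pv_min_policy |
    sed -n '/"Action": \[/,/^ *]/p' |
    grep -o '"[^"]*"' | grep -v '^"Action"$' | tr -d '"'
}

# Number of distinct actions granted; the guide's table lists 24.
pv_policy_action_count() {
  pv_policy_actions | sort -u | wc -l | tr -d ' '
}

# Create the user, attach the inline policy and issue the access key that
# ProtectV Manager will be configured with. create-access-key prints the
# secret exactly once: enter it into the Manager and keep it out of logs.
pv_apply() {
  user="${1:-protectv-manager}"
  tmp=$(mktemp) || return 1
  pv_min_policy > "$tmp"
  aws iam create-user --user-name "$user" &&
    aws iam put-user-policy --user-name "$user" \
      --policy-name ProtectVMinimum --policy-document "file://$tmp" &&
    aws iam create-access-key --user-name "$user"
  rc=$?
  rm -f "$tmp"
  return $rc
}

if [ "${1:-}" = "--apply" ]; then
  pv_apply "${2:-protectv-manager}"
fi
```

Run `sh protectv-iam.sh --apply` with administrator credentials once, then configure ProtectV Manager with the key pair it prints; `pv_policy_actions` is there so the granted set can be diffed against the table whenever a new release changes the required permissions.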

    • When running Sysprep on an Amazon AMI using the EC2Config service, you will need to edit C:\Program Files\Amazon\EC2ConfigService\Settings\BundleConfig.xml, and remove the ‘/generalize’ switch:

    (snippet of BundleConfig.xml file)

    The example below shows the entire edited ‘BundleConfig.xml’ file to illustrate the proper edits that will allow you to utilize Sysprep, and be able to issue the Boot to OS command to boot the new AMIs into their Guest OS as expected.

    • Physical Server support is currently unavailable in AWS environments (it is only available in vSphere environments). After installing ProtectV Manager, if the Physical Server task menu is present in the Server Management tab in the ProtectV Manager Console, you can remove it.

    In the ProtectV Manager Console, go to Administration > System Settings > Physical Server Settings > Disable, or use either the disablePhysicalServerSupport API function or the physicalserver disable-support CLI command.

    • Non-English characters are not supported in ProtectV Manager. Make sure all input uses English characters only. For example, this includes regions and virtual machine names.



    • Windows servers only: Do not take partitions offline or change drive letters while encryption or decryption is in progress.

    • Windows servers only: Reformatting on an encrypted system is currently not allowed. As an alternative, delete the partition, then create a new partition, and format it.

    • Linux servers only: For Ubuntu distributions configured to use dynamic IP addressing, we recommend using a non-stock DHCP client. The default DHCP client may experience frequent IP address changes when the VM reboots from the OS to pre-boot. If a DHCP client is used, replace the isc-dhcp-client package with udhcpc.


    CHAPTER 2 Obtain a Provisioned ProtectV Manager AMI

    Overview

    Provisioning builds a customized, AWS region-specific, confidential (encrypted) ProtectV Manager image. This process is required to place a ProtectV Manager in your target AWS account. Separate provisioning requests must be made if you need multiple ProtectV Managers in one or multiple regions.

    From the ProtectV Manager Provisioning user interface, you can customize your AMI for a specific region and add specific boot-authentication security administrators. Only SafeNet-authorized Technical Support Customer Portal users can connect to the SafeNet PVM provisioning web site and gain access to the provisioning system.

    During the ProtectV Manager provisioning request, you can configure up to eight boot-authentication security administrators and their associated passwords. When the ProtectV Manager is stopped (powered-off), the system is encrypted to keep all security configuration information confidential. These registered boot-authentication security administrator accounts are used to authorize the boot-up and decryption of the ProtectV Manager to transition from power-off to a running (powered-on) state.

    Once you have received your provisioned AMI, you can also add boot-authentication security administrators through the ProtectV Manager SSH Pre-boot Login Shell. See page 21 for more details. The ProtectV Manager SSH Pre-boot Login Shell is provided with a restricted command shell that allows user/password management, booting of the system, and port reassignment.

    When powered-up, a provisioned ProtectV Manager image will stop and wait for a boot-authentication user’s authorization to decrypt the image and execute the run-time ProtectV Manager. When the boot command is applied at the ProtectV Manager SSH Pre-boot Login Shell, the ProtectV Manager virtual machine will continue to boot. Upon successful decryption, and run-time launch, you can log into the ProtectV Manager to perform the desired tasks through the ProtectV Manager Console.

    Provision a ProtectV Manager

    1. Log into the Provisioning Server at https://provision.protectv.safenet-inc.com/app with the Technical Support Customer Portal Username and Password credentials provided by SafeNet, and click Login.

    You will land on the Requests list tab, which displays any request(s) that you have made, their current status, date of request, region, etc.

    2. Click the New request wizard tab.

    3. Choose a Product selection (select ProtectV Manager AWS), and then click Next.

    4. Choose a Version selection (select the latest version), and then click Next.

    5. Configure these Environment settings:

    • Select the Region where the ProtectV Manager AMI will be provisioned.

    • Enter the AWS ID (Amazon account number) of the user requesting the provisioned PVM. Include numbers only—omit dashes, spaces, or leading tab characters.



    6. Add credentials for the security administrators who are authorized to boot the encrypted ProtectV Manager. You can add up to eight security administrators. For each security administrator, enter a User name and Password (confirm the password in the Repeat password field).

    User names must start with a lowercase letter and can only contain lowercase letters, numbers, and '_' and '-' symbols. (Do not include spaces or special characters.) User names cannot exceed 32 characters.

    NOTE: You do not have to add all security administrators at this time. Additional administrators can be added through the ProtectV Manager SSH Login Shell. See page 21 for details.

    7. Click Submit. The ProtectV Manager provisioning service will now process your request.

    8. When the ProtectV Manager image is provisioned, you will receive an e-mail confirmation with a provisioning request number (Request reference ID).

    NOTE: The Requests list tab will display the status of your request. Look for your request reference ID under the Request ID column. The status will initially be set to pending, then change to dispatched, and then to created once the image is provisioned.

    9. Once the image is provisioned, you will receive another e-mail notification with the ProtectV Manager AMI ID. The provisioned ProtectV Manager AMI will be shared with your account for at least two weeks.


    CHAPTER 3 Configure the ProtectV Manager

    Overview

    This chapter discusses how to configure the ProtectV Manager in AWS. In this chapter, you will:

    • Configure KeySecure.

    • Create security groups.

    • Launch your ProtectV Manager AMI.

    Configure KeySecure

    You must complete the procedures in this section on the KeySecure device before proceeding with ProtectV configuration. (You will be prompted to enter valid KeySecure settings during ProtectV configuration.)

    Please make sure you have access to the KeySecure User Guide or DataSecure User Guide, and the quick start documentation included with the device for detailed instructions on how to complete the procedures in this section.

    Important Notes

    • To perform cryptographic operations, ProtectV Manager needs to export the encryption key. If the KeySecure device is configured for FIPS compliance, key export is not allowed over a plain TCP connection, so encryption and decryption operations would fail. For ProtectV to work in FIPS mode, you must set up SSL between KeySecure and ProtectV Manager and allow key export over it.

    • To ensure there is no SSL/TCP mismatch between the KeySecure device and ProtectV Manager, verify the protocol on the KeySecure server: go to the Device tab > KeyServer and view the NAE-XML properties. If Use SSL is selected, the device is configured to use SSL, and you must select SSL as the Protocol when entering the Key Manager Settings in ProtectV Manager.

    • If the KeySecure device is already set for SSL and you decide to turn FIPS mode on later, you must edit the NAE-XML properties and enable Allow Key Export and Allow Key and Policy Configuration Operations properties.


    1. Set up the KeySecure device in the network. Please refer to the quick start documentation included with the device for details.

    2. Complete the following installation and configuration procedures. Where noted in parentheses, please refer to that section in the KeySecure User Guide or DataSecure User Guide for details. Note that the screen shots shown here reflect only the portion of the screen that is applicable to the specified KeySecure configuration procedure.

    • Obtain the software license from SafeNet and install it. (see “Install Software Licenses”)

    • Configure SSL. These procedures are required only if you are using an SSL connection between KeySecure and ProtectV. Before the KeySecure can respond to SSL requests from ProtectV Manager, the KeySecure must be configured with at least one server certificate.

    • Create a Local Certificate Authority on KeySecure. (see “Create a Local Certificate Authority”)


    • Create a Server Certificate signed by the Local CA. (see “Creating a Server Certificate for the KeySecure”)

    • Create a Local user on the KeySecure. (see “Create a Local User”)

    • Enable Key Export on the KeySecure. (see steps below)

    a. Log in to the KeySecure Management Console with administrative access.

    b. Go to Device tab > KeyServer.

    c. Go to NAE-XML properties and click Edit.

    d. Select Allow key export.

    e. Select Allow Key and Policy Configuration Operations.

    f. Save the changes.


    Create Security Groups

    We recommend that you create three AWS security groups: one for ProtectV Manager servers, one for Linux clients, and one for Windows clients.

    If you need assistance adding security groups, please refer to the Amazon Web Services documentation at http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html.

    ProtectV Manager Security Group

    Add these ports for the ProtectV Manager security group:

    • 22 - SSH

    • 443 - HTTPS

    • 5432 – HA/postgres replication

    • 5984 – HA/Replication/TCP

    • 6984 – HA/Replication/SSL

    • 7080 – HA/SOAP

    • 8080 – PVM/SOAP

    • 9000 – Default KeySecure/DataSecure NAE_XML

    • 9090 – SC/TCP

    • 9093 – SC/SSL

    Linux Server Security Group

    Add these ports for the Linux server security group. Please make sure you limit the Source field to the ProtectV Manager security group.

    • 22 - SSH

    • 9090 – SC/TCP

    • 9093 – SC/SSL

    Windows Server Security Group

    Add these ports for the Windows server security group. Please make sure you limit the Source field to the ProtectV Manager security group.

    • 3389 – RDP

    • 9090 – SC/TCP

    • 9093 – SC/SSL

    NOTE: After you have installed the Windows ProtectV Client, ProtectV rules are automatically created in the Windows firewall, which are used for ProtectV communications.
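The following shell script is an added example, not part of the SafeNet guide, that creates the three security groups above with the AWS CLI. The guide lists only the ports; the group names, the administrators' network (ADMIN_CIDR) and the source chosen for each ProtectV Manager port are assumptions made here and are marked as such. The two client groups follow the guide exactly, with the ProtectV Manager group as the only source. DRY_RUN=1 prints the commands instead of executing them so the rule set can be reviewed first.

```shell
#!/bin/sh
# Added example, not part of the SafeNet guide: create the three security
# groups above with the AWS CLI. The guide lists only the ports; the group
# names, the administrators' network and the source chosen for each ProtectV
# Manager port are ASSUMPTIONS made here. The client groups follow the guide
# exactly: every rule's source is the ProtectV Manager group. DRY_RUN=1
# prints the commands instead of running them. --group-name/--source-group
# address groups by name, which works in EC2-Classic and the default VPC; in
# any other VPC use --group-id/--source-group with the IDs that
# create-security-group returns.

PVM_SG=${PVM_SG:-protectv-manager}
LINUX_SG=${LINUX_SG:-protectv-linux-clients}
WIN_SG=${WIN_SG:-protectv-windows-clients}
ADMIN_CIDR=${ADMIN_CIDR:-203.0.113.0/24}   # ASSUMPTION: where administrators connect from

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# tcp/$2 on group $1, source = CIDR $3
allow_cidr()  { run aws ec2 authorize-security-group-ingress --group-name "$1" --protocol tcp --port "$2" --cidr "$3"; }
# tcp/$2 on group $1, source = members of security group $3
allow_group() { run aws ec2 authorize-security-group-ingress --group-name "$1" --protocol tcp --port "$2" --source-group "$3"; }

pvm_security_groups() {
    run aws ec2 create-security-group --group-name "$PVM_SG"   --description "ProtectV Manager servers"
    run aws ec2 create-security-group --group-name "$LINUX_SG" --description "ProtectV Linux clients"
    run aws ec2 create-security-group --group-name "$WIN_SG"   --description "ProtectV Windows clients"

    # ProtectV Manager: pre-boot SSH shell, HTTPS console and PVM/SOAP from
    # administrators only (ASSUMPTION)
    for p in 22 443 8080; do allow_cidr "$PVM_SG" "$p" "$ADMIN_CIDR"; done
    # HA replication/SOAP and NAE-XML: between ProtectV Managers only (ASSUMPTION)
    for p in 5432 5984 6984 7080 9000; do allow_group "$PVM_SG" "$p" "$PVM_SG"; done
    # SC/TCP and SC/SSL: from the client groups (ASSUMPTION)
    for p in 9090 9093; do
        allow_group "$PVM_SG" "$p" "$LINUX_SG"
        allow_group "$PVM_SG" "$p" "$WIN_SG"
    done

    # Client groups, source limited to the ProtectV Manager group as the guide
    # requires. Administrative SSH/RDP from elsewhere is a separate, deliberate
    # rule and is not added here.
    for p in 22 9090 9093;   do allow_group "$LINUX_SG" "$p" "$PVM_SG"; done
    for p in 3389 9090 9093; do allow_group "$WIN_SG"   "$p" "$PVM_SG"; done
}

# Usage: DRY_RUN=1; pvm_security_groups    # review the output, then run again without DRY_RUN
```

Using the Manager group as the source for the client rules means the client ports are unreachable from anywhere except instances launched into that group, which is what "limit the Source field" above asks for; a CIDR of 0.0.0.0/0 on 9090/9093 would expose the client channel to the whole Internet.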



    Launch Your Provisioned AMI

    Once you have received the provisioned ProtectV Manager AMI, you can use it for up to two weeks.

    Follow the steps below to launch the AMI. Note that each time the ProtectV Manager virtual machine is started or rebooted, you will have to unlock (decrypt) it, as described in steps 2 through 4.

    1. In the AWS Management Console, launch the ProtectV Manager virtual machine using the AMI ID provided by SafeNet. Select the c1.medium or m1.medium instance type.

    2. Connect to the virtual machine using SSH on port 22.

    3. Log in with the user name and password that was specified when creating user credentials in step 6 in the Provision a ProtectV Manager section in the previous chapter.

    A successful login launches the ProtectV Manager SSH Login Shell. You can control your secured ProtectV Manager image using the following commands:

    • add — Use this option to add a registered user who can access the ProtectV Manager (PVM) virtual machine.

      • You can have a maximum of eight registered users.

      • Usernames must start with a lowercase letter and can only contain lowercase letters, numbers, and '_' and '-' symbols. (Do not include spaces or special characters.)

      • Usernames cannot exceed 32 characters.

    • boot — Use this option to unlock drives and boot a decrypted PVM virtual machine.

    • exit — Use this option to close the PVM SSH Login Shell.

    • help / ? — Use this option to list all of the available commands.

    • list — Use this option to list all current users.

    • password — Use this option to change the password for a specified user.

    • port — Use this option to change the port connection. The default port is 22.

    • reboot — Use this option to reboot the virtual machine.

    • rm — Use this option to delete the specified user.

    • shutdown — Use this option to shut down the PVM virtual machine.

    4. Type boot and press Enter. This step will boot the instance. (This step may take a few minutes.)

    5. Once booted, open a new browser window, and connect to the virtual machine using the Public DNS (for example, https://ec2-50-16-156-2.compute-1.amazonaws.com).

    ProtectV defaults to a self-signed HTTPS certificate. When the certificate security warning is displayed, proceed through the screens to accept the certificate. Because the browser cannot verify a self-signed certificate against a trusted CA, record the certificate fingerprint it shows on this first connection and check that later connections to the ProtectV Manager present the same fingerprint; an unexplained change means the connection should not be trusted until you have confirmed what changed.

    For example, if you’re using Internet Explorer, you’d see:

    • Click Continue to this website.


    6. The ProtectV Manager User Login screen is displayed. Enter these default credentials, and then click Login:

    • Username: admin

    • Password: admin

    7. The Software License Agreement is displayed. Carefully review the agreement. If you agree with the terms, click Accept to continue.

    8. The Choose How to Configure the ProtectV Manager prompt is displayed. Select New Configuration and click Next.

    9. You will be prompted to change your password. Enter the old password, and then enter the new one.

    10. The Key Manager Settings page is displayed. You must already have a KeySecure device (K150 or higher) configured to complete this page. (Refer to the tasks outlined in the Configure KeySecure section starting on page 17.)

    Complete this page:

    • Username: Enter the user created on the KeyManager device.

    • Password: Enter the password of the user created on the KeyManager device.

    • IP Address: Enter the KeyManager IP address. (For KeySecure clustering, enter the multiple IP addresses delineated by ':'. For example, 123.12.12.123:123.12.12.124)

    • Port: Enter the KeyManager port.

    • Protocol: Select SSL or TCP.

    • Certificate: Copy the Local CA Certificate from the KeyManager device and paste it here.

    NOTE: You must enter valid KeySecure settings to ensure that connection to the KeySecure server with the current configuration is correct.

    If you do not have the KeySecure configured properly, ProtectV Manager cannot make a connection. If the configuration is correct, the System Status section on ProtectV Manager Dashboard will display the Key Manager connection status as Connected.


    11. Click Save.

    12. The Add Cloud Credential prompt is displayed. Enter the Access Key ID and Secret Access Key used to access your Amazon Web Services account. Use the keys of an IAM user that has been granted the EC2 permissions listed in Chapter 1 rather than the credentials of the AWS account itself, so that the ProtectV Manager holds no more access than it needs.

    13. Click Add.

    NOTE: ProtectV Manager will verify the cloud credentials by communicating with AWS. If you do not have the AWS account configured properly and ProtectV Manager cannot contact AWS, then you will not be able to proceed.

    14. Now you can add a ProtectV Client virtual server. Continue with the procedures in the next chapter.


    CHAPTER 4 Configure the ProtectV Client Virtual Server

    Overview

    In this chapter, you will complete the following:

    For Linux

    • Configure the Linux virtual server.

    - and -

    • Download and install the ProtectV Linux Client virtual server. During these procedures, you will configure the firewall, create a separate boot partition (if required), and then download and install the appropriate ProtectV Linux Client installer package. Each Linux distribution that ProtectV supports has a corresponding installer package (in .tar.gz format) that you can download from the ProtectV Manager Console, which can be installed either manually or via yum.

    Before you begin this procedure, make sure you are using a supported Linux distribution.

    NOTE: For a list of virtualized server platforms that currently support ProtectV, please refer to page 10.

    NOTE: RHEL 6.4 and Ubuntu 12.04 LTS servers only: If you boot a kernel whose initramfs does not include the ProtectV Linux Client, you will not be able to access any encrypted partitions/devices.

    To make such a kernel usable with ProtectV, regenerate its initramfs once the ProtectV Linux Client is installed, so that the client is included:

    For Ubuntu:

    update-initramfs -u -k KERNEL_VERSION

    For RHEL:

    # dracut -f /boot/initramfs-2.6.32-XXX.el6.x86_64.img 2.6.32-XXX.el6.x86_64

    As an alternative, you can use mkinitrd, which is a wrapper that calls the dracut command.

    Where:

    • /boot/initramfs-2.6.32-XXX.el6.x86_64.img is the initrd of the kernel that does not have the ProtectV Linux Client.

    • 2.6.32-XXX.el6.x86_64 is the kernel version.


    For Windows

    • Download and install the ProtectV Windows Client virtual server. During these procedures, you will download and install the appropriate ProtectV Windows Client installer self-extracting archive. Each Windows platform that ProtectV supports has a corresponding executable file (in .exe format) that you can download from the ProtectV Manager Console.

    Before you begin this procedure, make sure you are using a supported Windows platform.

    NOTE: For a list of virtualized server platforms that currently support ProtectV, please refer to page 10.

    NOTE: The setip and pvsetip utilities are not supported in AWS environments. Please do not run these utilities in AWS.

    NOTE: Do not take partitions offline or change drive letters while encryption or decryption is in progress.

    NOTE: Reformatting on an encrypted system is currently not allowed. As an alternative, delete the partition, then create a new partition, and format it.

    Configure the Linux Virtual Server

    Configure the Firewall

    Make sure the following ports are open for ProtectV Linux servers:

    • 22 - SSH

    • 9090 – SC/TCP

    • 9093 – SC/SSL

    Consult your system firewall documentation for information on setting the firewall rules. For example:

    1. SSH to the client.

    2. Open ports 9090 and 9093 for TCP in the firewall.

    For example, for RHEL/CentOS 5.x distributions, use the following command:

    system-config-securitylevel-tui -q -p 9090:tcp -p 9093:tcp
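The system-config-securitylevel-tui command above exists only on RHEL/CentOS 5.x. The shell script below is an added example, not part of the SafeNet guide, that opens the same two ports on the other distributions the guide supports, RHEL/CentOS 6 (iptables) and Ubuntu 12.04 (ufw), and restricts the source to the ProtectV Manager's address so the host rule mirrors the security-group rule. PVM_IP is a placeholder for the Manager's private IP; the FIREWALL override and DRY_RUN exist so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example, not part of the SafeNet guide: open tcp/9090 and tcp/9093 in
# the host firewall on RHEL/CentOS 6 (iptables) and Ubuntu 12.04 (ufw), the
# distributions the guide supports besides RHEL/CentOS 5.x, and restrict the
# source to the ProtectV Manager's address so the host rule mirrors the
# security-group rule. ASSUMPTIONS: PVM_IP is a placeholder for the Manager's
# private IP; FIREWALL and DRY_RUN exist so the logic can be exercised
# without root.

PVM_IP=${PVM_IP:-10.0.0.10}   # ASSUMPTION: private IP of the ProtectV Manager
PORTS="9090 9093"

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Which firewall front end this host uses; FIREWALL overrides detection.
detect_firewall() {
    if [ -n "$FIREWALL" ]; then echo "$FIREWALL"
    elif [ -f /etc/redhat-release ]; then echo iptables
    elif [ -f /etc/lsb-release ] && grep -q Ubuntu /etc/lsb-release; then echo ufw
    else echo unknown
    fi
}

# Allow new connections to each ProtectV client port from PVM_IP only.
open_protectv_ports() {
    fw=$(detect_firewall)
    for p in $PORTS; do
        case "$fw" in
        iptables)
            # -I puts the rule ahead of the REJECT that ends the RHEL 6 default INPUT chain
            run iptables -I INPUT -p tcp -s "$PVM_IP" --dport "$p" -m state --state NEW -j ACCEPT ;;
        ufw)
            run ufw allow proto tcp from "$PVM_IP" to any port "$p" ;;
        *)
            echo "unsupported firewall: $fw" >&2
            return 1 ;;
        esac
    done
    # ufw rules persist by themselves; iptables rules must be written to /etc/sysconfig/iptables
    if [ "$fw" = iptables ]; then run service iptables save; fi
}
```

Port 22 is left to whatever SSH rule the host already has; the script touches only the ProtectV ports. If the Manager's address changes (for example after the DHCP issue noted in Chapter 1), the rules must be updated to match.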


    Create a Separate /boot Partition

    A separate /boot volume or partition is required if:

    • The instance has a partitioned root volume (i.e., the root volume is /dev/sda but the root device is /dev/sda1).

    • You want to avoid instance reconfiguration in the first encryption.

    NOTE: If your instance has been reconfigured to have a separate /boot, please ensure that it reboots successfully before installing the ProtectV Client.

    Existing ProtectV Linux Client instances are not affected by this configuration change.

    A separate /boot can be created several ways. A sample method is described on the next page.

    Sample Method to Create a Separate /boot Partition

    1. Attach a new, blank, 1G volume at the first unoccupied device location whose format matches the existing root volume.

    For example, if the existing root volume is /dev/sda1, attach the new volume at /dev/sdb1. If the existing root volume is /dev/sda, attach the new volume at /dev/sdb.

    NOTE:

    • The Linux kernel may use a different device name. For example, on RHEL 6.3, a device attached at /dev/sdb1 would be named /dev/xvdf1.

    • Be sure to avoid any ephemeral volume mount points.

    2. If the existing root volume is partitioned, partition the new volume.

    For example, if the root volume is /dev/sda and the root filesystem is mounted on /dev/sda1, then the new volume should be partitioned. Make sure the partition number is the same on the new volume.

    3. Make an ext3 filesystem (or ext4 on distributions that support ext4 by default, such as RHEL 6.n) on the new volume (or partition).

    For example:

    mkfs.ext3 -L _/boot /dev/sdb1

    4. Save the old /boot and make a new /boot directory.

    For example:

    mv /boot /boot.sav

    mkdir /boot

    5. Mount the new volume.

    For example:

    mount /dev/sdb1 /boot


    6. Copy the boot directory to the new volume. Use tar to include hidden files.

    For example:

    tar -C /boot.sav -cf - . | tar -C /boot -xf -

    7. Create a symlink so pv-grub can find /boot/grub/menu.lst on the unmounted boot device.

    For example:

    cd /boot

    ln -s ./ boot

    8. Modify /etc/fstab to mount the original root device at the new location if / is mounted using the device, and mount the new boot device on /boot.

    For example:

    cp /etc/fstab /etc/fstab.sav

    echo "LABEL=_/boot /boot ext3 defaults 0 0" >> /etc/fstab

    9. Modify menu.lst to specify the new location as root if root is specified by device rather than UUID or LABEL.

    10. Shutdown the instance.

    11. Swap the new boot volume and the old root volume.

    • Record the volume IDs of both volumes.

    • Detach both volumes.

    • Attach the new boot volume to the root volume location.

    • Attach the old root volume to the device used above for the new boot volume.

    12. Start the instance to ensure that it reboots successfully before installing the ProtectV Client.
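The in-instance part of the sample method above, steps 3 through 9, as one script. This is an added example and is not part of the SafeNet guide. It assumes the new 1G volume is already attached (step 1) and, where the root volume is partitioned, partitioned to match (step 2), and that you pass the device name the kernel uses for it (for example /dev/xvdf1 for a volume attached at /dev/sdb1). It goes slightly beyond the text in one respect: where steps 8 and 9 say to modify fstab and menu.lst if root is given by device path, the script performs that edit itself, pointing the `/` entry and `root=` at the device you pass, which is where the old root volume will sit after the swap in step 11. BOOT_DIR, FSTAB, FSTYPE and DRY_RUN are additions so the file handling can be exercised without root; their defaults are the real paths. Steps 10 to 12 are still done in the AWS console or CLI.

```shell
#!/bin/sh
# Added example, not part of the SafeNet guide: steps 3 through 9 of the
# sample method above as one script, run as root after the new 1G volume has
# been attached (step 1) and, if the root volume is partitioned, partitioned
# to match (step 2). Pass the device name the kernel uses for the new volume
# (e.g. /dev/xvdf1 for a volume attached at /dev/sdb1). BOOT_DIR, FSTAB and
# DRY_RUN exist so the file handling can be exercised without root; the
# defaults are the real paths.
set -e
BOOT_DIR=${BOOT_DIR:-/boot}
FSTAB=${FSTAB:-/etc/fstab}
FSTYPE=${FSTYPE:-ext3}     # ext4 on distributions that default to it (RHEL 6.n)

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Print the device named by root=/dev/... on a GRUB kernel line read from
# stdin, or nothing when root is given by UUID= or LABEL= (step 9 is then
# unnecessary).
root_by_device() {
    sed -n 's/.*[[:space:]]root=\(\/dev\/[^[:space:]]*\).*/\1/p' | head -n 1
}

make_separate_boot() {
    dev="$1"
    [ -n "$dev" ] || { echo "usage: make_separate_boot /dev/xvdXN" >&2; return 2; }

    # step 3: filesystem labelled _/boot so fstab can mount it by LABEL
    run "mkfs.$FSTYPE" -L _/boot "$dev"

    # step 4: keep the old directory, create an empty mount point
    mv "$BOOT_DIR" "$BOOT_DIR.sav"
    mkdir "$BOOT_DIR"

    # step 5
    run mount "$dev" "$BOOT_DIR"

    # step 6: tar copies dotfiles, permissions and symlinks
    tar -C "$BOOT_DIR.sav" -cf - . | tar -C "$BOOT_DIR" -xf -

    # step 7: pv-grub expects /boot/grub/menu.lst relative to the device root
    ln -s ./ "$BOOT_DIR/boot"

    # step 8: back up fstab; if / is mounted by device path, point it at $dev
    # (after the swap in step 11 the old root volume occupies the slot the new
    # boot volume has now); then mount the new volume on /boot by label
    cp "$FSTAB" "$FSTAB.sav"
    sed -i.tmp "s|^/dev/[^[:space:]]*\([[:space:]]\{1,\}/[[:space:]]\)|$dev\1|" "$FSTAB"
    rm -f "$FSTAB.tmp"
    grep -q "^LABEL=_/boot[[:space:]]" "$FSTAB" || \
        echo "LABEL=_/boot /boot $FSTYPE defaults 0 0" >> "$FSTAB"

    # step 9: the same change for root= in menu.lst when it names a device
    menu="$BOOT_DIR/grub/menu.lst"
    if [ -f "$menu" ] && [ -n "$(root_by_device < "$menu")" ]; then
        sed -i.tmp "s|\([[:space:]]root=\)/dev/[^[:space:]]*|\1$dev|" "$menu"
        rm -f "$menu.tmp"
    fi
    echo "separate /boot prepared on $dev; previous contents kept in $BOOT_DIR.sav" >&2
}

# Usage (as root, after steps 1 and 2): make_separate_boot /dev/xvdf1
```

Keep /boot.sav and fstab.sav until step 12 has shown the instance booting from the new layout; if it does not, swapping the volumes back and restoring fstab.sav returns the instance to its original state.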


    Download and Install the ProtectV Linux Client

    You can choose to manually install the client installer package, or automate the install using yum. The advantage of using yum is that it will automatically download and install/update dependencies for you.

    Manual Install

    NOTE: When installing the unpacked ProtectV Linux Client installer (RPM), you implicitly agree to accept the SafeNet license terms.

    1. Download the ProtectV Linux Client installer package from the ProtectV Manager Console:

    • Click the Administration tab.

    • Click the Installers tab.

    • Click the client installer that you want to download.

    • Click the Take Action menu, and then select Download Installer.

    • Click Save File. The tar.gz archive file will be saved locally to the default download directory. A progress icon in the upper-right corner of the browser will display the progress of the download, and then you will see a message that indicates the download is complete.

    2. Locate the tar.gz archive file and unpack it. The file name should look something like this:

    red_hat_enterprise_linux_(rhel)_6.3_(64-bit).aws.1.6.0.208.20130926_215603460.tar.gz

    Run:

    tar -xzvf <package>.tar.gz

    3. Deploy the instance of the supported Linux platform.

    4. Transfer the ProtectV Client to the virtual machine (SCP is one method).

    5. Install the ProtectV Client. Run:

    rpm -i pvlinux-<version>.rpm

    6. In the unlikely event that your system does not already have the necessary dependencies, the install will fail and indicate what dependencies are missing. (Examples would be: libcrypto.so.6() (64bit) or libz.so.1() (64bit).) Locate and install these dependencies, and then rerun the install command shown in the previous step.

    • After the installation is complete, the machine continues to operate its operating system and services. You can immediately start to encrypt partitions (as described in Chapter 6). SafeNet StartGuard will be activated after the first crypto operation of a partition.

    • For all subsequent reboots, you will need to start the ProtectV Client virtual machine from the ProtectV Manager Console, as described in the next chapter.


    Automated Install with YUM

    NOTE: When installing the ProtectV Linux Client RPM package, you implicitly agree to accept the SafeNet license terms.

    1. Download the ProtectV Linux Client installer package from the ProtectV Manager Console, as described in the previous “Manual Install” section.

    2. Unpack the installer package. Run:

    tar -xzvf <package>.tar.gz

    3. Install the ProtectV Client. Run:

    yum install --nogpgcheck pvlinux-<version>.rpm

    4. You will be presented with a list of the updates that yum has determined it needs to make. If you tell it to proceed, it will download and install the dependencies, and then install the ProtectV Linux Client.

    • After the installation is complete, the machine continues to operate its operating system and services. You can immediately start to encrypt partitions (as described in Chapter 6). SafeNet StartGuard will be activated after the first crypto operation of a partition.

    • For all subsequent reboots, you will need to start the ProtectV Client virtual machine from the ProtectV Manager Console, as described in the next chapter.
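The shell script below is an added example, not part of the SafeNet guide, that performs the unpack and install steps of both procedures above (the manual install's unpack and the YUM install's dependency-resolving install) with one check the guide omits: because --nogpgcheck disables RPM signature verification, the archive's SHA-256 digest is compared against a value you obtained through a channel you trust before anything is unpacked or installed. That expected digest is something you must supply; the guide does not publish one. DRY_RUN=1 prints the yum command instead of running it.

```shell
#!/bin/sh
# Added example, not part of the SafeNet guide: unpack the ProtectV Linux
# Client archive downloaded from the ProtectV Manager Console and install the
# RPM with yum, but only after the archive's SHA-256 digest matches a value
# obtained through a channel you trust. The guide's --nogpgcheck skips RPM
# signature verification, so this digest comparison is the only integrity
# check in the procedure. ASSUMPTION: the expected digest is supplied by you.
# DRY_RUN=1 prints the yum command instead of running it.

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# SHA-256 of a file, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# $1 = archive, e.g. red_hat_enterprise_linux_(rhel)_6.3_(64-bit).aws.<version>.tar.gz
# $2 = expected SHA-256 digest (lower-case hex)
# Prints the RPM path on success. Returns 1 on digest mismatch, 2 if the
# archive contains no pvlinux-*.rpm.
pvlinux_install() {
    archive="$1"; expected="$2"
    actual=$(sha256_of "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to install: $archive digest $actual != expected $expected" >&2
        return 1
    fi
    work=$(mktemp -d)
    tar -xzf "$archive" -C "$work"
    rpm=$(find "$work" -name 'pvlinux-*.rpm' | head -n 1)
    if [ -z "$rpm" ]; then echo "no pvlinux-*.rpm in $archive" >&2; return 2; fi
    # yum resolves the dependencies (libcrypto, libz, ...) that a bare rpm -i
    # would only report as missing; -y answers the dependency prompt.
    run yum -y install --nogpgcheck "$rpm"
    echo "$rpm"
}

# Usage: pvlinux_install ./red_hat_..._6.3_(64-bit).aws.<version>.tar.gz <expected-sha256>
```

Record the digest at the moment you download the archive from a ProtectV Manager whose certificate you have verified (see Chapter 3), and compare against that value on every server you install; a differing digest on one server is the signal to stop and find out why.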

    Download and Install the ProtectV Windows Client

    NOTE: During a ProtectV Windows Client fresh installation or upgrade (to version 1.4 or higher), ProtectV FIPS mode is also aligned by default with the Windows security setting, System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing. By default, ProtectV Windows Client will install or upgrade in ProtectV FIPS mode on operating systems that support FIPS. To enforce a ProtectV installation not in FIPS mode, append the ERA_ENCRYPT_USE_FIPS=0 property to the ProtectV.msi invocation. For example: msiexec /i ProtectV.msi ERA_ENCRYPT_USE_FIPS=0

    For non-interactive installations, if the system is not configured for FIPS operations and ERA_ENCRYPT_USE_FIPS=1 is on the command line, the ProtectV installation will fail and an error message will be written to the log.

    For interactive installations, if the system is not configured for FIPS operations and ERA_ENCRYPT_USE_FIPS=0 is not on the command line, the user will be prompted whether or not to continue.

    NOTE: The ERA_ENCRYPT_USE_FIPS=1 property has no effect on non-FIPS capable Windows systems.

    UPGRADE NOTE: Due to the introduction of FIPS support, a version 1.4 (or higher) ProtectV Manager will be unable to boot up a ProtectV Windows or Linux client that is installed with version 1.2 or older. You must upgrade your ProtectV Clients incrementally, to version 1.3, then 1.4, then 1.5, then 1.6, and then to 1.7.


    1. Download the ProtectV Windows Client installer from the ProtectV Manager Console:

    • Click the Administration tab.

    • Click the Installers tab.

    • Click the client installer that you want to download.

    • Click the Take Action menu, and then select Download Installer.

    • Click Save File. The self-extracting archive file will be saved locally to the default download directory. A progress icon in the upper-right corner of the browser will display the progress of the download, and then you will see a message that indicates the download is complete.

    2. Locate the installer file. The file name should look something like this:

    microsoft_windows_server_2008_r2_(64-bit).aws.1.6.0.208.20130926_200156263.exe

    3. Launch the .exe to extract the contents.

    4. Launch setup.exe for an interactive installation. For a non-interactive installation, the ProtectV.msi can be used directly.

    5. The ProtectV installation wizard opens. When the Welcome screen is displayed, click Next.

    6. Accept the License Agreement, and then click Next.

    7. Select Typical Client Installation, and then click Next.

    8. Select the language to be used for interface labels and text messages, and then click Next.

    9. Click Install to continue.

    10. When the installation is complete, click Finish.

    11. When prompted, click Yes to restart the machine.

    NOTE: If the Windows server is rebooted after the ProtectV Windows Client is installed, the Windows server will be stuck at SafeNet StartGuard. To get the partition in OS mode, go to the Take Action menu in the ProtectV Manager Console and select Boot to OS.

    12. You are now ready to encrypt or decrypt partitions. Go to Chapter 6.

    13. This post-installation reboot will not activate SafeNet StartGuard, but StartGuard will be active for subsequent reboots.

    • For this first reboot, you will be prompted to log into Windows, and then you can immediately start to encrypt partitions, as described in Chapter 6.

    • For all subsequent reboots, you will first need to boot the ProtectV Client virtual server from the ProtectV Manager Console, as described in the next chapter.


    CHAPTER 5 Start a ProtectV Client Virtual Server

    If you have just completed the ProtectV Client installation, the procedure described in this chapter is not required—you can immediately start to encrypt partitions, as described in Chapter 6.

    For all subsequent reboots, however, you will always need to boot the ProtectV Client virtual machine from the ProtectV Manager Console, as described in this chapter.

    1. Open a new browser window, and connect to the virtual machine using the Public DNS (for example, https://ec2-50-16-156-2.compute-1.amazonaws.com).

    2. Log into the ProtectV Manager Console.

    3. Click the Server Management tab.

    4. In the Clouds pane, select a region. The available virtual machines for the selected region will display.

    5. Select the virtual machine to start.

    • If the virtual machine status is currently stopped, click the Take Action menu, and then select Start Server.

    • Click the Take Action menu, and then select Boot to OS.

    6. Now you’re ready to encrypt or decrypt partitions. Go to the next chapter.


    CHAPTER 6 Encrypt/Decrypt Partitions

    Overview

    In this chapter, you will learn how to:

    • Encrypt a partition.

    • Decrypt a partition.

    Encrypt a Partition

    1. In the ProtectV Manager Console, click the Server Management tab.

    2. In the Clouds pane, select the appropriate region. The available virtual machines for the selected region display.

    3. Select the check box adjacent to the virtual server with ProtectV Client installed. Partition details will display below your selection.

    NOTE: Only the partitions for one machine can be displayed at any given time, and only the partitions that can be protected will display. For example, for Linux client machines, the /boot or /dev/sda1 partition is not displayed by ProtectV Manager, as it contains the ProtectV Client, and therefore, encryption is not permitted.

    4. Select the partition(s) to encrypt and click the Take Action menu.

    5. Click Encrypt Partition.

    6. When prompted, click Yes to confirm the encryption.

    NOTE FOR LINUX SERVERS: Any encrypt action will stop and restart your AWS virtual machine. Please save all data and close any open applications to prevent data loss.


    7. Encryption can take several minutes and a progress bar will display. When the encryption completes, the status of each selected partition will change to Encrypted.

    It is good practice to check the Audit Events log when encryption is started to verify the operation started successfully. You can "search" by its JobID (for example, [JobID: 30ee1a56d998] Starting operation:) to view the status. In the event that an error occurred, an error code will also be logged with the same JobID (for example, [JobID: 30ee1a56d998] Error operation:) to identify the problem.

    NOTE FOR LINUX SERVERS: After the encryption operation, when the Linux client is rebooted, the Linux client will be inaccessible via SSH. To regain SSH access, go to the Take Action menu and select Boot to OS to reboot the client to make it accessible again.

    You can view the encryption status on the Linux client using the command, pvinfo. For example:

        [root@localhost ~]# pvinfo
        ProtectV Linux v1.6.0.210
        Device  Mount  Size         Protected  fs           ca    System
        sda2           2147483648   no         swap         True  False
        sda3    /      13433307136  yes        crypto_LUKS  True  True

    NOTE FOR WINDOWS SERVERS: You can view the encryption status on the Windows client. Double-click the ProtectV Client icon in the Windows system tray to view the Encryption Status window.


    Decrypt a Partition

    1. In the ProtectV Manager Console, click the Server Management tab.

    2. In the Clouds pane, select the appropriate region. The available virtual servers for the selected region display.

    3. Select the check box adjacent to the virtual server with ProtectV Client installed. Partition details will display below your selection.

    NOTE: Only the partitions for one machine can be displayed at any given time, and only the partitions that can be unprotected will display. For example, for Linux client machines, the /boot or /dev/sda1 partition is not displayed by ProtectV Manager, as it contains the ProtectV Client, and therefore, decryption is not permitted.

    4. Select the partition(s) to decrypt and click the Take Action menu.

    5. Click Decrypt Partition.

    6. When prompted, click Yes to confirm the decryption.

    NOTE FOR LINUX SERVERS: Any decrypt action will stop and restart your AWS virtual machine. Please save all data and close any open applications to prevent data loss.

    7. Decryption can take several minutes and a progress bar will display. When the decryption completes, the status of each selected partition will change to Unencrypted.

    It is good practice to check the Audit Events log when decryption is started to verify the operation started successfully. You can "search" by its JobID (for example, [JobID: 30ee1a56d998] Starting operation:) to view the status. In the event that an error occurred, an error code will also be logged with the same JobID (for example, [JobID: 30ee1a56d998] Error operation:) to identify the problem.

    NOTE FOR LINUX SERVERS: After the decryption operation, when the Linux client is rebooted, the Linux client will be inaccessible via SSH. To regain SSH access, go to the Take Action menu and select Boot to OS to reboot the client to make it accessible again.

    NOTE FOR WINDOWS SERVERS: You can view the decryption status on the client as well. Double-click the ProtectV Client icon in the Windows system tray to view the Encryption Status window.
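    The JobID correlation described for the encryption procedure above (and repeated for decryption) as an added example, not part of the guide: a small Python parser over constructed Audit Events lines that groups events by JobID and flags jobs that logged an error. The "Completed" success wording and the sample line layout are assumptions; only the "[JobID: ...] Starting operation:" and "Error operation:" forms come from the guide.

```python
import re
from collections import OrderedDict

# Constructed sample Audit Events lines in the "[JobID: <id>] <Status> operation:"
# form the guide describes. "Completed" as the success status is an assumption;
# adjust the status names in job_outcomes() to what your Audit Events log uses.
SAMPLE_AUDIT_LOG = """\
2014-03-10 10:29:01 [JobID: 30ee1a56d998] Starting operation: encrypt sda3 on i-0a1b2c3d
2014-03-10 10:29:02 [JobID: 7a1c0d22e4f5] Starting operation: decrypt sda2 on i-0a1b2c3d
2014-03-10 10:31:44 [JobID: 7a1c0d22e4f5] Error operation: error code 1042
2014-03-10 10:35:10 [JobID: 30ee1a56d998] Completed operation: encrypt sda3 on i-0a1b2c3d
2014-03-10 10:36:00 [JobID: c4d5e6f70001] Starting operation: encrypt sdb1 on i-0f9e8d7c
2014-03-10 10:36:05 admin login from 203.0.113.10
"""

JOB_LINE = re.compile(
    r"\[JobID: (?P<job>[0-9a-f]+)\] (?P<status>[A-Za-z]+) operation:\s*(?P<detail>.*)$")


def parse_audit_log(text):
    """Group audit lines by JobID -> list of (status, detail), in log order.
    Lines that carry no JobID are not crypto-job events and are skipped."""
    jobs = OrderedDict()
    for line in text.splitlines():
        m = JOB_LINE.search(line)
        if m:
            jobs.setdefault(m.group("job"), []).append((m.group("status"), m.group("detail")))
    return jobs


def events_for(text, job_id):
    """The guide's 'search by JobID': every event recorded for one job."""
    return parse_audit_log(text).get(job_id, [])


def job_outcomes(text):
    """Reduce each job to one verdict: 'error' (with the logged error detail)
    beats 'completed', and a job with only a Starting event is still 'running'.
    A job that never started does not appear in the log at all."""
    outcomes = {}
    for job, events in parse_audit_log(text).items():
        last_detail = dict(events)  # last detail seen per status
        if "Error" in last_detail:
            outcomes[job] = ("error", last_detail["Error"])
        elif "Completed" in last_detail:
            outcomes[job] = ("completed", last_detail["Completed"])
        elif "Starting" in last_detail:
            outcomes[job] = ("running", last_detail["Starting"])
    return outcomes


def jobs_needing_attention(text):
    """JobIDs to investigate: anything that logged an error."""
    return sorted(j for j, (state, _) in job_outcomes(text).items() if state == "error")


if __name__ == "__main__":
    for job, (state, detail) in job_outcomes(SAMPLE_AUDIT_LOG).items():
        print("%s %-9s %s" % (job, state, detail))
```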


    CHAPTER 7 Linux Logical Volume Manager (LVM)

    This version of ProtectV supports the protection of logical volumes on a Linux client LVM. Please note the following:

    • ProtectV Manager does not support LVM snapshot partitions. In addition, an LVM snapshot made from an encrypted drive will not be usable (the key cannot be injected, so it cannot be enabled).

    • ProtectV Manager does not perform a “cloud” snapshot of all volumes when protecting an LVM that spans multiple disks.

    • To extend an encrypted volume, run the commands following this example:

    1. Run the mount command to get the device name of the encrypted volume (in this example, /dev/mapper/grp_log_secured).

    2. umount /data

    3. lvextend --size +1G grp/log

    4. cryptsetup resize grp_log_secured

    5. e2fsck -f /dev/mapper/grp_log_secured

    6. resize2fs /dev/mapper/grp_log_secured
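    The six steps above as an added example (not from the guide or SafeNet): a Python helper that reads the device behind the mount point from a constructed mount listing, refuses anything that is not a /dev/mapper volume or a relative size increase, and emits the commands in the guide's order (logical volume first, then the dm-crypt mapping, then the filesystem) so they can be reviewed before running with dry_run=False. The ext-only check and the final remount are additions beyond the guide's list.

```python
import re
import subprocess

# Constructed sample `mount` listing for a ProtectV Linux client; the encrypted
# logical volume and mount point are the ones used in the guide's example.
SAMPLE_MOUNT_OUTPUT = """\
/dev/xvda1 on / type ext4 (rw,relatime)
/dev/mapper/grp_log_secured on /data type ext4 (rw,relatime)
tmpfs on /dev/shm type tmpfs (rw)
"""

MOUNT_LINE = re.compile(r"^(?P<device>\S+) on (?P<mountpoint>\S+) type (?P<fstype>\S+)")


def device_for_mount_point(mount_output, mount_point):
    """Step 1 of the guide: read the `mount` listing to find the device (and
    filesystem type) behind a mount point. Raises if it is not mounted."""
    for line in mount_output.splitlines():
        m = MOUNT_LINE.match(line)
        if m and m.group("mountpoint") == mount_point:
            return m.group("device"), m.group("fstype")
    raise ValueError("%s is not mounted" % mount_point)


def plan_extend_encrypted_lv(mount_output, mount_point, lv_path, grow_by):
    """Build the guide's command sequence (steps 2-6) in the order that keeps
    the data intact. lv_path is the <vg>/<lv> name passed to lvextend (the
    guide's grp/log); the dm-crypt mapping name is taken from the device path."""
    device, fstype = device_for_mount_point(mount_output, mount_point)
    if not device.startswith("/dev/mapper/"):
        raise ValueError("%s is not a device-mapper (encrypted) volume" % device)
    if not re.match(r"^\+\d+[kKmMgGtT]?$", grow_by):
        # The sequence only grows volumes; insisting on a relative "+<size>"
        # avoids passing an absolute size that would shrink the LV under the
        # filesystem and destroy data.
        raise ValueError("size must be a relative increase such as +1G, got %r" % grow_by)
    if fstype not in ("ext2", "ext3", "ext4"):
        raise ValueError("e2fsck/resize2fs only handle ext filesystems, got %s" % fstype)
    mapping = device[len("/dev/mapper/"):]  # e.g. grp_log_secured
    return [
        ["umount", mount_point],
        ["lvextend", "--size", grow_by, lv_path],
        ["cryptsetup", "resize", mapping],
        ["e2fsck", "-f", device],
        ["resize2fs", device],
        # Remounting is not in the guide's list; added so the data is
        # reachable again once the resize has finished.
        ["mount", device, mount_point],
    ]


def run_plan(plan, dry_run=True):
    """Execute the plan in order, stopping at the first failure. In dry-run
    mode only the command lines are returned so they can be reviewed first."""
    executed = []
    for cmd in plan:
        executed.append(" ".join(cmd))
        if not dry_run:
            subprocess.check_call(cmd)  # CalledProcessError halts the sequence
    return executed


if __name__ == "__main__":
    plan = plan_extend_encrypted_lv(SAMPLE_MOUNT_OUTPUT, "/data", "grp/log", "+1G")
    for line in run_plan(plan):
        print(line)
```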


    CHAPTER 8 Upgrade ProtectV

    Upgrade ProtectV Manager and ProtectV Clients to the Latest Version

    This chapter describes how to upgrade the ProtectV Manager and ProtectV Clients to the latest version.

    The ProtectV Client upgrade process has not changed; however, please note that starting in version 1.5, the ProtectV Manager upgrade process has changed. The upgrade API and CLI commands are no longer used. Upgrades are now performed through the export/import functionality.

    Before you begin, please review the pre-upgrade information sections below, and then continue to “Upgrade of ProtectV Manager via Export/Import Process.”

    Pre-upgrade Information for the ProtectV Manager

    • Please make sure that you have access to and login credentials for SafeNet’s Technical Support Customer Portal site at https://serviceportal.safenet-inc.com, so you can provision a new version of ProtectV Manager.

    • The 1.5 (and higher) upgrade process for ProtectV Manager is very different from the pre-1.5 upgrade process.

    • In order to upgrade to the current version from the previous version, you would need to “Export” all the configuration and operational data from the previous version of ProtectV Manager and import that data into a new version of ProtectV Manager. If you do not have an export package, please refer to “Create an Export Package” in the “Upgrade of ProtectV Manager via Export/Import Process” section.

    • Please note that in version 1.4, export of ProtectV Manager data is only possible via GUI (not available in API or CLI).

    • If the previous version of ProtectV Manager that you want to upgrade from is in an HA configuration, then:

    • The export of the configuration should only be done from the “Primary Node” of the HA setup of the previous version of ProtectV Manager. The node that has the virtual IP is the “Primary Node.”

    • Once the export of the data is done from the previous version of ProtectV Manager, please shut down both nodes of the previous version of ProtectV Manager.

    • Please note that the version of the export package must be less than or equal to the version of the ProtectV Manager you are importing to. For example, a version 1.4.188 PVM export package can be imported into a 1.5.190 PVM, but a version 1.5.192 export package cannot be imported into a 1.5.190 PVM.


    • Before you proceed with a ProtectV Manager upgrade via the new import process, please ensure that the export package is of the same Cloud as ProtectV Manager (i.e., you cannot import an AWS settings package to vSphere, or vice-versa).

    • Please “shutdown” the previous version of ProtectV Manager before importing the data into the new version of ProtectV Manager. Please do not terminate the previous version of ProtectV Manager.

    • Launch and boot up a new “fresh” version of ProtectV Manager, so you can import the information exported from the prior version.

    • Once the import of the data is completed (see the “Upgrade a Single Server Configuration (non-HA) via Import” section) into this “fresh” version of the ProtectV Manager, this is the “new”, “upgraded” ProtectV Manager that you should use. For an HA configuration, this node will be the primary node. You need to set up the fresh network configuration, HA setup etc., since these settings are not imported.

    • If HA configuration is desired after this upgrade, then pair-up a “fresh” new ProtectV Manager as the secondary node to the above created (and upgraded) primary node. Please note that you should NOT perform any imports into this secondary node—it will synch with the data from the primary during HA synch-up (see the “Upgrade an HA Configuration via Import” section).

    • In ProtectV version 1.5 (and higher), the default update interval for aggregate statistics by the ProtectV Manager dashboard has been increased from 5 to 30 minutes. This enhancement improves the dashboard performance. After an upgrade is complete, you can change this value (if desired) by calling the updateAggregateRefreshRate API function, the status update refresh CLI command, or by clicking on the pencil icon next to the interval on the Dashboard in the ProtectV Manager Console.

    • If the upgrade via the import fails, please launch a new version of the ProtectV AMI before attempting the import again. Please do not try to import more than once under any circumstances.

    • ProtectV Manager can only be upgraded from the previous version.
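    Because a failed import must not be retried, it pays to check the package before importing. An added example, not the guide's or SafeNet's code: a Python pre-import check that reads the exporting PVM's version from the export package file name (the pvm.backup.<version>_<date>_<time>.tar form seen in the guide's API and CLI output) and applies the version-ordering and same-cloud rules from the list above. The cloud of each side is passed in explicitly, since the file name does not record it.

```python
import re

# Export package names follow the pattern shown in the guide's API and CLI
# output, e.g. pvm.backup.1.6.0.210_20131018_1029.tar
PACKAGE_NAME = re.compile(
    r"^pvm\.backup\.(?P<version>\d+(?:\.\d+)+)_(?P<date>\d{8})_(?P<time>\d{4})\.tar$")


def parse_version(text):
    """'1.5.190' -> (1, 5, 190). Tuples compare component-wise, which gives
    the ordering the guide relies on: 1.4.188 < 1.5.190 < 1.5.192."""
    return tuple(int(part) for part in text.split("."))


def package_version(path):
    """Read the PVM version that produced an export package from its file name."""
    m = PACKAGE_NAME.match(path.rsplit("/", 1)[-1])
    if not m:
        raise ValueError("%r does not look like a ProtectV Manager export package" % path)
    return parse_version(m.group("version"))


def check_import(package_path, target_version, package_cloud, target_cloud):
    """Apply the guide's two preconditions before importing into a fresh PVM:
    the package version must not exceed the target PVM version, and the package
    must come from the same cloud (e.g. AWS vs. vSphere). Returns (ok, reasons)."""
    reasons = []
    pkg, tgt = package_version(package_path), parse_version(target_version)
    if pkg > tgt:
        reasons.append("package version %s is newer than the target PVM %s"
                       % (".".join(map(str, pkg)), target_version))
    if package_cloud.lower() != target_cloud.lower():
        reasons.append("package was exported from %s but the target PVM runs on %s"
                       % (package_cloud, target_cloud))
    return (not reasons, reasons)


if __name__ == "__main__":
    # The guide's own worked values: 1.4.188 -> 1.5.190 is allowed, 1.5.192 -> 1.5.190 is not.
    for name, target in (("pvm.backup.1.4.188_20131018_1029.tar", "1.5.190"),
                         ("pvm.backup.1.5.192_20131018_1029.tar", "1.5.190")):
        ok, reasons = check_import(name, target, "AWS", "AWS")
        print(name, "->", target, "OK" if ok else "; ".join(reasons))
```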

    Pre-upgrade Information for the ProtectV Client

    • Before you begin the ProtectV Client upgrade, please make sure that you have access to and login credentials for SafeNet’s Technical Support Customer Portal site at https://serviceportal.safenet-inc.com, so you can get support for the product.

    • Download the ProtectV Client Windows or Linux installer package for the appropriate platform from the ProtectV Manager Console, and install it to a local server prior to the upgrade. For download instructions, please refer to “Configure the ProtectV Client Virtual Server.”

    • It is recommended that you always upgrade ProtectV Manager prior to upgrading the ProtectV Clients.

    • Before you proceed with the ProtectV Linux Client upgrade, please be aware that an AWS Linux client upgrade will fail if the instance has not been encrypted (and therefore has no SafeNet StartGuard partition to change).


    Upgrade of ProtectV Manager via Export/Import Process

    Items Not Included in the Export Package

    CAUTION: Please note that the following are not exported/imported:

    • Active operations

    • Non-active operations

    • Network configurations (import will not maintain network interface, DNS, route settings)

    • AWS proxy settings

    • HA Virtual IP and Heartbeat parameters

    This implies that these items need additional setup after importing the data on the new version of the ProtectV Manager.

    EC2 vs. VPC

    The upgrade process is the same for all clouds, but may require additional setup as some of the setup items listed above are not imported/exported.

    HA vs. Non-HA

    The following table summarizes the HA and non-HA (single server) configuration upgrade processes.

    I have a previous version of ProtectV Manager in HA... how do I upgrade?

    • Go to the primary node of the previous version of the ProtectV Manager HA configuration using the virtual IP.

    • Export the ProtectV Manager configuration data from the primary node. (Please note in version 1.4, export is only available via the GUI.)

    • Save the export package in a safe place.

    • Shutdown (do not terminate) both nodes of the HA configuration of the previous version of ProtectV Manager. Do not skip this step! (The ProtectV Clients will continue to run even if the server is temporarily shut down.)

    • Launch and boot up a new version of the ProtectV Manager, and then import the configuration data package into this new version of ProtectV Manager. You will need to set up the fresh network configuration, HA setup etc., since these settings are not imported. This node is the “new” upgraded Primary node for your HA configuration. (Please note that in version 1.5 and higher, import is available via GUI, CLI and API.)

    • Pair up the new, upgraded primary node above with a “fresh” new version of the ProtectV Manager. You do not need to import on this node.

    I have a single node... how do I upgrade?

    • Export the ProtectV Manager configuration data from the primary node.

    • Save the export package in a safe place.

    • Shutdown (do not terminate) the previous version of ProtectV Manager. Do not skip this step!

    • Launch and boot up a new version of the ProtectV Manager, and then import the configuration data package into this new version of ProtectV Manager. You will need to set up the fresh network configuration, etc., since these settings are not imported. (Please note that in version 1.5 and higher, import is available via GUI, CLI and API.)

    Will There be Downtime During the Upgrade?

    Yes. When importing settings to the target PVM, the original PVM (where the export was performed) must be stopped.

    CAUTION: If the original PVM is not stopped during the import process, the following fatal errors can occur:

    • Client identity corruption

    • Client communication conflict

    Create the Export Package

    The exported configuration package from the “previous” version of ProtectV Manager is required and should be readily available for the import portion of the upgrade process. It is recommended to always have a current configuration saved as part of your system maintenance routine.

    ProtectV Manager settings can be exported at any time. Just make sure that any active crypto jobs are complete before exporting.

    During the upgrade process, the exported settings (cloud credentials, KeySecure settings, physical server machine, etc.) are imported and restored in a new PVM. However, there are some items (such as Active operations, Non-active operations, Network configurations) that import will not maintain.

    NOTES:

    • Any time you create an export file, it is highly recommended that you store the exported archive in a secure location to prevent tampering by unauthorized personnel.

    • If there is not enough space for the export to complete, a “Disk Full. Insufficient disk space to export settings” message will display.


    • Only one export operation is supported at a time. Do not attempt to perform additional exports while there is one already in progress.

    • If an export file already exists, it may be overwritten with the new one. The default naming convention is pvm.backup.__.tar. Rename the export file if you do not want to overwrite the existing one.

    • If the export operation fails with an error message from the ‘tar’ command, please try the operation again after a few minutes.

    Export Using the ProtectV Manager Console

    Make sure that any active crypto jobs are complete before exporting.

    If you are upgrading an HA configuration, please be sure to create the export package from your current PRIMARY ProtectV Manager.

    1. Log in to the ProtectV Manager Console.

    2. Click the Administration tab.

    3. Click the System Settings tab.

    4. Click Export Settings.

    5. Click Export. A “Generating and downloading...” dialog is displayed.

    6. Save the file. (You can opt to rename the file as it may be overwritten if a previous one exists.)

    Depending on the browser you are using (and the browser settings), the dialogs will differ. For example:

    • If you are using Internet Explorer, choose Save, specify a secure location to download the file, click Save, and then click OK.

    • If you are using Firefox, choose Save File, and then click OK. The file is automatically saved to the default download directory. It is recommended that you move this file to a more secure location when you have completed this procedure.

    7. Proceed to the upgrade procedure for the appropriate configuration (HA, single server, etc.).


    Export Using the API

    Make sure that any active crypto jobs are complete before exporting.

    If you are upgrading an HA configuration, please be sure to create the export package from your current PRIMARY ProtectV Manager.

    1. Connect to the instance via the python SOAPpy module to establish a SOAP API connection to the current PVM.

        $ python
        Python 2.5.1 (r251:54863, May 5 2011, 18:37:34)
        [GCC 4.0.1 (Apple Inc. build 5465)] on darwin
        Type "help", "copyright", "credits" or "license" for more information.
        >>> import SOAPpy
        >>> pvm = SOAPpy.SOAPProxy("https://admin:[email protected]:8080/soap")
        >>> pvm.getVersion()
        [0, '', '1.6.0.210']
        >>>

    2. Export the settings of the current PVM by specifying its export settings. The parameters needed to execute this API call are:

        a) protocol = ftp, sftp or scp
        b) host = IP address of the host to export the settings to
        c) user = login id for the above host
        d) password = password for the above login
        e) directory = the directory on the host to transfer the export settings file to
        f) force = only needed if multiple exports are being done, as only one export operation is supported at a time; it forces the new export to run alongside the one already in progress

    Please ensure that the host is accessible, and the login credentials are correct.

        >>> pvm.exportSettings({"protocol":"scp", "host":"ec2-54-224-211-240.compute-1.amazonaws.com", "user":"root", "password":"********", "directory":"/tmp", "force":False})
        [0, '', '/tmp/backup/pvm.backup.1.6.0.210_20131018_1029.tar']
        >>>

    The tar file shown on the output is the exported file of current PVM settings.

    Export Using the CLI

    Make sure that any active crypto jobs are complete before exporting.

    If you are upgrading an HA configuration, please be sure to create the export package from your current PRIMARY ProtectV Manager.

    1. Connect to the instance via ssh as user admin to enter the CLI mode.

        $ ssh admin@ec2-50-19-46-29.compute-1.amazonaws.com
        Warning: Permanently added 'ec2-50-19-46-29.compute-1.amazonaws.com,50.19.46.29' (RSA) to the list of known hosts.
        Password:
        ---------------------------
        Welcome to ProtectV 1.6.0.210 CLI
        ---------------------------
        press enter to list commands
        (PVM)


    2. Export the settings of the current PVM by specifying its export settings. The parameters needed to execute this command are:

        a) protocol = ftp, sftp or scp
        b) host = IP address of the host to export the settings to
        c) user = login id for the above host
        d) password = password for the above login
        e) directory = the directory on the host to transfer the export settings file to
        f) force = only needed if multiple exports are being done, as only one export operation is supported at a time; it forces the new export to run alongside the one already in progress

    Please ensure that the host is accessible, and the login credentials are correct.

        (PVM) system export settings protocol="scp",host="ec2-54-224-211-240.compute-1.amazonaws.com",user="root",password="*****",directory="/tmp",force=False
        '/tmp/backup/pvm.backup.1.6.0.210_20131018_0931.tar'
        (PVM)

    The tar file shown on the output is the exported file of current PVM settings.

    Upgrade a Single Server Configuration (non-HA) via Import This upgrade process requires you to launch a fresh new ProtectV Manager (PVM) usin