This article describes what needs to be in place before installing Fortanix Self-Defending KMS.
Reserve Static IP Addresses
- IPMI interface for each appliance - By default, the FX2200 II appliance uses DHCP for IP configuration. Reserve a static address for the IPMI interface of each appliance and configure it before deployment.
- Ethernet interface - Reserve and configure a static IP address for the Ethernet connection of each appliance. Each FX2200 II appliance has two Ethernet interfaces, and they can be bonded.
- Virtual IP (load balancing) - If you want the cluster to perform its own load balancing, reserve an IP address for the keepalived service that runs on the Fortanix Self-Defending KMS cluster. keepalived moves this virtual IP between nodes, so clients keep a single address regardless of which node currently holds it.
Configure Firewall Rules for Required Ports
The ports that Fortanix Self-Defending KMS needs in order to function are listed at the following URL. Configure firewall rules between your nodes, clients, and external services according to the needs of your deployment.
There are three types of ports:
- Node-to-node - ports used for intra-cluster traffic only; allow them only between the cluster nodes themselves.
- Inbound - ports on which incoming traffic from clients must be allowed to reach the server.
- Outbound - ports on which traffic must be allowed to leave the server for specific destinations, such as the attestation, NTP, backup, and logging services described below.
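The three port classes above are only useful if the rules are scoped by who may talk on them: node-to-node ports should accept traffic from the other cluster members and nobody else, inbound ports from the client networks, and outbound ports only to the named external services. The following script, an added example that is not Fortanix code, turns such a plan into per-node iptables commands and first checks the one mistake that defeats the whole scheme, a port listed as both node-to-node and inbound. Every port number, node address, client network and destination in it is a placeholder (the real port list comes from the Fortanix document referenced above); the outbound destinations stand for a proxy used for attestation, an NTP server and a syslog collector, with assumed addresses.

```python
"""Generate host-firewall rules for the three port classes used by a
Fortanix Self-Defending KMS cluster: node-to-node, inbound and outbound.

Added example, not Fortanix code. Every port number, address and destination
below is a placeholder; substitute the Fortanix port list and your own addresses.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Port:
    proto: str    # "tcp" or "udp"
    number: int


@dataclass
class PortPlan:
    node_ips: List[str]                 # Ethernet address of every cluster node
    node_to_node: Set[Port]             # intra-cluster traffic only
    inbound: Set[Port]                  # client-facing services
    client_cidrs: List[str]             # networks allowed to reach the inbound ports
    outbound: Dict[str, List[Port]] = field(default_factory=dict)  # destination -> ports


def _ordered(ports) -> List[Port]:
    return sorted(ports, key=lambda p: (p.proto, p.number))


def check_plan(plan: PortPlan) -> List[str]:
    """A port that is both node-to-node and inbound would expose cluster-internal
    services to clients; flag it before any rules are generated."""
    return [f"{p.proto}/{p.number} is listed as both node-to-node and inbound"
            for p in _ordered(plan.node_to_node & plan.inbound)]


def rules_for_node(plan: PortPlan, this_ip: str) -> List[str]:
    """iptables commands for one node: default drop, then accept only what the plan allows."""
    if this_ip not in plan.node_ips:
        raise ValueError(f"{this_ip} is not a node in the plan")
    rules = [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -P OUTPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        # Replies to allowed connections come back without a dedicated rule.
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    # Node-to-node: reachable only from the other cluster members, in both directions.
    peers = [ip for ip in plan.node_ips if ip != this_ip]
    for port in _ordered(plan.node_to_node):
        for peer in peers:
            rules.append(f"iptables -A INPUT -p {port.proto} -s {peer} --dport {port.number} -j ACCEPT")
            rules.append(f"iptables -A OUTPUT -p {port.proto} -d {peer} --dport {port.number} -j ACCEPT")
    # Inbound: client networks only; node-to-node ports are deliberately not opened here.
    for port in _ordered(plan.inbound):
        for cidr in plan.client_cidrs:
            rules.append(f"iptables -A INPUT -p {port.proto} -s {cidr} --dport {port.number} -j ACCEPT")
    # Outbound: each external service by destination; nothing else leaves the node.
    for dest, ports in plan.outbound.items():
        for port in _ordered(ports):
            rules.append(f"iptables -A OUTPUT -p {port.proto} -d {dest} --dport {port.number} -j ACCEPT")
    return rules


# Constructed sample plan. Port numbers are placeholders, not the Fortanix list;
# the outbound destinations stand for a proxy used for attestation, an NTP server
# and a syslog collector, with assumed addresses.
SAMPLE_PLAN = PortPlan(
    node_ips=["10.10.20.11", "10.10.20.12", "10.10.20.13"],
    node_to_node={Port("tcp", 7000), Port("tcp", 7001)},
    inbound={Port("tcp", 443)},
    client_cidrs=["10.20.0.0/16"],
    outbound={
        "10.10.5.5": [Port("tcp", 3128)],   # HTTP proxy (assumed port) for attestation
        "10.10.5.10": [Port("udp", 123)],   # NTP
        "10.10.5.20": [Port("tcp", 514)],   # syslog over TCP
    },
)

if __name__ == "__main__":
    for problem in check_plan(SAMPLE_PLAN):
        print("PROBLEM:", problem)
    print("\n".join(rules_for_node(SAMPLE_PLAN, "10.10.20.11")))
```

Run it once per node with that node's own address; the peer list and therefore the node-to-node rules differ on each node, which is exactly what keeps those ports closed to everything that is not a cluster member. If the cluster sits behind a load balancer or uses the keepalived virtual IP, add that address to the inbound rules as well.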
Define Hostnames for Each Node
Each Fortanix Self-Defending KMS node needs a unique hostname. Decide the hostnames and configure them on each node before deploying the cluster.
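Address reservations and hostnames are easy to get subtly wrong across a few appliances: two nodes that differ only in hostname case, an IPMI address reused on the Ethernet side, or a virtual IP that is also assigned to a node. The following preflight check, an added example that is not Fortanix code, validates a plan covering both the static IP reservations described earlier and the hostname requirement above. The node names, subnets and virtual IP in it are constructed sample data.

```python
"""Preflight check of the address and hostname plan for a Fortanix Self-Defending KMS cluster.

Added example, not Fortanix code. The nodes, subnets and virtual IP below are
constructed sample data; substitute your own reservations.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# One DNS label: 1-63 characters, letters/digits/hyphens, no leading or trailing hyphen.
_DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass(frozen=True)
class Node:
    hostname: str   # unique per node
    eth_ip: str     # static address on the (optionally bonded) Ethernet interface
    ipmi_ip: str    # static address reserved for the IPMI interface


def _parse_ip(raw: str, what: str, problems: List[str]) -> Optional[ipaddress.IPv4Address]:
    try:
        return ipaddress.IPv4Address(raw)
    except ValueError:
        problems.append(f"{what} {raw!r} is not a valid IPv4 address")
        return None


def validate_plan(nodes: Iterable[Node], vip: Optional[str] = None,
                  data_subnet: Optional[str] = None,
                  ipmi_subnet: Optional[str] = None) -> List[str]:
    """Return a list of problems with the plan; an empty list means it is consistent."""
    nodes = list(nodes)
    if not nodes:
        return ["plan contains no nodes"]
    problems: List[str] = []
    data_net = ipaddress.IPv4Network(data_subnet, strict=False) if data_subnet else None
    ipmi_net = ipaddress.IPv4Network(ipmi_subnet, strict=False) if ipmi_subnet else None
    seen_hosts: Dict[str, str] = {}                   # lower-cased hostname -> as written
    seen_ips: Dict[ipaddress.IPv4Address, str] = {}   # address -> first owner

    for node in nodes:
        labels = node.hostname.split(".")
        if not all(_DNS_LABEL.match(label) for label in labels):
            problems.append(f"hostname {node.hostname!r} is not a valid DNS name")
        # DNS is case-insensitive, so "Node1" and "node1" would be the same host.
        key = node.hostname.lower()
        if key in seen_hosts:
            problems.append(f"hostname {node.hostname!r} duplicates {seen_hosts[key]!r}")
        seen_hosts.setdefault(key, node.hostname)

        for what, raw, net in (("Ethernet", node.eth_ip, data_net),
                               ("IPMI", node.ipmi_ip, ipmi_net)):
            owner = f"{node.hostname} {what}"
            ip = _parse_ip(raw, f"{owner} address", problems)
            if ip is None:
                continue
            if ip in seen_ips:
                problems.append(f"{owner} address {raw} is already used by {seen_ips[ip]}")
            seen_ips.setdefault(ip, owner)
            if net is not None:
                if ip not in net:
                    problems.append(f"{owner} address {raw} is outside subnet {net}")
                elif ip in (net.network_address, net.broadcast_address):
                    problems.append(f"{owner} address {raw} is the network or broadcast address of {net}")

    if vip is not None:
        ip = _parse_ip(vip, "virtual IP", problems)
        if ip is not None:
            if ip in seen_ips:
                problems.append(f"virtual IP {vip} collides with {seen_ips[ip]}")
            if data_net is not None and ip not in data_net:
                problems.append(f"virtual IP {vip} is outside the Ethernet subnet {data_net}")
    return problems


# Constructed sample plan for a three-node cluster (assumed names and addresses).
SAMPLE_NODES = [
    Node("sdkms-node1", "10.10.20.11", "10.10.99.11"),
    Node("sdkms-node2", "10.10.20.12", "10.10.99.12"),
    Node("sdkms-node3", "10.10.20.13", "10.10.99.13"),
]
SAMPLE_VIP = "10.10.20.10"

if __name__ == "__main__":
    for problem in validate_plan(SAMPLE_NODES, vip=SAMPLE_VIP,
                                 data_subnet="10.10.20.0/24", ipmi_subnet="10.10.99.0/24"):
        print("PROBLEM:", problem)
```

The check is deliberately offline: it validates the plan you wrote down, not the network. Once the reservations exist in DHCP and DNS, confirm separately that each reserved address does not answer before you assign it and that each hostname resolves to the intended Ethernet address.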
Identify NTP (Network Time Protocol) Sources
Fortanix Self-Defending KMS requires NTP time synchronization. You can use public NTP pools, your own NTP servers, or run an NTP service on the appliances themselves. Identify the sources now; you configure them in Fortanix Self-Defending KMS after installation.
Determine Services to Be Implemented
- Attestation services:
  - The appliances need internet access to reach the attestation service, either directly or through a proxy. Identify the proxy settings.
- Monitoring and alerting:
  - Provision a VM for the installation of Sensu.
- Backups:
  - Determine where you will store backup files. You can use SCP to ship backup files to another location, or back up directly to Amazon S3.
  - Determine the proxy settings for S3, if a proxy is required.
  - Determine the credentials for your selected destination.
- Logging:
  - Determine whether you will ship logs to Syslog or Splunk.
  - Determine the settings for your log collection implementation.