Fortanix Data Security Manager Installation on VMware

1.0 Introduction

The purpose of this article is to describe the Fortanix Data Security Manager (DSM) Open Virtual Appliance (OVA) Installation steps for VMware vSphere version 6.7.

2.0 Prerequisites

Ensure the following:

  • VMware vSphere 6.7 or above.
  • The central processing unit (CPU) must support the RDRAND and RDSEED instructions.
  • Minimum requirements:
    • Cores: 2 or more
    • Memory: 32 GB RAM
    • Disk: 600 GB
    • 64-bit Linux (for example, Ubuntu) machine
    NOTE
    You may face installation issues with less RAM or disk space.

3.0 Installation Steps

3.1 Using VSphere

Perform the following steps for each VM:

  1. Go to the vSphere web.
  2. From the Actions menu, select Deploy OVF Template.
    Figure 1: Deploy OVF Template
  3. Click Select an OVF Template from the left menu to create a new Virtual Machine (VM) from OVF/OVA.
    1. Add the URL of the OVA location or upload the OVA.
    2. Click Next.
    Figure 2: Create new OVA template
  4. Select the location for the Virtual Machine and click NEXT.
    Figure 3: Select the VM location
  5. Select the Compute Resource/ESXi Node and click NEXT.
    Figure 4: Select compute node resource
  6. Select the Network to be used by the VM.
  7. Review the configuration and click FINISH.
  8. To edit the VM configuration, click Edit Settings in the ACTIONS menu.
    Figure 5: Edit VM settings
    Figure 6: Edit the VM configuration
  9. Further customizations can be configured by changing the settings of the VM.
    NOTE
    The default OVA settings are:
    1. Username: administrator
    2. Password: contact Fortanix support (support@fortanix.com) for the password.
    3. IP: <VM IP address>

For the rest of the deployment steps refer to the Fortanix DSM Installation Guide.

3.2 Using ESXi

Perform the following steps for each VM:

  1. Log in to the ESXi Host Client, navigate to the Virtual Machines menu item, and click the Create/Register VM option to create or register the required VM.
    Figure 7: ESXi Client Server
    The New virtual machine dialog box appears on the screen.
  2. On the Select creation type tab, select the required option from the drop-down menu.
    Figure 8: Select Creation Type Tab
    Download the OVA package on your system from the following S3 location: https://s3.console.aws.amazon.com/s3/object/sdkms-release?region=us-west-1&prefix=vmware. You can then select OVF to upload the OVA from your system.
  3. On the Select OVF and VMDK files tab, enter the name of the VM and upload the OVA file.
    Figure 9: Select OVF and VMDK Files Tab
  4. On the Select storage tab, select the required storage type.
  5. On the Deployment options tab, enter the following details:
    • Network mappings: Select the required VM Network from the drop-down menu.
    • Disk provisioning: Select the Thin radio button.
    • Power on automatically: Select the check box to enable the feature.
      Figure 11: Deployment Options Tab
  6. On the Ready to complete tab, review the summary and click the Finish button.
    Figure 12: Summary Tab
    Wait for a few minutes for the OVA to be uploaded and the VM to be created. The following screen displays the results:
    Figure 13: Results Screen

4.0 Configuring the VMs

Perform the following steps:

  1. Log in to the VM.
  2. Run the following command to edit the network interface configuration:
    sudo nano /etc/network/interfaces
    For example, set the address and gateway of the interface:
    address 10.197.65.239
    gateway 10.197.65.254
    OR
    address 10.197.192.240
    gateway 10.197.192.254
  3. Save the changes.
  4. Run the following command to restart the networking service so that the saved changes take effect:
    sudo systemctl restart networking

5.0 Logging in the Node

Perform the following steps:

  1. Log in to the required node with the IP address configured in Section 4: Configuring the VMs.
  2. Create the cluster directly by supplying a config.yaml file:
    sudo sdkms-cluster create --self=<node ip> --config ./config.yaml
    For example, config.yaml:
    global:
      localntp: true
      attestation: null
      externalLoadBalancer: true
    sdkms:
      clusterIp: 1.2.3.4
    keepalived:
      nwIface: ens5
  3. Run the following commands to sign the certificates:
    sudo get_csrs
    sudo install_certs
  4. Run the following commands to update the hostname and hosts entries for the other nodes that are to be added to the cluster, then reboot:
    sudo nano /etc/hostname
    sudo nano /etc/hosts
    sudo reboot
  5. Run the following command to join the node to the cluster:
    sudo sdkms-cluster join --peer=<cluster ip> --token=<token_id> --self=<node ip>
    NOTE
    No cleanup or separate installation is required, because uploading the OVA package automatically initiates the build installation.

6.0 Backup and Restore on VMware

The backup and restore process is the same as for other Fortanix DSM hardware-based deployments. However, when DSM is deployed on VMware on VMs without SGX capability, the deployment key is created in software. For security reasons, this deployment key is not backed up to the backup location along with the backup data.

NOTE
The deployment key is required to restore the backup if the cluster is reset or re-created, so it must be backed up to a safe location. Without the deployment key, the backup cannot be restored (it will be rendered unusable) during the restoration process.
  1. Locate the deployment key.
    $ kubectl get secrets sdkms-deployment-key-store
  2. Save the deployment key.
    $ kubectl get secrets sdkms-deployment-key-store -o yaml > sdkms-deployment-key-store.yaml
    Save the file sdkms-deployment-key-store.yaml in a secure location (do not save it along with the backup).
  3. Restore the deployment key after the cluster reset.

    When a new cluster is created, a new random deployment key is auto-created. Because the cluster is being restored from the backup, that fresh key must be deleted and the saved deployment key restored in its place.
    1. Delete any existing deployment key (which was created after a fresh cluster).
      $ kubectl delete secrets sdkms-deployment-key-store
    2. Create a deployment key from a safe location.
      $ kubectl create -f sdkms-deployment-key-store.yaml

      After the above step, the restore process can be started as documented in the Fortanix Data Security Manager Backup and Restore Guide.

7.0 Support

For production deployment of Fortanix DSM on VMware, click here to download the VMware OVA Software.
