1.0 Introduction
The purpose of this article is to describe the Fortanix-Data-Security-Manager (DSM) Open Virtual Appliance (OVA) Installation steps for VMware vSphere version 6.7 or above.
2.0 Prerequisites
Ensure the following:
VMware vSphere V6.7 or above.
The central processing unit (CPU) must support
RDRANDandRDSEED.Minimum requirements:
Cores: 8 Cores
Memory: 32GB Ram
600 GB hard disk space.
Linux or Ubuntu 64 bits machine
NOTE
This OVA is compatible with the
VMXnet3network adapter, as it includes the latest version ofopen-vm-tools (2:11.3.0-2ubuntu0~ubuntu20.04.7).
3.0 Installation Steps
3.1 Using VSphere
Perform the following steps for each VM:
Go to the vSphere web.
From the Actions menu, select Deploy OVF Template.
Figure 1: Deploy OVF Template
Click Select an OVF Template from the left menu to create a new Virtual Machine (VM) from OVF/OVA.
Add the URL of the OVA location or upload the OVA.
Click Next.
Figure 2: Create new OVA template
Select the location for the Virtual Machine and click NEXT.
Figure 3: Select the VM location
Select the Compute Resource/ESXi Node and click NEXT.
Figure 4: Select compute node resource
Select the Network to be used by the VM.
Review the configuration and click FINISH.
To edit the VM configuration, click Edit Settings in the ACTIONS menu.
Figure 5: Edit VM settings
Figure 6: Edit the VM Configuration
Further customizations can be configured by changing the settings of the VM.
NOTE
The default OVA settings are:
Username - administrator
Password – contact Fortanix support ([email protected]) for the password.
IP - <VM IP address>
For the rest of the deployment steps, refer to Section 4.0: Configuring the VMs and Section 5.0: Fortanix DSM Installation.
3.2 Using ESXi
Perform the following steps for each VM:
Log in to the ESXi Host Client server, navigate to the Virtual Machines menu item, and click the Create/Register VM option to create or register the required VM machine.
Figure 7: ESXi Client Server
The New virtual machine dialog box appears on the screen.
On the Select creation type tab, select the required option from the drop down menu.
Figure 8: Select Creation Type Tab
Download the latest OVA package on your system from DSM Installation Package (On-Prem): DSM 4.31 Patch OVA Package. Now you can select OVF to upload OVA from your system.
On the Select OVF and VMDK files tab, enter the name of the VM and upload OVA file.
Figure 9: Select OVF and VMDK Files Tab
On the Select storage tab, select the required storage type.
Figure 10: Select Storage tab
On the Deployment options tab, enter the following details:
Network mappings: Select the required VM Network from the drop down menu.
Disk provisioning: Select the radio button for Thin option.
Power on automatically: Select the check box to enable the feature.
Figure 11: Deployment Options Tab
On the Ready to complete tab, review the summary and click the Finish button.
Figure 12: Summary Tab
Wait for a few minutes for the OVA to be uploaded and the VM to be created. The following screen displays the results:
Figure 13: Results Screen
For the rest of the deployment steps, refer to Section 4.0: Configuring the VMs and Section 5.0: Fortanix DSM Installation.
4.0 Configuring the VMs
Perform the following steps:
Log in to the VM.
Run the following command to update the network interface:
sudo nano /etc/network/interfacesFor example,
address 10.197.65.239 gateway 10.197.65.254 netmask 255.255.255.0 dns-nameserver 1.1.1.1For more information on the network interface configuration, refer to the Fortanix Data Security Manager Installation Guide - On-Prem.
Run the following command to update the hostnames of other nodes that are required to be added to the cluster:
sudo nano /etc/hostname sudo nano /etc/hosts sudo rebootTo set the
hostnameon each node, in the/etc/hostnamefile, removesdkms-serverand replace it with the intended hostname.In the
/etc/hostsfile, add the corresponding IP address, hostname, and/or FQDN.
Save the changes.
Run the following command to restart the networking to reflect the saved changes:
sudo systemctl restart networking
5.0 Fortanix DSM Installation
Perform the following steps:
Log in to the required node with the same IP address configured in Section 4: Configuring the VMs.
For step-by-step instructions on setting up the deployment-specific configuration file during Fortanix DSM installation and configuration, refer to the Fortanix Data Security Manager Installation Guide - On-Prem.
For information on the certificate installation and signing process, refer to the Fortanix Data Security Manager Installation Guide – On-Prem.
NOTE
There is no requirement for cleanup and installation, as the upload of the OVA package will automatically initiate the build installation.
5.1 Configure Other Nodes for Joining the Cluster
After completing the installation, run the following command to join all other nodes to the cluster:
sudo sdkms-cluster join --peer=cluster ip --token=<token_id> --self=node ipHere,
Cluster IP address (
cluster ip) corresponds to the node’s IP address on which the cluster was created. Specify it with the subnet.The node IP (
node ip) address corresponds to the IP address of the joining node.
6.0 Backup and Restore on VMWare
The backup and restore process remains exactly the same as other Fortanix DSM hardware-based deployments. But when deployed on VMWare, on VMs without SGX capability, a deployment key is created in software. This deployment-key is not backed-up to the backup location along with the backup data due to security reasons.
For more information on configuring the backup, refer to Fortanix Data Security Manager Backup and Restore.
NOTE
Deployment-key is required to restore the backup in case the cluster is being reset/re-created. Hence the deployment key must be backed-up in a safe location. Backup cannot be restored (will be rendered unusable) without this deployment key during the restoration process.
Run the following command to locate the deployment key:
$ kubectl get secrets sdkms-deployment-key-storeRun the following command to create a deployment key from the previous backup stored in a safe location:
$ kubectl get secrets sdkms-deployment-key-store -o yaml > sdkms-deployment-key-store.yamlSave
sdkms-deployment-key-store.yamlfile in a secure location (do not save it along with the backup).Restore the deployment key after the cluster reset.
When a new cluster is created, a new random deployment key gets auto-created. But as we are restoring the cluster from the backup, we need to delete the deployment key and restore the saved deployment key.Run the following command to delete any existing deployment key (which was created after a fresh cluster):
$ kubectl delete secrets sdkms-deployment-key-storeRun the following command to create a deployment key from a safe location:
$ kubectl create -f sdkms-deployment-key-store.yamlAfter the above step, the restore process can be started as documented in the Fortanix DSM Restoration Guide - Automated guide.
7.0 Support
For production deployment of Fortanix DSM on VMware, click here to download the VMware OVA Software.