Fortanix Data Security Manager Installation on VMware


1.0 Introduction

The purpose of this article is to describe the installation steps for the Fortanix Data Security Manager (DSM) Open Virtual Appliance (OVA) on VMware vSphere version 6.7 or above.

2.0 Prerequisites

Ensure the following:

  • VMware vSphere V6.7 or above.

  • The central processing unit (CPU) must support RDRAND and RDSEED.

  • Minimum requirements:

    • Cores: 8 Cores

    • Memory: 32 GB RAM

    • 600 GB hard disk space.

    • A 64-bit Linux or Ubuntu machine

    NOTE

    This OVA is compatible with the VMXNET3 network adapter, as it includes the latest version of open-vm-tools (2:11.3.0-2ubuntu0~ubuntu20.04.7).
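The following pre-flight script is an added example, not part of the Fortanix guide or its tooling. Run inside the guest, it confirms that the CPU flags this section requires (rdrand and rdseed) are actually exposed to the VM and that the core, memory and disk minimums are met. The check functions take their inputs as arguments so they can be exercised on constructed values; only preflight reads the live system. The 31 GiB memory threshold is a tolerance chosen for this example because MemTotal in /proc/meminfo excludes memory reserved by the kernel, and the disk check assumes the 600 GB sits on the root filesystem.

```shell
# Added pre-flight check for the prerequisites above (example code, not Fortanix tooling).
# The check functions take their inputs as arguments; only preflight reads the live VM.

# has_cpu_flags FLAGS_LINE FLAG...: 0 only if every FLAG appears as a whole word
# in FLAGS_LINE (the value of the "flags" line in /proc/cpuinfo).
has_cpu_flags() {
  flags=$1; shift
  for want in "$@"; do
    case " $flags " in
      *" $want "*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# missing_cpu_flags FLAGS_LINE FLAG...: prints the requested flags that are absent.
missing_cpu_flags() {
  flags=$1; shift
  out=""
  for want in "$@"; do
    case " $flags " in
      *" $want "*) ;;
      *) out="$out $want" ;;
    esac
  done
  printf '%s\n' "${out# }"
}

# meets_minimums CORES MEM_KB DISK_GB: 0 if the VM reaches the article's minimums
# of 8 cores, 32 GB RAM and 600 GB disk. MEM_KB is MemTotal from /proc/meminfo,
# which excludes memory reserved by the kernel, so 31 GiB is accepted as "32 GB"
# (a tolerance chosen for this example).
meets_minimums() {
  cores=$1; mem_kb=$2; disk_gb=$3
  [ "$cores" -ge 8 ] || return 1
  [ "$mem_kb" -ge $((31 * 1024 * 1024)) ] || return 1
  [ "$disk_gb" -ge 600 ] || return 1
  return 0
}

# preflight: runs all checks against the live system and reports what is missing.
# Assumes a Linux guest with GNU coreutils (df --output) and the data on "/".
preflight() {
  cpu_flags=$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2)
  ok=0
  has_cpu_flags "$cpu_flags" rdrand rdseed \
    || { echo "CPU lacks: $(missing_cpu_flags "$cpu_flags" rdrand rdseed)" >&2; ok=1; }
  meets_minimums "$(nproc)" "$(awk '/^MemTotal/ {print $2}' /proc/meminfo)" \
      "$(df -BG --output=size / | tail -1 | tr -dc 0-9)" \
    || { echo "VM is below the 8 core / 32 GB / 600 GB minimum" >&2; ok=1; }
  return $ok
}

# Usage on the VM:  preflight && echo "prerequisites met"
```

If the CPU check fails on a VM whose host CPU does support these instructions, the usual cause is the VM's CPU compatibility (EVC) level masking the newer flags; raising it and powering the VM off and on again makes them visible to the guest.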

3.0 Installation Steps

3.1 Using vSphere

Perform the following steps for each VM:

  1. Open the vSphere web client.

  2. From the Actions menu, select Deploy OVF Template.  


    Figure 1: Deploy OVF Template

  3. Click Select an OVF Template from the left menu to create a new Virtual Machine (VM) from OVF/OVA.

    1. Add the URL of the OVA location or upload the OVA.

    2. Click Next.


    Figure 2: Create new OVA template

  4. Select the location for the Virtual Machine and click NEXT.  


    Figure 3: Select the VM location

  5. Select the Compute Resource/ESXi Node and click NEXT.


    Figure 4: Select compute node resource

  6. Select the Network to be used by the VM.

  7. Review the configuration and click FINISH.

  8. To edit the VM configuration, click Edit Settings in the ACTIONS menu.  


    Figure 5: Edit VM settings

    Figure 6: Edit the VM Configuration

  9. Further customizations can be configured by changing the settings of the VM.

    NOTE

    The default OVA settings are:

    1. Username - administrator

    2. Password – contact Fortanix support ([email protected]) for the password.

    3. IP - <VM IP address>

For the rest of the deployment steps, refer to Section 4.0: Configuring the VMs and Section 5.0: Fortanix DSM Installation.

3.2 Using ESXi

Perform the following steps for each VM:

  1. Log in to the ESXi Host Client, navigate to the Virtual Machines menu item, and click the Create/Register VM option to create or register the required VM.


    Figure 7: ESXi Client Server

    The New virtual machine dialog box appears on the screen.

  2. On the Select creation type tab, select the required option from the drop-down menu.


    Figure 8: Select Creation Type Tab

    Download the latest OVA package to your system from DSM Installation Package (On-Prem): DSM 4.31 Patch OVA Package. Then select the OVF option to upload the OVA from your system.

  3. On the Select OVF and VMDK files tab, enter the name of the VM and upload the OVA file.


    Figure 9: Select OVF and VMDK Files Tab

  4. On the Select storage tab, select the required storage type.

    Figure 10: Select Storage tab

  5. On the Deployment options tab, enter the following details:

    • Network mappings: Select the required VM Network from the drop-down menu.

    • Disk provisioning: Select the Thin radio button.

    • Power on automatically: Select the check box to enable the feature.


      Figure 11: Deployment Options Tab

  6. On the Ready to complete tab, review the summary and click the Finish button.


    Figure 12: Summary Tab

    Wait for a few minutes for the OVA to be uploaded and the VM to be created. The following screen displays the results:


    Figure 13: Results Screen

For the rest of the deployment steps, refer to Section 4.0: Configuring the VMs and Section 5.0: Fortanix DSM Installation.

4.0 Configuring the VMs

Perform the following steps:

  1. Log in to the VM.

  2. Run the following command to edit the network interface configuration:

    sudo nano /etc/network/interfaces

    For example, the static settings for the VM's interface (these lines belong under that interface's iface ... inet static stanza):

    address 10.197.65.239
    gateway 10.197.65.254
    netmask 255.255.255.0
    dns-nameserver 1.1.1.1

    For more information on the network interface configuration, refer to the Fortanix Data Security Manager Installation Guide - On-Prem.

  3. Run the following commands to update the hostname of each node that is to be added to the cluster:

    sudo nano /etc/hostname
    sudo nano /etc/hosts
    sudo reboot

    • To set the hostname on each node, in the /etc/hostname file, remove sdkms-server and replace it with the intended hostname.

    • In the /etc/hosts file, add the corresponding IP address, hostname, and/or FQDN.

  4. Save the changes.

  5. Run the following command to restart the networking to reflect the saved changes:

    sudo systemctl restart networking
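The following script is an added example (not from the Fortanix guide) for the network step above. It validates the values before they are written into /etc/network/interfaces and renders the stanza they belong to: it rejects malformed addresses, a non-contiguous netmask, and a gateway outside the address's subnet, which is the mistake that leaves the VM unreachable once networking is restarted. The interface name ens160 and the 1.1.1.1 resolver are placeholders; the addresses are the ones in the example above. cluster_cidr derives the address-with-subnet form that the sdkms-cluster join command in Section 5.1 asks for, on the assumption that "with the subnet" means CIDR notation.

```shell
# Added validation for the static network settings (example code, not Fortanix tooling).
# Sample values are the ones used in the article; the interface name is a placeholder.

# valid_ipv4 A.B.C.D: 0 if the argument is a dotted quad with octets 0-255
# (leading zeros are rejected so the octets are never read as octal).
valid_ipv4() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# ip_to_int A.B.C.D: prints the address as a 32-bit integer.
ip_to_int() {
  valid_ipv4 "$1" || return 1
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# prefix_from_netmask MASK: prints the prefix length (255.255.255.0 -> 24);
# fails for a non-contiguous mask such as 255.0.255.0.
prefix_from_netmask() {
  m=$(ip_to_int "$1") || return 1
  bits=0; seen_zero=0; pow=2147483648
  while [ "$pow" -ge 1 ]; do
    if [ $(( (m / pow) % 2 )) -eq 1 ]; then
      [ "$seen_zero" -eq 0 ] || return 1   # a 1 bit after a 0 bit: not a valid mask
      bits=$((bits + 1))
    else
      seen_zero=1
    fi
    pow=$((pow / 2))
  done
  echo "$bits"
}

# same_subnet ADDR GATEWAY MASK: 0 if ADDR and GATEWAY share the network given by MASK.
same_subnet() {
  a=$(ip_to_int "$1") || return 1
  g=$(ip_to_int "$2") || return 1
  m=$(ip_to_int "$3") || return 1
  [ $(( a & m )) -eq $(( g & m )) ]
}

# check_static_config ADDR GATEWAY MASK: the checks worth running before
# "systemctl restart networking": every value parses, the mask is contiguous,
# the gateway is on the same subnet, and the gateway is not the address itself.
check_static_config() {
  addr=$1; gw=$2; mask=$3
  valid_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 1; }
  valid_ipv4 "$gw"   || { echo "bad gateway: $gw" >&2; return 1; }
  prefix_from_netmask "$mask" >/dev/null || { echo "bad netmask: $mask" >&2; return 1; }
  same_subnet "$addr" "$gw" "$mask" || { echo "gateway $gw is not in the subnet of $addr/$mask" >&2; return 1; }
  [ "$addr" != "$gw" ] || { echo "address and gateway are identical" >&2; return 1; }
  return 0
}

# render_interfaces_stanza IFACE ADDR GATEWAY MASK DNS: prints the ifupdown stanza
# the four lines in the article belong to (they only take effect under an
# "iface ... inet static" header).
render_interfaces_stanza() {
  printf 'auto %s\niface %s inet static\n' "$1" "$1"
  printf '    address %s\n    gateway %s\n    netmask %s\n    dns-nameserver %s\n' "$2" "$3" "$4" "$5"
}

# cluster_cidr ADDR MASK: the "cluster ip with subnet" form used by
# sdkms-cluster join in Section 5.1, assuming that means CIDR notation.
cluster_cidr() {
  p=$(prefix_from_netmask "$2") || return 1
  echo "$1/$p"
}

# Usage (ens160 is a placeholder; check "ip link" on the VM for the real name):
#   check_static_config 10.197.65.239 10.197.65.254 255.255.255.0 \
#     && render_interfaces_stanza ens160 10.197.65.239 10.197.65.254 255.255.255.0 1.1.1.1
#   cluster_cidr 10.197.65.239 255.255.255.0    # -> 10.197.65.239/24
```

The subnet check is the one that matters most on a console-less appliance: a typo that puts the gateway in a different /24 passes every syntax check, applies cleanly, and only shows up as a VM that no longer answers on the network.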

5.0 Fortanix DSM Installation

Perform the following steps:

  1. Log in to the required node with the same IP address configured in Section 4.0: Configuring the VMs.

  2. For step-by-step instructions on setting up the deployment-specific configuration file during Fortanix DSM installation and configuration, refer to the Fortanix Data Security Manager Installation Guide - On-Prem.

  3. For information on the certificate installation and signing process, refer to the Fortanix Data Security Manager Installation Guide - On-Prem.

NOTE

No separate cleanup or installation step is required, as uploading the OVA package automatically initiates the build installation.

5.1 Configure Other Nodes for Joining the Cluster

After completing the installation, run the following command to join all other nodes to the cluster:

sudo sdkms-cluster join --peer=<cluster ip> --token=<token_id> --self=<node ip>

Here,

  • The cluster IP address (cluster ip) is the IP address of the node on which the cluster was created. Specify it with the subnet.

  • The node IP address (node ip) is the IP address of the joining node.

6.0 Backup and Restore on VMware

The backup and restore process is exactly the same as for other Fortanix DSM hardware-based deployments. However, when DSM is deployed on VMware on VMs without SGX capability, the deployment key is created in software. For security reasons, this deployment key is not backed up to the backup location along with the backup data.

For more information on configuring the backup, refer to Fortanix Data Security Manager Backup and Restore.

NOTE

The deployment key is required to restore the backup if the cluster is reset or re-created, so it must be backed up to a safe location. Without the deployment key, the backup cannot be restored during the restoration process (it is rendered unusable).

  1. Run the following command to locate the deployment key:

    $ kubectl get secrets sdkms-deployment-key-store

  2. Run the following command to export the deployment key so that it can be stored in a safe location and restored later:

    $ kubectl get secrets sdkms-deployment-key-store -o yaml > sdkms-deployment-key-store.yaml

    Save the sdkms-deployment-key-store.yaml file in a secure location (do not save it along with the backup).

  3. Restore the deployment key after the cluster reset.

    When a new cluster is created, a new random deployment key is auto-created. Because the cluster is being restored from the backup, that new key must be deleted and replaced with the saved deployment key.

    1. Run the following command to delete the existing deployment key (the one created with the fresh cluster):

      $ kubectl delete secrets sdkms-deployment-key-store

    2. Run the following command to recreate the deployment key from the file saved in the safe location:

      $ kubectl create -f sdkms-deployment-key-store.yaml

      After the above step, the restore process can be started as documented in the Fortanix DSM Restoration Guide - Automated guide.
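The following helper is an added example (not Fortanix's tooling) for the export in step 2 and the recreate in step 3. It strips the server-assigned metadata from the exported Secret manifest, because kubectl create rejects a manifest whose metadata.resourceVersion is set (the API server answers "resourceVersion should not be set on objects to be created"), verifies that the saved file is the Secret with the expected name and a data section, and fingerprints the data section so the saved copy can be compared with a fresh export of the restored object. The sample manifest is constructed for this example; the key name under data and the default namespace are assumptions.

```shell
# Added helper for the deployment-key export/restore above (example code, not Fortanix tooling).

# sanitize_secret_yaml: filter (stdin -> stdout) that removes the server-assigned
# metadata "kubectl get -o yaml" includes. kubectl create rejects a manifest with
# metadata.resourceVersion set ("resourceVersion should not be set on objects to
# be created"); uid, creationTimestamp and managedFields are regenerated by the
# API server, so dropping them keeps the file minimal. Everything else, in
# particular the data section holding the key, is passed through untouched.
sanitize_secret_yaml() {
  awk '
    /^[^ ]/ { in_meta = ($0 ~ /^metadata:/); skip = 0 }
    in_meta && /^  (resourceVersion|uid|creationTimestamp):/ { next }
    in_meta && /^  managedFields:/ { skip = 1; next }
    in_meta && skip && /^  [^ -]/ { skip = 0 }
    skip { next }
    { print }
  '
}

# verify_secret_yaml FILE NAME: 0 if FILE is a Secret manifest named NAME that
# carries a data section and no leftover resourceVersion; use it before the file
# is moved to the safe location and again before "kubectl create -f".
verify_secret_yaml() {
  f=$1; name=$2
  grep -q '^kind: Secret$' "$f" || return 1
  grep -q "^  name: $name\$" "$f" || return 1
  grep -q '^data:' "$f" || return 1
  if grep -q '^  resourceVersion:' "$f"; then return 1; fi
  return 0
}

# data_fingerprint FILE: SHA-256 of the data section only, so the saved file and
# a fresh export of the restored Secret compare equal even though their
# metadata differs.
data_fingerprint() {
  awk '/^data:/ { on = 1; print; next } /^[^ ]/ { on = 0 } on { print }' "$1" \
    | sha256sum | cut -d' ' -f1
}

# Constructed sample of what the export looks like; the key name under data and
# the "default" namespace are assumptions made for this example.
SAMPLE_EXPORT='apiVersion: v1
data:
  deployment-key: QUJDREVGR0g=
kind: Secret
metadata:
  creationTimestamp: "2024-01-02T17:00:00Z"
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    manager: kubectl
  name: sdkms-deployment-key-store
  namespace: default
  resourceVersion: "12345"
  uid: 00000000-0000-0000-0000-000000000000
type: Opaque'

# Usage on the cluster (Section 6.0 step 2 with the filter added):
#   kubectl get secrets sdkms-deployment-key-store -o yaml \
#     | sanitize_secret_yaml > sdkms-deployment-key-store.yaml
#   verify_secret_yaml sdkms-deployment-key-store.yaml sdkms-deployment-key-store \
#     && data_fingerprint sdkms-deployment-key-store.yaml
# After "kubectl create -f" on the rebuilt cluster, export again and compare fingerprints.
```

The fingerprint is recorded alongside the saved file, not inside it, so that the comparison after restore does not depend on trusting the file that was just restored.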

7.0 Support

For production deployment of Fortanix DSM on VMware, click here to download the VMware OVA Software.