Fortanix Data Security Manager Installation on VMware

1.0 Introduction

The purpose of this article is to describe the Fortanix Data Security Manager (DSM) Open Virtual Appliance (OVA) installation steps for VMware vSphere version 6.7 or above.

2.0 Prerequisites

Ensure the following:

  • VMware vSphere V6.7 or above.

  • The central processing unit (CPU) must support RDRAND and RDSEED.

  • Minimum requirements:

    • Cores: 8 Cores

    • Memory: 32 GB RAM

    • 600 GB hard disk space.

    • 64-bit Linux or Ubuntu machine

    NOTE

    This OVA is compatible with the VMXNET3 network adapter, as it includes the latest version of open-vm-tools (2:11.3.0-2ubuntu0~ubuntu20.04.7).

3.0 Installation Steps

3.1 Using vSphere

Perform the following steps for each VM:

  1. Open the vSphere web interface.

  2. From the Actions menu, select Deploy OVF Template.

    Figure 1: Deploy OVF Template

  3. Click Select an OVF Template from the left menu to create a new Virtual Machine (VM) from OVF/OVA.

    1. Add the URL of the OVA location or upload the OVA.

    2. Click Next.

    Figure 2: Create new OVA template

  4. Select the location for the Virtual Machine and click NEXT.

    Figure 3: Select the VM location

  5. Select the Compute Resource/ESXi Node and click NEXT.

    Figure 4: Select compute node resource

  6. Select the Network to be used by the VM.

  7. Review the configuration and click FINISH.

  8. To edit the VM configuration, click Edit Settings in the ACTIONS menu.

    Figure 5: Edit VM settings

  9. Further customizations can be configured by changing the settings of the VM.

    NOTE

    The default OVA settings are:

    1. Username - administrator

    2. Password - contact Fortanix support ([email protected]) for the password.

    3. IP - <VM IP address>

For the rest of the deployment steps refer to the Fortanix DSM Installation Guide.

3.2 Using ESXi

Perform the following steps for each VM:

  1. Log in to the ESXi Host Client, navigate to the Virtual Machines menu item, and click the Create/Register VM option to create or register the required VM.

    Figure 7: ESXi Client Server

    The New virtual machine dialog box appears on the screen.

  2. On the Select creation type tab, select the required option from the drop-down menu.

    Figure 8: Select Creation Type Tab

    Download the latest OVA package to your system from DSM Installation Package (On-Prem): DSM 4.31 Patch OVA Package. Then select the OVF option to upload the OVA from your system.

  3. On the Select OVF and VMDK files tab, enter the name of the VM and upload the OVA file.

    Figure 9: Select OVF and VMDK Files Tab

  4. On the Select storage tab, select the required storage type.

  5. On the Deployment options tab, enter the following details:

    • Network mappings: Select the required VM Network from the drop-down menu.

    • Disk provisioning: Select the Thin radio button.

    • Power on automatically: Select the check box to enable the feature.

      Figure 11: Deployment Options Tab

  6. On the Ready to complete tab, review the summary and click the Finish button.

    Figure 12: Summary Tab

    Wait for a few minutes for the OVA to be uploaded and the VM to be created. The following screen displays the results:

    Figure 13: Results Screen

4.0 Configuring the VMs

Perform the following steps:

  1. Log in to the VM.

  2. Run the following command to edit the network interface configuration:

    sudo nano /etc/network/interfaces

    For example,

    address 10.197.65.239
    gateway 10.197.65.254

    OR

    address 10.197.192.240
    gateway 10.197.192.254

  3. Save the changes.

  4. Run the following command to restart the networking to reflect the saved changes:

    sudo systemctl restart networking

5.0 Logging in to the Node

Perform the following steps:

  1. Log in to the required node using the IP address configured in Section 4.0: Configuring the VMs.

  2. Create the cluster directly by supplying a config.yaml file:

    sudo sdkms-cluster create --self=<node_ip> --config ./config.yaml

    For example,

    global:
      localntp: true
      attestation: null
      externalLoadBalancer: true
    sdkms:
      clusterIp: 1.2.3.4
    keepalived:
      nwIface: ens5

  3. Run the following commands to sign the certificates:

    sudo get_csrs
    sudo install_certs

  4. Run the following commands to update the hostname and hosts entries for the other nodes that are to be added to the cluster, then reboot:

    sudo nano /etc/hostname
    sudo nano /etc/hosts
    sudo reboot

  5. Run the following command to join the node to the cluster:

    sudo sdkms-cluster join --peer=<cluster_ip> --token=<token_id> --self=<node_ip>

    NOTE

    No separate cleanup or installation step is required, as uploading the OVA package automatically initiates the build installation.

6.0 Backup and Restore on VMware

The backup and restore process is the same as for other Fortanix DSM hardware-based deployments. However, when DSM is deployed on VMware on VMs without SGX capability, the deployment key is created in software. For security reasons, this deployment key is not backed up to the backup location along with the backup data.

NOTE

The deployment key is required to restore the backup if the cluster is reset or re-created, so it must be backed up in a safe location. Without the deployment key, the backup cannot be restored during the restoration process (it is rendered unusable).

  1. Locate the deployment key.

    $ kubectl get secrets sdkms-deployment-key-store

  2. Save the deployment key.

    $ kubectl get secrets sdkms-deployment-key-store -o yaml > sdkms-deployment-key-store.yaml

    Save the file sdkms-deployment-key-store.yaml in a secure location (do not save it along with the backup).

  3. Restore the deployment key after the cluster reset.
    When a new cluster is created, a new random deployment key is auto-created. Because the cluster is being restored from the backup, that new key must be deleted and the saved deployment key restored in its place.

    1. Delete any existing deployment key (which was created after a fresh cluster).

      $ kubectl delete secrets sdkms-deployment-key-store

    2. Create the deployment key from the file saved in the safe location.

      $ kubectl create -f sdkms-deployment-key-store.yaml

      After the above step, the restore process can be started as documented in the Fortanix Data Security Manager Backup and Restore Guide.
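As an added example (not Fortanix tooling), the following Python helper checks an exported deployment-key Secret before it is filed in the safe location and strips the server-assigned metadata (resourceVersion, uid, creationTimestamp) that an unmodified `kubectl get -o yaml` export carries and that can cause `kubectl create -f` to reject the object on restore. It assumes the Secret was exported with `-o json` so the standard library can parse it; the fields involved are the same in the YAML form, and the sample export below is constructed with placeholder key bytes.

```python
import base64
import hashlib
import json

SECRET_NAME = "sdkms-deployment-key-store"  # Secret name from the kubectl steps above
# Server-assigned metadata that `kubectl get -o yaml/json` includes but a fresh
# create must not carry: a preset resourceVersion makes the API server reject it.
SERVER_FIELDS = ("resourceVersion", "uid", "creationTimestamp", "managedFields", "selfLink")

def validate_secret(secret: dict) -> list:
    """Return a list of problems; an empty list means the export looks restorable."""
    problems = []
    if secret.get("kind") != "Secret":
        problems.append("kind is not Secret")
    if secret.get("metadata", {}).get("name") != SECRET_NAME:
        problems.append("unexpected secret name")
    data = secret.get("data") or {}
    if not data:
        problems.append("no data: the deployment key is missing")
    for key, value in data.items():
        try:
            base64.b64decode(value, validate=True)
        except (ValueError, TypeError):
            problems.append(f"data[{key}] is not valid base64")
    return problems

def sanitize_for_create(secret: dict) -> dict:
    """Copy of the export with server-owned metadata removed so `kubectl create -f` accepts it."""
    clean = json.loads(json.dumps(secret))  # deep copy; the original export stays untouched
    for field in SERVER_FIELDS:
        clean.setdefault("metadata", {}).pop(field, None)
    return clean

def fingerprint(secret: dict) -> str:
    """SHA-256 over the key material only; compare it before backup and after restore."""
    h = hashlib.sha256()
    for key, value in sorted((secret.get("data") or {}).items()):
        h.update(f"{key}={value}\n".encode())
    return h.hexdigest()

# Constructed sample in the shape of `kubectl get secrets ... -o json`; the key value
# is placeholder bytes, not a real deployment key.
SAMPLE_EXPORT = json.loads("""{
 "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
 "metadata": {"name": "sdkms-deployment-key-store", "namespace": "default",
              "resourceVersion": "123456", "uid": "00000000-0000-0000-0000-000000000000",
              "creationTimestamp": "2024-01-02T17:18:27Z"},
 "data": {"deployment-key": "cGxhY2Vob2xkZXIta2V5LW1hdGVyaWFs"}
}""")
```

Run validate_secret on the export before filing it away, record the fingerprint in the runbook, and write the output of sanitize_for_create to the file passed to kubectl create -f; after the restore, the fingerprint of the re-read Secret should match.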

7.0 Support

For production deployment of Fortanix DSM on VMware, click here to download the VMware OVA Software.