Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.futurex.com/llms.txt

Use this file to discover all available pages before exploring further.

The inventory file, hosts.inv, sets the configuration properties for the installation. The Zettaset software includes an annotated sample file, hosts.inv.example. Additional information is provided here for the file sections:

ALL NODES

ALL NODES is a section of the inventory file.
None
# ALL NODES
target01 encrypted_blockdev=/dev/sdb1 encrypted_mountpoint=/data1
encrypted_mountnames=crypt1 encrypted_preserve=n fstype=ext4 newfsargs=none
mountargs=none

target02 encrypted_blockdev=/dev/sdb1 encrypted_mountpoint=/data1
encrypted_mountnames=crypt1 encrypted_preserve=n fstype=ext4 newfsargs=none
mountargs=none

target03 encrypted_blockdev=/dev/sdb1 encrypted_mountpoint=/data1
encrypted_mountnames=crypt1 encrypted_preserve=n fstype=ext4 newfsargs=none
mountargs=none
In this section, list each node in your deployment by using hostnames or IP addresses. When encrypting multiple partitions on a node, use commas to separate values. For each node, include the following variables:
VariableDescription
encrypted_blockdevEnter the block device to be encrypted (for example, /dev/sdb1). Disk partition name is expected. To use disk partition labels, set use_labels=true.
encrypted_mountpointEnter a mount point for the device (for example, /data1). The mount point must exist before the installation.
encrypted_mountnamesEnter a partition name. Each name must be unique for each partition on the node. (for example, crypt1)
encrypted_preserve Use one of the following values:
  • y: Preserves existing data.
    • The file system must be mounted before the installation. If the partition is not mounted, the data is overwritten.
    • The partition must also be unmountable. If a process prevents the unmount, encryption cannot start.
    • Only ext file systems can be preserved.
  • n: Does not preserve existing data.
    • The partition must be unmounted.
  • w: Securely wipes the partition before the new encrypted file system is created.
    • The partition must be unmounted.
fstypeMust be set to the type of file system to make when encrypted_preserve is y or w.
Must be set to the existing file system type when encrypted_preserve=n.
Typical file system types include ext4 and xfs.
newfsargsA string of arguments to pass to the mkfs command.
If spaces exist between multiple arguments, surround the string in double quotes (for example, “-b 2048 -d su=64k,sw=4”).
When no arguments are to be passed, set this value to none.
Use colons to separate values.
mountargsA string of mount options to pass to the crypt_mount.sh script.
If spaces exist between multiple arguments, surround the string in double quotes (for example, “noatime,inode64,allocsize=16m”).
When no arguments are to be passed, set this value to none.
kmip_client_jksThe location of the keystore that contains the client certificate.
The keystore must be in this location on the installer node before installation.
kmip_client_jks_passwordThe password for the jks file.
Include values for all settings. In the following example, the hostnames provided must resolve. If some nodes are separated by a proxy (such as if you deploy to nodes in skytap from your laptop), use the ansible_ssh_host and ansible_ssh_port variables. Otherwise, do not use those variables.
None
target03 encrypted_blockdev=/dev/sdb1,/dev/sdb2 encrypted_mountpoint=/data1,/
data2 encrypted_mountnames=crypt1,crypt2 encrypted_preserve=n,n fstype=ext4,xfs
newfsargs=none:"-b size=2048 -d su=64k,sw=4" mountargs=none:"noatime,inode64"

PRODUCT NAME

PRODUCT NAME is a section of the inventory file.
None
# PRODUCT NAME
zts_product=xcrypt_full_disk
This line displays the product name.

SOFTWARE LICENSE

SOFTWARE LICENSE is a section of the inventory file.
None
# SOFTWARE LICENSE
license_file=/path/to/your.license
In this line, include the full path to the license file.

FIPS MODE

FIPS MODE is a section of the inventory file.
None
# FIPS MODE
fips_mode=false
If you use OS versions 7.x and later, you can set fips_mode to true to enable FIPS 140 mode. All ZTS processes run in FIPS mode.

DISK LABELS

DISK LABELS is a section of the inventory file.
None
# DISK LABELS
use_labels=false
By default, the Zettaset software expects the encrypted_blockdev value shown in the ALL NODES section to point to a disk partition, such as /dev/sdb. To use disk partition labels instead, set use_labels=true.

CA CONFIGURATION

CA CONFIGURATION is a section of the inventory file.
None
# CA CONFIGURATION
internal_ca=false
external_ca_cert_source=
ca_org_name=
ca_org_unit=
ca_org_email=
ca_org_locale=
ca_org_state=
ca_org_country=
You must have a CA to authenticate nodes within your deployment. To use your pre-defined CA, set internal_ca=false and enter the full path to the CA PEM file in external_ca_cert_source. This is the location of the CA PEM file on the installer node. While using an external CA, you can ignore the ca_org_* values.

KMIP SERVER CONFIGURATION

KMIP SERVER CONFIGURATION is a section of the inventory file.
None
# KMIP SERVER CONFIGURATION

internal_kmip=false
kmip_master_ip=172.24.166.20
kmip_server_port=9000
kmip_client_timeout=300000
kmip_compatible_user=true
install_ha=false
kmip_client_jks_test=
kmip_client_jks_test_passwd=
You need a KMIP server server to process key requests. To use an external KMIP server, set internal_kmip=false and set the kmip_master_ip and kmip_master_port to point to your third-party device. Use kmip_client_timeout to configure the timeout setting or keep the default value of 300000. When using an external KMIP server, use kmip_client_jks_test and kmip_client_jks_passwd to enter the jks path and password and check the KMIP server connectivity before installing XCrypt. Using these values installs a KMIP client on the installation node. Leave these values blank if you do not need to check external KMIP connectivity or install a KMIP client on the installation node.

HSM CONFIGURATION

HSM CONFIGURATION is a section of the inventory file.
None
# HSM CONFIGURATION

hsm_so_pin=safest
hsm_user_pin=safest
hsm_slot=0
hsm_lib_cfg_env_var=COMPAT_MODE=3
hsm_lib_file=/usr/local/bin/fxpkcs11/libfxpkcs11.so
You need a software or hardware-based HSM for key storage. To use the Vectera Plus HSM for hardware-based key storage, set the values for each of the following parameters:
VariableDescription
hsm_so_pinPassword of identity created on the Vectera Plus and set inside the Futurex PKCS #11 (FXPKCS11) configuration file.
hsm_user_pinPassword of identity created on the Vectera Plus and set inside the Futurex PKCS #11 (FXPKCS11) configuration file.
hsm_slotSlot number configured in the FXPKCS11 configuration file (fxpkcs11.cfg). The slot number is 0 by default.
hsm_lib_cfg_env_varSpecify COMPAT_MODE=3 exactly.
hsm_lib_filePath and filename for the FXPKCS11 module.

NODE FUNCTIONS

NODE FUNCTIONS is a section of the inventory file.
None
# NODE FUNCTIONS

[ca_master]
target01
[kmip]
target01
target02
[kmip_master]
target01
[slave]
target01
target02
target03
[license_server]
target04
[zookeeper]
target01
target02
target03
The values for the bracketed elements in this section indicate the function a node has in the deployment. Be sure that these settings agree with the other values in this file.
Bracketed elementDescription
[ca_master] The node that stores licenses and generates the CA. If using an external CA, set this value to a node within the cluster.
[kmip] List of the KMIP server and backup server nodes. The first entry must be the kmip_master. Ignore when using an external KMIP server.
[kmip_master] The KMIP master node. Must be the same as kmip_master_ip. Ignore when using an external KMIP server.
[slave] List of the nodes that have encrypted partitions.
[license_server]List of the nodes where the License server should be installed. Must not intersect with [kmip] or [slave] nodes.
[zookeeper]List of the zookeeper nodes used when KMIP HA is enabled. List at least three nodes. These nodes cannot be members of the [kmip] group.