Select one of the following options and perform the steps to install the Zettaset XCrypt Full Disk prerequisites either online or offline, and then continue with the Zettaset XCrypt Full Disk installation.

Install prerequisites online

Perform the following steps on each target node in your deployment:
1
Run the following command to confirm that the operating system is either CentOS or RHEL 6.x - 9.0 by viewing /etc/redhat-release:
Shell
cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
2
Confirm that the Java installation is 1.7 or later.
Shell
java -version
java version "1.7.0"
3
Install libselinux-python, 2.0.94 or later.
Shell
yum install libselinux-python -y
4
If you use CentOS or RHEL 6.x, install cryptsetup.
Shell
yum install cryptsetup-luks -y
5
Confirm that the wget installation is 1.12 or later.
Shell
wget --version
If it’s not installed, run the following command to install it:
Shell
yum install wget -y
6
Confirm that netstat is installed.
Shell
netstat --version
If it’s not installed, run the following command to install it:
Shell
yum install net-tools -y # netstat is provided by the net-tools package
7
Update nss, which must be version 3.21 or later.
Shell
yum update nss -y
8
If encrypting an xfs file system, install xfsprogs and xfsdump libraries on the node running xfs. Unmount the xfs partitions before installing Zettaset XCrypt Full Disk.
9
Open the ports used by your Key Manager. For example, when using the Zettaset software-based Key Manager, open ports 6666 and 8789.
When using iptables, run the following commands:
Shell
iptables -I INPUT -p tcp --dport 6666 --syn -j ACCEPT
iptables -I INPUT -p tcp --dport 8789 --syn -j ACCEPT
service iptables save
service iptables restart
iptables -L -n # confirm
When using firewalld, run the following commands:
Shell
firewall-cmd --get-active-zones # use the active zone
firewall-cmd --zone=public --add-port=6666/tcp --permanent
firewall-cmd --zone=public --add-port=8789/tcp --permanent
firewall-cmd --reload
firewall-cmd --list-all # confirm
If using an external, third-party Key Manager, ensure that the necessary ports are open in your cluster.
10
When enabling KMIP HA on CentOS or RHEL 7.x, open ports 2181, 2888, and 3888 on the [zookeeper] nodes to establish communication between those devices. For example, if using firewalld:
Shell
firewall-cmd --zone=public --add-port=2181/tcp --permanent
firewall-cmd --zone=public --add-port=2888/tcp --permanent
firewall-cmd --zone=public --add-port=3888/tcp --permanent
firewall-cmd --reload
firewall-cmd --list-all # confirm
Then open port 24007 and one port per [kmip] node starting from 49152 on the [kmip] nodes.
Shell
firewall-cmd --zone=public --add-port=24007/tcp --permanent
firewall-cmd --zone=public --add-port=49152-49154/tcp --permanent # example: three [kmip] nodes
firewall-cmd --reload
11
Open the port used by the Futurex PKCS #11 (FXPKCS11) library to connect to the Vectera Plus HSM. The default Excrypt production port on Futurex HSMs is port 9100.
When using iptables, run the following commands:
Shell
iptables -I INPUT -p tcp --dport 9100 --syn -j ACCEPT
service iptables save
service iptables restart
iptables -L -n # confirm
When using firewalld, run the following commands:
Shell
firewall-cmd --get-active-zones # use the active zone
firewall-cmd --zone=public --add-port=9100/tcp --permanent
firewall-cmd --reload
firewall-cmd --list-all # confirm
12
Install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files:
  1. Download the file from https://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html or https://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
  2. Extract the jar files and install them in $JAVA_HOME/lib/security.
13
Only CentOS or RHEL 7.x and later support FIPS mode. If you set fips_mode to true, confirm that the FIPS version of openssl installed on all nodes is 1.0.1e-fips or later.
14
You must open a License Server port (the default is 21800). To change the default value, edit the following files:
  • /usr/share/zts/config/license-config.xml (on the License Server nodes)
  • /etc/zts/conf.default/license-server_ssl.xml (on the slave nodes)
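To confirm the firewall changes from the port steps above, this added example (not part of the Zettaset documentation) reports which required TCP ports are missing from a firewalld zone's port list, including ports that are only covered by a range. The function names and the sample port list are constructed; the sample assumes three [kmip] nodes.

```shell
#!/usr/bin/env bash
# Added example: audit a firewalld port list against the ports named above.

# port_is_open PORT "LIST": succeed if PORT/tcp appears in LIST, either as a
# single entry ("6666/tcp") or inside a range ("49152-49154/tcp").
port_is_open() {
    local want=$1 entry spec lo hi
    for entry in $2; do
        [ "${entry##*/}" = "tcp" ] || continue   # skip udp/sctp entries
        spec=${entry%/*}
        lo=${spec%-*}; hi=${spec#*-}              # single port: lo == hi
        if [ "$want" -ge "$lo" ] && [ "$want" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# missing_ports "LIST" PORT...: print the required ports that are not open.
missing_ports() {
    local list=$1 p out=""
    shift
    for p in "$@"; do
        port_is_open "$p" "$list" || out="$out $p"
    done
    echo "${out# }"
}

# Constructed sample of `firewall-cmd --zone=public --list-ports` output.
SAMPLE_PORTS="22/tcp 6666/tcp 2181/tcp 2888/tcp 24007/tcp 49152-49154/tcp 9100/udp"

# On a real node, audit the live zone instead of the sample:
#   ./port_audit.sh --live
if [ "${1:-}" = "--live" ]; then
    missing_ports "$(firewall-cmd --zone=public --list-ports)" 6666 8789 21800
fi
```

An empty result means every listed port is open in that zone; a port opened only for UDP (as 9100 is in the sample) is still reported as missing.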
Perform the following steps on the installer node, referred to as installer01 in the code samples:
1
Establish ssh trust between the installer node and all target nodes. This prevents errors when running ssh commands. To create ssh trust, perform the following steps:
  1. To generate an ssh key for the installer, if not already present, run: ssh-keygen.
  2. To distribute the key to each target node, run the following commands. In addition to copying the ssh key to the KMIP primary and secondary nodes, also copy it to the installer node.
Shell
ssh-copy-id target01
ssh-copy-id target02
ssh-copy-id target03
2
Install ansible (any version between 1.7.2 and 2.4.2.0) on the installer node:
Shell
yum install python36-devel markupsafe epel-release gcc ansible -y
easy_install pip==1.5.6
pip install paramiko PyYAML jinja2 httplib2
pip install ansible==2.3.0
3
Install the Zettaset archive and license files:
Shell
scp -P 22 zts-xcrypt-full-disk-8.5.2.tar.gz root@installer01:/opt
scp -P 22 sample.license root@installer01:/opt
4
Extract the archive:
Shell
ssh installer01
cd /opt
tar zxvf zts-xcrypt-full-disk-8.5.2.tar.gz
5
Copy hosts.inv.example to hosts.inv.
Shell
cd /opt/zettaset/xcrypt-full-disk/8.5.2
cp hosts.inv.example hosts.inv
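The version minimums for the target nodes and the ansible version range for the installer node can be checked in one pass. This added example is not Zettaset's code; the function names are hypothetical, the package names are the ones given in the steps above, and version ordering relies on GNU `sort -V`.

```shell
#!/usr/bin/env bash
# Added example, not vendor code. Function names are hypothetical.

# version_ge A B: succeed if A >= B in version order (GNU sort -V), so that
# 3.9 is correctly treated as older than 3.21.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# check_range NAME FOUND MIN [MAX]: print one PASS/FAIL line for a component.
check_range() {
    local name=$1 found=$2 min=$3 max=${4:-}
    if [ -z "$found" ]; then
        echo "FAIL $name: not installed"; return 1
    fi
    if ! version_ge "$found" "$min"; then
        echo "FAIL $name $found: older than $min"; return 1
    fi
    if [ -n "$max" ] && ! version_ge "$max" "$found"; then
        echo "FAIL $name $found: newer than $max"; return 1
    fi
    echo "PASS $name $found"
}

# rpm_version PKG: print the installed RPM version, or nothing if absent.
rpm_version() {
    rpm -q "$1" >/dev/null 2>&1 || return 0
    rpm -q --qf '%{VERSION}\n' "$1" | head -n1
}

# preflight ROLE ("target" or "installer"): returns the number of failed checks.
preflight() {
    local fails=0 v
    if [ "$1" = "installer" ]; then
        v=$(ansible --version 2>/dev/null | awk 'NR==1 {print $2}')
        check_range ansible "$v" 1.7.2 2.4.2.0 || fails=$((fails + 1))
        return "$fails"
    fi
    v=$(java -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n1)
    check_range java "$v" 1.7 || fails=$((fails + 1))
    check_range libselinux-python "$(rpm_version libselinux-python)" 2.0.94 || fails=$((fails + 1))
    check_range wget "$(rpm_version wget)" 1.12 || fails=$((fails + 1))
    check_range nss "$(rpm_version nss)" 3.21 || fails=$((fails + 1))
    return "$fails"
}

# Run only when asked, e.g.:  ./preflight.sh target
if [ -n "${1:-}" ]; then preflight "$1"; fi
```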

Install prerequisites offline

When deploying Zettaset XCrypt Full Disk to a cluster that does not have access to the internet or a central package repository, use the Zettaset pre-installer to install the required RPMs. To use the pre-installer:
1
Copy the tar.gz file to all nodes on which you plan to deploy the Zettaset software and to the node that serves as the Zettaset XCrypt Full Disk installer node.
2
Extract the archive file on each node:
Shell
tar -xvf zts-offline-preinstall.tar.gz
3
Prepare the installer node by executing the following command:
Shell
./preinstall.py ansible.lst
This command installs the RPMs needed to run the Zettaset XCrypt Full Disk installation.
4
Prepare the nodes in the Zettaset deployment by executing the following command on each node:
Shell
./preinstall.py deps.lst
This command installs the RPMs required by the Zettaset deployment.