Zettaset XCrypt Full Disk Deployment Prerequisites

1min
Select whether to install prerequisites online or offline and follow the instructions:
Install prerequisites online
Install prerequisites offline
Perform the following steps on each target node in your deployment:
1
Confirm that the operating system is either CentOS or RHEL 6.x - 9.0 by viewing /etc/redhat-release:
Text
$ cat /etc/issue.net
CentOS Linux release 7.2.1511 (Core)
$ cat /etc/issue.net
CentOS Linux release 7.2.1511 (Core)
﻿
2
Confirm that java, 1.7 or later, is installed:
Text
$ java -version
java version "1.7.0"
$ java -version
java version "1.7.0"
﻿
3
Install libselinux-python, 2.0.94 or later.
Text
$ yum install libselinux-python -y
$ yum install libselinux-python -y
﻿
4
Install cryptsetup if OS is CentOS or RHEL 6.x:
Text
$ yum install cryptsetup-luks -y
$ yum install cryptsetup-luks -y
﻿
5
Confirm that wget, 1.12 or later, is installed:
Text
$ wget --version
$ wget --version
﻿
Install if needed:
Text
$ yum install wget -y
$ yum install wget -y
﻿
6
Confirm that netstat is installed:
Text
$ netstat --version
$ netstat --version
﻿
Install if needed:
Text
$ yum install netstat -y
$ yum install netstat -y
﻿
7
Update nss, which must be version 3.21 or later.
Text
yum update nss -y
yum update nss -y
﻿
8
If encrypting an xfs file system, xfsprogs and xfsdump libraries must be installed on the node running xfs. The xfs partitions must be unmounted before installing Zettaset XCrypt Full Disk.
9
Open the ports used by your Key Manager. For example, when using the Zettaset software-based Key Manager open ports 6666 and 8789:
When using iptables:
Text
$ iptables -I INPUT -p tcp --dport 6666 --syn -j ACCEPT
$ iptables -I INPUT -p tcp --dport 8789 --syn -j ACCEPT
$ service iptables save
$ service iptables restart
$ iptables -L -n # confirm
$ iptables -I INPUT -p tcp --dport 6666 --syn -j ACCEPT
$ iptables -I INPUT -p tcp --dport 8789 --syn -j ACCEPT
$ service iptables save
$ service iptables restart
$ iptables -L -n # confirm
﻿
When using firewalld:
Text
$ firewall-cmd --get-active-zones # use the active zone
$ firewall-cmd --zone=public --add-port=6666/tcp --permanent
$ firewall-cmd --zone=public --add-port=8789/tcp --permanent
$ firewall-cmd --reload
$ firewall-cmd --list-all # confirm
$ firewall-cmd --get-active-zones # use the active zone
$ firewall-cmd --zone=public --add-port=6666/tcp --permanent
$ firewall-cmd --zone=public --add-port=8789/tcp --permanent
$ firewall-cmd --reload
$ firewall-cmd --list-all # confirm
﻿
If using an external, third-party Key Manager, ensure that the necessary ports are open in your cluster.
10
When enabling KMIP HA on CentOS or RHEL 7.x, open ports 2181, 2888, 3888 on the zookeeper nodes to establish communication between those devices. For example, if using firewalld:
Text
$ firewall-cmd --zone=public --add-port=2181/tcp --permanent
$ firewall-cmd --zone=public --add-port=2888/tcp --permanent
$ firewall-cmd --zone=public --add-port=3888/tcp --permanent
$ firewall-cmd --reload
$ firewall-cmd --list-all # confirm
$ firewall-cmd --zone=public --add-port=2181/tcp --permanent
$ firewall-cmd --zone=public --add-port=2888/tcp --permanent
$ firewall-cmd --zone=public --add-port=3888/tcp --permanent
$ firewall-cmd --reload
$ firewall-cmd --list-all # confirm
﻿
Then open port 24007 and one port per [kmip] node starting from 49152 on the [kmip] nodes.
Text
$ firewall-cmd --zone=public --add-port=24007/tcp --permanent
$ firewall-cmd --zone=public --add-port=29152-29154/tcp --permanent
$ firewall-cmd --reload
$ firewall-cmd --zone=public --add-port=24007/tcp --permanent
$ firewall-cmd --zone=public --add-port=29152-29154/tcp --permanent
$ firewall-cmd --reload
﻿
11
Open the port used by the Futurex PKCS #11 (FXPKCS11) library to connect to the . The default  Host API port is 2001.
When using iptables:
Text
$ iptables -I INPUT -p tcp --dport 2001 --syn -j ACCEPT
$ service iptables save
$ service iptables restart
$ iptables -L -n # confirm
$ iptables -I INPUT -p tcp --dport 2001 --syn -j ACCEPT
$ service iptables save
$ service iptables restart
$ iptables -L -n # confirm
﻿
When using firewalld:
Text
$ firewall-cmd --get-active-zones # use the active zone
$ firewall-cmd --zone=public --add-port=2001/tcp --permanent
$ firewall-cmd --reload
$ firewall-cmd --list-all # confirm
$ firewall-cmd --get-active-zones # use the active zone
$ firewall-cmd --zone=public --add-port=2001/tcp --permanent
$ firewall-cmd --reload
$ firewall-cmd --list-all # confirm
﻿
12
Install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files:
Download the file from https://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html or https://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html﻿
Extract the jar files and install them in $JAVA_HOME/lib/security.
13
FIPS mode is only supported in CentOS or RHEL 7.x and later. If you are setting fips_mode to true:
Confirm that the FIPS version openssl installed on all nodes is at least version 1.0.1e-fips.
14
A License Server port must be open, the default is 21800. To change the default value, edit the following files:
/usr/share/zts/config/license-config.xml (on the License Server nodes)
/etc/zts/conf.default/license-server_ssl.xml (on the slave nodes)
Perform the following steps on the installer node, referred to as "installer01" in the code samples.
15
Establish ssh trust between the installer node and all target nodes. This prevents errors when running ssh commands. To create ssh trust:
Generate an ssh key for the installer, if not already present:
Distribute the key to each target node:
In addition to copying the ssh key to the KMIP primary and secondary nodes, the ssh key must also be copied to the installer node itself.
16
Install ansible (any version between 1.7.2 and 2.4.2.0) on the installer node:
Text
$ yum install python36-devel markupsafe epel-release gcc ansible -y
$ easy_install pip==1.5.6
$ pip install paramiko PyYAML jinja2 httplib2
$ pip install ansible==2.3.0
$ yum install python36-devel markupsafe epel-release gcc ansible -y
$ easy_install pip==1.5.6
$ pip install paramiko PyYAML jinja2 httplib2
$ pip install ansible==2.3.0
﻿
17
Install the Zettaset archive and license files:
Text
$ scp -P 22 zts-xcrypt-full-disk-9.0.0.tar.gz root@installer01:/opt
$ scp -P 22 sample.license root@installer01:/opt
$ scp -P 22 zts-xcrypt-full-disk-9.0.0.tar.gz root@installer01:/opt
$ scp -P 22 sample.license root@installer01:/opt
﻿
18
Extract the archive:
Text
$ ssh installer01
$ cd /opt
$ tar zxvf zts-xcrypt-full-disk-9.0.0.tar.gz
$ ssh installer01
$ cd /opt
$ tar zxvf zts-xcrypt-full-disk-9.0.0.tar.gz
﻿
19
Copy hosts.inv.example to hosts.inv.
When deploying Zettaset XCrypt Full Disk to a cluster that does not have access to the internet or a central package repository, use the Zettaset pre-installer to install the required RPMs.
To use the pre-installer:
1
Copy the tar.gz file to all of the nodes on which you plan to deploy the Zettaset software and on the node that serves as the Zettaset XCrypt Full Disk installer node.
2
Extract the archive file on each node:
Text
$ tar -xvf zts-offline-preinstall.tar.gz
$ tar -xvf zts-offline-preinstall.tar.gz
﻿
3
Prepare the installer node by executing the following command:
Text
$ ./preinstall.py ansible.lst
$ ./preinstall.py ansible.lst
﻿
This statement installs the RPMs needed to run the Zettaset XCrypt Full Disk installation.
4
Prepare the nodes in the Zettaset deployment by executing the following command on each node:
Text
$ ./preinstall.py deps.lst
$ ./preinstall.py deps.lst
﻿

This statement installs the RPMs required by the Zettaset deployment.
You can now continue with the Zettaset XCrypt Full Disk installation.
Futurex PKCS11 installation and configuration
Configure the inventory file