Install the Zettaset XCrypt Full Disk deployment prerequisites
Select one of the following options and perform the steps to install the Zettaset XCrypt Full Disk prerequisites, either online or offline.

Perform the following steps on each target node in your deployment:

1. Confirm that the operating system is either CentOS or RHEL 6.x - 9.0 by viewing `/etc/redhat-release`.

   ```
   cat /etc/issue.net
   CentOS Linux release 7.2.1511 (Core)
   ```

2. Confirm that the Java installation is 1.7 or later.

   ```
   java -version
   java version "1.7.0"
   ```

3. Install `libselinux-python`, 2.0.94 or later.

   ```
   yum install libselinux-python -y
   ```

4. If you use CentOS or RHEL 6.x, install `cryptsetup`.

   ```
   yum install cryptsetup-luks -y
   ```

5. Confirm that the `wget` installation is 1.12 or later.

   ```
   wget --version
   ```

   If it's not installed, run the following command to install it:

   ```
   yum install wget -y
   ```

6. Confirm that `netstat` is installed.

   ```
   netstat --version
   ```

   If it's not installed, run the following command to install it:

   ```
   yum install netstat -y
   ```

7. Update `nss`, which must be version 3.21 or later.

   ```
   yum update nss -y
   ```

8. If encrypting an XFS file system, install the `xfsprogs` and `xfsdump` libraries on the node running XFS. Unmount the XFS partitions before installing Zettaset XCrypt Full Disk.

9. Open the ports used by your key manager. For example, when using the Zettaset software-based key manager, open ports 6666 and 8789.

   When using `iptables`, run the following commands:

   ```
   iptables -I INPUT -p tcp --dport 6666 --syn -j ACCEPT
   iptables -I INPUT -p tcp --dport 8789 --syn -j ACCEPT
   service iptables save
   service iptables restart
   iptables -L -n   # confirm
   ```

   When using `firewalld`, run the following commands:

   ```
   firewall-cmd --get-active-zones   # use the active zone
   firewall-cmd --zone=public --add-port=6666/tcp --permanent
   firewall-cmd --zone=public --add-port=8789/tcp --permanent
   firewall-cmd --reload
   firewall-cmd --list-all   # confirm
   ```

   If using an external, third-party key manager, ensure that the necessary ports are open in your cluster.

10. When enabling KMIP HA on CentOS or RHEL 7.x, open ports 2181, 2888, and 3888 on the [zookeeper] nodes to establish communication between those devices. For example, if using `firewalld`:

    ```
    firewall-cmd --zone=public --add-port=2181/tcp --permanent
    firewall-cmd --zone=public --add-port=2888/tcp --permanent
    firewall-cmd --zone=public --add-port=3888/tcp --permanent
    firewall-cmd --reload
    firewall-cmd --list-all   # confirm
    ```

    Then open port 24007 and one port per [kmip] node, starting from 49152, on the [kmip] nodes:

    ```
    firewall-cmd --zone=public --add-port=24007/tcp --permanent
    firewall-cmd --zone=public --add-port=49152-49154/tcp --permanent
    firewall-cmd --reload
    ```

11. Open the port used by the Futurex PKCS #11 (FXPKCS11) library to connect to the Vectera HSM. The default Excrypt production port on Futurex HSMs is port 9100.

    When using `iptables`, run the following commands:

    ```
    iptables -I INPUT -p tcp --dport 9100 --syn -j ACCEPT
    service iptables save
    service iptables restart
    iptables -L -n   # confirm
    ```

    When using `firewalld`, run the following commands:

    ```
    firewall-cmd --get-active-zones   # use the active zone
    firewall-cmd --zone=public --add-port=9100/tcp --permanent
    firewall-cmd --reload
    firewall-cmd --list-all   # confirm
    ```

12. Install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. Download the file from https://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html or https://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html. Extract the JAR files and install them in `$JAVA_HOME/lib/security`.

13. Only CentOS or RHEL 7.x and later support FIPS mode. If you set FIPS mode to true, confirm that the FIPS version of OpenSSL installed on all nodes is 1.0.1e-fips or later.

14. You must open a license server port (the default is 21800). To change the default value, edit the following files:

    - `/usr/share/zts/config/license-config.xml` (on the license server nodes)
    - `/etc/zts/conf.default/license-server-ssl.xml` (on the slave nodes)

Perform the following steps on the installer node, referred to as `installer01` in the code samples:

1. Establish SSH trust between the installer node and all target nodes. This prevents errors when running SSH commands. To create SSH trust, perform the following steps:

   1. To generate an SSH key for the installer, if not already present, run:

      ```
      ssh-keygen
      ```

   2. To distribute the key to each target node, run the following commands. In addition to copying the SSH key to the KMIP primary and secondary nodes, also copy it to the installer node.

      ```
      ssh-copy-id target01
      ssh-copy-id target02
      ssh-copy-id target03
      ```

2. Install Ansible (any version between 1.7.2 and 2.4.2.0) on the installer node.

   ```
   yum install python36-devel markupsafe epel-release gcc ansible -y
   easy_install pip==1.5.6
   pip install paramiko pyyaml jinja2 httplib2
   pip install ansible==2.3.0
   ```

3. Install the Zettaset archive and license files.

   ```
   scp -P 22 zts-xcrypt-full-disk-8.5.2.tar.gz root@installer01:/opt
   scp -P 22 sample.license root@installer01:/opt
   ```

4. Extract the archive.

   ```
   ssh installer01
   cd /opt
   tar zxvf zts-xcrypt-full-disk-8.5.2.tar.gz
   ```

5. Copy `hosts.inv.example` to `hosts.inv`.

   ```
   cd /opt/zettaset/xcrypt-full-disk/8.5.2
   cp hosts.inv.example hosts.inv
   ```

When deploying Zettaset XCrypt Full Disk to a cluster that does not have access to the internet or a central package repository, use the Zettaset pre-installer to install the required RPMs. To use the pre-installer:

1. Copy the `tar.gz` file to all nodes on which you plan to deploy the Zettaset software and to the node that serves as the Zettaset XCrypt Full Disk installer node.

2. Extract the archive file on each node.

   ```
   tar xvf zts-offline-preinstall.tar.gz
   ```

3. Prepare the installer node by executing the following command:

   ```
   ./preinstall.py ansible.lst
   ```

   This statement installs the RPMs needed to run the Zettaset XCrypt Full Disk installation.

4. Prepare the nodes in the Zettaset deployment by executing the following command on each node:

   ```
   ./preinstall.py deps.lst
   ```

   This statement installs the RPMs required by the Zettaset deployment.

You can then continue with the Zettaset XCrypt Full Disk installation.
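The version minimums from the target-node steps above can be checked in one pass before starting the installer. The script below is an added example, not part of the Zettaset documentation; the helper names and the `--run` and `FIPS` switches are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: preflight check of the target-node version minimums on this page.
# Helper names are hypothetical; they are not Zettaset tooling.

# version_ge HAVE WANT: true when HAVE >= WANT under version ordering (sort -V),
# so that 1.12 is treated as newer than 1.9.
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# Each *_version_of filter reads tool output on stdin and prints the bare version.
java_version_of()    { sed -n 's/.* version "\([^"]*\)".*/\1/p' | head -n1; }
wget_version_of()    { sed -n '1s/^GNU Wget \([0-9][0-9.]*\).*/\1/p'; }
openssl_version_of() { awk 'NR == 1 { print $2 }'; }

# rpm_version PKG: prints the installed version, or nothing if PKG is absent
# (rpm reports "package X is not installed" on stdout, so gate on its exit code).
rpm_version() {
    local v
    v=$(rpm -q --qf '%{VERSION}' "$1" 2>/dev/null) && printf '%s\n' "$v"
}

# check NAME HAVE WANT: report one prerequisite; non-zero when missing or too old.
check() {
    case "$2" in
        [0-9]*) if version_ge "$2" "$3"; then
                    echo "PASS $1 $2 (>= $3)"; return 0
                fi ;;
    esac
    echo "FAIL $1 '${2:-not found}' (need >= $3)"; return 1
}

preflight() {
    local rc=0
    check java "$(java -version 2>&1 | java_version_of)"         1.7    || rc=1
    check wget "$(wget --version 2>/dev/null | wget_version_of)" 1.12   || rc=1
    check nss  "$(rpm_version nss)"                              3.21   || rc=1
    check libselinux-python "$(rpm_version libselinux-python)"   2.0.94 || rc=1
    # Only relevant when FIPS mode is set to true; compares the version string only.
    if [ "${FIPS:-false}" = true ]; then
        check openssl "$(openssl version 2>/dev/null | openssl_version_of)" \
            1.0.1e-fips || rc=1
    fi
    return "$rc"
}

# Run on a target node with:  bash preflight.sh --run   (FIPS=true adds OpenSSL)
if [ "${1:-}" = "--run" ]; then preflight; fi
```

A non-zero exit from `preflight` means at least one prerequisite is missing or older than the minimum, which makes the script usable as a gate in the Ansible run or over the SSH trust set up on the installer node.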