Install the Zettaset XCrypt Full Disk deployment prerequisites

Select one of the following options and perform the steps to install the Zettaset XCrypt Full Disk prerequisites either online or offline:

Install prerequisites online
Install prerequisites offline

Perform the following steps on each target node in your deployment:

1. Confirm that the operating system is either CentOS or RHEL 6.x - 9.0 by viewing /etc/redhat-release:

2. Confirm that the java installation is 1.7 or later.

3. Install libselinux-python, 2.0.94 or later.

4. If you use CentOS or RHEL 6.x, install cryptsetup.

5. Confirm that the wget installation is 1.12 or later.

   If it's not installed, run the following command to install it:

6. Confirm that netstat is installed.

   If it's not installed, run the following command to install it:

7. Update nss, which must be version 3.21 or later.

8. If encrypting an xfs file system, install the xfsprogs and xfsdump libraries on the node running xfs. Unmount the xfs partitions before installing Zettaset XCrypt Full Disk.

9. Open the ports used by your Key Manager. For example, when using the Zettaset software-based Key Manager, open ports 6666 and 8789:

   When using iptables, run the following commands:

   When using firewalld, run the following commands:

   If using an external, third-party Key Manager, ensure that the necessary ports are open in your cluster.

10. When enabling KMIP HA on CentOS or RHEL 7.x, open ports 2181, 2888, and 3888 on the [zookeeper] nodes to establish communication between those devices. For example, if using firewalld:

    Then open port 24007 and one port per [kmip] node starting from 49152 on the [kmip] nodes.

11. Open the port used by the PKCS #11 (FXPKCS11) library to connect to the HSM. The default Excrypt production port on HSMs is port 9100.

    When using iptables, run the following commands:

    When using firewalld, run the following commands:

12. Install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files:

13. Only CentOS or RHEL 7.x and later support FIPS mode.

    If you set fips_mode to true, confirm that the FIPS version of openssl installed on all nodes is 1.0.1e-fips or later.

14. You must open a License Server port (the default is 21800). To change the default value, edit the following files:

  • /usr/share/zts/config/license-config.xml (on the License Server nodes)
  • /etc/zts/conf.default/license-server_ssl.xml (on the slave nodes)
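
The version minimums in the target-node steps above can be checked in one pass before installation. The following script is an added example, not Zettaset's own tooling: its function names and FAIL report format are assumptions, it relies on GNU sort -V for version comparison, and it queries the package names exactly as this page gives them.

```bash
#!/usr/bin/env bash
# Added example: preflight check of the target-node minimums listed above.
# Function names and the FAIL report format are assumptions of this example.

# ver_ge A B: succeed when version A >= B, compared numerically per field.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# os_supported FILE: FILE is a redhat-release file; accept CentOS/RHEL 6.x - 9.0.
os_supported() {
    grep -Eq '^(CentOS|Red Hat Enterprise Linux)' "$1" || return 1
    os_v=$(sed -n 's/.* release \([0-9][0-9.]*\).*/\1/p' "$1" | head -n1)
    [ -n "$os_v" ] && ver_ge "$os_v" 6 && ver_ge 9.0 "$os_v"
}

# parse_java_version: read `java -version` output on stdin, print the version.
parse_java_version() {
    sed -n 's/.* version "\([^"]*\)".*/\1/p' | head -n1
}

# rpm_min PKG MIN: succeed when PKG is installed at version MIN or later.
rpm_min() {
    rpm -q "$1" >/dev/null 2>&1 || return 1
    rpm_v=$(rpm -q --qf '%{VERSION}\n' "$1" | head -n1)
    ver_ge "$rpm_v" "$2"
}

# preflight: run every check, report each failure, return non-zero if any failed.
preflight() {
    rc=0
    os_supported /etc/redhat-release || { echo "FAIL os: need CentOS/RHEL 6.x - 9.0"; rc=1; }
    java_v=$(java -version 2>&1 | parse_java_version)
    { [ -n "$java_v" ] && ver_ge "$java_v" 1.7; } || { echo "FAIL java: need 1.7 or later"; rc=1; }
    for spec in libselinux-python:2.0.94 wget:1.12 nss:3.21; do
        rpm_min "${spec%%:*}" "${spec#*:}" || { echo "FAIL ${spec%%:*}: need ${spec#*:} or later"; rc=1; }
    done
    command -v netstat >/dev/null 2>&1 || { echo "FAIL netstat: not installed"; rc=1; }
    return "$rc"
}

# Run on a target node with: bash preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```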

Perform the following steps on the installer node, referred to as installer01 in the code samples:

1. Establish ssh trust between the installer node and all target nodes. This prevents errors when running ssh commands. To create ssh trust, perform the following steps:

     1. To generate an ssh key for the installer, if not already present, run: ssh-keygen.
     2. To distribute the key to each target node, run the following commands:

   In addition to copying the ssh key to the KMIP primary and secondary nodes, also copy it to the installer node.

2. Install ansible (any version between 1.7.2 and 2.4.2.0) on the installer node:

3. Install the Zettaset archive and license files:

4. Extract the archive:

5. Copy hosts.inv.example to hosts.inv.


You can then continue with the Zettaset XCrypt Full Disk installation.