Configure the inventory file
The inventory file, hosts.inv, sets the configuration properties for the installation. The Zettaset software includes an annotated sample file, hosts.inv.example. This section provides additional information.
In the ALL NODES section, list each node in your deployment using hostnames or IP addresses. For each node, include the following variables:
- encrypted_blockdev: Enter the block device to be encrypted (such as /dev/sdb1). Disk partition name is expected. To use disk partition labels, set use_labels=true.
- encrypted_mountpoint: Enter a mount point for the device (such as /data1). The mount point must exist before the installation.
- encrypted_mountnames: Enter a partition name. Each name must be unique for each partition on the node. (such as crypt1)
- encrypted_preserve: Use one of the following values:
- y: Preserves existing data. Mount the file system before performing the installation. If the partition is not mounted, the data wis overwritten. The partition must also be unmountable. If a process prevents the unmount, encryption cannot start. Only ext file systems can be preserved.
- n: Does not preserve existing data. You must unmount the partition.
- w: Securely wipes the partition before the new encrypted file system is created. You must unmount the partition.
- fstype - Must be set to the type of file system to make when encrypted_preserve is y or w. Must be set to the existing file system type when encrypted_preserve=n. Typical file system types include ext4 and xfs.
- newfsargs - A string of arguments to pass to the MKFS command. If there are spaces between multiple arguments, surround the string in double quotes (for example "-b 2048 -d su=64k,sw=4"). When no arguments are to be passed, set this value to none.
- mountargs - A string of mount options to pass to the crypt_mount.sh script. If there are spaces between multiple arguments, surround the string in double quotes (for example, "noatime,inode64,allocsize=16m"). When no arguments are to be passed, set this value to none.
- kmip_client_jks - The location of the keystore that contains the client certificate. The keystore must be in this location on the installer node before installation.
- kmip_client_jks_password - The password for the jks file.
When encrypting multiple partitions on a node, use commas to separate values.
For newfsargs, use colons to separate values. Include values for all settings. For example:
The preceding hostnames must resolve. If some nodes are separated by a proxy (similar to deploying to nodes in Skytap from your laptop), use the ansible_ssh_host and ansible_ssh_port variables. Otherwise, do not use those variables.
Displays the product name.
Include the full path to the license file.
Set to true to enable FIPS 140 mode. All ZTS processes run in FIPS mode. fips_mode set to true is currently only supported for OS versions 7.x and later.
By default, the Zettaset software expects the encrypted_blockdev value used above to point to a disk partition, such as /dev/sdb. To use disk partition labels instead, set use_labels=true.
You need a CA to authenticate nodes within your deployment. To use your pre-defined CA, set internal_ca=false and enter the full path to the CA pem file in external_ca_cert_source. This is the location of the CA pem file on the installer node.
While using an external CA, you can ignore the ca_org_* values.
You need a KMIP server server to process key requests. To use an external KMIP server, set internal_kmip=false, and set the kmip_master_ip and kmip_master_port to point to your third-party device.
Use kmip_client_timeout to configure the timeout setting, or keep the default value of 300000.
When using an external KMIP server, use kmip_client_jks_test and kmip_client_jks_passwd to enter the jks path and password and check the KMIP server connectivity before installing XCrypt. These values install a KMIP client on the installation node. Leave these values blank if you do not need to check external KMIP connectivity or install a KMIP client on the installation node.
A software or hardware-based HSM is necessary for key storage. To use the Vectera Plus HSM for hardware-based key storage, set the values for each of the following parameters:
- hsm_so_pin and hsm_user_pin: Password for the identity created on the Vectera Plus and set inside the PKCS #11 (FXPKCS11) configuration file.
- hsm_slot: Slot number configured in the FXPKCS11 configuration file, fxpkcs11.cfg. The slot number is 0 by default.
- hsm_lib_cfg_env_var: Specify COMPAT_MODE=3.
- hsm_lib_file: Path and filename for the FXPKCS11 module.
The bracketed values indicate functions a node has at deployment. Ensure that these settings agree with the other values in this file.
[ca_master] - The node that stores licenses and generates the CA. If using an external CA, set this value to a node within the cluster.
[kmip] - List of the KMIP server and backup server nodes. The first entry must be the kmip_master. Comment out when using an external KMIP server.
[kmip_master] - The KMIP master node. Must be the same as kmip_master_ip. Comment out when using an external KMIP server.
[slave] - List of the nodes that have encrypted partitions.
[license_server] - List of the nodes where you plan to install the License server. Must not intersect with [kmip] or [slave] nodes.
[zookeeper] - List of the zookeeper nodes used when you enable KMIP HA. List at least three nodes. These nodes cannot be members of the [kmip] group.