Zettaset XCrypt Full Disk deployment prerequisites
The following sections show how to install the prerequisite software online or offline.
Perform the following steps on each target node in your deployment:
Confirm that the operating system is either CentOS or RHEL 6.x - 9.0 by viewing /etc/redhat-release:
Confirm that the installled java version is 1.7 or later:
Install libselinux-python, 2.0.94 or later:
Install cryptsetup if the OS is CentOS or RHEL 6.x:
Confirm that the installed wget version is 1.12 or later:
Install wget, if needed:
Confirm that netstat is installed:
Install netstat if needed:
Update nss. This application must be version 3.21 or later.
If encrypting an xfs file system, install the xfsprogs and xfsdump libraries on the node running xfs. You must unmount the xfs partitions before installing Zettaset XCrypt Full Disk.
Open the ports used by your Key Manager. For example, when using the Zettaset software-based Key Manager, open ports 6666 and 8789:
When using iptables, run the following commands:
When using firewalld, run the following commands:
If using an external, third-party Key Manager, ensure that the necessary ports are open in your cluster.
When enabling KMIP HA on CentOS or RHEL 7.x, open ports 2181, 2888, 3888 on the [zookeeper] nodes to establish communication between those devices. For example, if using firewalld, run the following commands:
Then, run the following commands to open port 24007 and one port per [kmip] node starting from 49152 on the [kmip] nodes.
Open the port used by the PKCS #11 (FXPKCS11) library to connect to the Vectera Plus HSM. The default Excrypt/Production port on our HSMs is port 9100.
When using iptables, run the following commands:
When using firewalld, run the following commands:
Install the Java Cryptography Extension (JCE) unlimited strength jurisdiction policy files:
Download the file from https://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
or
Then, extract the jar files and install them in $JAVA_HOME/lib/security.
We support FIPS mode only in CentOS or RHEL 7.x and later. If you set fips_mode to true, confirm that the FIPS version openssl installed on all nodes is at least version 1.0.1.e-fips.
You must open a License Server port. The default is 21800. To change the default value, edit the following files:
- /usr/share/zts/config/license-config.xml (on the License Server nodes)
- /etc/zts/conf.default/license-server_ssl.xml (on the slave nodes)
Perform the following steps on the installer node, installer01 in the following code.
Establish ssh trust between the installer node and all target nodes. This prevents errors when running ssh commands. To create ssh trust:
Generate an ssh key for the installer, if not already present:
Distribute the key to each target node:
In addition to copying the ssh key to the KMIP primary and secondary nodes, also copy the ssh key to the installer node itself.
Install ansible (any version between 1.7.2 and 2.4.2.0) on the installer node:
Install the Zettaset archive and license files:
Extract the archive:
Copy hosts.inv.example to hosts.inv:
When deploying Zettaset XCrypt Full Disk to a cluster that does not have access to the internet or a central package repository, use the Zettaset pre-installer to install the required RPMs.
To use the pre-installer:
Copy the tar.gz file to all nodes on which the Zettaset software is deployed and the node that serves as the Zettaset XCrypt Full Disk installer node.
Extract the archive file on each node:
Prepare the installer node by executing the following command:
This command installs the RPMs needed to run the Zettaset XCrypt Full Disk installation.
Prepare the nodes in the Zettaset deployment by executing the following command on each node:
This command installs the RPMs required by the Zettaset deployment.
You can then continue with the Zettaset XCrypt Full Disk installation.