
Black Box ET1000A User's Manual


Contents

1. Disaster Recovery Install: Using Single Server For Main Site. Main Site: Assign an IP to the Main site installation. Modify the opt scripts policyserver init conf and set the following (Emacs, nano and vi are available on the OS). NOTE: The disasterHost IP should be the IP of the Disaster Recovery server. Disaster Recovery options. When this server will use a disaster recovery site set the following: heartbeatEnabled true disasterEnabled true disasterHost 192.168.80.X (THE IP OF THE DISASTER RECOVERY SERVER) disasterUser pserver disasterPass pserver heartbeatPort 8764. When this server IS the disaster recovery site set the following: disasterServer tru disasterServerUser admin heartbeatInterval 30000 comma separated list of hosts to check: heartbeatHosts. Run the installation script on the Main site: /etc/init.d/policyserver install. Disaster Recovery Site: Assign an IP to the DR site installation. Modify the opt scripts policyserver init conf and set the following (Emacs, nano and vi are available on the OS). NOTE: The heartbeatHosts I
2. Execute the upgrade on the ETM server Non Cluster 18; Upgrade ETM Cluster Instances 21; SCP upgrade file to ETM Cluster 21; Node Shut Down 22; Execute the upgrade on EACH Server in the Cluster in ORDER 22; Start up EACH Server in the Cluster in ORDER 24; Backing Out Of AM upgrades 25; Backup and Restore of EncrypTight Manager 25; General Guidelines 25; Backup components provided by ETM 26; Hardware Server Specifics 26; Drive failures 26; Other hardware component failures 27; Damage to the ETM software or database 27; Damage to the OS or filesystem
3. (Deploy OVF Template dialog, Name and Location: Specify a name and location for the deployed template.) Select Next. You will see the Host Cluster selection. Select the Simulators > vmhost1.blackbox.com. (Figure 7: Host Cluster) Select Next. You will see the Resource Pool selection. Select the vmhost1.blackbox.com > CSM Testing. (Figure 8: Resource Pool) Select Next. You will see
4. above the dd operation for non RAID configured servers also serves as a full filesystem backup It can be performed at important milestones to keep the backup current Procedure 2 Restoring the complete filesystem including the OS Restoring the complete filesystem will depend on how the backup was taken If it was via the example tar command above then restoring would involve untarring the backup like so cd tar xvpfz backup tgz C NOTE If restoring a completely destroyed filesystem on the boot partition the server bootup will have to be done via other media either a CD DVD drive as mentioned at the beginning of this document or a secondary drive if the system is non RAID and the secondary drive holds a backup If using a dd version of backup to restore from the dd operation should be performed in the same manner as was done initially but the if and of arguments should be reversed For example dd if dev sdb of dev sda bs 100M conv notrunc noerror Alternative nix backup methods There are many other methods for backing up and restoring a nix operating system Methods include dar rsync cp scp tar dd clonezilla ghost amanda and many more As mentioned previously it is expected that a customer s IT organization will have already established backup policies and procedures If not or for general reference there are many sites available on the internet that discuss this topic For reference the following ar
5. and install the OVF package from the Internet, or specify a location accessible from your computer, such as a local hard drive, a network share, or a CD/DVD drive. Select the Deploy from file option. Copy and paste the ova link that is generated from the CSM build server. Select Next. You will see the OVF Template Details. (Figure 5: OVF Template Details) Select Next. You will see the Name and Location. Here you will enter a Name for your virtual machine that will be created. Use the following naming convention: INITIALS BUILDNUMBER SERVERNUMBER. Example: So for User XX deploying an ova build 2653 server 1 the name would be XX 2653 AS1. For server 2 of the same build the name would be XX 2653 AS2. For Inventory Location select the Simulators section. (Figure 6: Name and Location)
6. be a bootable Linux CD DVD a recovery CD made from Clonezilla a Ghost recovery DVD or a generic rescue CD or even USB stick such as this EncrypTight Manager Installation Guide 25 Backup components provided by ETM EncrypTight Manager provides mechanisms for backing up its database and also for backing up the ETM software Customers who do not do full server backups regularly can use those tools to ensure that they can recover as close to a point of failure as possible while backing up the minimal amount of data necessary to restore Using these tools also reduces the need for frequent full system backups Database Backup To capture a known good point in time configuration users can take database snapshots It is recommended that this be done each time they deploy a production set of policies at a minimum See procedure 5 below Database Restore To restore to a known good point in time a database backup can be used to restore from See procedure 6 below If restoring an entire cluster this only needs to be done on one node and then the other node should be sync d via the UI ETM Backup A full ETM backup does not need to be performed as frequently as the database backup as the changes to a ETM distribution are much less frequent than changes to the database However whenever changes are made it is advisable to take a backup Such changes would include Upgrading the ETM software Staging new ETEP software on the ETM ftp server T
7. for both Virtual Machines and bare metal. The base operating system used will be CentOS 6 with the current released updates applied. Virtual Machine Options. EncrypTight Manager 3 3 standalone: These virtual machine appliances will be distributed as zip files that contain the VMware files that can be used in VMware Player. Once started the standalone version will boot up and become available on the network. VMware will startup without any modification to the configuration and will use dhcp to connect to the hosts bridged network. Standalone will be started with 1024MB of RAM and 20G of disk; the 20G of disk will be an auto expanding disk. Standalone will be preconfigured with everything necessary to run; no user interaction will be needed before it is available to the end user. The Standalone version will be only available as a 32 bit appliance. So it can be run on both 32 bit and 64 bit hosts. Standalone will only have access to 25 concurrent threads for PEP communication. Supported Virtual Machines for EncrypTight Manager 3 3 standalone: VMware Player. EncrypTight Manager 3 3: Available in 32 and 64 bit architectures. Expects to be run in an environment where the VM has at least 2GB of RAM and 40GB of disk. This virtual machine is setup so that when it first boots it will initialize the operating system for use by EncrypTight Manager. It will not be fully configured until there is some us
8. just the ETM database navigate to the Platform gt Utilities page then the DB Nodes tab then select the database for the server you are logged into right click and choose Backup This will create a backup that can be downloaded from the Admin gt Server Files page in the logs folder It will be named like db backup Y YY YMMDD HH MM sql gz Double clicking on it will download it to your local disk from where it should be safely archived Procedure 6 Restoring the ETM database To restore the database from a backup scp the backup to the host being restored and execute the db import sh script For example scp db backup 20110915 15 14 sql gz root etmserver opt filestore ssh root etmserver cd opt filestore gunzip db backup 20110915 15 14 sql gz opt scripts db import sh importFile db backup 20110915 15 14 sql EncrypTight Manager Installation Guide 29 If you changed the database userid or password you will have to supply those options as well root policyserver log opt scripts db import sh help db import sh help dbUser dbUser dbPass dbPassword dbType dbT ype importFile importFile disasterServer true false Cluster notes Restoring a cluster node should not include restoring the database if another cluster node with a database is still active Instead the database on the restored node should be synchronized via the ETM web application On the Platform gt Utilities page on the DB Nodes tab fi
9. main drive to the backup drive 26 EncrypTight Manager Installation Guide Backup and Restore of EncrypTight Manager Other hardware component failures If some component other than a drive has failed that component could be replaced in the field or the server could be RMA d back to Black Box Damage to the ETM software or database If some damage is done to the ETM installation such as unintentional removal of key configuration files or binaries under opt jboss server policyserver then the ETM software should be restored If that is all that occurred then the database does not need to be restored See procedure 4 below for restoring the ETM software Damage to the OS or filesystem If damage is done to other areas of the filesystem such as unintentional removal of OS files or files outside of the ETM root directory then a restore from backup will be necessary Depending on what was damaged either part of the backup or all of the backup may be necessary for the restore For example if the only damage was to etc then only that portion of the backup would be needed to recover If something as drastic as rm rf had occurred then the full backup would be needed and then a subsequent ETM backup or database backup might also need to be applied That would be necessary if such a backup existed that was more recent than the full backup See procedures 2 4 and 6 below Example backup and restore procedures Procedure 0 copying dri
10. the Datastore selection. You can select any of the available Datastores. Ensure there is at least 45G of Free space available. (Figure 9: Datastore) Select Next. You will see the Ready to Complete screen. (Figure 10: Ready to Complete) Select Next. When you click Finish the deployment task will be started.
11. work exclude opt jboss server policyserver tmp exclude opt jboss server policyserver data tar Removing leading from member names scp_host not set not scp ing policyserver backup 2011 12 14 08 11 tar gz backup anywhere Finished server backup Running through the upgrades available Performing upgrade to 3 1 Application upgrade upgrade common ear cipher ear opt jboss server policyserver deploy upgrade jbossweb jar opt jboss server policyserver deploy jbossweb sar Database upgrade Finished upgrade to 3 1 Performing upgrade to 3 2 Application upgrade upgrade common deploy cipher ear opt jboss server policyserver deploy upgrade server xml opt jboss server policyserver deploy jbossweb sar upgrade policyserversecuritydomain service xml opt jboss server policyserver deploy getInitConf certPass XXXXXXXX getInitConf keystoreType JCEKS getInitConf asAlias policyserver getInitConf rootCertSubjCN PolicyServer CA Updating policyserver in opt jboss server policyserver conf private keystore jks Updating policyserver ca in opt jboss server policys
12. ET0010A, ET0100A, ET1000A, ET10000A. BLACK BOX NETWORK SERVICES. Customer Support Information. Order toll free in the U.S.: Call 877-877-BBOX, outside U.S. call 724-746-5500. FREE technical support 24 hours a day, 7 days a week: Call 724-746-5500 or fax 724-746-0746. Mailing address: Black Box Corporation, 1000 Park Drive, Lawrence, PA 15055-1018. Web site: www.blackbox.com. E-mail: info@blackbox.com. Table Of Contents: About This Document 5; EncrypTight Manager 3 3 Installation Options 7; Virtual Machine Options 7; EncrypTight Manager 3 3 standalone 7; EncrypTight Manager 3 3 8; BCNEUCROJ UONE 8; Installation Options 8; Firewall Information 9; Installation Examples 9; Single Server Install
13. WARNING This will upgrade your policyserver from 3 1 3451 to 3 2 3971 Are you sure you want to continue the upgrade yes no yes Upgrade process started will upgrade from 3 1 3451 to 3 2 3971 getInitConf node1 localhost getInitConf node2 localhost getConfig ftpServerDir opt ftpserverdir getConfig fileStoreDir opt filestore getConfig companyName Black Box Checking policyserver status Policyserver is running stopping Shutdown message has been posted to the server Server shutdown may take a while check logfiles for completion Waiting for Server to stop Waiting for Server to stop Server has stopped Disconnecting any database users Backing up the current system Backing up the db Compressing backup scp host not set not scp ing opt upgradebackup db backup 2011 12 14 08 11 sql gz backup anywhere keeping backup 1 opt upgradebackup db backup 2011 12 14 08 11 sql gz Finished db backup done Backing up the server dirs opt ftpserverdir opt filestore opt jboss server policyserver tar cfzh policyserver backup 2011 12 14 08 11 tar gz opt ftpserverdir opt filestore opt jboss server policyserver exclude opt jboss server policyserver
14. P should be the IP of the Main Site server. Disaster Recovery options. When this server will use a disaster recovery site set the following: heartbeatEnabled true disasterEnabled true disasterHost disasterUser pserver disasterPass pserver heartbeatPort 8764. When this server IS the disaster recovery site set the following: disasterServer tru disasterServerUser admin heartbeatInterval 30000 comma separated list of hosts to check: heartbeatHosts. Run the installation script on the DR site: /etc/init.d/policyserver install. Testing Disaster Recovery: You can bring down the Main Site using the init.d script on the Main Site machine: > /etc/init.d/policyserver stop. Once that is down you can see that the disaster recovery picks up rekeys by viewing the DR logs on the DR Machine: > tail -f /opt/jboss/server/policyserver/log/server.log. To bring the Main Site back up use the init.d script again on the Main Site machine: > /etc/init.d/policyserver start. EncrypTight Manager Upgrade of an Existing ETM Instance: The following information covers upg
15. P to server 2. Make sure that server 1 can see server 2 on the network. Run /etc/init.d/policyserver install on server 1 (same order of IP addresses on both). IMPORTANT: WAIT for server 1 to fully complete the install and startup. Run /etc/init.d/policyserver install on server 2 (same order of IP addresses on both). Once installation is complete you can view the web interface from either of the cluster nodes IP addresses. To verify that the cluster is in place check the Platform > Utilities page, DB Nodes and Appserver Nodes. Preparation for DR listening: Until EncrypTight supports a fully replicated data layer at the DR cluster site you must shut down the database server on the second node. Login as root and issue the following command: /etc/init.d/postgresql-9.0 stop. This will cause that DB node to go inactive. You can verify this in the Platform > Utilities page on the DB Nodes tab. Actions on DR activation (failover occurs): When failover occurs, in order to ensure the DR cluster is fully redundant, including at the data layer, you must restart the database server on the second node and activate it via the UI. Login to the second server as root and issue the following command: /etc/init.d/postgresql-9.0 start. Once the database has started, login to EncrypTight Manager as a Platform Admin, navigate to the Platform > Utilities page, locate the inactive database on the DB tab, select it, right
16. SERVERS IN THE MAIN SITE VM tuning options max number of worker threads in the application server MUST be more than 2 x mdbQueueThreads maxServerThreads 500 max number of high queue threads max number of low queue threads mdbQueueThreads 200 at least 2G of RAM minMemory 512 maxMemory 768 permSize 128 maxPermSize 256 at least 4G of RAM minMemory 768 maxMemory 1280 permSize 128 maxPermSize 384 additional JVM options JavaOpts XX UseFastAccessorMethods. Run the installation scripts. It is important that the ordering of IP addresses stays the same for node1 and node2 on both machines in the disaster recovery cluster. Be sure that the following TCP and UDP ports are available between each server in the disaster recovery cluster: TCP 21, TCP 2221, TCP 22, TCP 80, TCP 8080, TCP 443, TCP 8443, TCP 8764, TCP 5432, TCP 47788, TCP 47799, UDP 45588, UDP 46688, UDP 45599, UDP 46699. Ordering of actions is important. You should install in the following steps: Power on both servers. Assign IP to server 1. Assign I
17. Wait UPGRADE WARNING This will upgrade from 3 2 3971 to 3 3 4364 WARNING This will upgrade your policyserver from 3 2 3971 to 3 3 4364 Are you sure you want to continue the upgrade yes no yes Application precheck for version 3 3 ERROR invalid input syntax for integer LINE 1 select count from co policies where encryption_oid ^ ERROR invalid input syntax for integer LINE 1 select count from co policies where authentication_oid ^ Upgrade process started will upgrade from 3 2 3971 to 3 3 4364 getInitConf node1 10.10.10.10 getInitConf node2 10.10.10.11 getConfig ftpServerDir opt ftpserverdir getConfig fileStoreDir opt filestore getConfig companyName Black Box Checking policyserver status Disconnec
18. Now vSphere will import the ova into the CSM Testing Resource Pool. You will see a dialog with the progress and a complete message once it is done. You can close the complete message. You can select the newly created VM under the CSM Testing tree and power it on. There is a link to power it on under the Basic Tasks section of the VM. (Figure 11: Basic Tasks)
19. Click on the menu option File > Deploy OVF Template. This will bring up the OVF Template Deploy dialog. (Figure 4: Deploy OVF Template)
20. ble upgrades Upgrading the policyserver init conf Upgrading the database schema sql Upgrading the system scripts Upgrade process complete Application version is 3 3 4364 The policyserver is ready to be started. Start up EACH Server in the Cluster in ORDER. CAUTION: ALL NODES in the ETM Cluster MUST be started in the following order. 1. Start the policyserver on EncrypTight Manager Cluster Node 1. YOU MUST wait for the startup to complete before continuing. root PIT ETM N1 upgrade /etc/init.d/policyserver start Server is starting check the log files for application status 2. Start the policyserver on EncrypTight Manager Cluster Node 2. YOU MUST wait for the startup to complete before continuing. root PIT ETM N2 upgrade /etc/init.d/policyserver start Server is starting check the log files for application status 3. Start the policyserver on Disaster Recovery Server Node 1. YOU MUST wait for the startup to complete before continuing. root PIT ETM DR1 upgrade /etc/init.d/policyserver start Server is starting check the log files for application status 4. Start the policyserver on Disaster Recovery Server Node 2. Assuming DR Servers are also cluste
21. Once the VM begins to power up you right click on the VM and select Open Console. You will see the VM operating system boot up and get to the main blue screen. (Figure 12: Main Screen. The console reads: Black Box EncrypTight Manager 3 3 3212 x86 64. Installation is not complete. If you need to setup networking then choose Configure Network below. Configure the server by editing opt scripts policyserver init conf. Run the installation script as root: /etc/init.d/policyserver install) Setup Networking: Once you are on the main blue screen of the virtual machine appliance you can click your mouse inside of it. The virtual machine now has control of your mouse. You will have to type Ctrl Alt to release the mouse from it. You can use the arrow keys in the appliance to select Configure Network. You will see the main network config menu. Enter 6 and press Enter. (Figure 13: Main Network Config)
22. click and select Activate. This will synchronize the database and the DR site will be fully HA. Failback: When the DR site fails back to the main site you should once again stop the database on the second DR appserver. EncrypTight Manager OVA Deployment Using vSphere Client. Applications: You need to install vSphere Client onto your workstation. The vSphere Client software is only available for Windows platforms. Open up the VMware vSphere Client software. You will see the login prompt for the client to connect to the server. (Figure 2: Running vSphere Client) Enter the IP address of ESX server. Select the checkbox for Use Windows session credentials. Select Login. Installing the CSM OVA: Once you have logged into vSphere Client you will see the main interface. (Figure 3: Installing the CSM OVA)
23. e Linux operating system Conventions used in this document Bold Indicates one of the following e a menu item or button e the name of a command or parameter Italics Indicates a new term Monospaced Indicates machine text such as terminal output and filenames Monospaced bold Indicates a command to be issued by the user How to comment Customer comments on Black Box documents are welcome Send your comments to EncrypTight Manager Installation Guide 5 Preface Black Box Corporation 1000 Park Drive Lawrence PA 15055 1018 email info blackbox com Contacting Customer Support Technical support services are accessible through the Black Box support center US toll free 1 877 877 BBOX International outside U S call 724 746 5500 Email info blackbox com Web www blackbox com FREE technical support 24 hours a day 7 days a week Call 724 746 5500 or fax 724 746 0746 EncrypTight Manager Installation Guide EncrypTight Manager 3 3 Installation Options EncrypTight Manager 3 3 Installation Options Virtual Machines EncrypTight Manager 3 3 standalone EncrypTight Manager 3 3 single server cluster high availability single server disaster recovery Hardware EncrypTight Manager 3 3 single server cluster high availability single server disaster recovery We will be using RedHat kickstart technology to install directly to hardware and to build the Virtual Machines This allows us to define the exact same packaging
24. e listed here http www halfgaar net backing up unix http www cyberciti biz fagq rhel backup linux server http www linuxlinks com article 20090105114152803 Backup html http stackoverflow com questions 15208 whats the best linux backup solution http en wikipedia org wiki NetVault Backup Procedure 3 Backing up the ETM software and data 28 To backup the ETM software and data navigate to the Platform gt Utilities page then the AppServer Nodes tab then select the server you are logged into right click and choose Backup This will perform a database backup and then create a tar archive file containing the ETM software the root directory where ETM is installed the database backup and other directories used by ETM specifically the ftp dir and filestore dir It will also optionally scp the backup to a remote server if those configuration properties are setup For convenience these properties are listed here They are named as such in the Admin gt ETM Config page Backup Server ip Backup Server scp Directory EncrypTight Manager Installation Guide Backup and Restore of EncrypTight Manager Backup Server scp User Backup Server scp Password Also note that the ETM root dir is opt jboss server policyserver and that the opt scripts directory is a symlink to opt jboss server policyserver scripts so that directory will be backed up It contains the config files that were used during installation Files in etc i
25. ed upgrade bin file

Download and scp the public key (pubkey.txt) over to the ETM server:
scp pubkey.txt root@192.168.X.X:/opt/upgrade

Scp the external signature for the upgrade bin:
scp policyserver upgrade <VERSION> bin asc root@192.168.X.X:/opt/upgrade

Import the public key and verify the upgrade bin:
cd /opt/upgrade
gpg --import pubkey.txt
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 9B705669: public key "Black Box Policy Server <support@blackbox.com>" imported
gpg: Total number processed: 1
gpg: imported: 1

gpg --verify policyserver upgrade <VERSION> bin asc policyserver upgrade <VERSION> bin
gpg: Signature made Mon 12 Dec 2011 03:19:38 PM EST using DSA key ID 9B705669
gpg: Good signature from "Black Box Policy Server <support@blackbox.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B7B6 1E4C EA5A 9FE0 19AB 6130 9830 42A5 9B70 5669

Execute the upgrade on the ETM server (Non Cluster)
CAUTION: The ETM instance will be unavailable re
26. Configuring Networking Parameters
Running the Installation Script
System Requirements
Virtual Machine Cluster Install
Hardware Cluster Install
Disaster Recovery Option
Run the installation scripts
Ordering of actions is important
Disaster Recovery Install
Using Single Server For Main Site
Testing Disaster Recovery
EncrypTight Manager Upgrade of an Existing ETM Instance
Upgrade Non Cluster Instance of ETM
SCP upgrade file to ETM Non Cluster
27. er interaction to finish the installation options of EncrypTight Manager.

Installation Options
Single server: 1 VM
High Availability cluster: Minimum 2 VMs on different hardware
Disaster recovery server: 1 VM. Communication over ports must be possible to the Main site. Port 22 must be available on the DR server and port 8764 must be available on each server in the main cluster.
NOTE: These ports are made available by default.

Supported Virtual Machines for EncrypTight Manager 3.3
VMware

Hardware Options
Hardware is provided, either Dell r310s or r200s, with a minimum of 4GB of RAM. Hardware versions are exactly the same as the Virtual Machine offerings; they are just installed directly to hardware.

Installation Options
Single server: 1 server
High Availability cluster: Minimum 2 servers
Disaster recovery server: 1 server (communication over ports must be possible to the Main site: 22 and 8764)

Firewall Information
Servers in cluster must have the following ports available:
TCP 21, TCP 2221, TCP 22, TCP 80, TCP 8080, TCP 443, TCP 8443, TCP 8764, TCP 5432, TCP 47788, TCP 47799, UDP 45588, UDP 46688, UDP 45599, UDP 46699
NOTE: These ports are made available by default.

Installation Examples
Single Server Install
Either deploy the EncrypTight Manager virtual machine using management software such as VMware vSphere or power
28. er to stop
Server has stopped

Shutdown Disaster Recovery Server Node 2 (Assuming DR Servers are also clustered)
root PIT ETM DR2 upgrade /etc/init.d/policyserver stop
Shutdown message has been posted to the server
Server shutdown may take a while, check logfiles for completion
Waiting for Server to stop
Server has stopped

Execute the upgrade on EACH Server in the Cluster in ORDER
1. Execute the upgrade on EncrypTight Manager Cluster Node 1. YOU MUST wait for the upgrade to complete before continuing.
2. Execute the upgrade on EncrypTight Manager Cluster Node 2. YOU MUST wait for the upgrade to complete before continuing.
3. Execute the upgrade on Disaster Recovery Server Node 1. YOU MUST wait for the upgrade to complete before continuing.
4. Execute the upgrade on Disaster Recovery Server Node 2 (Assuming DR Servers are also clustered). YOU MUST wait for the upgrade to complete before continuing.

EXAMPLE: Upgrade from 3.2.3971 to 3.3.4364
root PIT ETM N1 upgrade policyserver upgrade 3 3 4364 bin
Verifying archive integrity All good
Uncompressing Upgrade to 3.3.4364
UPGRADE Examining System Please
29. erver conf private keystore jks
Client truststore upgrade /opt/jboss/server/policyserver/conf/private/truststore.jks exists not overwriting it
Datasource upgrade
Database init scripts upgrade
App server config upgrade
App server startup script upgrade
Create certs script upgrade
Create client certs script upgrade
Install script upgrade
Init conf upgrade
Database upgrade Updated database schema version to 2
Database upgrade Updated database schema version to 3
Database upgrade Updated database schema version to 4
Database upgrade Updated database schema version to 5
Database upgrade Updated database schema version to 6
Database upgrade Updated database schema version to 7
Database upgrade Updated database schema version to 8
Finished upgrade to 3.2
Finished all available upgrades
Upgrading the policyserver init conf
Upgrading the database schema sql
Upgrading the system scripts
Upgrade process complete Application version is 3.2.3971
Finis
30. hing Server Startup
root policyserver

Upgrade ETM Cluster Instances
CAUTION: Order Matters. All of these instructions MUST be done in the order indicated below.

SCP upgrade file to ETM Cluster
These instructions load the upgrade executable in the directory /opt/upgrade on the ETM server. /opt/upgrade is only a suggested path.
Download the policyserver upgrade <VERSION> bin executable to your local machine.
scp the bin file to your ETM server as root (default UID/PWD is root/pserver) to /opt/upgrade:
scp db backup 2011 12 14 07 34 sql gz root@192.168.X.X:/opt/upgrade

Optional: Verify the downloaded upgrade bin file
Download and scp the public key (pubkey.txt) over to the ETM server:
scp pubkey.txt root@192.168.X.X:/opt/upgrade

Scp the external signature for the upgrade bin:
scp policyserver upgrade <VERSION> bin asc root@192.168.X.X:/opt/upgrade

Import the public key and verify the upgrade bin:
cd /opt/upgrade
gpg --import pubkey.txt
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 9B705669: public key "Black Box Policy Server <support@blackbox.com>" imported
gpg: Tota
31. [Screenshot: Network Configuration Main Menu listing Show Current Configuration (scroll with Shift+PgUp/PgDown), Exit this program, Default Gateway, Hostname, DNS, Proxy Server, and IP Address Allocation for eth; "Enter a menu number" is answered with 6]

Now you will be able to enter your IPv4 address information:
Configure an IPv4 address for eth0? y/n [n] y
Use a DHCPv4 Server instead of a static IPv4 address? y/n [n] n
IPv4 Address 192.168.4.X
Netmask 255.255.192.0
Is this correct? y/n [y] y

Make sure you use 255.255.192.0 as the netmask. Valid static IP range for the QA CSM VMs are 4.20 to 4.50.

Next, select option 2 from the menu.

[Figure 14: Default Gateway]

Enter 0 for the interface to configure. Enter 192.168.1.1 for the Gateway.

Optional: If you need to set up DNS for external access from the VM, select option 4 f
32. in Menu, type 2 and press Enter.
2. At the prompt to choose an interface to associate with the default gateway, type the number and press Enter.
3. At the IPv4 default Gateway prompt, type the IP address of the gateway and press Enter.
4. Type 1 and press Enter to exit the menu.

Note that you can use the same menu to assign a hostname, specify a DNS server, set up a proxy server, or view the current networking configuration.

Running the Installation Script
Once the virtual machine has been deployed and networking parameters are configured, you need to run a script to specify the type of installation you are setting up. The options include:
Stand-alone: a single virtual machine
Cluster: multiple virtual machines
Disaster recovery: a virtual machine that serves as a disaster recovery server for either a stand-alone installation or a cluster

You must log into the virtual machine in order to complete the installation. Log in using the default account of root with the password pserver.

To run the stand-alone installation script:
In the console window, use the arrow keys to highlight Login and press Enter.
At the login prompt, type root and press Enter.
At the Password prompt, type pserver and press Enter.
If you would like to modify settings, you can edit opt scripts policyserver init conf. Emacs, nano, and vi are available on the OS.
Once modified, you can run the installa
33. l number processed: 1
gpg: imported: 1

gpg --verify policyserver upgrade <VERSION> bin asc policyserver upgrade <VERSION> bin
gpg: Signature made Mon 12 Dec 2011 03:19:38 PM EST using DSA key ID 9B705669
gpg: Good signature from "Black Box Policy Server <support@blackbox.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B7B6 1E4C EA5A 9FE0 19AB 6130 9830 42A5 9B70 5669

Node Shut Down
CAUTION: ALL NODES in the ETM Cluster MUST be shut down in the following order.

Shutdown EncrypTight Manager Cluster Node 1
root PIT ETM N1 upgrade /etc/init.d/policyserver stop
Shutdown message has been posted to the server
Server shutdown may take a while, check logfiles for completion
Waiting for Server to stop
Server has stopped

Shutdown EncrypTight Manager Cluster Node 2
root PIT ETM N2 upgrade /etc/init.d/policyserver stop
Shutdown message has been posted to the server
Server shutdown may take a while, check logfiles for completion
Waiting for Server to stop
Server has stopped

Shutdown Disaster Recovery Server Node 1
root PIT ETM DR1 upgrade /etc/init.d/policyserver stop
Shutdown message has been posted to the server
Server shutdown may take a while, check logfiles for completion
Waiting for Serv
34. Example backup and restore procedures
Procedure 0: copying drives with dd (only for non RAID systems)
Procedure 1: Backing up the entire filesystem
Procedure 2: Restoring the complete filesystem including the OS
Procedure 3: Backing up the ETM software and data
Procedure 4: Restoring the ETM software and data
Procedure 5: Backing up the ETM database
Procedure 6: Restoring the ETM database
Restoring to factory defaults
VM Server specifics
Appendices
Hardware Disaster Recovery Cluster Install
Run the installation scripts
Ordering of actions is important
Preparation for DR listening
35. nd the inactive database, right-click on it and choose Activate.

DR notes: If restoring a DR database (which should really never be necessary, since the backup can be pushed from the main ETM site via the UI), you must supply the disasterServer true command line option.

Restoring to factory defaults
If for some reason a server needs to be set back to the state in which it was delivered from Black Box, the opt scripts factory restore sh script can be run. The user will be prompted twice before proceeding. This script will stop the ETM server, delete the database, and reset all configuration files to their original state. The installer can be re-run after performing this operation.

VM Server specifics
VMware specific information is found on the VMware website.
VMWare backup guide: http://www.vmware.com/pdf/vi3_301_201_vm_backup.pdf
NOTE: VMWare does not consider VM snapshots backups. For more information about snapshots, read the following knowledge base articles:
Understanding VM snapshots: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1015180
Best Practices for VM snapshots: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1025279

Appendices
Hardware Disaster Recovery Cluster Install
If you are going to have
36. nit d are not included in this tar, so those should be backed up separately after installation. They should never change after installation.

Whether or not the backup is scp'd to a remote host, a copy will be left in the /opt/jboss/server/policyserver/log dir and can be downloaded via the browser from the Admin > Server Files page, from the logs folder. Double-clicking on it will download it. The database backup will also be located there. The names are of the following format:
<host ip address> backup YYYYMMDD HH MM tar gz
db backup YYYYMMDD HH MM sql gz

Procedure 4: Restoring the ETM software and data
To restore from a ETM server backup, obtain the backup that was taken for the particular host (note that the ip address of the host is part of the backup file name), scp it to the ETM host, and untar it. The application server should be stopped before doing this:
/etc/init.d/policyserver stop

For example:
scp 192 168 80 77 backup 20110101 16 35 tar gz root@etmserver:/
ssh root@etmserver
cd /
gunzip -c 192 168 80 77 backup 20110101 16 35 tar gz | tar xvpf -

At this point, the database backup that is located in /opt/jboss/server/policyserver/log can be used (only if necessary) to restore the database. See procedure 6. Once completed, the application server can be restarted:
/etc/init.d/policyserver start

See notes below on details related to cluster nodes and DR servers.

Procedure 5: Backing up the ETM database
To backup the
37. on the ETM server hardware. When the machine is ready, switch to the console view. You should see a screen similar to this:

[Figure 1: EncrypTight Manager Console view. The console shows "Black Box EncrypTight Manager 3.3.3212 x86_64", a notice that installation is not complete, and three steps: if you need to set up networking, choose Configure Network below; configure the server by editing opt scripts policyserver init conf; run the installation script as root: /etc/init.d/policyserver install. Menu entries include Configure Network and Set Timezone (Current: EDT).]

Configuring Networking Parameters
Once the machine is running, you can configure networking parameters. This includes assigning a static IP address, netmask, and gateway address.

To configure an IP address and netmask:
1. Click in the console window to activate it.
2. Use the arrow keys to highlight Configure Network and press Enter.
3. At the Network Configuration Main Menu, type 6 and press Enter.
4. At the prompt to configure an IPv4 address, type y and press Enter.
5. At the prompt to use DHCP, type n and press Enter.
6. At the IPv4 prompt, enter the IP address that you want to use and press Enter.
7. At the Netmask prompt, enter the netmask that you want to use and press Enter.
8. When you are prompted for confirmation, type y and press Enter.

To configure the gateway address:
1. At the Ma
38. opology changes to a cluster (adding or removing a node).

ETM Restore
Restoring from a ETM backup would be necessary if some damage had occurred within the ETM install directories, such as unintentional deletion of the policyserver config files or binaries. The ETM backup includes a database backup within the archive tar file; however, it may not be necessary to restore the database. If the intention of the restore is to simply fix the filesystem, the database does not need to be restored. If, however, a full system recovery is being performed, then the most recent ETM backup and database backup should be used for restoration. If the most recent database backup is that contained within the ETM backup, then that should be used.

Hardware Server specifics
Drive failures
A hardware ETM server has two possible configurations: a non-RAID dual drive system or a RAID 1 dual drive system (mirroring RAID system). For a drive failure in a RAID configuration, simply replacing the failed drive is all that is necessary.

non-RAID system: There are two possibilities.
Failure of the main drive: Boot from the backup drive (change the BIOS order) and restore with either procedure 2, 4 or 6 below, depending on how many changes were made outside of the ETM software. Then replace the failed drive and dd the main drive to the new drive, which is now the new backup drive.
Failure of the backup drive: Replace the backup drive and repeat the dd operation to copy the
39. rName policyserver

VM tuning options
max number of worker threads in the application server, MUST be more than 2 x mdbQueueThreads
maxServerThreads 500
max number of high queue threads
max number of low queue threads
mdbQueueThreads 200
at least 2G of RAM
minMemory 512
maxMemory 768
permSize 128
maxPermSize 256
at least 4G of RAM
minMemory 768
maxMemory 1280
permSize 128
maxPermSize 384
additional JVM options
JavaOpts -XX:+UseFastAccessorMethods

Disaster Recovery Option
If this cluster is going to have a disaster recovery site assigned to it, then you need to modify the following section of the opt scripts policyserver init conf:

Disaster Recovery options
When this server will use a disaster recovery site set the following
heartbeatEnabled true
disasterEnabled true
disasterHost 192.168.80.X THE IP OF THE DISASTER RECOVERY SERVER
disasterUser pserver
disasterPass pserver
heartbeatPort 8764
When this server IS the disaster recovery site set the following
disaste
40. rServer tru
disasterServerUser admin
heartbeatInterval 30000
comma separated list of hosts to check
heartbeatHosts COMMA SEPARATED LIST OF SERVERS IN THE MAIN SITE

Run the installation scripts
It is important that the ordering of IP addresses stays the same for node1 and node2 on both machines in the cluster.

Be sure that the following TCP and UDP ports are available between each server in the cluster:
TCP 21, TCP 2221, TCP 22, TCP 80, TCP 8080, TCP 443, TCP 8443, TCP 8764, TCP 5432, TCP 47788, TCP 47799, UDP 45588, UDP 46688, UDP 45599, UDP 46699

Ordering of actions is important
You should install in the following steps:
1. Power on both servers.
2. Assign IP to server 1.
3. Assign IP to server 2.
4. Make sure that server 1 can see server 2 on the network.
5. Run /etc/init.d/policyserver install on server 1 (same order of IP addresses on both).
6. IMPORTANT: WAIT for server 1 to fully complete the install and startup.
7. Run /etc/init.d/policyserver install on server 2 (same order of IP addresses on both).

Once installation is complete, you can view the web interface from either of the cluster nodes' IP addresses. To verify that the cluster is in place, check the Platform > Utilities page (DB Nodes and Appserver Nodes).
41. rading an existing EncrypTight Manager instance

CAUTION: The ordering of actions is important when upgrading EncrypTight Manager. When performing an upgrade on an existing EncrypTight Manager instance, first stop the policy servers on all machines. Next, upgrade the main site first and wait for the upgrade to complete. After the upgrade of the main site is completed, if there is a disaster recovery server being utilized, you must upgrade the disaster recovery site last.

NOTE: Requires ETM 3.0 or higher. All instructions must be executed from the ETM server Command Line while logged in as root/pserver.

Upgrade Non Cluster Instance of ETM
EncrypTight Manager can be installed either as a single node server or as a Cluster. These instructions are for how to upgrade a Non Clustered ETM Instance. Upgrading a ETM Cluster is very different from upgrading a ETM Non Cluster instance. Instructions for both are provided below.

SCP upgrade file to ETM Non Cluster
CAUTION: These instructions load the upgrade executable in the directory /opt/upgrade on the ETM server. /opt/upgrade is only a suggested path.
Download the policyserver upgrade <VERSION> bin executable to your local machine.
scp the bin file to your ETM server as root (default UID/PWD is root/pserver) to /opt/upgrade:
scp policyserver upgrade <VERSION> bin root@192.168.X.X

Optional: Verify the download
42. red). YOU MUST wait for the startup to complete before continuing.
root PIT ETM DR2 upgrade /etc/init.d/policyserver start
Server is starting, check the log files for application status

Backing out of an upgrade
Once the upgrade has completed, if there are any problems you can back completely out of the upgrade.
Go to /opt/upgradebackup
Execute the downgrade.sh:
./downgrade.sh
This will take the server back to the version before the upgrade.

Backup and Restore of EncrypTight Manager
General Guidelines
There are a variety of failure scenarios that can occur in a production environment, and recovering from these scenarios will not always involve the same procedures. The procedures to follow will be specific to what type of failure occurred and how much data loss there was as a result. The common failure cases addressed here are:
disk drive failures
other hardware component failures
damage to the ETM software or database
other filesystem damage
complete loss of the OS

Every IT organization will have policies or practices related to backing up servers, so we should learn what a given customer does and ensure that they include the ETM servers in their procedures. We should also ensure that their practices include creating or already having some form of bootable media (e.g. DVD) so that they can access the disk drives of a ETM server in case some radical damage is done to the OS, such as rm -rf. Common examples would
43. rom the menu and enter the DNS IP settings. Use 192.168.1.10 and 192.168.4.2 for DNS servers if you require DNS. Select option 1 from the menu to exit the network config.

Copyright 2012. All rights reserved. Black Box and the Double Diamond logo are registered trademarks, and EncrypTight is a trademark, of BB Technologies, Inc. Any third-party trademarks appearing in this manual are acknowledged to be the property of their respective owners.
ET0010A Manager Installation Guide rev2
44. Actions on DR activation (failover occurs)
Fallback
EncrypTight Manager OVA Deployment Using vSphere Client
Applications
Installing the CSM OVA
Setup Networking

Preface
About This Document

Purpose
The EncrypTight Manager Installation Guide provides detailed information on how to install and configure EncrypTight Manager software.

Intended Audience
This document is intended for network managers and security administrators who are familiar with setting up and maintaining network equipment. Some knowledge of network security issues and encryption technologies is assumed.

Assumptions
This document assumes that its readers have an understanding of the following:
Black Box encryption appliance features, installation and operation
Basic principles of network security issues
Basic principles of encryption technologies and terminology
Basic principles of TCP/IP networking, including IP addressing, switching and routing
Personal computer (PC) operation, common PC terminology, use of terminal emulation software and FTP operations
Basic knowledge of th
45. started during the upgrade process.

ssh to your ETM server as root.
Make sure the bin is executable:
chmod +x policyserver upgrade <VERSION> bin
Run the desired policyserver upgrade <VERSION> bin executable.
You will receive an Upgrade warning; type yes to continue.
When the upgrade has completed, the upgrade script will create a new directory /opt/upgradebackup where the previous instance is stored for rollback. If there is already a previously backed up version(s), the new directory created will be /opt/upgradebackup_<TIMESTAMP>

EXAMPLE: Upgrade from 3.1.3451 to 3.2.3971
root policyserver policyserver upgrade 3 2 3971 bin
Verifying archive integrity All good
Uncompressing Upgrade to 3.2.3971
UPGRADE Examining System Please Wait
UPGRADE WARNING
This will upgrade from 3.1.3451 to 3.2.3971
46. the disaster recovery cluster on node1 192.168.80.3 and node2 192.168.80.4, then you would run like this on both installs:

Modify the opt scripts policyserver init conf and set the following (Emacs, nano, and vi are available on the OS):

Cluster options
for a clustered installation node1 and node2 must be set the same on each of the hosts in the cluster (same ordering)
node1 192.168.80.3 THE IP OF DR NODE 1
node2 192.168.80.4 THE IP OF DR NODE 2
clusterJdbcMcast 229.10.10.20
clusterMcast 228.10.10.20
clusterName disasterrecovery

Disaster Recovery options
When this server will use a disaster recovery site set the following
heartbeatEnabled true
disasterEnabled true
disasterHost
disasterUser pserver
disasterPass pserver
heartbeatPort 8764
When this server IS the disaster recovery site set the following
disasterServer tru
disasterServerUser admin
heartbeatInterval 30000
comma separated list of hosts to check
heartbeatHosts 192.168.80.1,192.168.80.2 COMMA SEPARATED LIST OF
47. ting any database users
pg_terminate_backend
Backing up the current system
Backing up the db
Compressing backup
scp_host not set, not scp'ing opt upgradebackup db backup 2012 02 15 18 54 v sql gz backup anywhere
keeping backup 1 opt upgradebackup db backup 2012 02 15 18 54 v sql gz
Finished db backup
done
Backing up the server dirs /opt/ftpserverdir /opt/filestore /opt/jboss/server/policyserver
tar cfzh policyserver backup 2012 02 15 18 54 v tar gz /opt/ftpserverdir /opt/filestore /opt/jboss/server/policyserver --exclude /opt/jboss/server/policyserver/work --exclude /opt/jboss/server/policyserver/tmp --exclude /opt/jboss/server/policyserver/data
tar: Removing leading `/' from member names
scp_host not set, not scp'ing policyserver backup 2012 02 15 18 54 v tar gz backup anywhere
Finished server backup
Running through the upgrades available
Performing upgrade to 3.3
Application upgrade upgrade common deploy cipher ear /opt/jboss/server/policyserver/deploy
Post Database upgrade Checking for Mesh Policies with apply to all traffic set
Finished checking for Mesh Policies with apply to all traffic set
Finished upgrade to 3.3
Finished all availa
48. tion script:
/etc/init.d/policyserver install

System Requirements
VM: 2G of RAM, 40G of disk space, 1 processor core
Hardware: 2G of RAM, 40G of disk space, 1 processor core

Virtual Machine Cluster Install
These install options are valid in a VM or on hardware. If you are going to have the cluster on node1 192.168.80.1 and node2 192.168.80.2, then you would run like this on both installs:

Modify the opt scripts policyserver init conf and set the following (Emacs, nano, and vi are available on the OS):

Cluster options
for a clustered installation node1 and node2 must be set the same on each of the hosts in the cluster (same ordering)
node1 192.168.80.1
node2 192.168.80.2
clusterJdbcMcast 229.10.10.10
clusterMcast 228.10.10.10
clusterName policyserver

Run the installation script:
/etc/init.d/policyserver install

It is important that the ordering of IP addresses stays the same for node1 and node2 on both machines in the cluster.

Ordering of actions is important
You should install in the following steps:
1. Deploy OVA app server 1. See Appendices: EncrypTight Manager OVA Deployment Using vSphere Client.
2. Deploy OVA app ser
49. ver 2 (see Appendices, EncrypTight Manager OVA Deployment Using vSphere Client). Assign IP of app server 1. Assign IP of app server 2. Run cluster install on app server 1 (same order of IP addresses on both). IMPORTANT: WAIT for app server 1 to fully start. Run cluster install on app server 2 (same order of IP addresses on both). Once installation is complete you can view the web interface from either of the cluster nodes' IP addresses. To verify that the cluster is in place, check the Platform > Utilities page (DB Nodes and Appserver Nodes). Hardware Cluster Install. If you are going to have the cluster on node1 (192.168.80.1) and node2 (192.168.80.2), then you would run like this on both installs: Modify the opt scripts policyserver init conf and set the following (Emacs, nano and vi are available on the OS). NOTE: Support for a crossover cable connection between node1 and node2 has been added in the hardware cluster installation. Cluster options: for a clustered installation, node1 and node2 must be set the same on each of the hosts in the cluster (same ordering): node1 192.168.80.1 (THE IP OF NODE 1), node2 192.168.80.2 (THE IP OF NODE 2), clusterJdbcMcast 229.10.10.10, clusterMcast 228.10.10.10, cluste
50. ves with dd (only for non-RAID systems). An example command, run as root, to copy drive a to drive b: dd if=/dev/sda of=/dev/sdb bs=100M conv=notrunc,noerror. Be careful with the order of if and of. You can write a blank disk to a good disk if you get confused. More info on dd can be found on Wikipedia and also on linuxquestions.org. The above procedure could be run regularly to snapshot a drive as it is modified, to keep the backup as current as desired. This procedure can serve as a full filesystem backup alternate for Procedure 1 below for non-RAID configured servers. However, it is subject to drive failure of this backup drive. Procedure 1: Backing up the entire filesystem. As stated in the General Guidelines, each IT organization should have standardized backup practices. At a minimum, they should retain a full snapshot of an ETM filesystem at least once after the installation script has been run and they have made whatever configuration changes they wanted to for a given site (such as changes to files in /etc). There are many ways to accomplish this. One simple method is using the tar command. An example is provided here (this should be run as root): cd / followed by tar cvpzf backup.tgz --exclude=/proc --exclude=/lost+found --exclude=/backup.tgz --exclude=/mnt --exclude=/sys / Please familiarize yourself with the tar command and its arguments. The man pages are included in the ETM distro. As noted
