03 DSM Setup V1.3

Configuring the Vormetric Data Security Manager
Lab Exercises:

Vormetric Software

Contents

Introduction
Part 1 Configure the DSM
  1.1 Set the DSM timezone, date, and time
  1.2 Configure DSM networking
  1.3 Update DSM hostname
  1.4 Setup the NTP (optional)
  1.5 Configure name resolution
  1.6 Generate the certificate authority
Part 2 Configure the failover DSM
  2.1 Set the DSM timezone, date, and time
  2.2 Configure failover DSM networking
  2.3 Update DSM hostname
  2.4 Setup the NTP (optional)
  2.5 Configure name resolution
  2.6 Test networking between DSMs
Part 3 Configure HA pairing
  3.1 Enable the primary DSM for communication to the failover
  3.2 Convert the failover DSM
  3.3 Synchronize the primary and failover DSM
Additional Tasks
Appendix A. Reference Material
Appendix B. FAQs

Vormetric Corporation Inc, 2012

Introduction
The purpose of this lab is to introduce the setup of the Vormetric Data Security Manager (DSM)
appliance. After completing the lab you will be able to perform the significant administrative
tasks of DSM setup including:

Configuring DSM networking
Configuring DSM date and time information
Changing the default CLI password
Generating the DSM Certificate Authority
Setting up DSM high availability
Backing up the DSM

Lab Architecture
At the completion of the Lab you will have generated the DSM setup as illustrated in Figure 1.
Figure 1 Lab Architecture
[Figure: Web Based Management Console (hostname = admin-gui) and the two DSMs; port labels TCP/8445 and TCP/50000]
Primary DSM: hostname = dsm-server-1, eth0 = 192.168.10.10, eth1 = (tbd) [public]
Failover DSM: hostname = dsm-server-2, eth0 = 192.168.10.11 (private), eth1 = (tbd) [public]

User ID and password list


Table 1 lists the User IDs and passwords used in the lab. You may be prompted to update the
password while performing the lab tasks. You may use a new password of your choosing or
use the recommended password update.

Table 1 User IDs and password

     Server        User ID         Default Password   Recommended Update
1    DSM servers   cliadmin        cliadmin123
2    Web Console   admin           admin123           Admin123!
3    admin-gui     Administrator   Admin123!

Part 1 Configure the DSM

A DSM is preconfigured with all the necessary software components installed. The only
customization required is to update the DSM configuration with relevant networking and
geography information for your location. The configuration of the DSM includes:
Date and time
Networking
CA generation

1.1 Set the DSM timezone, date, and time

Time configuration matters in DSM setup for two reasons: it records when an event happened, and
certificate exchange is time sensitive. If the time difference between the DSM and a certificate
signing requester is too large (the comparison is based on GMT, not absolute time), the signing
request will fail. Keeping the date/time of the DSM and of any agent systems close to accurate
avoids this issue.
__1. Log in to the DSM, dsm-server-1, ID = cliadmin and password = cliadmin123

     Note: The DSM CLI has a very limited command structure. To view the current
     command options, type ?. To move between the command groups, type the name of
     the command group you wish to use, for example Network. Within a command group,
     type up to return to the previous command group.

__2. Type ? to view the current command group.

__1. Type maintenance to move to the maintenance command group

     Note: You do not have to type the entire word as long as you type enough of the
     keyword to be unique. Example: maint would be sufficient.

__2. List the command options using ?

__3. View the current settings for date, time, and time zone
     date
     time
     gmttimezone show

__4. List the time zones available
     gmttimezone list

__5. Set the time zone for your locale
     gmttimezone set America/Chicago

__6. Set date
     date 08/17/2012     [use current date]

__7. Set time
     time 09:43:00     [use current time]
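The GMT-based comparison described at the start of this section, as an added example that is not part of the original lab or of the DSM software: the Python code below converts each system's displayed date, time and time zone to GMT and reports its skew against dsm-server-1. The 5-minute tolerance, the fixed offset table, the readings and the host data-node-2 are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# UTC offsets in hours, valid on the lab date 08/17/2012 (US daylight time).
# Constructed table so the example runs without a time zone database.
OFFSETS = {"America/Chicago": -5, "America/New_York": -4, "GMT": 0}
TOLERANCE = timedelta(minutes=5)  # assumed limit; the lab does not state one

# Constructed readings: host, date, time and time zone as each system shows them.
READINGS = """\
dsm-server-1 08/17/2012 09:43:00 America/Chicago
dsm-server-2 08/17/2012 09:43:20 America/Chicago
data-node-1  08/17/2012 09:43:05 GMT
data-node-2  08/17/2012 10:44:10 America/New_York
"""

def to_gmt(date_s, time_s, zone):
    """Convert a wall-clock reading (mm/dd/yyyy hh:mm:ss) to an aware GMT time."""
    local = datetime.strptime(f"{date_s} {time_s}", "%m/%d/%Y %H:%M:%S")
    tz = timezone(timedelta(hours=OFFSETS[zone]))
    return local.replace(tzinfo=tz).astimezone(timezone.utc)

def skew_report(text, reference="dsm-server-1", tolerance=TOLERANCE):
    """Return {host: (skew_seconds, within_tolerance)} relative to the reference."""
    gmt = {}
    for line in text.splitlines():
        host, date_s, time_s, zone = line.split()
        gmt[host] = to_gmt(date_s, time_s, zone)
    ref = gmt[reference]
    report = {}
    for host, stamp in gmt.items():
        if host == reference:
            continue
        delta = abs(stamp - ref)
        report[host] = (int(delta.total_seconds()), delta <= tolerance)
    return report

if __name__ == "__main__":
    for host, (secs, ok) in skew_report(READINGS).items():
        print(f"{host:13} skew={secs:6d}s {'ok' if ok else 'OUT OF TOLERANCE'}")
```

In the constructed readings, data-node-1 displays almost the same wall-clock time as the DSM but is nearly five hours apart in GMT because its time zone differs.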

1.2 Configure DSM networking

1.2.1 Add eth1 network

__1. Return to the main DSM CLI menu
     up

__2. Move to the network command group
     network

__3. View the current network settings
     ip address show

     Note: The default IP address of the DSM eth0 is 192.168.10.1. The easiest way to
     configure a physical appliance is to attach a network cable between this NIC and a
     laptop and change the laptop network settings to match the default network of eth0.
     The best order is to set up eth1 and ensure connectivity to this NIC before changing
     eth0. Otherwise, if you accidentally set eth0 incorrectly, you will lose connectivity
     and be limited to the serial interface.

__4. Add the IP for network of eth1 [use the network from VMnet8]
     ip address add 192.168.6.10/24 dev eth1
     yes

     Note: Change the IP address and subnet. The network should be the network
     discovered in Lab 1 for VMnet8. The subnet is using shorthand notation (24 =
     255.255.255.0). Refer to the appendix for a link to the shorthand notation of the netmask.

__5. Ping the eth1 address from the host machine
     ping 192.168.6.1

1.2.2 Add default gateway

The only network that can reach the external network given the setup steps of this lab is
VMnet8, the NAT network. The examples used in these steps reflect network 192.168.6.0. Be
sure to use the proper network as discovered in Lab 1 for your VMnet8 environment.

__1. Add a default gateway
     ip route add default table main.table via 192.168.6.254

1.2.3 Configure eth0 network

__1. Delete the IP address for eth0
     ip address delete 192.168.10.1/16 dev eth0
     yes

__2. Add the IP address for eth0
     ip address add 192.168.10.10/24 dev eth0
     yes

__3. Ping the IP address for eth0
     ping 192.168.10.10

__4. Show the IP address setup
     ip address show

After configuring the network, you can use an SSH terminal window to connect to the DSM
CLI interface.
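An added example, not part of the original lab: the Python check below applies the prefix shorthand and the addresses from steps 1.2.1 to 1.2.3 to show that, while eth0 still holds its default 192.168.10.1/16, its network contains both the new eth1 network and the gateway, and that the final /24 plan has neither problem. The function names and the three checks are illustrative assumptions.

```python
import ipaddress

def check_plan(interfaces, gateway):
    """Return a list of problems for {nic: 'address/prefix'} and a default gateway."""
    ifaces = {nic: ipaddress.ip_interface(cidr) for nic, cidr in interfaces.items()}
    gw = ipaddress.ip_address(gateway)
    nics = sorted(ifaces)
    problems = []
    # Overlapping networks: one destination is on-link through two NICs.
    for i, a in enumerate(nics):
        for b in nics[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                problems.append(
                    f"{a} {ifaces[a].network} overlaps {b} {ifaces[b].network}")
    # The default gateway should be on-link through exactly one NIC.
    on_link = [nic for nic in nics if gw in ifaces[nic].network]
    if len(on_link) != 1:
        problems.append(f"gateway {gw} is on-link for {on_link or 'no NIC'}")
    # A host address cannot be the network or broadcast address.
    for nic in nics:
        net = ifaces[nic].network
        if ifaces[nic].ip in (net.network_address, net.broadcast_address):
            problems.append(f"{nic} {ifaces[nic].ip} is not a usable host address")
    return problems

def netmask(cidr):
    """Expand the prefix shorthand (for example /24) to a dotted netmask."""
    return str(ipaddress.ip_interface(cidr).netmask)

# Values taken from the lab text for dsm-server-1.
AFTER_ETH1_ADDED = {"eth0": "192.168.10.1/16", "eth1": "192.168.6.10/24"}
FINAL = {"eth0": "192.168.10.10/24", "eth1": "192.168.6.10/24"}
GATEWAY = "192.168.6.254"

if __name__ == "__main__":
    print("/24 =", netmask("192.168.6.10/24"), " /16 =", netmask("192.168.10.1/16"))
    for label, plan in (("after 1.2.1", AFTER_ETH1_ADDED), ("after 1.2.3", FINAL)):
        print(label, check_plan(plan, GATEWAY) or "no problems")
```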

1.3 Update DSM hostname

Setting the DSM hostname is very important. The DSM hostname is a significant factor when
generating and registering certificates. Networking changes can be dynamic and do not affect
certificates.

__1. Return to the main DSM CLI menu
     up

__2. Move to the system command group
     system

__3. Use the setinfo command to set the hostname to dsm-server-1
     setinfo hostname dsm-server-1

     Note: You can ignore the message about the need to re-sign the server certificate, as
     the certificate has not been generated.

1.4 Setup the NTP (optional)

It is a good practice to use a time server to synchronize system clocks across your data center
and this includes the DSM. This section will only work with an external network connection.

__1. Return to the main DSM CLI menu
     up

__2. Move to the maintenance menu
     main

__3. Add ntp server entry
     ntpdate add 66.160.141.161

     Note: Refer to Appendix A for a list of public NTP servers

__4. Synchronize time with the ntp server
     ntpdate sync

__5. Turn ntp service on
     ntpdate on

1.5 Configure name resolution

No DNS server is available for performing the lab exercises; in this section you will configure
static name resolution. You will add host entries for the following hosts:
dsm-server-2
data-node-1

__1. Return to the main DSM CLI menu
     up

__2. Move to the network menu
     Network

__3. Add network entries
     host add dsm-server-2 192.168.10.11
     host add data-node-1 192.168.10.20

__4. Display the host entries
     host show

1.6 Generate the certificate authority

After successful generation of the certificate authority (CA), the DSM will be ready to start
managing data security.

__1. Return to the main DSM CLI menu
     up

__2. Move to the system menu
     system

__3. Generate the CA
     security genca
     yes

     Note: It is not necessary to edit any of the entries as prompted by the CA generation.
     None of the entries will be validated against an external registration authority and can
     be simply bypassed by pressing the Enter/Return key. The CA generation can take as
     long as 10 minutes depending on resources.

Part 2 Configure the failover DSM

2.1 Set the DSM timezone, date, and time

__1. Log in to the DSM, dsm-server-2, ID = cliadmin and password = cliadmin123

__2. Type maintenance to move to the maintenance command group

__3. Set the time zone for your locale
     gmttimezone set America/Chicago

__4. Set date
     date 08/17/2012     [use current date]

__5. Set time
     time 09:43:00     [use current time]

2.2 Configure failover DSM networking

2.2.1 Add eth1 network

__1. Return to the main DSM CLI menu
     up

__2. Move to the network command group
     network

__3. View the current network settings
     ip address show

__4. Add the IP for network of eth1 [use the network from VMnet8]
     ip address add 192.168.6.11/24 dev eth1
     yes

__5. Ping the eth1 address from the host machine
     ping 192.168.6.11

2.2.2 Add default gateway

__1. Add a default gateway
     ip route add default table main.table via 192.168.6.254

2.2.3 Configure eth0 network

__2. Delete the IP address for eth0
     ip address delete 192.168.10.1/16 dev eth0
     yes

__3. Add the IP address for eth0
     ip address add 192.168.10.11/24 dev eth0
     yes

__4. Ping the IP address for eth0
     ping 192.168.10.11

__5. Show the IP address setup
     ip address show

After configuring the network, you can use an SSH terminal window to connect to the DSM
CLI interface.

2.3 Update DSM hostname

__1. Return to the main DSM CLI menu
     up

__2. Move to the system command group
     system

__3. Use the setinfo command to set the hostname to dsm-server-2
     setinfo hostname dsm-server-2

     Note: You can ignore the message about the need to re-sign the server certificate, as
     the certificate has not been generated.

2.4 Setup the NTP (optional)

It is a good practice to use a time server to synchronize system clocks across your data center
and this includes the DSM. This section will only work with an external network connection.

__1. Return to the main DSM CLI menu
     up

__2. Move to the maintenance menu
     main

__3. Add ntp server entry
     ntpdate add 66.160.141.161

     Note: Refer to Appendix A for a list of public NTP servers

__4. Synchronize time with the ntp server
     ntpdate sync

__5. Turn ntp service on
     ntpdate on

2.5 Configure name resolution

Add host entries for the following hosts:
dsm-server-1
data-node-1

__1. Return to the main DSM CLI menu
     up

__2. Move to the network menu
     network

__3. Add network entries
     host add dsm-server-1 192.168.10.10
     host add data-node-1 192.168.10.20

__4. Display the host entries
     host show

2.6 Test networking between DSMs

__1. From the network menu of dsm-server-1, ping dsm-server-2
     ping dsm-server-2

__2. From the network menu of dsm-server-2, ping dsm-server-1
     ping dsm-server-1

__3. From the host machine, ping each DSM
     ping 192.168.10.10
     ping 192.168.10.11

Part 3 Configure HA pairing

To pair and synchronize the primary and failover DSM you must enable communication. In this
section you will do the following:
Configure the primary DSM for communication
Convert failover DSM
Enable synchronization

3.1 Enable the primary DSM for communication to the failover

__1. Log in to the Management Console: from a Web browser, enter the following address
     https://192.168.10.10:8445

     Note: For the most consistent interface results use Internet Explorer.

__2. When prompted, click Continue at any message concerning certificate error.

__3. Log in, credentials = admin/admin123

__4. Trust the content from the DSM

__5. Change the password as prompted, recommended Admin123!

     Note: Do not use a password with a $ as this will cause an error in later steps. The
     password is case sensitive.

__6. Click the High Availability tab

__7. Click Add to add the failover server to the High Availability Servers list

__8. Type the name of the failover server in the Server Name field and click Ok

3.2 Convert the failover DSM

__1. Log in to the failover DSM, ID = cliadmin and password = cliadmin123

     Note: Ensure you are on the failover DSM. If you run the following steps on the primary
     DSM you will have to start over.

__2. Move to the ha menu
     ha

__3. Convert the DSM to a failover
     convert2failover
     yes
     dsm-server-1
     admin          (note: this is the admin account and not cliadmin)
     Admin123!      (note: this is the password if you used the recommended one; the
                    password is not displayed when typed)
     dsm-server-2   (note: it is not necessary to type the name if the name within the
                    square brackets is accurate)
     yes

     Note: It is not necessary to edit any of the entries as prompted by the CA generation.
     None of the entries will be validated against an external registration authority and can
     be simply bypassed by pressing the Enter/Return key.

The convert2failover can take as long as 30 minutes to finish.

3.3 Synchronize the primary and failover DSM

__1. From the management console, click the High Availability tab

     Note: The failover DSM now shows registered.

__2. Select the dsm-server-2 and click Config Replication

__3. When prompted, click OK to continue

     Note: This can take as long as 20 minutes to complete. When complete the
     synchronization time fields will be populated as well as Synchronization Status.

Additional Tasks
Answer the following questions concerning DSM setup and use.

__1. To install the DSM license you would require which of the following
     Cliadmin access
     System administrator access
     Domain administrator access
     Security administrator access

__2. Which of the following are replicated with a DSM HA configuration, mark all that apply
     Host IP information
     License information
     User account information, keys, and policies
     Keys and policies only
     Keys, policies, and audit records

__3. You must use the Serial Port interface to setup the initial DSM configuration.
     (True,False)

__4. DHCP is supported for eth1 but must use static addresses for eth0. (True,False)

__5. The DSM can store two versions of the DSM software. (True,False)

__6. What must be generated to move objects between DSMs such as configuration
     backups?

__7. The CLI Admin can reset which of the following accounts' passwords
     Other CLI Admin
     Other CLI Admin + System Admin
     System Admin
     None

Appendix A. Reference Material

IP Address shorthand:
http://www.sustworks.com/site/prod_ipr_subnets.html
Public NTP servers:
http://www.pool.ntp.org/en/

Appendix B. FAQs