Black Box ET1000A, ET0100A, ET0010A, ET10000A User Manual 2

The EncrypTight™ Manager Installation Guide provides detailed information on how to install and configure EncrypTight Manager software.
ET0010A ET0100A ET1000A ET10000A
Customer Support Information
Order toll-free in the U.S.: Call 877-877-BBOX (outside U.S. call 724-746-5500)
FREE technical support 24 hours a day, 7 days a week: Call 724-746-5500 or fax 724-746-0746
Mailing address: Black Box Corporation, 1000 Park Drive, Lawrence, PA 15055-1018
Web site: www.blackbox.com • E-mail: info@blackbox.com

Table Of Contents

About This Document
EncrypTight Manager 3.3 Installation Options
Virtual Machine Options
EncrypTight-Manager-3.3-standalone
EncrypTight-Manager-3.3
Hardware Options
Installation Options
Firewall Information
Installation Examples
Single Server Install
Configuring Networking Parameters
Running the Installation Script
System Requirements
Virtual Machine Cluster Install
Hardware Cluster Install
Disaster Recovery Option
Run the installation scripts:
Ordering of actions is important.
Disaster Recovery Install
Using Single Server For Main Site
Testing Disaster Recovery
EncrypTight Manager Upgrade of an Existing ETM Instance
Upgrade Non-Cluster Instance of ETM
SCP upgrade file to ETM (Non-Cluster)
Execute the upgrade on the ETM server (Non-Cluster)
Upgrade ETM Cluster Instances
SCP upgrade file to ETM (Cluster)
Node Shut Down
Execute the upgrade on EACH Server in the Cluster in ORDER
Start up EACH Server in the Cluster in ORDER
Backing out of an upgrade
Backup and Restore of EncrypTight Manager
General Guidelines
Backup components provided by ETM
Hardware Server specifics
Drive failures
Other hardware component failures
Damage to the ETM software or database
Damage to the OS or filesystem
Example backup and restore procedures
Procedure 0. copying drives with dd (only for non-RAID systems!!!!)
Procedure 1. Backing up the entire filesystem
Procedure 2. Restoring the complete filesystem, including the OS
Procedure 3. Backing up the ETM software and data
Procedure 4. Restoring the ETM software and data
Procedure 5. Backing up the ETM database
Procedure 6. Restoring the ETM database
Restoring to factory defaults
VM Server specifics
Appendices
Hardware Disaster Recovery Cluster Install
Run the installation scripts:
Ordering of actions is important.
Preparation for DR listening
Actions on DR activation (failover occurs)
Failback
EncrypTight Manager OVA Deployment Using vSphere Client
Applications
Installing the CSM OVA
Setup Networking

Preface

About This Document

Purpose

The EncrypTight Manager Installation Guide provides detailed information on how to install and configure EncrypTight Manager software.

Intended Audience

This document is intended for network managers and security administrators who are familiar with setting up and maintaining network equipment. Some knowledge of network security issues and encryption technologies is assumed.

Assumptions

This document assumes that its readers have an understanding of the following:
Black Box encryption appliance features, installation and operation
Basic principles of network security issues
Basic principles of encryption technologies and terminology
Basic principles of TCP/IP networking, including IP addressing, switching and routing
Personal computer (PC) operation, common PC terminology, use of terminal emulation software and FTP operations
Basic knowledge of the Linux operating system

Conventions used in this document

Bold: Indicates one of the following:
  a menu item or button
  the name of a command or parameter
Italics: Indicates a new term
Monospaced: Indicates machine text, such as terminal output and filenames
Monospaced bold: Indicates a command to be issued by the user

How to comment

Customer comments on Black Box documents are welcome. Send your comments to:
Black Box Corporation
1000 Park Drive
Lawrence, PA 15055-1018
email: info@blackbox.com

Contacting Customer Support

Technical support services are accessible through the Black Box support center.
US (toll free): 1-877-877-BBOX
International: outside U.S. call 724-746-5500
Email: info@blackbox.com
Web: www.blackbox.com
FREE technical support 24 hours a day, 7 days a week: Call 724-746-5500 or fax 724-746-0746

EncrypTight Manager 3.3 Installation Options

Virtual Machines
  EncrypTight-Manager-3.3-standalone
  EncrypTight-Manager-3.3
    single server
    cluster high availability
    single server disaster recovery
Hardware
  EncrypTight-Manager-3.3
    single server
    cluster high availability
    single server disaster recovery
We will be using RedHat kickstart technology to install directly to hardware and to build the Virtual Machines. This allows us to define the exact same packaging for both Virtual Machines and bare metal.
The base operating system used will be CentOS 6 with the current released updates applied.

Virtual Machine Options

EncrypTight-Manager-3.3-standalone

These virtual machine appliances will be distributed as zip files that contain the VMware files that can be used in VMware Player.
Once started, the standalone version will boot up and become available on the network.
VMware will start up without any modification to the configuration and will use DHCP to connect to the host's bridged network.
Standalone will be started with 1024MB of RAM and 20G of disk; the 20G of disk will be an auto-expanding disk.
Standalone will be preconfigured with everything necessary to run; no user interaction will be needed before it is available to the end user.
The Standalone version will only be available as a 32-bit appliance, so it can be run on both 32-bit and 64-bit hosts.
Standalone will only have access to 25 concurrent threads for PEP communication.
Supported Virtual Machines for EncrypTight-Manager-3.3-standalone
VMware Player

EncrypTight-Manager-3.3

NOTE
Available in 32 and 64 bit architectures
Expects to be run in an environment where the VM has at least 2GB of RAM and 40GB of disk
This virtual machine is set up so that when it first boots it will initialize the operating system for use by EncrypTight Manager. It will not be fully configured until there is some user interaction to finish the installation options of EncrypTight Manager.
Installation Options
Single server: 1 VM
High Availability cluster: Minimum 2 VMs on different hardware
Disaster recovery server: 1 VM
Communication over ports must be possible to the Main site. Port 22 must be available on the DR server and port 8764 must be available on each server in the main cluster.
These ports are made available by default.
Supported Virtual Machines for EncrypTight-Manager-3.3
VMware

Hardware Options

Hardware is provided (either Dell r310s or r200s, with a minimum of 4GB of RAM).
Hardware versions are exactly the same as the Virtual Machine offerings; they are just installed directly to hardware.

Installation Options

Single server - 1 server
High Availability cluster - Minimum 2 servers
Disaster recovery server - 1 server, communication over ports must be possible to the Main site: 22 and 8764

Firewall Information

NOTE
Servers in cluster must have the following ports available:
TCP: 21, 2221, 22, 80, 8080, 443, 8443, 8764, 5432, 47788, 47799
UDP: 45588, 46688, 45599, 46699
These ports are made available by default.

Installation Examples

Single Server Install

Either deploy the EncrypTight Manager virtual machine using management software such as VMware vSphere or power on the ETM server hardware. When the machine is ready, switch to the console view. You should see a screen similar to this:
Figure 1 EncrypTight Manager Console view

Configuring Networking Parameters

Once the machine is running, you can configure networking parameters. This includes assigning a static IP address, netmask, and gateway address.
To configure an IP address and netmask:
1 Click in the console window to activate it.
2 Use the arrow keys to highlight Configure Network and press Enter.
3 At the Network Configuration Main Menu, type 6 and press Enter.
4 At the prompt to configure an IPv4 address, type y and press Enter.
5 At the prompt to use DHCP, type n and press Enter.
6 At the IPv4 prompt enter the IP address that you want to use and press Enter.
7 At the Netmask prompt, enter the netmask that you want to use and press Enter.
8 When you are prompted for confirmation, type y and press Enter.
To configure the gateway address:
1 At the Main Menu, type 2 and press Enter.
2 At the prompt to choose an interface to associate with the default gateway, type the number and press Enter.
3 At the IPv4 default Gateway prompt, type the IP address of the gateway and press Enter.
4 Type 1 and press Enter to exit the menu.
Note that you can use the same menu to assign a hostname, specify a DNS server, set up a proxy server, or view the current networking configuration.

Running the Installation Script

Once the virtual machine has been deployed and networking parameters are configured, you need to run a script to specify the type of installation you are setting up. The options include:
Stand alone - a single virtual machine
Cluster - multiple virtual machines
Disaster recovery - a virtual machine that serves as a disaster recovery server for either a stand alone installation or a cluster.
You must log into the virtual machine in order to complete the installation. Log in using the default account of root with the password pserver.
To run the stand alone installation script:
In the console window, use the arrow keys to highlight Login and press Enter.
At the login prompt, type root and press Enter.
At the Password prompt, type pserver and press Enter.
If you would like to modify settings you can edit /opt/scripts/policyserver-init.conf. Emacs, nano, and vi are available on the OS.
Once modified you can run the installation script:
/etc/init.d/policyserver-install
System Requirements
VM
2G of RAM
40G of disk space
1 processor core
Hardware
2G of RAM
40G of disk space
1 processor core

Virtual Machine Cluster Install

These install options are valid in a VM or on hardware
If you are going to have the cluster on node1 = 192.168.80.1 and node2 = 192.168.80.2 then you would run like this on both installs:
Modify the /opt/scripts/policyserver-init.conf and set the following. Emacs, nano, and vi are available on the OS.
###############################################################################
#######
#######   Cluster options
#######
#
## for a clustered installation node1 and node2 must be set the same
## on each of the hosts in the cluster, same ordering
node1=192.168.80.1
node2=192.168.80.2
#
# clusterJdbcMcast=229.10.10.10
# clusterMcast=228.10.10.10
# clusterName=policyserver
#
###############################################################################
Run the installation script:
/etc/init.d/policyserver-install
It is important that the ordering of IP addresses stays the same for node1 and node2 on both machines in the cluster.
Ordering of actions is important.
You should install in the following steps:
1 Deploy OVA app server #1 (See Appendices - EncrypTight Manager OVA Deployment Using vSphere Client)
2 Deploy OVA app server #2 (See Appendices - EncrypTight Manager OVA Deployment Using vSphere Client)
3 Assign IP of app server #1
4 Assign IP of app server #2
5 Run cluster install on app server #1 ( same order of IP addresses on both )
6 IMPORTANT: WAIT for app server #1 to fully start
7 Run cluster install on app server #2 ( same order of IP addresses on both )
Once installation is complete you can view the web interface from either of the cluster nodes' IP addresses.
To verify that the cluster is in place check the Platform -> Utilities page DB Nodes and Appserver Nodes.

Hardware Cluster Install

If you are going to have the cluster on node1 = 192.168.80.1 and node2 = 192.168.80.2 then you would run like this on both installs:
Modify the /opt/scripts/policyserver-init.conf and set the following. Emacs, nano, and vi are available on the OS.
NOTE
Support for a crossover cable connection between node1 and node2 has been added in the hardware cluster installation.
###############################################################################
#######
#######   Cluster options
#######
#
## for a clustered installation node1 and node2 must be set the same
## on each of the hosts in the cluster, same ordering
node1=192.168.80.1   - THE IP OF NODE 1
node2=192.168.80.2   - THE IP OF NODE 2
#
# clusterJdbcMcast=229.10.10.10
# clusterMcast=228.10.10.10
# clusterName=policyserver
#
###############################################################################
###############################################################################
#######
#######   VM tuning options
#######
#
## max number of workder threads in the application server, MUST be more than 2 x mdbQueueThreads
maxServerThreads=500
## max number of high queue threads, max number of low queue threads
mdbQueueThreads=200
#
## at least 2G of RAM
# minMemory=512
# maxMemory=768
# permSize=128
# maxPermSize=256
#
## at least 4G of RAM
minMemory=768
maxMemory=1280
permSize=128
maxPermSize=384
#
## additional JVM options
# javaOpts="-XX:+UseFastAccessorMethods"
#
###############################################################################
Disaster Recovery Option
If this cluster is going to have a disaster recovery site assigned to it then you need to modify the following section of the /opt/scripts/policyserver-init.conf:
###############################################################################
#######
#######   Disaster Recovery options
#######
#
## When this server will use a disaster recovery site set the following:
heartbeatEnabled=true
disasterEnabled=true
disasterHost=192.168.80.X   - THE IP OF THE DISASTER RECOVERY SERVER
# disasterUser=pserver
# disasterPass=pserver
# heartbeatPort=8764
#
#
## When this server IS the disaster recovery site set the following:
# disasterServer=true
# disasterServerUser=admin
# heartbeatInterval=30000
## comma separated list of hosts to check
# heartbeatHosts= COMMA SEPARATED LIST OF SERVERS IN THE MAIN SITE
#
#
###############################################################################
Run the installation scripts:
It is important that the ordering of IP addresses stays the same for node1 and node2 on both machines in the cluster.
Be sure that the following TCP and UDP ports are available between each server in the cluster:
TCP: 21, 2221, 22, 80, 8080, 443, 8443, 8764, 5432, 47788, 47799
UDP: 45588, 46688, 45599, 46699
Ordering of actions is important.
NOTE
You should install in the following steps:
1 Power on both servers
2 Assign IP to server #1
3 Assign IP to server #2
4 Make sure that server #1 can see server #2 on the network
5 Run /etc/init.d/policyserver-install on server #1 ( same order of IP addresses on both )
6 IMPORTANT: WAIT for server #1 to fully complete the install and startup
7 Run /etc/init.d/policyserver-install on server #2 ( same order of IP addresses on both )
Once installation is complete you can view the web interface from either of the cluster nodes' IP addresses.
To verify that the cluster is in place check the Platform -> Utilities page DB Nodes and Appserver Nodes.
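The script below is an added example, not part of the Black Box guide or the ETM software: a pre-flight check for the settings this section stresses before /etc/init.d/policyserver-install is run (identical node1/node2 ordering on both hosts, maxServerThreads more than 2 x mdbQueueThreads, and usable Disaster Recovery values). The function names, the sample file names and the sample values are assumptions, and both sample configs are constructed.

```sh
#!/bin/sh
# Added example (not vendor code): pre-flight checks for policyserver-init.conf
# to run before /etc/init.d/policyserver-install on each cluster node.

# Print the value of an active (uncommented) key=value line, or nothing.
conf_get() {  # conf_get FILE KEY
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); sub(/[ \t\r]+$/, ""); print; exit }' "$1"
}
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# node1 and node2 must be set and listed in the same order on both hosts.
check_node_order() {  # check_node_order CONF_A CONF_B
    for key in node1 node2; do
        val_a=$(conf_get "$1" "$key"); val_b=$(conf_get "$2" "$key")
        if [ -z "$val_a" ] || [ "$val_a" != "$val_b" ]; then
            echo "FAIL $key: '$val_a' on first host, '$val_b' on second"; return 1
        fi
    done
    echo "OK node1/node2 identical and in the same order"
}

# maxServerThreads MUST be more than 2 x mdbQueueThreads.
check_threads() {  # check_threads CONF
    max_t=$(conf_get "$1" maxServerThreads); mdb_t=$(conf_get "$1" mdbQueueThreads)
    if ! is_uint "$max_t" || ! is_uint "$mdb_t"; then
        echo "FAIL thread settings missing or not numeric"; return 1
    fi
    if [ "$max_t" -le $((2 * $mdb_t)) ]; then
        echo "FAIL maxServerThreads=$max_t is not more than 2 x $mdb_t"; return 1
    fi
    echo "OK maxServerThreads=$max_t > 2 x $mdb_t"
}

# With disasterEnabled=true, disasterHost must be a dotted-quad address (the
# guide's 192.168.80.X is a placeholder) and disasterPass must not still be
# the value printed in the guide.
check_dr() {  # check_dr CONF
    [ "$(conf_get "$1" disasterEnabled)" = "true" ] || { echo "OK DR not enabled"; return 0; }
    dr_rc=0
    if ! conf_get "$1" disasterHost | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "FAIL disasterHost is not an IPv4 address"; dr_rc=1
    fi
    if [ "$(conf_get "$1" disasterPass)" = "pserver" ]; then
        echo "FAIL disasterPass is still the value printed in the guide"; dr_rc=1
    fi
    [ "$dr_rc" -eq 0 ] && echo "OK DR settings"
    return "$dr_rc"
}

# Constructed sample configs: a.conf is consistent, b.conf has three mistakes.
demo_dir=$(mktemp -d)
printf '%s\n' node1=192.168.80.1 node2=192.168.80.2 '# clusterName=policyserver' \
    maxServerThreads=500 mdbQueueThreads=200 disasterEnabled=true \
    disasterHost=192.168.80.9 disasterPass=constructed-example > "$demo_dir/a.conf"
printf '%s\n' node1=192.168.80.2 node2=192.168.80.1 maxServerThreads=400 \
    mdbQueueThreads=200 disasterEnabled=true disasterHost=192.168.80.X \
    disasterPass=pserver > "$demo_dir/b.conf"
check_node_order "$demo_dir/a.conf" "$demo_dir/b.conf" || true
check_threads "$demo_dir/b.conf" || true
check_dr "$demo_dir/b.conf" || true
```

On real nodes, copy the second server's policyserver-init.conf to the first (for example with scp) and pass both paths to check_node_order before starting the install on server #1.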

Disaster Recovery Install

Using Single Server For Main Site
Main Site
Assign an IP to the Main site installation.
Modify the /opt/scripts/policyserver-init.conf and set the following. Emacs, nano, and vi are available on the OS.
The disasterHost IP should be the IP of the Disaster Recovery server.
###############################################################################
#######
#######   Disaster Recovery options
#######
#
## When this server will use a disaster recovery site set the following:
heartbeatEnabled=true
disasterEnabled=true
disasterHost=192.168.80.X   - THE IP OF THE DISASTER RECOVERY SERVER
disasterUser=pserver
disasterPass=pserver
heartbeatPort=8764
#
#
## When this server IS the disaster recovery site set the following:
# disasterServer=true
# disasterServerUser=admin
# heartbeatInterval=30000