Chapter 3: CloudLink Center
After deployment, the CloudLink environment is managed with the CloudLink Center web application, which is accessed over HTTPS.
Managing User Accounts
CloudLink Center defines three user roles: secadmin, admin, and observer. The default user credentials for CloudLink Center are as follows:
User name: secadmin
Password: clsecadmin
Note: If you’re deploying from the AWS Marketplace, enter the AWS instance ID of the CloudLink Center instance as the default password.
The secadmin user has full access to all CloudLink Center functionality including user account management.
WARNING: For security purposes, you should change the default secadmin password to prevent unauthorized access. For more information, see “Changing Local User Account Passwords”.
User Accounts
Each person who needs to work with CloudLink must have a user account in CloudLink Center. The access role of a CloudLink Center user account defines what functions the user is permitted to perform in the CloudLink system.
You can create two types of CloudLink Center user accounts:
Local accounts: These user accounts exist in and are applicable only to the CloudLink system.
Domain accounts: Rather than creating users specifically for your CloudLink needs, you can reuse existing user accounts in your organization’s Microsoft Active Directory (AD) domain and assign those accounts the appropriate CloudLink Center access role.
Note: Before you can add Domain accounts, you must configure an Active Directory Domain. For more information, see “Configuring an Active Directory Domain for User Accounts”.
User account parameters are as follows:
User Name: Name to identify the user in the system.
Access Role: The access roles are secadmin, admin, and observer.
The secadmin user has full access to all CloudLink Center functionality, including secure storage management and keystore configuration. This user can create user accounts in CloudLink Center and change passwords for users. The secadmin user is the only user who is authorized to see the Security Events log and results of Security Audit tests.
The admin user has full access to all CloudLink Center functionality, except secure storage management and keystore configuration. The admin user cannot see the Security Events log or the results of Security Audit tests. This user can change the passwords of admin and observer users.
The observer user can monitor statistics on the CloudLink Center and view SLA test results.
User Type: The options are local and domain. If you select domain, the user will be able to reuse the password from the domain user account to log on to CloudLink Center. If you select local, the user must enter a password to access CloudLink Center.
Verifying Your Access Role for the Current Session
To verify your access role for the current CloudLink Center session, note the user name shown in the top right corner of the CloudLink Center window.
Follow the instructions provided in “Viewing Current User Accounts” and correlate the current session user name with that account's Access Role in the User Accounts panel. In this example, user randall has the admin access role on a local account.
Viewing Current User Accounts
You can view user accounts in the User Accounts panel.
The Built-in column displays yes for the default user account secadmin.
Steps
1. From the Topology Tree, select CloudLink Center.
2. On the Administration tab, in the Options panel, click User Accounts.
Adding User Accounts
Steps
1. Log in as a secadmin or admin user.
2. From the Topology Tree, select CloudLink Center.
3. On the Administration tab, in the Options panel, click User Accounts.
4. From the Add User panel, select a user type from the User Type list (see “User Accounts”).
5. Type a user name.
If the user type is domain, type the exact user name from the domain user account. If the specified user name is not found in the Active Directory, the system displays an error message. For information about Active Directory domains, see “Configuring an Active Directory Domain for User Accounts”.
6. From the Access Role list, select a role for the user (see “User Accounts”).
7. Click Add to add a user to the User Accounts panel.
8. For local user types, enter a password for the user. The password must include at least six characters. Six characters is only the enforced minimum; use a substantially longer password.
Changing Local User Account Passwords
As a secadmin user, you can change the CloudLink Center password of all local users without entering the current user account password. As an admin user, you must enter the current local user password before changing the password of an admin or observer user. Observer account users cannot change their passwords.
Steps
1. Log in as a secadmin or admin user.
2. From the Topology Tree, select CloudLink Center.
3. On the Administration tab, in the Options panel, click User Accounts.
When logged in as an admin user, only the admin and observer accounts are visible from the User Accounts panel.
4. In the User name list, right-click a user account and click Change password.
The Change password window differs by role: for a secadmin user, no current password is requested; for an admin user, the current password must be entered before the new one.
5. In the Change password window, type the current password if required and then type and confirm the new password.
6. Click OK.
Configuring an Active Directory Domain for User Accounts
Rather than creating users specifically for your CloudLink needs, you can reuse existing user accounts in your organization’s Microsoft Active Directory (AD) domain and assign those accounts the appropriate CloudLink Center access roles.
Steps
1. Log in as a secadmin or admin user.
2. From the Topology Tree, select CloudLink Center.
3. On the Administration tab, in the Options panel, click AD Domain.
4. In the Controller Configuration panel, specify the Active Directory parameters:
Host: The Active Directory host IP address (the Active Directory host is a Windows Server where the Active Directory is configured).
Secondary Host: The Active Directory host IP address available for redundancy.
Domain: The domain name configured on the Active Directory host (for example, acme.com).
User: A bind user configured on the Active Directory host with administrator privileges.
Password: The password configured for the bind user.
5. Click Apply. CloudLink Center now authenticates domain users against the configured Active Directory.
6. Add users from Active Directory (see “Adding User Accounts”) to allow them to log into CloudLink Center.
The Domain status is Inaccessible (in red text) if the Active Directory host cannot be reached because of a network problem, or if the configured bind user fails to authenticate. While the Active Directory is inaccessible, all domain login attempts are disabled; local accounts are unaffected. Check the Action logs to determine why the domain is inaccessible.
If Active Directory is inaccessible, it may take a few seconds to redisplay the AD Domain table.
Configuring CloudLink Center Session Timeout
CloudLink Center can be configured to close user sessions after a specified period of inactivity. If the user performs no operations for the specified period, the user is logged out and the login page is displayed. Actions that do not affect the CloudLink system state, such as switching CloudLink Center tabs, do not reset the session countdown timer.
Steps
1. Log in as a secadmin or admin user.
2. From the Topology Tree, select CloudLink Center.
3. On the Administration tab, in the Options panel, click Session.
4. Enter a value in minutes from 0 to 60 for Session timeout, where 0 disables the session timeout feature. With the timeout disabled, an idle session stays authenticated indefinitely, so leave it enabled unless you have a specific reason not to.
5. Click Apply.
Configuring a Domain Name Server
CloudLink Center may be configured to resolve hostnames using a Domain Name System (DNS) server.
CloudLink must be configured with a DNS server if you wish to resolve vCenter or NTP server hostnames.
This section shows you how to add and delete a DNS from CloudLink Center.
Steps to add a DNS
1. Log in as a secadmin or admin user.
2. From the Topology Tree, select CloudLink Center.
3. Click the Administration tab.
4. Click DNS.
5. Enter the IP address of the DNS in the IP address field and click Add.
Steps to delete a DNS server
1. Log in as a secadmin or admin user.
2. From the Topology Tree, select CloudLink Center.
3. Click the Administration tab.
4. Click DNS.
5. In the DNS Servers list, right-click the DNS you want to delete.
6. Click Delete.
Configuring Network Time Protocol Servers
You can synchronize CloudLink Center with a time of day obtained from Network Time Protocol (NTP) servers. By default, CloudLink is configured with four NTP servers.
If you are planning to use a hostname for the NTP server, ensure that you have configured at least one DNS server first (see “Configuring a Domain Name Server”).
You can add and delete NTP servers.
Steps to add an NTP server
1. Log in as a secadmin or admin user.
2. From the Topology Tree, select CloudLink Center.
3. On the System tab, in the Options panel, click System Time.
4. In the Configuration panel, type the IP address or hostname of the NTP server in the NTP Server field and click Add.
Steps to delete an NTP server
1. Log in as a secadmin or admin user.
2. From the Topology Tree, select CloudLink Center.
3. On the System tab, in the Options panel, click System Time.
4. In the NTP Servers list, right-click the NTP server.
5. Click Delete.
Managing SecureVM Licenses
SecureVM license files determine the number of VMs that your organization can manage using CloudLink Center and the duration of the license. For example, your license can identify you either by domain or customer ID, and allow you to run 10 VMs in CloudLink Center for 120 days. If your license uses a domain value to identify you, all licenses installed on CloudLink Center must contain the same domain value.
Keep the following in mind when determining the license options you require:
When a new VM is registered, CloudLink Center checks the number of VMs allowed by the remaining active licenses. The current number of VMs registered must be less than the number allowed by the active licenses. If not, the registration is rejected and an event is generated. For information about registering VMs, see the CloudLink SecureVM Deployment Guide.
When a license expires, CloudLink Center rejects new VM registrations if the current number of VMs registered equals the number allowed by the active licenses. No other actions are taken.
Licensing involves the following tasks:
uploading a license file to CloudLink Center (see “Uploading Licenses”)
assigning the license to CloudLink Center (see “Assigning Licenses”)
Uploading Licenses
You upload license files to make licenses available to CloudLink Center. Uploading a license does not activate it. You must assign the license (see “Assigning Licenses”) before it goes into effect. For convenience, you may want to upload licenses when you obtain them, but wait until they are needed to assign them.
Steps
1. Log in as a secadmin user.
2. From the Topology Tree, select CloudLink Center.
3. On the System tab, in the Options panel, select SecureVM License.
4. From the License Registration panel, click the browse button to access the File Upload dialog.
5. From the File Upload dialog, locate and select a license file, and click OK.
6. Click the Upload button to upload and display the license file in the License Pool panel.
The license appears under the Unassigned heading. The license information for new licenses includes the Type, Platform, Limit (maximum number of VMs), and Duration in days. The Start Date and End Date are not displayed because the license has not been assigned.
Assigning Licenses
You can assign a license that’s been uploaded to CloudLink Center (see “Uploading Licenses”).
When you assign a license, CloudLink Center calculates the license expiry date: the expiry (end date) is the selected start date plus the license duration. Each day, CloudLink Center checks whether any assigned license expires within the next 60 days. For a license expiring within the next 60 days, a "non-compliance reminder" event is created; within the next 30 days, a "non-compliance warning" event is created.
These events are created separately for each assigned license, regardless of whether the deployment still has enough unexpired licenses to remain in compliance.
Steps
1. Log in to CloudLink Center as a secadmin or admin user.
2. From the Topology Tree, select CloudLink Center.
3. Click the SecureVM tab.
4. In the Options panel, select License.
5. From the License Assignment panel, select a license from the Available Licenses list. Only valid licenses are displayed in the list.
6. Click the calendar icon and select a start date for the license (past, present, or future).
The selected date is reflected in the Start Date field as YYYY-MM-DD.
7. Click Assign.
8. Observe the graph in the License Usage panel.
For each assigned license, the graph heading displays the number of VMs and the license expiry date. The graph depicts the number of VMs and the valid dates for the license. Moving the mouse pointer over the starting point of a graph line displays the start date and moving the mouse pointer over the end point of a graph line displays the end date.
Importing a Signed CA Certificate
By default, CloudLink Center uses a self-signed certificate. When connecting to CloudLink Center, the web browser may display several security warnings, because a self-signed certificate cannot be chained to a certification authority (CA) that the browser trusts.
To stop these warnings from being displayed, obtain a certificate for CloudLink Center that has been signed by a trusted CA and import it into CloudLink Center. Subsequent web browser connections to CloudLink Center will then connect without security warnings.
CloudLink supports two certificate formats:
PEM (Privacy-Enhanced Mail) format. Certificates in this format are provided in files with the filename extension .pem. The matching private key is held in a separate file. This key is generated on your side together with the certificate signing request (CSR) you send to the CA; the CA signs the request and returns the certificate but never receives the private key.
The private key file is required, along with the .pem certificate, for CloudLink Center to use the certificate.
PKCS#12 format. Certificates in this format are provided in files with the filename extension .p12, which bundle the certificate and its private key in one file.
The .p12 bundle is protected by a password, which must be supplied to extract the certificate and private key from it.
You can view information about the current certificate. This information includes the certificate subject, expiration date and SHA1 fingerprint.
Steps
1. Log in as a secadmin or admin user.
2. From the Topology Tree, select CloudLink Center.
3. On the Certificates tab, in the Options panel, click Web SSL.
4. From the Configuration panel, select a certificate format from the Certificate Format list.
5. From the Certificate Source box, click the browse button to access the File Upload dialog.
6. From the File Upload dialog, access the location where the certificate is stored, select the certificate file, and click Open.
7. Do one of the following:
For a certificate using the .pem format, from the Key Source box, click the browse button to access the File Upload dialog. Locate the private key file and click Open.
For a certificate using the .p12 certificate format, in the Password box, type the password provided with the certificate file.
8. Click Upload.
9. Verify the Subject, End Date, and SHA1 Fingerprint information to ensure this is the certificate you want to use. Compare the fingerprint against one computed locally from the certificate file rather than relying on the displayed value alone.
10. Click Apply.
11. Click OK to confirm that the web server will restart and the connection will be terminated.
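The checks below are an added example and are not part of the CloudLink manual or product. They show, in POSIX shell with the OpenSSL command-line tool (assumed to be installed), the pre-upload work a practitioner would do for the procedure above: generating the private key and CSR locally so the key never leaves the host, confirming the private key actually matches the certificate (a mismatch would otherwise only surface after the Upload step), computing the SHA-1 fingerprint independently so it can be compared with the value CloudLink Center shows in step 9, checking the end date, and producing a .p12 bundle for the PKCS#12 import path. The file names and the host name cloudlink.example are placeholders.

```shell
#!/bin/sh
# Added example (not from the CloudLink manual or product): local checks on a
# Web SSL certificate and key before uploading them to CloudLink Center.
# Assumes the OpenSSL CLI is installed; file names and cloudlink.example are
# placeholders chosen for this example.
set -eu

# Generate a private key and a certificate signing request (CSR) locally.
# Only the CSR is sent to the CA; the key file stays on this host and is the
# "Key Source" file CloudLink Center asks for with a .pem certificate.
make_csr() {
  key="$1"; csr="$2"; cn="$3"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
    -subj "/CN=$cn" 2>/dev/null
}

# SHA-1 fingerprint of a PEM certificate, computed from its DER encoding and
# printed in the AB:CD:... form shown by CloudLink Center.
sha1_fingerprint() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha1 \
    | sed 's/^.*= *//' | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# The same fingerprint as reported by openssl's own -fingerprint option,
# used as an independent cross-check.
openssl_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Succeeds only if the private key's public half equals the public key in
# the certificate. Compares SHA-256 digests of the DER-encoded public keys.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate remains valid for at least $2 more seconds.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Bundle certificate and key as PKCS#12 for the .p12 import path; the
# password protects the private key inside the bundle.
make_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}
```

Typical use before step 5 of the procedure: run key_matches_cert and cert_valid_for on the signed certificate and your key, note the output of sha1_fingerprint, and after step 8 compare it with the SHA1 Fingerprint CloudLink Center displays before clicking Apply. Prefer the .pem path with a separately stored key file over shipping a .p12 whose password travels with it.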
Managing Encryption Keystores
CloudLink Center can provide one or more encrypted volumes. The volumes are initially encrypted with a default encryption key. You must change the default encryption key before using the storage. You can also configure automatic encryption key changes at a set time interval.
CloudLink provides several options to store encryption keys (keystore):
Local (the default keystore)
Active Directory
Amazon S3
RSA Data Protection Manager (DPM)
Note: Initially, the storage status shown in the CloudLink Center is Unlocked, and the key name is shown as Undefined, which means that the storage was opened using the default encryption key.
If you’re creating a CloudLink Center cluster, you must use the Local keystore while creating it. After creating the cluster, you can change to an external keystore.
All encryption key operations are available from CloudLink Center only and require the secadmin user account.
This section shows you how to:
Manage Encryption Keys Using the Local Keystore
Display the Current Location of the Encryption Keystore
Configure Microsoft Active Directory as the Keystore
Configure Amazon S3 as the Keystore
Configure RSA DPM as the Keystore
Change Encryption Keystores
Manage Encryption Keys Using the Local Keystore
By default, the Local keystore is used and all encryption keys are stored in CloudLink Center.
A secadmin user can save and restore the keys using the Export Keys and Import Keys options available from the CloudLink Center Security, Key Store panel.
To retain access to encrypted data in the event of an unrecoverable failure of CloudLink Center when using the Local keystore, export the encryption keys on a regular basis and store the exported file in a secure location separate from CloudLink Center. All keys are exported as a set into a single file. The exported keys allow you to access the encrypted data from another CloudLink Center.
Display the Current Location of the Encryption Keystore
Steps
1. Log in as a secadmin user.
2. From the Topology Tree, select CloudLink Center.
3. Click the Key Store tab.
Configure Microsoft Active Directory as the Keystore
To use Microsoft Active Directory for the CloudLink keystore, you must deploy a Windows server so that it is reachable by CloudLink Center. For information on configuring an Active Directory on a Windows server, see “Appendix A: Configuring Microsoft Active Directory as the Keystore”.
Before configuring Active Directory as the keystore, you must configure the DNS server (see “Configuring a Domain Name Server”).
Note: All encryption key and storage management operations require the secadmin user account. The storage state and storage statistics can also be viewed by admin and observer users.
Steps
1. Configure Active Directory.
2. Log in as a secadmin user.
3. From the Topology Tree, select CloudLink Center.
4. On the Key Store tab, in the Options panel, click Active Directory.
5. In the Active Directory Configuration panel, specify the Active Directory parameters:
Host: The Active Directory host, as a fully qualified domain name (FQDN).
Port: The TCP port number configured on the Active Directory host (for example, 389).
Base DN: The base distinguished name (DN) of the security group configured on the Active Directory host.
User: The login name for the bind user in the security group.
Password: The password configured for the bind user.
Key Store Password:
The value used to encrypt the keys stored on Active Directory. You can type any password, but ensure that you record it in another location. This password is required to recover keys in the event of CloudLink Center failure.
When configuring the keystore for a CloudLink Center cluster, ensure that you specify the same key password for both the master and slave server.
Note: The Port, Base DN, User and Password parameters are part of the Active Directory configuration of Windows Server.
6. Click Apply to use the configured Active Directory for storage of CloudLink encryption keys.
The keystore status is Inaccessible in red if the Active Directory host cannot be reached because of a