
Vormetric Data Firewall for AWS

All-in-Cloud Installation Guide

Document Version 1.2

January 29, 2014


Document Version 1.2 January 29, 2014 50-1000008-07

Produced in the United States of America

Copyright (C) 2009 - 2014 Vormetric, Inc. All rights reserved. NOTICES, LICENSES, AND USE RESTRICTIONS

Vormetric is a registered trademark of Vormetric, Inc. in the United States (U.S.) and certain other countries. Microsoft, Windows, Windows XP, Windows NT, SQL Server and the Windows logo are trademarks of Microsoft Corporation in the U.S., other countries, or both.

UNIX is a registered trademark of The Open Group in the U.S. and other countries. Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.

Oracle, Oracle ASM, Solaris, SPARC, Oracle Enterprise Linux and Java are registered trademarks of Oracle Corporation and/or its affiliates.

IBM, IBM logo, ibm.com, AIX, DB2, PowerPC, DB2 Universal Database are trademarks of International Business Machines Corporation in the U.S., other countries, or both.

Intel, Intel logo, Intel Xeon, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the U.S. and other countries.

HP-UX is registered trademark of Hewlett-Packard Company in the U.S., other countries, or both.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the U.S., other countries, or both.

X Window System is a trademark of the Massachusetts Institute of Technology.

Red Hat and Red Hat Enterprise Linux, are trademarks of Red Hat, Inc., registered in the United States and other countries.

SUSE and SLES are registered trademarks of Novell, Inc. All other products described in this document are trademarks of their respective holders.

The Software and documentation contains confidential and proprietary information that is the property of Vormetric, Inc. The Software and documentation are furnished under Vormetric's Standard Master License Software Agreement (Agreement) and may be used only in accordance with the terms of the Agreement. No part of the Software and documentation may be reproduced, transmitted, translated, or reversed engineered, in any form or by any means, electronic, mechanical, manual, optical, or otherwise.

Licensee shall comply with all applicable laws and regulations (including local laws of the country where the Software is being used) pertaining to the Software including, without limitation, restrictions on use of products containing encryption, import or export laws and regulations, and domestic and international laws and regulations pertaining to privacy and the protection of financial, medical, or personally identifiable information. Without limiting the generality of the foregoing, Licensee shall not export or re-export the Software, or allow access to the Software to any third party including, without limitation, any customer of Licensee, in violation of U.S. laws and regulations, including, without limitation, the Export Administration Act of 1979, as amended, and successor legislation, and the Export Administration Regulations issued by the Department of Commerce.

Any provision of any Software to the U.S. Government is with "Restricted Rights" as follows: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.277.7013, and in subparagraphs (a) through (d) of the Commercial Computer-Restricted Rights clause at FAR 52.227-19, and in similar clauses in the NASA FAR Supplement, when applicable. The Software is a "commercial item" as that term is defined at 48 CFR 2.101, consisting of "commercial computer software" and "commercial computer software documentation", as such terms are used in 48 CFR 12.212 and is provided to the U.S. Government and all of its agencies only as a commercial end item. Consistent with 48 CFR 12.212 and DFARS 227.7202-1 through 227.7202-4, all U.S. Government end users acquire the Software with only those rights set forth herein. Any provision of Software to the U.S. Government is with Limited Rights. Vormetric is Vormetric, Inc. at 2545 N 1st St., San Jose, CA, 95131-1003, (408) 433-6000.

VORMETRIC, INC., PROVIDES THIS SOFTWARE AND DOCUMENTATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT OF THIRD PARTY RIGHTS, AND ANY WARRANTIES ARISING OUT OF CONDUCT OR INDUSTRY PRACTICE. ACCORDINGLY, VORMETRIC DISCLAIMS ANY LIABILITY, AND SHALL HAVE NO RESPONSIBILITY, ARISING OUT OF ANY FAILURE OF THE SOFTWARE TO OPERATE IN ANY ENVIRONMENT OR IN CONNECTION WITH ANY HARDWARE OR TECHNOLOGY, INCLUDING, WITHOUT LIMITATION, ANY FAILURE OF DATA TO BE PROPERLY PROCESSED OR TRANSFERRED TO, IN OR THROUGH LICENSEE'S COMPUTER ENVIRONMENT OR ANY FAILURE OF ANY TRANSMISSION HARDWARE, TECHNOLOGY, OR SYSTEM USED BY LICENSEE OR ANY LICENSEE CUSTOMER. VORMETRIC SHALL HAVE NO LIABILITY FOR, AND LICENSEE SHALL DEFEND, INDEMNIFY, AND HOLD VORMETRIC HARMLESS FROM AND AGAINST, ANY SHORTFALL IN PERFORMANCE OF THE SOFTWARE, OTHER HARDWARE OR TECHNOLOGY, OR FOR ANY INFRINGEMENT OF THIRD PARTY INTELLECTUAL PROPERTY RIGHTS, AS A RESULT OF THE USE OF THE SOFTWARE IN ANY ENVIRONMENT. LICENSEE SHALL DEFEND, INDEMNIFY, AND HOLD VORMETRIC HARMLESS FROM AND AGAINST ANY COSTS, CLAIMS, OR LIABILITIES ARISING OUT OF ANY AGREEMENT BETWEEN LICENSEE AND ANY THIRD PARTY. NO PROVISION OF ANY AGREEMENT BETWEEN LICENSEE AND ANY THIRD PARTY SHALL BE BINDING ON VORMETRIC.

Protected by U.S. patents: 6,678,828; 6,931,530; 7,143,288; 7,283,538; 7,334,124

Vormetric Data Security includes a restricted license to the embedded IBM DB2 database. That license stipulates that the database may only be used in conjunction with the Vormetric Security Server. The license for the embedded DB2 database may not be transferred and does not authorize the use of IBM or 3rd party tools to access the database directly.


Document Version 1.2 All-in-Cloud Installation Guide

Preface . . . i

Intended audience . . . i

Typographical conventions . . . i

Service updates and support information . . . ii

Sales and Support . . . ii

1 Overview . . . 1

Assumptions . . . 1

Installation Process . . . 2

2 Vormetric Data Security on Amazon VPC . . . 3

Installing a Data Security Manager (DSM) in the Amazon VPC . . . 3

Installing Protected Hosts in the Amazon VPC . . . 23

3 Vormetric Data Security on Amazon EC2 Classic . . . 29

To install a Data Security Manager (DSM) in EC2 Classic . . . 29

To Install Protected hosts in EC2 Classic . . . 56


PREFACE

This document describes how to install the Vormetric Data Firewall for Amazon Web Services in your AWS account.


DOCUMENTATION VERSION RELEASE NOTES

The following table describes the documentation changes made for each document release.

Documentation Changes

Documentation Version   Date       Changes
1.0                     9/10/13    Initial Release.
1.1                     10/25/13   Added chapter on installing VDS in Amazon VPC.
1.2                     1/28/14    Removed instructions on connecting to instances using MindTerm. Suggested using PuTTY. Cleaned up minor issues. Fixed external hyperlinks.

INTENDED AUDIENCE

The All-in-Cloud Installation Guide is intended for system administrators who install the Vormetric DSM and connect it to the network.

TYPOGRAPHICAL CONVENTIONS

In this guide, text that uses any of the following conventions has the special meaning described in the table:

Typographical Conventions

Convention: __ double underscore
  Usage: A double underscore indicates a keyboard or mouse action to take.
  Example: __ Click User

Convention: Italics
  Usage: Name of a pop-up, panel, or view. New term or concept. Emphasis.
  Example: The Create User pop-up opens. Administrators are assigned to domains. Do not click reboot.

Convention: fixed width (courier new)
  Usage: Keyboard or mouse input; command line input or output; file names, paths, and directories; code examples.
  Example: Type root in the Uname field. -bash-4.1# useradd demo-user2 /vipdata2/helloworld.txt If(y=x)THEN GOTO STOP

Convention: Italics fixed width
  Usage: Variable in code, path or command line to be replaced with a real value.
  Example: cd c:/Users/userName/Desktop GregsPort

Convention: “quotes”
  Usage: File extensions; literal values; attribute values; terms used in special senses.
  Example: “.js”, “.ext”; Enter “more”; “true” “false”, “0” “1+1”; hot standby failover

SERVICE UPDATES AND SUPPORT INFORMATION

Vormetric's Master Software License and Hardware Purchase Agreement (“MSLA”) defines software updates and upgrades, support and services, and governs the terms under which they are provided. Any statements made in this guide or collateral documents that conflict with the definitions or terms in Vormetric's MSLA, shall be superseded by the definitions and terms of the MSLA. Any references made to “upgrades” in this guide or collateral documentation can apply either to a software update or upgrade.

SALES AND SUPPORT

For support and troubleshooting issues:

• help.vormetric.com

• Email questions to [email protected].

For Vormetric Sales:

• http://enterprise-encryption.vormetric.com/contact-sales.html

• (888) 267-3732

• [email protected]


1 OVERVIEW

The Vormetric Data Firewall, henceforth called Vormetric Data Security or VDS, consists of a Data Security Manager (DSM) and File System Agents that reside in your AWS hosts. The DSM is the central server that stores and manages the encryption keys, data access policies, administrative domains, and administrator profiles for your protected hosts. File System Agents are installed on each host containing data to be protected.

Once you install the agent on the host and register it with the DSM it is called a protected host. VDS security administrators can create data access policies for that host that specify who can access what files, at what times, with what commands, and then whether that data is encrypted. The agents communicate with the DSM and enforce data access policies on that host.

These concepts are explored further in the AWS All-in-Cloud Getting Started Guide.

Figure 1: Vormetric Data Security Architecture with protected hosts


ASSUMPTIONS


You need the following to complete this manual:

• An Amazon Web Services (AWS) account and experience creating AWS Elastic Cloud Compute (EC2) instances.

• Experience working in the command line interface of your host operating system.

• Knowledge of how to open TCP and ICMP port connections on your protected hosts.


INSTALLATION PROCESS

The installation process described in this guide requires that you use CentOS 6.3 for your protected hosts. If you would like support in protecting other platforms, contact [email protected].

Before installing VDS, you must choose to install your instances in the Amazon Virtual Private Cloud (VPC) or Amazon EC2 Classic. See Amazon EC2 and Amazon Virtual Private Cloud (VPC) for a discussion of the differences.

Once you have decided on the AWS platform, go to the respective chapter:

Chapter 2, Installing Vormetric Data Security in the Amazon VPC, on page 3.

2 INSTALLING VORMETRIC DATA SECURITY IN THE AMAZON VPC

This chapter describes how to install Vormetric Data Security (VDS) in the Amazon Web Services (AWS) Virtual Private Cloud (VPC). Before proceeding, create a VPC and subnet in your AWS account where you will install the DSM and protected hosts. See the Amazon Virtual Private Cloud User Guide for information on VPCs and how to create them.

This chapter consists of the following steps:

• “Installing a Data Security Manager (DSM) in the Amazon VPC” on page 3

• “Installing Protected Hosts in the Amazon VPC” on page 23

Note: Images and layout may have been updated by Amazon since this document was published.

INSTALLING A DATA SECURITY MANAGER (DSM) IN THE AMAZON VPC

Installing DSM on a VPC consists of the following procedures:

• Create a VPC and subnet in your AWS account where you will install the DSM and protected hosts. See the Amazon Virtual Private Cloud User Guide for information on VPCs and how to create them.

• Create an Amazon EC2 Key Pair. See Amazon EC2 Key Pairs.

• Choose 1-Click or EC2 Classic to launch your DSM AMI (step 1).

• Launch the DSM AMI with 1-Click (step 2) or EC2 Console (step 3).

• Configure the DSM (step 5).

• Get the DSM Deployment Details (step 6).

• Test the DSM installation (step 7).


There are two ways to launch a Vormetric DSM AMI, the 1-Click Launch and the Launch with EC2 Console.

a: __ Go to the Amazon marketplace and search for "Vormetric". The Vormetric Data Firewall for AWS - 5 Client page appears.

Figure 2: Vormetric AWS website


Figure 3: Launch on EC2 page

The next step describes the 1-Click Launch. If you prefer to launch with the EC2 Console, go to step 4: Launch DSM instance with EC2 Console.

2: Launch the DSM instance with 1-Click Launch.

(If you prefer to launch with the EC2 Console, skip this step and go to step 4.) Before launching the instance, set the parameters in the 1-Click Launch tab:


Figure 4: 1-Click Launch parameters

a: Set 1-Click Launch parameters.

__ Version. Select version.

__ Region. Choose your desired region.

Figure 5: Region


Figure 6: EC2 Instance Type

__ VPC Settings: Choose the previously created VPC or click Create a VPC.

Figure 7: VPC Settings


__ Security Group: Choose Create new based on seller settings. This choice will create a security group called Vormetric Data Firewall for - 5 Client. The Security Group rules should be the same as shown in Table 1, “VDS Security Group Rules,” on page 11.

Figure 9: Security Group

__ Key Pair: Choose a previously created key pair. Make sure you have access to the key file as you will need this later.

Figure 10: Key Pair


Figure 11: Instance overview

__ Note the Key Pair and the Instance ID. These will be used later.

c: Go to AWS Management Console to see the instance.

__ Search for the instance using the Instance ID.

Figure 12: DSM instance in dashboard

__ Give the instance a name. Right click the instance, select Add/edit tags, and type a name. For example: DSM-1.

d: Make sure All ICMP is added to the Security Group.

Amazon may restrict Internet Control Message Protocol (ICMP) in the default configuration, so you may have to add ICMP in the security group.


__ In the EC2 Dashboard, click on Security Groups.

__ In the Viewing: pulldown, select VPC Security Groups.

__ Select the Vormetric Data Firewall for AWS 5 Client ... security group.

__ Click the Inbound tab, click the Create a new rule pull-down, and select All ICMP.

Figure 13: Security Group view

__ Click Add Rule. The ICMP port is added to the Security Group.

__ Click Apply Rules Changes.


Figure 14: ICMP All added to security group

e: The DSM AMI can take 10-15 minutes to instantiate depending on the AWS load.

Skip the next step (step 4: Launch DSM instance with EC2 Console) since you just performed a 1-Click Launch.

3: Allocate a new EIP address for VPCs and associate it with the DSM instance.

This step is required for 1-Click installation.

__ In the AWS EC2 Dashboard, click on Elastic IPs.

__ Click Allocate New Address, select EIP used in VPC and Yes, Allocate.

__ Select this new address, click Associate Address, select the DSM instance on which to associate the EIP and click Associate.

__ Use this EIP address to set up your SSH session.

4: Launch DSM instance with EC2 Console.

If you launched with 1-Click Launch (step 2), skip this step.

a: Create a new EC2 security group with the following port rules.

Table 1: VDS Security Group Rules

Protocol   Port (service)   Source
ICMP       All              0.0.0.0/0
TCP        22 (SSH)         0.0.0.0/0
TCP        443 (HTTPS)      0.0.0.0/0
TCP        5696             0.0.0.0/0
TCP        7024             0.0.0.0/0
TCP        8080 (HTTP*)     0.0.0.0/0
TCP        8444             0.0.0.0/0
TCP        8445             0.0.0.0/0
TCP        50000            0.0.0.0/0
UDP        123              0.0.0.0/0
UDP        161              0.0.0.0/0
UDP        7025             0.0.0.0/0

__ In your EC2 Dashboard click on Security Groups > Create Security Groups to bring up this pop-up:

Figure 15: Create Security Group pop-up

__ Enter a Name and Description. Select the VPC that you created for the DSM and your protected hosts. Click Yes, Create.

b: Add the port rules.

__ In the EC2 Dashboard, click Security Groups, then Viewing: VPC Security Groups. Select the security group you just created. Click the Inbound tab. In the Create a new rule pull-down, select All ICMP.


Figure 16: Security Group Inbound tab

__ Click Add Rule to add rule to the security group.

Figure 17: Security Group Add Rule button

__ Do this for all the ports in the table. For TCP ports, select Custom TCP rule. For UDP ports, select Custom UDP rule.


Figure 18: Security Group with all the rules

__ Click Apply Rule Changes.

__ Click the Refresh button in the top right corner.
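The same security group can be built from the command line instead of rule by rule in the console. The script below is an added example, not code from the Vormetric guide: it turns Table 1 into a list of aws ec2 authorize-security-group-ingress calls. It assumes the AWS CLI is installed and configured for your account, that the VPC id is supplied in VPC_ID (a placeholder value in the comment), and that the group name vds-dsm-sg is acceptable; the source CIDR defaults to 0.0.0.0/0 as in the table, and SOURCE_CIDR lets you narrow the SSH and HTTPS exposure to your administrative range. By default (DRY_RUN=1) it only prints the commands so you can review them before running with DRY_RUN=0.

```shell
#!/usr/bin/env bash
# Added example (not from the Vormetric guide): create the VPC security group
# of Table 1 with the AWS CLI instead of clicking through the EC2 console.
# Assumptions: a configured AWS CLI; VPC_ID is the VPC created for the DSM and
# protected hosts; SOURCE_CIDR is the allowed source (the table uses 0.0.0.0/0).
# With DRY_RUN=1 (the default) the commands are printed, not executed.
set -eu

DRY_RUN="${DRY_RUN:-1}"
SOURCE_CIDR="${SOURCE_CIDR:-0.0.0.0/0}"

# Table 1, "VDS Security Group Rules": protocol, port (-1 = all ICMP types), service.
vds_rules() {
    cat <<'EOF'
icmp -1 all-icmp
tcp 22 ssh
tcp 443 https
tcp 5696 -
tcp 7024 -
tcp 8080 http
tcp 8444 -
tcp 8445 -
tcp 50000 -
udp 123 ntp
udp 161 snmp
udp 7025 -
EOF
}

# Number of inbound rules the table defines (sanity check for the loop below).
vds_rule_count() {
    vds_rules | wc -l | tr -d ' '
}

# Build the authorize-security-group-ingress command for one table row.
# The AWS CLI expresses "All ICMP" as --protocol icmp --port -1.
ingress_cmd() {
    group_id="$1"; proto="$2"; port="$3"; cidr="$4"
    printf 'aws ec2 authorize-security-group-ingress --group-id %s --protocol %s --port %s --cidr %s' \
        "$group_id" "$proto" "$port" "$cidr"
}

# Print (dry run) or execute one command string.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$1"
    else
        eval "$1"
    fi
}

# Create the group in the VPC and add every row of Table 1 to it.
create_vds_security_group() {
    vpc_id="$1"; name="$2"; cidr="$3"
    if [ "$DRY_RUN" = "1" ]; then
        group_id="sg-PLACEHOLDER"   # placeholder: no call is made in dry-run mode
        run "aws ec2 create-security-group --group-name $name --description 'VDS DSM and protected hosts' --vpc-id $vpc_id"
    else
        group_id=$(aws ec2 create-security-group --group-name "$name" \
            --description "VDS DSM and protected hosts" --vpc-id "$vpc_id" \
            --query GroupId --output text)
    fi
    vds_rules | while read -r proto port _; do
        run "$(ingress_cmd "$group_id" "$proto" "$port" "$cidr")"
    done
}

# Usage: VPC_ID=vpc-0123456789abcdef0 ./vds-sg.sh   (the VPC id here is a placeholder)
if [ -n "${VPC_ID:-}" ]; then
    create_vds_security_group "$VPC_ID" "vds-dsm-sg" "$SOURCE_CIDR"
fi
```

Review the printed commands against Table 1 before re-running with DRY_RUN=0; the rules are added to the group in the order of the table, one API call per row.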

c: __ On the Vormetric website in the AWS Marketplace, click the Launch with EC2 Console tab.


Figure 19: Vormetric website in the AWS Marketplace

d: __ Select your desired region and click Launch with EC2 Console.


Figure 20: Instance Type

__ Click General purpose > m1.large then click Next: Configuration Instance Details.


Figure 21: Instance details

e: Enter Instance details. Use the following values:

__ Network: Select a VPC that you created earlier or click Create a new VPC.

__ Subnet: Select a VPC that you created earlier or click Create a new subnet.

__ Check Automatically assign a public IP address to your instances. This public IP address is how you will later access the DSM to configure it and to get the DSM details.

Note: Another way to access the DSM is to create an EIP used in VPC and associate it to the DSM instance after it is created. All other values can be kept as is.

__ Click Next: Add Storage.


Step 4, Add Storage page opens.

Figure 22: Advanced Instance Options

f: No changes are required here. __ Click Next: Tag Instance.

Step 5: Tag Instance opens.


__ Enter a name for this instance (example: Host -1), then click Next: Configure Security Group.

Step 6: Configure Security Group opens.

Figure 24: Security groups

g: __ Highlight the security group that you had created earlier (step 3a: Create a new EC2 security group with the following port rules.) and click Review and Launch.

h: __ Review the instance parameters and click Launch.


Figure 25: Key pairs

i: __ Select Choose from your existing Key Pair (if you have one) or Create a new Key Pair. Download the key and remember your key path (location of the .pem file) as you will need this later.

__ Check the Acknowledgment checkbox and click Launch Instances. The instance is launched.

j: Return to the EC2 Instances page to view your newly created instance.

__ AWS returns you to the EC2 Management Console. Click Instances.

Figure 26: Instance view of new DSM

__ Search for the name of your DSM. The DSM instance is now running.


The DSM configuration script is on the DSM instance. The script starts when you connect to your DSM instances with an SSH client. There are many ways to start an SSH session, see Connecting to Linux/UNIX Instances from Windows Using PuTTY.

Note: You may have to wait 10-20 minutes after the DSM is instantiated (see Figure 27) before you can make an SSH connection to the DSM. If you try to make an SSH connection and you get a pop-up that reads Connection Refused, then continue waiting.

a: Connect an SSH client to your DSM instance and log in with the user name ec2-user. This automatically starts the DSM configuration script. Use the following values to start the SSH session.

__ Host Name (or IP address). Use the Public DNS or an EIP address. Your Public DNS is displayed under the Description tab in the Instance view.

Figure 27: Public DNS

__ Private key path: Enter the path of the .pem (or .ppk if you are using PuTTY) file that you generated earlier (Figure 25: “Key pairs”). In the PuTTY Configuration pop-up, under Category, click the + icon next to SSH, select Auth, then enter the path to your .ppk file in the Private key file for authentication: field.

b: __ Log in as ec2-user. This starts the configuration program. You will see a terminal window that displays the following:

Welcome to the Vormetric Data Security Manager configuration wizard

Please enter the information below to configure your Security Manager


Add hosts to protect? (yes/no) no

__Enter no. The following is displayed:

This security manager instance has been launched in AWS VPC. If you wish to access it by it's internal host name,

- on Unix platform, please add an entry to the /etc/hosts file

- on Windows platform, please add an entry to the C:\WINDOWS\system32\drivers\etc\hosts file.

The instance is going to restart now. After restarting, the security manager configuration will take about 15 minutes. Please wait for it to complete.

Press any key to continue

__ Press any key. The system terminates your SSH session and starts configuration.

6: Get the DSM Deployment Details.

The DSM Deployment Details provide all the information you need to log on to the DSM Management Console, access the DSM CLI, and install agents on your protected hosts. Wait for the DSM configuration to complete before accessing the deployment details. This process can take up to fifteen minutes.

a: __ Connect to the new DSM instance with an SSH session and log in as ec2-user.

Note: If you log in before DSM configuration is complete, you’ll get the message Configuration no Complete. Please try later. Then the terminal will close. After you log in, the DSM Deployment Details are displayed.

login as: ec2-user

Welcome to the Vormetric Data Security Manager.

Data Security Manager details

=============================

Management console URL is https://ec2-54-208-235-131.compute-1.amazonaws.com

Management console internal URL is https://ip-10-1-0-61.ec2.internal

System administrator credentials are admin / Vb3]%@V$3$C2WRcY

ALL administrator credentials are awsadmin / Qx2[S4GYB53wi

CLI administrator credentials are cliadmin / Qa3(kpBVfu@m

Please download the agent install script from

https://awsportal.vormetric.com/downloads/agent/5.1.1/install?lic_id=FSAJTALB6TX3LPU
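The Deployment Details are used twice more in this guide: the browser test needs the public console URL, and the agent installer on each protected host needs the DSM's private (internal) DNS name, which the wizard also suggests adding to /etc/hosts. The script below is an added example, not code from the Vormetric guide: it pulls those names out of the details text and builds an idempotent hosts-file entry. The details text is a constructed sample that reuses the example host names shown above with placeholder credentials and license id; dsm_internal_host, dsm_public_host, agent_script_url and hosts_upsert are names chosen for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the Vormetric guide): extract the DSM host names from
# the Deployment Details text and prepare the /etc/hosts entry the wizard asks for.
# SAMPLE_DETAILS is a constructed sample; credentials and lic_id are placeholders.
set -eu

SAMPLE_DETAILS='Welcome to the Vormetric Data Security Manager.
Data Security Manager details
=============================
Management console URL is https://ec2-54-208-235-131.compute-1.amazonaws.com
Management console internal URL is https://ip-10-1-0-61.ec2.internal
System administrator credentials are admin / ADMIN-PASSWORD-PLACEHOLDER
ALL administrator credentials are awsadmin / AWSADMIN-PASSWORD-PLACEHOLDER
CLI administrator credentials are cliadmin / CLIADMIN-PASSWORD-PLACEHOLDER
Please download the agent install script from
https://awsportal.vormetric.com/downloads/agent/5.1.1/install?lic_id=LICENSE-ID-PLACEHOLDER'

# Private DNS name from the "internal URL" line: this is what the agent installer
# expects for "hostname of the Security Manager", not the public name.
dsm_internal_host() {
    printf '%s\n' "$1" | sed -n 's#^Management console internal URL is https://##p' | head -n 1
}

# Public DNS name from the "Management console URL" line (for the browser test).
dsm_public_host() {
    printf '%s\n' "$1" | sed -n 's#^Management console URL is https://##p' | head -n 1
}

# Agent install script URL (the wget target in the protected-host procedure).
agent_script_url() {
    printf '%s\n' "$1" | grep -m 1 '^https://.*/downloads/agent/'
}

# Return hosts-file content with "ip<TAB>name" present exactly once: any earlier
# line carrying the same name is dropped, comments are kept, so re-runs are safe.
hosts_upsert() {
    content="$1"; ip="$2"; name="$3"
    printf '%s\n' "$content" | awk -v ip="$ip" -v name="$name" '
        $0 ~ /^[ \t]*#/ { print; next }
        { keep = 1; for (i = 2; i <= NF; i++) if ($i == name) keep = 0 }
        keep { print }
        END { print ip "\t" name }'
}

# Demonstration on the sample. To update the real file (as root):
#   hosts_upsert "$(cat /etc/hosts)" <private-ip> "$internal" > /etc/hosts.new && mv /etc/hosts.new /etc/hosts
main() {
    internal=$(dsm_internal_host "$SAMPLE_DETAILS")
    public=$(dsm_public_host "$SAMPLE_DETAILS")
    echo "DSM private DNS (agent installer): $internal"
    echo "DSM public DNS (browser):          $public"
    echo "Agent script: $(agent_script_url "$SAMPLE_DETAILS")"
    echo "Proposed hosts file:"
    # 10.1.0.61 is the address embedded in the sample name, used here as the entry's IP
    hosts_upsert "127.0.0.1 localhost" "10.1.0.61" "$internal"
}
main
```

Keeping the internal and public names apart matters at the agent-registration step later in this chapter, where the installer must be given the private DNS name of the DSM.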


7: Test the DSM installation.

__ Wait a few minutes after you receive your DSM Deployment Details.

__ Open a browser and enter the DSM URL listed in the Deployment Details. For example:

https://ec2-54-208-235-131.compute-1.amazonaws.com

__ Log in as awsadmin using the information in the Deployment details. awsadmin / Qx2[S4GYB53wi

The Vormetric Data Security page opens.

Figure 28: Vormetric Management Console dashboard

If the DSM dashboard is not responsive (for example, nothing happens when you point to a drop-down menu), log off and wait a few minutes for the configuration process to complete.


INSTALLING PROTECTED HOSTS IN THE AMAZON VPC

A protected host is a host in the Amazon cloud whose data is protected by a Vormetric agent. VDS protects hosts running many different operating systems including various versions of Microsoft Windows, Linux and UNIX. However, the installation process described here requires that you use CentOS 6.3 for your protected hosts. If you would like support in protecting other platforms, contact [email protected].


• Instantiate the host you want to protect (step 1).

• Run the agent install and registration script on the host (step 2).

• Verify that the protected host is registered with the DSM (step 3).

• For each protected host, save the deployment information (step 4).

• Repeat this process for each protected host (step 4).

Gather the following information for these steps:

__ The VPC and subnet where you installed the DSM.

__ Agent install script url. (See step 6: Get the DSM Deployment Details.)

__ The Security Group you created. (See step 3a: Create a new EC2 security group with the following port rules.).

Note: Currently we only support protected hosts running CentOS 6.3. You can use any CentOS 6.3 AMI.

1: Instantiate your protected host.

AWS protected host instances can be of any size. For each DSM you can have up to five protected hosts.

a: __ Log in to your Amazon account.

b: __ Instantiate your protected host AMI (not the DSM AMI) using the following parameters (valid for either 1-Click or EC2 Console launching):

__ Region. Choose one.

__ EC2 Instance Type. Instances can be of any size.

__ Network: Choose the same VPC where you installed the DSM.

__ Subnet: Choose the same subnet where you installed the DSM.

__ Check Automatically assign a public IP address to your instances. You will use this public IP address to access the host in subsequent steps.

__ Tag Instance. Add a name for your protected host.

__ Security Group. Use the same group you used when you instantiated the DSM (Figure 9 and Figure 24).

__ Click Review and Launch.

__ Key Pair. Choose a Key Pair that you previously created or create a new key pair and download the private key. Remember your private key path (location of the .pem/.ppk file) as you will need this later.

__ Note the instance ID as this will be useful for the next step.

2: Run the agent installation and registration script on the host.

After your host instance is running (the time it takes depends on the size of the host and the AWS EC2 load), connect to it with an SSH Client to download the agent installation and registration script. This script installs the agent and registers it with the DSM.


There are many ways to start an SSH session. See Connect to Your Amazon Instance.

a: Launch an SSH client on your host instance and log in with the user name root. Use the following parameters to launch your SSH session.

__ Host Name (or IP address). Enter the IP address or Public DNS of the protected host. If you installed the host using the EC2 Console, highlight the host name in the Instances view of the EC2 Dashboard. The Public DNS is displayed under the Description tab. Figure 26 shows an example of what you should see.

If you launched the host with 1-Click, you need to allocate a new EIP address for VPCs and associate it with the host instance:

__ In the AWS EC2 Dashboard, click on Elastic IPs.

__ Click Allocate New Address, select EIP used in VPC and Yes, Allocate.

__ Select this new address, click Associate Address and select the host instance on which to associate the EIP.

__ Use this EIP address to set up your SSH session.

__ Private key path: Enter the path of the .pem (or .ppk if you are using PuTTY) file that you generated earlier (Figure 25: “Key pairs”).

Some AMIs only allow you to first log in as ec2-user. If you can't log in as root, log in as ec2-user, then do a "sudo su -" in the terminal to run as root.

b: Make sure the firewall on the protected host allows the following connections:

ICMP Ping   Incoming/Outgoing
TCP 7024    Incoming
TCP 8080    Outgoing
TCP 8443    Outgoing
TCP 8444    Outgoing
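A pre-flight check run on the protected host before starting the installer saves a failed registration and reboot later. The script below is an added example, not code from the Vormetric guide: it parses the host's iptables rules for an INPUT ACCEPT on TCP 7024 (the port the DSM pushes policy to), pings the DSM, and tries the outbound TCP ports the agent uses (8080, 8443, 8444). It assumes a CentOS 6 host with iptables as the firewall, bash for /dev/tcp, and the DSM's private DNS name in DSM_HOST; the iptables-save text it checks itself against when DSM_HOST is unset is a constructed sample, and inbound_tcp_allowed, tcp_reachable and preflight are names chosen for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the Vormetric guide): pre-flight connectivity check
# for step 2b, run on the protected host before ./installer.
# Assumptions: iptables is the host firewall (CentOS 6), bash supplies /dev/tcp,
# and DSM_HOST holds the DSM's private DNS name from its Deployment Details.
set -u

AGENT_OUTBOUND_PORTS="8080 8443 8444"
AGENT_INBOUND_PORT=7024

# Constructed sample of an iptables-save dump, used for the self-check below.
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 7024,8080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Does an iptables-save dump contain an INPUT ACCEPT rule for the given TCP port?
# Handles "--dport 7024" and multiport lists such as "--dports 22,7024".
inbound_tcp_allowed() {
    port="$1"; rules="$2"
    printf '%s\n' "$rules" | awk -v p="$port" '
        /^-A INPUT/ && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport" && $(i+1) == p) found = 1
                if ($i == "--dports") {
                    n = split($(i+1), list, ",")
                    for (k = 1; k <= n; k++) if (list[k] == p) found = 1
                }
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# Can this host open a TCP connection to host:port within five seconds?
tcp_reachable() {
    host="$1"; port="$2"
    timeout 5 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Report every check; returns 1 if any of them failed.
preflight() {
    dsm="$1"; failed=0
    rules=$(iptables-save 2>/dev/null || true)
    if inbound_tcp_allowed "$AGENT_INBOUND_PORT" "$rules"; then
        echo "ok   inbound TCP $AGENT_INBOUND_PORT accepted by iptables"
    else
        echo "FAIL no INPUT ACCEPT rule for TCP $AGENT_INBOUND_PORT (DSM cannot reach the agent)"; failed=1
    fi
    if ping -c 1 -W 2 "$dsm" >/dev/null 2>&1; then
        echo "ok   ICMP ping to $dsm"
    else
        echo "FAIL ICMP ping to $dsm"; failed=1
    fi
    for p in $AGENT_OUTBOUND_PORTS; do
        if tcp_reachable "$dsm" "$p"; then
            echo "ok   outbound TCP $p to $dsm"
        else
            echo "FAIL outbound TCP $p to $dsm"; failed=1
        fi
    done
    return $failed
}

# Runs the rule parser against the constructed sample when no DSM is given.
self_check() {
    if inbound_tcp_allowed "$AGENT_INBOUND_PORT" "$SAMPLE_RULES"; then
        echo "sample rules: inbound TCP $AGENT_INBOUND_PORT allowed"
    else
        echo "sample rules: inbound TCP $AGENT_INBOUND_PORT NOT allowed"
    fi
}

# Usage: DSM_HOST=ip-10-1-0-61.ec2.internal ./preflight.sh
if [ -n "${DSM_HOST:-}" ]; then
    preflight "$DSM_HOST"
else
    self_check
fi
```

A FAIL on the inbound line means the host firewall, not the security group, will block the DSM; a FAIL on an outbound port with ping working usually points at the security group rules of Table 1 not being attached to the DSM instance.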

c: From the SSH terminal, copy and run the agent install program.

__ Run the following commands as root user:

# wget -O installer --no-check-certificate <Agent_Install_Script_url>

Agent_Install_Script_url is part of the DSM details (step 6: Get the DSM Deployment Details). (If the wget command fails with "wget not found," execute yum -y install wget and try again.)

# ls installer

# chmod +x installer

# ./installer

Welcome to the Vormetric Data Security agent installer

Your instance has been launched with the following security groups:


allow outgoing connections to TCP ports 8443, 8444 and 8080 and ICMP ping requests and incoming connections to TCP port 7024 and ICMP ping requests before proceeding

Proceed? (yes/no) yes

(Installation continues until you get the following screen output.)

Cleaning up... Installing agent

Please enter the information below to configure your agent instance

Enter hostname of the Security Manager: ip-10-1-0-61.ec2.internal

(Important: For “hostname of the Security Manager,” use the private DNS of the DSM, not the public DNS. You can get this from Figure 28: “Vormetric Management Console dashboard”.)

Adding host ip-10-1-0-252.ec2.internal to Data Security Manager.

Enter password for awsadmin user on the Security Manager - &*($d($@Ed9

(Get this from step 6, Get the DSM Deployment Details, on page 22.)

Host ip-10-1-0-252.ec2.internal added to Security Manager

After restarting, this instance will be registered to the Security Manager hosted at ip-10-1-0-61.ec2.internal

The instance is going to restart now. Continue? (yes/no) yes

Type yes. The host goes down for a reboot and after a few minutes is registered with the DSM.

3: Verify that the protected host is registered with the DSM.

a: __ Open a browser and enter the DSM URL. See step 6, Get the DSM Deployment Details. on page 22

Figure 29: Management Console Login

__ Login as awsadmin with the password from your DSM Deployment Details.

INSTALLING PROTECTED HOSTS IN THE AMAZON VPC | 27

Figure 30: VDS Dashboard

b: Switch to domain, awsdomain.

__ Click Domains > Switch Domains.

Figure 31: Switch domains


Figure 32: Switch to domain

__ Select awsdomain, then click Switch to domain.

c: View the hosts in the domain.

__ Click Hosts > Hosts in the top menu bar to bring up the Hosts page. The new protected host is added and under Pushing Status it says Pending or Done. It may take a few minutes to complete registration. If it says N/A, then the registration did not complete. See Chapter 4, Additional Help, on page 64 to re-register.

Figure 33: Hosts page

4: Repeat the instantiation (step 1), agent installation and registration (step 2), and verification process (step 3) for each protected host.

5: See the Vormetric Data Security on AWS: Getting Started Guide to learn how to use the

3 INSTALLING VORMETRIC DATA SECURITY IN AMAZON EC2 CLASSIC

This chapter describes how to install Vormetric Data Security (VDS) in the Amazon Web Services (AWS) EC2 Classic Platform. This chapter consists of the following steps:

• “To install a Data Security Manager (DSM) in EC2 Classic” on page 29

• “To Install Protected hosts in EC2 Classic” on page 57

TO INSTALL A DATA SECURITY MANAGER (DSM) IN EC2 CLASSIC

DSM installation in EC2 Classic consists of the following steps:

• Create an EIP address for your DSM and any hosts you will create (step 2).

• Create an AWS Identity and Access Management (IAM) user with Elastic Internet Protocol (EIP) AssociateAddress permissions (step 3).

• Choose a DSM AMI launch method (1-Click or EC2 Console). See step 4.

• Launch the DSM AMI using either the 1-Click (step 5) or EC2 Console (step 6).

• Configure the DSM (step 7).

• Get the DSM Deployment Details (step 8).

• Test the DSM installation (step 9).

These steps are described in the following sections.

Note: The following AWS snapshots were current when we wrote this document. Although the images and layout may differ if Amazon changes them in the future, the concepts and content remain the same.


One commercial license allows you to install one DSM with five agents on your AWS hosts. Create and allocate one Elastic IP (EIP) address for each DSM and protected host in your system. For example, for one DSM with five protected hosts, you will need six EIP addresses.

2: Create Elastic IP (EIP) addresses in your AWS account.

EIP addresses can be created any time before you configure the DSM or protected hosts. You can create these addresses now or later in the installation process.

a: __ Log on to your AWS account and display the Amazon Web Services.

Figure 34: Amazon Web Services


Figure 35: EC2 Dashboard


Figure 36: Elastic IPs view

c: __ Click Allocate New Address.

Figure 37: Allocate New Address pop-up

d: __ Select EIP used in: EC2. Then click Yes, Allocate. An unassigned EIP address appears in your Elastic IP view.


e: __ Repeat until you have the desired number of EIP addresses.

__ Note your EIP addresses, as you will need them during the DSM and host configuration processes.

IMPORTANT: Once an EIP address is assigned to an instance, do not release or reuse it until the instances are terminated.

3: Create an Identity and Access Management (IAM) user with EIP AssociateAddress permissions

VDS requires an IAM user to ensure proper handshaking between agents and the DSM (see the Amazon Web Services IAM page for more information). Specifically, the DSM instance needs a host name associated with a consistent IP address. To maintain IP address consistency, you must have an IAM user with EIP AssociateAddress permissions.

a: __ Log on to your AWS account and go to the Amazon Web Services page.

Figure 39: Amazon Web Services


Figure 40: IAM Dashboard

b: Create a new IAM user.

__ Click Users to display the Users view.


__ Click Create New Users to display the Create User pop-up.

Figure 42: Create User pop-up

__ Enter a user name, for example, DSM-Install.

__ Make sure Generate an access key for each User is checked.

__ Click Create (no need to create a password).

__ Click Show User Security Credentials to display the new IAM user credentials (Access Key ID and Secret Access Key). Copy and save these in a safe place. You will need them when you configure the DSM and hosts. You can also click Download Credentials to save them on your computer.


__ Click Close Window.

The Users view is displayed with the new user.

Figure 44: Users view showing a new IAM user

c: Give the new user EIP AssociateAddress permissions.

__ Select the checkbox next to the new user name and click the Permissions tab.

Figure 45: IAM User Permissions view


Figure 46: Manage User Permissions pop-up

d: Set EIP AssociateAddress permissions.

__ Click Custom Policy, then Select. The Policy Name and Policy Document text fields appear.

Figure 47: Granting AssociateAddress permissions

__ In Policy Name, type in a name (for example, Vormetric_EIP_Policy).

__ In Policy Document, copy and paste the following:

{"Statement": [{"Action": ["ec2:AssociateAddress",


You now have an IAM user named DSM-Install with EIP AssociateAddress permissions.

IMPORTANT: Do not delete or modify this user until the instance is terminated.

4: Go to the Vormetric website in the Amazon marketplace and choose a launch method for your Vormetric DSM AMI.

There are two ways to launch a Vormetric DSM AMI, the 1-Click Launch and the Launch with EC2 Console. We recommend the 1-Click Launch because it's a bit simpler.

a: __ Go to the Amazon marketplace and search for "Vormetric". The Vormetric Data Firewall for AWS - 5 Client page appears.

Figure 48: Vormetric AWS website


Figure 49: Launch on EC2 page

The recommended 1-Click Launch is described in the next step. If you want to launch with the EC2 Console, skip the next step and go to step 6.

5: Launch the DSM instance with 1-Click Launch. (Skip this step if you want to launch with the EC2 Console.)


Figure 50: 1-Click Launch parameters

a: Set 1-Click Launch parameters:

__ Version. Select version.

__ Region. Choose your desired region.

Figure 51: Region


Figure 52: EC2 Instance Type

__ VPC Settings: Choose EC2 Classic (no VPC)

Figure 53: VPC Settings

__ Security Group: Choose Vormetric Data Firewall for - 5 Client. If this doesn't exist, choose Create new based on seller settings. This choice will create a security group called Vormetric Data Firewall for -5 Client. The security group you end up with should have the port


Figure 54: Security Group

__ Key Pair: Choose a key pair that you created. Make sure you have access to the key file as you will need this later.

Figure 55: Key Pair


Figure 56: Instance overview

__ Note the Key Pair, Instance ID and the Security Group. These will be used later.

c: Go to AWS Management Console to see the instance.

Search for the instance using the Instance ID.

Figure 57: DSM instance in dashboard

__ Give the instance a name. Right click the instance, select Add/edit tags, and type a name. For example: DSM-1.

d: Add All ICMP to the Security Group.

Amazon restricts Internet Control Message Protocol (ICMP) in the default configuration, so you must add ICMP in the security group as described below.


__ In the EC2 Dashboard, click on Security Groups.

__ Select the Vormetric Data Firewall security group.

__ Click the Inbound tab, click the Create a new rule pull-down, and select All ICMP.

Figure 58: Security Group view

__ Click Add Rule, then click Apply Rule Changes. The ICMP rule is added to the Security Group.


Figure 59: ICMP All added to security group

e: The DSM AMI can take 10-15 minutes to instantiate depending on the AWS load. Skip the next step since you won't need to launch with EC2 Console.

6: Launch DSM instance with EC2 Console. (If you launched with 1-Click Launch, skip this step.)

a: Create a new EC2 security group with the following port rules:

Table 1: DSM Security Group Port Rules

Protocol   Port (service)   Source
ICMP       All              0.0.0.0/0
TCP        22 (SSH)         0.0.0.0/0
TCP        443 (HTTPS)      0.0.0.0/0
TCP        5696             0.0.0.0/0
TCP        7024             0.0.0.0/0
TCP        8080 (HTTP*)     0.0.0.0/0
TCP        8443 (HTTPS*)    0.0.0.0/0
TCP        8444             0.0.0.0/0
TCP        8445             0.0.0.0/0
TCP        50000            0.0.0.0/0
UDP        123              0.0.0.0/0
UDP        161              0.0.0.0/0
UDP        7025             0.0.0.0/0

__ In your EC2 Dashboard click on Security Groups > Create Security Group to bring up this pop-up:


Figure 60: Create Security Group pop-up

__ Type in a Name and Description. For example, VDS_Security_Group. Select No VPC. Click Yes, Create.

b: Add the port rules.

__ In the EC2 Dashboard, click Security Groups, then Viewing: VPC Security Groups. Select the security group you just created. Click the Inbound tab. In the Create a new rule pull-down, select All ICMP.

Figure 61: Security Group Inbound tab


Figure 62: Security Group Add Rule button

__ Do this for all the ports in Table 1 on page 45. For TCP ports, select Custom TCP rule. For UDP ports, select Custom UDP rule.

Figure 63: Security Group with all the rules

__ Click Apply Rule Changes.

__ Click the Refresh button in the top right corner.

c: __ On the Vormetric website in the AWS Marketplace, click the Launch with EC2 Console tab.


Figure 64: Vormetric website in the AWS Marketplace

d: __ Select your desired region and click Launch with EC2 Console.


Figure 65: Instance Type

__ Click General purpose > m1.large, then click Next: Configure Instance Details.


Figure 66: Instance details

e: Enter instance details. Use the following values:

__ Network: Select Launch into EC2-Classic. All other values can be kept as is.


Step 4, Add Storage page opens.

Figure 67: Advanced Instance Options

f: No changes are required for VDS in Step 4: Add Storage.

__ Click Next: Tag Instance. Step 5: Tag Instance opens.

Figure 68: Tag Instance


Step 6: Configure Security Group opens.

Figure 69: Security groups

__ Click Select an existing security group, then select the security group that you created earlier (step 6a, Create a new EC2 security group with the following port rules) and click Review


Step 7: Review Instance Launch opens.

Figure 70: Review Instance Launch

g: __ Review the instance parameters and click Launch.

Select an existing key pair or create a new key pair pop-up opens.


Download the key and remember your key path (location of the .pem file) as you will need this later.

__ Check the Acknowledgment checkbox and click Launch Instances. The instance is launched.

i: Return to the EC2 Instances page to view your newly created instance.

__ AWS returns you to the EC2 Management Console. Click Instances.

Figure 72: Instance view of new DSM

__ Search for the name of your DSM. The DSM instance is now running.

7: Configure the DSM.

The DSM configuration script is on the DSM instance. The script starts when you connect to your DSM instance with an SSH client. There are many ways to start an SSH session; see Connect to Your Amazon Instance.

Note: You may have to wait 10-20 minutes after the DSM is instantiated before you can make an SSH connection to the DSM. If you try to make an SSH connection and you get a pop-up that reads Connection Refused, then continue waiting.

a: Connect an SSH client to your DSM instance and log in with the user name: ec2-user. This automatically starts the DSM configuration script. Use the following values to start the SSH session.

__ Host Name (or IP address). Enter the IP address or Public DNS.

Your Public DNS is displayed under the Description tab in the Instance view. See Figure 27: “Public DNS”.

__ Private key path: Enter the path of the .pem (or .ppk if you are using PuTTY) file that you generated earlier (Figure 71: "Key pairs"). In the PuTTY Configuration pop-up, under Category, click the + icon next to SSH, select Auth, then ent


b: __ Log in as ec2-user. This starts the configuration script.

As soon as a successful SSH connection is made, the DSM configuration script runs and you will see a terminal window like this:

Figure 73: Entering DSM configuration information

c: Enter the data requested by the DSM configuration script to start configuration. This data was created in earlier steps.

Enter the following when prompted:

__ IAM user access key and secret key (Figure 43: "IAM User Credentials").

__ Elastic IP address (Figure 38: "New EIP address").

__ When asked: "Add hosts to protect?" type no and press Enter. The terminal displays the following:

The public IP address of this instance is going to change to <the EIP Address entered>

The instance is going to restart now. After restarting, the security manager configuration will take about 15 minutes. Please wait for it to complete.

Press any key to continue

__ Press any key. The system terminates your SSH session and starts configuration.

8: Get the DSM Deployment Details

The DSM Deployment Details provide all the information you need to log on to the DSM Management Console, access the DSM CLI, and install agents on your protected hosts. Wait for the DSM configuration to complete before accessing the deployment details. This process can take up to fifteen minutes.


After you successfully log in, the DSM Deployment Details is displayed.

login as: ec2-user

Welcome to the Vormetric Data Security Manager.

Data Security Manager details

=============================

Management console URL is https://ec2-54-208-235-131.compute-1.amazonaws.com

Management console internal URL is https://ip-10-1-0-61.ec2.internal

System administrator credentials are admin / Vb3]%@V$3$C2WRcY

ALL administrator credentials are awsadmin / Qx2[S4GYB53wi

CLI administrator credentials are cliadmin / Qa3(kpBVfu@m

Please download the agent install script from https://awsportal.vormetric.com/downloads/agent/5.1.1/install?lic_id=FSAJTALB6TX3LPU

__ Save these Deployment Details as you will need them later.

Note: Once an EIP address is assigned to an instance, do not release or reuse it until the instances are terminated.

9: Test the DSM installation.

__ Wait a few minutes after you receive your DSM Deployment Details.

__ Open a browser and enter the DSM URL listed in the Deployment Details. For example,

https://ec2-54-208-235-131.compute-1.amazonaws.com

__ Log in as awsadmin using the information in the Deployment details. For example:

awsadmin / Qx2[S4GYB53wi


Figure 74: Vormetric DSM banner page

If the DSM dashboard is not responsive (for example, when you point to a drop-down menu nothing happens), log off and wait a few minutes for the configuration process to complete.


TO INSTALL PROTECTED HOSTS IN EC2 CLASSIC

Once your DSM is installed and configured, you can create protected hosts. A protected host is a host in the Amazon cloud whose data is protected by a Vormetric agent. Installing an agent on your host involves the following steps:

• Instantiate the host you want to protect (step 1).

• Create an EIP address for each host you instantiate (see step 2, Create Elastic IP (EIP) addresses in your AWS account, on page 30).

• Run the agent install and registration script on the host (step 2).

• Verify that the protected host is registered with the DSM (step 3).

• For each protected host, save the deployment information (step 4).

• Repeat this process for each protected host (step 5).

Gather the following information to complete these steps:

__ Agent install script url (See step 8, Get the DSM Deployment Details on page 55).

__ IAM user access key and secret key (See step 3, Create an Identity and Access Management (IAM) user with EIP AssociateAddress permissions, on page 33).

1: Instantiate your protected host.

AWS protected host instances can be of any size, but the installation process described in this guide requires that you use CentOS 6.3 for your protected host. If you would like support in protecting other platforms, contact [email protected]. For each DSM you can have up to five protected hosts.

a: __ Log in to your Amazon account.

b: __ Instantiate your host AMI (not the DSM AMI) using the following parameters (valid for either 1-Click or EC2 launching):

__ Region. Choose one.

__ EC2 Instance Type. Instances can be of any size.

__ Network: Choose Launch into EC2-Classic.

__ Tag Instance. Add a name for your protected host.

__ Security Group. Use the same group you used when you instantiated the DSM (Figure 54 and Figure 69). If you launched the DSM with 1-Click Launch, choose Vormetric Data Firewall for AWS. If you launched the DSM with the EC2 Console and manually created the security group, choose the security group that you manually created.

__ Click Review and Launch.

__ Key Pair. Choose a Key Pair that you previously created or create a new key pair and download the private key. Remember your private key path (location of the .pem file) as you will need this later.

__ Note the instance ID as this will be useful for the next step.

2: Run the agent installation and registration script on the host. The location of this script is provided in the DSM Deployment Details. See step 8, Get the DSM Deployment Details.

After your host instance is running (the time it takes depends on the size of the host and the AWS EC2 load), connect to it with an SSH Client to download the agent installation and registration script. This script installs the agent and registers it with the DSM.

There are many ways to start an SSH session. See Connect to Your Amazon Instance.

a: Launch an SSH client on your host instance and log in with the user name: root. Use the following parameters to launch your SSH session.

__ Host Name (or IP address). Enter the IP address or Public DNS of the protected host.

__ Private key path: Enter the path of the .pem (or .ppk if you are using PuTTY) file that you generated earlier. (See Figure 71: "Key pairs".)

Some AMIs only allow you to first log in as ec2-user. If you can't log in as root, log in as ec2-user, then do a "sudo su -" in the terminal to run as root.

b: Make sure the firewall on this host allows the following connections:

ICMP Ping   Incoming/Outgoing
TCP 7024    Incoming
TCP 8080    Outgoing
TCP 8443    Outgoing
TCP 8444    Outgoing


c: From the SSH terminal, copy and run the agent install program. __ Run the following commands as root user:

# wget -O installer --no-check-certificate <Agent_Install_Script_url>

Agent_Install_Script_url is part of the DSM Deployment Details (step 8, Get the DSM Deployment Details). (If the wget command fails with "wget not found," execute yum -y install wget and try again.)

# ls installer

# chmod +x installer

# ./installer

Welcome to the Vormetric Data Security agent installer

Your instance has been launched with the following security groups:

<Name of your security Group>

Please ensure that the security groups and firewall on this machine allow outgoing connections to TCP ports 8443, 8444 and 8080 and ICMP ping requests and incoming connections to TCP port 7024 and ICMP ping requests before proceeding

Proceed? (yes/no) yes

(Installation continues until you get the following screen output.)

Cleaning up...

Installing agent

Please enter the information below to configure your agent instance

Enter hostname of the Security Manager:

ec2-54-221-233-78.compute-1.amazonaws.com

(Important: For "hostname of the Security Manager," get the hostname from your DSM banner page. An example of the banner page is on Figure 74: "Vormetric DSM banner page".)

Enter IAM user access key - AKIAJ5EORN6MFQUIDWMGA

See step 3, Create an Identity and Access Management (IAM) user with EIP AssociateAddress permissions, on page 33.

Enter IAM user secret key - 2qpXcK/K4YIj7I6h/clgjK34jkKWbNa/ZYz69PQ

See step 3, Create an Identity and Access Management (IAM) user with EIP AssociateAddress permissions, on page 33.


Enter Elastic IP - 54.204.19.103

This is the EIP you created for a protected host, not the EIP for the DSM. See step 2, Create Elastic IP (EIP) addresses in your AWS account, on page 30.

Adding host ec2-54-204-19-103.compute-1.amazonaws.com to Data Security Manager.

Enter password for awsadmin user on the Security Manager - Zs4{&SKqL]!aj

Get the password from your DSM deployment details. See step 8, Get the DSM Deployment Details on page 55.

Host ec2-54-204-19-103.compute-1.amazonaws.com added to Security Manager

The IP address of this instance is going to change to 54.204.19.103 and host name is going to change to ec2-54-204-19-103.compute-1.amazonaws.com.

After restarting, this instance will be registered to the Security Manager hosted at ec2-54-204-10-124.compute-1.amazonaws.com

The instance is going to restart now. Continue? (yes/no) yes

The host reboots and after a few minutes is registered with the DSM.

3: Verify that the protected host is registered with the DSM.

Registration can take up to 15 minutes.

a: __ Open a browser and enter the DSM URL. See step 5, Repeat this process for each protected host, on page 62.

Figure 75: Management Console Login

__ Login as awsadmin with the password from your DSM Deployment Details.


Figure 76: VDS Dashboard

b: Switch to domain, awsdomain.

__ Click Domains > Switch Domains.

Figure 77: Switch domains


Figure 78: Switch to domain

__ Select awsdomain, then click Switch to domain.

c: View the hosts in the domain.

__ Click Hosts > Hosts in the top menu bar to bring up the Hosts page. The new protected host is added and under Pushing Status it says Done. It may take a few minutes to complete registration. If it says N/A, then the registration did not complete. See Chapter 4, Additional Help, on page 64 to re-register.

Figure 79: Hosts page

4: For each protected host, save the deployment information.

__ The Key Pair used to instantiate the host. For example: VODKey

__ The DNS public name of the protected host. For example: ec2-54-221-239-78.compute-1.amazonaws.com


6: See the Vormetric Data Security on AWS: Getting Started Guide to learn how to use the

4 ADDITIONAL HELP

What Next: After successfully installing Vormetric Data Security, see the VDS for AWS All-in-Cloud: Getting Started Guide to learn about major concepts and procedures.

For support go to https://help.vormetric.com/home

Manually re-register your host. If the Pushing Status of a protected host says N/A, then the registration failed.

Figure 80: Pushing Status N/A.

Make sure the firewall on the protected host allows the following connections:

ICMP Ping   Incoming/Outgoing
TCP 7024    Incoming
TCP 8080    Outgoing
TCP 8443    Outgoing
TCP 8444    Outgoing
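A connectivity preflight for the port list above (and the identical list in step 2b of the protected-host procedure), added here as an example that is not part of the Vormetric guide or product: run on the protected host, it probes the DSM on the outgoing TCP ports the installer requires and checks that this host itself accepts connections on TCP 7024. The DSM hostname is a command-line argument; with no argument it demonstrates against a local throwaway listener (a constructed stand-in for a DSM port).

```python
"""Preflight connectivity check for the ports this guide requires between a
protected host and the DSM.

Added example; not part of the Vormetric guide or product. Run it on the
protected host before ./installer (step 2c) or before register_host
(Chapter 4). It confirms that the DSM answers on the outgoing TCP ports the
installer lists (8080, 8443, 8444) and that this host itself accepts
connections on TCP 7024, the port the DSM pushes to. A port that times out
or is refused is the usual reason Pushing Status ends up as N/A.
"""
import socket
import sys
from typing import Dict, Iterable, List, Tuple

# Port numbers come straight from the guide's firewall list for protected hosts.
OUTGOING_TO_DSM = (8080, 8443, 8444)
INCOMING_FROM_DSM = 7024


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> Tuple[bool, str]:
    """Return (ok, reason). A completed TCP handshake counts as open; the
    application protocol is never spoken, only the network path is tested."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "open"
    except socket.timeout:
        return False, "timeout (a security group or host firewall is dropping packets)"
    except ConnectionRefusedError:
        return False, "refused (host reached, but nothing listens on that port)"
    except OSError as exc:  # DNS failure, unreachable network, ...
        return False, "error: %s" % (exc.strerror or exc)


def check_dsm_ports(dsm_host: str, ports: Iterable[int] = OUTGOING_TO_DSM,
                    timeout: float = 3.0) -> Dict[int, Tuple[bool, str]]:
    """Probe every outgoing port the agent must be able to reach on the DSM."""
    return {port: tcp_reachable(dsm_host, port, timeout) for port in ports}


def agent_port_listening(port: int = INCOMING_FROM_DSM) -> bool:
    """True if a process on this host accepts connections on `port`. This
    shows the agent is listening; only a connection made from the DSM side
    also proves that the security group lets the DSM in."""
    ok, _ = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return ok


def blocked_ports(results: Dict[int, Tuple[bool, str]]) -> List[int]:
    """Ports in `results` that did not answer, sorted for stable output."""
    return sorted(port for port, (ok, _) in results.items() if not ok)


def demo_listener() -> Tuple[socket.socket, int]:
    """Open a throwaway listener on 127.0.0.1 (a constructed stand-in for a
    DSM port) so the checker can be exercised without a real DSM."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: the kernel picks a free port
    srv.listen(1)
    return srv, srv.getsockname()[1]


def main(argv: List[str]) -> int:
    if len(argv) < 2:
        # No DSM name given: demonstrate against the local throwaway listener.
        srv, port = demo_listener()
        try:
            results = check_dsm_ports("127.0.0.1", ports=(port,))
        finally:
            srv.close()
        print("demo 127.0.0.1:%d  %s" % (port, results[port][1]))
        return 0
    dsm = argv[1]
    results = check_dsm_ports(dsm)
    for port, (ok, reason) in sorted(results.items()):
        print("%s:%d  %s" % (dsm, port, reason))
    listening = agent_port_listening()
    print("127.0.0.1:%d  %s" % (INCOMING_FROM_DSM,
                                  "open" if listening else "nothing listening"))
    blocked = blocked_ports(results)
    if blocked:
        print("outgoing ports not reachable on the DSM: %s" % blocked)
    return 1 if blocked else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit means at least one outgoing port did not answer; fix the security group or host firewall before running the installer or register_host.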

Then run the register_host command to register the host with the DSM:


If you get a connection timeout and cannot log in, close the Connect to instance pop-up, click the Refresh button in the top right corner of the EC2 dashboard and try logging in again.

2: Register the host by entering register_host command:

# /opt/vormetric/DataSecurityExpert/agent/vmd/bin/register_host

Welcome to the Vormetric Encryption Expert File System Agent Registration Program

Agent Type: Vormetric Encryption Expert File System Agent

Agent Version: 5.1.1.15

In order to register the Vormetric Encryption Expert File System Agent with a Vormetric Data Security Server:

1) you must know the host name of the machine running the Security Server (the host name is displayed on the Dashboard window of the Management Console), and

Note: Security Server is the same as the DSM.

2) the agent's host machine must be pre-configured on the Security Server as a host with the 'Reg. Allowed' checkbox enabled for this agent type on the Hosts window of the Management Console.

Do you want to continue with agent registration? (Y/N) [Y]:

Please enter the primary Security Server host name: ec2-54-221-237-111.compute-1.amazonaws.com

Important: Enter the DSM private DNS Server name from the VDS Dashboard (Figure 12: DSM instance in dashboard)

You entered the host name ec2-54-221-237-111.compute-1.amazonaws.com

Is this host name correct? (Y/N) [Y]:

Please enter the host name of this machine, or select from the following list. The name you provide must precisely match the name used on the "Add Host" page of the Management Console.

[1] ec2-54-221-239-78.compute-1.amazonaws.com

[2] ip-10-178-40-181.ec2.internal

[3] 10.178.40.181

Enter a number, or type a different host name or IP address in manually:

What is the name of this machine? [1]:


Generating certificate signing request...done.

Signing certificate...done.

Generating certificate signing request...done.

Signing certificate...done.

The following is the fingerprint of the CA certificate. Please verify that it matches the fingerprint shown on the Dashboard page of the Management Console. If they do not match, it can indicate an unsuccessful setup or an attack.

D0:59:F3:A7:46:74:66:2A:E6:4E:AD:30:06:47:C9:12:DB:FE:B8:0F

Do the fingerprints match? (Y/N) [Y]:

Successfully registered the Vormetric Encryption Expert File System Agent with the primary Vormetric Data Security Server on ec2-54-221-237-111.compute-1.amazonaws.com

#
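The fingerprint comparison that register_host asks you to do by eye, added here as a Python example that is not part of the Vormetric guide or product: it computes the SHA-1 fingerprint of a CA certificate file (PEM or DER) in the same colon-separated form and compares it in constant time with the value copied from the Management Console Dashboard. The certificate path and the dashboard value are command-line arguments (assumed inputs, not taken from the page); with no arguments it self-checks on constructed bytes.

```python
"""Compare a CA certificate fingerprint with the value shown on the DSM
Dashboard, in the colon-separated SHA-1 form that register_host prints.

Added example; not part of the Vormetric guide or product. A mismatch means
the agent is not talking to the DSM you think it is, which is exactly the
case the registration prompt warns about, so the comparison is done in code
rather than by eye. The certificate path is an assumption: point it at the
CA certificate (PEM or DER) whose fingerprint you want to check.
"""
import base64
import hashlib
import hmac
import re
import sys
from typing import List

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(data: bytes) -> bytes:
    """Return the DER bytes of the first certificate in `data`.
    Accepts PEM (base64 between BEGIN/END lines); raw DER passes through."""
    m = PEM_RE.search(data)
    if m is None:
        return data  # no PEM armour: assume the input is already DER
    return base64.b64decode(b"".join(m.group(1).split()))


def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER encoding, rendered as AA:BB:CC:... the way
    register_host and the Management Console display it."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip separators, whitespace and case so 'd0:59:f3' == 'D059F3'."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def fingerprints_match(shown: str, computed: str) -> bool:
    """Constant-time comparison of two fingerprints in any common notation.
    Anything that is not exactly 20 bytes of hex is rejected, so a
    truncated paste from the dashboard can never 'match' by accident."""
    a, b = normalize(shown), normalize(computed)
    if len(a) != 40 or len(b) != 40:
        return False
    return hmac.compare_digest(a, b)


def main(argv: List[str]) -> int:
    if len(argv) != 3:
        # No certificate given: self-check on constructed bytes (not a real
        # certificate) so the formatting can be seen without any input file.
        print("demo fingerprint of b'abc': %s" % sha1_fingerprint(b"abc"))
        return 0
    with open(argv[1], "rb") as fh:
        computed = sha1_fingerprint(pem_to_der(fh.read()))
    print("computed:  %s" % computed)
    print("dashboard: %s" % argv[2])
    if fingerprints_match(argv[2], computed):
        print("MATCH")
        return 0
    print("MISMATCH: do not confirm the fingerprint at the registration prompt")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```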
