© Copyright International Business Machines 2015. All rights reserved. US Government Users Restricted Rights -
Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp
IBM Cloud Data Encryption Services
Administrator Guide
IBM Cloud Data Encryption Services Administrative Guide 2
Table of Contents
1 Introduction ... 4
  1.1 Authorized Use Permission ... 4
  1.2 Point of Contact ... 4
  1.3 Background and Intention of the Administration Guide ... 4
2 General Overview ... 5
  2.1 System Overview ... 5
  2.2 Definition of Models ... 6
3 Planning Considerations ... 7
  3.1 Prerequisites ... 7
  3.2 System Requirements ... 8
    3.2.1 Local and Remote Storage Size Requirements ... 8
  3.3 Key Management ... 8
4 Pre-Installation ... 9
  4.1 Installing IIS ... 9
  4.2 Installing PHP ... 9
5 Installation ... 11
  5.1 Preparing for Installation ... 11
  5.2 Obtaining the Software ... 11
  5.3 Installing the IBM Cloud Data Encryption Services Software ... 12
    5.3.1 Installation Steps for ICDES from the Software Installation Package ... 12
6 Configuration ... 13
  6.1 IBM Cloud Data Encryption Services Configuration Overview ... 13
  6.2 Licensing and Configuring via the Command Line Interface (CLI) ... 13
    6.2.1 Creating and Choosing Protected Directories in the CLI ... 14
    6.2.2 Moving and Copying Files ... 15
    6.2.3 SAMBA: Tracing Executable Permission Sets from Windows to Linux ... 16
  6.3 Initial Configuration using IBM Cloud Data Encryption Services GUI Interface ... 17
7 Verifying Configuration of IBM Cloud Data Encryption Services ... 20
  7.1 Verifying Configuration of IBM Cloud Data Encryption Services ... 20
  7.2 Verifying Configuration of IBM Cloud Data Encryption Services via GUI ... 21
8 Operations ... 22
  8.1 IBM Cloud Data Encryption Services Management ... 22
  8.2 IBM Cloud Data Encryption Services Commands ... 22
  8.3 IBM Cloud Data Encryption Services Web-Enabled Graphical User Interface (GUI) Screens ... 24
    8.3.1 IBM Cloud Data Encryption Services Dashboard Screen ... 25
    8.3.2 IBM Cloud Data Encryption Services Configuration Options Screen ... 26
    8.3.3 IBM Cloud Data Encryption Services Tools Screen ... 27
    8.3.4 IBM Cloud Data Encryption Services Share Maintenance Screen ... 29
    8.3.5 IBM Cloud Data Encryption Services Log Files Screen ... 30
    8.3.6 ICDES Support Screen ... 31
  8.4 Administration of KMIP, SNMP, and TPM ... 32
    8.4.1 KMIP Connectivity ... 32
    8.4.2 SKLM Key Configuration ... 32
    8.4.3 SNMP Connectivity ... 36
    8.4.4 TPM Usage ... 37
  8.5 Additional Administrative Procedures ... 37
9 Uninstallation ... 38
  9.1 Uninstalling IBM Cloud Data Encryption Services ... 38
10 Frequently Asked Questions (FAQ) ... 39
Appendix I: Administrative Procedures ... 40
  1 Determining Licensing Differences M:N ... 41
  2 Prerequisite Checklist ... 43
  3 Employ Logging ... 44
  4 Using Backup and Recovery ... 45
  5 Performing Daily Operation and Maintenance ... 46
  6 Setting Operational Limits (memory and disk usage for journaling) ... 47
  7 Viewing Protected Directories (stubs) for Filenames ... 48
  8 Setting Disk Space Alert Thresholds ... 49
  9 Rebuilding a Share ... 50
  10 Adjusting Share Read Order ... 51
  11 Taking a Share Offline/Online ... 52
  12 Setting Up SNMP Traps ... 53
Appendix II: IBM Cloud Data Encryption Services - Event Identifiers ... 55
Appendix III: IBM Cloud Data Encryption Services - Modes of Operation Matrix ... 56
Appendix IV: IBM Cloud Data Encryption Services - Model Space Used Percentages ... 57
Appendix V: IBM Cloud Data Encryption Services - Model Presets ... 58
Appendix VI: IBM Cloud Data Encryption Services - Commands ... 61
Appendix VII: Glossary ... 66
1 Introduction
1.1 Authorized Use Permission
Usage of this software is limited to its owner via the terms of the licensing agreement.
1.2 Point of Contact
For additional information about IBM Cloud Data Encryption Services (ICDES), please visit the website at www.i-c-d-e-s.com.
1.3 Background and Intention of the Administration Guide
This document is intended as the primary reference for installation, administration, and use of ICDES on Windows Server® 2008-R2 and Windows Server® 2012 for the purpose of securing data at rest as well as providing High Availability (HA) for data.
2 General Overview
2.1 System Overview
ICDES uses cryptographic data splitting to provide security and High Availability (HA) for data at rest. It works at the file system level to secure files transparently, and the parallel paths to storage devices or locations that cryptographic data splitting creates can also increase data throughput.
ICDES operates on an “M of N” model, which determines what number of pieces of data is required to rebuild the data (M) out of the total number of pieces created (N). The pieces of data stored, which can be on local or remote locations depending on the license, are referred to as “shares”. The use of multiple shares allows for improved data flow along with the added options for data resiliency and fault tolerance.
M of N Model Example
In this example, the number of pieces required to rebuild the data is 3 (M=3). The total number of shares created is 4 (N=4).
ICDES allows setting the read order of each share to determine the priority of the sequence in which a share will be accessed. The ability to encrypt the filenames of all the files within a share is also available for supported models.
To maintain operations in the event that a share becomes inaccessible, ICDES begins journaling (recording write operations) until access to the share is restored. The journaled operations are then written to the previously inaccessible share. Journal space is therefore a planning item: see section 3.2.1 for the recommended allocation and Appendix I, procedure 6, for setting its limits.
2.2 Definition of Models
This software is offered in three (3) distinct models:

Product   Model   Description
ICDES     SEC     Secure
ICDES     ADV     Advanced Secure
ICDES     AMS     Advanced Multi-Site

The models are defined as follows:
Model SEC - Cryptographically split data (includes encryption). No fault tolerance: the supported M of N configurations are 1 of 1 and 4 of 4, and the default is 1 of 1. Because every share is required, the loss of any share makes the data unreadable; fault tolerance, if needed, must be provided by the storage enclosure's RAID configuration.
Model ADV - Single-site High Availability using cryptographic splitting (includes encryption), tolerating up to N - M share failures at the same site. Initial M of N configurations are 2 of 3, 2 of 4, 3 of 4 and 4 of 6; the default is 3 of 4. The drives may be spread across multiple storage enclosures or multiple chassis in the same site. M of N may be defined via the GUI or CLI, but all N mount points must be within a single site. Additional M of N configurations for this model will be added over time based on a commercially reasonable roadmap.
Model AMS - Multi-site Disaster Recovery (DR) across two locations. The configuration survives the loss of an entire site (the primary or the failover site) and can sustain up to N minus M share failures across both sites in total. Initial M of N values are 2 of 6, 3 of 8, and 4 of 10 (roadmap item); the default is 3 of 8. The default 3 of 8 places 4 mount points at each of the 2 sites: any 3 of the 8 shares reconstitute the data, so the loss of an entire site plus 1 mount point at the surviving site is still tolerated. Additional M of N configurations for this model will be added over time based on a commercially reasonable roadmap.
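The M of N property described above, shown with an added PowerShell example that is not ICDES code and not the product's own splitting algorithm (which this guide does not describe): a Shamir threshold split over GF(2^8) that turns a byte string into N shares, any M of which rebuild it while fewer than M are refused. The AMS "3 of 8, two sites of four" layout and the sample bytes are constructed for the demonstration.

```powershell
# Added example: Shamir M-of-N threshold splitting over GF(2^8).
# Stand-in for "cryptographic data splitting"; ICDES's real algorithm is not
# described in this guide and may differ.

# Multiply two field elements (AES polynomial x^8 + x^4 + x^3 + x + 1).
function gfmul([int]$a, [int]$b) {
    $p = 0
    for ($i = 0; $i -lt 8; $i++) {
        if ($b -band 1) { $p = $p -bxor $a }
        $carry = $a -band 0x80
        $a = ($a -shl 1) -band 0xFF
        if ($carry) { $a = $a -bxor 0x1B }
        $b = $b -shr 1
    }
    return $p
}

# Multiplicative inverse: a^254 is a^-1 in GF(2^8).
function gfinv([int]$a) {
    $r = 1
    for ($i = 0; $i -lt 254; $i++) { $r = gfmul $r $a }
    return $r
}

# Split $Data into $N shares, any $M of which rebuild it. Share x (1..N) holds
# p(x) for a random degree-(M-1) polynomial p whose constant term is the data byte.
function Split-Secret([byte[]]$Data, [int]$M, [int]$N) {
    if ($M -lt 1 -or $M -gt $N -or $N -gt 255) { throw "need 1 <= M <= N <= 255" }
    $shares = @{}
    for ($x = 1; $x -le $N; $x++) { $shares[$x] = New-Object byte[] $Data.Length }
    for ($k = 0; $k -lt $Data.Length; $k++) {
        $coef = New-Object int[] $M
        $coef[0] = [int]$Data[$k]
        for ($d = 1; $d -lt $M; $d++) { $coef[$d] = Get-Random -Maximum 256 }
        for ($x = 1; $x -le $N; $x++) {
            $y = 0   # Horner evaluation of p(x)
            for ($d = $M - 1; $d -ge 0; $d--) { $y = (gfmul $y $x) -bxor $coef[$d] }
            $shares[$x][$k] = [byte]$y
        }
    }
    return $shares
}

# Rebuild the data from any $M shares (hashtable: share number -> bytes) by
# Lagrange interpolation at x = 0. Fewer than M shares is refused outright.
function Join-Secret([hashtable]$Shares, [int]$M) {
    $xs = @($Shares.Keys | Select-Object -First $M)
    if ($xs.Count -lt $M) { throw "only $($xs.Count) shares available, M=$M required" }
    $len = $Shares[$xs[0]].Length
    $out = New-Object byte[] $len
    for ($k = 0; $k -lt $len; $k++) {
        $acc = 0
        foreach ($xi in $xs) {
            $basis = 1   # l_i(0) = product over j != i of x_j / (x_j - x_i); minus is XOR here
            foreach ($xj in $xs) {
                if ($xj -ne $xi) { $basis = gfmul $basis (gfmul $xj (gfinv ($xj -bxor $xi))) }
            }
            $acc = $acc -bxor (gfmul $basis ([int]$Shares[$xi][$k]))
        }
        $out[$k] = [byte]$acc
    }
    return ,$out
}

# --- Demonstration: AMS default 3 of 8, two sites with four mount points each (constructed) ---
$data   = [Text.Encoding]::UTF8.GetBytes('constructed sample file contents')
$shares = Split-Secret $data 3 8
$siteA  = 1..4
$siteB  = 5..8

# Entire site A lost, plus mount point 5 at site B: three shares remain, which is enough.
$lost = @($siteA) + 5
$survivors = @{}
foreach ($x in ($siteA + $siteB)) { if ($lost -notcontains $x) { $survivors[$x] = $shares[$x] } }
$rebuilt = Join-Secret $survivors 3
"3 of 8 after losing site A and share 5: " + [Text.Encoding]::UTF8.GetString($rebuilt)

# Two shares are below the threshold: the rebuild is refused rather than yielding data.
$tooFew = @{ 7 = $shares[7]; 8 = $shares[8] }
try { Join-Secret $tooFew 3 | Out-Null } catch { "2 of 8: $($_.Exception.Message)" }
```

Each share here is as large as the data, so N shares cost N times the space; the guide's own overhead figures per model and M:N are in Appendix IV and will differ from this stand-in.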
3 Planning Considerations
3.1 Prerequisites
Installation of ICDES is a straightforward process that places files into the “Windows” and “Program Files” directories.
In preparation, it is a good idea to review the installation instructions in their entirety prior to installing the software. Below is a list of prerequisites that will enable the successful installation and operation of the ICDES software. In addition, a prerequisite checklist is provided in “Appendix I: Administrative Procedures” to help ensure the successful installation and deployment of the ICDES software.
1. Operational server with a licensed operating system
   • Windows Server® 2008 R2 or Windows Server® 2012
2. ICDES software with a valid license
3. Each system with licensed software requires outbound HTTPS (port 443) communication to license.i-c-d-e-s.com for license, metering, and heartbeat traffic in order to operate beyond the free trial mode of the software. Scope the firewall rule to that destination rather than opening outbound port 443 generally.
4. Installer package:
   • ICDES_4.2.10.xxxx.msi
5. Microsoft Internet Information Services (IIS) Web Server role installed
   • The GUI uses the Default Web Site configuration. Additional configuration of web site ports may be required when installing multiple web site applications.
6. Internet Explorer version 10 or later
7. .NET® Framework 2.0 (or newer) installed
8. PHP 5.3 (or newer) installed
9. The installer must be a System Administrator with full access permissions to install, configure, and maintain the servers and storage for an ICDES installation.
   • Grant the administrative accounts the “Log on as a batch job” user right; the GUI requires it.
10. Set up designated storage locations for the shares (local or remote, depending on license)
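The prerequisites above, checked by an added PowerShell script rather than by hand. This is not part of the ICDES package; it uses only the host name, port and minimums stated in sections 3.1 and 3.2, and the feature names are the standard Windows Server role names.

```powershell
# Added example, not part of the ICDES package: check the section 3.1
# prerequisites and the section 3.2 minimums on the target server before
# running the installer. Licensing host and port come from this guide.

$results = @()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

# 1. Supported operating system (Windows Server 2008 R2 reports 6.1, 2012 reports 6.2).
$os = Get-WmiObject Win32_OperatingSystem
Add-Check 'Windows Server 2008 R2 / 2012' ($os.Version -match '^6\.[12]\.') "$($os.Caption) $($os.Version)"

# 5. IIS Web Server role, plus CGI, which PHP under IIS needs (section 4.2).
Import-Module ServerManager
$iis = Get-WindowsFeature Web-Server
$cgi = Get-WindowsFeature Web-CGI
Add-Check 'IIS Web-Server role' $iis.Installed "Installed=$($iis.Installed)"
Add-Check 'IIS CGI feature'     $cgi.Installed "Installed=$($cgi.Installed)"

# 7. .NET Framework 2.0 or newer: an NDP version key v2 or higher exists.
$ndp = @(Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -ErrorAction SilentlyContinue |
         Where-Object { $_.PSChildName -match '^v[2-9]' })
Add-Check '.NET Framework 2.0+' ($ndp.Count -gt 0) (($ndp | ForEach-Object { $_.PSChildName }) -join ', ')

# 8. PHP 5.3 or newer on the PATH ("php -v" prints "PHP 5.3.5 ..." on its first line).
$php = Get-Command php.exe -ErrorAction SilentlyContinue
$phpLine = if ($php) { (& $php.Path -v | Select-Object -First 1) } else { 'php.exe not found on PATH' }
$phpOk = ($phpLine -match 'PHP (\d+\.\d+)') -and ([version]$Matches[1] -ge [version]'5.3')
Add-Check 'PHP 5.3+' $phpOk $phpLine

# 3. Outbound HTTPS to the licensing host; without it ICDES stays in trial mode.
$licHost = 'license.i-c-d-e-s.com'
$tcp = New-Object Net.Sockets.TcpClient
$reach = $false
try {
    $ar = $tcp.BeginConnect($licHost, 443, $null, $null)
    $reach = $ar.AsyncWaitHandle.WaitOne(5000) -and $tcp.Connected
} catch { }
$tcp.Close()
Add-Check "Outbound TCP 443 to $licHost" $reach $(if ($reach) { 'connected' } else { 'blocked, filtered or unresolvable' })

# 9. Elevated administrator, and Administrators hold "Log on as a batch job" (needed for GUI access).
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Add-Check 'Running as elevated Administrator' $isAdmin $id.Name
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$batch = (Get-Content $inf | Where-Object { $_ -match '^SeBatchLogonRight' }) -join ''
Remove-Item $inf -ErrorAction SilentlyContinue
Add-Check 'Administrators have SeBatchLogonRight' ($batch -match 'S-1-5-32-544|Administrators') $batch

# Section 3.2 minimums: 2 cores, 8 GB RAM, 20 GB free on the system drive.
$cores  = (Get-WmiObject Win32_Processor | Measure-Object NumberOfCores -Sum).Sum
$ramGB  = [math]::Round((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
$disk   = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
Add-Check 'CPU cores >= 2'     ($cores -ge 2)   "$cores cores"
Add-Check 'RAM >= 8 GB'        ($ramGB -ge 8)   "$ramGB GB"
Add-Check 'Free disk >= 20 GB' ($freeGB -ge 20) "$freeGB GB free on $env:SystemDrive"

$results | Format-Table Check, Pass, Detail -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more prerequisites are not met; resolve them before running the installer.'
}
```

Run it from an elevated PowerShell session; secedit and the WMI queries need administrative rights, and an unelevated run will itself show up as a failed check.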
3.2 System Requirements
Minimum System Requirements
• Dual Core 64-bit CPU @ 2 GHz
• 8 GB RAM
• 20 GB of available hard disk space
  o 300 MB or more is recommended for log file space
• Network access
• Remote storage options are available in models SEC, ADV and AMS.

Recommended System Requirements
• Quad Core 64-bit CPU @ 2 GHz with Intel® Advanced Encryption Standard Instructions (AES-NI)
• 16 GB RAM
• 40 GB of available hard disk space
  o 500 MB or more is recommended for log file space
• Network access
• Remote storage options are available in models SEC, ADV and AMS.
3.2.1 Local and Remote Storage Size Requirements
It is recommended that at least 20 GB of disk space on the host system be allocated to the ICDES journal. The storage for the shares should be sized from the total size of the files ICDES is expected to protect; depending on the M of N configuration, additional space is needed for the growth that splitting the files produces. Refer to “Appendix IV: IBM Cloud Data Encryption Services - Model Space Used Percentages” for a chart of the overhead space used, expressed as percentages, per model and M:N selection.
3.3 Key Management
ICDES provides the capability to manage and host the master key on the local server, a centrally managed key server, or in the Trusted Platform Module (TPM).
Critical Note
Wherever you choose to store the master key, it is critical that a backup of both the key and the configuration file be made routinely. Keep the key backup separate from backups of the shares and under access controls at least as strict as the key itself: whoever holds enough shares together with the master key can reconstruct the protected data.
4 Pre-Installation
Before you install this software, review the following sections to ensure proper installation and best experience with ICDES on your server.
Be sure to manage the server where ICDES and the protected directory reside. ICDES does not require the managed shares to reside on the same machine, but they must be accessible from the server where ICDES is installed and running. Consideration for the read order of the shares will be necessary when pointing ICDES to a network storage location for the shares. Local storage locations should be given a higher precedence in the read order when available in order to maintain local access speeds of the protected data.
If you plan to run Windows and Linux in a SAMBA configuration with shared volumes in a CIFS network, make sure SAMBA does not modify the execution bit of files transferred to Linux systems from a Windows Server. See “SAMBA: Tracing Executable Permission Sets from Windows to Linux” and/or the SAMBA documentation for additional information.
This version of the software works with IBM Security Key Lifecycle Manager (SKLM) and other key managers that adhere to the KMIP protocol. Prior to configuration, ensure that the SKLM certificates are available and placed in the \Program Files\Bitfiler-IFXP\ directory.
4.1 Installing IIS
To install the web server, Windows IIS, run the following commands in PowerShell:
Import-Module servermanager
Add-WindowsFeature web-server
4.2 Installing PHP
To install PHP on the server, navigate to Microsoft’s website:
http://www.microsoft.com/web/gallery/install.aspx?appid=PHP53
and download PHP installer version 5.3.5. This installer automatically installs PHP and the IIS modules. To install PHP manually, download a version of PHP 5.3.5 or later and make the following change to IIS:
Windows Server 2012 -> Server Roles -> Web Server -> Web Server (IIS) -> Application Development
Windows Server 2008 R2 requires CGI to be checked under Application Development when installing PHP manually.
Note that the PHP 5.3 branch reached end of life in August 2014 and no longer receives security fixes. Use the newest PHP release that ICDES supports and keep it patched, since the GUI exposes this PHP installation to everyone who can reach the web site.
5 Installation
5.1 Preparing for Installation
The ICDES installation process has two steps:
1. Obtaining the software
2. Installing the ICDES software
The sections that follow provide details on each of these steps. Note that the deployment steps are oriented towards new installs on hosts where there are no existing ICDES drivers or software. If you are installing on a host where ICDES was previously installed, proceed to the “Configuration” section of this manual on p. 13 for more information.
5.2 Obtaining the Software
ICDES is available for purchase through the ICDES website at https://www.i-c-d-e-s.com and selecting IBM Cloud Marketplace. After completion of an order, an email reply will be sent with instructions for downloading the software.
Once obtained, please follow the steps in “Installing the IBM Cloud Data Encryption Services Software” to install the software.
5.3 Installing the IBM Cloud Data Encryption Services Software
5.3.1 Installation Steps for ICDES from the Software Installation Package
Step 1: With PowerShell running, navigate to the working directory containing the installer MSI file and run the following (replacing “XXXX” with the appropriate version being installed):
msiexec.exe /i \ICDES-4.2.10-XXXX.msi
Before running it, confirm that the package is the one you downloaded: check its digital signature and publisher with Get-AuthenticodeSignature, and compare its hash against the value given in the download instructions if one was provided.
A window with a progress bar will appear and close upon completion:
Installer Progress Window
After successful installation of the software, ICDES is ready to be configured. See “IBM Cloud Data Encryption Services Configuration Overview” for configuration details.
If any requirements are not met, the installer process will display a message box indicating the missing requirement. After fulfilling all requirements, the installer will proceed as described above.
6 Configuration
6.1 IBM Cloud Data Encryption Services Configuration Overview
Once ICDES has been installed, the software can be configured for operation. The sections below describe a basic configuration, which consists of setting the license and designating the share locations for the license.
6.2 Licensing and Configuring via the Command Line Interface (CLI)
The following steps assume that the ICDES software has been installed. If this has not been performed, please refer to the “Installation” section of this manual.
Perform the following command to enter the license for ICDES:
spxconfig -l < License Key >
ICDES can operate in a 30-day trial mode using the command “spxconfig -l” without a license key.
A successful execution of the above will display a default M of N configuration for the associated license. The next step is to designate the locations of the shares. See “Appendix V: IBM Cloud Data Encryption Services - Model Presets” for examples of configurations. The following commands need to be entered as shown:
spxconfig -m:n < M value >:< N value >
spxconfig -share < # > -path < share1 path >
...
spxconfig -share < # > -path < shareN path >
spxconfig -submit
The share directories do not need to be created in the file system prior to running the “-share” option.
The option to encrypt, or hash, the filenames within a share is available through the “-hashed” option, which can be set during initial configuration. To set it, pass the following “spxconfig” command for each share whose filenames are to be hashed:
spxconfig -share < # > -hashed < yes/no >
Additionally, the order of priority in which shares are accessed can be set via the “-readorder” option as shown. Execute the following command for each share:
spxconfig -share < # > -readorder < # >
To quickly configure all options for a share during the initial configuration, the complete command is as follows:
spxconfig -share < # > -path [path] -hashed < yes/no > -readorder < # >
During initial configuration, shares can be connected to remote NFS shares by passing the following options to “spxconfig -share < # >”:
spxconfig -share < # > -type network
spxconfig -share < # > -network <username> <password>
Critical Note
You must be an Administrator with permissions to the NFS share, and the NFS share must allow root access with read and write permissions. The share password is supplied as a plain command-line argument: while spxconfig runs it is visible in the process command line to other local administrators, and it will be recorded if the command is typed interactively (PowerShell command history) or captured in a transcript. Do not place it in scripts or batch files stored on disk.
ICDES can run only with one license at a time. Once the license has been added, ICDES is now configured. The next step is to test and process the files in a target directory.
6.2.1 Creating and Choosing Protected Directories in the CLI
To process a target directory (creating it if necessary), perform the following:
Log on as Administrator to the machine with ICDES installed and access to the storage location of the shares.
Create the directory if it does not already exist. (Substitute {protected} with the path of the directory.)
Run the following command to tell ICDES to process the target directory:
spxenc -e {protected}
This command defines the target directory that will have all contents and subdirectories split and encrypted, depending on the active license. To decrypt a protected directory, the following command is required:
spxenc -d {protected}
This will define the target directory to start the re-assembly and decryption of all of the files and directories under the location named {protected}. This decrypted data will retain encryption protection by the software until uninstallation of ICDES or the file(s) are copied to a new non-protected directory.
For information on uninstalling ICDES Server, see section Uninstallation.
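The CLI procedure of sections 6.2 and 6.2.1 carried through end to end, as an added PowerShell script that is not shipped with ICDES. The spxconfig, spxenc, spxshare and spxinfo syntax is taken from this guide; the 3 of 4 layout, share paths and protected directory are made up, the spx* tools are assumed to be on the PATH, and spxconfig is assumed to return a non-zero exit code when a call fails.

```powershell
# Added example, not shipped with ICDES: sections 6.2 and 6.2.1 as one script.
# Command syntax is from this guide; paths, layout and exit-code handling are
# assumptions.

$ErrorActionPreference = 'Stop'
$script:secret = $null

function Invoke-Spx([string]$Exe, [string[]]$Arguments) {
    # Echo the call with the share password masked, run it, and stop on failure.
    $shown = ($Arguments | ForEach-Object { if ($script:secret -and $_ -eq $script:secret) { '********' } else { $_ } }) -join ' '
    Write-Host "> $Exe $shown"
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# ADV model, 3 of 4: two local shares read first, two network shares after them
# (section 4 recommends giving local storage the higher read precedence).
$shares = @(
    @{ Num = 1; Path = 'D:\icdes\share1';     Type = 'local';   ReadOrder = 1 },
    @{ Num = 2; Path = 'E:\icdes\share2';     Type = 'local';   ReadOrder = 2 },
    @{ Num = 3; Path = '\\nas1\icdes\share3'; Type = 'network'; ReadOrder = 3 },
    @{ Num = 4; Path = '\\nas2\icdes\share4'; Type = 'network'; ReadOrder = 4 }
)

$licenseKey = Read-Host 'ICDES license key (leave empty for the 30-day trial)'
# The network-share credential reaches spxconfig as a command-line argument, the only
# form this guide documents, so it is visible in the process command line while the
# call runs. Prompt for it at run time instead of storing it in this file.
$cred = Get-Credential
$script:secret = $cred.GetNetworkCredential().Password

if ($licenseKey) { Invoke-Spx spxconfig @('-l', $licenseKey) } else { Invoke-Spx spxconfig @('-l') }
Invoke-Spx spxconfig @('-m:n', '3:4')
foreach ($s in $shares) {
    Invoke-Spx spxconfig @('-share', $s.Num, '-path', $s.Path, '-hashed', 'yes', '-readorder', $s.ReadOrder)
    if ($s.Type -eq 'network') {
        Invoke-Spx spxconfig @('-share', $s.Num, '-type', 'network')
        Invoke-Spx spxconfig @('-share', $s.Num, '-network', $cred.UserName, $script:secret)
    }
}
Invoke-Spx spxconfig @('-submit')
$script:secret = $null                   # drop the clear-text password from this session

# Check what ICDES recorded (section 7.1), then put a directory under protection (6.2.1).
Invoke-Spx spxconfig @('-print')
Invoke-Spx spxshare  @('-status')
$protected = 'D:\data\finance'
if (-not (Test-Path $protected)) { New-Item -ItemType Directory -Path $protected | Out-Null }
Invoke-Spx spxenc  @('-e', $protected)
Invoke-Spx spxinfo @('-l')               # the new directory should now be listed as protected
```

Run it once, from an elevated session on the ICDES host, and follow it with a configuration backup as the Critical Notes in sections 3.3 and 6.3 require.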
6.2.2 Moving and Copying Files
The Move and Copy commands perform different functions.
Move and Copy:
When using move or copy to place files into a protected directory, the files are automatically encrypted.
Copy and Paste:
When copying files from a protected directory and pasting them into a non-protected directory, the encryption protection is removed, producing a clear-text version of the files.
Move:
When moving files out of a protected target directory, they retain the encryption protection.
Critical Note
The “Move” Command
Using the Move command to move a file from one protected directory to another protected directory or a non-protected directory will retain encryption protection. When the “MOVE” command is used to move a single file out of a protected directory, it will create and display an entry in the Protected Directories list in the GUI Configuration Options screen.
When the MOVE command is used to move a protected directory to a new location, it will create and display the new location path in the Protected Directories list and the old protected directory path will also remain in the Protected Directory list.
6.2.3 SAMBA: Tracing Executable Permission Sets from Windows to Linux
When shares on a Windows or Linux system are mounted into the protected directory through SAMBA (or an equivalent product), note that SAMBA by default alters the execute bits of the POSIX permissions:
1. With the default settings, SAMBA stores the DOS attribute bits of a file in the POSIX execute bits: the archive attribute, which Windows sets on most files it writes or modifies, is mapped to the owner execute bit (“map system”, off by default, would likewise use the group bit). Such files therefore arrive on the Linux side marked executable for the user or group.
2. To stop SAMBA from folding DOS attributes into the permission bits of files transferred to the Linux-side protected directory, the “map archive” setting in /etc/samba/smb.conf must be set to no. Its default is yes.
3. The smb.conf file has a global-options section headed as follows. The relevant settings are shown with “map archive” set to no and the others left at their defaults. Lines beginning with “;” or “#” are comments; a comment may not follow a value on the same line, so the note is placed on its own line:

   #======================= Global Settings ===============================
   [global]
   # --- Filesystem Options ---
   # The following options can be uncommented if the filesystem supports
   # Extended Attributes and they are enabled (usually by the mount option
   # user_xattr). These options will let the admin store the DOS attributes
   # in an EA and make samba not mess with the permission bits.
   #
   # Note: these options can also be set just per share, setting them in global
   # makes them the default for all shares
   # "map archive" must be set to no (the default is yes)
      map archive = no
   ;  map hidden = no
   ;  map read only = no
   ;  map system = no
   ;  store dos attributes = yes

4. With this setting, files are presented to Linux with the other permission bits unchanged; read/write files remain read/write.
5. Files copied or modified on the Linux side keep the permissions the Linux system assigns (read/write), and the execute bit stays cleared.
Apart from the execute-bit change, Linux interacts with files normally when using SAMBA to access Windows shared data. After editing smb.conf, check it with “testparm” and reload the SAMBA service for the change to take effect.
6.3 Initial Configuration using IBM Cloud Data Encryption Services GUI Interface
GUI Logon Screen
Step 1: Apply all of the installation steps from p. 12 to unpack and place all of the ICDES software onto the operating system.
Step 2: Start the GUI interface by pointing the browser to http://X.X.X.X/ICDES, where the IP address X.X.X.X is that of the system on which ICDES is installed. Note that this is a plain HTTP URL: the administrator credentials and license key entered in the next step travel unencrypted unless an HTTPS binding with a server certificate is configured for the site in IIS and the GUI is opened with https:// instead, or the GUI is used only locally on the server via the localhost address.
Step 3: For initial configuration, enter in an Administrator User ID and Password. Then enter the license value given by your installation and purchasing agreement.
Critical Note
Set the administrative accounts logon permissions for batch jobs in User Policy or Domain Policy under User Rights Management.
GUI Initial Configuration
Step 4: Apply the initial Share Setup M of N properties for the appropriate model as determined by the license type; Share directory paths, Read Order, and whether to encrypt file names; and then set Key Options and Journaling Limits.
Step 5: Select the “Run Initial Config” button to submit the configuration. The GUI will automatically navigate to the Dashboard. The GUI requires the user to initiate a “Backup ICDES Configuration” before navigating to another GUI screen.
GUI Dashboard
Critical Note
Wherever you choose to store the master key, it is critical that a backup of both the key and the configuration file be made routinely.
7 Verifying Configuration of IBM Cloud Data Encryption Services
7.1 Verifying Configuration of IBM Cloud Data Encryption Services
To verify the configuration of ICDES via the CLI, run the following command in PowerShell; it displays the current configuration:
spxconfig -print
7.2 Verifying Configuration of IBM Cloud Data Encryption Services via GUI
To verify the configuration of ICDES via the GUI, check the following:
Observe the Dashboard and confirm that the Service Status shows an “OK” status.
Navigate to the Configuration Options screen, verify that the status is on, and verify that the listed license and M of N configuration match what was selected during configuration.
On the Share Maintenance screen, verify that the share statuses are on and the path matches what was designated during configuration. Verify that the shares exist in the file system by navigating to the location in Windows Explorer or via PowerShell.
8 Operations
8.1 IBM Cloud Data Encryption Services Management
The following sections describe the available commands and their respective operational descriptions with examples. See “Appendix I: Administrative Procedures” for more details on using the various features of ICDES.
8.2 IBM Cloud Data Encryption Services Commands
The list of ICDES commands:
• spxbackup
• spxcapacity
• spxconfig
• spxenc
• spxinfo
• spxlog
• spxnotifytest
• spxperformance
• spxrestore
• spxshare
Changes made after the initial configuration, such as adjusting the OPS Memory and Disk Limits or enabling or disabling SNMP or KMIP, are saved using the command:
spxconfig -save
A system reboot is required to commit the changes.
8.2.1 IBM Cloud Data Encryption Services Command Descriptions and Examples
The following section describes some of the common command arguments that will be used for ICDES. For additional arguments, follow the command with “-h”.
The command “spxbackup” will create and back up all data needed to start ICDES on another server.
The command “spxcapacity” will display available storage and the total and used storage for each share. The command is used as follows:
spxcapacity
Protect one or more directories by using the “spxenc -e” command.
spxenc -e {target path}
Once “spxenc -e” is entered, ICDES will begin converting all targeted directories, subdirectories, and files under those directories into processed content. Users with read access to the processed directory will automatically see the reassembled content with any program that reads a file from a processed directory.
To unprotect a protected directory, run the “spxenc -d” command. All sub-directories and files will be unprotected once ICDES processes them.
spxenc -d {target path}
To view protected directories, run “spxinfo -l”, which will display a list of all protected directories.
spxinfo -l
The command “spxlog” will display the log file, or clear it. Examples of a log filename are “alert” or “restore”.
spxlog -{logfilename}
The command “spxnotifytest” will run a notification test.
spxnotifytest
The command “spxperformance” will run a performance test and report results.
spxperformance
The command “spxreload” will reload keys, registry, and database from a backup file created via “spxbackup”.
The command “spxrestore” will rebuild one or all shares from the stubs left by the encryption process.
spxrestore -all
The command “spxrollback” will roll back ICDES to a previous software version.
spxrollback
The command “spxshare” will allow users to toggle shares offline or online, and using the “-status” option will list the status of all shares.
spxshare -status
8.3 IBM Cloud Data Encryption Services Web-Enabled Graphical User Interface (GUI) Screens
ICDES will automatically install a Graphical User Interface (GUI) that appears in the Internet Information Services manager (IIS), during ICDES software installation. IIS must be installed and running on the target computer prior to ICDES installation. The GUI has several screens that perform equivalent functions to the command line interface (CLI). These functions are described, per screen, in the sections below. The GUI website should be added to the Trusted Sites section of the browser interface; otherwise, the GUI may not function. A work-around is to access the GUI locally on the server where ICDES is hosted using the ‘localhost’ address.
8.3.1 IBM Cloud Data Encryption Services Dashboard Screen
ICDES Dashboard
The dashboard has a collection of widgets that show ICDES status and health. A button called “Run Backup” accepts a target directory (which should be empty) in which to save a backup of the ICDES configuration for the current date.
Critical Note
1. Before using the ICDES GUI for other tasks, an “ICDES Configuration Backup” must be created.
2. Wherever you choose to store the master key, it is critical that a backup of both the key and the configuration file be made routinely.
8.3.2 IBM Cloud Data Encryption Services Configuration Options Screen
Configuration Options
Configuration Options consist of the choices made at the time of installation of ICDES. These include License Key, Model, and M of N. The IBM Cloud Data Encryption Services Status button will display status of the shares.
The Enabled Directories list is the collection of directories under protection by ICDES. If a directory does not exist when it is enabled (added), the words “PENDING CREATION” are appended to the list item (directory). Once the directory is created, ICDES will put that directory under protection.
8.3.3 IBM Cloud Data Encryption Services Tools Screen
ICDES Tools
In the Tools Screen, Alert Settings and Limit Settings may be altered while ICDES is in operation. Each alert would be a value from zero to 100, which represents the
Limit settings involve memory and disk limits that are used during operation to size RAM paging and disk paging. Note that RAM (Memory Limit) paging is measured in Megabytes (MB) and disk (Disk Limit) paging is measured in Gigabytes (GB).
Critical Note
After making changes to SNMP Alert Settings or Journal Limit Settings, a restart will be required. The services will restart automatically upon a system reboot. It is important to make a backup of the configuration after any changes.
The SNMP Options section enables the ICDES system to send SNMP v3 traps to a remote SNMP trap receiver. If configured, each of the four input values must be specified:
SNMP User          SNMP v3 authenticating user name
SNMP Password      SNMP v3 authenticating password
SNMP IP Address    IP address or resolvable hostname; a Fully Qualified Domain Name is preferred
SNMP Port          The port on the remote system that is listening for SNMP traps
The KMIP Options section enables the ICDES system to interact with a remote Key Manager that is compliant with KMIP (for example, IBM Security Key Lifecycle Manager).
KMIP IP Address    IP address or resolvable hostname; a Fully Qualified Domain Name is preferred
KMIP Port          The port on the remote system that is listening for KMIP requests
Please refer to the “KMIP Connectivity” section for instructions on setting up the required public and private certificates for use with ICDES.
Note
Each “Validate Options” button verifies the values before they are submitted as part of the current Tools settings. The “Submit” button applies the changes to the current Tools settings.
8.3.4 IBM Cloud Data Encryption Services Share Maintenance Screen
ICDES Maintenance
The Share Maintenance screen shows the status and percentage of use for each share that IBM Cloud Data Encryption Services has under management. The shares can be manually disabled using the Share Status field. Read Order can set the order in which each share is read. Shares can be individually restored via the Restore button near the share location. The capacity field measures the amount of remaining space per share. Encrypted Filenames will toggle whether the filename will be stored using an encrypted value, instead of the directory and filename in plain text.
Critical Note
After making changes to Read Order of Shares, a restart will be required. The services will restart automatically upon a system reboot. It is important to make a backup of the configuration after any changes.
8.3.5 IBM Cloud Data Encryption Services Log Files Screen
ICDES Logs
The Select Log File control offers a selection for each log file on the server where ICDES is installed. Scroll to Top, Scroll to Bottom and Clear Feed manage the view of the log. Export Log saves the log as a text file on the local machine.
8.3.6 ICDES Support Screen
ICDES Support
The support screen provides contact details for Support Website, Telephone Number, and Support E-mail address. The Software Information lists System ID, License Key, Model, Version, and M of N for ICDES Configuration.
8.4 Administration of KMIP, SNMP, and TPM
The following section covers the spxconfig configuration settings for the Key Management Interoperability Protocol (KMIP), the Simple Network Management Protocol (SNMP) server and the Trusted Platform Module (TPM) device with ICDES.
8.4.1 KMIP Connectivity
This section provides instructions on how to configure the KMIP system to interoperate with the ICDES system. The KMIP system in this example is IBM Security Key Lifecycle Manager (SKLM). KMIP operations can be configured via the CLI with the following commands:
spxconfig -kmip_ip '127.0.0.1'
spxconfig -kmip_port '1234'
spxconfig -kmip_certpath 'C:\cert\certfile.pem'
spxconfig -kmip_key 'C:\key\keyfile.pem'
spxconfig -validate_kmip
spxconfig -kmip on
*The values in single quotes are placeholders and do not correspond to any valid value.
The SKLM server uses certificate-based authentication. Before SKLM can be used with ICDES, the key pair must be generated, the certificate imported into SKLM, and the key pair installed on the ICDES system.
If KMIP capability is configured for an instance of ICDES, the enterprise “Key Management Server” should be backed up on a regular basis to prevent the loss of the ICDES key.
8.4.2 SKLM Key Configuration
As an Administrator, perform the following:
1. Open PowerShell, change the working directory to the WAS_Home\bin directory (example: drive:\Program Files (x86)\IBM\WebSphere\AppServer\bin) and type:
wsadmin -username SKLMAdmin -password {sklm password} -lang jython
(Passing the password on the command line leaves it visible in the process list and in the PowerShell command history; clear the history afterwards.)
2. Create the certificate
print AdminTask.tklmCertCreate ('[-type selfsigned -alias ICDESSSLCert -cn tklmssl -ou development -o IBMCorp -country US -keyStoreName
3. Display your certificates
print AdminTask.tklmCertList()
The most recently created certificate will be the last one in the list. Copy the uuid specified, as you will need it for the next command. The following is an example of a uuid:
CERTIFICATE-ff69553c-55xx-4a3d-bxx5-81xx366b76c5
4. Trust the certificate
print AdminTask.tklmCertUpdate('[-uuid {your_uuid} -attributes "{trusted y}"]')
Replace {your_uuid} with what you copied in Step #3 above.
5. Export the certificate using the same uuid
print AdminTask.tklmCertExport ('[-uuid {your_uuid} -format DER -fileName c:\tmp\cert.der]')
6. Export your key, using the alias
print AdminTask.tklmKeyExport ('-alias ICDESSSLCert -fileName c:\tmp\keys.p12 -keyStoreName defaultKeyStore -type privatekey -password {key_password}')
The {key_password} sets the password that protects the exported key file.
7. Exit the WebSphere admin command line interface:
quit
8. Convert the certificate from DER to PEM format:
cd c:\tmp
openssl x509 -inform der -in cert.der -out cert.pem
9. Convert the key from PKCS#12 to PEM format:
openssl pkcs12 -in keys.p12 -out keys.pem -nodes
The -nodes option writes the private key to keys.pem unencrypted. Restrict access to keys.pem and keys.p12 to the administrator, and delete the copies in c:\tmp once the files are installed on the ICDES system.
10. Copy the converted certificate (cert.pem) and the key (keys.pem) files to the ICDES system in the following directory:
11. Before KMIP can be used, the certificate must be imported into SKLM. Log into SKLM, go to Advanced Configuration > Client Device Certificates
13. Enter a unique value for the certificate name. Click the Browse button to locate
14. Click “Allow the server to trust this certificate and communicate with the associated client device”, then click Import.
15. Log out of the SKLM application
8.4.3 SNMP Connectivity
Simple Network Management Protocol (SNMP) carries management messages between two systems on a network, enabling the aggregation and delivery of alerts to administrative system managers. The following spxconfig commands cover SNMP configuration and message direction:
spxconfig -snmp_username 'username'
spxconfig -snmp_password 'password'
spxconfig -snmp_ip '127.0.0.1'
spxconfig -snmp_port '512'
spxconfig -snmp_validate
spxconfig -snmp on
The values in single quotes are placeholders and do not correspond to any runnable value.
To disable SNMP, run: spxconfig -snmp off
The SNMP user credentials and account must be created on the SNMP server being connected to in order to provide the SNMP connection. The username, password and engine ID must match on both the SNMP server and ICDES server.
“Appendix II: IBM Cloud Data Encryption Services – Event Identifiers” shows a list of Event Identifiers for SNMP Message Sharing.
8.4.4 TPM Usage
The Trusted Platform Module (TPM) is a small hardware device available on most servers. If a TPM is installed and enabled on the server hosting ICDES, the following spxconfig options can be run from Windows PowerShell:
spxconfig -tpm
spxconfig -tpm 'on/off'
spxconfig -tpm_pass 'password'
spxconfig -validate_tpm
*The values in single quotes are placeholders and do not correspond to any valid value.
Windows Server 2008 and Windows Server 2012 have a built-in feature to administer a TPM.
A TPM cannot be used for the Master Key when ICDES runs in a guest OS on a VM.
8.5 Additional Administrative Procedures
For more on how to operate and manage ICDES, please refer to “Appendix I: Administrative Procedures”, which provides detailed descriptions of all the essential supported features and operations of ICDES.
9 Uninstallation
9.1 Uninstalling IBM Cloud Data Encryption Services
As an Administrator on the machine where ICDES is installed, ICDES can be removed via the Programs and Features list in the Control Panel, or by running the uninstall process from the command line.
Run the command msiexec /x <file path to installer file>, which will:
• Prompt for any protected directories to be decrypted
− If any directories are still encrypted, the uninstallation will not proceed
• Clean all processed files of OSR header information
• Remove ICDES software from the system
“Appendix I: Administrative Procedures” includes an example of performing a backup and recovery of an ICDES installation.
Attention
The uninstall process requires prior planning. The time needed to complete it varies with the amount of data that has been processed through ICDES and with the environment.
10 Frequently Asked Questions (FAQ)
The Frequently Asked Questions for ICDES are included with the product documentation and available on the support site:
Appendix I: Administrative Procedures
1. Determining Licensing Differences M:N
2. Prerequisite Checklist
3. Employ Logging
4. Using Backup and Recovery
5. Performing Daily Operation and Maintenance
6. Setting Operational Limits (memory and disk usage for journaling)
7. Viewing Protected Directories (stubs) for Filenames
8. Setting Disk Space Alert Thresholds
9. Rebuilding a Share
10. Adjusting Share Read Order
11. Taking a Share Offline/Online
12. Setting Up SNMP Traps
1 Determining Licensing Differences M:N
Goal:
To determine the right level of M:N, per the Model purchased, depending on the user’s requirements.
Triggers (to start this case):
1. Administrative user wants to evaluate ICDES software
2. Administrative user wants to make sure that the model for an already purchased license will match the M:N for which they will need to operate.
Pre-conditions: None
Main Success Scenario:
1. Compile the user’s requirements for systems and shares to be protected.
2. Compile the user’s requirements on shares to be involved in splitting.
3. Select the model as below:
Model SEC: Encryption with no fault tolerance
Model ADV: Encryption with High Availability (HA)
Model AMS: Encryption with Multi-Site Disaster Recovery (DR)
4. Determine whether to use data splitting plus encryption (Model SEC, ADV or AMS), per licensed system.
5. Determine the amount of High Availability needed, with an M:N of 2:3, 2:4, 3:4 or 4:6.
6. Determine the amount of Disaster Recovery needed, with an M:N of 2:6 or 3:8.
7. M:N is defined in the Overview as the number of shares (M) needed to restore the data, out of the total number of shares (N). For the Model, select the appropriate M:N, based on whether fault tolerance or high availability is needed.
M:N Model SEC: 1:1 or 4:4 (default 1:1)
M:N Model ADV: 2:3, 2:4, 3:4 or 4:6 (default 3:4)
M:N Model AMS: 2:6 or 3:8 (default 3:8)
For example, 3:4 means that 3 of the 4 shares are needed to reconstruct the data. If one share goes bad, that share is taken offline and the remaining system operates as normal while the administrator reconstructs the bad share. A second share failure before the rebuild completes leaves only 2 shares, and the data cannot be reconstructed until one of the failed shares is restored.
8. Determine the location of the primary and DR sites, and the number of server shares per license (N from the M:N above).
9. Determine and decide the M:N value.
10. Obtain the license that corresponds to Model SEC, ADV or AMS, where M:N is a possible value within the Model.
11. M:N is determined.
Supporting Information: None
Extension Scenarios: None
Expected Outcome (after case complete):
2 Prerequisite Checklist
This checklist is provided for convenience during installation of the product.
Key Management: Local, KMIP or TPM
License Key
M of N Configuration (M:N)
Share Location, Read Order, Encrypt Filename
3 Employ Logging
Goal:
To view and analyze logging and alerts for daily operation.
Triggers (to start this case):
The administrative user is required to analyze and view logs during normal daily operation.
Pre-conditions:
ICDES needs to be installed and operational.
Main Success Scenario:
1. The user needs the list of logs that are currently recording data during operation. The list is as follows:
• service
• alert
• gui
• restore
2. Do: spxlog -<logname>
3. Do: spxlog -<logname> -n #
The default display shows the last 20 lines of the selected log; adding -n # displays the last # lines.
4. Do: spxlog -<logname> -clear
Clears all entries from the log files; the command asks for confirmation.
Extension Scenarios: None
Expected Outcome (after case complete): View and manage ICDES log files.
4 Using Backup and Recovery
Goal:
To use backup solutions as a best practice to insure against data loss due to a catastrophic disruption while using ICDES.
Triggers (to start this case):
The need to recover data lost because of a catastrophic disruption or accidental deletion of a large percentage of data.
Pre-conditions:
ICDES installed, all the shares configured, and a backup and disaster recovery plan implemented.
Main Success Scenario: Backup
1. Periodically back up the ICDES workgroup keys and configuration. Do: spxbackup <destination path desired for backup>
The backup contains the workgroup keys, so protect it as strictly as the data itself: a copy in the wrong hands, together with M shares, is enough to reconstruct the data.
2. Perform a scheduled backup of at least M shares in accordance with your backup and disaster recovery plan.
Extension Scenarios: Restore
1a. Restore the configuration and keys to the new system. Do: spxreload <destination path of backup configuration>
2a. Perform a restore of the backed-up share data to the shares.
3a. Restore the protected directory stubs. Do: spxrestore -stub
4a. Restore the remaining shares, up to N. Do: spxrestore -all
Expected Outcome (after case complete): Data that has been lost is restored.
5 Performing Daily Operation and Maintenance
Goal:
To perform daily activities to ensure operation and reliability of protected data.
Triggers (to start this case):
The administrative user is required to perform daily tasks that ensure that protected data continues to be managed and safe.
Pre-conditions:
ICDES needs to be installed and operational. Shares need to be defined, and at least one directory (and its subdirectories) needs to be protected.
Main Success Scenario:
1. Do: spxinfo -l
• Displays a list of all protected directories.
2. Do: spxshare -share all
• Displays the status of all shares.
3. Do: spxshare -share [#] -status off
• Takes a share offline (share number referred to by #).
4. Do: spxshare -share [#] -status on
• Takes a share back online (share number referred to by #).
5. Do: spxlog -<logfilename>
• Displays the named log file (alert or restore, for example).
6. Do: spxbackup <destination path>
• Creates a backup of all data needed to start ICDES on another server.
7. Do: spxrestore -all
• Restores all stubs and shares, as ICDES recorded them during the protection of the affected directories.
Extension Scenarios:
7a. Do: spxrestore -share [#]
• Restores the stubs and only the share referred to by number.
Expected Outcome (after case complete):
6 Setting Operational Limits (memory and disk usage for journaling)
Goal:
To set disk and memory maximum limits for journaling, during daily operation.
Triggers (to start this case):
The administrative user is required to set the disk and memory limits for journaling.
Pre-conditions:
ICDES needs to be installed and operational.
Main Success Scenario:
1. The user determines the total amount of memory and disk space that can be afforded to ICDES, out of the total memory and disk space of the system. There are absolute limits that spxconfig will allow for the memory limit and the disk limit.
2. Do: spxconfig -print
A display will show the current configuration settings, such as the disk and memory limits.
3. Do: spxconfig -opmemlimit [# MB]
• The range for opmemlimit is 0 to 3. The limit range is determined by the server.
4. Do: spxconfig -opdisklimit [# GB]
• The range for opdisklimit is 0 to 16. The limit range is determined by the server.
5. The memory and disk limits restrict ICDES operation. Once the operational limits (memory and disk above) are reached, the remaining journal is written to disk.
Extension Scenarios: None
Expected Outcome (after case complete):
7 Viewing Protected Directories (stubs) for Filenames
Goal:
To walk through a protected directory in order to view the stubs for filenames processed by ICDES.
Triggers (to start this case):
The need to test and monitor protected directories (stubs) for filenames being processed.
Pre-conditions:
ICDES installed and the Model/License configured, with shares not yet set up.
Main Success Scenario:
1. Do: mkdir <protected_dir>
2. Do: spxenc -e <protected_dir>
3. Do: cd <protected_dir>
4. Do: echo "Hello There" > 1.txt
5. Do: spxlog -service
• Verify in the log file that 1.txt was processed.
6. Do: cd <path to share one>\<protected_dir>
7. Do: echo "" >> 1.txt
• 1.txt should be processed.
8. Do: cd <protected_dir>
9. Do: type 1.txt
• 1.txt should appear as "Hello There", reassembled. The stub appears as plain text, but the file space used is less than the file size. Double-check for stubs.
Extension Scenarios: None
Expected Outcome (after case complete):
8 Setting Disk Space Alert Thresholds
Goal:
To set thresholds for the alerts that warn of disk space conditions, in order of severity.
Triggers (to start this case):
The need to monitor and be alerted to the status of disk space where data has been processed.
Pre-conditions:
ICDES installed and all the shares are configured.
Main Success Scenario:
1. Do: spxconfig -informpct <% disk space threshold of least severity, to be informed about>
2. Do: spxconfig -warnpct <% disk space threshold of 2nd least severity, to be warned about>
3. Do: spxconfig -minorpct <% disk space threshold of 3rd least severity, to be warned about>
4. Do: spxconfig -majorpct <% disk space threshold of 2nd most severity, to be alerted about>
5. Do: spxconfig -criticalpct <% disk space threshold of most severity, to be alerted about>
(Appendix VI lists this last option as -critpct.)
Extension Scenarios: None
Expected Outcome (after case complete): Alert thresholds have been set for ICDES.
9 Rebuilding a Share
Goal:
To rebuild a share
Triggers (to start this case):
Rebuilding of shares after a share or shares have been taken offline.
Pre-conditions:
ICDES installed and all the shares configured.
Main Success Scenario:
1. Do: spxrestore -all
2. Do: spxshare -share all
Extension Scenarios:
Restore of stubs:
1a. Do: spxrestore -stub
Restore of a single share:
1b. Do: spxrestore -share [#]
Expected Outcome (after case complete): Shares and/or stubs have been rebuilt.
10 Adjusting Share Read Order
Goal:
To vary the read order of shares to optimize the performance of the overall system.
Triggers (to start this case):
The need to reorder the read order of shares from 1 to N for optimization of performance.
Pre-conditions:
ICDES installed and all the shares configured.
Main Success Scenario:
1. Do: spxconfig -share <share #> -readorder <order #>
2. Repeat the previous command until the N shares have unique read order values from 1 to N.
A change to the share read order requires a restart (see the Critical Note under the Share Maintenance screen); back up the configuration afterwards.
Extension Scenarios: None
Expected Outcome (after case complete): Modified read order of shares.
11 Taking a Share Offline/Online
Goal:
To take a share offline/online
Triggers (to start this case):
The necessary scheduled maintenance of a particular share.
Pre-conditions:
ICDES installed and all the shares are configured.
Main Success Scenario:
1. Do: spxshare -share <share number of your M of N configuration> -status off
Note the path of the share that you wish to take offline. While a share is offline the margin for further failures shrinks: in a 3:4 configuration no other share may be lost until the offline share is back.
2. Do: spxshare -share all
Extension Scenarios:
1a. Do: spxshare -share <share number of your M of N configuration> -status on
Supporting Information: None
Expected Outcome (after case complete): Bring a share offline/online and view the status.
12 Setting Up SNMP Traps
Goal:
Set up SNMP traps for ICDES.
Triggers (to start this case):
The need to set up messaging relating to the SNMP system.
Pre-conditions:
ICDES installed and all the shares are configured.
Main Success Scenario:
1. On the ICDES system run the following: Do: spxconfig -print
2. Find the “SNMP-Engine_ID:” string. The following is an example of the SNMP-Engine_ID (the value shown is a placeholder; a real engine ID is a string of hexadecimal octets, which is what the createUser -e option below expects):
SNMP-Engine_ID = 2f2k163684562t6eb6b67473
3. On the SNMP server create an snmptrap user:
Stop snmpd/snmptrapd:
Do: service snmpd stop
Do: service snmptrapd stop
Edit the snmptrapd configuration file:
vim /var/lib/net-snmp/snmptrapd.conf
4. Add the following to the file:
createUser -e <Engine ID String (SNMP-Engine_ID)> <username> <MD5/SHA> <password> <DES/AES> <des/aes password>
Example
createUser -e 2f2k163684562t6eb6b67473 tester1 MD5 testerpass DES extrapass
Prefer SHA and AES over MD5 and DES where the trap receiver supports them; both passphrases must be at least 8 characters long.
5. Start the snmpd/snmptrapd services back up:
Do: service snmpd start
Do: service snmptrapd start
6. On the ICDES GUI, under the Tools page, add the SNMP server information:
SNMP User = <user> Example: SNMP User = tester1
SNMP Password = <password> Example: SNMP Password = testerpass
SNMP IP Address = <SNMP Server IP Address> Example: SNMP IP Address = 172.0.16.111
SNMP Port = <SNMP Port> Example: SNMP Port = 162
7. Once the information is filled in, click on the “Validate Options” button. (You will be notified under the “SNMP Options” box whether it was successful or unsuccessful.)
8. Click on the “Submit” button to save your configuration.
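The helper below is an added example, not code from the ICDES guide or the product. It covers the SNMP steps of section 8.4.3 and of this case: it pulls the engine ID out of spxconfig -print output, checks it is something net-snmp's createUser -e will accept (hex octets; the placeholder printed in the guide would be rejected), enforces the 8-character USM passphrase minimum, and renders the snmptrapd.conf directive with SHA/AES instead of the MD5/DES of the example. The spxconfig -print sample is constructed and its "key = value" layout is an assumption drawn from the guide's own "SNMP-Engine_ID = ..." line; how ICDES conveys the privacy passphrase is not stated in the guide, so the Tools page mapping only covers the authentication passphrase as in the guide's example.

```python
"""Added example (not ICDES product code): prepare the snmptrapd.conf
createUser line for ICDES SNMPv3 traps and sanity-check the values."""
import re

# Constructed sample of spxconfig -print output (assumed "key = value" format).
# The engine ID is a made-up hexadecimal value.
SAMPLE_PRINT = """\
License-Key = XXXX-XXXX-XXXX
M:N = 3:4
SNMP-Engine_ID = 80001f888062b37a5f4c0d1e00000000
"""

_HEX = re.compile(r"^(0x)?[0-9a-fA-F]+$")


def parse_print(text):
    """Turn 'key = value' lines into a dict, ignoring anything else."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def valid_engine_id(eid):
    """net-snmp's createUser -e takes the engine ID as hex octets: an even
    number of hex digits, optional 0x prefix. The guide's placeholder
    contains 'k' and 't' and would be rejected by snmptrapd."""
    digits = eid[2:] if eid.lower().startswith("0x") else eid
    return bool(_HEX.match(eid)) and len(digits) % 2 == 0


def check_credentials(user, auth_pass, priv_pass):
    """Return a list of problems. USM passphrases shorter than 8 characters
    are refused by net-snmp, so catch that before restarting snmptrapd."""
    problems = []
    if not user:
        problems.append("empty SNMP user")
    for label, pw in (("auth", auth_pass), ("priv", priv_pass)):
        if len(pw) < 8:
            problems.append(f"{label} passphrase shorter than 8 characters")
    return problems


def createuser_line(eid, user, auth_pass, priv_pass, auth="SHA", priv="AES"):
    """Render the snmptrapd.conf directive bound to the ICDES engine ID.
    SHA/AES are chosen over the MD5/DES shown in the guide's example."""
    if not valid_engine_id(eid):
        raise ValueError(f"engine ID {eid!r} is not an even-length hex string")
    problems = check_credentials(user, auth_pass, priv_pass)
    if problems:
        raise ValueError("; ".join(problems))
    return f"createUser -e {eid} {user} {auth} {auth_pass} {priv} {priv_pass}"


def tools_page_values(user, auth_pass, ip, port=162):
    """The four SNMP Options fields. Following the guide's example, the
    single ICDES SNMP Password is the authentication passphrase."""
    if not 1 <= int(port) <= 65535:
        raise ValueError("SNMP port out of range")
    return {"SNMP User": user, "SNMP Password": auth_pass,
            "SNMP IP Address": ip, "SNMP Port": int(port)}


if __name__ == "__main__":
    eid = parse_print(SAMPLE_PRINT)["SNMP-Engine_ID"]
    print(createuser_line(eid, "tester1", "testerpass", "extrapass"))
    print(tools_page_values("tester1", "testerpass", "172.0.16.111"))
```

Run it on the real spxconfig -print output and paste the printed createUser line into /var/lib/net-snmp/snmptrapd.conf while snmptrapd is stopped; the user name and authentication passphrase then go into the Tools page exactly as printed.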
Extension Scenarios: None
Supporting Information: None
Expected Outcome (after case complete):
Appendix II: IBM Cloud Data Encryption Services - Event Identifiers
List of event identifiers: the following identifiers and descriptions are the alerts and notifications from ICDES.
10000 Notification test was run
10010 License key value invalid
10050 Port number invalid
10090 OpMemLimit greater than 50% of available memory
10100 OpMemLimit greater than system memory
10110 OpDiskLimit greater than 80% of local disk capacity
10160 Share ‘arg1’ readorder value ‘arg2’ invalid
10330 Not all share paths have been defined
10440 New license key value entered and validated
10470 Value cannot be changed after system is running
20020 Share # offline / online / rebuild / critical
40010 15 day trial period over, read only mode
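Several of these events are the product reporting a configuration that should never have been submitted. The following is an added example, not the product's own validation: a pre-submit lint that applies the constraints the guide states in Appendix I (cases 6, 8 and 10), this appendix and Appendix VI to a configuration before spxconfig -submit. The dictionary layout, the host sizes and the two sample configurations are constructed; the alert-threshold ordering check is an assumption (the guide orders the thresholds by severity but does not say they must increase).

```python
"""Added example (not ICDES product code): lint an ICDES configuration
against the rules the guide states, returning the event IDs it would trip."""

EVENTS = {
    10050: "Port number invalid",
    10090: "OpMemLimit greater than 50% of available memory",
    10100: "OpMemLimit greater than system memory",
    10110: "OpDiskLimit greater than 80% of local disk capacity",
    10160: "Share readorder value invalid",
    10330: "Not all share paths have been defined",
}

# Constructed 3:4 configuration that should pass every check.
GOOD_CONFIG = {
    "m:n": (3, 4),
    "shares": {
        1: {"path": r"\\nas1\icdes\s1", "readorder": 1},
        2: {"path": r"\\nas2\icdes\s2", "readorder": 2},
        3: {"path": r"\\nas3\icdes\s3", "readorder": 3},
        4: {"path": r"\\nas4\icdes\s4", "readorder": 4},
    },
    "guiport": 8443, "portnum1": 9000, "portnum2": 9001,
    "opmemlimit": 512,      # MB
    "opdisklimit": 4,       # GB
    "informpct": 70, "warnpct": 80, "minorpct": 85, "majorpct": 90, "critpct": 95,
}

# The same configuration with several mistakes an operator could make.
BAD_CONFIG = {
    **GOOD_CONFIG,
    "shares": {
        1: {"path": r"\\nas1\icdes\s1", "readorder": 1},
        2: {"path": r"\\nas2\icdes\s2", "readorder": 1},   # duplicate order
        4: {"path": r"\\nas4\icdes\s4", "readorder": 3},   # share 3 missing
    },
    "guiport": 70000,
    "opmemlimit": 6000,
    "opdisklimit": 90,
}


def lint(cfg, host_mem_mb, host_disk_gb):
    """Return (event id or None, message) pairs for every violated rule."""
    findings = []
    _, n = cfg["m:n"]
    shares = cfg.get("shares", {})
    # Every share 1..N needs a path (event 10330).
    if any(not shares.get(i, {}).get("path") for i in range(1, n + 1)):
        findings.append((10330, EVENTS[10330]))
    # Read orders must be exactly the values 1..N, each used once (event 10160).
    orders = [shares[i]["readorder"] for i in range(1, n + 1)
              if i in shares and "readorder" in shares[i]]
    if sorted(orders) != list(range(1, n + 1)):
        findings.append((10160, EVENTS[10160]))
    # Ports must be valid TCP port numbers (event 10050).
    for key in ("guiport", "portnum1", "portnum2"):
        port = cfg.get(key)
        if port is not None and not 1 <= port <= 65535:
            findings.append((10050, f"{EVENTS[10050]} ({key}={port})"))
    # Journaling limits relative to the host (events 10090, 10100, 10110).
    mem = cfg.get("opmemlimit", 0)
    if mem > host_mem_mb:
        findings.append((10100, EVENTS[10100]))
    elif mem > host_mem_mb / 2:
        findings.append((10090, EVENTS[10090]))
    if cfg.get("opdisklimit", 0) > host_disk_gb * 0.8:
        findings.append((10110, EVENTS[10110]))
    # Assumption: thresholds rise with severity and stay within 1..100.
    pcts = [cfg.get(k) for k in ("informpct", "warnpct", "minorpct", "majorpct", "critpct")]
    if (any(p is None for p in pcts) or pcts != sorted(pcts)
            or len(set(pcts)) != len(pcts) or not 0 < pcts[-1] <= 100):
        findings.append((None, "alert thresholds must rise with severity and stay within 1..100"))
    return findings


def lint_ids(cfg, host_mem_mb, host_disk_gb):
    """Sorted list of the guide's event identifiers the config would trigger."""
    return sorted(i for i, _ in lint(cfg, host_mem_mb, host_disk_gb) if i is not None)


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, lint(cfg, host_mem_mb=8192, host_disk_gb=100))
```

On an 8 GB host with 100 GB of local disk the good configuration yields no findings, while the bad one reports 10050, 10090, 10110, 10160 and 10330 before anything is submitted.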
Appendix III: IBM Cloud Data Encryption Services - Modes of Operation Matrix
Columns: TYPE | ENCRYPTION | SPLITTING | M-N Relation | FAULT TOLERANCE | PRESETS | DEFAULT | SITE
M = N | Encryption | Random Splitting | M = N | Possible with RAID | 1 of 1, 4 of 4 | 1 of 1 | Building
High Availability | Encryption | Random Splitting | M >= N/2 | N-M failures allowable at the same site | 2 of 3, 2 of 4, 3 of 4, 4 of 6 | 3 of 4 | Campus
Disaster Recovery | Encryption | Random Splitting | M < N/2 | M = (N/2) - 1 shares are needed to sustain data. One failure at each site and/or a failure of the entire other site; can sustain up to N-M failures at the same site if the other site is still up | 2 of 6, 3 of 8, 4 of 10* | 3 of 8 | Multi-Campus
*Future item
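The matrix and Appendix I case 1 both come down to one rule: the data survives as long as at least M of the N shares remain. The following added example (not code from the ICDES guide or product) encodes that rule, reproduces the model classes from the M versus N/2 relation, and checks the presets listed in the guide against it. The two-site layout used for the disaster-recovery check (half the shares per site) is an assumption; the guide only says "one failure at each site".

```python
"""Added example (not ICDES product code): M:N share arithmetic behind the
Modes of Operation matrix and the licensing case in Appendix I."""

# Presets per model as listed in Appendix I case 1 and Appendix V.
PRESETS = {
    "SEC": [(1, 1), (4, 4)],
    "ADV": [(2, 3), (2, 4), (3, 4), (4, 6)],
    "AMS": [(2, 6), (3, 8)],
}


def classify(m, n):
    """Model class implied by the Appendix III M-N relation."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    if m == n:
        return "SEC"      # M = N: no share may be lost (RAID underneath for tolerance)
    if 2 * m >= n:
        return "ADV"      # M >= N/2: high availability within one site
    return "AMS"          # M < N/2: survives the loss of a whole site


def max_failures(m, n):
    """Shares that may be lost anywhere before the data is unreadable."""
    return n - m


def survives(m, n, failed):
    """True if the data can still be reconstructed with `failed` offline."""
    failed = set(failed)
    if any(not 1 <= s <= n for s in failed):
        raise ValueError("share number outside 1..N")
    return n - len(failed) >= m


def spare_after_site_loss(m, n):
    """Two-site layout with N/2 shares per site (assumed). Returns how many
    further shares the surviving site can lose after the other site is
    gone; a negative value means losing a site is fatal (HA, not DR)."""
    if n % 2:
        raise ValueError("even N assumed for two equal sites")
    return n // 2 - m


def presets_consistent():
    """Every preset in the guide should classify into the model that lists it."""
    return all(classify(m, n) == model
               for model, pairs in PRESETS.items() for m, n in pairs)


if __name__ == "__main__":
    for model, pairs in PRESETS.items():
        for m, n in pairs:
            print(f"{m}:{n} {model} tolerates {max_failures(m, n)} share failures")
    # 3:4 (ADV): one bad share is fine, a second one before the rebuild is not.
    print(survives(3, 4, [2]), survives(3, 4, [2, 4]))
    # 3:8 (AMS): lose one site (4 shares) and still one more share elsewhere.
    print(spare_after_site_loss(3, 8))
```

The same function explains why 2:4 sits in the HA column rather than DR: with M exactly N/2, the loss of one whole site leaves M shares and no margin at all, whereas 2:6 and 3:8 keep one spare share at the surviving site.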
Appendix IV: IBM Cloud Data Encryption Services - Model Space Used Percentages
Model | M:N | %/share | %/total
SEC | 1 of 1 | 102% | 102%
SEC | 4 of 4 | 27% | 107%
ADV | 2 of 3 | 52% | 156%
ADV | 2 of 4 | 52% | 208%
ADV | 3 of 4 | 35% | 141%
ADV | 4 of 6 | 27% | 161%
AMS | 2 of 6 | 52% | 312%
AMS | 3 of 8 | 35% | 282%
% represents the percentage of the original data space used.
The M of N values represent M shares needed for restore, out of N shares total. Multiplying the “%/share” value by N gives the “%/total” value (each share holds roughly 1/M of the data plus a few percent of overhead, so total space grows with N/M). Deterministic splitting and/or encryption may affect the %/total slightly.
Appendix V: IBM Cloud Data Encryption Services - Model Presets
MODEL SEC CONFIGURATIONS
Config 1 of 1 STEPS
spxconfig -l <Model SEC License>
spxconfig -m:n 1:1
spxconfig -share 1 -path <path to share 1>
spxconfig -submit
spxconfig -print
Config 4 of 4 STEPS
spxconfig -l <Model SEC License>
spxconfig -m:n 4:4
spxconfig -share 1 -path <path to share 1>
spxconfig -share 2 -path <path to share 2>
spxconfig -share 3 -path <path to share 3>
spxconfig -share 4 -path <path to share 4>
spxconfig -submit
MODEL ADV CONFIGURATIONS
Config 2 of 3 STEPS
spxconfig -l <Model ADV License>
spxconfig -m:n 2:3
spxconfig -share 1 -path <path to share 1>
spxconfig -share 2 -path <path to share 2>
spxconfig -share 3 -path <path to share 3>
spxconfig -submit
spxconfig -print
Config 2 of 4 STEPS
spxconfig -l <Model ADV License>
spxconfig -m:n 2:4
spxconfig -share 1 -path <path to share 1>
spxconfig -share 2 -path <path to share 2>
spxconfig -share 3 -path <path to share 3>
spxconfig -share 4 -path <path to share 4>
spxconfig -submit
spxconfig -print
Config 3 of 4 STEPS
spxconfig -l <Model ADV License>
spxconfig -m:n 3:4
spxconfig -share 1 -path <path to share 1>
spxconfig -share 2 -path <path to share 2>
spxconfig -share 3 -path <path to share 3>
spxconfig -share 4 -path <path to share 4>
spxconfig -submit
spxconfig -print
Config 4 of 6 STEPS
spxconfig -l <Model ADV License>
spxconfig -m:n 4:6
spxconfig -share 1 -path <path to share 1>
spxconfig -share 2 -path <path to share 2>
spxconfig -share 3 -path <path to share 3>
spxconfig -share 4 -path <path to share 4>
spxconfig -share 5 -path <path to share 5>
spxconfig -share 6 -path <path to share 6>
spxconfig -submit
MODEL AMS CONFIGURATIONS
Config 2 of 6 STEPS
spxconfig -l <Model AMS License>
spxconfig -m:n 2:6
spxconfig -share 1 -path <path to share 1>
spxconfig -share 2 -path <path to share 2>
spxconfig -share 3 -path <path to share 3>
spxconfig -share 4 -path <path to share 4>
spxconfig -share 5 -path <path to share 5>
spxconfig -share 6 -path <path to share 6>
spxconfig -submit
spxconfig -print
Config 3 of 8 STEPS
spxconfig -l <Model AMS License>
spxconfig -m:n 3:8
spxconfig -share 1 -path <path to share 1>
spxconfig -share 2 -path <path to share 2>
spxconfig -share 3 -path <path to share 3>
spxconfig -share 4 -path <path to share 4>
spxconfig -share 5 -path <path to share 5>
spxconfig -share 6 -path <path to share 6>
spxconfig -share 7 -path <path to share 7>
spxconfig -share 8 -path <path to share 8>
spxconfig -submit
Appendix VI: IBM Cloud Data Encryption Services - Commands
Command: spxconfig
Option [supporting option]: effective result
-submit: Finalizes the configuration and starts up ICDES.
-save: Saves the configuration over the current running configuration (restart required to take effect).
-revert: Discards all configuration changes not saved.
-l [empty]: Sets the trial license.
-l #: Sets the license key.
-m:n [m:n]: Sets the M of N configuration.
-guiurl [URL]: Sets the GUI URL.
-guiport [PORT]: Sets the GUI port.
-opmemlimit [value]: Value is the number of MB of memory that will be used for journaling. Value must be an integer between 0 and available memory.
-opdisklimit [value]: Value is the number of GB of disk space used for journaling. Value must be an integer between 0 and available local disk space.
-portnum1 [port #]: The [port #] is the port that will be used by the browser-based GUI to communicate with the command line functions.
-portnum2 [port #]: Sets port number 2.
-informpct #: Sets the Inform alert to the input percentage.
-warnpct #: Sets the Warn alert to the input percentage.
-minorpct #: Sets the Minor alert to the input percentage.
-majorpct #: Sets the Major alert to the input percentage.
-critpct #: Sets the Critical alert to the input percentage.