Dell EMC CloudLink Version 6.7

Deployment Guide for VxFlex OS

302-002-836 REV 08

Copyright © 2014-2018 Dell Inc. or its subsidiaries. All rights reserved.

Published June 2018

Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS-IS.” DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.

Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners. Published in the USA.

Dell EMC Hopkinton, Massachusetts 01748-9103 1-508-435-1000 In North America 1-866-464-7381 www.DellEMC.com

CONTENTS

Chapter 1 Introduction
    About this document
    Related documents
    CloudLink overview

Chapter 2 Deployment Considerations
    CloudLink components
    CloudLink Center server address
    Requirements for CloudLink Center server addresses in clusters
    Encryption keys
    Key release policies
    Machine groups
    Encryption key location and protector options
    Key location access control and backup recommendations
    CloudLink Vault
    Machine IP addresses
    CloudLink Center clusters
    Deployment scenario
    Deployment workflow
    System requirements
    CloudLink Center requirements
    Machine requirements

Chapter 3 Deploying and Configuring CloudLink Center
    Overview
    Deploying CloudLink Center for VMware vSphere
    Deploying the CloudLink Center OVF template

Chapter 4 Preparing to Deploy CloudLink Agent
    Overview
    Access CloudLink Center
    Initial server configuration considerations
    Configuring the CloudLink Center server
    Configure machine groups and device encryption policy

Chapter 5 Deploying CloudLink Agent to Machines
    Overview
    Managing self-encrypting drives
    Standard CloudLink Agent deployment
    Downloading CloudLink Agent installer
    Running the installer
    Custom CloudLink Agent deployment for Linux
    Downloading the CloudLink Agent deployment package for Linux
    Installing the CloudLink Agent deployment package
    Configuring CloudLink Agent
    Verifying deployment
    Verifying CloudLink Agent deployment on Linux machines
    Refreshing the CloudLink Agent service on Linux machines
    Uninstalling CloudLink Agent
    Uninstalling CloudLink Agent on a Linux machine

Chapter 6 Using the CloudLink Center Update Menu
    Overview
    Connecting to the CloudLink Center console
    Update Menu options

Chapter 7 Using VxFlex OS devices
    Overview
    Requirements to encrypt VxFlex OS devices
    Encrypt a new VxFlex OS device
    Encrypt an existing VxFlex OS device

CHAPTER 1 Introduction

This chapter presents the following topics:

• About this document
• Related documents
• CloudLink overview


About this document

This guide describes how to deploy and configure Dell EMC CloudLink for VxFlex OS. It is intended for IT administrators who are responsible for the deployment and maintenance of machines in the CloudLink Center environment, but not necessarily for the security of data on those machines.

Related documents

The following Dell EMC publications provide additional information:

• CloudLink Administration Guide for VxFlex OS
• CloudLink Release Notes for VxFlex OS

CloudLink overview

Enterprises have many reasons for encrypting their data, from addressing regulatory compliance to protecting against theft of customer data and sensitive intellectual property. CloudLink offers significant benefits for environments that use Dell EMC VxFlex OS resources. VxFlex OS is a software-defined solution that allows you to transform direct-attached storage (DAS) on existing hardware into shared block storage. It offers considerable scalability and extreme performance with flexible and elastic storage capacity and nodes. CloudLink provides software-based Data at Rest Encryption (DARE) for VxFlex OS Storage Data Servers (SDS) that is completely transparent to the features and operation of the VxFlex OS solution. It uses dm-crypt, a native Linux encryption package, to secure SDS devices. A proven high-performance volume encryption solution, dm-crypt is widely implemented for Linux machines. CloudLink encrypts the SDS devices with unique keys that are controlled by enterprise security administrators. CloudLink Center provides centralized, policy-based management for these keys, enabling single-screen security monitoring and management across one or more VxFlex OS deployments.

CHAPTER 2 Deployment Considerations

This chapter presents the following topics:

• CloudLink components
• CloudLink Center server address
• Encryption keys
• Key release policies
• Machine groups
• Encryption key location and protector options
• CloudLink Vault
• Machine IP addresses
• CloudLink Center clusters
• Deployment scenario
• Deployment workflow
• System requirements


CloudLink components

CloudLink consists of:

• CloudLink Center—The web-based interface for CloudLink that is used to manage machines that belong to the CloudLink environment (those machines on which CloudLink Agent has been installed). CloudLink Center communicates with machines over Transport Layer Security (TLS). It manages the encryption keys used to secure the devices for the machines, configures the security policies, monitors the security and operation events, and collects logs.
• CloudLink Agent—The agent that runs on individual machines. It communicates with CloudLink Center for pre-startup authorization and decryption of dm-crypt encryption keys.

CloudLink Center is packaged as a virtual appliance that can be deployed in the enterprise on VMware ESXi. Download CloudLink Agent from CloudLink Center.

CloudLink Center server address

You use the CloudLink Center server address frequently. For example, you provide the address in the URL used to access the CloudLink Center user interface and in commands used to download installation files. You can specify the CloudLink Center server address in one of the following formats:

IP address (default)
    Ensure that a static IP address is used.

Hostname
    If the Domain Name System (DNS) has an entry for CloudLink Center, Dell EMC recommends that you specify the CloudLink Center server address as a hostname (in fully qualified domain name (FQDN) format, such as clc.example.com).

For more information, see CloudLink Administration Guide for VxFlex OS.

Requirements for CloudLink Center server addresses in clusters

In a CloudLink Center cluster, servers and CloudLink Agents use the CloudLink Center server address for communication. You define this address, referred to as the Server Name/Address, when deploying a new server. You can use either the IP address or hostname (FQDN format). Ensure that you specify the server address using the preferred format for each CloudLink Center server before creating the cluster. You can use a mix of FQDNs and IP addresses in a cluster, but you cannot change the server address format after creating a cluster.

Encryption keys

CloudLink uses the following types of encryption keys to secure machines:

• A device/volume key encryption key (VKEK) pair that is generated by CloudLink. CloudLink generates a VKEK for each device.
• A device encryption key that is used by native technologies in the machine’s operating system. A unique device encryption key is generated for each encrypted device.

These keys are stored in the CloudLink Center keystore. For more information, see Encryption key location and protector options on page 10.

Device encryption keys secure the encrypted devices. The VKEK key pair protects the device encryption keys:

• When CloudLink Center receives a request from CloudLink Agent to encrypt a device on its machine, CloudLink Center generates a new VKEK in the current keystore and uses it to encrypt the device encryption key.

You must understand the difference between the types of encryption keys used to secure machines. Because device encryption keys are created and managed by native technologies in machines’ operating systems, CloudLink documentation does not discuss keys in detail. Unless specified otherwise, the terms encryption keys and keys in this documentation refer to VKEKs.

Key release policies

Before CloudLink Center automatically releases keys, a machine must:

• Meet key release policies
• Use an IP address that belongs to an approved network
• Belong to an approved location
• Not have been previously removed

Key release policies may be required to allow:

• A machine to boot as part of the pre-startup authorization process
• Access to encrypted devices

If a machine does not meet the policies, CloudLink Center puts the machine in the pending state. You must manually choose whether to allow the key release.

Key release policies are set for a machine group. For more information, see Machine groups on page 9.

The following key release policies are available.

IP Change
    Determines whether CloudLink Center allows keys to be released when a machine starts up with an IP address that is different from the one recorded in the CloudLink Center .

Machine Clone
    Determines whether CloudLink Center allows a cloned machine to boot automatically.

You can change these key release policies. For more details and information about approved networks, moved devices, cloned machines, and the pending state, see CloudLink Administration Guide for VxFlex OS.

Machine groups

You can organize machines into groups for administrative or operational purposes. For example, you might group machines for your finance department and apply a device encryption policy that requires encryption of all devices. Each machine group might have a different administrator.

Each machine must belong to a machine group. A machine is assigned to a machine group during deployment. If you do not specify a group during deployment, the machine is assigned to the built-in machine group named Default. You can change the machine group that a machine belongs to after deployment.

All machines in a group use the same:

• Key release policies that determine when CloudLink Center automatically releases keys to a machine. For more information, see Key release policies on page 9.
• Keystore where encryption keys are stored. For more information, see Encryption key location and protector options on page 10.
• Only users belonging to a managing role for a machine group can view, make changes, and perform operations on the machines belonging to it.
• Approved networks, which are network locations that allow automatic start up for machines in a machine group.
• Approved location used to verify that a machine is in the correct place.
• Key lifetime that determines how frequently and at what intervals CloudLink Center updates encryption keys for machines in the group.
• New machine detection policy. If a new machine that has an approved IP address is added to CloudLink Center, you can choose to allow it to automatically register with CloudLink Center (default) or to require manual approval.
• CloudLink Agent upgrade policy, which determines whether CloudLink Agents are upgraded when CloudLink Center is upgraded, or if CloudLink Agents are upgraded individually.

For information about machine groups, device encryption policy, managing roles, approved networks, and key lifetimes, see CloudLink Administration Guide for VxFlex OS.

Encryption key location and protector options

CloudLink supports a variety of encryption key location and protection options.

Keystores

The term keystore refers to the combination of a key location and a key protector. Encryption keys are stored in a key location and are encrypted, or protected, by a key protector. The following figure shows the relationship between encryption keys, key locations, and key protectors.


Figure 1 Keystore diagram

Key locations

CloudLink Center supports several options for the key location used to store encryption keys:

Local Database
    An internal key location.

Microsoft Active Directory
    An external key location.

Amazon S3
    An external key location. You must have an Amazon Web Services (AWS) account to use this location.

S3-compatible bucket
    An external S3-compatible key location.

Key protectors

CloudLink Center supports several options for encryption key protectors.

Note

The type of available key protector depends on the selected key location.

CloudLink Vault
    An internal key protector.

SafeNet LunaSA
    An external key protector using a hardware security module (HSM) for protection.

Microsoft Azure or Azure Stack Key Vault
    An external key protector using an Azure or Azure Stack Key Vault for protection.

KMIP server
    An external key protector using a Key Management Interoperability Protocol (KMIP) server for protection.

Password
    The encryption key is protected with a password.


Key location access control and backup recommendations

You are responsible for your encryption keys and for ensuring that the appropriate access control and backup policies and procedures are in place to protect the keys against loss or theft. If your keys become unavailable, you cannot access any data that was encrypted using those keys. CloudLink Center backups are critical for restoring CloudLink Center. It is important to have a backup of CloudLink Center so that you can deploy a new server and restore CloudLink Center. If you are using the local database, device encryption keys are stored in CloudLink Center. Backups are the only method of restoring keys so that you can access encrypted data. For information about VKEKs and device encryption keys, see CloudLink Administration Guide for VxFlex OS. The following table identifies which key protectors are available for each type of key location.

Table 1 Key location and key protector options

| Key protectors | Local database key location | Microsoft Active Directory key location | Amazon S3 key location | S3-compatible bucket key location |
|---|---|---|---|---|
| CloudLink Vault | Yes | Not allowed | Not allowed | Not allowed |
| SafeNet LunaSA | Yes | | | |
| Microsoft Azure or Azure Stack Key Vault | Yes | | | |
| KMIP key manager | Yes | Yes | Yes | Yes |
| Password | Not allowed | Yes | Yes | Yes |

Note

Ensure that you meet all prerequisites for restoring CloudLink Center from backup, otherwise you cannot access encrypted data after restoring from a backup file.

For more information about CloudLink Center backups and restoring from a backup file, see CloudLink Administration Guide for VxFlex OS.

CloudLink Vault

CloudLink Center includes an encrypted container, CloudLink Vault, which is created during the deployment and configuration of CloudLink. CloudLink Vault:

• Encrypts credentials used to access remote resources. For example, CloudLink Vault stores credentials required to access FTP or SFTP servers or external keystores.
• Provides an initial, internal key protector

You can continue to use this initial CloudLink Vault as the keystore or configure a different key protector. When used as the key protector, CloudLink Vault encrypts device key encryption keys (VKEKs). For more information, see the CloudLink Administration Guide for VxFlex OS.

When a CloudLink Center server restarts, it must unlock CloudLink Vault before CloudLink Center can authorize machine operations, ensuring that a stolen copy of CloudLink Vault or the disk on which it is stored does not contain any unprotected secrets or encryption keys.

You can configure CloudLink Vault to open:

• Manually by providing a passcode. When configuring CloudLink Vault, you specify up to three passcodes. Only one passcode is required to open the vault.
• Automatically by using a server-specific key.

Note

During CloudLink Center initial configuration, the default vault unlock mode is automatic. You can choose to set the CloudLink Vault to unlock manually.

Machine IP addresses

In some circumstances, the IP address of a machine under CloudLink Center management might change, such as when a Dynamic Host Configuration Protocol (DHCP) server assigns IP addresses. When a machine starts up with a changed IP address, CloudLink Center might put the machine in the pending state. Before startup can continue, you must manually accept the machine. For more information about accepting machines in the pending state, see the CloudLink Administration Guide for VxFlex OS. To avoid the need to manually accept machines in the pending state because of changed IP addresses, you can change the key release policies for the machine group to allow CloudLink Center to release keys to machines starting up with changed IP addresses. See Key release policies on page 9 for more information.
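A simplified model of the release conditions listed under Key release policies and of the changed-IP case described above, as an added example that is not CloudLink code: it shows which machines would land in the pending state after a DHCP renumbering under two machine group settings. The class and field names, the sample addresses, and the treatment of every unmet condition as "pending" are assumptions of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class MachineGroup:
    # Hypothetical field names; the two policies are the ones named in the guide.
    approved_networks: list          # CIDR strings for the group's approved networks
    allow_ip_change: bool            # "IP Change" key release policy
    allow_clone: bool                # "Machine Clone" key release policy


@dataclass
class Machine:
    name: str
    recorded_ip: str                 # address CloudLink Center has on record
    current_ip: str                  # address the machine starts up with
    in_approved_location: bool = True
    is_clone: bool = False
    previously_removed: bool = False


def blockers(machine, group):
    """Return the reasons automatic key release would be withheld."""
    reasons = []
    addr = ip_address(machine.current_ip)
    if not any(addr in ip_network(net) for net in group.approved_networks):
        reasons.append("IP address not in an approved network")
    if not machine.in_approved_location:
        reasons.append("not in an approved location")
    if machine.previously_removed:
        reasons.append("machine was previously removed")
    if addr != ip_address(machine.recorded_ip) and not group.allow_ip_change:
        reasons.append("IP changed and IP Change policy does not allow release")
    if machine.is_clone and not group.allow_clone:
        reasons.append("cloned machine and Machine Clone policy does not allow release")
    return reasons


def evaluate(machine, group):
    """Return ('release', []) when every condition holds, else ('pending', reasons)."""
    found = blockers(machine, group)
    return ("pending", found) if found else ("release", [])


def pending_after_renumbering(machines, group):
    """Names of machines an administrator would have to accept manually."""
    return [m.name for m in machines if evaluate(m, group)[0] == "pending"]


# Constructed sample data: one approved subnet and a fleet after a DHCP lease change.
STRICT = MachineGroup(["10.20.0.0/24"], allow_ip_change=False, allow_clone=False)
RELAXED = MachineGroup(["10.20.0.0/24"], allow_ip_change=True, allow_clone=False)
FLEET = [
    Machine("sds-01", "10.20.0.11", "10.20.0.11"),
    Machine("sds-02", "10.20.0.12", "10.20.0.57"),    # new lease, same subnet
    Machine("sds-03", "10.20.0.13", "192.168.5.13"),  # outside the approved network
    Machine("sds-04", "10.20.0.14", "10.20.0.14", is_clone=True),
]

if __name__ == "__main__":
    for label, group in (("strict", STRICT), ("relaxed", RELAXED)):
        print(label, pending_after_renumbering(FLEET, group))
```

In this model, allowing IP changes clears only the machine that stayed inside an approved network; the machine that moved outside it still needs manual acceptance.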

CloudLink Center clusters

A CloudLink Center cluster provides for high availability if one CloudLink Center server in the cluster becomes unavailable, whether due to planned maintenance or an unexpected issue. A CloudLink Center cluster consists of up to four CloudLink Center servers, where each server is active at all times. There is no master server. The agents can be actively connected to any server in the cluster. CloudLink Center replicates configuration information between all servers in a cluster. This replication means that all servers contain the same critical configuration information:

• CloudLink licenses
• Volume encryption policy
• User accounts
• Manual passcodes for unlocking CloudLink Vault
• Actions
• Alarms
• Security events

Data from external resources, such as key locations, key protectors, and key management servers, are not replicated.

For information about creating a CloudLink Center server cluster, see the CloudLink Administration Guide for VxFlex OS.

Deployment scenario

CloudLink can be deployed to support a variety of VxFlex OS environments, as illustrated in the figure below. The CloudLink Agent can be deployed on physical and virtual Linux VxFlex OS Storage Data Servers (SDSs) and supports fully converged, two-layer, and mixed configurations. CloudLink Center must be accessible by all encrypted SDSs.

Figure 2 CloudLink deployment scenario

Deployment workflow

The CloudLink workflow is as follows:

1. Deploy CloudLink Center, as described in Deploying and Configuring CloudLink Center on page 17.
2. Prepare to deploy CloudLink Agent to machines, as described in Preparing to Deploy CloudLink Agent on page 21.
3. Deploy CloudLink Agent to machines, as described in Deploying CloudLink Agent to Machines on page 25.

Encryption (if any) based on the selected device encryption policy for the machine group begins automatically after you deploy CloudLink Agent to machines. For more information about the device encryption policy, see CloudLink Administration Guide for VxFlex OS.

System requirements

This section describes the system requirements for CloudLink Center and for the machines to which CloudLink Agent will be deployed. You must meet these requirements before deployment.

CloudLink Center requirements

The CloudLink Center system requirements are:

• For VMware deployments:
  ▪ vSphere 5.1 or later
• 2 vCPU for up to 500 machines or 4 vCPU for 500 or more machines
• 6 GB vRAM
• Web browser—Google Chrome 38 or higher or Mozilla Firefox 28 or higher. TLS 1.2 must be enabled in your browser settings to connect to CloudLink Center. Some web browsers (such as Google Chrome 64 or higher and Mozilla Firefox 58 or higher) enable this option by default.

The following table lists the network ports used by CloudLink for various services.

Table 2 CloudLink network ports

Port TCP UDP Service

Incoming

80 Yes CloudLink Agent download and cluster communication

443 Yes CloudLink Center web access and cluster communication

1194 Yes Yes CloudLink Agent communication

5696 Yes Key Management Interoperability Protocol (KMIP)

Outgoing

123 Yes Network Time Protocol (NTP)

443 Yes External keystores other than Microsoft Active Directory

514 Yes Syslog
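One way to check a firewall in front of CloudLink Center against the incoming rows of Table 2, as an added example that is not part of the Dell EMC guide: it parses iptables-save ACCEPT rules and reports required ports that are not opened and opened ports that the table does not list. The ruleset and addresses are constructed, and reading the single "Yes" on the 80, 443 and 5696 rows as TCP is an assumption.

```python
import shlex
from ipaddress import ip_address, ip_network

# Incoming rows of Table 2. Assumption: the single "Yes" on the 80, 443 and
# 5696 rows sits in the TCP column (HTTP, HTTPS and KMIP run over TCP).
REQUIRED_INCOMING = {
    ("tcp", 80), ("tcp", 443), ("tcp", 1194), ("udp", 1194), ("tcp", 5696),
}


def parse_accept_rule(line):
    """Return (dest_network, proto, [(lo, hi), ...]) for an ACCEPT rule, else None.

    Handles -d, -p, --dport N[:M] and multiport --dports. Negation ("!") and
    source filters are not interpreted, so review such rules by hand.
    """
    tok = shlex.split(line)
    if len(tok) < 2 or tok[0] != "-A":
        return None
    opts = {}
    for i, t in enumerate(tok[:-1]):
        if t in ("-d", "-p", "--dport", "--dports", "-j"):
            opts[t] = tok[i + 1]
    if opts.get("-j") != "ACCEPT":
        return None
    dest = ip_network(opts.get("-d", "0.0.0.0/0"), strict=False)
    # A rule with no port match accepts every port of the protocol.
    spec = opts.get("--dport") or opts.get("--dports") or "0:65535"
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return dest, opts.get("-p", "all"), ranges


def audit(ruleset, clc_ip):
    """Compare ACCEPT rules that reach clc_ip with the Table 2 incoming ports."""
    addr = ip_address(clc_ip)
    opened = []  # (proto, lo, hi) for every range allowed toward clc_ip
    for line in ruleset.splitlines():
        rule = parse_accept_rule(line.strip())
        if rule and addr in rule[0]:
            opened += [(rule[1], lo, hi) for lo, hi in rule[2]]

    def allowed(proto, port):
        return any(p in (proto, "all") and lo <= port <= hi for p, lo, hi in opened)

    def needed_in(proto, lo, hi):
        return sum(1 for p, port in REQUIRED_INCOMING if p == proto and lo <= port <= hi)

    missing = sorted(s for s in REQUIRED_INCOMING if not allowed(*s))
    # A range is "unlisted" when it opens at least one port that Table 2 does not name.
    unlisted = sorted(
        (p, lo, hi) for p, lo, hi in opened
        if p == "all" or needed_in(p, lo, hi) < hi - lo + 1
    )
    return {"missing": missing, "unlisted": unlisted}


# Constructed iptables-save excerpt; 10.20.0.5 is a made-up CloudLink Center address.
SAMPLE_RULES = """\
*filter
-A FORWARD -d 10.20.0.5/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -d 10.20.0.5/32 -p tcp -m multiport --dports 80,5696 -j ACCEPT
-A FORWARD -d 10.20.0.5/32 -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -d 10.20.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 10.30.0.9/32 -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    print(audit(SAMPLE_RULES, "10.20.0.5"))
```

"Unlisted" means only that Table 2 does not name the port; the check covers the Incoming rows and leaves the Outgoing rows aside.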


Machine requirements

For information about currently supported platforms, see CloudLink Release Notes for VxFlex OS.

CHAPTER 3 Deploying and Configuring CloudLink Center

This chapter presents the following topics:

• Overview
• Deploying CloudLink Center for VMware vSphere


Overview

This chapter provides instructions for deploying and configuring CloudLink Center on VMware vSphere. Before deploying CloudLink Center, ensure that you are familiar with all the deployment considerations, including system requirements. For more information, see Deployment Considerations on page 7.

Deploying CloudLink Center for VMware vSphere

CloudLink uses one interface to enable CloudLink Center to communicate with the CloudLink Agent that is installed on individual machines. This interface is supported through a virtual network interface that is included in the Open Virtualization Format (OVF) template used to deploy CloudLink Center. The interface is configured when you first log in to CloudLink Center.

Deploying the CloudLink Center OVF template

Before you begin

This procedure assumes that you have obtained the CloudLink Center Open Virtualization Format (OVF) template used for deployment.

Procedure

1. From vSphere Client, select File > Deploy OVF Template.
2. From the Deploy OVF Template window, go to the template folder, select the CloudLink Center template, and click Next.
3. Verify that the OVF template details are correct and click Next.
4. Type a name, select an inventory location for the deployed template, and click Next.
5. Select a host or cluster to run the deployed template and click Next.
6. If a series of warnings is displayed, click Yes to continue with the deployment.
7. Select a resource pool and click Next.
8. Select a storage location for the machine files and click Next.
9. Select the disk format for the virtual disk and click Next.
10. Select a destination network and click Next.
11. In the Deployment Settings panel, review the selected options and click Finish.
12. When you see the Deployment Completed Successfully dialog box, click Close. The CloudLink Center virtual machine is displayed in the VMware vSphere virtual machine list.
13. In vSphere Client, right-click the CloudLink Center virtual machine and select Power > Power on.

Results

The CloudLink Center virtual machine defaults to Dynamic Host Configuration Protocol (DHCP) and generates a random hostname for CloudLink Center if a DHCP server is available on your network. Continue to Access CloudLink Center on page 22 if a DHCP server is available on your network. Go to Configuring static network values in vSphere Client on page 19 if you need to set static network values.

Note

Before you log in to CloudLink Center or the console, wait until vSphere Client reports that VMware Tools is installed and running. Otherwise you might experience network configuration problems.

Configuring static network values in vSphere Client

You must set static network values if a DHCP server is not available. Use the CloudLink Center console to configure the network settings.

Procedure

1. In vSphere Client, right-click the CloudLink Center virtual machine and select Open Console.
2. Log in to the CloudLink Center console with the login name cloudlink and the default password cloudlink. You must change the default password.
3. When prompted, type a new password for the CloudLink Center console.
4. Press down arrow and type the password again to confirm it.
5. Press Tab and then OK to accept the password change. Subsequent logins to the console prompt for the new password, which you can change at any time from the Update Menu in the CloudLink Center console. For more information, see Using the CloudLink Center Update Menu on page 33.
6. Select Static and then press OK.
7. Type the IP address, netmask, and gateway address for CloudLink Center.
8. Press Tab and then OK.
9. Wait for the network configuration to complete. This process might take some time.

Results

After CloudLink Center network configuration is complete, a summary of its settings is displayed, as shown in the following figure. These settings include the URL to access CloudLink Center from a web browser and network configuration information.


Figure 3 CloudLink Center Summary screen for VMware vSphere

Press OK to close the Summary screen and return to the Update Menu. You can log out of the console. The Summary Screen is displayed every time you log in to the CloudLink Center console. See Using the CloudLink Center Update Menu on page 33 for more information about using the CloudLink Center console's Update Menu.

CHAPTER 4 Preparing to Deploy CloudLink Agent

This chapter presents the following topics:

• Overview
• Access CloudLink Center
• Initial server configuration considerations
• Configure machine groups and device encryption policy


Overview

After deploying and configuring CloudLink Center, prepare to deploy CloudLink Agent to machines by accessing CloudLink Center and setting up CloudLink licenses.

Access CloudLink Center

Use a web browser to log in to CloudLink Center after it is deployed. HTTPS and JavaScript must be enabled in the web browser.

To log in, you need the URL, or clc_address, for CloudLink Center. If you have a DHCP server on your network, the clc_address is in the CloudLink Center virtual machine's General panel in vCenter Client or the Networking tab in Hyper-V Manager. If you configured network settings in the CloudLink Center console, the clc_address is in the Summary screen in the console's Update Menu. For more information, see Using the CloudLink Center Update Menu on page 33.

Dell EMC recommends that you configure Microsoft Windows domain integration so that you can access CloudLink Center with Windows domain credentials. In this case, you do not provide CloudLink Center credentials. The secadmin user account remains a local account. For information about user accounts and configuring Microsoft Windows domain integration, see CloudLink Administration Guide for VxFlex OS.

Initial server configuration considerations

Be aware of the following before you configure the CloudLink Center server.

• CloudLink license files determine the number of machine instances or amount of encrypted storage capacity that your organization can manage with CloudLink Center, and the duration of the license. During initial configuration, you must upload one license. You can upload additional licenses after the initial deployment. For information about CloudLink license files, see CloudLink Administration Guide for VxFlex OS.
• The cluster server name is used primarily for CloudLink Center clusters, but it must be specified even if you do not plan to use clusters. For more information, see Requirements for CloudLink Center server addresses in clusters on page 8.
• The public key of the RSA-2048 backup key pair is saved in CloudLink Center. You download the private key.
• Dell EMC recommends that you use Manual Unlock mode when choosing how CloudLink Center opens the CloudLink Vault on restarts. This mode opens CloudLink Vault only when an administrator provides an appropriate passcode. For more information, see CloudLink Vault on page 12.

Configuring the CloudLink Center server

Use this procedure to access CloudLink Center and configure the server.

Procedure

1. In your web browser, type the URL for CloudLink Center in the following format:
   https://clc_address
   See Access CloudLink Center on page 22 if you need to locate the clc_address.
2. Accept the license agreement.
3. The password for the built-in secadmin user must be changed the first time you log in. Type the secadmin password, retype it to confirm, and click Change Password. You can change the password for the secadmin user account at any time after the first-time login. For more information, see CloudLink Administration Guide for VxFlex OS.
4. Type the CloudLink Center console password, type it again to confirm it, and click Change Console Password.

   Note

   Step 4 is not applicable if you have already logged in to the CloudLink Center console.

5. Accept or change the CloudLink Center hostname.
6. From the Deployment Type list, select New Server, and click Next.
7. Select the capacity license file and click Upload. You can browse to the license file.
8. In the Cluster Server Name/Address box, type the DNS name or IP address used to connect to this server and click Next. For more information, see CloudLink Center server address on page 8.
9. Click Generate and Download.
10. Save the private key to an appropriate location. By default, the private key is saved to your web browser’s download folder.
11. Click Next.
12. Click I Acknowledge.
13. Select Manual Unlock or Auto Unlock and click Next.
14. Type at least one CloudLink Vault passcode and type it again to confirm it.
15. Click Set Codes.

Configure machine groups and device encryption policy

Before deploying CloudLink Agent to machines, you may want to set up machine groups and their device encryption policy. For more information, see Machine groups on page 9. CloudLink Center assigns machines to an existing machine group during CloudLink Agent deployment. Creating machine groups before starting to deploy CloudLink Agent to machines lets you assign a machine to the appropriate group during deployment. The benefit is that, on registration of the machine, encryption begins automatically based on the device encryption policy for the machine group. If you do not specify an existing machine group during deployment, CloudLink Center assigns the machine to the Default group. By default, this group uses the Manual device encryption policy, which does not require encryption of any type of device on machines in the group.


You can move machines to other groups after deployment. Depending on the device encryption policy for the original and new group, you may need to manually encrypt devices so that the machine complies with the new group’s device encryption policy. For more information about creating machine groups and defining device encryption policy, see the CloudLink Administration Guide for VxFlex OS.

CHAPTER 5 Deploying CloudLink Agent to Machines

This chapter presents the following topics:

• Overview
• Standard CloudLink Agent deployment
• Custom CloudLink Agent deployment for Linux
• Verifying deployment
• Refreshing the CloudLink Agent service on Linux machines
• Uninstalling CloudLink Agent


Overview

You can deploy CloudLink Agent using a standard or custom installation.

• The standard installation is an automated method that requires minimal intervention by you. It is useful for deploying CloudLink Agent to machines on an individual basis.
• The custom installation requires more intervention by you, but it provides more flexibility for deployment. Unlike the standard installation, the custom installation does not automatically register the machine with CloudLink Center. A custom installation is useful for the following purposes:
  ◦ Deploying CloudLink Agent to machines before deploying CloudLink Center
  ◦ Deploying CloudLink Agent with configuration management tools

Choose either the standard or custom installation based on the level of automation or points of manual intervention you require.

At a high level, deployment includes the following processes:

• The machine might automatically restart several times to install and configure dm-crypt.
• The machine is automatically registered with CloudLink Center. This is the default setting, but a machine group could require manual approval for new machines.
• Encryption (if any), based on the device encryption policy for the specified machine group, begins.

For more information about the pending state and device encryption policy, see CloudLink Administration Guide for VxFlex OS.

The table below describes the deployment processes for Linux. This table is intended to help you determine the appropriate installation based on your deployment requirements.

Table 3 Deployment processes

Installation type | CloudLink Agent for Linux
Standard installation | Download the online installer. Run the installer to complete installation and configuration.
Custom installation | Download the operating-system-specific deployment package. Install the package. Configure the CloudLink Center server address.

You can view registered machines in CloudLink Center and perform management operations. For information, see CloudLink Administration Guide for VxFlex OS.

Managing self-encrypting drives

If you install CloudLink Agent on a physical machine that has self-encrypting drives (SEDs) attached, you must enable the machine group policy Manage SED Drives so CloudLink Center can manage the SED encryption keys. This policy is only available if you have an SED license and select either the All Data or Boot and All Data encryption policy for a machine group. See the Managing Secure Machines chapter in the CloudLink Administration Guide for VxFlex OS for more information.

Standard CloudLink Agent deployment

Standard CloudLink Agent deployment to Linux machines involves the following tasks:

1. Downloading the installer using the CloudLink Center interface or directly from the server
2. Running the installer from the command line to complete installation and configuration

Downloading CloudLink Agent installer

Download the CloudLink Agent installer from CloudLink Center. For Linux, the installer is provided in the Linux installer script clagent.sh. You can download the installer in one of the following ways:

• Log in to CloudLink Center and download the installer using the CloudLink Center user interface
• Download the installer from the CloudLink Center server without logging in
• Download the installer using a command line interface

If you are not responsible for completing the installation, provide the downloaded software to the appropriate person.

Download from CloudLink Center user interface

Procedure

1. Log in to CloudLink Center. For more information, see Access CloudLink Center on page 22.
2. From Agents, select Agent Download.
3. From the Downloads screen, select the Linux installer script and click Download Selected.
4. Click Save File.

Results

The installer is downloaded to your download folder.

Download directly from CloudLink Center

Procedure

1. In a web browser, type the following:

   http://clc_address:8080/cloudlink/agent

   where clc_address is the CloudLink Center server address. For more information, see CloudLink Center server address on page 8.

2. Click Save File. For Linux, use the file name clagent.sh.

Results

The installer is downloaded to your download folder.

Download using the Linux command line

Procedure

1. Use a command line application such as wget or curl.
2. Type one of the following commands:

   • wget http://clc_address/cloudlink/agent
   • curl -o agent.sh http://clc_address/cloudlink/agent

   where clc_address is the CloudLink Center server address. For more information, see CloudLink Center server address on page 8.

Results

The Linux installer is downloaded to the current directory.

Running the installer

Before you begin

After downloading the CloudLink Agent installer from CloudLink Center, run it from the command line, providing the:

• CloudLink Center server address
• Registration code for the machine group to which you want to assign this machine (optional). For more information, see Machine groups on page 9.

The registration code is available from CloudLink Center on the Agents > Machine Groups page. For more information, see CloudLink Administration Guide for VxFlex OS.

If you do not provide a registration code, CloudLink Center assigns the machine to the Default machine group.

Running the installer on Linux

Note

After CloudLink Agent is installed on a Linux machine and the boot partition is encrypted, kernel upgrades and any upgrades that involve rebuilding the kernel or initrd are not supported.

Procedure

1. In the command line on the machine, type the following command to run the installer for a Linux machine in the location where the installer was downloaded (by default, to the current folder):

   sudo sh clagent -S clc_address [-G group_code]

   where

   -S clc_address specifies the CloudLink Center server address. For more information, see CloudLink Center server address on page 8.

   -G group_code specifies the registration code for the machine group to which you want to assign this machine.

Custom CloudLink Agent deployment for Linux

Deploying CloudLink Agent using the custom installation involves the following tasks:

• Downloading the CloudLink Agent deployment package
• Installing the CloudLink Agent deployment package
• Configuring CloudLink Agent

Downloading the CloudLink Agent deployment package for Linux

CloudLink Agent deployment packages are available as RPM, TGZ, or DEB files that you download from CloudLink Center. To download the CloudLink Agent deployment package:

Procedure

1. Log in to CloudLink Center.
2. From Agents, select Agent Download.
3. From the Downloads page, select the 64-bit Linux package you want to use. The package URL is displayed below the selected package. For example, securevm.centos.x86_64.rpm
4. In the Linux machine to be encrypted, open a command line client and type one of the following commands:

   • wget http://clc_address:8080/cloudlink/agent/url_of_package
   • curl -O http://clc_address:8080/cloudlink/agent/url_of_package

   where clc_address is the CloudLink Center server address and url_of_package is the package URL. For example,

   wget http://192.168.112.157:8080/cloudlink/agent/securevm.centos.x86_64.rpm

Results

The deployment package is downloaded to the Linux machine to be encrypted.

Installing the CloudLink Agent deployment package

After downloading the deployment package for your operating system from CloudLink Center, install the package using the for your platform.


Note

After CloudLink Agent is installed on a Linux machine and the boot partition is encrypted, kernel upgrades and any upgrades that involve rebuilding the kernel or initrd are not supported.

Configuring CloudLink Agent

The deployment package installation installs the CloudLink Agent, which provides the svm subcommand for configuring CloudLink Agent. During configuration, the machine is registered with CloudLink Center.

Procedure

1. Type the following command to configure CloudLink Agent:

   svm [-v] [-G group_code] -S clc_address

   where

   • -v uses verbose mode.
   • -G group_code specifies the registration code for the machine group that you want to assign this machine to.
   • -S clc_address specifies the CloudLink Center server address. For more information, see CloudLink Center server address on page 8.

2. Restart the machine.

Verifying deployment

Confirm that CloudLink Agent has been deployed by logging in to CloudLink Center and viewing the machine status. For information about managing machines, including viewing their status, see CloudLink Administration Guide for VxFlex OS. You can also confirm deployment from the machine as described in the following sections.

Verifying CloudLink Agent deployment on Linux machines

Confirm deployment from the machine command line and encryption status of devices by typing the following command:

svm status

Refreshing the CloudLink Agent service on Linux machines

For Linux machines, if the networking configuration is changed on the client after CloudLink Agent deployment, refresh the CloudLink Agent service.


Refresh the CloudLink Agent service from the machine command line by typing the following command:

svm refresh

Uninstalling CloudLink Agent

You might need to uninstall CloudLink Agent, for example, when you put a machine under management of a different CloudLink Center. For more information about moving a machine to a different CloudLink Center, see CloudLink Administration Guide for VxFlex OS. If you are uninstalling the SDS package from the VxFlex OS Storage Data Server, Dell EMC recommends uninstalling the CloudLink Agent first. See Erase a VxFlex OS SDS device in CloudLink Administration Guide for VxFlex OS for instructions to erase a device.

Uninstalling CloudLink Agent on a Linux machine:

Procedure

1. Erase any encrypted devices on the machine.
2. Type the following command:

   svm uninstall

CHAPTER 6 Using the CloudLink Center Update Menu

This chapter presents the following topics:

• Overview
• Connecting to the CloudLink Center console
• Update Menu options


Overview

After you have configured CloudLink Center, the Update Menu is displayed every time you log in using the CloudLink Center console, as shown in the figure below.

Figure 4 CloudLink Center Update Menu

Connecting to the CloudLink Center console

Procedure

1. Do one of the following:

   • In vSphere Client, right-click the CloudLink Center virtual machine and select Open Console.
   • In Hyper-V Manager, right-click the CloudLink Center virtual machine and click Connect.
   • Open an SSH session to the CloudLink Center machine.

2. The default console login name is cloudlink. You changed the default console password the first time you logged in to the console or CloudLink Center.

Update Menu options

The Update Menu options are:

• Summary: Displays a summary of CloudLink Center settings.
• Password: Changes the current password used to log in to the CloudLink Center console.
• Network: Resets the network settings, after which you can reconfigure them. If you select this option, all current network settings are removed.
• Unlock User: Unlocks the secadmin user account.
• Diagnostics: Intended only for use as directed by your Dell EMC representative.

CHAPTER 7 Using VxFlex OS devices

This chapter presents the following topics:

• Overview
• Requirements to encrypt VxFlex OS devices


Overview

VxFlex OS is a software-only, server-based storage area network (SAN) that combines storage and compute resources to form a single layer. It uses existing local disks and LANs so that the host can create a virtual SAN with external storage. The VxFlex OS software consists of the following software components:

Metadata Manager (MDM)
   Configures and monitors the VxFlex OS system. MDM can be configured in redundant Cluster Mode, with three members on three servers, or in Single Mode on a single server.

VxFlex OS Storage Data Server (SDS)
   Manages the capacity of a single server and acts as a back-end for data access. SDS is installed on all servers contributing storage devices to the VxFlex OS system.

VxFlex OS Storage Data Client (SDC)
   SDC is a lightweight situated in each host whose applications or file system requires access to the VxFlex OS virtual SAN block devices. SDC exposes block devices representing the VxFlex OS devices that are currently mapped to that host.

Requirements to encrypt VxFlex OS devices

The VxFlex OS Storage Data Server (SDS) software must be installed on each target machine. You can only view raw devices or VxFlex OS devices in CloudLink Center or the terminal if SDS software is detected. You can only encrypt a raw device with no partitions (such as /dev/sdb) or a partition with no file system (such as /dev/sdb1). The raw device may contain the SDS device header, which indicates that VxFlex OS is using the raw device. The raw device is encrypted using CloudLink Center. The raw device must be removed from the SDS before it is encrypted. You can add the device back to VxFlex OS using the new device path after it is encrypted.

Note

The device mapping name changes after the device is encrypted.

Encrypt a new VxFlex OS device

The Linux virtual machine must have CloudLink Agent installed, and it must be registered with CloudLink Center. To encrypt a new device:

Procedure

1. In CloudLink Center, select Agents > Machines.
2. Select the Linux virtual machine that you want to add to VxFlex OS.
3. Encrypt the raw device.
4. Copy the encrypted device name. For example, /dev/mapper/svm_sdb
5. Open the VxFlex OS GUI.
6. Right-click the target VxFlex OS Storage Data Server and select Add Device.
7. Type or paste the device name and click OK. VxFlex OS begins a rebalance operation and finishes adding the device.

When the device is added to VxFlex OS, CloudLink Center detects the VxFlex OS Storage Data Server (SDS) device header, and the device type is changed to SDS.

You can also use the VxFlex OS command line tools or REST APIs to add the device to the pool.

Encrypt an existing VxFlex OS device

You can encrypt devices that are already attached to VxFlex OS. You must remove the device using the VxFlex OS Storage Data Server (SDS) GUI or the command line on the Metadata Manager (MDM) server.

Note

A rebalance operation occurs when the device is added back, because all data on the device is erased as part of the encryption process.

To encrypt an existing device:

Procedure

1. Using the VxFlex OS GUI, remove the device from VxFlex OS.
2. Wait until the device is removed from VxFlex OS. The device type is changed to an unencrypted raw device in CloudLink Center.
3. In CloudLink Center, select Agents > Machines.
4. Select the device you want to encrypt.
5. In the Actions menu, select Encrypt. CloudLink Center encrypts the device.
6. Copy the encrypted device name. For example, /dev/mapper/svm_sdb
7. Open the VxFlex OS GUI.
8. Right-click the target SDS and select Add Device.
9. Type or paste the device name and click OK. VxFlex OS begins a rebalancing operation and finishes adding the device.
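A pre-check for the device requirements and the two encryption procedures above, as an added example that is not part of the Dell EMC guide: it classifies a device from lsblk output before encryption (raw, partitioned, or carrying a file system) and confirms afterwards that the path to add back is the encrypted mapping rather than the raw disk. The sample lsblk lines are constructed, the appearance of the svm_ mapping as a dm-crypt child is an assumption, and the script cannot tell whether the SDS still owns the device.

```shell
#!/bin/sh
# Added example (not Dell EMC code). classify_device reads the output of
#   lsblk -P -o NAME,TYPE,FSTYPE /dev/sdX
# on stdin: line 1 is the device itself, any further lines are its children.
classify_device() {
    awk '
    # val(KEY): value of KEY="..." on the current line; the leading space
    # keeps TYPE from matching inside FSTYPE.
    function val(key,   line, s) {
        line = " " $0
        if (!match(line, " " key "=\"[^\"]*\"")) return ""
        s = substr(line, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        return s
    }
    NR == 1 { name = val("NAME"); type = val("TYPE"); fs = val("FSTYPE"); next }
    { kids++; if (val("TYPE") == "crypt") crypt = val("NAME") }
    END {
        if (NR == 0)
            print "unknown: no lsblk output"
        else if (crypt != "")
            # Assumption: the encrypted mapping appears as a dm-crypt child.
            print "encrypted: add /dev/mapper/" crypt " to the SDS"
        else if (fs != "")
            # Conservative reading: encryption erases the device, so refuse
            # when a file system signature is present.
            print "ineligible: " name " has file system " fs
        else if (type == "disk" && kids > 0)
            print "ineligible: " name " has partitions"
        else if (type == "disk" || type == "part")
            print "eligible: " name " is raw"
        else
            print "ineligible: " name " is type " type
    }'
}

# Constructed lsblk output for three states of a hypothetical /dev/sdb.
sample_raw()         { printf '%s\n' 'NAME="sdb" TYPE="disk" FSTYPE=""'; }
sample_partitioned() { printf '%s\n' 'NAME="sdb" TYPE="disk" FSTYPE=""' \
                                     'NAME="sdb1" TYPE="part" FSTYPE="ext4"'; }
sample_encrypted()   { printf '%s\n' 'NAME="sdb" TYPE="disk" FSTYPE=""' \
                                     'NAME="svm_sdb" TYPE="crypt" FSTYPE=""'; }

for s in sample_raw sample_partitioned sample_encrypted; do
    printf '%-20s %s\n' "$s" "$($s | classify_device)"
done
```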
