Thales V6000 Installation And Configuration Manual

Data Security Manager
DSM Installation and Configuration Guide
6.4.2
Document Version 2
06/18/2020

Summary of Contents for Thales V6000

  • Page 1 Data Security Manager DSM Installation and Configuration Guide 6.4.2 Document Version 2 06/18/2020...
  • Page 2 06/18/2020 All information herein is either public information or is the property of and owned solely by Thales DIS France S.A. and/or its subsidiaries or affiliates who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information.
  • Page 3: Table Of Contents

    Configure appliance with static IP address enabled Assumptions DSM Installation Checklist Pre-configuration tasks Specify host name resolution method Improving DNS Performance Configure DSM ports Configuration tasks Connect to the V6100 appliance DSM Installation and Configuration Guide Copyright 2009 - 2020 Thales Group. All rights reserved.
  • Page 4 Configuring a V6000 Appliance Configuring the DSM via DHCP Configuring DSM with DHCP Configure appliance with DHCP enabled Configuring a DSM v6000 via Static IP Addressing Configuring a DSM v6100 via Static IP Address Configure appliance with static IP address enabled Assumptions...
  • Page 5 Configuring High Availability for network HSM-enabled DSM Managing network HSM-enabled DSM Backing up and Restoring network HSM-enabled DSM Updating a network HSM-enabled DSM Security World High Availability (HA) Configuration for V6000 hardware appliance Chapter 4: Installing and Configuring a DSM Overview Assumptions...
  • Page 6 Deploying a DSM to GCP through the GCP CLI Uploading the DSM Tar file to GCP Bucket Create the GCP Image-CLI Create the GCP Instance in the CLI KVM Deployment
  • Page 7 Supported Upgrade Paths Migrating from DSM v6.1.0.9229 to DSM 6.4.2 Best Practices for Migration Prerequisites Break up the HA cluster Delete Idle Software Backup current DSM configuration
  • Page 8 Requirements for Remote HSM Administration Obtain a warrant Replacing the ACS ACS replacement guidelines Enabling remote administration for an HA configuration Appendix A: Specifications, Racking, and Cabling for the V6000 and V6100 Hardware Appliance Diagrams Control Panel LEDs DSM Appliance features...
  • Page 9 Moving a Host to a different Node with the UI Appendix C: IPMI IPMI Overview Configuring and Accessing IPMI on the DSM Configuring IPMI on the DSM Configuring IPMI Network Settings
  • Page 10 Restrict inbound traffic to IPMI through IP Access control Reset Default Configuration Settings DSM IPMI CLI Commands ip set ip delete ip show mask mask set mask delete mask show gateway
  • Page 11 Reset DSM Appliance and Remove All Data Reset Original Security World with Original ACS Quorum Regenerating the DSM certificate authority Create New Security World with New ACS Chassis Issues Indicator Definitions
  • Page 12 Boot-Up Messages Boot-up Issues
  • Page 13: Preface

    Vormetric Data Security Agents. DSM Hypervisor Support The virtual DSM can be installed on the following hypervisors: VMware 6.0 or higher Microsoft Hyper-V 2012R2, 2016 and 2019
  • Page 14: Document Conventions

    Document Conventions The document conventions describe common typographical conventions and important notice and warning formats used in Thales technical publications. Typographical Conventions This section lists the common typographical conventions for Thales technical publications. Table 3-1: Typographical Conventions Convention Usage Example bold regular font GUI labels and options.
  • Page 15: Hardware-Related Warnings

    If you cannot resolve the issue, contact your supplier or Thales Customer Support. Thales Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between Thales and your organization. Please consult this support plan for further information about your entitlements, including the hours when telephone support is available to you.
  • Page 16: Chapter 1: The Data Security Manager

    Provide flexible administration via a web-based management console, command line interface (CLI), and application programming interfaces (API) including REST and SOAP. This guide describes how to install and configure the DSM V6100 and V6000 hardware appliances, and DSM virtual appliance.
  • Page 17: Ipmi

    The V6000 and V6100 DSM hardware appliances support the Intelligent Platform Management Interface (IPMI). IPMI is a computer interface specification for autonomous computer subsystems. It provides remote access to the V6000 and V6100 hardware appliances. It allows administrators to remotely monitor appliance health (temperature, power consumption, physical drive status, chassis intrusion), perform remote cold boots (power off and power on), and access the DSM CLI from a remote location.
  • Page 18 Chapter 1: The Data Security Manager DSM Deployment Figure 1-3: The DSM in a VTE Environment
  • Page 19: Chapter 2: Dsm V6100 Hardware Appliance

    Eliminates the need for administrators to be physically present in the lab to administer the DSM Eliminates the need for physical mode switch changes for HSM administration Enables administrators to present smart cards remotely from a PC or laptop
  • Page 20: Requirements

    ACS. To configure remote HSM management for your DSM deployment, you must have a remote smart card reader (TVD) and the associated set of smart cards. Contact Thales Sales and Support for more information about ordering these accessories. See "Upgrading the DSM"...
  • Page 21: Acs

    HA node and three geographically distributed HA nodes, and you choose K to be three and N to be sixteen, then you could distribute four cards to each DSM location and only three of those cards need to be available.
  • Page 22: V6100 Operations That Require The Acs

    N to be created. Requires K from original set of N be inserted before creating new set of N. Note that N cannot be changed.
  • Page 23: Configuring A V6100 Appliance

    Configuring a V6100 Appliance This section describes how to configure a new V6100 appliance with DSM software 6.4.2. Follow the procedure described in Appendix A: "Specifications, Racking, and Cabling for the V6000 and V6100" on page 122, to install the physical appliance.
  • Page 24: Configure Appliance With Dhcp Enabled

    SUCCESS: Restart server software to pick up the changes. 0002:network$ The following sections below describe how to configure the DSM appliance using a static IP address:
  • Page 25: Configure Appliance With Static Ip Address Enabled

    DSM appliance. Trusted verification device (TVD) and set of smart cards (V6100 only) Laptop or PC to connect the TVD (V6100 only) 1u rack space Network Information
  • Page 26 San Jose, not SJC. Name of your state or province. Must be fully spelled out, no abbreviations, e.g., California not CA Two-letter country code
  • Page 27: Pre-Configuration Tasks

    Switching the order of resolution can improve the response time for network operations. The DNS server has two options for name resolution order. DNS: Search the DNS server on the network
  • Page 28: Configure Dsm Ports

    "Enable DHCP on bond0 interface" on page 81 "Configure NTP, time zone, date, time" on page 81 "Configure the hostname" on page 82 "Verify Web Access" on page 85 "Upload a license file" on page 85
  • Page 29: Connect To The V6100 Appliance

    "Access the DSM Command Line Interface (CLI)" above). CLI commands are grouped into the following categories or submenus. Enter “?” on the CLI command line to list the categories:
  • Page 30: Configure Network Settings

    A complete description of all the DSM CLI commands can be found in the DSM Administrators Guide. Configure network settings 1. Navigate to the commands menu. Type: network 0001:dsm$ network 2. Configure an IP address for the DSM. Type,
  • Page 31 8. If you have a second or third DNS server, set them for the DSM. Type: 0008:network$ dns dns2 <ip address for dns server 2> 9. If you want to set the search domain, type: 0009:network$ dns search <search_domain>
  • Page 32: Configure A Bonded Nic Device

    However, the MTU and up/down options can still be used for the device. bond0
  • Page 33: Bonding Driver Modes

    1500 copper auto eth1 1500 copper auto Device State Mode bond0 1500 Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011) Bonding Mode: load balancing (xor)
  • Page 34: Enable Dhcp On Bond0 Interface

    , this step is not necessary.) Type: ntpdate synch 0006:maintenance$ date <mm/dd/yyyy> 9. Set the time. (If you used , this step is not necessary.) Type: ntpdate synch 0007:maintenance$ time <hh:mm:ss>
  • Page 35: Configure The Hostname

    The following steps display the DSM CLI commands and output when you create the certificate authority and ACS.
  • Page 36 Note 2: To create a Security World that meets the requirements of Common Criteria this
  • Page 37 Stopping Security Server Stopping data store Starting data store Starting Security Server SUCCESS: The CA and security certificates are re-generated and the Security Server software is restarted.
  • Page 38: Configuring Ipmi

    Configuring IPMI on the DSM Before you can use IPMI to configure your DSM V6000/V6100 appliance, you need to configure an IP address, and enable the KVM port for remote Java console support. If you want to configure the IPMI Ethernet port IP address to use an IPv6 address, you must do this via the IPMI GUI—you cannot configure the IPMI Ethernet port IP address via the CLI.
  • Page 39: Verify Web Access

    The default user name and password to log on to the DSM for the first time are: admin and admin123. You will be prompted to reset the password. The password criteria are: Does not have repeating characters Uses at least 1 upper and 1 lower case character
  • Page 40: Upload A License File

    2. Turn remote administration on. Type: 0002:hsm$ remoteadmin on HSM remote administration is enabled. SUCCESS: remoteadmin command ran successfully. 3. Return to the main menu. Type: 0003:hsm$ up
  • Page 41: Add More Cli Administrators (Optional)

    DSM via the console available from the virtualization application in use. 1. Log on to the console, and enter the System category of commands and type security boot-passphrase set at the prompt; 0001:system$ security boot-passphrase set
  • Page 42 6. Enter the passphrase, the system startup messages will continue to scroll until the system is ready and the log in prompt is displayed. Now you can log into your system as before. Welcome to the Vormetric Data Security Manager on <dsm_server_name>.com <dsm_server_name> login: cliadmin Password:
  • Page 43: Recovering A Lost Passphrase

    3. As the DSM reboots, open a console (direct or via IPMI). When the GRUB menu is displayed, use the arrow keys to select the ‘Show Boot Passphrase Recovery Data’ option and press Enter, see the following figure:
  • Page 44 "Full Disk Encryption" on page 40. 5. Enter the passphrase when prompted to do so on the IPMI Java console to unlock the system and boot up the DSM.
  • Page 45: Configuring Ipmi

    Configuring IPMI on the DSM Before you can use IPMI to configure your DSM V6000/V6100 appliance, you need to configure an IP address, and enable the KVM port for remote Java console support. If you want to configure the IPMI Ethernet port IP address to use an IPv6 address, you must do this via the IPMI GUI—you cannot configure the IPMI Ethernet port IP address via the CLI.
  • Page 46: Configuring High Availability For V6100

    ACS" on page 82. Configuring High Availability for V6100 "Configuring HA for V6x00 and Virtual Appliances" on page 135 for the procedure to configure high availability.
  • Page 47: Chapter 3: Dsm V6000 Hardware Appliance

    Figure 3-1: V6000 DSM hardware appliance Overview The V6000 and virtual appliances can be network HSM-enabled by connecting them to either a Luna HSM or an nShield Connect HSM. An HSM enables the DSM appliance to create and protect the DSM master key. For more information about using a Luna HSM, see, "Luna SA HSM"...
  • Page 48: Configure Appliance With Dhcp Enabled

    "Add more CLI administrators (optional)" on page 62 Configuring a DSM v6000 via Static IP Addressing Setting the DSM for the V6000 uses the same method as in the V6100. Configuring a DSM v6100 via Static IP Address If you do not want to use DHCP, you can turn it off using the CLI and assign static IP addresses to the DSM interfaces.
  • Page 49: Configure Appliance With Static Ip Address Enabled

    Serial console—this should be connected to the DSM appliance using the serial cable included with the appliance. Two network (Ethernet) cables, these are included with the DSM appliance.
  • Page 50 (optional): eth1—this interface comes configured with a default IP address; 192.168.10.1. DHCP Server Thales recommends that you retain this configuration in the event that you need a If you choose to use static IP recovery option to access the appliance.
  • Page 51: Pre-Configuration Tasks

    Two-letter country code Email address Pre-configuration tasks Specify host name resolution method Setting the hostname resolution for the V6000 uses the same method as in the V6100. See "Specify host name resolution method" on page 26 for more information. Configure DSM ports If a DSM must communicate with a device behind a firewall, you must open various ports in the firewall.
  • Page 52: Access The Dsm Command Line Interface (Cli)

    ‘?’. For example, the submenu is used to provide maintenance utilities: maintenance 0037:dsm$ maintenance 0038:maintenance$ ? config Save/load configuration file showver Show the installed VTS version
  • Page 53: Configure Network Settings

    0002:network$ ip address init <DSM IP address>/<subnet mask (e.g. 16 or 24)> dev eth# 0002:network$ ip address init 192.168.10.4/16 dev eth1 IPv6 example 0002:network$ ip address init fa01::3:15:130/64 dev eth1
  • Page 54: Configure A Bonded Nic Device

    This section describes how to aggregate the two NICs on the DSM into a single logical interface to provide load balancing and/or fault tolerance. The bonded NIC device is called bond0
  • Page 55 The output of this command displays the physical link settings on the system. You can use it to verify any changes to the physical link settings: Example:
  • Page 56: Bonding Driver Modes

    100 instead of the default value of 0. miimon To see the supported Bonding driver modes, see Appendix E: "Bonding Driver Modes" on page 173.
  • Page 57: Enable Dhcp On Bond0 Interface

    0007:maintenance$ time <hh:mm:ss> Where hh is 00 to 23. 10. Verify your settings. Type: 0008:maintenance$ time 0008:maintenance$ date 11. Return to the main menu. Type: 0008:maintenance$ up
  • Page 58: Configure The Hostname

    2. Start the client software on the laptop or PC. 3. Generate a new certificate authority for the DSM and create the ACS. At the prompt, type: 0012:system$ security genca
  • Page 59 10:52:18 WARNING: Module #1: preemptively erasing module to see its slots! Create Security World: Module 1: 0 cards of 2 written Module 1 slot 0: empty Module 1 slot 0: unknown card
  • Page 60 Regenerating CA will make certificates at HA node servers and agents invalid. You may need - Re-sign certificates at each HA node server - Cleanup and re-register each agent 0002:system$ Your initial DSM with HSM is now configured.
  • Page 61: Configuring Ipmi

    Configuring IPMI on the DSM Before you can use IPMI to configure your DSM V6000/V6100 appliance, you need to configure an IP address, and enable the KVM port for remote Java console support. If you want to configure the IPMI Ethernet port IP address to use an IPv6 address, you must do this via the IPMI GUI—you cannot configure the IPMI Ethernet port IP address via the CLI.
  • Page 62: Verify Web Access

    The DSM Management Console has a help icon (?) located on the right-hand side of the title bar, which is located under the menu bar, on each page of the Web UI. Click the icon for help with tasks on a specific page.
  • Page 63: Upload A License File

    This feature also requires use of the IPMI, see "Configuring IPMI" on page 60 for details and procedures for this feature.
  • Page 64: Nshield Connect Integration

    Connect Integration nShield Connect Integration DSM appliances that do not have a built in hardware security module (HSM)—DSM V6000 hardware and virtual appliances—can now be configured to utilize an nShield Connect HSM to create and protect the DSM master key. The nShield Connect series includes nShield Connect + and nShield Connect XC, the DSM can be configured with either of these appliances.
  • Page 65: High Availability

    HA cluster for a network HSM-enabled DSM, then all nodes in the cluster must be network HSM-enabled appliances. As this feature is supported on both V6000 and virtual DSMs, an HA cluster for a network HSM-enabled DSM may consist of both V6000 and virtual DSMs, as long as they are all network HSM-enabled.
  • Page 66: Configure Nshield Connect Appliance And Associated Rfs

    6. If there are more nShield HSMs in the same Security World you can add them now using the connect add command. 7. The About page of the DSM Web UI also displays the nShield Connect HSMs that have been configured.
  • Page 67: Configuring High Availability For Network Hsm-Enabled Dsm

    Figure 3-6: Configured HSM devices on DSM Web UI About page Configuring High Availability for network HSM-enabled DSM When configuring high availability (HA) for network HSM-enabled DSMs, Thales recommends the following: Configure at least two nShield Connect HSMs in the Security World for fault tolerance. This means in the event one of the appliances is not reachable for some reason, the Security World is still available.
  • Page 68: Backing Up And Restoring Network Hsm-Enabled Dsm

    A backup of a non-HSM DSM (V6000 or virtual DSM) Domain level backups can be restored as follows: A domain backup from a network HSM-enabled DSM to a domain on a non network HSM-enabled DSM (V6000 or virtual appliance) and vice versa...
  • Page 69: Updating A Network Hsm-Enabled Dsm Security World

    Chapter 3: DSM V6000 Hardware Appliance High Availability (HA) Configuration for V6000 hardware appliance Updating a network HSM-enabled DSM Security World In the event that the nShield Connect Security World changes, the network HSM-enabled DSM’s Security World must be synchronized with the new one. A Security World change may be triggered for various reasons, for example the ACS has been replaced.
  • Page 70: Chapter 4: Installing And Configuring A Dsm

    DSM appliance. The V6000 and virtual appliances can be HSM-enabled by connecting them to an nShield Connect appliance. The Network HSM support feature enables DSMs that do not have a built-in hardware security module (HSM) —DSM V6000 hardware appliance and the virtual appliance—to utilize an nShield Connect HSM appliance to store the DSM...
  • Page 71: Assumptions

    HD (in GB) for VM above 250 instance Cloud instance Note The disk size change was introduced in v5.3.1, however you can still use “thin” provision to minimize storage utilization.
  • Page 72: Configuring A Virtual Appliance

    DHCP on the interface; eth0 $ network 0001:network$ ip dhcp release <interface> version 4 Example $ network 0001:network$ ip dhcp release eth0 version 4
  • Page 73: Virtual Dsm Installation Checklist

    IP address, net mask, gateway, and net mask: search domain. It does not configure an appliance default gateway (optional): host name, or an NTP server.
  • Page 74: Pre-Configuration Tasks

    This section details the installation and pre-configuration tasks required for DSM. It consists of the following tasks: "Specify host name resolution method" on the next page "Configure Ports" on the next page
  • Page 75: Specify Host Name Resolution Method

    To enter a submenu, enter a name or just the first few letters of the name. To display the commands for that submenu, enter a ?. For example, the submenu is used to provide maintenance utilities: maintenance
  • Page 76: Virtual Appliance Setup

    See "Disk Re-encryption for DSM Fastboot Image" on the next page for details. 1. Launch the VMware vSphere Client.
  • Page 77: Disk Re-Encryption For Dsm Fastboot Image

    Do you want to reencrypt now? (yes|no)
  • Page 78: Disk Re-Encryption After Initial Setup

    Virtual Appliance Configuration Configure network settings 1. Navigate to the commands menu. Type: network 0001:dsm$ network 2. Configure an IP address for the DSM. Type,
  • Page 79 8. If you have a second or third DNS server, set them for the DSM. Type: 0008:network$ dns dns2 <ip address for dns server 2> 9. If you want to set the search domain, type: 0009:network$ dns search <search_domain>
  • Page 80: Configure A Bonded Nic Device

    However, the MTU and up/down options can still be used for the device. bond0
  • Page 81: Bonding Driver Modes

    1500 copper auto eth1 1500 copper auto Device State Mode bond0 1500 Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011) Bonding Mode: load balancing (xor)
  • Page 82: Enable Dhcp On Bond0 Interface

    , this step is not necessary.) Type: ntpdate synch 0006:maintenance$ date <mm/dd/yyyy> 9. Set the time. (If you used , this step is not necessary.) Type: ntpdate synch 0007:maintenance$ time <hh:mm:ss>
  • Page 83: Configure The Hostname

    The following steps display the DSM CLI commands and output when you create the certificate authority and ACS.
  • Page 84 Note 2: To create a Security World that meets the requirements of Common Criteria this
  • Page 85 Stopping Security Server Stopping data store Starting data store Starting Security Server SUCCESS: The CA and security certificates are re-generated and the Security Server software is restarted.
  • Page 86: Verify Web Access

    The first time you log on to a DSM, the dashboard displays “License file not found" and only the Dashboard and System tabs display. To upload a license:
  • Page 87: Full Disk Encryption

    Connect Integration DSM appliances that do not have a built in hardware security module (HSM)—DSM V6000 hardware appliance and the virtual appliance—can now utilize an nShield Connect HSM or a Luna HSM appliance to create and protect the DSM master key.
  • Page 88: Configure Virtual Dsm In Ibm Cloud

    19. Wait for the DSM to boot up. It will try to boot from network first, time out, and then boot from the ISO image. 20. Click Enter when you see the "Thales" banner to begin the installation. If you receive a message saying “cannot find kickstart file”, type cdrom1 at the boot prompt when you see the Thales banner.
  • Page 89 0001:vormetric$ network 0002:network$ ip route show 15. To verify DNS settings, type: 0001:vormetric$ network 0002:network$ dns show 16. To verify hostname, type: 0001:vormetric$ system 0002:system$ setinfo show
  • Page 90: Dsm Installation On Hyper-V

    11. Connect to the virtual machine console, and power on the machine to build the DSM. Note The installation takes approximately 30 minutes. It runs in the background. Once the DSM is ready, you see a login prompt.
  • Page 91: Deploying A Dsm Azure Image

    For Azure and AWS platforms, you will need to add this port to your security groups. You can now close port 50000 as it is no longer used. Deployment Procedure To ensure the proper deployment of a DSM Azure image, Thales recommends the configuration parameters described below: 1. Log on to the Azure portal with your credentials.
  • Page 92: Configure The Hostname

    7. SSH to the DSM CLI. The first time you log on to the DSM CLI, you must log in with the default user name and password: Login: cliadmin Password: cliadmin123
  • Page 93: Generating The Ca

    This prevents any targeted Ping/ICMP DDoS flood attacks. Therefore, you cannot ping the Azure VMs from outside Azure. Internally, you can ping from an Azure VM to another Azure VM that is on the same internal network with the current DSM version.
  • Page 94: Enabling Ping

    2. Select the instance type and click Next. If you plan to use the DSM in a production environment, the minimum requirements are: 2 virtual CPUs 8GB RAM
  • Page 95 2. Select this new address, and click Associate Address. 3. Select the host instance to which to associate the EIP. 4. Use this EIP address to set up your SSH session.
  • Page 96: Configuring Ha

    "Deploying a DSM to GCP through the GCP CLI" on page 97. Obtain the DSM image for GCP Deployment Download the DSM TAR file from the Thales technical support portal: https://supportportal.thalesgroup.com Note Make sure that the title of the TAR contains the letters: GCP
  • Page 97: Upload Dsm Image To Gcp Storage

    6. Select the tar file for the image. 7. For location, select Multi-regional. 8. Fill in any other required information. 9. In the Encryption section, select Google-manage Key. 10. Click Create.
  • Page 98: Creating A Gcp Instance Of Dsm

    IP address> Deploying a DSM to GCP through the GCP CLI After obtaining the DSM tar file from Thales technical support (see "Obtain the DSM image for GCP Deployment" on page 95), you can, as an alternative to the UI method, use the GCP CLI to perform the same operations: "Uploading the DSM Tar file to GCP Bucket"...
  • Page 99: Create The Gcp Instance In The Cli

    4. Change the UUID for the virtual machine, as well as the MAC addresses for the two NICs as necessary. 5. To start the virtual machine, type the following command at the prompt:
  • Page 100: Deploying On A Xen Hypervisor

    The virtual machine installation process can take up to 40+ minutes to complete. virsh The virsh instructions are the same for Xen deployment as they are for KVM deployment. See "virsh" on the previous page.
  • Page 101: High Availability (Ha) Configuration For Virtual Appliances

    High Availability (HA) Configuration for Virtual Appliances See "Configuring HA for V6x00 and Virtual Appliances" on page 135 for procedures to configure high availability.
  • Page 102: Luna Sa Hsm

    This chapter describes how to set up a Luna SA HSM (Hardware Security Module) with a DSM virtual cluster or a V6000. (The V6100 already contains an HSM. It cannot be configured with a Luna SA HSM). The purpose of an HSM is to protect sensitive data from being stolen by providing a highly secure operation structure.
  • Page 103: Add A Luna Sa Hsm To An Ha Cluster

    DSM HA clusters register to the same partition. Note Thales does not recommend having multiple HA clusters registered to the same partition because it decreases fault tolerance. In the PED-authenticated Luna, you can also have multiple clusters using different partitions on the same Luna, or you can use multiple Lunas, for increased fault tolerance.
  • Page 104: Creating A Partition On The Password-Authenticated Luna

    4. To view the existing partition list, at the Password-authenticated Luna prompt, type: lunash:> partition list Partition Name Objects Total Used Free 1394399181013 Luna1_ 409782 409782 Par100
  • Page 105: Creating A Partition On The Ped-Authenticated Luna

    1. Set up the PED-authenticated Luna according to the instructions in the SafeNet Luna Network HSM Configuration Guide. Note: Ensure that the Luna is set up in FIPS mode.
  • Page 106: Backup Your Configuration

    2. Change to the HSM menu. At the prompt, type: 0001:DSM$ hsm 3. In the HSM menu, add the Luna, type: 0002:hsm$ luna add <LunaHostName/IP_addr> Example 0002:hsm$ luna add 192.168.59.214
  • Page 107: Verifying The Luna Status

    Confirm that the Luna is connected properly. Change back to the HSM menu and type: 0001:hsm$ luna show HA auto recovery: enabled HA recovery mode: activeEnhanced Maximum auto recovery retry: 500
  • Page 108: Add Dsm Nodes To A Luna-Enabled Ha Cluster

    System Response: This command adds node 'Test95459.i.thales.com' to the HA cluster (with 'Test08648.i.thales.com'), without configuring it for replication. To configure it for replication, login to the CLI of Test95459.i.thales.com' and execute the 'join' command under 'ha' Continue? (yes|no) [no]: yes SUCCESS: Node added to HA cluster.
  • Page 109: Join A (Missing Or Bad Snippet) Node To An Ha Cluster

    Enter the host name of this node. This will be used by Agents to talk to this Security Server. 15. Enter the host name of this node. If the name is already correct, hit Enter.
  • Page 110: Monitoring The Luna

    Label -> dsmpartition0 Serial Number -> 1394396852245 Model -> LunaSA 7.2.0 Firmware Version -> 7.0.3 Configuration -> Luna User Partition With SO (PW) Signing With Cloning Mode
  • Page 111: Upgrading A Dsm Attached To A Luna

    DSM again. At the Luna type: lunash:>client delete -client <clientHostName/IP address> Consult the Luna documentation for more information.
  • Page 112: Troubleshooting

    When a Luna in a DSM cluster is down or not accessible, no audit logs / syslogs / email notifications are generated on the DSM. Therefore, to ensure proper notification for issues, configure syslog on the Luna. Refer to the Luna documentation for information on configuring syslogs.
  • Page 113: Chapter 6: Upgrade And Migration

    Remote HSM Management for the V6100 appliance. WARNING Thales strongly recommends that you backup your DSM configuration before upgrading or migrating to a new version. An upgrade cannot be rolled back. The only way to go back to a previous version is to restore a backup of the DSM configuration that was made before the upgrade, to the version of the software in use before the upgrade.
  • Page 114: Migrating From Dsm V6.1.0.9229 To Dsm 6.4.2

    To upgrade an HA deployment, follow the procedure described in the HA chapter. If you are upgrading from an earlier version of DSM v5.3 or v5.3.1 with KMIP data, contact Thales e-Security Support. To migrate from a V5800 with HSM appliance to a V6100 appliance, see “Migrating from V5 appliances to V6x00 appliances”...
  • Page 115: Prerequisites

    Dashboard, beneath the fingerprint for the CA. The Wrapper Key Share displayed in the Dashboard window is a toggle. Click Show to display the wrapper key share value. Click Wrapper Key Share value to display the string Show.
  • Page 116: Upgrading The Dsm

    Note As of release v6.0.3 the DSM supports nShield Connect integration to make the DSM V6000 or virtual DSM a network HSM-enabled DSM. See "nShield Connect Integration"...
  • Page 117: Migrating From V5 Appliances To V6X00 Appliances

    7. Click Browse to locate and select the backup file to restore. Click Ok. The restored file uploads and the DSM disconnects from the Management Console.
  • Page 118: Migrating From V5 Appliances To V6X00 Appliance (Kmip)

    The warrant, which is similar to a digital certificate, is a security requirement for remote administration. You will need to apply to Thales Support to obtain the warrant. The steps to obtain a warrant are outlined below. Requirements for Remote HSM Administration If you choose to use the remote administration feature, after upgrading to DSM software v6.0, the following are...
  • Page 119 5. Copy the contents of the warrant file you received at the prompt; KLF2 Warrant for...
  • Page 120: Replacing The Acs

    2. To replace your ACS, insert one card from the quorum of the old card set into the old card reader, and at the prompt type and follow the instructions; replaceacs 0002:vormetric$ hsm 0002:hsm$ hsm replaceacs
  • Page 121 The new cards can be used with the old card reader, however, the old cards cannot be read with the new TVD.
  • Page 122: Enabling Remote Administration For An Ha Configuration

    7. Recreate the cluster. See the HA chapter for more information. Note Remote administration is also available for DSM V6000 or virtual appliances that have nShield Connect integration enabled; however, this needs to be configured on the nShield Connect device. Refer to the nShield Connect documentation for more information about enabling remote administration.
  • Page 123: Appendix A: Specifications, Racking, And Cabling For The V6000 And V6100

    Appliance Rack Mount Safety Instructions Rack Mounting the Appliance Rack Mounting Instructions Installing and Connecting Cables This chapter provides the V6000/V6100 hardware appliance specifications and installation instructions. Hardware Appliance Diagrams Figure A-1: Front view of DSM hardware appliance with bezel : WARNING The DSM appliance is covered with three FIPS tamper evident stickers.
  • Page 124: Control Panel Leds

    Appendix A: Specifications, Racking, and Cabling for the V6000 and V6100 Hardware Appliance Diagrams Figure A-3: Rear view of V6100 DSM with HSM (V6000 has no HSM) Control Panel LEDs The control panel located on the front of the SC813M chassis has five LEDs. These LEDs provide you with critical information related to different parts of the system.
  • Page 125: Informational Leds

    DSM Hardware Appliance Specifications Informational LEDs Status Description Solid red An overheat condition has occurred. (This may be caused by cable congestion). Blinking red (1Hz) Fan failure, check for an inoperative fan.
  • Page 126: Space, Network, And Power Requirements

    Space, Network, and Power Requirements Physical dimensions 1u, rack-mountable chassis dimensions: 17”x 20-1/2”x 1.75” External connectors two 10/100/1000baseT network connectors one IPMI connector one DB-9 RS-232 serial console connector Power requirements The Vormetric hardware appliance includes two auto-switching, field-replaceable, AC power modules.
  • Page 127: Rack Mounting The Appliance

    Rack Mounting the Appliance Reduced air flow: Installation of the DSM Appliance in a rack should be such that the amount of airflow required for safe operation is not compromised.
  • Page 128: General Server Precautions

    Rack Mounting the Appliance General server precautions Review the electrical and general safety precautions that came with the components you are adding to your chassis. Determine the placement of each component in the rack before you install the rails.
  • Page 129: Rack Mounting Instructions

    Rack Mounting Instructions This section provides information on installing the V6000/V6100 chassis into a rack unit with the rails provided. There are a variety of rack units on the market, which may mean the assembly procedure will differ slightly. You should also refer to the installation instructions that came with the rack unit you are using.
  • Page 130: Locking Tabs

    Rack Mounting Instructions Figure A-5: Identifying the Sections of the Rack Rails Locking tabs Both chassis rails have a locking tab. The tabs lock the server into place when installed and pushed fully into the rack.
  • Page 131: The Inner Rail Extension (Optional)

    Rack Mounting Instructions Figure A-6: Identifying the Sections of the Rack Rails (right side rail shown) The Inner Rail Extension (Optional) The inner rails are pre-attached and do not interfere with normal use of the chassis if you decide not to use a server rack.
  • Page 132: Outer Rack Rails

    Figure A-7: Assembling the Outer Rails Outer rack rails Outer rails attach to the server rack and hold the server in place. The outer rails for the V6000/V6100 chassis extend between 30 inches and 33 inches. Installing the outer rails to the rack 1.
  • Page 133: Installing The Chassis Into A Rack

    Rack Mounting Instructions Note Figures are for illustrative purposes only. Always install servers into racks from the bottom up. Installing the chassis into a rack 1. Confirm that chassis includes the inner rails and rail extensions. Also, confirm that the outer rails are installed on the rack.
  • Page 134: Installing And Connecting Cables

    Installing and Connecting Cables 4. Finish by sliding the chassis into the rack and tightening the brackets to the rack. Installing and Connecting Cables Applying power Connect each power module to an independent, 100-240V, 47-63Hz, 12V 6A power source.
  • Page 135: Connecting To The Network

    Installing and Connecting Cables Figure A-10: Appliance serial console port pin-out 4. Open a console window, like Windows HyperTerminal, on your system. 5. The console window should display the DSM CLI login prompt. If it does not, press the <Enter> key.
  • Page 136: Appendix B: Ha For V6X00 And Virtual Appliances

    DSM appliances (V6000 or virtual DSM). V6000 and Virtual Appliances An HA cluster may consist of both V6000 and virtual DSMs. If you plan to create an HA cluster for a network HSM-enabled DSM, then all nodes in the cluster must be network HSM-enabled appliances so that they can all connect to the network HSM.
  • Page 137: Prerequisites

    A quorum of activated smart cards to perform administrative actions and their pass phrases. See "Administrator Card Set (ACS)" on page 19 for more about the ACS.
  • Page 138: Adding Nodes To An Ha Cluster

    WARNING: This server node is about to join an HA cluster. Please make sure the HA cluster is running and has this server node in its HA node list. This may take several minutes.
  • Page 139 7. The installation utility creates certificates, completes the installation process, and then starts the HA node. This may take a few minutes. The CA certificate fingerprint is displayed.
  • Page 140: Configuring High Availability For Network Hsm-Enabled Nodes

    DSM appliances, which do not have a built-in HSM, can be configured to use a network HSM via an nShield Connect HSM. When configuring high availability (HA) for network HSM-enabled DSM, Thales recommends the following: Configure at least two nShield Connect appliances in the Security World for fault tolerance. This means that in the event that one of the appliances is not reachable, the Security World is still available.
  • Page 141: Configure An Ha Cluster With Hsm-Enabled Nodes

    DSM has joined the cluster. See "Configuring High Availability for Network HSM-enabled Nodes" on the previous page. See the VDS Administrators Guide for instructions on other HA functions such as:
  • Page 142: Adding A Host To A New Ha Node

    6. Once the original HA node is up and running, you can reassign the VTE Agent(s) back to the original node, if desired.
  • Page 143: Upgrading An Ha Cluster

    4. After removing the nodes, log on to one of the other nodes, (not the initial one) as CLI Admin and switch to the HA menu. 0001:dsm$ ha 5. Cleanup the HA configuration data on the node, type:
  • Page 144: Upgrade The Initial Ha Node

    6. For HSMs like a V6100, repeat these steps to upgrade each of the other nodes in the HA cluster. Note If you plan to enable nShield Connect integration on a DSM V6000 or virtual DSM HA cluster see, "Configuring High Availability for network HSM-enabled DSM" on page 66.
  • Page 145: Deleting A Node From A Cluster With Hosts Assigned

    You can cancel the delete and manually reassign the hosts yourself, or the DSM can perform the reassignment. 1. On the DSM, click High Availability. 2. Select the node to which you want to move the Agent(s).
  • Page 146 4. When you select this last option, the “Node to assign to” menu opens. Select a node from the dropdown menu. 5. Click Delete. Note After deletion, make sure that you log on to the deleted node through the CLI menu and run HA > Cleanup.
  • Page 147: Appendix C: Ipmi

    Best Practices after IPMI is Configured DSM IPMI CLI Commands The Intelligent Platform Management Interface (IPMI) provides browser-based remote access to the V6000 and V6100 hardware appliances. It allows administrators to remotely monitor appliance health (temperature, power consumption, physical drive status, chassis intrusion, and others), perform cold boots (power-off and power-on), and access the DSM CLI.
  • Page 148: Configuring Ipmi On The Dsm

    Configuring and Accessing IPMI on the DSM Configuring IPMI on the DSM Before you can use IPMI to configure your DSM V6000/V6100 appliance, you need to configure an IP address, and enable the KVM port for remote Java console support.
  • Page 149: Configuring Ipmi Network Settings

    Select Share for IPMI to connect through the first LAN port (port 0 or port1) on the board. Note Thales recommends that you use a dedicated port for IPMI. 7. The RMCP (Remote Mail Checking Protocol) Port allows the user to select the desired RMCP port. The default port is 623.
  • Page 150: Configuring Date And Time Settings With Ntp Enabled

    Administrator System Information Full Access Full Access Full Access Chassis Locator Control View Only Full Access Full Access FRU Reading Full Access Full Access Full Access
  • Page 151: Configuring Ipmi Gui Port Settings

    The User ID #1 (Anonymous) is reserved and cannot be modified or deleted. The User ID #2 (ADMIN) cannot be deleted. You can only modify the name and password. Configuring IPMI GUI Port Settings You can configure the following ports for IPMI on the V6000/V6100 DSM hardware appliance. To access:
  • Page 152: Configuring Fan Settings

    WARNING Using reset server, power cycle server and power off server -immediate on a DSM that is running, may risk damaging the file system. Thales recommends only using power off server - orderly shutdown. Launch SOL: Launches SOL (Serial Over LAN) console and allows you to view status messages.
  • Page 153: Power Control

    WARNING Using reset server, power cycle server and power off server -immediate on a DSM that is running, may risk damaging the file system. Thales recommends only using power off server - orderly shutdown. 1. Click Remote Control > Power Control.
  • Page 154: Configuring Ldap Server

    Now, users can log in as any of the IPMI users defined in the LDAP server and they will have the privilege level as defined in the permission attribute.
  • Page 155: Maintenance Firmware Update

    IP allows administrators to create firewall rules and monitor usage of this system. Sets IPMI LAN interface to Dedicated so that the IPMI must run in a dedicated IPMI-only LAN.
  • Page 156: Restore The Ipmi Configuration From A Backup File

    1. Click IPMI Configuration. 2. Click Choose File and select the appropriate backup file. 3. Click Reload. Server Health To view sensor readings and event logs: Click Server Health.
  • Page 157: Best Practices After Ipmi Is Configured

    -subj "/C=US/ST=California/L=San Jose/O=Thales E- Security, Inc./OU=ThalesQA/CN=sys99999.sys5backup.com/ emailAddress=hpotter@thalesesecurity.com" 2. Get the CSR signed by a 3rd party with SHA-256 signature algorithm The following example is from CACert.org:
  • Page 158: Change The Port Through Which You Access Ipmi

    Enter the URL to log in again with the new port number as: https://<IP address or host name>:<Port number> Example: https://1.2.3.4:59841 3. Navigate to Remote Control > Console Redirection and click Launch Console.
  • Page 159: Change The Ipmi Password

    Full Access Event Log View Only Full Access Full Access Alert View Only Full Access LDAP View Only Full Access Mouse Mode Full Access Full Access
  • Page 160: Configuring Alerts

    3. Set the severity level, the destination IP address to where you want to send the SNMP trap alert notification, and/or an email address to which to send the notification a subject, and message if desired.
  • Page 161: Restrict Inbound Traffic To Ipmi Through Ip Access Control

    2. At the ipmi prompt, set the IP address back to the previously used IP address, type: 0002:ip set <IP_address> Example: 0001:ipmi$ ip set 10.10.38.225 IP=10.10.38.2285 SUCCESS: ip set
  • Page 162: Dsm Ipmi Cli Commands

    SUCCESS: gateway show DSM IPMI CLI Commands The Intelligent Platform Management Interface (IPMI) provides remote access to the V6000 and V6100 hardware appliances. It allows administrators to remotely monitor appliance health (example: temperature, power consumption, physical drive status, chassis intrusion), perform cold boots (power-off and power-on), and access the DSM CLI. IPMI is not supported by the DSM virtual appliance or hardware appliances earlier than V6000/V6100.
  • Page 163: Ip Set

    Show the IPMI IP address. Syntax ip show The following example shows the IPMI network interface IP address. 0002:ipmi$ ip show IP=0.0.0.0 MAC=00:25:90:F7:12:52 SUCCESS: ip show
  • Page 164: Mask

    Example 0002:ipmi$ mask show Subnet Mask=255.255.0.0 SUCCESS: subnet mask show gateway command sets the IPMI gateway. The command includes the following elements: gateway gateway
  • Page 165: Gateway Set

    Enable or disable Dynamic Host Configuration Protocol (DHCP). Forces the IPMI IP address to be static. By default it’s off. Syntax dhcp show| dhcp enable| dhcp disable
  • Page 166: Disable

    Example 0001:dsm$ ipmi 0002:ipmi$ port enable https SUCCESS: Enable ipmi https web port disable Disable IPMI port. Syntax port disable [https | kvm | vmedia |web]
  • Page 167: Status

    Example 0002:ipmi$ port disable https SUCCESS: Disable ipmi https web port To see which ports can be configured for IPMI on the V6000/V6100 DSM hardware appliance, see "IPMI Ports" on page 172. status Check the status of IPMI ports.
  • Page 168: User Password

    Change IPMI user’s privilege. Don't assign administrative privileges to all users. Assign operator or user privilege instead. Syntax user level userID privilege_level Example user level 3 3
  • Page 169: Clearint

    2.87 A Temperature 1 35C/95F Temperature 2 40C/104F Fan 1 6560 RPM Fan 2 0 RPM DC 12V Output Power 36 W AC Input Power 43 W
  • Page 170: Reset

    System Response Do you want to reset IPMI controller? It takes about 100 seconds to reset. (yes|no)[no]: BMC cold reset successfully completed! SUCCESS: Reset IPMI hardware
  • Page 171: Selftest

    Test that the BMC chip is working. Syntax selftest Example selftest Selftest: Passed. SUCCESS: ipmi selftest version Show IPMI version. Syntax version Example version Firmware Version: 08.55 SUCCESS: ipmi show version
  • Page 172: Appendix D: Ports

    8446 is blocked. The agent establishes a secure connection to the DSM, through certificate exchange, using this port. 8444 RSA port via which the Agent log messages are uploaded to DSM, in case 8447 is Agent blocked.
  • Page 173: Ipmi Ports

    This port is disabled by default. Enable only if you want to attach virtual media. It Browser should be disabled when not in use for security reasons.
  • Page 174: Appendix E: Bonding Driver Modes

  • Page 175: Appendix F: Troubleshooting

    Reset Original Security World with Original ACS Quorum To reset the current DSM installation to its initial unconfigured state—network configuration remains intact—and retrieve the original security world, do the following;
  • Page 176: Regenerating The Dsm Certificate Authority

    What is your email address? []: What is the validity period of the generated certificate (from 2 to 10 years)? [10]: Regenerating the CA and server certificates now...
  • Page 177: Create New Security World With New Acs

    System will reboot automatically. Continue? (yes|no)[no]:yes Config reset SUCCESS. You can reboot the Security Server now or it will reboot automatically in 60 seconds.
  • Page 178 Module 1: 1 card of 2 written Module 1 slot 2: remove already-written card #1 Module 1 slot 2: empty Module 1 slot 2: unknown card
  • Page 179: Chassis Issues

    4. If you are logged into the system with root access and you are not in the CLI menu, type: # /usr/sbin/sdt -r "chassis intrusion" Alternatively, from the IPMI GUI: 1. Navigate to server health > sensor reading. 2. Change the category to Physical Security.
  • Page 180: Indicator Definitions

    Contact Technical Support if you see this message and arrange an RMA. Boot-up Issues If the DSM has boot-up issues, capture the boot-up logs through the IPMI port and provide them to the Thales technical support team. Once the IPMI has been configured on the DSM, there is a feature for recording the boot-up sequence for troubleshooting. ...
  • Page 181 Appendix F: Troubleshooting Boot-Up Messages Figure F-1: IPMI Control

This manual is also suitable for:

V6100
