
    Vormetric Transparent Encryption for AWS All-in-Cloud Installation Guide

    Document Version 4

    September 9, 2015

    Vormetric Data Security Platform

    Vormetric Data Security Platform
    Vormetric Transparent Encryption for AWS All-in-Cloud Installation Guide v4
    Copyright © 2009 - 2015 Vormetric, Inc. All rights reserved.

    NOTICES, LICENSES, AND USE RESTRICTIONS

    Vormetric is a registered trademark of Vormetric, Inc. in the United States (U.S.) and certain other countries. Microsoft, Windows, Windows XP, Windows NT, SQL Server and the Windows logo are trademarks of Microsoft Corporation in the U.S., other countries, or both. UNIX is a registered trademark of The Open Group in the U.S. and other countries. Linux is a trademark of Linus Torvalds in the U.S., other countries, or both. Oracle, Oracle ASM, Solaris, SPARC, Oracle Enterprise Linux and Java are registered trademarks of Oracle Corporation and/or its affiliates. IBM, IBM logo, ibm.com, AIX, DB2, PowerPC, DB2 Universal Database are trademarks of International Business Machines Corporation in the U.S., other countries, or both. Intel, Intel logo, Intel Xeon, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the U.S. and other countries. HP-UX is a registered trademark of Hewlett-Packard Company in the U.S., other countries, or both. Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the U.S., other countries, or both. X Window System is a trademark of the Massachusetts Institute of Technology. Red Hat and Red Hat Enterprise Linux are trademarks of Red Hat, Inc., registered in the United States and other countries. SUSE and SLES are registered trademarks of Novell, Inc. All other products described in this document are trademarks of their respective holders.

    The Software and documentation contain confidential and proprietary information that is the property of Vormetric, Inc. The Software and documentation are furnished under Vormetric's Standard Master License Software Agreement (Agreement) and may be used only in accordance with the terms of the Agreement. No part of the Software and documentation may be reproduced, transmitted, translated, or reverse engineered, in any form or by any means, electronic, mechanical, manual, optical, or otherwise. Licensee shall comply with all applicable laws and regulations (including local laws of the country where the Software is being used) pertaining to the Software including, without limitation, restrictions on use of products containing encryption, import or export laws and regulations, and domestic and international laws and regulations pertaining to privacy and the protection of financial, medical, or personally identifiable information. Without limiting the generality of the foregoing, Licensee shall not export or re-export the Software, or allow access to the Software to any third party including, without limitation, any customer of Licensee, in violation of U.S. laws and regulations, including, without limitation, the Export Administration Act of 1979, as amended, and successor legislation, and the Export Administration Regulations issued by the Department of Commerce.

    Any provision of any Software to the U.S. Government is with "Restricted Rights" as follows: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.277.7013, and in subparagraphs (a) through (d) of the Commercial Computer-Restricted Rights clause at FAR 52.227-19, and in similar clauses in the NASA FAR Supplement, when applicable. The Software is a "commercial item" as that term is defined at 48 CFR 2.101, consisting of "commercial computer software" and "commercial computer software documentation", as such terms are used in 48 CFR 12.212 and is provided to the U.S. Government and all of its agencies only as a commercial end item. Consistent with 48 CFR 12.212 and DFARS 227.7202-1 through 227.7202-4, all U.S. Government end users acquire the Software with only those rights set forth herein. Any provision of Software to the U.S. Government is with Limited Rights. Vormetric is Vormetric, Inc. at 2545 N 1st St., San Jose, CA, 95131-1003, (408) 433-6000.

    VORMETRIC, INC., PROVIDES THIS SOFTWARE AND DOCUMENTATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT OF THIRD PARTY RIGHTS, AND ANY WARRANTIES ARISING OUT OF CONDUCT OR INDUSTRY PRACTICE. ACCORDINGLY, VORMETRIC DISCLAIMS ANY LIABILITY, AND SHALL HAVE NO RESPONSIBILITY, ARISING OUT OF ANY FAILURE OF THE SOFTWARE TO OPERATE IN ANY ENVIRONMENT OR IN CONNECTION WITH ANY HARDWARE OR TECHNOLOGY, INCLUDING, WITHOUT LIMITATION, ANY FAILURE OF DATA TO BE PROPERLY PROCESSED OR TRANSFERRED TO, IN OR THROUGH LICENSEE'S COMPUTER ENVIRONMENT OR ANY FAILURE OF ANY TRANSMISSION HARDWARE, TECHNOLOGY, OR SYSTEM USED BY LICENSEE OR ANY LICENSEE CUSTOMER. VORMETRIC SHALL HAVE NO LIABILITY FOR, AND LICENSEE SHALL DEFEND, INDEMNIFY, AND HOLD VORMETRIC HARMLESS FROM AND AGAINST, ANY SHORTFALL IN PERFORMANCE OF THE SOFTWARE, OTHER HARDWARE OR TECHNOLOGY, OR FOR ANY INFRINGEMENT OF THIRD PARTY INTELLECTUAL PROPERTY RIGHTS, AS A RESULT OF THE USE OF THE SOFTWARE IN ANY ENVIRONMENT. LICENSEE SHALL DEFEND, INDEMNIFY, AND HOLD VORMETRIC HARMLESS FROM AND AGAINST ANY COSTS, CLAIMS, OR LIABILITIES ARISING OUT OF ANY AGREEMENT BETWEEN LICENSEE AND ANY THIRD PARTY. NO PROVISION OF ANY AGREEMENT BETWEEN LICENSEE AND ANY THIRD PARTY SHALL BE BINDING ON VORMETRIC.

    Protected by U.S. patents: 6,678,828; 6,931,530; 7,143,288; 7,283,538; 7,334,124

    Vormetric Data Security includes a restricted license to the embedded IBM DB2 database. That license stipulates that the database may only be used in conjunction with the Vormetric Security Server. The license for the embedded DB2 database may not be transferred and does not authorize the use of IBM or 3rd party tools to access the database directly.

    Contents

    Preface . . . i
      Documentation Version Release Notes . . . i
      Intended audience . . . i
      Scope . . . i
      Assumptions . . . ii
      Related Documents . . . ii
      Typographical Conventions . . . ii
      Guide to Vormetric Documentation . . . iii
        Core documentation . . . iii
        Specialized documentation . . . iv
        Searching through all the documents . . . v
      Vormetric Data Security Platform—Overview . . . vi
      Service Updates and Support Information . . . vii
      Sales and Support . . . vii

    1 Overview . . . 1
      Assumptions . . . 1
      Installation Process . . . 2

    2 Installing Vormetric Transparent Encryption in the Amazon VPC . . . 3
      Installing a Data Security Manager (DSM) in the Amazon VPC . . . 3
      Installing Protected Hosts in the Amazon VPC . . . 23

    3 Installing VTE in Amazon EC2 Classic . . . 29
      To install a Data Security Manager (DSM) in EC2 Classic . . . 29
      To Install Protected hosts in EC2 Classic . . . 56

    4 Installing VTE in an Amazon VPC with the AMI from Vormetric . . . 62
      To Launch a Data Security Manager (DSM) AMI in the Customer’s Amazon Account . . . 62
      Installing Protected Hosts in the Amazon VPC . . . 74

    5 Additional Help . . . 80

    Glossary . . . 83

    Preface

    This document describes how to install the Vormetric Transparent Encryption (VTE) for Amazon Web Services (AWS) in your AWS account. You may notice the platform name, Vormetric Data Security (VDS), sometimes used interchangeably with the product name, Vormetric Transparent Encryption (VTE). Vormetric Data Security refers to the platform upon which all Vormetric products are built. Vormetric Transparent Encryption refers to the specific file and raw data protection product offered by Vormetric. See “Vormetric Data Security Platform—Overview” on page vi.

    Documentation Version Release Notes

    The following table describes the documentation changes made for each document release.

    Documentation Changes

    Document Version   Date       Changes
    1.0                9/10/13    Initial Release.
    1.1                10/25/13   Added chapter on installing VDS in Amazon VPC.
    1.2                1/28/14    Removed instructions on connecting to instances using MindTerm. Suggested using PuTTY. Cleaned up minor issues. Fixed external hyperlinks.
    1.3                8/13/15    Added instructions for installing a VDS AMI in a customer’s AWS account.
    4                  9/9/15     Changed product name from Vormetric Data Firewall for AWS to Vormetric Transparent Encryption for AWS. Changed document numbering to whole numbers.

    Intended audience

    The All-in-Cloud Installation Guide is intended for system administrators who will install the Vormetric Transparent Encryption (VTE) for Amazon Web Services (AWS) in your AWS account.

    Scope

    The scope of this document is limited to the installation and configuration of Vormetric Transparent Encryption (VTE) for Amazon Web Services (AWS) in your AWS account.


    Assumptions

    This documentation assumes:

    • Knowledge and practice of using AWS.

    Related Documents

    The related documents are available to registered users on the Vormetric Web site at:

    https://support.vormetric.com

    Typographical Conventions

    This section lists the common typographical conventions for Vormetric technical publications.

    Typographical Conventions

    bold regular font
      Usage: GUI labels and options.
      Example: Click the System tab and select General Preferences.

    bold, monotype font
      Usage: commands, arguments, switches, options, variables, elements, properties, objects, parameters, events
      Example: session set appname=

    regular monotype font
      Usage: Command and code examples; XML examples
      Example: session start iptarget=192.168.253.102

    italic regular font
      Usage: GUI dialog box titles
      Example: The General Preferences window opens.
      Usage: Non-literal symbols
      Example: myport, Failover.Port
      Usage: File names, paths, and directories
      Example: /usr/bin/
      Usage: URLs and names of protocols
      Example: http://server.domain.com:90/
      Usage: Text to be replaced
      Usage: Emphasis
      Example: Do not resize the page.
      Usage: New terminology
      Example: CDF (Carousel Definition Format)

    bold italics font
      Usage: Command line variable.
      Example: # cd Vormetric_OracleTDE_Library_Path

    “quotes”
      Usage: File extensions
      Example: “.js”, “.ext”
      Usage: Attribute values
      Example: “true” “false”, “0” “1+1”
      Usage: Terms used in special senses
      Example: hot standby failover

    Guide to Vormetric Documentation

    Core documentation

    *Page count does not include Table of Contents, Preface, Glossary or Index. Pictures include blank pages.

    1. Vormetric Transparent Encryption (VTE) Getting Started Guide (~98 pages, 45% pictures). Read this first! Provides most of the general knowledge and procedures you need to protect your data with VTE. Audience: Anyone who wants to know about VTE and how to set it up.

    2. Data Security Manager (DSM) Installation and Configuration Guide (~40 pages, 25% pictures). Use this to install the Data Security Manager. Audience: Administrator who installs security hardware and software.

    3. Vormetric Transparent Encryption (VTE) Agent Installation and Configuration Guide (~40 pages, 18% pictures). Use this to install agents on the hosts you want to protect. Audience: Administrator who installs security software on hosts with data to be protected.


    4. Vormetric Data Security (VDS) Platform Administrators Guide (~304+ pages, 10% pictures). Refer to this book for detailed DSM Administrator procedures such as configuring the DSM for HA, installing license files, configuring host groups and so on. This book is divided into sections for DSM System Administrators, DSM Domain Administrators, DSM Security Administrators, VDS Host Administrators and Other Administrators. Audience: DSM Administrators and anyone using the Getting Started Guide to set up VTE who needs additional instructions.

    5. Vormetric Transparent Encryption (VTE) Data Transformation Guide (~85 pages, 20% pictures). Detailed information on 1) doing the initial encryption of your clear data, and 2) rekeying GuardPoints (key rotation).

    6. DSM Release Notes (~10 pages). Lists compatible browsers, hardware, software, resolved issues, limitations, known issues, and upgrade instructions for a particular DSM release. Audience: Anyone interested in upgrading their DSM.

    7. Release Notes for DSM, VTE Agents and other products (~10 pages each). Lists compatible operating systems, browsers, hardware, resolved and known issues, and upgrade notes. Audience: Anyone interested in upgrading their VDS products.

    Specialized documentation

    1. Vormetric Key Management (VKM) Configuration and Procedures Guide (~60 pages, 15% pictures). Describes the VDS Certificate and Key Vault, KMIP support, how to migrate the Oracle Database TDE MEK to the DSM, and how to encrypt the Microsoft SQL Server with TDE DEK with an asymmetric key stored in the DSM.

    2. Vormetric Security Intelligence Configuration Guide (~35 pages, 30% pictures). Use this to integrate your Vormetric Data Security Platform with the ArcSight ESM, Splunk, or IBM QRadar security information and event management (SIEM) systems.

    3. Vormetric Applications Encryption (VAE) Installation Guide and API Reference Guide (~80 pages, 5% pictures). For developers who want to use the VDS Platform for application encryption with Vormetric’s implementation of PKCS#11. See also the Vormetric Application Encryption Release Notes.

    4. Vormetric Protection for Teradata Database: Installation and Reference. (~27 pages, 20% pictures). For developers who want to use the VDS Platform for application encryption in a Teradata database environment.

    5. Vormetric Data Security (VDS) Platform Event and Log Messages Reference (~700 pages, 0% pictures). A listing of all the VDS Platform event and log messages with severity, long and short form, and description.

    6. Vormetric Data Security Manager (DSM) Automation Reference (~40 pages, 0% pictures). Describes the DSM Automation CLI (VMSSC) to the DSM. Allows you to automate deployments, script routine and repetitive tasks, and perform unattended batch processing. Advanced users only!


    7. Vormetric Data Security (VDS) Platform Web Services Description Language Reference (~140 pages, 0% pictures). Describes the web services available in the VDS WSDL. Intended for experienced software developers with knowledge of web services.

    8. Vormetric Tokenization: Installation, Administration, and Programming Guide. (~50 procedure pages, 50 reference pages, 15% pictures). For security professionals who want to implement tokenization in their applications.

    Searching through all the documents

    Technical information for Vormetric products can be spread across many documents. Instead of searching through each individual document to find the information you need, you can use the following procedure to search all of the VTE documents with a single search in Windows (the same process should work for UNIX/Linux):

    1. Copy all the .pdf files of a specific product into a single directory. For example, using the Vormetric Transparent Encryption:

        C:\Documents\PDFs\5.2.3>dir
        Admin_Guide_V1.pdf
        Agent_Install_&_Config_Guide_v2.pdf
        Data_Transformation_Guide_v1.pdf
        DSM_Automation_Reference_v1.pdf
        DSM_Install_Guide_v1.pdf
        Event_&_Log_Messages_Ref_v1.pdf
        GettingStarted_v1.pdf
        VSI_Reference_v1.pdf
        RN_DSM.pdf
        RN_Linux.pdf
        RN_RHEL7.pdf
        RN_UNIX.pdf
        RN_Windows.pdf
        VDSCompatibilityMatrix.pdf

    2. Bring up Adobe Reader or Adobe Acrobat.

    3. Open any pdf file from that directory: File > Open > Select File.

    4. Click Edit > Advanced Search.

    5. Under "Where would you like to search?" click "All PDF Documents in", then select the directory containing all the VTE PDF files. In this case, C:\Documents\PDFs\5.2.3

    6. In the "What word or phrase would you like to search for?" enter the search phrase and click search.

    You can do this with any set of PDF files.


    Vormetric Data Security Platform—Overview

    The Vormetric Data Security (VDS) Platform protects data-at-rest, wherever it resides. The platform solves security and compliance issues with encryption, key management, privileged user access control, and security intelligence logging. It protects data in databases, files, and Big Data nodes across public, private, hybrid clouds and traditional infrastructures.

    The platform consists of products that share a common, extensible infrastructure. At the heart of the platform is the Data Security Manager (DSM), which manages policies, keys, and the collection of security intelligence, all of which is managed and observed through your browser. In addition to the DSM, the Vormetric Data Security Platform consists of the following products:

    • Vormetric Transparent Encryption (VTE) secures any database, file, or volume across your enterprise without changing the applications, infrastructure, or user experience.

    • Vormetric Application Encryption (VAE) provides a framework to deliver application-layer encryption, such as column-level encryption in databases or encryption of specific fields in files.

    • Vormetric Tokenization replaces sensitive data in your database with unique identification symbols called tokens. This reduces the number of places where clear text sensitive data resides, and thus reduces the scope of complying with PCI DSS and corporate security policies.

    • Vormetric Key Management (VKM) centralizes the storage and management of KMIP and Transparent Data Encryption (TDE) keys as well as Vormetric and non-Vormetric encryption keys and certificates.


    • Vormetric Security Intelligence provides comprehensive logging combined with Security Information and Event Management (SIEM) systems to detect advanced persistent threats and insider threats. In addition, the logs satisfy compliance and regulatory audits.

    Service Updates and Support Information

    Vormetric's Master Software License and Hardware Purchase Agreement (“MSLA”) defines software updates and upgrades, support and services, and governs the terms under which they are provided. Any statements made in this guide or collateral documents that conflict with the definitions or terms in Vormetric's MSLA shall be superseded by the definitions and terms of the MSLA. Any references made to “upgrades” in this guide or collateral documentation can apply either to a software update or upgrade.

    Sales and Support

    For support and troubleshooting issues:

    • help.vormetric.com

    • Email questions to [email protected]

    • (877) 267-3247

    For Vormetric Sales:

    • http://enterprise-encryption.vormetric.com/contact-sales.html

    • [email protected]

    • (888) 267-3732

    1 Overview

    The Vormetric Transparent Encryption (VTE) for Amazon Web Services (AWS) consists of a separate Data Security Manager (DSM) and File System Agents that reside in your AWS protected hosts. The DSM is the central server that stores and manages the encryption keys, data access policies, administrative domains, and administrator profiles for your protected hosts. File System Agents are installed on each host containing data to be protected.

    Once you install the agent on the host and register it with the DSM it is called a protected host. DSM administrators can create data access policies for that host that specify who can access what files, at what times, with what commands, and whether that data is encrypted. The agents communicate with the DSM and enforce data access policies on that host.

    These concepts are explored further in the AWS All-in-Cloud Getting Started Guide.

    Figure 1: Vormetric Transparent Encryption Architecture with protected hosts

    Assumptions

    This documentation assumes knowledge of network configuration. The system administrator must have root permissions for the systems on which VTE software is installed.

    You need the following to complete this manual:


    • An Amazon Web Services (AWS) account and experience creating AWS Elastic Cloud Compute (EC2) instances.

    • Experience working in the command line interface of your host operating system.

    • Knowledge of how to open TCP and ICMP port connections on your protected hosts.

    Installation Process

    Installing VTE in the Amazon cloud consists of three basic steps:

    1. Installing a DSM AMI.

    2. Installing up to five host AMIs to protect.

    NOTE: VTE protects hosts running many different operating systems including various versions of Microsoft Windows, Linux and UNIX. However, the installation process described here requires that you use CentOS 6.3 for your protected hosts. For support in protecting other platforms, contact [email protected].

    3. Installing a Vormetric File System agent on each protected host.

    There are three ways to install and configure VTE, each with its own chapter of instructions:

    • If you obtained the DSM AMI through the AWS Marketplace and want to install it in an Amazon Virtual Private Cloud (VPC), see Chapter 2, “Installing Vormetric Transparent Encryption in the Amazon VPC” on page 3.

    • If you obtained the DSM AMI through Vormetric Sales and Support who placed it in your AWS account, and want to install it in an Amazon Virtual Private Cloud (VPC), see Chapter 4, “Installing VTE in an Amazon VPC with the AMI from Vormetric” on page 62.

    • If you obtained the DSM AMI through the AWS Marketplace and want to install it in an Amazon EC2 Classic platform, see Chapter 3, “Installing VTE in Amazon EC2 Classic” on page 29.

    For a discussion on the differences between the two platforms, see Amazon EC2 and Amazon Virtual Private Cloud (VPC) at http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-vpc.html.

    2 Installing Vormetric Transparent Encryption in the Amazon VPC

    This chapter describes how to install Vormetric Transparent Encryption (VTE) in the Amazon Web Services (AWS) Virtual Private Cloud (VPC). It assumes you are obtaining the DSM AMI through the AWS Marketplace. If you obtained the DSM AMI through Vormetric Sales and Support who placed it in your AWS account, and want to install it in an Amazon Virtual Private Cloud (VPC), see Chapter 4, “Installing VTE in an Amazon VPC with the AMI from Vormetric” on page 62.

    This chapter consists of the following sections:

    • “Installing a Data Security Manager (DSM) in the Amazon VPC” on page 3

    • “Installing Protected Hosts in the Amazon VPC” on page 23

    NOTE: Images and layout may have been updated by Amazon since this document was published.

    Installing a Data Security Manager (DSM) in the Amazon VPC

    Installing DSM on a VPC consists of the following procedures:

    • Create a VPC and subnet in your AWS account where you will install the DSM and protected hosts. See the Amazon Virtual Private Cloud User Guide (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html) for information on VPCs and how to create them.

    • Create an Amazon EC2 Key Pair. See Amazon EC2 Key Pairs (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html).

    • Choose 1-Click or Manual Launch with EC2 Console to launch your DSM AMI (1).

    • Launch the DSM AMI with 1-Click (2) or EC2 Console (3).

    • Configure the DSM (5).

    • Get the DSM Deployment Details (6).

    • Test the DSM installation (7).

    1. Choose a launch method for your Vormetric DSM AMI in the Amazon marketplace.


    There are two ways to launch a Vormetric DSM AMI, the 1-Click Launch and the Launch with EC2 Console.

    a. __ Go to the Amazon marketplace and search for "Vormetric". The Vormetric Data Firewall for AWS - 5 Client page appears.

    Figure 2: Vormetric AWS website

    b. __Click Continue. The Launch on EC2 page is displayed.


    Figure 3: Launch on EC2 page

    The next step describes the 1-Click Launch. If you prefer to launch with the EC2 Console, go to step 4.

    2. Launch the DSM instance with 1-Click Launch.

    (If you prefer to launch with the EC2 Console, skip this step and go to 4.)

    Before launching the instance, set the parameters in the 1-Click Launch tab:


    Figure 4: 1-Click Launch parameters

    a. Set 1-Click Launch parameters.

    __ Version. Select version.

    __ Region. Choose your desired region.

    Figure 5: Region

    __ EC2 Instance Type: Standard Large (m1.large) is the appropriate size.

    Figure 6: EC2 Instance Type

    __ VPC Settings: Choose the previously created VPC or click Create a VPC.

    Figure 7: VPC Settings

    __ Subnet. Choose the previously created subnet or click Create a subnet.


    Figure 8: Subnet Settings

    __ Security Group: Choose Create new based on seller settings. This choice will create a security group called Vormetric Data Firewall for AWS - 5 Client. The Security Group rules should be the same as shown in Table 1, “VTE Security Group Rules,” on page 11.

    Figure 9: Security Group

    __ Key Pair: Choose a previously created key pair. Make sure you have access to the key file as you will need this later.

    Figure 10: Key Pair

    b. __ Click Launch with 1-Click. An overview of the instance is displayed.


    Figure 11: Instance overview

    __ Note the Key Pair and the Instance ID. These will be used later.

    c. Go to AWS Management Console to see the instance.

    __ Search for the instance using the Instance ID.

    Figure 12: DSM instance in dashboard

    __ Give the instance a name. Right click the instance, select Add/edit tags, and type a name. For example: DSM-1.

    d. Make sure All ICMP is added to the Security Group.

    Amazon may restrict Internet Control Message Protocol (ICMP) in the default configuration, so you may have to add ICMP in the security group.

    __ In the EC2 Dashboard, click on Security Groups.


    __ In the Viewing: pulldown, select VPC Security Groups.

    __ Select the Vormetric Data Firewall for AWS 5 Client ... security group.

    __ Click the Inbound tab, click the Create a new rule pull-down, and select All ICMP.

    Figure 13: Security Group view

    __ Click Add Rule. The ICMP rule is added to the Security Group.

    __ Click Apply Rules Changes.


    Figure 14: ICMP All added to security group

    e. The DSM AMI can take 10-15 minutes to instantiate depending on the AWS load.

    Skip step 4 (Launch DSM instance with EC2 Console) since you just performed a 1-Click Launch.

    3. Allocate a new EIP address for VPCs and associate it with the DSM instance.

    This step is required for 1-Click installation.

    __ In the AWS EC2 Dashboard, click on Elastic IPs.

    __ Click Allocate New Address, select EIP used in VPC and Yes, Allocate.

    __ Select this new address, click Associate Address, select the DSM instance on which to associate the EIP and click Associate.

    __ Use this EIP address to set up your SSH session.

    4. Launch DSM instance with EC2 Console.

    If you launched with 1-Click Launch (2), skip this step.

    a. Create a new EC2 security group with the following port rules.

    Table 1: VTE Security Group Rules

    Protocol   Port (service)   Source
    ICMP       All              0.0.0.0/0
    TCP        22 (SSH)         0.0.0.0/0
    TCP        443 (HTTPS)      0.0.0.0/0
    TCP        5696             0.0.0.0/0
    TCP        7024             0.0.0.0/0
    TCP        8080 (HTTP*)     0.0.0.0/0
    TCP        8443 (HTTPS*)    0.0.0.0/0
    TCP        8444             0.0.0.0/0
    TCP        8445             0.0.0.0/0
    TCP        8446             0.0.0.0/0
    TCP        8447             0.0.0.0/0
    TCP        8448             0.0.0.0/0
    TCP        50000            0.0.0.0/0
    UDP        123              0.0.0.0/0
    UDP        161              0.0.0.0/0
    UDP        7025             0.0.0.0/0

    NOTE: The 0.0.0.0/0 sources above match the seller's default security group and make every listed port reachable from the whole Internet. Tighten them before the DSM is configured: limit SSH (22) and the management console (443) to the address range your administrators use, and limit the DSM/agent ports to the VPC CIDR or to the security group itself (the protected hosts live in the same VPC and use the same group), widening a rule only for a client that really has to reach that port from outside.

    __ In your EC2 Dashboard click on Security Groups > Create Security Group to bring up this pop-up:

    Figure 15: Create Security Group pop-up

    __ Enter a Name and Description. Select the VPC that you created for the DSM and your protected hosts. Click Yes, Create.

    b. Add the port rules.

    __ In the EC2 Dashboard, click Security Groups, then Viewing: VPC Security Groups. Select the security group you just created. Click the Inbound tab. In the Create a new rule pull-down, select All ICMP.


    Figure 16: Security Group Inbound tab

    __ Click Add Rule to add rule to the security group.

    Figure 17: Security Group Add Rule button

    __ Do this for all the ports in the table. For TCP ports, select Custom TCP rule. For UDP ports, select Custom UDP rule.


    Figure 18: Security Group with all the rules

    __ Click Apply Rule Changes.

    __ Click the Refresh button in the top right corner.
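    The following script is an added example, not part of this guide or of Vormetric's product, showing how the Table 1 rule set can be created with the AWS CLI with a narrower source on each rule than 0.0.0.0/0. It assumes (these values are not from the guide) that administrators connect from one address range, that the DSM and its protected hosts share one VPC, and that only SSH (22) and the management console (443) need to be reachable from outside that VPC; every other port is scoped to the VPC CIDR. The script never talks to AWS itself; it validates the two ranges and prints the authorize-security-group-ingress commands for you to review and run. The same split applies to the EC2 Classic table in Chapter 3, which omits ports 8446-8448.

```python
"""Added example (not from the Vormetric guide): plan the Table 1 security
group rules with the narrowest source each rule needs, then emit the
equivalent AWS CLI commands for review.

Assumptions (not from the guide): administrators connect from ADMIN_CIDR,
the DSM and its protected hosts share one VPC (VPC_CIDR), and only the
ports the guide labels as admin-facing (22 SSH, 443 HTTPS) must be reachable
from outside the VPC. Nothing here calls AWS.
"""
import ipaddress
import shlex

# Ports from Table 1. Admin ports are reached from your workstation; the
# rest carry DSM/agent traffic inside the VPC.
ADMIN_TCP = (22, 443)
VPC_TCP = (5696, 7024, 8080, 8443, 8444, 8445, 8446, 8447, 8448, 50000)
VPC_UDP = (123, 161, 7025)


def _net(cidr):
    """Parse a CIDR strictly, so a host address with a wrong mask is rejected."""
    return ipaddress.ip_network(cidr, strict=True)


def plan_rules(admin_cidr, vpc_cidr):
    """Return (protocol, port, source_cidr) tuples for the security group.

    Raises ValueError rather than silently producing an open group: the
    admin source may not be the whole Internet, and the VPC source must be
    a private range (which is what an AWS VPC CIDR is).
    """
    admin = _net(admin_cidr)
    vpc = _net(vpc_cidr)
    if admin.prefixlen == 0:
        raise ValueError("admin CIDR must not be 0.0.0.0/0")
    if not vpc.is_private:
        raise ValueError("VPC CIDR %s is not a private range" % vpc)

    rules = [("tcp", p, str(admin)) for p in ADMIN_TCP]
    rules += [("tcp", p, str(vpc)) for p in VPC_TCP]
    rules += [("udp", p, str(vpc)) for p in VPC_UDP]
    # "All ICMP" from Table 1, needed for the installer's ping checks.
    rules.append(("icmp", -1, str(vpc)))
    return rules


def to_cli(group_id, rules):
    """Render each rule as one aws ec2 authorize-security-group-ingress call."""
    cmds = []
    for proto, port, cidr in rules:
        argv = ["aws", "ec2", "authorize-security-group-ingress",
                "--group-id", group_id, "--protocol", proto,
                "--port", str(port), "--cidr", cidr]
        cmds.append(" ".join(shlex.quote(a) for a in argv))
    return cmds


def open_to_world(rules):
    """Rules whose source is the whole Internet; the list should be empty."""
    return [r for r in rules if ipaddress.ip_network(r[2]).prefixlen == 0]


if __name__ == "__main__":
    # Constructed example values (not from the guide): an admin range and a VPC.
    plan = plan_rules("203.0.113.0/24", "10.1.0.0/16")
    assert not open_to_world(plan)
    for cmd in to_cli("sg-0123456789abcdef0", plan):
        print(cmd)
```

    Run it with your own group ID and ranges, read the printed commands, then execute them; `open_to_world` is the check to keep in any later automation, so a rule with a 0.0.0.0/0 source can never be applied by accident.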

    c. __ On the Vormetric page in the AWS Marketplace, click the Launch with EC2 Console tab.


    Figure 19: Vormetric website in the AWS Marketplace

    d. __ Select your desired region and click Launch with EC2 Console.

    The Step 2: Choose an Instance Type page opens.


    Figure 20: Instance Type

    __ Click General purpose > m1.large, then click Next: Configure Instance Details.

    The Step 3: Configure Instance Details page opens.


    Figure 21: Instance details

    e. Enter Instance details. Use the following values:

    __ Network: Select the VPC that you created earlier or click Create a new VPC.

    __ Subnet: Select the subnet that you created earlier or click Create a new subnet.

    __ Check Automatically assign a public IP address to your instances. This public IP address is how you will later access the DSM to configure it and to get the DSM details.

    NOTE: Another way to access the DSM is to create an EIP used in VPC and associate it to the DSM instance after it is created.

    All other values can be kept as is.

    __ Click Next: Add Storage.


    The Step 4: Add Storage page opens.

    Figure 22: Advanced Instance Options

    f. No changes are required here.

    __ Click Next: Tag Instance.

    The Step 5: Tag Instance page opens.

    Figure 23: Tag Instance

    __ Enter a name for this instance (example: Host -1), then click Next: Configure Security Group.


    The Step 6: Configure Security Group page opens.

    Figure 24: Security groups

    g. __ Highlight the security group that you created earlier (4a) and click Review and Launch.

    h. __Review the instance parameters and click Launch.

    The Select an existing key pair or create a new key pair pop-up opens.


    Figure 25: Key pairs

    i. __ Select Choose from your existing Key Pair (if you have one) or Create a new Key Pair.

    Download the key and remember your key path (location of the .pem file) as you will need this later. Keep the file readable only by you (on Linux/UNIX, chmod 400 on the .pem file; OpenSSH refuses a private key that other users can read): anyone who holds it can log in to the DSM as ec2-user.

    __ Check the Acknowledgment checkbox and click Launch Instances.

    The instance is launched.

    j. Return to the EC2 Instances page to view your newly created instance.

    __ AWS returns you to the EC2 Management Console. Click Instances.

    Figure 26: Instance view of new DSM

    __ Search for the name of your DSM. The DSM instance is now running.

    5. Configure the DSM.

    The DSM configuration script is on the DSM instance. The script starts when you connect to your DSM instance with an SSH client. There are many ways to start an SSH session; see Connecting to Linux/UNIX Instances from Windows Using PuTTY (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html).

    NOTE: You may have to wait 10-20 minutes after the DSM is instantiated (see Figure 27) before you can make an SSH connection to the DSM. If you try to make an SSH connection and you get a pop-up that reads Connection Refused, then continue waiting.

    a. Connect an SSH client to your DSM instance and login with the user name: ec2-user. This automatically starts the DSM configuration script. Use the following values to start the SSH session.

    __ Host Name (or IP address). Use the Public DNS or an EIP address.

    Your Public DNS is displayed under the Description tab in the Instance view.


    Figure 27: Public DNS

    __ Private key path: Enter the path of the .pem (or .ppk if you are using PuTTY) file that you generated earlier (Figure 25: "Key pairs"). In the PuTTY Configuration pop-up, under Category, click the + icon next to SSH, select Auth, then enter the path to your .ppk file in the Private key file for authentication: field.

    b. __ Log in as ec2-user. This starts the configuration program. You will see a terminal window that displays the following:

    Welcome to the Vormetric Data Security Manager configuration wizard

    Please enter the information below to configure your Security Manager instance

    Add hosts to protect? (yes/no) no

    __ Enter no. The following is displayed:

    This security manager instance has been launched in AWS VPC.
    If you wish to access it by its internal host name,
    - on Unix platform, please add an entry to the /etc/hosts file
    - on Windows platform, please add an entry to the C:\WINDOWS\system32\drivers\etc\hosts file.

    The instance is going to restart now. After restarting, the security manager configuration will take about 15 minutes. Please wait for it to complete.

    Press any key to continue

    __ Press any key. The system terminates your SSH session and starts configuration.


    6. Get the DSM Deployment Details.

    The DSM Deployment Details provide all the information you need to log on to the DSM Management Console, access the DSM CLI, and install agents on your protected hosts.

    Wait for the DSM configuration to complete before accessing the deployment details. This process can take up to fifteen minutes.

    a. __ Connect to the new DSM instance with an SSH session and log in as ec2-user.

    NOTE: If you log in before DSM configuration is complete, you’ll get the message Configuration no Complete. Please try later. Then the terminal will close.

    After you log in, the DSM Deployment Details are displayed:

    login as: ec2-user
    Welcome to the Vormetric Data Security Manager.

    Data Security Manager details
    =============================
    Management console URL is https://ec2-54-208-235-131.compute-1.amazonaws.com
    Management console internal URL is https://ip-10-1-0-61.ec2.internal
    System administrator credentials are admin / Vb3]%@V$3$C2WRcY
    ALL administrator credentials are awsadmin / Qx2[S4GYB53wi
    CLI administrator credentials are cliadmin / Qa3(kpBVfu@m

    Please download the agent install script from https://awsportal.vormetric.com/downloads/agent/5.1.1/install?lic_id=FSAJTALB6TX3LPU

    The URLs and passwords shown are examples; your DSM generates its own. They are printed in the clear on your terminal and are not shown anywhere else, so record them in a password manager rather than in a ticket or chat message, and consider changing the administrator passwords after your first login. The agent install URL carries your license ID, so treat it as sensitive as well.

    __ Save these Deployment Details as you will need them later. Close the SSH terminal.

    7. Test the DSM installation.

    __ Wait a few minutes after you receive your DSM Deployment Details.

    __ Open a browser and enter the DSM URL listed in the Deployment Details. For example: https://ec2-54-208-235-131.compute-1.amazonaws.com

    __ Log in as awsadmin using the information in the Deployment details. awsadmin / Qx2[S4GYB53wi

    The Vormetric Data Security page opens.


    Figure 28: Vormetric Management Console dashboard

    If the DSM dashboard is not responsive (for example, nothing happens when you point to a drop-down menu), log off and wait a few minutes for the configuration process to complete.

    Installing Protected Hosts in the Amazon VPC

    A protected host is a host in the Amazon cloud whose data is protected by a Vormetric agent. VTE protects hosts running many different operating systems including various versions of Microsoft Windows, Linux and UNIX. However, the installation process described here requires that you use CentOS 6.3 for your protected hosts. If you would like support in protecting other platforms, contact [email protected].

    Once your DSM is installed and configured, you can create protected hosts. Installing an agent on your host involves the following steps:

    • Instantiate the host you want to protect (1).

    • Run the agent install and registration script on the host (2).

    • Verify that the protected host is registered with the DSM (3).

    • For each protected host, save the deployment information (4).

    • Repeat this process for each protected host (4).

    Gather the following information for these steps:


    __ The VPC and subnet where you installed the DSM.

    __ Agent install script URL. (See step 6.)

    __ The Security Group you created. (See 4a.)

    NOTE: Currently we only support protected hosts running CentOS 6.3. You can use any CentOS 6.3 AMI.

    1. Instantiate your protected host.

    AWS protected host instances can be of any size. For each DSM you can have up to five protected hosts.

    a. __ Log in to your Amazon account.

    b. __ Instantiate your protected host AMI (not the DSM AMI) using the following parameters (valid for either 1-Click or EC2 Console launching):

    __ Region. Choose one.

    __ EC2 Instance Type. Instances can be of any size.

    __ Network: Choose the same VPC where you installed the DSM.

    __ Subnet: Choose the same subnet where you installed the DSM.

    __ Check Automatically assign a public IP address to your instances. You will use this public IP address to access the host in subsequent steps.

    __ Tag Instance. Add a name for your protected host.

    __ Security Group. Use the same group you used when you instantiated the DSM (Figure 9 and Figure 24).

    __ Click Review and Launch.

    __ Key Pair. Choose a Key Pair that you previously created or create a new key pair and download the private key. Remember your private key path (location of the .pem/.ppk file) as you will need this later.

    __ Note the instance ID as this will be useful for the next step.

    2. Run the agent installation and registration script on the host.

    After your host instance is running (the time it takes depends on the size of the host and the AWS EC2 load), connect to it with an SSH Client to download the agent installation and registration script. This script installs the agent and registers it with the DSM.

    There are many ways to start an SSH session. See Connect to Your Amazon Instance (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html).

    a. Connect an SSH client to your host instance and log in with the user name root. Use the following parameters to launch your SSH session.

    __ Host Name (or IP address). Enter the IP address or Public DNS of the protected host.

    If you installed the host using the EC2 Console, highlight the host name in the Instances view of the EC2 Dashboard. The Public DNS is displayed under the Description tab. Figure 26 shows an example of what you should see.

    If you launched the host with 1-Click, you need to allocate a new EIP address for VPCs and associate it with the host instance:


    __ In the AWS EC2 Dashboard, click on Elastic IPs.

    __ Click Allocate New Address, select EIP used in VPC and Yes, Allocate.

    __ Select this new address, click Associate Address and select the host instance on which to associate the EIP.

    __ Use this EIP address to set up your SSH session.

    __ Private key path: Enter the path of the .pem (or .ppk if you are using PuTTY) file that you generated earlier (Figure 25: “Key pairs”).

    Some AMIs only allow you to first log in as ec2-user. If you can't log in as root, log in as ec2-user, then do a "sudo su -" in the terminal to run as root.

    b. Make sure the firewall on the protected host allows the following connections:

    ICMP   Ping    Incoming/Outgoing
    TCP    7024    Incoming
    TCP    8080    Outgoing
    TCP    8443    Outgoing
    TCP    8444    Outgoing

    c. From the SSH terminal, copy and run the agent install program.

    __ Run the following commands as root user:

    # wget -O installer --no-check-certificate <Agent_install_script_url>

    Agent_install_script_url is part of the DSM details (6.). (If the wget command fails with "wget not found," execute yum -y install wget and try again.)

    NOTE: --no-check-certificate turns off TLS certificate verification, so nothing protects this download from being altered in transit, and you are about to run it as root. Try the command without the option first; if your host does not trust the portal's certificate, fetch the script over a path you do trust (for example from your workstation) and compare checksums before running it.

    # ls installer
    # chmod +x installer
    # ./installer

    Welcome to the Vormetric Data Security agent installer
    Your instance has been launched with the following security groups:

    Please ensure that the security groups and firewall on this machine allow outgoing connections to TCP ports 8443, 8444 and 8080 and ICMP ping requests and incoming connections to TCP port 7024 and ICMP ping requests before proceeding

    Proceed? (yes/no) yes

    (Installation continues until you get the following screen output.)

    Cleaning up...
    Installing agent

    Please enter the information below to configure your agent instance
    Enter hostname of the Security Manager: ip-10-1-0-61.ec2.internal


    (Important: For "hostname of the Security Manager," use the private DNS name of the DSM, not the public DNS name. It is the host part of the Management console internal URL in your DSM Deployment Details (step 6), for example ip-10-1-0-61.ec2.internal, and it is also shown on the Management Console dashboard, Figure 28.)

    Adding host ip-10-1-0-252.ec2.internal to Data Security Manager.

    Enter password for awsadmin user on the Security Manager - &*($d($@Ed9

    (Get this from step 6, Get the DSM Deployment Details.)

    Host ip-10-1-0-252.ec2.internal added to Security Manager

    After restarting, this instance will be registered to the Security Manager hosted at ip-10-1-0-61.ec2.internal

    The instance is going to restart now. Continue? (yes/no) yes

    Type yes. The host goes down for a reboot and after a few minutes is registered with the DSM.
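    Before answering yes to the installer's security-group prompt, you can check the two things it asks you to guarantee: that the host can open TCP connections to the DSM on 8080, 8443 and 8444, and that the name you are about to enter is the private one. The script below is an added example, not part of this guide or of the Vormetric installer. It parses the Deployment Details text from step 6 (the sample embedded in it is the guide's example output, reused here as constructed test input, with the credential lines split where the guide shows them), takes the DSM host name from the internal URL, confirms that the name resolves to a private address, and attempts a connection to each port. It needs only the Python 3 standard library and makes no changes; CentOS 6.3 ships Python 2.6, so run it from a host in the VPC that has Python 3, or install Python 3 on the protected host first.

```python
"""Added example (not from the Vormetric guide): pre-flight checks for a
protected host before running ./installer. Covers what the installer asks
you to ensure: the host can reach the DSM on TCP 8080, 8443 and 8444, and
the DSM name you will type is the private one (resolves to a VPC address).

Assumes the Deployment Details from step 6 are available as text. The
SAMPLE_DETAILS below is the guide's own example output, embedded as test
input; it is not a live DSM.
"""
import ipaddress
import socket
from urllib.parse import urlparse

# Outgoing ports the installer prompt names.
DSM_PORTS = (8080, 8443, 8444)


def parse_deployment_details(text):
    """Extract the URLs and accounts the DSM prints after configuration.

    Returns a dict with 'console_url', 'internal_url', 'agent_url' and a
    'credentials' dict of role -> (user, password). Other lines are ignored.
    """
    out = {"credentials": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Management console internal URL is "):
            out["internal_url"] = line.rsplit(" ", 1)[1]
        elif line.startswith("Management console URL is "):
            out["console_url"] = line.rsplit(" ", 1)[1]
        elif " administrator credentials are " in line:
            role, creds = line.split(" administrator credentials are ", 1)
            user, password = creds.split(" / ", 1)
            out["credentials"][role.strip()] = (user.strip(), password.strip())
        elif "download the agent install script from " in line:
            out["agent_url"] = line.rsplit(" ", 1)[1]
    return out


def dsm_hostname(details):
    """Host name to give the installer: taken from the *internal* URL."""
    return urlparse(details["internal_url"]).hostname


def resolves_privately(hostname):
    """True if the name resolves only to private (VPC) addresses.

    A public name such as ec2-54-...compute-1.amazonaws.com resolves to a
    public address, which is the mistake the guide warns about.
    """
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return False
    addrs = {info[4][0] for info in infos}
    return bool(addrs) and all(ipaddress.ip_address(a).is_private for a in addrs)


def check_ports(host, ports=DSM_PORTS, timeout=3.0):
    """Map each port to True if a TCP connection to host:port succeeds."""
    result = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                result[port] = True
        except OSError:  # refused, timed out, unroutable, or name failure
            result[port] = False
    return result


def preflight(details_text, ports=DSM_PORTS):
    """Return (ok, report) for the DSM named in the deployment details."""
    host = dsm_hostname(parse_deployment_details(details_text))
    report = {"host": host,
              "private": resolves_privately(host),
              "ports": check_ports(host, ports)}
    ok = report["private"] and all(report["ports"].values())
    return ok, report


# Constructed from the sample in the guide's step 6 (not a live DSM).
SAMPLE_DETAILS = """\
Data Security Manager details
=============================
Management console URL is https://ec2-54-208-235-131.compute-1.amazonaws.com
Management console internal URL is https://ip-10-1-0-61.ec2.internal
System administrator credentials are admin / Vb3]%@V$3$C2WRcY
ALL administrator credentials are awsadmin / Qx2[S4GYB53wi
CLI administrator credentials are cliadmin / Qa3(kpBVfu@m

Please download the agent install script from https://awsportal.vormetric.com/downloads/agent/5.1.1/install?lic_id=FSAJTALB6TX3LPU
"""

if __name__ == "__main__":
    ok, report = preflight(SAMPLE_DETAILS)
    print("DSM", report["host"], "reachable" if ok else "NOT reachable", report)
```

    Paste your own Deployment Details in place of the sample; a False under "private" means you are about to hand the installer the public name, and a False for any port means the security group or the host firewall still blocks the outgoing connection the installer needs.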

    3. Verify that the protected host is registered with the DSM.

    a. __ Open a browser and enter the DSM URL. See step 6, Get the DSM Deployment Details.

    Figure 29: Management Console Login

    __ Login as awsadmin with the password from your DSM Deployment Details.The VDS Dashboard appears:


    Figure 30: VDS Dashboard

    b. Switch to domain, awsdomain.

    __ Click Domains > Switch Domains

    Figure 31: Switch domains

    You will have a domain called awsdomain.


    Figure 32: Switch to domain

    __ Select awsdomain, then click Switch to domain.

    c. View the hosts in the domain.

    __ Click Hosts > Hosts in the top menu bar to bring up the Hosts page. The new protected host is added and under Pushing Status it says Pending or Done. It may take a few minutes to complete registration. If it says N/A, then the registration did not complete. See Chapter to re-register.

    Figure 33: Hosts page

    4. Repeat the instantiation (1), agent installation and registration (2), and verification process (3) for each protected host.

    5. See the Vormetric Transparent Encryption on AWS: Getting Started Guide to learn how to use the product.

    Chapter 3: Installing VTE in Amazon EC2 Classic

    This chapter describes how to install Vormetric Data Security (VDS) in the Amazon Web Services (AWS) EC2 Classic Platform. This chapter consists of the following steps:

    • "To install a Data Security Manager (DSM) in EC2 Classic"

    • "To Install Protected hosts in EC2 Classic"

    To install a Data Security Manager (DSM) in EC2 Classic

    DSM installation in EC2 Classic consists of the following steps:

    • Create an EIP address for your DSM and any hosts you will create (2).

    • Create an AWS Identity and Access Management (IAM) user with Elastic IP (EIP) AssociateAddress permissions (3).

    • Choose a DSM AMI launch method (1-Click or EC2 Console). See 4.

    • Launch the DSM AMI using either the 1-Click (1) or EC2 Console (5).

    • Configure the DSM (6).

    • Get the DSM Deployment Details (7).

    • Test the DSM installation (8).

    These steps are described in the following sections.

    NOTE: The following AWS snapshots were current when we wrote this document. Although the images and layout may differ if Amazon changes them in the future, the concepts and content remains the same.

    1. Decide how many DSMs and protected hosts you want for this DSM installation.

    One commercial license allows you to install one DSM with five agents on your AWS hosts. Create and allocate one Elastic IP (EIP) address for each DSM and protected host in your system. For example, for one DSM with five protected hosts, you will need six EIP addresses.

    2. Create Elastic IP (EIP) addresses in your AWS account.


    EIP addresses can be created any time before you configure the DSM or protected hosts. You can create these addresses now or later in the installation process.

    a. __ Log on to your AWS account and display the Amazon Web Services.

    Figure 34: Amazon Web Services

    __ Click EC2 to open the EC2 Dashboard.


    Figure 35: EC2 Dashboard

    b. __ Click Elastic IPs to open the Elastic IPs view.


    Figure 36: Elastic IPs view

    c. __ Click Allocate New Address.

    Figure 37: Allocate New Address pop-up

    d. __ Select EIP used in: EC2. Then click Yes, Allocate.

    An unassigned EIP address appears in your Elastic IP view.

    Figure 38: New EIP address

    e. __ Repeat until you have the desired number of EIP addresses.

    __ Note your EIP addresses, as you will need them during the DSM and host configuration processes.

    IMPORTANT: Once an EIP address is assigned to an instance, do not release or reuse it until the instances are terminated.

    3. Create an Identity and Access Management User (IAM) user with EIP AssociateAddress permissions

    VDS requires an IAM user so that the agents and the DSM can communicate reliably (see the Amazon Web Services IAM page, http://aws.amazon.com/iam/, for more information). Specifically, the DSM instance needs a host name that maps to a consistent IP address. To maintain IP address consistency, you must have an IAM user with EIP AssociateAddress permissions.

    a. __ Log on to your AWS account and go to the Amazon Web Services page.

    Figure 39: Amazon Web Services

    __ Click IAM. The IAM Dashboard appears.


    Figure 40: IAM Dashboard

    b. Create a new IAM user.

    __ Click Users to display the Users view.

    Figure 41: Users view showing IAM users

    __ Click Create New Users to display the Create User pop-up.

    Figure 42: Create User pop-up

    __ Enter a user name, for example, DSM-Install.

    __ Make sure Generate an access key for each User is checked.

    __ Click Create (no need to create a password).


    __ Click Show User Security Credentials to display the new IAM user credentials (Access Key ID and Secret Access Key). Copy and save these in a safe place; the Secret Access Key is shown only once, and it lets its holder re-point Elastic IPs in your account, so store it like a password and give it only to the DSM and hosts that need it. You will need this when you configure the DSM and hosts. You can also click Download Credentials to save it on your computer.

    Figure 43: IAM User Credentials

    __ Click Close Window.

    The Users view is displayed with the new user.

    Figure 44: Users view showing a new IAM user

    c. Give the new user EIP AssociateAddress permissions.

    __ Select the checkbox next to the new user name and click the Permissions tab.


    Figure 45: IAM User Permissions view

    __ Click Attach User Policy. The Manage User Permissions pop-up is displayed.

    Figure 46: Manage User Permissions pop-up

    d. Set EIP AssociateAddress permissions.

    __ Click Custom Policy, then Select. The Policy Name and Policy Document text fields appears.


    Figure 47: Granting AssociateAddress permissions

    __ In Policy Name, type in a name (for example, Vormetric_EIP_Policy).

    __ In Policy Document, copy and paste the following:

    {
      "Statement": [
        {
          "Action": ["ec2:AssociateAddress", "ec2:DescribeAddresses"],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

    These two actions are all the DSM needs, but with Resource "*" the key can re-associate any Elastic IP in the account with any instance. Attach nothing else to this user, and keep its access key off every machine other than the DSM and protected hosts that use it.

    __ Click Apply Policy.

    You now have an IAM user named DSM-Install with EIP AssociateAddress permissions. IMPORTANT: Do not delete or modify this user until the instance is terminated.

    4. Go to the Vormetric website in the Amazon marketplace and choose a launch method for your Vormetric DSM AMI.

    There are two ways to launch a Vormetric DSM AMI, the 1-Click Launch and the Launch with EC2 Console. We recommend the 1-Click Launch because it's a bit simpler.

    a. __ Go to the Amazon marketplace and search for "Vormetric". The Vormetric Data Firewall for AWS - 5 Client page appears.


    Figure 48: Vormetric AWS website

    b. __Click Continue. The Launch on EC2 page is displayed.


    Figure 49: Launch on EC2 page

    The recommended 1-Click Launch is described in the next step. If you want to launch with the EC2 Console, skip the next step and go to step 5.

    1: Launch the DSM instance with 1-Click Launch. (Skip this step if you want to launch with the EC2 Console.)

    Before launching the instance, set the parameters in the 1-Click Launch tab:


    Figure 50: 1-Click Launch parameters

    a. Set 1-Click Launch parameters:

    __ Version. Select version.

    __ Region. Choose your desired region.

    Figure 51: Region

    __ EC2 Instance Type: m1.large is the appropriate size for the DSM.


    Figure 52: EC2 Instance Type

    __ VPC Settings: Choose EC2 Classic (no VPC)

    Figure 53: VPC Settings

    __ Security Group: Choose Vormetric Data Firewall for AWS - 5 Client. If this doesn't exist, choose Create new based on seller settings. This choice will create a security group called Vormetric Data Firewall for AWS - 5 Client. The security group you end up with should have the port configuration shown in Table 1. The seller settings open every port to 0.0.0.0/0, so tighten the sources afterwards as described under Table 1.


    Figure 54: Security Group

    __ Key Pair: Choose a key pair that you created. Make sure you have access to the key file as you will need this later.

    Figure 55: Key Pair

    b. __ Click Launch with 1-Click. An overview of the instance is displayed.

    Figure 56: Instance overview

    __ Note the Key Pair, Instance ID and the Security Group. These will be used later.

    c. Go to AWS Management Console to see the instance.

    Search for the instance using the Instance ID.


    Figure 57: DSM instance in dashboard

    __ Give the instance a name. Right click the instance, select Add/edit tags, and type a name. For example: DSM-1.

    d. Add All ICMP to the Security Group.

    Amazon restricts Internet Control Message Protocol (ICMP) in the default configuration, so you must add ICMP to the security group as described below.

    __ In the EC2 Dashboard, click on Security Groups.

    __ Select the Vormetric Data Firewall security group.

    __ Click the Inbound tab, click the Create a new rule pull-down, and select All ICMP.

    Figure 58: Security Group view

    __ Click Add Rule, then click Apply Rule Changes. The All ICMP rule is added to the Security Group.

    Figure 59: ICMP All added to security group

    NOTE: The DSM AMI can take 10-15 minutes to instantiate depending on the AWS load.

    Skip the next step since you won't need to launch with EC2 Console.

    5. Launch DSM instance with EC2 Console. (If you launched with 1-Click Launch, skip this step.)

    a. Create a new EC2 security group with the following port rules:

    Table 1: DSM Security Group Port Rules

    Protocol   Port (service)   Source
    ICMP       All              0.0.0.0/0
    TCP        22 (SSH)         0.0.0.0/0
    TCP        443 (HTTPS)      0.0.0.0/0
    TCP        5696             0.0.0.0/0
    TCP        7024             0.0.0.0/0
    TCP        8080 (HTTP*)     0.0.0.0/0
    TCP        8443 (HTTPS*)    0.0.0.0/0
    TCP        8444             0.0.0.0/0
    TCP        8445             0.0.0.0/0
    TCP        50000            0.0.0.0/0
    UDP        123              0.0.0.0/0
    UDP        161              0.0.0.0/0
    UDP        7025             0.0.0.0/0

    __ In your EC2 Dashboard click on Security Groups > Create Security Group to bring up this pop-up:

    Figure 60: Create Security Group pop-up

    __ Type in a Name and Description. For example, VDS_Security_Group. Select No VPC. Click Yes, Create.

    b. Add the port rules.

    __ In the EC2 Dashboard, click Security Groups, then Viewing: VPC Security Groups. Select the security group you just created. Click the Inbound tab. In the Create a new rule pull-down, select All ICMP.

    Figure 61: Security Group Inbound tab

    __ Click Add Rule to add the rule to the security group.

    Figure 62: Security Group Add Rule button

    __ Do this for all the ports in Table 1 on page 44. For TCP ports, select Custom TCP rule. For UDP ports, select Custom UDP rule.

    Figure 63: Security Group with all the rules

    __ Click Apply Rule Changes.

    __ Click the Refresh button in the top right corner.
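    The port set in Table 1 (the same set the VPC chapter's security-group table repeats) is easy to get wrong by hand in the console, so here is an added example, not from the guide or from Vormetric, that builds the rules in the IpPermissions shape boto3's authorize_security_group_ingress takes and audits a describe_security_groups entry against the table. It runs offline on a constructed group; the ADMIN_PORTS set (which rules to flag when open to 0.0.0.0/0) is this example's assumption.

```python
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, int, int]  # (IpProtocol, FromPort, ToPort) as EC2 encodes them

# Table 1, "DSM Security Group Port Rules", transcribed from the guide.
# EC2 encodes "All ICMP" as FromPort/ToPort -1.
DSM_PORT_RULES: List[Rule] = [
    ("icmp", -1, -1),
    ("tcp", 22, 22),        # SSH
    ("tcp", 443, 443),      # HTTPS
    ("tcp", 5696, 5696),
    ("tcp", 7024, 7024),
    ("tcp", 8080, 8080),    # HTTP*
    ("tcp", 8443, 8443),    # HTTPS*
    ("tcp", 8444, 8444),
    ("tcp", 8445, 8445),
    ("tcp", 50000, 50000),
    ("udp", 123, 123),
    ("udp", 161, 161),
    ("udp", 7025, 7025),
]

# SSH and management-console ports an operator would rather not leave open
# to 0.0.0.0/0. This set is an assumption of this example, not the guide's.
ADMIN_PORTS = {("tcp", 22), ("tcp", 443), ("tcp", 8443)}


def build_ip_permissions(source_cidr: str = "0.0.0.0/0") -> List[Dict]:
    """Return the IpPermissions list for authorize_security_group_ingress.

    The guide uses 0.0.0.0/0 for every rule; pass a narrower CIDR to limit
    the source without changing the port set.
    """
    return [
        {
            "IpProtocol": proto,
            "FromPort": lo,
            "ToPort": hi,
            "IpRanges": [{"CidrIp": source_cidr}],
        }
        for proto, lo, hi in DSM_PORT_RULES
    ]


def rules_in(ip_permissions: List[Dict]) -> Dict[Rule, Set[str]]:
    """Flatten an IpPermissions list to {(proto, from, to): {cidr, ...}}."""
    found: Dict[Rule, Set[str]] = {}
    for perm in ip_permissions:
        # An "all traffic" rule (IpProtocol "-1") carries no port fields.
        key = (perm["IpProtocol"], perm.get("FromPort", -1), perm.get("ToPort", -1))
        cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
        found.setdefault(key, set()).update(cidrs)
    return found


def audit_security_group(sg: Dict) -> Dict[str, List[Rule]]:
    """Check one describe_security_groups() entry against Table 1.

    Returns the Table 1 rules that are absent (the DSM or its agents will
    not be reachable) and the admin rules open to the whole Internet.
    """
    present = rules_in(sg.get("IpPermissions", []))
    missing = [rule for rule in DSM_PORT_RULES if rule not in present]
    world_open = [
        rule for rule in DSM_PORT_RULES
        if (rule[0], rule[1]) in ADMIN_PORTS
        and "0.0.0.0/0" in present.get(rule, set())
    ]
    return {"missing": missing, "world_open": world_open}


# Constructed sample shaped like a describe_security_groups() entry, built
# from Table 1 with the last rule (UDP 7025) left out.
SAMPLE_GROUP = {"GroupName": "VDS_Security_Group",
                "IpPermissions": build_ip_permissions()[:-1]}
```

    Passing the audit result for a real group (ec2.describe_security_groups(GroupNames=[...])["SecurityGroups"][0]) shows both the rules still to add and the ones worth narrowing after the DSM is reachable.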

    c. __ On the Vormetric website in the AWS Marketplace, click the Launch with EC2 Console tab.

    Figure 64: Vormetric website in the AWS Marketplace

    d. __ Select your desired region and click Launch with EC2 Console.

    Step 2: Choose an Instance Type opens.


    Figure 65: Instance Type

    __ Click General purpose > m1.large, then click Next: Configure Instance Details.

    Step 3: Configure Instance Details opens.


    Figure 66: Instance details

    e. Enter instance details. Use the following values:

    __ Network: Select Launch into EC2-Classic.

    All other values can be kept as is.

    __ Click Next: Add Storage.

    Step 4: Add Storage opens.

    Figure 67: Advanced Instance Options

    f. No changes are required for VDS in Step 4: Add Storage.

    __ Click Next: Tag Instance. Step 5: Tag Instance opens.

    Figure 68: Tag Instance

    __ Enter a name for this instance (example: DSM-1), then click Next: Configure Security Group.

    Step 6: Configure Security Group opens.


    Figure 69: Security groups

    __ Click Select an existing security group, then select the security group that you had created earlier (5a.) and click Review and Launch.


    Step 7: Review Instance Launch opens.

    Figure 70: Review Instance Launch

    g. __ Review the instance parameters and click Launch.

    Select an existing key pair or create a new key pair pop-up opens.

    Figure 71: Key pairs

    h. __ Select Choose from your existing Key Pair (if you have one) or Create a new Key Pair.


    Download the key and remember your key path (location of the .pem file) as you will need this later.

    __ Check the Acknowledgment checkbox and click Launch Instances.

    The instance is launched.

    i. Return to the EC2 Instances page to view your newly created instance.

    __ AWS returns you to the EC2 Management Console. Click Instances.

    Figure 72: Instance view of new DSM

    __ Search for the name of your DSM. The DSM instance is now running.

    6. Configure the DSM.

    The DSM configuration script is on the DSM instance. The script starts when you connect to your DSM instance with an SSH client. There are many ways to start an SSH session; see Connect to Your Amazon Instance.

    NOTE: You may have to wait 10-20 minutes after the DSM is instantiated before you can make an SSH connection to the DSM. If you try to make an SSH connection and you get a pop-up that reads Connection Refused, then continue waiting.

    a. Connect an SSH client to your DSM instance and log in with the user name ec2-user. This automatically starts the DSM configuration script. Use the following values to start the SSH session.

    __ Host Name (or IP address). Enter the IP address or Public DNS.

    Your Public DNS is displayed under the Description tab in the Instance view. See Figure 27: “Public DNS”.

    __ Private key path: Enter the path of the .pem (or .ppk if you are using PuTTY) file that you generated earlier (Figure 71: “Key pairs”). In the PuTTY Configuration pop-up, under Category, click the + icon next to SSH, select Auth, then enter the path to your .ppk file in the Private key file for authentication: field.

    http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html

    b. __ Log in as ec2-user. This starts the configuration script.

    As soon as a successful SSH connection is made, the DSM configuration script runs and you will see a terminal window like this:

    Figure 73: Entering DSM configuration information

    c. Enter the data requested by the DSM configuration script to start configuration. This data was created in earlier steps.

    Enter the following when prompted:

    __ IAM user access key and secret key (Figure 43: “IAM User Credentials”).

    __ Elastic IP address (Figure 38: “New EIP address”)

    __ When asked: "Add hosts to protect?" type no and press Enter.

    The terminal displays the following:

    The public IP address of this instance is going to change to The instance is going to restart now. After restarting, the security manager configuration will take about 15 minutes. Please wait for it to complete.

    Press any key to continue

    __ Press any key. The system terminates your SSH session and starts configuration.

    7. Get the DSM Deployment Details

    The DSM Deployment Details provide all the information you need to log on to the DSM Management Console, access the DSM CLI, and install agents on your protected hosts.

    Wait for the DSM configuration to complete before accessing the deployment details. This process can take up to fifteen minutes.

    a. __ Connect to the new DSM instance with an SSH session and log in as ec2-user.

    After you successfully log in, the DSM Deployment Details are displayed:

    login as: ec2-user
    Welcome to the Vormetric Data Security Manager.

    Data Security Manager details
    =============================
    Management console URL is https://ec2-54-208-235-131.compute-1.amazonaws.com
    Management console internal URL is https://ip-10-1-0-61.ec2.internal
    System administrator credentials are admin / Vb3]%@V$3$C2WRcY
    ALL administrator credentials are awsadmin / Qx2[S4GYB53wi
    CLI administrator credentials are cliadmin / Qa3(kpBVfu@m

    Please download the agent install script from https://awsportal.vormetric.com/downloads/agent/5.1.1/install?lic_id=FSAJTALB6TX3LPU

    __ Save these Deployment Details as you will need them later.

    NOTE: Once an EIP address is assigned to an instance, do not release or reuse it until the instances are terminated.

    8. Test the DSM installation.

    __ Wait a few minutes after you receive your DSM Deployment Details.

    __ Open a browser and enter the DSM URL listed in the Deployment Details. For example, https://ec2-54-208-235-131.compute-1.amazonaws.com

    __ Log in as awsadmin using the information in the Deployment details. For example: awsadmin / Qx2[S4GYB53wi

    The Vormetric Data Security page opens.


    Figure 74: Vormetric DSM banner page

    If the DSM dashboard is not responsive (for example, nothing happens when you point to a drop-down menu), log off and wait a few minutes for the configuration process to complete.

    To Install Protected Hosts in EC2 Classic

    Once your DSM is installed and configured, you can create protected hosts. A protected host is a host in the Amazon cloud whose data is protected by a Vormetric agent. Installing an agent on your host involves the following steps:

    • Instantiate the host you want to protect (1).

    • Create an EIP address for each host you instantiate (see step 2, Create Elastic IP (EIP) addresses in your AWS account. on page 29).

    • Run the agent install and registration script on the host (2).

    • Verify that the protected host is registered with the DSM (3).

    • For each protected host, save the deployment information (4).

    • Repeat this process for each protected host (5).

    Gather the following to complete these steps:

    __ Agent install script URL (See step 7, Get the DSM Deployment Details on page 54).

    __ IAM user access key and secret key (See step 3, Create an Identity and Access Management User (IAM) user with EIP AssociateAddress permissions on page 32).

    __ Elastic IP address (See step 2, Create Elastic IP (EIP) addresses in your AWS account. on page 29).

    __ A CentOS 6.3 AMI.

    1. Instantiate your protected host.

    AWS protected host instances can be of any size, but the installation process described in this guide requires that you use CentOS 6.3 for your protected host. If you would like support in protecting other platforms, contact [email protected]. For each DSM you can have up to five protected hosts.

    a. __ Log in to your Amazon account.

    b. __ Instantiate your host AMI (not the DSM AMI) using the following parameters (valid for either 1-Click or EC2 launching):

    __ Region. Choose one.

    __ EC2 Instance Type. Instances can be of any size.

    __ Network: Choose Launch into EC2-Classic.

    __ Tag Instance. Add a name for your protected host.

    __ Security Group. Use the same group you used when you instantiated the DSM (Figure 54 and Figure 69). If you launched the DSM with 1-Click Launch, choose Vormetric Data Firewall for AWS. If you launched the DSM with the EC2 Console and manually created the security group, choose the security group that you manually created.

    __ Click Review and Launch.

    __ Key Pair. Choose a Key Pair that you previously created or create a new key pair and download the private key. Remember your private key path (location of the .pem file) as you will need this later.

    __ Note the instance ID as this will be useful for the next step.

    2. Run the agent installation and registration script on the host. The location of this script is provided in the DSM Details. See step 7.

    After your host instance is running (the time it takes depends on the size of the host and the AWS EC2 load), connect to it with an SSH Client to download the agent installation and registration script. This script installs the agent and registers it with the DSM.

    There are many ways to start an SSH session. See Connect to Your Amazon Instance.

    a. Launch an SSH client to your host instance and log in with the user name root. Use the following parameters to launch your SSH session.

    __ Host Name (or IP address). Enter the IP address or Public DNS of the protected host.

    __ Private key path: Enter the path of the .pem (or .ppk if you are using PuTTY) file that you generated earlier. (See Figure 71: “Key pairs”.)

    Some AMIs only allow you to first log in as ec2-user. If you can't log in as root, log in as ec2-user, then do a "sudo su -" in the terminal to run as root.

    b. Make sure the firewall on this host allows the following connections:

    Protocol   Port   Direction
    ICMP       Ping   Incoming/Outgoing
    TCP        7024   Incoming
    TCP        8080   Outgoing
    TCP        8443   Outgoing
    TCP        8444   Outgoing

    c. From the SSH terminal, copy and run the agent install program.

    __ Run the following commands as root user:

    # wget -O installer --no-check-certificate Agent_install_script_url

    Agent_install_script_url is part of the DSM details (step 7). Note that --no-check-certificate disables TLS certificate verification for this download. (If the wget command fails with "wget not found," execute yum -y install wget and try again.)

    # ls installer
    # chmod +x installer
    # ./installer

    Welcome to the Vormetric Data Security agent installer
    Your instance has been launched with the following security groups:

    http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html

    Please ensure that the security groups and firewall on this machine allow outgoing connections to TCP ports 8443, 8444 and 8080 and ICMP ping requests and incoming connections to TCP port 7024 and ICMP ping requests before proceeding

    Proceed? (yes/no) yes

    (Installation continues until you get the following screen output.)

    Cleaning up... Installing agent

    Please enter the information below to configure your agent instance Enter hostname of the Security Manager: ec2-54-221-233-78.compute-1.amazonaws.com

    (Important: For “hostname of the Security Manager,” get the hostname from your DSM banner page. An example of the banner page is shown in Figure 74: “Vormetric DSM banner page”.)

    Enter IAM user access key - AKIAJ5EORN6MFQUIDWMGA

    See step 3, Create an Identity and Access Management User (IAM) user with EIP AssociateAddress permissions on page 32.

    Enter IAM user secret key - 2qpXcK/K4YIj7I6h/clgjK34jkKWbNa/ZYz69PQ

    See step 3, Create an Identity and Access Management User (IAM) user with EIP AssociateAddress permissions on page 32.

    Enter Elastic IP - 54.204.19.103

    This is the EIP you created for a protected host, not the EIP for the DSM. See step 2, Create Elastic IP (EIP) addresses in your AWS account. on page 29

    Adding host ec2-54-204-19-103.compute-1.amazonaws.com to Data Security Manager.

    Enter password for awsadmin user on the Security Manager - Zs4{&SKqL]!aj

    Get the password from your DSM deployment details. See step 7, Get the DSM Deployment Details on page 54.

    Host ec2-54-204-19-103.compute-1.amazonaws.com added to Security Manager

    The IP address of this instance is going to change to 54.204.19.103 and host name is going to change to ec2-54-204-19-103.compute-1.amazonaws.com.
    After restarting, this instance will be registered to the Security Manager hosted at ec2-54-204-10-124.compute-1.amazonaws.com

    The instance is going to restart now. Continue? (yes/no) yes

    The host reboots and after a few minutes is registered with the DSM.

    3. Verify that the protected host is registered with the DSM.

    Registration can take up to 15 minutes.

    a. __ Open a browser and enter the DSM URL. See step 5, Repeat this process for each protected host. on page 61.

    Figure 75: Management Console Login

    __ Log in as awsadmin with the password from your DSM Deployment Details. The VDS Dashboard appears:

    Figure 76: VDS Dashboard

    b. Switch to domain, awsdomain.

    __ Click Domains > Switch Domains

    Figure 77: Switch domains

    You will have a domain called awsdomain.


    Figure 78: Switch to domain

    __ Select awsdomain, then click Switch to domain.

    c. View the hosts in the domain.

    __ Click Hosts > Hosts in the top menu bar to bring up the Hosts page. The new protected host is added and under Pushing Status it says Done. It may take a few minutes to complete registration. If it says N/A, then the registration did not complete. See Chapter to re-register.

    Figure 79: Hosts page

    4. For each protected host, save the deployment information.

    __ The Key Pair used to instantiate the host. For example: VODKey

    __ The DNS public name of the protected host. For example: ec2-54-221-239-78.compute-1.amazonaws.com

    5. Repeat this process for each protected host.

    6. See the Vormetric Data Security on AWS: Getting Started Guide to learn how to use the product.

    4 Installing VTE in an Amazon VPC with the AMI from Vormetric

    This chapter describes how to install Vormetric Transparent Encryption (VTE) from the DSM AMI placed in a customer’s Amazon Web Services (AWS) account into an Amazon VPC. The previous two chapters, “Installing Vormetric Transparent Encryption in the Amazon VPC” on page 3 and “Installing VTE in Amazon EC2 Classic” on page 29, describe how to install VTE from the AWS Marketplace in a new VPC or EC2 Classic environment. In this situation, Vormetric is sharing the VTE AMI with the customer’s account number.

    This chapter consists of the following steps:

    • “To Launch a Data Security Manager (DSM) AMI in the Customer’s Amazon Account” on page 62

    • “Installing Protected Hosts in the Amazon VPC” on page 74

    NOTE: Screen shots may have been updated by Amazon since this document was published.

    To Launch a Data Security Manager (DSM) AMI in the Customer’s Amazon Account

    The DSM is the central component of VTE. The first step in implementing VTE is to deploy the DSM AMI in your AWS VPC.

    1. Obtain the DSM AMI from Vormetric.

    The AMI can be found in the AWS Dashboard at EC2 >IMAGES > AMIs > Private images:


    Figure 80: DSM AMI location.

    2. Make sure your VPC DNS resolution and DNS hostnames parameters are set to yes.

    Go to the AWS VPC Dashboard. Select the VPC where you will install the DSM AMI. If DNS resolution and DNS hostnames are not set to yes, click Actions > Edit, and change both values to yes.

    3. Create a new EC2 security group with the following port rules.

    Table 1: VTE Security Group Rules

    Protocol   Port (service)   Source
    ICMP       All              0.0.0.0/0
    TCP        22 (SSH)         0.0.0.0/0
    TCP        443 (HTTPS)      0.0.0.0/0
    TCP        5696             0.0.0.0/0
    TCP        7024             0.0.0.0/0
    TCP        8080 (HTTP*)     0.0.0.0/0
    TCP        8443 (HTTPS*)    0.0.0.0/0
    TCP        8444             0.0.0.0/0

    a. In your EC2 Dashboard click on Security Groups > Create Security Groups to bring up this pop-up:

    Figure 81: Create Security Group pop-up

    Enter a Name and Description for your Security Group, then click Yes, Create.

    b. Add the port rules.

    In the EC2 Dashboard, click Security Groups, then