Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

back

Install Virtual CipherTrust Manager

Deploying with Cloud-init

search

Please Note:

Deploying with Cloud-init

The Virtual CipherTrust Manager supports initial boot time configuration using cloud-init. On first boot, the appliance can be passed a configuration text file, known as a user-data file. The Virtual CipherTrust Manager reads this file to retrieve various configuration settings. To plan your configuration settings in the user-data file, see Plan Configuration Settings for Deploying with Cloud-Init.

How a cloud-init configuration file is passed to the Virtual CipherTrust Manager appliance depends on the environment in which it runs. Below are examples for each of the supported environments.

Cloud-init configuration (user-data) files uses YAML syntax; indentation is important and tabs can not be used.

Passing the cloud-init file in AWS

When launching the instance from AWS web , at Step 3 - Configure Instance Details, select 'As file' in the 'User data' section and browse to 'config.dat' file. Then continue with the rest of the launch steps.

If launching the instance using AWS CLI, then use the '--user-data' parameter with the run-instances command. Use the 'file://' prefix to pass in the user data from 'config.dat' file.

Verify the user data is 16KB or less, otherwise it will be ignored by AWS. If it is larger then remove unnecessary whitespace (e.g. ident lines with a single space) and comments.

Passing the cloud-init file in Azure

When launching the Azure instance using Azure CLI, use the '-d' or '--custom-data' flag with the vm create command to pass in the user data from 'config.dat' file.

Passing the cloud-init file for a Private Cloud Image

When using the disk image, how the cloud-init data is passed to CipherTrust Manager depends on the virtualization platform - please refer to documentation or notes for your specific cloud environment.

The following are two examples of passing cloud-init data when using a disk image, one using 'libvirt' and one using VMware/vSphere.

Example using 'libvirt'

When launching a virtual machine with the Qcow2 image using 'libvirt', the cloud-init data has to be passed in as an ISO file. The ISO can be generated as follows:

  1. Prepare the user-data file as follows:

    1. Rename the file config.data to user-data.

    2. Because the user's SSH key is used for wrapping a layer of encryption keys, it must be added to the cloud-init config. So, the 'user-data' file should look like:

      1
      2
      3
      4
      5
      6
          #cloud-config
          hostname: <host name for the instance>
          diskenc:
            encrypt: true
          ssh_authorized_keys:
            - <replace with user ssh public key>
      

      'ssh_authorized_keys' can be configured with multiple ssh public keys.

  2. Create a meta-data file and provide instance parameters, for example:

    instance-id: <some instance id>
    
  3. Create an ISO image file:

    1. Make sure genisoimage utility is installed.

    2. Create the ISO file.

      genisoimage -o config.iso -volid cidata -joliet -rock user-data meta-data
      
  4. Launch instance using virt-install. OpenStack example:

    virt-install --virt-type kvm --name <virtual image name> --ram 2048 --disk path=<path to keysecure qcow2 image>,size=16,format=qcow2 --disk path=<path to config.iso> --network network=default --graphics vnc,listen=0.0.0.0 --noautoconsole --os-type=linux --os-variant= ubuntu16.04 --import
    

Example using VMware/vSphere

This example describes how to deploy CipherTrust Manager on VMware with a static IP configuration. In general, if you have virtual machines you intend to use frequently or for extended periods of time, it can be convenient to assign a static IP address, or configure DHCP server to always assign the same IP address, to each of these virtual machines.

For virtual machines that you do not expect to keep for extended periods of time, use DHCP and let it allocate P addresses for these machines.

Use the following procedure to deploy CipherTrust Manager on VMware with a static IP configuration.

This procedure includes preparation of a cloud-init configuration file used to set up a static IP address during launch of the CipherTrust Manager.

  1. Get CipherTrust Manager installation file for VMware from Gemalto Support Portal.

  2. Deploy OVA in ESXi Server.

    1. Select “Deploy OVF Template”.

    2. On the Select an OVF template page, choose OVA file and select NEXT.

    Deploy Template

  3. On the Select a name and folder page, select the name of the virtual machine and its location.

  4. Validate the CipherTrust Manager Virtual Machine Configuration. On the Select a compute resource page, select the destination compute resource (if applicable).

    error

    If you see the above error, please perform the following steps:

    1. Use ovftool.exe to convert ova file into uncompressed file(s).

      Execute the following command:

      ovftool.exe --lax <source_OVA_file> <destination_OVF_file>
      

      OVF with compressed disk is not supported on newer version of Vsphere client. It may work on older versions.

    2. Repeat Step 2 with a new installer file.

  5. On the Review details page, verify the template details of the CipherTrust Manager image and if correct, select NEXT.

    Review Details

    1. On the Select storage page, select the storage location to install the CipherTrust Manager and then select NEXT.

    2. On the Select network page, select the network and then select FINISH.

      Do not launch/start the machine at this time.

  6. Prepare the cloud-init configuration.

    1. Add a CD drive to the VM.

      CD Drive

    2. Before booting up the VM, prepare the cloud-init configuration. The following cloud-init example configures the VM's ens32 port with a static IP address. Copy this example and edit it for your desired network settings.

       1
       2
       3
       4
       5
       6
       7
       8
       9
      10
      #cloud-config
      keysecure:
          netcfg:
              iface:
                  name: ens32
                  type: static
                  address: 192.168.1.150
                  netmask: 255.255.255.0
                  gateway: 192.168.1.1
                  dns1: 192.168.1.100
      

      Cloud-init configuration files use YAML syntax; indentation is important and tabs cannot be used.

    3. Convert the string to base64. To convert to base64, use the openssl command:

      openssl base64 -in <infile> -out <outfile>
      
    4. Save this base64 string to use in next steps.

  7. Add the base64 configuration to the VM. This step shows vSphere web client (Flash) version as demonstration. You may find similar options in other clients.

    1. Select: virtual machine > Configure > Settings > vApp Options

      vAppOptions

    2. Press Edit button on the top right on this page.

    3. Under OVF Settings, select the ISO Image check box, which is next to OVF environment transport.

      ISO Image

    4. On the same page, expand “Properties” to add configuration.

      Properties

    5. Press the New button to add a property for the configuration. On following screen, there are two fields which need to be changed.

      • Label: user-data

      • Default value: <base64 string of configuration, generated in step6-b>

      Key ID will change automatically when you change Label.

      Edit Properties

    6. Press OK to save the Property Settings.

    7. Then press OK again to save the vApp Options page.

  8. Launch the instance. The VM should boot up configured with a static IP.