CloudLink Amazon Web Services Deployment Guide

Transcription

1 June 2014

2 Notice THIS DOCUMENT CONTAINS CONFIDENTIAL AND TRADE SECRET INFORMATION OF AFORE SOLUTIONS INC AND ITS RECEIPT OR POSSESSION DOES NOT CONVEY ANY RIGHTS TO REPRODUCE OR DISCLOSE ITS CONTENTS, OR TO MANUFACTURE, USE, OR SELL ANYTHING THAT IT MAY DESCRIBE. REPRODUCTION, DISCLOSURE, OR USE IN WHOLE OR IN PART WITHOUT THE SPECIFIC WRITTEN AUTHORIZATION OF AFORE IS STRICTLY FORBIDDEN. The information furnished herein is believed to be accurate and reliable to the best of our knowledge. However, AFORE Solutions, Inc. assumes no responsibility for its use, or for any infringements of patents or other rights of third parties resulting from its use. AFORE Solutions, Inc. reserves the right to, without notice, modify all or part of this document and/or change product features or specifications and shall not be responsible for any loss, cost, or damage, including consequential damage, caused by reliance on these materials. If you are in any doubt as to whether this is the correct version of the manual for a particular release, contact the AFORE Solutions, Inc. Trademarks AFORE Solutions and the AFORE Solutions logo are trademarks of AFORE Solutions Inc. All other brands or product names mentioned herein are for identification purposed only and may be trademarks and/or registered trademarks of their respective companies. Copyright 2014 All Rights Reserved AFORE Solutions Inc Queensview Drive, Suite 150 Ottawa, Ontario, K2B 8J9, Canada Tel: (613) Fax: (613) Support Inquiries (866) support@aforesolutions.com General Inquiries afore_info@aforesolutions.com Sales Inquiries afore_sales@aforesolutions.com

3 Table of Contents 1 Introduction Audience and Purpose Typographical Conventions Deployment Guide Organization CloudLink CloudLink Amazon Machine Images Instance Types Storage Modes Storage Access in VPC Environments Storage Access in EC2 Environments Security Security Groups in VPC Environments Security Groups in EC2 Environments Prerequisites CloudLink Deployment CloudLink Deployment in VPC CloudLink Deployment in EC Configuring the CloudLink Environment Accessing CloudLink Center Changing the secadmin Password Assigning Licenses to the Storage Volumes Splitting a Volume Changing the Volume Type Changing the Volume Write Mode to Async Formatting the Volumes Configuring NFS/SMB Access to Secure Storage Configuring iscsi Access to Secure Storage Accessing the Secure Storage Storage Access in an EC2 Environment Storage Access in a VPC Environment Terms and Acronyms Appendix A: AWS Deployment Worksheet Software Version Document Version 1.0

4 1 Introduction CloudLink is a data at rest encryption solution that provides a software defined storage encryption layer on top of existing storage infrastructures whether deployed in the enterprise data center, private clouds or in public clouds. Its cloud security management software enables a single data encryption solution for on-premise enterprise virtualized data centers, hybrid cloud deployments, and public cloud environments such as Amazon AWS, Microsoft Azure, and VMware-based cloud environments. AFORE s CloudLink solution on the AWS Marketplace is a simple to deploy, self-contained AMI that enables customers to get up and running quickly. You install a CloudLink AMI instance from the AWS Marketplace and Amazon will simply add the CloudLink costs to your AWS bill as a separately identified charge. There are two CloudLink AMIs: CloudLink 10TB Edition and CloudLink 1TB Edition. CloudLink instances can be deployed in either Elastic Compute Cloud (EC2) or Virtual Private Cloud (VPC) environments. 1.1 Audience and Purpose This guide is intended for system administrators managing CloudLink deployments in an Amazon Web Services environment. This guide assumes the administrator is experienced with AWS AMI deployment, Amazon Elastic Compute Cloud (EC2) and Virtual Private Cloud (VPC) services, and IP networking. If you are new to AWS, visit the AWS documentation webpage for useful getting started guides at The purpose of this guide is to walk you through the deployment and configuration of CloudLink instances based on CloudLink AMIs available from the AWS Marketplace. Software Version Document Version 1.0

5 1.2 Typographical Conventions This guide uses the following typographical conventions. Convention Used for Black bold User interface elements such as menus, menu items, tabs, boxes, lists, and buttons. For example: In the CloudLink window, select the Options tab. Italics Examples of formats and values. Also used for emphasis. For example: Use the default user name (secadmin) For each CloudLink instance you must 1.3 Deployment Guide Organization This deployment guide consists of the following chapters: Chapter 1, Introduction, introduces you to CloudLink, AWS, and this document. Chapter 2, CloudLink Amazon Machine Images, provides information on the AWS deployment environment. Chapter 3, Prerequisites, provides the necessary prerequisites for the deployment. Chapter 4, CloudLink Deployment, provides a detailed description of CloudLink deployments in VPC and EC2 environments. Chapter 5, Configuring the CloudLink Environment, provides information on how to configure the CloudLink environment. Chapter 6, Accessing the Secure Storage, provides information on how to access the secure storage volumes. Chapter 7, Terms and Acronyms Software Version Document Version 1.0

6 1.4 CloudLink CloudLink is a software solution that is deployed into enterprise virtualization infrastructures and/or public clouds. CloudLink controls the encryption keys used to secure the storage while monitoring the network. The CloudLink operating environment is as follows: CloudLink includes CloudLink Center, a Web-service application that provides a user interface to configure CloudLink instances and manage CloudLink. CloudLink Center provides secure storage encryption management and provides audit trails of actions, alarms, events, and security events. Software Version Document Version 1.0

7 2 CloudLink Amazon Machine Images An Amazon Machine Image (AMI) is a virtual machine preconfigured with a base Linux or Windows operating system (OS) and, optionally, application software such as CloudLink. After you launch a CloudLink instance, it looks like a virtualized server, and you can interact with it as you would any computer. Your CloudLink AMIs must then be configured for security and with Elastic Block Store (EBS) volumes. AFORE Solutions provides a CloudLink 10TB Edition AMI and a CloudLink 1TB Edition AMI. Both CloudLink instances run in one of two supported platforms: EC2 or VPC. The operating environment will vary depending on the selected platform. 2.1 Instance Types The AWS instance type defines the number of cores, number of Elastic Compute Units (ECUs), and storage space for the instance. The supported instance types for each CloudLink edition are as follows: CloudLink 1TB Edition: m1.small, m3.medium, m3.large, m3.xlarge CloudLink 10TB Edition: m3.medium, m3.large, m3.xlarge Use of at least the m3.medium instance type is recommended for CloudLink AMIs. 2.2 Storage Modes By default, EBS volumes assigned to a CloudLink instance at deployment time are merged into a single CloudLink encrypted volume. From CloudLink Center you can split the encrypted volume into the original volumes and assign an encryption key to each volume or keep the merged encrypted volume and assign a single encryption key to the entire volume. A single merged encrypted volume supports up to 10 TB (or 1 TB) to handle a large amount of data. In a multivolume environment, each volume is limited to 1 TB (EBS volume limitation) and the maximum aggregated volume size is limited to 10 TB or 1 TB depending upon the CloudLink Edition licensed. Separate volumes allow you to provide a separate key for each volume and manage the volumes independently. CloudLink provides AWS instances with direct access to their encrypted storage over NFS/SMB or iscsi. CloudLink supports three storage modes: NFS/SMB network-attached storage (NAS) This option is appropriate for standard deployments where instances will be attaching/mapping Software Version Document Version 1.0

8 to an encrypted share. iscsi remote disk for a single Windows server This option is appropriate for servers requiring dedicated, block-level high performance access to a remote disk. iscsi remote disk for a Windows SMB server This option is appropriate for advanced SMB sharing configurations where Windows Kerberos authentication and access control is required. Any data that is written to the EBS volume is secured with AES 256-bit encryption. Each EBS volume will have a unique encryption key when configured in split volume mode. When EBS volumes are merged into a single encrypted volume, a single key is used to encrypt the merged volume. Note: CloudLink does not support AWS encrypted EBS volumes in this release. 2.3 Storage Access in VPC Environments In a VPC environment, instances within AWS will access the CloudLink encrypted storage based on its private IP address as private IP addressing is persistent in VPC environments. Assigning a public IP to a VPC CloudLink instance is recommended to enable administrators to manage their CloudLink deployment from a browser. If a public IP address is not assigned to CloudLink, administrators will need to RDP to an AWS instance that does have a public IP and then access CloudLink from that instance s web browser. NOTE: In VPC environments, public IP addresses are not persistent after stopping and starting the CloudLink instance, but the private IP address is persistent (static). 2.4 Storage Access in EC2 Environments Support of CloudLink deployments in EC2 requires additional configuration steps due to the fact that in EC2 both private and public IP addresses are not persistent after stopping and starting CloudLink instances. This non-persistent IP addressing behaviour introduces ease of use challenges from the perspective of seamless access and access control to the CloudLink encrypted storage. To support CloudLink EC2 deployments, it is recommended that an Elastic IP address be assigned to CloudLink. An Elastic IP (EIP) address is a static IP reservation that can be assigned to a CloudLink instance providing a consistent IP for external Internet access to the CloudLink instance. An additional benefit of EIPs is Software Version Document Version 1.0

9 that internally within the AWS environment, if the EIP public domain name is queried, the current private IP address of the CloudLink instance associated with the EIP is returned. If AWS instances attach/map to CloudLink storage based upon the public domain name, even if the CloudLink instance is stopped and started, the AWS DNS service will always return the current private IP address and the pre-defined attach/map commands will be successful. For a Windows instance attempting to access CloudLink encrypted storage, the attach or map command for a single volume would look similar to the following: \\public_domain_name\secure0. As mentioned, the AWS DNS service will return the current private IP address of the CloudLink instance to the Windows instance attempting to access the CloudLink encrypted storage If an EC2 CloudLink instance is stopped and started, the same EIP address is assigned to the CloudLink instance, however, you must manually re-associate the IP address to the instance. NOTE: A reboot of the CloudLink instance does not require re-association. 2.5 Security By default, access to the CloudLink instance encrypted storage is denied to all. You must configure AWS security groups to control traffic into the CloudLink instance. You then configure the CloudLink Access Control List (ACL) to allow all members of the subnet to connect to the encrypted storage. Security groups act as a virtual firewall Security Groups in VPC Environments One method to grant access to secure encrypted storage in a VPC environment is to create a second security group and associate it to designated virtual servers. You then add the security group to an inbound rule of the CloudLink instance security group. Alternatively, you can assign individual IP or IP ranges to restrict access to specific instances or groups of instances. After you launch a CloudLink instance in a VPC, you can change its security groups. You can also change the rules of a security group, and those changes are automatically applied to all virtual servers that are associated with the security group. NOTE: The rules you create for use with a security group for a VPC cannot reference a security group from the EC2 environment. For more information on VPC security groups, refer to the AWS VPC user guide. Software Version Document Version 1.0

10 2.5.2 Security Groups in EC2 Environments Since private IP addresses are non-persistent in an EC2 environment, access rules must be based on security groups and not on IP addresses. You can create additional security groups and associate them with designated virtual servers. You then add the security groups to inbound rules of the CloudLink instance security group. For increased access control, you can configure the CloudLink instance encrypted storage as an iscsi share, then use a Windows server as the SMB server and configure Windows ACL capabilities. After you launch a CloudLink instance in an EC2 environment, you cannot change its security groups. However, you can add rules to or remove rules from a security group, and those changes are automatically applied to all instances that are associated with the security group. NOTE: The rules you create for use with a security group for EC2 cannot reference a security group from the VPC environment. For more information on EC2 security groups, refer to the AWS EC2 user guide. Software Version Document Version 1.0

11 3 Prerequisites Before launching a CloudLink instance on the AWS Marketplace, ensure that you have the following: An AWS account. You can use an existing key pair or create a key pair during the deployment process. Access to the AWS documentation at Access to the CloudLink documentation available on the CloudLink page in the AWS Marketplace: o o CloudLink (this guide) CloudLink Amazon Web Services Administration Guide Software Version Document Version 1.0

12 4 CloudLink Deployment The CloudLink instance is deployed with the Launch with EC2 Console method and is capable of supporting multiple EBS volumes totalling up to 10 TB or 1 TB, depending upon the edition licensed, that can be configured as standard or Provisioned Input/Output Operations per Second (IOPS) volumes. In this deployment model, as storage requirements grow, additional storage can be added to the CloudLink instance or additional CloudLink instances can be added to the AWS environment. The CloudLink instance ACL is initially configured to deny access to all servers. Once security group configuration is complete and applied to the designated instances, you can change the CloudLink instance ACL setting to allow access to all instances. The security group settings will act as a virtual firewall and filter access to the encrypted storage of the CloudLink instance. The port requirements for CloudLink are as follows: CloudLink ports: o TCP: 8443 (HTTPS) for incoming access to CloudLink. o o o UDP: 514 to send the CloudLink Center logs to a system log TCP: 443 if RSA DPM is implemented as a key store TCP: 389 if Active Directory is implemented as a key store iscsi ports: o TCP: 860 and 3260 NFS ports: o TCP: 111, 2049, and SMB ports: o TCP and UDP: 135, 137, 138, and 139 o TCP: 445 For SSH access to the CloudLink instance, enable port 22. Software Version Document Version 1.0

13 4.1 CloudLink Deployment in VPC The Launch with EC2 Console method allows you to configure a CloudLink instance to meet your requirements for the VPC environment. To deploy a CloudLink AMI instance in a VPC environment: 1. Log on to the AWS Marketplace with your AWS account credentials. 2. Locate the AFORE Solutions CloudLink products on the AWS Marketplace website. 3. Select either of the following CloudLink products: AFORE CloudLink NAS Encryption 10 TB Edition AFORE CloudLink NAS Encryption 1 TB Edition 4. From the CloudLink product page, click Continue. 5. Select a version. 6. Click Accept Terms (only required if you have not previously accepted the terms). 7. Click the Launch with EC2 Console button for the desired region. 8. Step 2 of the AWS deployment procedure appears on your screen. For example: 9. Select the m3.medium instance type or a larger instance type. 10. Click Next to proceed to Step For the Network parameter, select an existing VPC or click Create new VPC. If you selected Create new VPC, the VPC console is launched. Click Create VPC and configure the VPC parameters to suit your environment and return to the EC2 console to resume deployment. You then select the new VPC as the Network parameter and create a subnet for the VPC. 12. Checkmark the Automatically assign a public IP address to your instances checkbox to assign a public IP address to the CloudLink instance. 13. Click Next to proceed to Step Add the necessary EBS volumes up to a maximum of 10 TB or 1TBs depending upon the CloudLink edition selected. Log the snapshot identifiers of all EBS volumes and store them in a safe place. You can use the worksheet in Appendix A: AWS Deployment Worksheet on page 32 to log your Software Version Document Version 1.0

14 configuration. NOTES: You can also add EBS volumes after deployment, see the CloudLink Amazon Web Services Administration Guide. Newer Linux kernels may rename the devices from dev/sd to /dev/xvd. 15. Ensure that the Delete on Termination checkbox is unchecked for all EBS volumes. Otherwise, all data on the EBS volumes will be lost on termination of the CloudLink instance. 16. Click Next to proceed to Step Enter a string for the Name tag in the Value field. This string will be used as the CloudLink hostname. 18. Click Next to proceed to Step Create a new security group or select an existing security group. Only security groups from the VPC environment are available. NOTE: At this point, you can only configure inbound rules. Once deployed, you can change the inbound rules and the default outbound rules. 20. Click Review and Launch. 21. Confirm your settings and click Launch. 22. From the Key Pair dialog, select an existing key pair or create a new key pair. A key pair consists of a public key that AWS stores, and a private key file that you store. Together, they allow you to connect to your CloudLink instance securely. For the CloudLink AMIs, the private key file allows you to use SSH to log in to your CloudLink instance. 23. Click Launch Instances to launch the CloudLink instance and view the instance identifier from the Launch Status window. 24. Click View Instances to access the EC2 console and view the new VPC CloudLink instance. 25. Access the CloudLink instance s security group from the EC2 console and modify the inbound and outbound rules to suit your environment and security requirements. You have deployed an instance of the CloudLink AMI in a VPC environment. The CloudLink instance has a static private IP address and a public IP address that allows you to access the CloudLink instance from the Internet. If the CloudLink instance is stopped and restarted, a new public IP address will be assigned to the Software Version Document Version 1.0

15 CloudLink instance. To configure the CloudLink environment, proceed to 5 Configuring the CloudLink Environment on page 19. Software Version Document Version 1.0

16 4.2 CloudLink Deployment in EC2 The Launch with EC2 Console method allows you to configure a CloudLink instance to meet your requirements for the EC2 environment. To deploy a CloudLink AMI instance in a VPC environment: 1. Log on to the AWS Marketplace with your AWS account credentials. 2. Locate the AFORE Solutions CloudLink products on the AWS Marketplace website. 3. Select either of the following CloudLink products: AFORE CloudLink NAS Encryption 10 TB Edition AFORE CloudLink NAS Encryption 1 TB Edition 4. From the CloudLink product page, click Continue. 5. Select a version. 6. Click Accept Terms (only required if you have not previously accepted the terms). 7. Click the Launch with EC2 Console button for the desired region. 8. Step 2 of the AWS deployment procedure appears on your screen. For example: 9. Select the m3.medium instance type or a larger instance type. 10. Click Next to proceed to Step For the Network parameter, select Launch into EC2-Classic and configure the remaining parameters to suit your environment. 12. Click Next to proceed to Step Add the necessary EBS volumes up to a maximum of 10 TB or 1 TB depending upon the CloudLink edition selected. Log the snapshot identifiers of all EBS volumes and store them in a safe place. You can use the worksheet in Appendix A: AWS Deployment Worksheet on page 32 to log your configuration. NOTES: You can also add EBS volumes after deployment, see the CloudLink Amazon Web Services Administration Guide. Software Version Document Version 1.0

17 Newer Linux kernels may rename the devices from dev/sd to /dev/xvd. 14. Ensure that the Delete on Termination checkbox is unchecked for all EBS volumes. Otherwise, all data on the EBS volumes will be lost on termination of the CloudLink instance. 15. Click Next to proceed to Step Enter a string for the Name tag in the Value field. This string will be used as the CloudLink hostname. 17. Click Next to proceed to Step Create a new security group or select an existing security group. Only security groups from the EC2 environment are available. NOTE: At this point, you can only configure inbound rules. Once deployed, you can change the inbound rules. 19. Click Review and Launch. 20. Confirm your settings and click Launch. 21. From the Key Pair dialog, select an existing key pair or create a new key pair. A key pair consists of a public key that AWS stores, and a private key file that you store. Together, they allow you to connect to your CloudLink instance securely. For the CloudLink AMIs, the private key file allows you to use SSH to log in to your CloudLink instance. 22. Click Launch Instances to launch the CloudLink instance and view the instance identifier from the Launch Status window. 23. Click View Instances to access the EC2 console and view the new EC2 CloudLink instance. 24. Access the CloudLink instance s security group from the EC2 console and modify the inbound rules to suit your environment and security requirements. 25. From the EC2 console, you can assign an EIP address to the CloudLink instance. The EIP is a public static IP address that belongs to your AWS account. If the CloudLink instance is stopped and restarted, you must re-associate the EIP with the CloudLink instance. A reboot of the CloudLink instance does not require re-association. a. Under Network and Security, click Elastic IPs and then click Allocate New Address. b. From the Allocate New Address dialog, select EC2 and click Yes, Allocate. c. Observe the new IP address in the EIP window. d. Select the new IP address and click Associate Address. e. From the Associate Address dialog, select the CloudLink instance and click Associate. Software Version Document Version 1.0

18 f. Observe the results in the Elastic IP window. g. Click Instances and select the CloudLink instance. Observe the parameters from the Description tab. h. To view the security group configuration, click the view rules link in the Description tab. You have deployed an instance of the CloudLink AMI in an EC2 environment. The CloudLink instance has a non-static private IP address and a static public EIP address. To configure the CloudLink environment, proceed to 5 Configuring the CloudLink Environment on page 19. Software Version Document Version 1.0

19 5 Configuring the CloudLink Environment After you deploy a CloudLink instance on AWS, you must access CloudLink Center on the CloudLink instance and configure the CloudLink environment before you can access the encrypted storage from the designated virtual servers. Proceed as follows: 1. Access CloudLink Center on the CloudLink instance, see Accessing CloudLink Center on page Change the default secadmin user account password, see Changing the secadmin Password on page Assign storage licenses to the storage volumes, see Assigning Licenses to the Storage Volumes on page Split the volume if desired (CloudLink merges all storage volumes at deployment time), see Splitting a Volume on page Specify the storage type (NFS/SMB or iscsi), see Changing the Volume Type on page Set the write mode for the storage volumes, see Changing the Volume Write Mode to Async on page Format the storage volume(s), see Formatting the Volumes on page Configure access rights to the storage volumes: For SMB/NFS, see Configuring NFS/SMB Access to Secure Storage on page 25. For iscsi, see Configuring iscsi Access to Secure Storage on page 26. For information on how to access a storage volume, see 6 Accessing the Secure Storage on page 29. For additional information on configuring and managing the CloudLink environment, refer to the CloudLink Amazon Web Services Administration Guide. Software Version Document Version 1.0

20 5.1.1 Accessing CloudLink Center To connect to CloudLink Center on the CloudLink instance: 1. In your Web browser, type the URL of the CloudLink instance in the format IpAddress:8443 or fqdn:8443 where IpAddress is the public interface IP and fqdn is the fully qualified domain name (FQDN). 2. Observe the presence of the CloudLink Center home page in your browser. 3. Log in. The default Username is secadmin and the default Password is your AWS instance ID Changing the secadmin Password To change the default secadmin password: 1. Log in as a secadmin user. The default password is your AWS instance ID. (see Accessing CloudLink Center on page 20). 2. From the Topology Tree, select the CloudLink instance. 3. Click the Administration tab. 4. From the Options panel, select User Accounts. 5. In the User name list, right-click the secadmin account and click Change password. 6. In the Change password window, enter the new password and confirm the new password. 7. Click OK. Software Version Document Version 1.0

21 5.1.3 Assigning Licenses to the Storage Volumes Storage licenses form part of the CloudLink instances and depending upon the edition selected either a 10 TB or 1 TB license is included. To assign a storage license to a CloudLink instance: 1. Log in as a secadmin or admin user (see Accessing CloudLink Center on page 20). 2. From the Topology Tree, select a CloudLink instance. 3. Select the Storage tab. 4. From the Options panel, select the License option. 5. From the License Assignment panel, select the storage license from the Available Licenses dropdown list. 6. Click Assign to assign the storage license. 7. Observe the graph in the License Usage panel Splitting a Volume When you create more than one volume at instantiation, CloudLink automatically merges the volumes into a single volume. You can split the aggregated volume back into separate volumes, with each volume being encrypted with a unique encryption key. NOTE: Splitting a volume results in the loss of all data on the EBS volume. Ensure any data associated with the CloudLink EBS volume is backed up before proceeding. The storage volume names will be secure0-xx where xx starts at 01. The Device rows will show the original device names, for example, sdb, sdc, sdd, and sde. The displayed Size of the volumes will show the original disk sizes. The results of a volume split are as follows: All data previously stored on the combined volume is lost. The storage key for the volume is lost and the ACL configuration is lost. The storage write mode is set to Sync. Software Version Document Version 1.0

22 To split a volume: 1. Log in as a secadmin user (see Accessing CloudLink Center on page 20). 2. From the Topology Tree, select a CloudLink instance. 3. Click the Storage tab then the Configuration tab. 4. Click Volumes in the Options panel. 5. From the Volumes panel, right-click the volume and select Split. Click Yes in the confirmation window. 6. Once the Storage tab reappears, select it to view the results Changing the Volume Type You can change the volume type of a volume from NFS/SMB to iscsi and from iscsi to NFS/SMB. Server Message Block (SMB) shares, also referred to as Common Internet File System (CIFS) shares, are primarily used in Windows operating systems. Network File System (NFS) shares are primarily used in Unix and Linux based operating systems. When working with NFS you mount a remote folder to a local path. The Internet Small Computer System Interface (iscsi) provides better performance for raw I/O and is used for databases/clusters. The results of a change in volume type are as follows: All data on the disk is lost. The storage keys are lost and the ACL configuration is lost. The storage write mode is set to Sync. To access a CloudLink instance s secure storage over iscsi, you must also configure CHAP credentials for use in performing incoming access to the instance s iscsi target. For more information, see the CloudLink Amazon Web Services Administration Guide. To change the volume type for a storage volume: 1. Log in as a secadmin user (see Accessing CloudLink Center on page 20). 2. From the Topology Tree, select a CloudLink instance. Software Version Document Version 1.0

23 3. Click the Storage tab then the Configuration tab. 4. Click Volumes in the Options panel. 5. Right-click a NFS/SMB volume and select Change volume type to iscsi or right-click an iscsi volume and select Change volume type to NFS/SMB. 6. Observe that the volume type has changed in the Volumes panel. NOTES: If the new volume type is iscsi, you must mount the volume as an iscsi target from the disk management facility on the client PC and configure CHAP credentials for use in performing access to the iscsi target Changing the Volume Write Mode to Async The default write mode for NFS/SMB and iscsi EBS volumes is synchronous (sync). You can change the write mode to asynchronous for the purpose of reducing data transfer times to EBS volumes. In the asynchronous write mode, loss of data can occur under network failure scenarios. NOTE: After changing the write mode for an iscsi volume, you must reactivate the disk from the disk management facility on the client PC. To change the write mode of a volume to async: 1. Log in as a secadmin or admin user (see Accessing CloudLink Center on page 20). 2. From the Topology Tree, select a CloudLink instance. 3. Click the Storage tab then the Configuration tab. 4. Click Volumes in the Options panel. 5. From the Volumes panel, right-click a volume and select Change Write Mode to async. NOTE: You can change the mode back to sync at any time. See the CloudLink Amazon Web Services Administration Guide for details. Software Version Document Version 1.0

24 5.1.7 Formatting the Volumes To format a storage volume: 1. Log in as a secadmin or admin user (see Accessing CloudLink Center on page 20). 2. From the Topology Tree, select a CloudLink instance. 3. Click the Storage tab then the Configuration tab. 4. Click Key in the Options panel. 5. Select one or more volumes and right-click a selected volume. 6. Select Format from the menu. The format operation formats the disk and makes old data unusable. The generated key has a name in the following format: volumename_yyyymmdd_hhmmss.key where: volumename yyyymmdd HHmmss - the name of volume - key generation date - key generation time For example, secure0-01_ _ key To retain access to the secure storage in the event of an unrecoverable failure of the CloudLink instance, you should export and securely save all keys before storing data on the volumes. All keys are exported as a set into a single file. The exported keys will allow you to access the storage volumes from another CloudLink instance. NOTE: Active Directory (AD) or RSA DPM can be used as a key store. For more information, see the CloudLink Amazon Web Services Administration Guide. Software Version Document Version 1.0

25 5.1.8 Configuring NFS/SMB Access to Secure Storage To access a CloudLink instance secure storage over NFS/SMB, you configure which instances are granted access to the secure storage. For CloudLink instances in an AWS environment, you simply allow all machines connected to the CloudLink instance s private subnet. As part of deployment, AWS security groups are configured and therefore act as a virtual firewall to control traffic into the CloudLink instance s secure storage. To configure the ACL to provide access to the storage for all members: 1. Log in as a secadmin user (see Accessing CloudLink Center on page 20). 2. From the Topology Tree, select a CloudLink instance. 3. Click the Storage tab then the Configuration tab. 4. In the Options panel, click Access. 5. Select a volume from the Volume Name dropdown list. 6. Click the IP Address dropdown list, and select Any. 7. Click Add. NOTE: All IP entries in the Access Control List must be deleted before you can select Any. The Access Control List will display the subnet(s) that will be granted access to the secure storage. Once access to a secure storage has been granted, the storage is made available to those devices over NFS/SMB that form part of the proper AWS security groups. For more information, see 6 Accessing the Secure Storage on page 29. Software Version Document Version 1.0

26 5.1.9 Configuring iscsi Access to Secure Storage To access a CloudLink instance secure storage over iscsi, you must configure CHAP credentials for use in performing incoming access to the iscsi target (that is, one-way CHAP authentication). If you wish to configure mutual CHAP authentication, you can optionally configure CHAP credentials for performing outgoing access from the CloudLink instance to the iscsi initiator. This section shows you how to: Configure one-way CHAP authentication. Configure mutual CHAP authentication. To configure one-way CHAP authentication: 1. Log in as a secadmin user (see Accessing CloudLink Center on page 20). 2. From the Topology Tree, select a CloudLink instance. 3. Click the Storage tab then the Configuration tab. 4. From the Options panel, click Access. 5. Select the encrypted volume for which you are configuring access from the Volume Name dropdown list in the Volume panel. 6. If the Access Control List is empty, then there are no credentials configured for accessing the iscsi storage and the storage is therefore inaccessible. Set the ACL configuration to Any. 7. Enter a CHAP user name in the User Name field and a corresponding secret in the Secret field. This user name and secret combination will be used to authenticate the iscsi initiator. Software Version Document Version 1.0

27 8. Select Incoming User in the User Type dropdown list and click Add. For example: NOTES: You must configure the iscsi initiator(s) you wish to connect to with one of the Incoming User credentials specified in the Access Control List. The iscsi Qualified Name (IQN) field is not used for this release. To configure mutual CHAP authentication: 1. Configure one-way CHAP authentication as described in this section. 2. Enter a CHAP user name in the User Name field and a corresponding secret in the Secret field. This user name and secret combination will be used to authenticate the CloudLink iscsi target to the initiator. Software Version Document Version 1.0

28 3. Select Outgoing User in the User Type dropdown list and click Add. For example: NOTES: You can configure only one Outgoing User credential for each volume. You must configure the iscsi initiator(s) you wish to connect to with an Outgoing User credential specified in the Access Control List for mutual authentication. The iscsi Qualified Name (IQN) field is not used for this release. Software Version Document Version 1.0

29 6 Accessing the Secure Storage Once access to a CloudLink instance s secure storage has been granted to virtual servers, the storage is made available to those devices over NFS/SMB or iscsi. If you opted to have the encrypted storage presented as a single volume, the storage volume name is secure0. It you opted to split the encrypted storage into multiple volumes, the volume name format is secure0-x where x represents the numerical identifier of the encrypted storage volume. For example, secure0-01 to secure Storage Access in an EC2 Environment To access encrypted secure storage from a Windows machine in an EC2 environment, launch a file browser from a qualified instance and enter the domain name of the CloudLink instance followed by the secure storage name. For example, a CloudLink instance with an EIP address of , may be accessed as follows: \\ec sa-east-1.compute.amazonaws.com\secure0 To test the storage, you can create a folder on the encrypted storage volume. For example: To access the same encrypted secure storage from a Linux machine, you would mount the drive as follows: mount ec sa-east-1.compute.amazonaws.com:/secure0/mnt/ foldername Software Version Document Version 1.0

30 6.1.2 Storage Access in a VPC Environment To access an encrypted secure storage from a Windows machine in an EC2 environment, launch a file browser from a qualified instance and enter the private IP address of the CloudLink instance followed by the secure storage name. For example, a CloudLink instance with a private IP address of , may be accessed as follows: \\ \secure0 For external access, you can use the public IP address. To access the same encrypted secure storage from a Linux machine, you would mount the drive as follows: mount :/secure0/mnt/ foldername Software Version Document Version 1.0

31 7 Terms and Acronyms ACL AES AMI AWS AWS Marketplace CHAP CIFS DNS EBS EC2 EIP FQDN GB HTTP HTTPS I/O IOPS IP iscsi NFS PIN RDP SG SMB SSH TB TCP UDP vdc VM VPC Access Control List Advanced Encryption Standard Amazon Machine Image Amazon Web Services An online store of software and services to build products and run businesses. AWS Marketplace includes databases, application servers, testing tools, monitoring tools, content management, and business intelligence software. Challenge-Handshake Authentication Protocol Common Internet File System Domain Name Server Elastic Block Store Elastic Compute Cloud Elastic Internet Protocol Fully Qualified Domain Name Gigabyte Hypertext Transfer Protocol Hypertext Transfer Protocol Secure Input/Output Input/Output Operations per Second Internet Protocol Internet Small Computer System Interface Network File System Personal Identification Number Remote Desktop Protocol Security Group Server Message Block Secure Shell Terabyte Transmission Control Protocol User Datagram Protocol Virtual Data Center Virtual Machine Virtual Private Cloud Software Version Document Version 1.0

32 Appendix A: AWS Deployment Worksheet After deployment and before using the encrypted storage you should log the AWS AMI instance configuration to help you correlate the CloudLink instances to their components. CloudLink Instance Name: Region / Availability Zone: VPC Id. (vpc-): AMI Id: Instance Id. (i-): Public DNS (ec2-): Private DNS (ip-): EIP Address: Security groups (sg-): Volumes (vol-) / Snapshots (snap-): Other: Software Version Document Version 1.0