Eyeglass All Product Installation and Upgrade Guides Publication

Encrypted Data Access





Integrating GoldenCopy with PowerScale SMBv3 Encrypted Mount



Overview

The following configuration integrates Eyeglass GoldenCopy with a PowerScale SMBv3 encrypted mount. This encrypts data in flight between PowerScale and the Golden Copy VMs.


There are two SMB shares, with the following paths, to be mounted on the Eyeglass Golden Copy nodes:

  • /ifs/.snapshot

  • /ifs/goldencopy/recall

Those SMB Shares are configured with SMBv3 encryption enabled.


PowerScale SMBv3 Encryption

This prepares SMB Shares on the PowerScale for snapshot and recall directories:


  1. SSH to PowerScale Cluster as root user.

  2. Run the following command to create the snapshot share:

isi smb shares create --name=snapshot-share$ --path=/ifs/.snapshot --zone system --smb3-encryption-enabled yes

  3. Run the command below to add the eyeglassSR service account to the SMB member list of the snapshot share:

isi smb shares permission create --share=snapshot-share$ --user="eyeglassSR" --run-as-root --zone=system

  4. Run the following command to create the recall share:

isi smb shares create --name=recall-share$ --path=/ifs/goldencopy/recall --create-path --zone system --smb3-encryption-enabled yes

  5. Run the command below to add the eyeglassSR service account to the SMB member list of the recall share:

isi smb shares permission create --share=recall-share$ --user="eyeglassSR" --run-as-root --zone=system

  6. Done



Golden Copy Mount Point and FSTAB Configuration

  1. SSH to Golden Copy VM node 1 as the ecaadmin user.

  2. Verify that the samba-client and cifs-utils packages are installed:

sudo zypper search -i samba-client cifs-utils

  3. If not installed, run the following command to install them:

sudo zypper install samba-client cifs-utils

  4. Create the mount point directories using the following commands:

ecactl cluster exec "sudo mkdir -p /opt/superna/mnt/search/<GUID>/<NAME>"

ecactl cluster exec "sudo mkdir -p /opt/superna/mnt/recall/<GUID>/<NAME>"


Where:

<NAME> = PowerScale Cluster name 

<GUID> = PowerScale Cluster GUID


  5. Create the SMB credentials file:

ecactl cluster exec 'sudo touch /etc/auto.smb.<NAME>'


Where:

<NAME> = PowerScale Cluster name 


  6. Run the command below and enter the credentials for SMB share access in the following format:

ecactl cluster exec 'sudo vim /etc/auto.smb.<NAME>'


File contents use this format. Example (replace the username and password with your service account username and password):

username=eyeglassSR

password=3y3gl4ss


  7. Set the permissions to only allow the owner to access the file:

     1. chown root /etc/auto.smb.<NAME>

     2. chmod 600 /etc/auto.smb.<NAME>

You can now pass the credentials=/etc/auto.smb.<NAME> mount option to the mount utility or use it in the /etc/fstab file to mount the share without being prompted for the username and password.


  8. Enter the fstab rules to mount the SMB snapshot and recall shares. Run the command below and add the entries in the following format:

ecactl cluster exec 'sudo nano /etc/fstab'


Add the following lines to the end of the fstab file:


//<SmartConnectName>/snapshot-share$ /opt/superna/mnt/search/<GUID>/<NAME> cifs vers=3.0,ro,credentials=/etc/auto.smb.<NAME> 0 0


//<SmartConnectName>/recall-share$ /opt/superna/mnt/recall/<GUID>/<NAME> cifs vers=3.0,credentials=/etc/auto.smb.<NAME> 0 0


Where:

<NAME> = PowerScale Cluster name (use the same name as in the auto.smb.<NAME> file created in the previous steps)

<GUID> = PowerScale Cluster GUID

<SmartConnectName> = FQDN of SmartConnect Zone Name for the PowerScale System Pool


  9. Mount the shares:

ecactl cluster exec 'sudo mount -va'


  10. Done
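
Once the shares are mounted, the fstab entries and the credentials file created in the steps above can be audited on each node. The script below is an added example, not Superna tooling: it checks that every cifs entry pins an SMB 3.x dialect, keeps the password out of fstab, and points at a credentials file with mode 600 and the expected owner. The function names, the host sc.example.test and the demo paths are constructed for illustration, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not Superna code. Assumes GNU stat (stat -c).
# check_cifs_fstab [fstab] [owner]: one FAIL line per finding, returns 0 if clean.
check_cifs_fstab() {
    fstab=${1:-/etc/fstab}; owner=${2:-root}; rc=0
    while read -r dev mnt fstype opts _rest; do
        case $dev in ''|'#'*) continue ;; esac       # blank line or comment
        [ "$fstype" = cifs ] || continue
        vers=''; cred=''; old_ifs=$IFS; IFS=,
        for o in $opts; do
            case $o in
                vers=*) vers=${o#vers=} ;;
                credentials=*) cred=${o#credentials=} ;;
                password=*) echo "FAIL $mnt: password stored inline in fstab"; rc=1 ;;
            esac
        done
        IFS=$old_ifs
        case $vers in
            3|3.*) ;;                                 # SMB3 encryption needs dialect 3.0+
            *) echo "FAIL $mnt: vers='$vers' is not pinned to SMB 3.x"; rc=1 ;;
        esac
        if [ -z "$cred" ]; then
            echo "FAIL $mnt: no credentials= file"; rc=1
        elif [ ! -f "$cred" ]; then
            echo "FAIL $mnt: $cred does not exist"; rc=1
        else
            mode=$(stat -c %a "$cred"); own=$(stat -c %U "$cred")
            [ "$mode" = 600 ] || { echo "FAIL $mnt: $cred mode $mode, expected 600"; rc=1; }
            [ "$own" = "$owner" ] || { echo "FAIL $mnt: $cred owner $own, expected $owner"; rc=1; }
        fi
    done < "$fstab"
    return "$rc"
}

# Demo on constructed input: one entry in this guide's format, one weak entry.
demo_check() {
    d=$(mktemp -d) || return 2
    printf 'username=eyeglassSR\npassword=constructed-value\n' > "$d/auto.smb.demo"
    chmod 600 "$d/auto.smb.demo"
    cat > "$d/fstab" <<EOF
//sc.example.test/snapshot-share\$ /opt/superna/mnt/search/GUID/demo cifs vers=3.0,ro,credentials=$d/auto.smb.demo 0 0
//sc.example.test/recall-share\$ /opt/superna/mnt/recall/GUID/demo cifs vers=2.1,password=constructed-value 0 0
EOF
    check_cifs_fstab "$d/fstab" "$(stat -c %U "$d/auto.smb.demo")"
    status=$?; rm -rf "$d"; return "$status"
}
demo_check || true   # three FAIL lines, all for the constructed recall entry
```

On a Golden Copy node, run check_cifs_fstab with no arguments to audit /etc/fstab against a root-owned credentials file.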


© Superna Inc