Eyeglass All Product Installation and Upgrade Guides Publication

Ransomware Defender Enterprise Airgap Agent VM Install Guide

Introduction to this Guide

Use this document to get your new Ransomware Defender single VM into a secure AirGap vault ESX host.

System Requirement

  1. vSphere 6.0 or higher. The appliance requires:
  2. 4 vCPU
  3. 16 GB RAM
  4. 30 GB OS partition plus 80 GB disk (total disk size in VMware: 110 GB)


IMPORTANT INFORMATION REGARDING ADDING CLUSTERS TO AirGap Agent VM READ-ME FIRST

Supported OneFS releases

  1. Please refer to the Release Notes for the Ransomware Defender AirGap Vault Agent.

Prerequisites 

  1. ESX host installed
  2. Ensure the ESX host time is set correctly and the time zone is correct
  3. Ransomware Defender AirGap Vault Agent VM should have time sync to VM checked 


Ransomware Defender AirGap Vault Agent Firewall Port Requirements

  1. The vault agent requires
    1. port 8080 https from vault agent --> to the vault cluster management pool
    2. port 22 ssh from vault agent --> to the vault cluster management pool
  2. The Vault Cluster to the Production cluster
    1. port 8080 https API vault cluster --> prod cluster (used only for connectivity test CLI command, not used for any other purpose)
    2. port 22 ssh from vault cluster --> prod cluster(s)

Download Eyeglass (Mandatory)

  1. Download ECA zip from Superna web site following instructions here Latest ECA Download

Deploy the Ransomware Defender AirGap Vault Agent Appliance (Mandatory)

Ransomware Defender AirGap Vault Agent is delivered in OVF format for easy deployment in your ESX environment. Deploy the OVF and then follow the wizard to set up networking for this Linux appliance. You will need to know the following:

  1. subnet and network required so that the appliance will have IP connectivity to the PowerScale clusters that it’s managing and the users that are using it
  2. IP address for the appliance
  3. Gateway

Steps to Deploy the OVF with vSphere Client (Mandatory)

OVF Deployment steps :

Step 1: Download an ECA OVF zip file from  Latest Appliance Download.

Step 2: Unzip the contents of the zip file from Step 1 onto a computer with access to the vSphere web URL.


Step 3: Login to the esx host with appropriate login credentials.

Step 4: Single click on the VMware vSphere client on the Desktop. Login with appropriate login credentials.

Step 5: Once logged in to VMware client, you can see different Menus on the top left of the application. Next, go to the File menu and select Deploy OVF Template.

Step 6: Browse to the location of the OVF files you’ve downloaded and unzipped in steps 1 and 2. Select OK and then Next.

Next, you will see the OVF template details. Verify the details and proceed by selecting Next. Confirm that the download size is under the allocated disk size limit.

Step 7: Choose a unique name for the virtual machine and select the Inventory location for the deployed template. Once done, select Next.

Step 8: Select the host/cluster where you want to run the deployed template and then Next.

Step 9: Select the Resource pool within which you wish to deploy the template.

Step 10: Select destination storage for virtual machine files, and select Next

Step 11: Select Disk Format for the datastore you selected in the previous step.

Step 12: Enter the networking properties for the Eyeglass appliance VM in the OVF properties display.  Replace with the correct settings for your environment.

Step 13: When done, verify your settings and deploy the OVF

After deployment:

Step : Power On the virtual machine.  

  1. The Ransomware Defender AirGap Vault Agent appliance is deployed with the following default admin user password:
  2. ssh to eyeglass vm as ecaadmin
    1. sudo systemctl status superna-on-boot  (enter admin password and verify the first boot process completes)
    2. default login and password:  ecaadmin/3y3gl4ss
    3. set the OVF mode
      1. ovf set-value -f mode=vault-agent
    4. sudo -s
    5. umount /opt/superna/mnt/zk-ramdisk
    6. Remove the following line from /etc/fstab: tmpfs /opt/superna/mnt/zk-ramdisk tmpfs nodev,nosuid,noexec,nodiratime,size=512M 0 0
      1. nano /etc/fstab
      2. Remove the line shown above
      3. by pressing Ctrl+K with the cursor on the line
      4. Press Ctrl+X to save and exit
      5. Done
  3. The default login can also be used to log in to the SSH session
  4. Mandatory: It is highly recommended to reset the default password after the appliance is deployed.
    1. Type passwd
    2. enter new password and confirm password
  5. Setup Time zone  (Mandatory)
    1. Set the time zone using YaST with the steps below
    2. ssh as the admin user
    3. sudo -s
    4. Enter admin password
    5. type yast
    6. select menu system --> date and time
    7. set the time zone
    8. Done
  6. Cluster startup
    1. exit if you are still root user
    2. whoami (make sure you are ecaadmin)
    3. ecactl cluster up
    4. done


Dell Apex Managed Cyber Vault Metering Software Configuration


Upgrade Vault Agent Procedures

This section covers how to upgrade the vault agent software.

Two methods are available depending on vault operation mode.   

Method #1 in-band maintenance window option requires the vault agent to have in-band maintenance mode enabled.

Method #2 requires console access or mouse keyboard access to esx host inside the vault; this requires physical access to the vault.


Method #1 - in-band maintenance mode upgrade procedure

  1. Requirements:
    1. Enable vault agent in-band maintenance mode (see guide).
    2. 2 Factor authentication is configured on the eyeglass VM and the vault agent vm.  See guide here.
  2. Upgrade Procedures
    1. Download the vault agent upgrade file from support https://support.superna.net. Record the md5 checksum from the download menu.
    2. Compute the md5 checksum after download and compare it to the md5 checksum posted on the download site.
    3. Using WinSCP, copy the run file to the production PowerScale cluster connected to the vault network
    4. Request the vault maintenance mode window with this command for a 45 minute maintenance window
      1. igls airgap vaultaccessrequest --interval=45
      2. The vault agent checks in every 2 hours for maintenance requests, on the hour (for example 8 am, 10 am, etc.).
      3. At the next check interval, prepare for the upgrade by following the steps below.
    5. ssh to the production cluster with the user that copied the upgrade file to the cluster.  This example assumes the admin cluster user with a home directory of /ifs/home/admin.
      1. 1 minute after the hour, test access to the vault with scp /ifs/home/admin/<upgrade file name> eyeglass@x.x.x.x:<upgrade file name> (x.x.x.x is the IP of the vault cluster interface). If the vault door is open, a password prompt will be presented; if a timeout message appears, the vault has not opened for maintenance yet, so retry the scp copy.
      2. Once the file is copied to the vault, log in to the vault over ssh
        1. ssh eyeglass@x.x.x.x 
        2. scp /ifs/home/eyeglass/<upgrade file name> ecaadmin@y.y.y.y:<upgrade file name> (y.y.y.y is the vault agent VM) enter ecaadmin password to complete the copy.
      3. SSH to the vault agent VM
        1. ssh ecaadmin@y.y.y.y
      4. Shutdown vault agent
        1. ecactl cluster down
      5. upgrade vault agent
        1. chmod 777 /home/ecaadmin/<upgrade file name>
        2. /home/ecaadmin/<upgrade file name>
        3. wait for upgrade to complete
      6. start vault cluster software
        1. ecactl cluster up
      7. Check remaining time for the timed maintenance before the vault network is auto closed
        1. ecactl airgap checkopen 
      8. Verify upgrade
        1. type docker ps  (verify all containers are running and none are restarting)
      9. Check configuration
        1. ecactl isilons list
        2. ecactl airgap list
      10. Close the vault to exit the ssh session
        1. ecactl vault close
        2. The ssh session will timeout once the vault closes
      11.  Upgrade Complete

Method #2 - Physical Vault VM Access 

  1. Requirements
    1. Bastion host with access to vault management switch inside the vault
    2. OR physical access with laptop to management switch inside the vault
    3. Secured vault laptop dedicated for vault access. This laptop should be physically secured when not in use, with limited personnel access to the laptop. Access to the secured laptop should go through change control.
    4. Dedicated USB stick for up
  2. Upgrade Procedures
    1. Download the vault agent upgrade file from support https://support.superna.net. Record the md5 checksum from the download menu.
    2. Compute the md5 checksum after download and compare to the md5 checksum posted on the download site.  
    3. Copy the upgrade file to a USB stick.
    4. Copy the upgrade file from the USB stick to the management laptop.
    5. Use WinSCP to copy the upgrade file to the vault agent using the ecaadmin user
    6. SSH to the vault agent VM
      1. ssh ecaadmin@y.y.y.y (or use ssh utility)
    7. Shutdown vault agent
      1. ecactl cluster down
    8. upgrade vault agent
      1. chmod 777 /home/ecaadmin/<upgrade file name>
      2. /home/ecaadmin/<upgrade file name>
      3. wait for upgrade to complete
    9. Start vault cluster software
      1. ecactl cluster up
    10. Verify upgrade
      1. type docker ps (verify all containers are running and none are restarting)
    11. Check configuration
      1. ecactl isilons list
      2. ecactl airgap list
    12. Test Vault Connectivity to  production cluster
      1. ecactl airgap check --prod <protected cluster name>
      2. Verify successful communications 
    13. Upgrade Complete


© Superna LLC