Dell CloudLink hybrid cloud platform Deployment Guide


Dell CloudLink 7.1.5

Deployment Guide

January 2023

Rev. A00

Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.

CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.

WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2014 - 2023 Dell Inc. or its subsidiaries. All rights reserved. Dell Technologies, Dell, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners.

Contents

Chapter 1: About Dell CloudLink.................................................................................................... 7

About Dell CloudLink for Enterprise and Microsoft Azure and Azure Stack.........................................................7

About Dell CloudLink for PowerFlex............................................................................................................................... 8

About Dell CloudLink for Containers...............................................................................................................................8

About Dell CloudLink Deployment Guide....................................................................................................................... 9

Intended audience for the CloudLink Deployment Guide...........................................................................................9

Chapter 2: Dell CloudLink licensing.............................................................................................. 10

Dell CloudLink licenses purchasing options................................................................................................................. 10

Select Dell CloudLink license...........................................................................................................................................10

Receive license email......................................................................................................................................................... 11

CloudLink licenses...............................................................................................................................................................11

Activate CloudLink licenses........................................................................................................................................ 11

Split CloudLink licenses after activating the license .......................................................................................... 12

Options after uploading licenses.................................................................................................................................... 12

Replace CloudLink Evaluation license......................................................................................................................12

Expired licenses of CloudLink....................................................................................................................................13

Chapter 3: Overview of CloudLink Center deployment scenarios.................................................. 14

CloudLink components......................................................................................................................................................14

CloudLink Center deployment model for Enterprise................................................................................................. 14

CloudLink Center deployment model for PowerFlex.................................................................................................15

CloudLink Center deployment model for Microsoft Azure and Azure Stack...................................................... 15

Typical CloudLink deployment workflow for Enterprise, PowerFlex, and Microsoft Azure and Azure Stack.......................................................................................... 17

Verify the ISO signature file used in CloudLink Center.............................................................................................17

Software requirements for deploying CloudLink Center.......................................................................................... 18

System requirements for deploying CloudLink Center in Enterprise, PowerFlex, and Microsoft Azure and Azure Stack.................................................................................... 18

CloudLink virtual appliance host machine requirements.....................................................................................18

Network port information for CloudLink Center in Enterprise and Microsoft Azure and Azure Stack.................................................................................................... 18

Network port information for CloudLink Center in PowerFlex......................................................................... 19

Supported maximum CloudLink and KMIP values......................................................................................................19

Chapter 4: Deploy and configure CloudLink Center...................................................................... 21

Connect to the CloudLink Center console...................................................................................................................21

Deploy and configure CloudLink Center in VMware vSphere for Enterprise and PowerFlex......................... 21

Deploy the CloudLink Center OVF template.........................................................................................................22

After deploying OVF or VHD template or qcow2 image file............................................................................. 22

Guidelines for configuring IPv4 or IPv6 addresses ............................................................................................ 23

Configure static network values in vSphere Client or Hyper-V Manager or Virtual Machine Manager...............................................................................................23

Configure DHCP IPv4 or IPv6 network values in vSphere Client or Hyper-V Manager or Virtual Machine Manager........................................................................24

Contents 3

Deploy and configure CloudLink Center in KVM....................................................................................................... 25

Deploy the CloudLink Center qcow2 image file................................................................................................... 25

Deploy and configure CloudLink Center in Microsoft Hyper-V..............................................................................26

Deploy the CloudLink Center VHD template........................................................................................................ 26

Deploy and configure CloudLink Center in Azure...................................................................................................... 27

Deploy and configure CloudLink Center in Azure Stack.......................................................................................... 27

Deploy and configure CloudLink Center image in Microsoft Azure and Azure Stack.......................................28

Create a new CloudLink Encryption for machines.............................................................................................. 28

Define network setting configuration for CloudLink Encryption for machines............................................ 28

Define deployment type of CloudLink Encryption for machines......................................................................29

Define Second step configuration of CloudLink Encryption for machines....................................................29

Create a new CloudLink Center server.................................................................................................................. 29

Add the CloudLink Center server to an existing cluster.................................................................................... 29

Configure CloudLink Center in the web interface...............................................................................................29

Deploy and configure CloudLink Center image in Amazon Web Services (AWS).............................................30

Prerequisites to install VASA provider on controller nodes using PowerFlex.....................................................30

Chapter 5: Prepare CloudLink Agent for deployment....................................................................31

Access CloudLink Center................................................................................................................................................. 31

Log in to CloudLink Center by using web browser.................................................................................................... 31

Prerequisites for configuring a CloudLink server....................................................................................................... 31

Configure the CloudLink Center server....................................................................................................................... 32

Configure machine groups and volume or device encryption policy.....................................................................33

Set Machine Agent Upgrade policy for CloudLink Agent........................................................................................ 33

Chapter 6: Deploy, configure, and verify CloudLink Agents on Windows and Linux machines....... 34

Manage Self-Encrypting Drives (SEDs)...................................................................................................................... 35

Standard and Custom mode installation of CloudLink Agent on Windows and Linux...................................... 35

Install CloudLink Agent using Standard mode............................................................................................................ 36

Download CloudLink Agent installer for Standard mode................................................................................... 36

Run the CloudLink Agent installer in Standard mode......................................................................................... 39

Download and Install CloudLink Agent on Windows and Linux using Custom mode........................................ 42

Download and run CloudLink Agent using Custom mode on Windows.......................................................... 42

Download, install and configure CloudLink Agent using Custom mode on Linux machines...................... 44

CloudLink Agent for Microsoft SQL Server................................................................................................................46

Dependencies of Microsoft SQL Server on CloudLink Agent...........................................................................46

Deploy CloudLink Agent Azure extension using the Azure portal......................................................................... 46

Deploy CloudLink Agent Azure extension to a Windows machine using PowerShell........................................47

Deploy CloudLink Agent Azure extension to a Linux machine using PowerShell.............................................. 48

Chapter 7: Deploy, install, and configure CloudLink Encryption for Containers............................50

Encryption for containers limitations........................................................................................................................... 50

Encryption for containers configuration overview.....................................................................................................51

Prerequisites to set up Encryption for containers on Kubernetes cluster...........................................................51

Prerequisites to set up Encryption for containers on Openshift Container Platform ..................................... 52

Prerequisites to set up Encryption for containers on Tanzu Kubernetes .......................................................... 52

Create a private docker registry with containerd............................................................................................... 52

Create a Kubernetes cluster entry in CloudLink Center..........................................................................................53

Build docker images for the Kubernetes node and controller................................................................................ 53

Install containers................................................................................................................................................................54

Create a Persistent Volume, Persistent Volume Claim and attach NFS volumes to workloads....................55

Attach PowerFlex volumes to workloads.................................................................................................................... 57

Create a Persistent Volume Claim and attach PowerFlex volumes to workloads using File System......57

Create a Persistent Volume Claim and attach PowerFlex volumes to workloads using Raw Block Volume......................................................................................... 58

Create a Persistent Volume Claim and attach PowerScale volumes to workloads.......................................... 59

Create a Persistent Volume Claim and attach PowerStore volumes to workloads.......................................... 60

Chapter 8: Using PowerFlex devices............................................................................................ 61

Requirements to encrypt PowerFlex devices............................................................................................................. 61

Encrypt a new PowerFlex device...................................................................................................................................61

Encrypt an existing PowerFlex device......................................................................................................................... 62

Manage PowerFlex devices from the command line................................................................................................ 62

Chapter 9: Uninstall CloudLink Agent.......................................................................................... 64

Uninstall CloudLink Agent on Windows....................................................................................................................... 64

Uninstall CloudLink Agent on Linux...............................................................................................................................64

Chapter 10: Troubleshooting....................................................................................................... 65

CloudLink installation problems and workarounds.................................................................................................... 65

CloudLink Azure extension is uninstalled, but CloudLink Agent software is not getting uninstalled......65

DNS configuration is lost after you restore CloudLink Center from a backup file...................................... 65

CloudLink Center fails to obtain an IP address from DHCP............................................................................. 65

If a CloudLink Center instance with dual NICs is restarted, the default gateway moves to the secondary NIC..........................................................................................................................................................65

CloudLink Agent installation problems and workarounds........................................................................................ 66

VM experiences a system failure during startup................................................................................................. 66

Windows machine fails to reboot............................................................................................................................ 66

CloudLink agent is installed but fails to register on the CloudLink Center................................................... 66

Encryption for Containers problems and workarounds............................................................................................66

Invalid CloudLink Center address list or inaccessible addresses are displayed............................................ 66

Container pods stops functioning........................................................................................................................... 66

Encryption for containers logs displays driver is not authenticated error message for PowerFlex........ 67

Encryption for containers driver logs displays driver error message.............................................................. 67

Encryption for containers logs displays driver is not authenticated error message for PowerScale......67

Pod status in kubectl is ImagePullBackOff in place of running........................................................................ 67

Chapter 11: Appendix—Reference topics..................................................................................... 68

CloudLink Center server address.................................................................................................................................. 68

Requirements for CloudLink Center server addresses in clusters.................................................................. 68

Prestartup authorization of CloudLink Center machines........................................................................................ 69

Secure CloudLink machines by using encryption keys.............................................................................................69

CloudLink Key Release policies...................................................................................................................................... 70

Manage CloudLink machines by grouping.................................................................................................................... 71

Encryption key location and protection options in CloudLink................................................................................. 71

Best practices for saving, backing up, and restoring CloudLink Center machine encryption keys...............72

CloudLink Vault to encrypt CloudLink Center machine data.................................................................................. 73

IP addresses of machines associated with CloudLink.............................................................................................. 73

Manage CloudLink Center clusters............................................................................................................................... 74

CloudLink Update menu...................................................................................................................................................74

Update menu options................................................................................................................................................. 75

Chapter 12: Related documentation and resources...................................................................... 76

Other Dell CloudLink documents you may require.................................................................................................... 76

Contact Dell Technologies.............................................................................................................................................. 76

Chapter 1: About Dell CloudLink

Topics:

About Dell CloudLink for Enterprise and Microsoft Azure and Azure Stack

About Dell CloudLink for PowerFlex

About Dell CloudLink for Containers

About Dell CloudLink Deployment Guide

Intended audience for the CloudLink Deployment Guide

About Dell CloudLink for Enterprise and Microsoft Azure and Azure Stack

Cloud computing offers significant benefits for deployment flexibility, infrastructure scalability, and cost-effective use of IT resources. You can take advantage of these benefits by deploying enterprise workloads in the cloud. However, because cloud computing is based on a shared, multi-tenant compute, network, and storage architecture, traditional security controls are not sufficient. Data owners must secure sensitive data that is saved in the cloud to address privacy and regulatory compliance requirements, and satisfy requirements that are related to data that might remain in the cloud after it is no longer used.

Dell CloudLink secures sensitive information within machines across both public and private clouds. It provides encryption for the boot volume and additional data volumes with prestartup authorization for cloud-hosted machines. CloudLink provides this encryption by using the following native OS encryption features:

● Microsoft BitLocker for Windows

● dm-crypt for Linux

BitLocker and dm-crypt are proven high-performance volume encryption solutions that are widely implemented for physical machines. However, customers have not been able to use these solutions in the cloud, where you cannot use the native OS encryption features alone to encrypt the boot volume. CloudLink solves this problem.

CloudLink's VM encryption functionality enables you to use native OS encryption features to encrypt a machine's boot and data volumes in a multi-tenant cloud environment. This encryption enables you to protect the integrity of the machine itself against unauthorized modifications.

CloudLink encrypts the machine boot and data volumes with unique keys that enterprise security administrators control. Neither cloud administrators nor other tenants in the cloud have access to the keys. By securing machines, you can define the security policy that must be met before passing the prestartup authorization, including verifying the integrity of the machine’s boot chain. This offers protection against tampering.

CloudLink ensures that only trusted and verified machines can run and access sensitive data that is stored in the cloud. As part of the CloudLink solution, CloudLink Center defines the key release policy, performs prestartup authorization, and monitors all CloudLink Agents, events, and logs.

About Dell CloudLink for PowerFlex

Enterprises have many reasons for encrypting their data—addressing regulatory compliance, and protecting customer data and sensitive intellectual property against theft.

CloudLink offers significant benefits for environments that use Dell PowerFlex resources. PowerFlex is a software-defined solution that enables you to transform Direct Attached Storage (DAS) on existing hardware into shared block storage. It offers considerable scalability and extreme performance with flexible and elastic storage capacity and nodes.

CloudLink provides software-based Data at Rest Encryption (DARE) for PowerFlex Storage Data Servers (SDS) that is transparent to the features and operation of the PowerFlex solution. It uses dm-crypt, a native Linux encryption package, to secure SDS devices. A proven high-performance volume encryption solution, dm-crypt is widely implemented for Linux machines.

CloudLink encrypts the SDS devices with unique keys that are controlled by enterprise security administrators. CloudLink Center provides centralized, policy-based management for these keys, enabling single-screen security monitoring and management across one or more PowerFlex deployments.

About Dell CloudLink for Containers

CloudLink supports data encryption in a Kubernetes containerized environment. CloudLink encryption for containers enables you to encrypt shared volumes in a Kubernetes cluster. This functionality leverages the Kubernetes 1.14 to 1.21 Container Storage Interface (CSI), which is customizable to the user environment, and features a quick, easy setup through the UI or REST API.

The Encryption for Containers agent sits between the application and the CSI storage plugin, encrypting application data before it is sent to storage, which provides both data-at-rest and data-in-motion protection. One CloudLink Center instance can support multiple Kubernetes clusters. Each Kubernetes cluster node can run multiple container agents, one Encryption for Containers agent for each driver.

About Dell CloudLink Deployment Guide

This guide provides step-by-step instructions for installing, deploying, and configuring Dell CloudLink.

Intended audience for the CloudLink Deployment Guide

The CloudLink deployment guide is intended for IT administrators who are responsible for deploying and maintaining machines in the CloudLink Center environment, but not necessarily for the security of data on those machines.

Chapter 2: Dell CloudLink licensing

CloudLink license files determine the volume of machine instances, KMIP clients, CPU sockets, encrypted storage capacity, or physical machines with SEDs that your organization can manage using CloudLink Center. License files also define the CloudLink Center usage duration. For example, your license might allow you to run 25 machines in CloudLink Center for 365 days, or encrypt 5 TiB of storage in CloudLink Center for perpetuity.

Topics:

Dell CloudLink licenses purchasing options

Select Dell CloudLink license

Receive license email

CloudLink licenses

Options after uploading licenses

Dell CloudLink licenses purchasing options

● Evaluation license—This is a free trial license to test the CloudLink features. This license has an expiry date and must not be used in production. Use a subscription or a perpetual license that is purchased through Dell for production purposes.

● Subscription license—This license expires on a predefined date and time. The subscription license period is for one, two, or three years only. Repurchase the subscription licenses at the end of their term.

● Perpetual license—This license never expires.

Select Dell CloudLink license

● Encryption for Machines license—Licensed per machine for volume encryption

This license defines the number of machines, virtual or bare metal, that can be protected using CloudLink Center.

● Encryption for Containers license—Enables data encryption for containers. A single Container license supports any number of Kubernetes clusters.

● Encryption for PowerFlex license—Encrypted capacity for PowerFlex

This license defines the total storage that can be encrypted using CloudLink Center.

● Key Management over KMIP license—Licensed KMIP clients

This license defines the number of KMIP clients that can be managed using CloudLink Center. With one Key Management over KMIP license you can create:

○ One KMIP Client

○ One CloudLink Center cluster

NOTE: To create additional KMIP Clients or CloudLink Center clusters, purchase additional Key Management over KMIP licenses.

● Key Management for SED license—Number of physical machines with SEDs

A single Key Management for SED license is used per physical machine regardless of the number of SEDs connected to that machine.

Receive license email

When you place an order for a new license, Dell sends an order-confirmation email containing a License Authorization Code (LAC), a unique alphanumeric value that is generated for all digitally licensed software. The email contains instructions on how to activate the license, and links to download the CloudLink binaries.

CloudLink licenses

When you purchase a license for CloudLink, an email containing the LAC is sent to you or your purchasing department with a link to the Dell Technologies Software Licensing Central website. The LAC is required to complete the license activation process on the licensing site at https://licensing.emc.com/.

If you cannot find the LAC email, you can use the Software Licensing Central website to find the CloudLink licenses or open a Service Request with the Licensing support team at https://licensing.emc.com/.

NOTE: The terms Product ID, Software ID, or SWID all represent the common software ID that is stored in the license file of your CloudLink Center.

Activate CloudLink licenses

Activate CloudLink licenses and download the license file using the License Authorization Code (LAC). You can also use this procedure to split CloudLink licenses while activating them.

Prerequisites

Ensure that the LAC email is readily available.

Steps

1. Click the highlighted link in the LAC email, and log in.

The link takes you directly to the Software Licensing Central page.

2. Click Activate My Software.

The Activate page is displayed.

3. In the License Authorization Code (LACs) box, enter the LAC, and then click Search.

An online wizard assists you with the license activation process.

4. On the Select Products page, select the product to activate, and then click Start the Activation Process.

5. On the Company Details page, confirm (or update) your company's information, and then click Select a Machine.

6. On the Select a Machine page, perform one of the following:

● Select the machine on which you want to activate the product, and then click Search.

● In the Add a new machine box, enter a machine name, and then click Save Machine & Continue.

The machine name that you enter is used to identify the machine in the future.

7. On the Enter Details page, perform the following:

a. In the Quantity to Activate box, enter the quantity of the CloudLink licenses to activate on the machine.

b. In the Customer Name box, enter the customer name.

c. Click Review.

8. On the Review page, review your selections, and then click Activate.

The license key is emailed to the user who is logged in to Software Licensing Central.

9. On the Complete page, view and save the CloudLink license. You can also view or print the license certificate.

Split CloudLink licenses after activating the license

You can deploy a CloudLink Center cluster using a CloudLink license. If you want to distribute the licenses across multiple CloudLink Center clusters, split the licenses into multiple license files.

Prerequisites

Ensure that the LAC email is readily available.

Steps

1. Click the highlighted link in the LAC email, and log in.

The link takes you directly to the Software Licensing Central page.

2. On the Software Licensing Central page, perform one of the following:

● Click Licenses > Rehost .

● Click Move My Software .

3. On the Rehost page, enter one of the following search criteria, and then click Search .

● In the License Authorization Code (LAC) box, enter the LAC.

● In the Machine Name box, enter the machine name.

● In the Locking ID box, enter the Customer Name.

An online wizard assists you with the rehosting of the products process.

4. On the Select Source page, select the source machine, and then click Select Target .

5. On the Select Target page, perform one of the following:

● Under Search Machines , enter the search criteria to search an existing machine, and then click Search .

● In the Add a new machine box, enter a machine name, and then click Save Machine & Continue .

The machine name that you enter is used to identify the machine in the future.

6. On the Enter Details page, perform the following:

a. In the Quantity to Rehost box, enter the quantity of the CloudLink licenses you want to rehost.

b. In the Customer Name box, enter the customer name.

c. Click Review .

7. On the Review page, review the rehost details.

The license key is emailed to the user who is logged in to Software Licensing Central with the respective username.

To send it to more recipients, click Email to more people and enter their email addresses.

8. Click Rehost Products .

9. On the Complete page, perform the following:

● View and save the CloudLink license key of the Source Machine.

● View and save the CloudLink license key of the Target Machine. Install the target machine license keys to use the respective CloudLink licensed features.

● View or print the license certificate.

Options after uploading licenses

Replace CloudLink Evaluation license

Replace an evaluation license by deleting it and uploading a subscription license or a perpetual license. When you delete an evaluation license, the Customer Name is reset, and then you can upload a production license. For more information about deleting and uploading licenses, see the Dell CloudLink Administration Guide .


Expired licenses of CloudLink

Licenses that are past their support duration, typically one, two, or three years from the date of purchase, are blocked from being uploaded. If licenses expire after being uploaded, all existing CloudLink functionality continues to work, including the release of keys. However, new CloudLink Agent installations and encryption of machines and SDS devices cannot be performed. To re-enable encryption, purchase a new license and upload it.


Chapter 3: Overview of CloudLink Center deployment scenarios

Topics:

CloudLink components

CloudLink Center deployment model for Enterprise

CloudLink Center deployment model for PowerFlex

CloudLink Center deployment model for Microsoft Azure and Azure Stack

Typical CloudLink deployment workflow for Enterprise, PowerFlex, and Microsoft Azure and Azure Stack

Verify the ISO signature file used in CloudLink Center

Software requirements for deploying CloudLink Center

Supported maximum CloudLink and KMIP values

CloudLink components

Dell CloudLink consists of the following components.

● CloudLink Center—The web-based interface for CloudLink that is used to manage machines that belong to the CloudLink environment (those machines on which CloudLink Agent has been installed). CloudLink Center:

○ Communicates with machines over Transport Layer Security (TLS)

○ Manages the encryption keys that are used to secure the boot volumes, data volumes, and devices for the machines

○ Configures the security policies

○ Monitors the security and operation events

○ Collects log data

● CloudLink Agent—The agent that runs on individual machines. It communicates with CloudLink Center for prestartup authorization and decryption of BitLocker or dm-crypt encryption keys.

NOTE: You can install CloudLink Agent on a physical server. However, CloudLink Center cannot be deployed on a physical server.

For Enterprise and PowerFlex—CloudLink Center is packaged as a virtual appliance that can be deployed in the enterprise on VMware ESXi or Microsoft Hyper-V. Download CloudLink Agent from CloudLink Center.

For Microsoft Azure or Azure Stack—CloudLink Center can be deployed from the Azure Gallery as a simple-to-deploy, self-contained image file that enables you to quickly start your business-critical operations by using CloudLink. Search the Azure Gallery for CloudLink to locate the image. Download CloudLink Agent from CloudLink Center.

CloudLink Center deployment model for Enterprise

This guide assumes that CloudLink Center and the encryption keystore are deployed in the private cloud, as shown in the following figure. CloudLink Agent is deployed to individual VMs hosted in the private cloud or to VM instances in a supported public or hybrid cloud environment.

NOTE: CloudLink is a closed virtual appliance that does not support the installation of third-party applications.

When deployed, CloudLink Agent replicates the machine networking configuration as required, to ensure that it can communicate with CloudLink Center during the startup process. This replication to the preboot environment includes the IP configuration for available network interfaces and any static routing information. For Linux machines, if the networking configuration is changed after deployment, you must refresh the CloudLink Agent service. For more information about the CloudLink Agent service, see Refresh the CloudLink Agent service on Linux machines in Custom mode.

NOTE: It is recommended that you enable EFI boot mode of all CloudLink agent-installed VMs for enhanced security against boot-level attacks. However, the following are not supported:


● The Secure Boot feature

● IPv6 version with EFI

CloudLink Center deployment model for PowerFlex

CloudLink can be deployed to support a variety of PowerFlex environments, as illustrated in the following figure. The CloudLink Agent can be deployed on physical and virtual Linux PowerFlex Storage Data Servers (SDSs) and supports fully converged, two-layer, and mixed configurations. CloudLink Center must be accessible by all encrypted SDSs.

CloudLink Center deployment model for Microsoft Azure and Azure Stack

This guide describes CloudLink Center (the CloudLink web-based management console) deployment models for Azure, Azure Stack, and hybrid Azure Stack and Azure. CloudLink Agent is deployed to individual machines hosted in Azure or Azure Stack and to machines in other supported public cloud environments.


When deployed, CloudLink Agent replicates the machine networking configuration, as required, to ensure that it can communicate with CloudLink Center during the startup process. This replication to the preboot environment includes the IP configuration for available network interfaces and any static routing information. For Linux machines, if the networking configuration is changed after deployment, you must refresh the CloudLink Agent service. For more information about refreshing the CloudLink Agent service, see Refresh CloudLink Agent service on Linux machines in Custom mode. The CloudLink deployment models for Azure and Azure Stack are shown in the following figures:

Figure 1. CloudLink deployment scenario for Azure

Figure 2. CloudLink deployment scenario for Azure

Figure 3. CloudLink deployment scenario for hybrid Azure Stack and Azure


Typical CloudLink deployment workflow for Enterprise, PowerFlex, and Microsoft Azure and Azure Stack

This topic provides information on configuring CloudLink for Enterprise, PowerFlex, and Microsoft Azure and Azure Stack.

1. Deploy CloudLink Center as described in Deploying and Configuring CloudLink Center.

2. Prepare to deploy CloudLink Agent on machines as described in Preparing to Deploy CloudLink Agent.

3. Deploy CloudLink Agent on machines as described in Deploying CloudLink Agent to Machines.

Encryption (if any), based on the selected volume or device encryption policy for the machine group, begins automatically after you deploy CloudLink Agent to machines. For more information about the volume or device encryption policy, see the Dell CloudLink Administration Guide.

For PowerFlex, the deployment workflow is based on the assumption that PowerFlex Storage Data Server (SDS) is installed before you install CloudLink Agent. If SDS is not installed, you must restart CloudLink Agent after you install SDS.

Verify the ISO signature file used in CloudLink Center

To ensure that the ISO file you use to upgrade CloudLink is valid and secure, do the following:

Prerequisites

Ensure that OpenSSL is installed on the system where CloudLink Center is deployed.

Steps

1. Download the public key (PEM), binary signature file of the certificate (BIN), and the ISO file to a directory.


2. From the directory where these files are saved, run the following command:

openssl dgst -sha256 -verify publickey.pem -signature clc-7.1.5-131.81.cert.bin clc-7.1.5-131.81.iso

If the signature over the ISO is valid for the public key, the following message is displayed: Verified OK . Any other output (or a non-zero exit status) means the ISO or the signature file does not match the key and the ISO must not be used for the upgrade.
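The check in step 2, as an added shell example that is not part of the Dell guide: it wraps the same openssl command in a function that accepts only an exact Verified OK, then exercises it against a constructed RSA key pair and a constructed stand-in file named like the ISO, so both the valid outcome and the tampered outcome are visible. It assumes openssl is on the PATH (the prerequisite above); the signing key and all file contents are constructed here, and the file names are placeholders rather than Dell's artefacts.

```shell
#!/bin/sh
# Added example (not from the Dell guide): the guide's detached-signature
# check, wrapped so that only an exact "Verified OK" counts as success, and
# exercised on constructed material. File names are placeholders.

# verify_iso PUBKEY SIGNATURE ISO
# Returns 0 only when the SHA-256/RSA signature over ISO validates against
# PUBKEY. Both the exit status and the literal "Verified OK" message are
# required, so a wrong key, a tampered ISO or a missing file all fail.
verify_iso() {
  if out=$(openssl dgst -sha256 -verify "$1" -signature "$2" "$3" 2>&1) \
     && [ "$out" = "Verified OK" ]; then
    return 0
  fi
  printf 'verification failed for %s: %s\n' "$3" "$out" >&2
  return 1
}

# make_fixture DIR
# Builds constructed test material in DIR: a throwaway signing key (the
# vendor keeps theirs private; only publickey.pem is distributed), a small
# file named like the real ISO, and its detached signature made the way a
# vendor would make it.
make_fixture() {
  dir=$1
  mkdir -p "$dir" || return 1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$dir/signing.key" 2>/dev/null || return 1
  openssl pkey -in "$dir/signing.key" -pubout -out "$dir/publickey.pem" \
      2>/dev/null || return 1
  printf 'constructed stand-in for the CloudLink ISO\n' \
      > "$dir/clc-7.1.5-131.81.iso"
  openssl dgst -sha256 -sign "$dir/signing.key" \
      -out "$dir/clc-7.1.5-131.81.cert.bin" "$dir/clc-7.1.5-131.81.iso"
}

# tamper_iso ISO
# Appends one byte to simulate a corrupted or modified download; the
# signature must no longer verify afterwards.
tamper_iso() {
  printf 'X' >> "$1"
}

# demo: the pristine file verifies, the modified file is rejected.
# Returns 0 when both outcomes are as expected.
demo() {
  work=$(mktemp -d) || return 1
  make_fixture "$work" || return 1
  pub="$work/publickey.pem"
  sig="$work/clc-7.1.5-131.81.cert.bin"
  iso="$work/clc-7.1.5-131.81.iso"
  verify_iso "$pub" "$sig" "$iso" \
      || { echo "unexpected: pristine ISO failed"; return 1; }
  echo "pristine ISO: Verified OK"
  tamper_iso "$iso"
  if verify_iso "$pub" "$sig" "$iso" 2>/dev/null; then
    echo "unexpected: tampered ISO verified"
    return 1
  fi
  echo "tampered ISO: rejected"
  rm -rf "$work"
}

demo
```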

Software requirements for deploying CloudLink Center

This section describes the system requirements for CloudLink Center, and the machines on which CloudLink Agent will be deployed. Ensure that these requirements are met before deployment.

System requirements for deploying CloudLink Center in Enterprise, PowerFlex, and Microsoft Azure and Azure Stack

● For VMware deployments:

○ vSphere 6.0 or later

● For Microsoft Hyper-V deployments:

○ Hyper-V for Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016, or Windows Server 2019

● For Microsoft Azure and Azure Stack deployments:

○ Microsoft Azure account

○ An OpenSSH public key if you want to use public key authentication

● VMware Virtual Volume (vVol) and VMware vStorage APIs for Storage Awareness (VASA):

○ vVol 1.0, VASA 2.0: vSphere 6.0 or later

○ vVol 2.0, VASA 3.0: vSphere 6.5 or later

○ vVol 1.0 and VASA 2.0 on PowerFlex 3.5

○ vVol 2.0 and VASA 3.0 REST on PowerStore 1.0.3.1.3

● A3 Basic and A3 Standard are the recommended virtual machine sizes in Azure and Azure Stack.

● 4 vCPUs (minimum)

● 6 GB vRAM (minimum)

● 64 GB disk space

● Python package

● Web browser—Google Chrome 38 or higher or Mozilla Firefox 28 or higher

TLS 1.2 must be enabled in your browser settings to connect to CloudLink Center. TLS 1.2 is enabled by default in Mozilla Firefox 58 and later and in Google Chrome 64 and later.

CloudLink virtual appliance host machine requirements

For information about currently supported platforms, see the Dell CloudLink 7.1.5 Release Notes .

Network port information for CloudLink Center in Enterprise and Microsoft Azure and Azure Stack

This topic provides network port information for CloudLink Center in Enterprise and Microsoft Azure and Azure Stack.

Table 1. CloudLink network ports

Incoming

Port    TCP   UDP   Service
80      Yes   No    CloudLink cluster communication
443     Yes   No    CloudLink Center web access, cluster communication, and Agent download
1194    Yes   Yes   CloudLink Agent communication
5696    Yes   No    Key Management over KMIP
50000   Yes   No    Encryption for Containers

Outgoing

Port    TCP   UDP   Service
123     No    Yes   Network Time Protocol (NTP)
389     Yes   -     Can be used as the LDAP port for Microsoft Windows domain integration
389     Yes   -     Can be used as the LDAP port over TLS
443     Yes   No    External keystores other than Microsoft Active Directory
464     Yes   -     Microsoft Windows domain integration
514     No    Yes   Syslog
636     Yes   -     Can be used as the LDAP port over SSL
3268    Yes   -     Can be used as the Global Catalog port for Microsoft Windows domain integration
3269    Yes   -     Can be used as the Global Catalog port over SSL

A dash marks a UDP value that is not preserved in this copy of the table.

NOTE: All required incoming TCP and UDP ports are open by default in CloudLink Center. If a port is not required, you may close it.

Network port information for CloudLink Center in PowerFlex

This topic provides network port information for CloudLink Center in PowerFlex.

Table 2. CloudLink network ports

Incoming

Port    TCP   UDP   Service
80      Yes   No    CloudLink cluster communication
443     Yes   No    CloudLink Center web access, cluster communication, and Agent download
1194    Yes   Yes   CloudLink Agent communication
5696    Yes   No    Key Management over KMIP
50000   Yes   No    Encryption for Containers

Outgoing

Port    TCP   UDP   Service
123     No    Yes   Network Time Protocol (NTP)
443     Yes   No    External keystores other than Microsoft Active Directory
514     No    Yes   Syslog

Supported maximum CloudLink and KMIP values

CloudLink Center, when configured with 4 vCPUs, 8 GB RAM, and 32 GB disk space, can support the following maximum values:


● CloudLink Agents: 2,500

● CloudLink Agent encryption keys: 25,000

● KMIP partitions: 100

● KMIP encryption keys (total): 50,000

● CloudLink cluster nodes: 4

● Virtual machine groups: 100

NOTE: A single CloudLink cluster supports the maximum values for either CloudLink Agent-based encryption or KMIP, but not both.


Chapter 4: Deploy and configure CloudLink Center

This chapter provides instructions for deploying and configuring CloudLink Center on:

● VMware vSphere

● Microsoft Hyper-V

● Microsoft Azure

● Microsoft Azure Stack

NOTE: By default, CloudLink Center is deployed with a self-signed certificate. To switch to a third-party-signed certificate, see the "Secure CloudLink Center agents using third-party signed certificates" chapter in the Dell CloudLink Administration Guide available on the support site.

Topics:

Connect to the CloudLink Center console

Deploy and configure CloudLink Center in VMware vSphere for Enterprise and PowerFlex

Deploy and configure CloudLink Center in KVM

Deploy and configure CloudLink Center in Microsoft Hyper-V

Deploy and configure CloudLink Center in Azure

Deploy and configure CloudLink Center in Azure Stack

Deploy and configure CloudLink Center image in Microsoft Azure and Azure Stack

Deploy and configure CloudLink Center image in Amazon Web Services (AWS)

Prerequisites to install VASA provider on controller nodes using PowerFlex

Connect to the CloudLink Center console

Use this procedure to connect to the CloudLink Center console.

Steps

1. Do one of the following:

● In vSphere Client, right-click the CloudLink Center virtual machine and select Open Console .

● In Hyper-V Manager, right-click the CloudLink Center virtual machine and click Connect .

● Start an SSH session to the CloudLink Center machine.

2. Log in. The default console login name is cloudlink . Use the password that you set when you first logged in to the console or CloudLink Center, which replaced the default console password.

Deploy and configure CloudLink Center in VMware vSphere for Enterprise and PowerFlex

CloudLink uses an interface to enable CloudLink Center to communicate with the CloudLink Agent that is installed on individual machines. This interface is supported through a virtual network interface that is in the Open Virtualization Format (OVF) template that is used to deploy CloudLink Center. The interface is configured when you first log in to CloudLink Center.


Deploy the CloudLink Center OVF template

Use this procedure to deploy the OVF template.

Prerequisites

This procedure assumes that you have obtained the CloudLink Center Open Virtualization Format (OVF) template that is used for deployment.

Steps

1. From vSphere Client, select File > Deploy OVF Template .

2. In the Deploy OVF Template window, go to your template folder, select the CloudLink Center template, and then click Next .

3. Ensure that the OVF template information is correct and click Next .

4. Enter a name, select an inventory location for the deployed template, and click Next .

5. Select a host or cluster to run the deployed template, and then click Next .

6. If a series of warnings is displayed, click Yes to continue with the deployment.

7. Select a resource pool and click Next .

8. In the Review details panel, verify the template details, and then click Next .

9. Select a storage location for the machine files and click Next .

10. Select the disk format for the virtual disk and click Next .

11. Select a destination network and click Next .

12. In the Deployment Settings panel, review the selected options and click Finish .

13. In the Deployment Completed Successfully dialog box, click Close .

The CloudLink Center VM is displayed in the VMware vSphere VM list.

14. In vSphere Client, right-click the CloudLink Center VM and select Power > Power on .

Results

The DHCP server is assigned as the default server for CloudLink Center. If a DHCP server is available on your network, the CloudLink Center VM automatically generates a random hostname for the CloudLink Center by using the DHCP server. You can also pre-configure static network settings of the CloudLink VM during deployment by using the vSphere vApp Configure option.

When the static information is not provided during deployment, by default, the network configuration settings are assigned by a DHCP server. See the Pre-configure the static network settings during CloudLink VM deployment technical white paper available on the support site.

If a DHCP server is available, see Access CloudLink Center.

To configure static IPv4 or IPv6 network values, see Configure static network values in vSphere Client, Hyper-V Manager or KVM.

To configure DHCP IPv4 or IPv6 network values, see Configure DHCP IPv4 or IPv6 network values in vSphere Client or Hyper-V Manager or Virtual Machine Manager.

NOTE: Before you log in to CloudLink Center or the console, wait until vSphere Client reports that VMware Tools are installed and running. Otherwise, you might experience network configuration issues.

After deploying OVF or VHD template or qcow2 image file

This topic provides information about the rules that you should consider after deploying OVF or VHD template or qcow2 image file, and if you use IPv6 on your network.

NOTE: If you use IPv6 on your network, the following rules apply to CloudLink Center initial configuration:

● CloudLink supports the following combinations of IPv4 and IPv6 with static and dynamic network values:

○ IPv4 static

○ IPv4 DHCP

○ IPv6 static

○ IPv6 DHCP


● CloudLink Center or a CloudLink Center cluster can use IPv6 addresses (static, link-local, Stateless Address Autoconfiguration, or DHCPv6) to communicate with machines.

● When powered on, the CloudLink Center appliance tries to detect a DHCPv4 server or a DHCPv6 server. If neither is detected, the Initial Configuration wizard is automatically closed. Configure the IPv4 or IPv6 static values by clicking Network in the Update Menu. See Configure static network values in vSphere Client, Hyper-V Manager or KVM.

Guidelines for configuring IPv4 or IPv6 addresses

Consider the following guidelines for configuring IPv4 or IPv6 or both IPv4 and IPv6 addresses.

● You can configure IPv4 or IPv6 or both IPv4 and IPv6 addresses on all the interfaces.

● You can choose not to configure IPv4 or IPv6 addresses on all the interfaces.

● You can add manual DNS entries when IPv4 or IPv6 or both IPv4 and IPv6 static network values are configured on at least one interface.

● You cannot add manual DNS entries in the DHCP mode.

● DNS configuration and network configuration information is lost when the network is reset. If you exit the CloudLink Center console without configuring either IPv4 or IPv6 addresses, previous network configuration is not restored.

● Network configuration information is not restored when CloudLink Center is restored from a backup file.

● If your environment consists of a mixed configuration, you can choose to configure both IPv4 and IPv6 addresses for the CloudLink Center.

Configure static network values in vSphere Client or Hyper-V Manager or Virtual Machine Manager

The following procedure explains how to configure IPv4 or IPv6 or both IPv4 and IPv6 static network values in vSphere Client, Hyper-V Manager, or Virtual Machine Manager.

Prerequisites

If a DHCP server is not available, set static IPv4 or IPv6 network values. Use the CloudLink Center console to configure the network settings.

NOTE: The static IPv6 network values are not supported in CloudLink 7.0.1 and earlier versions.

Steps

1. To configure static network values:

● In vSphere Client or Virtual Machine Manager, right-click the CloudLink Center virtual machine and select Open Console .

● In Hyper-V Manager, right-click the CloudLink Center virtual machine and click Connect .

If the screen is blank, press Alt+F1 to open a new console window.

2. Log in to the CloudLink Center console with the login name cloudlink and the default password cloudlink .

Change the default password.

3. When prompted, type a new password for the CloudLink Center console.

4. Press down arrow and type the password again to confirm it.

5. Press Tab and then OK to accept the password change.

Subsequent logins to the console prompt for the new password, which you can change at any time from the Update Menu in the CloudLink Center console. For more information, see CloudLink Update Menu .

6. Press OK again in the Summary screen.

7. Select Reset Network in the Update Menu .

8. When prompted Are you sure you want to reset all network configuration? , select Yes and then press Enter .

9. In the Network 1 Configuration window, select either IPv4 or IPv6 based on your requirement, and then press OK .

10. Select Static , and then press Enter .

11. Type the IP address, netmask, and gateway address for CloudLink Center.

12. Press Tab and then OK .


The Network 1 Configuration window is displayed.

13. Repeat steps 9 to 12 if you want to configure both IPv4 and IPv6.

For example if you have:

● Completed configuring IPv4 and want to configure IPv6, then select IPv6 and repeat steps 9 to 12.

● Completed configuring IPv6 and want to configure IPv4, then select IPv4 and repeat steps 9 to 12.


14. Press Exit if you do not want to configure IPv4 and IPv6.

NOTE: If you reset the network and exit without configuring IPv4 or IPv6, CloudLink Center remains unconfigured.

15. Wait for the network configuration to complete.

This process might take some time.

16. If you want to configure multiple interfaces, repeat steps 9 to 15.

Results

After CloudLink Center network configuration is complete, a summary of its network settings is displayed. These settings include the IPv4 address, the IPv6 address, or both, used to access CloudLink Center from a web browser, and the network configuration information.

Press OK to close the Network configuration(s) screen and return to the Update Menu. You can log out of the console.

The Update Menu is displayed every time you log in to the CloudLink Center console. For more information about using the Update Menu in the CloudLink Center console, see CloudLink Update Menu .

Configure DHCP IPv4 or IPv6 network values in vSphere Client or Hyper-V Manager or Virtual Machine Manager

The following procedure explains how to configure IPv4 or IPv6 or both IPv4 and IPv6 DHCP network values in vSphere Client, Hyper-V Manager, or Virtual Machine Manager.

Prerequisites

If a DHCP server is not available, set static IPv4 or IPv6 network values. Use the CloudLink Center console to configure the network settings. For more information about configuring static network values, see Configure static network values in vSphere Client or Hyper-V Manager or Virtual Machine Manager .

Steps

1. To configure DHCP network values:

● In vSphere Client or Virtual Machine Manager, right-click the CloudLink Center virtual machine and select Open Console .

● In Hyper-V Manager, right-click the CloudLink Center virtual machine and click Connect .

If the screen is blank, press Alt+F1 to open a new console window.

2. Log in to the CloudLink Center console with the login name cloudlink and the default password cloudlink .


Change the default password.

3. When prompted, type a new password for the CloudLink Center console.

4. Press down arrow and type the password again to confirm it.

5. Press Tab and then OK to accept the password change.

Subsequent logins to the console prompt for the new password, which you can change at any time from the Update Menu in the CloudLink Center console. For more information, see CloudLink Update Menu .

6. Press OK again in the Summary screen.

7. Select Reset Network in the Update Menu .

8. When prompted Are you sure you want to reset all network configuration? , select Yes and then press Enter .

9. In the Network 1 Configuration window, select either IPv4 or IPv6 based on your requirement, and then press OK .

10. Select DHCP , and then press Enter .

Based on your selection, DHCP address is configured for either IPv4 or IPv6.

11. Repeat steps 9 to 12 if you want to configure both IPv4 and IPv6.

For example if you have:

● Completed configuring IPv4 and want to configure IPv6, then select IPv6 and repeat steps 9 to 12.

● Completed configuring IPv6 and want to configure IPv4, then select IPv4 and repeat steps 9 to 12.

12. Press Exit if you do not want to configure IPv4 and IPv6.

NOTE: If you reset the network and exit without configuring IPv4 or IPv6, CloudLink Center remains unconfigured.

13. Wait for the network configuration to complete.

This process might take some time.

14. If you want to configure multiple interfaces, repeat steps 9 to 14.

Results

After CloudLink Center network configuration is complete, a summary of its network settings is displayed. These settings include the IPv4 address, the IPv6 address, or both, used to access CloudLink Center from a web browser, and the network configuration information.

Press OK to close the Network configuration(s) screen and return to the Update Menu. You can log out of the console.

The Update Menu is displayed every time you log in to the CloudLink Center console. For more information about using the Update Menu in the CloudLink Center console, see CloudLink Update Menu .

Deploy and configure CloudLink Center in KVM

CloudLink uses an interface to enable CloudLink Center to communicate with the CloudLink Agent that is installed on individual machines. This interface is supported through a virtual network interface that is included in the qcow2 image file which is used to deploy CloudLink Center. The interface is configured when you first log in to CloudLink Center.

Deploy the CloudLink Center qcow2 image file

The following procedure explains how to deploy the qcow2 image file.

Prerequisites

Ensure that you have obtained the CloudLink Center qcow2 image file.

Steps

1. In the Linux desktop environment, start Virtual Machine Manager .

2. Click File > New Virtual Machine .

The Create a new virtual machine window is displayed.

3. Select Import existing disk image , and then click Forward .

4. Click Browse to select the CloudLink Center qcow2 image file.

5. From the OS type list, select Linux.


6. From the Version list, select the required Ubuntu version, and then click Forward .

7. In the Choose Memory and CPU settings window, enter the following values:

a. In the Memory box, enter 6 GB (6144 MB).

b. In the CPU box, enter 4 CPUs.

8. Click Forward .

The Ready to begin the installation window is displayed.

9. In the Name box, enter a name for the VM.

10. From the Network selection list, select the destination network interface.

11. Click Finish .

Results

The DHCP server is assigned as the default server for CloudLink Center. If a DHCP server is available on your network, the CloudLink Center VM automatically generates a random hostname for the CloudLink Center by using the DHCP server.

If a DHCP server is available, see Access CloudLink Center.

To configure static IPv4 or IPv6 network values, see Configure static network values in vSphere Client, Hyper-V Manager or KVM.

To configure DHCP IPv4 or IPv6 network values, see Configure DHCP IPv4 or IPv6 network values in vSphere Client or Hyper-V Manager or Virtual Machine Manager.

Next steps

If you use IPv6 on your network, see After deploying OVF or VHD template or qcow2 image file.

Deploy and configure CloudLink Center in Microsoft Hyper-V

CloudLink uses a network interface to enable CloudLink Center to communicate with the CloudLink Agent that is installed on a machine. This interface is supported through a virtual network interface that is included in the Virtual Hard Disk (VHD) template that is used to deploy CloudLink Center for Microsoft Hyper-V. The interface is configured as part of the CloudLink Center configuration process. CloudLink Agent configures this CloudLink Center network interface server address for authorization purposes.

Deploying CloudLink Center for Microsoft Hyper-V involves deploying the VHD template and configuring CloudLink Center.

Deploy the CloudLink Center VHD template

The following procedure explains how to deploy CloudLink Center VHD template.

Prerequisites

Ensure that you have obtained the CloudLink Center VHD template that is used for deployment.

Steps

1. From the Hyper-V Manager, create a CloudLink Center VM by selecting Action > New > Virtual Machine .

2. Enter a name for the VM, select a location to save the VM files, and then click Next .

3. Select the Generation 1 option if it is available, and click Next .

This option specifies the generation of virtual machine that is used and depends on the version of Windows Server that you are using.

4. Adjust the assigned memory if necessary. It is recommended to use 6 GB. Click Next .

5. Select a network to connect to CloudLink Center or leave the Not Connected option selected, and then click Next .

You can connect to the network later.


6. Connect a VHD by selecting Use an existing virtual hard disk , browsing to the copy of the CloudLink Center VHD file, and then clicking Open .

Do not open the primary VHD file.

7. Review the configuration and click Finish .

8. In the Hyper-V Manager, select Settings and define the network.

9. In the Hyper-V Manager, review your hardware settings for CloudLink Center.

10. Right-click the CloudLink Center VM, and then select Start .

Results

The DHCP server is assigned as the default server for CloudLink Center. If a DHCP server is available on your network, the CloudLink Center VM automatically generates a random hostname for the CloudLink Center by using the DHCP server.

If a DHCP server is available, see Access CloudLink Center.

To configure static IPv4 or IPv6 network values, see Configure static network values in vSphere Client, Hyper-V Manager or KVM.

To configure DHCP IPv4 or IPv6 network values, see Configure DHCP IPv4 or IPv6 network values in vSphere Client or Hyper-V Manager or Virtual Machine Manager.

Next steps

If you use IPv6 on your network, see After deploying OVF or VHD template.

Deploy and configure CloudLink Center in Azure

Use port 443 to access CloudLink Center. The required endpoint is automatically created during CloudLink Center deployment.

However, if you have issues accessing CloudLink Center after deployment, an issue with the endpoint may exist. To resolve this issue, manually create the endpoint. For more information about manually creating an endpoint, see the Microsoft Azure Documentation .

While deploying and configuring CloudLink Center in Azure, ensure that:

● FQDN specified for the CloudLink Center is configured in your DNS servers.

● FQDN specified for the CloudLink Center is resolvable.

● DNS servers are reachable by CloudLink Center.

NOTE: For information about IPv6 support and reachability in Azure environment, see Microsoft Azure documentation .

Deploy and configure CloudLink Center in Azure Stack

You must have a functional Azure Stack system that is connected to Azure Marketplace. See the Azure documentation portal .

NOTE: Before you deploy CloudLink Center in your Azure Stack environment, the CloudLink image must be available in the Azure Stack.

Contact Dell Technologies Customer Support team to obtain the following CloudLink images:

● Dell CloudLink 7.1.5 BYOL image file

● Dell CloudLink 7.1.5 Solution BYOL solution template

● CloudLink Agent for Linux virtual machine extension (optional)

● CloudLink Agent for Windows virtual machine extension (optional)

Deploy and configure CloudLink Center 27

Deploy and configure CloudLink Center image in Microsoft Azure and Azure Stack

Use this procedure to deploy the CloudLink Center image in Microsoft Azure or Azure Stack.

Steps

1. Create a new CloudLink Encryption for machines.

2. Define network setting of CloudLink Encryption for machines.

3. Define deployment type of CloudLink Encryption for machines.

4. Define Second step configuration of CloudLink Encryption for machines.

5. Create a new CloudLink Center server.

6. Add the CloudLink Center server to an existing cluster.

7. Configure CloudLink Center in the web interface.

8. Click OK.

9. In the Summary blade, review the CloudLink Center server settings and click OK.

10. In the Buy or Create blade, review the terms of use and click Purchase or Create.

After the machine is created, you can browse for it in the Virtual machines blade.

Create a new CloudLink Encryption for machines

Steps

1. Sign in to the Azure Portal or your Azure Stack portal.

2. From the Hub menu, select Create a resource.

3. In the New blade, search for CloudLink SecureVM.

4. Select CloudLink in the search results.

5. In the CloudLink blade, select the Dell CloudLink 7.1.2 Solution BYOL software plan, and then click Create.

Define network setting configuration for CloudLink Encryption for machines

Steps

1. In the Basics blade, choose a subscription, resource group, and location.

2. Click OK.

3. In the Console configuration blade, type or accept the VM Name, and enter the CloudLink Center console account credentials.

4. Click OK.

5. In the Choose a size blade, accept the default VM size or select a new size, and then click OK.

6. In the Settings blade, define the network settings and click OK.

NOTE: In the Server public name/address box of Second Step Configuration, enter your domain name label and domain name. For example, if your domain name label is example, and your domain name is eastus.cloudapp.azure.com, then the Server public name/address must be example.eastus.cloudapp.azure.com.


Define deployment type of CloudLink Encryption for machines

Steps

In the Configuration blade, select a deployment type and click OK.

a. Select New Server to create a new CloudLink Center server.

b. Select Add to Existing Cluster to add the CloudLink Center server to an existing cluster. This deployment type requires at least one existing CloudLink Center server.

c. Select No Configuration to configure CloudLink Center in the web interface.

Define Second step configuration of CloudLink Encryption for machines

Steps

In the Second Step Configuration blade, do the following depending on your deployment type:

● Create a new CloudLink Center server.

● Add the CloudLink Center server to an existing cluster.

● Configure CloudLink Center in the web interface.

Create a new CloudLink Center server

Steps

1. Enter or accept the hostname.

If you enter the hostname, ensure that you enter the VM name as the CloudLink hostname.

2. Type the DNS name used to connect to this server. See CloudLink Center server address.

The DNS name must be a combination of the domain name label and domain name from the Settings blade.

3. Browse to and select a license file.

NOTE: If you select a CloudLink 6.5 or earlier license, you must assign the license start date after deploying the CloudLink Center. This does not apply to CloudLink 6.6 or later licenses.

4. Type the password for the in-built secadmin user and reenter it to confirm.

You can change the password for the secadmin user account at any time after the first login. For more information, see the Dell CloudLink Administration Guide.

Add the CloudLink Center server to an existing cluster

Steps

1. Enter or accept the hostname.

If you enter the hostname, ensure that you enter the VM name as the CloudLink hostname.

2. Type the DNS name used to connect to this server. For more information, see CloudLink Center server address.

The DNS name must be a combination of the domain name label and domain name from the Settings blade.

3. Enter the following properties of the existing cluster server: DNS name, user name, and password.

Configure CloudLink Center in the web interface

Steps

Type accept in the text field to confirm that you will configure CloudLink Center in the web interface.


Deploy and configure CloudLink Center image in Amazon Web Services (AWS)

The AWS CloudLink Center image is required to deploy and configure CloudLink Center in AWS. Contact the Dell Technologies Customer Support team to obtain the AWS CloudLink Center image.

NOTE: While deploying and configuring CloudLink Center in AWS, you are prompted to enter or accept the CloudLink hostname. This CloudLink hostname changes each time the CloudLink Center restarts.

Prerequisites to install VASA provider on controller nodes using PowerFlex

● SVM template with OpenJDK version 8 for VMware vSphere API for Storage Awareness (VASA) VMs

● VASA VM should have sufficient memory. The minimum required amount is 8 GB, though 16 GB is recommended.

● VASA VM with three network interface controllers for ESXi management, DATA 1, and DATA 2 networks

● The DNS server must be configured.

● The hostname of each VASA VM must match the VASA FQDN.

● OpenJDK version 8 must be installed. The jdk-8u121-linux-x64.rpm file is downloaded to the /root/install directory.

● All components of your environment, including ESXi and vCenter, must have their time synchronized.

● A test folder is created and LIA, SDC, and VASA provider RPMs are copied.


Chapter 5: Prepare CloudLink Agent for deployment

After deploying and configuring CloudLink Center, prepare to install CloudLink Agent on machines by accessing CloudLink Center and setting up CloudLink licenses.

Topics:

Access CloudLink Center

Log in to CloudLink Center by using web browser

Prerequisites for configuring a CloudLink server

Configure the CloudLink Center server

Configure machine groups and volume or device encryption policy

Set Machine Agent Upgrade policy for CloudLink Agent

Access CloudLink Center

This topic provides information on how to access CloudLink Center.

Ensure that the following prerequisites are met:

● Web browser to log in to CloudLink Center after it is deployed

● HTTPS and JavaScript must be enabled in the web browser

● URL or clc_address of the CloudLink Center

If you have a DHCP server on your network, the clc_address is available in the virtual machine of the CloudLink Center. To locate the clc_address:

● In vCenter Client, click General panel.

● In Hyper-V Manager, click Networking.

If you configured network settings in the CloudLink Center console, the clc_address is available in the Update Menu > Summary of the CloudLink Center console.

It is recommended that you configure Microsoft Windows domain integration so that you can access CloudLink Center with Windows domain credentials. In this case, do not provide CloudLink Center credentials. The secadmin user account remains a local account. For information about user accounts and configuring Microsoft Windows domain integration, see the "Microsoft Windows domain for user accounts" section in the Dell CloudLink Administration Guide.

Log in to CloudLink Center by using web browser

Use this procedure to log in to CloudLink Center by using web browser.

Steps

1. In your web browser, type the URL for CloudLink Center in the following format: https://clc_address.

To locate the clc_address, see Access CloudLink Center.

2. Log in with the username secadmin, and the secadmin password specified during deployment.

Prerequisites for configuring a CloudLink server

Ensure that the following prerequisites are met before configuring CloudLink server.

● CloudLink license files determine the number of machine instances or the encrypted storage capacity that your organization can manage with CloudLink Center, and the duration of the license. During initial configuration, you must upload one license.


You can upload additional licenses after the initial deployment. For information about CloudLink license files, see the Dell CloudLink Administration Guide.

● The cluster server name is used primarily for CloudLink Center clusters, but it must be specified even if you do not plan to use clusters. See Requirements for CloudLink Center server addresses in clusters.

● Backups of CloudLink Center are encrypted using AES-256 with an RSA-2048 key pair. CloudLink Center only stores the public key. The private key must be downloaded and saved securely. Use CloudLink Web UI to generate an RSA-2048 key pair. Ensure that you save the private key in a known and secure location. The private key is required when restoring a backup.

● CloudLink Center stores sensitive information that is encrypted in the CloudLink Vault. The CloudLink Vault has to be unlocked before the information can be accessed. It is recommended that you use the Manual Unlock mode when deciding about how CloudLink Center opens the CloudLink Vault when restarted. This mode opens CloudLink Vault only when an administrator provides an appropriate passcode.

To ensure that CloudLink Vault can be unlocked manually after a CloudLink Center restart, use CloudLink Web UI to configure at least one CloudLink Vault passcode. See CloudLink Vault to encrypt CloudLink Center machine data.

Configure the CloudLink Center server

Use this procedure to access CloudLink Center, and configure the server. For Azure Stack, use this procedure only if you selected the No Configuration deployment type.

Steps

1. In your web browser, type the URL for CloudLink Center in the following format: https://clc_address.

The clc_address must be in either FQDN, IPv4, or IPv6 format. To locate the clc_address, see Access CloudLink Center.

2. Accept the license agreement.

3. The password for the in-built secadmin user must be changed the first time you log in. Type the secadmin password, reenter it to confirm, and then click Change Password.

You can change the password for the secadmin user account at any time after the first-time login. For more information, see the Dell CloudLink Administration Guide.

4. Type the CloudLink Center console password, reenter it to confirm, and then click Change Console Password.

NOTE: Step 4 is not applicable if you have already logged in to the CloudLink Center console.

5. Accept or change the CloudLink Center hostname.

If you change the hostname, ensure that you refresh the browser.

6. From the Deployment Type list, select New Server, and then click Next.

7. Select the license file, and click Upload.

You can browse to the license file.

8. In the Server Name or IP Address box, enter the DNS name or IP address that is used to connect to this server and click Next.

For more information, see CloudLink Center server address.

9. Click Generate and Download.

10. Save the private key to an appropriate location.

By default, the private key is saved to the download folder of your web browser.

11. Click Next.

12. Click I Acknowledge.

13. Select Manual Unlock or Auto Unlock, and then click Next.

14. Enter at least one CloudLink Vault passcode and reenter it to confirm.

15. Click Set Codes.


Configure machine groups and volume or device encryption policy

Before deploying CloudLink Agent to machines, you may want to set up machine groups and their volume or device encryption policy. For more information, see Manage CloudLink machines by grouping.

CloudLink Center assigns machines to an existing machine group during CloudLink Agent deployment. Creating machine groups before deploying CloudLink Agent to machines enables you to assign a machine to the appropriate group during deployment.

The benefit is that, after registering the machine, encryption begins automatically based on the volume encryption policy for the machine group.

If you do not specify an existing machine group during deployment, CloudLink Center assigns the machine to the Default group.

By default, this group uses the Manual volume or device encryption policy, which does not require encryption of any type of volume or device on machines in the group.

You can move machines to other groups after deployment. Based on the volume or device encryption policy for the original and new group, you must manually encrypt volumes so that the machine complies with the volume or device encryption policy of the new group.

For more information about creating machine groups and defining volume or device encryption policy, see the Dell CloudLink Administration Guide.

Set Machine Agent Upgrade policy for CloudLink Agent

If the Machine Agent Upgrade policy is set to Auto, connected CloudLink Agents are automatically upgraded. Any CloudLink Agent that is not connected is automatically upgraded the next time it connects to CloudLink Center.

NOTE: By default, the Machine Agent Upgrade policy is set to Auto for the default machine group. It is recommended to set the Machine Agent Upgrade policy to Auto.

NOTE: In a PowerFlex Manager orchestrated environment, the PowerFlex Manager sets the Machine Agent Upgrade policy to Manual. Ensure that you do not change this setting.


Chapter 6: Deploy, configure, and verify CloudLink Agents on Windows and Linux machines

You can deploy CloudLink Agent using a standard or custom installation. For VMs deployed in the Azure Portal, you can deploy CloudLink Agent from Azure Virtual Machine Extensions.

NOTE: For information about downloading and installing third-party signed certificates, see the "Secure CloudLink Center agents using third-party signed certificates" chapter in the Dell CloudLink Administration Guide available on the support site.

● The standard installation is an automated method that requires minimal intervention by you. It is useful for deploying CloudLink Agent to machines on an individual basis.

● The custom installation requires more intervention by you, but it provides more flexibility for deployment. Unlike the standard installation, the custom installation does not automatically register the machine with CloudLink Center.

A custom installation is useful for the following purposes:

○ Deploying CloudLink Agent to machines before deploying CloudLink Center

○ Deploying CloudLink Agent with configuration management tools

Select either the standard or custom installation that is based on the level of automation or points of manual intervention you require. At a high level, deployment includes the following processes:

● The machine might automatically restart several times to install and configure BitLocker or dm-crypt, and to create a system reserve or boot volume.

● The machine is automatically registered with CloudLink Center. This is the default setting, but a machine group could require manual approval for new machines.

● Encryption (if any), begins based on the volume or device encryption policy for the specified machine group.


For more information about the pending state and volume or device encryption policy, see the Dell CloudLink Administration Guide.

Topics:

Manage Self-Encrypting Drives (SEDs)

Standard and Custom mode installation of CloudLink Agent on Windows and Linux

Install CloudLink Agent using Standard mode

Download and Install CloudLink Agent on Windows and Linux using Custom mode

CloudLink Agent for Microsoft SQL Server

Deploy CloudLink Agent Azure extension using the Azure portal

Deploy CloudLink Agent Azure extension to a Windows machine using PowerShell

Deploy CloudLink Agent Azure extension to a Linux machine using PowerShell

Manage Self-Encrypting Drives (SEDs)

See the "Manage Secure Machines" chapter in the Dell CloudLink Administration Guide.

Standard and Custom mode installation of CloudLink Agent on Windows and Linux

The topic describes the deployment process for each type of installation and for each OS. The following procedure enables you to determine the appropriate installation based on your requirements.

Install CloudLink Agent on Windows and Linux machines in Standard mode

NOTE:

● To install and connect an agent to CloudLink Center, see Download CloudLink Agent installer script for Standard mode on Linux CLI.

● To install the agent in Custom mode, see Download the CloudLink Agent deployment package for Linux in Custom mode.

NOTE: To install an agent using a third-party signed certificate, see the "Secure CloudLink Center agents using third-party signed certificates" chapter in the Dell CloudLink Administration Guide available on the support site.

1. Download the CloudLink Agent installer.

2. Run the installer to complete installation and configuration.

Install CloudLink Agent on Windows machines in Custom mode

1. Download the CloudLink Agent installer package.

2. Install the package.

NOTE: If you do not want to register the machine during deployment, you can omit the CloudLink Center server address and add it manually later. Else, you can set the New Machine detection policy to get a manual approval. Registration is required for automatic encryption.

Install CloudLink Agent on Linux machines in Custom mode

1. Download the OS-specific deployment package.

2. Install the package.

3. Configure the CloudLink Center server address.


Install CloudLink Agent using Standard mode

Use this procedure to install CloudLink Agent on Windows or Linux machines by using the Standard installation mode.

Steps

1. Download the installer using the CloudLink Center interface or directly from the server.

2. Run the installer from the command line to complete installation and configuration.

Download CloudLink Agent installer for Standard mode

Download the CloudLink Agent installer from CloudLink Center. For Windows, the installer is provided as the Windows installer script clagent.bat. For Linux, the installer is provided as the Linux installer script clagent.sh.

NOTE: To install and connect a third-party certificate on a Linux and Windows agent, see the "Secure CloudLink Center agents using third-party signed certificates" chapter in the Dell CloudLink Administration Guide available on the support site.

You can download the installer in one of the following methods:

● Log in to CloudLink Center and download the installer using the CloudLink Center user interface.

● Download the installer from the CloudLink Center server without logging in.

● Download the installer using a CLI.

If you are not responsible for completing the installation, provide the downloaded software to the appropriate person.

Download CloudLink Agent installer script for Standard mode by using CloudLink Center GUI

Steps

1. Log in to CloudLink Center. See Access CloudLink Center.

2. From Agents, select Agent Download.

3. On the Downloads dialog box, select the Windows installer script or Linux installer script, and then click Download Selected.

4. Click Save File .

Results

The installer is downloaded to your download folder.


Download CloudLink Agent installer script for Standard mode directly from CloudLink Center

Steps

1. In a web browser, type the following: https://clc_address/cloudlink/agent where clc_address is the CloudLink Center server address. The clc_address must be in either the FQDN, IPv4, or IPv6 format. See CloudLink Center server address.

2. Click Save File .

For Linux, use the file name clagent.sh.

Results

The installer is downloaded to your download folder.

Download CloudLink Agent installer script for Standard mode on Windows CLI

Prerequisites

To download the clagent.bat file by running the Invoke-RestMethod command, you must use an HTTPS connection.

To enable a secure connection, do one of the following:

Option 1: Configure CloudLink Web TLS certificate on VM

Steps

1. On the CloudLink UI, download the CloudLink web TLS certificate to a file.

2. Add the certificate to the Trusted Root Certification Authorities certificate store either from the browser settings or using

Windows Certificate Manager.

3. On Windows Server 2012 or 2012 R2 and Windows Server 2016, start a Windows PowerShell session that uses TLS 1.2 to communicate with the CloudLink Center web server.

4. Run the following commands:

$TLSProtocols = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'
[System.Net.ServicePointManager]::SecurityProtocol = $TLSProtocols

The TLS 1.2 mode is enabled only for the current PowerShell session.

NOTE: To support TLS 1.2, use .NET Framework 4.7 and later versions.

5. Download the clagent.bat installer script file by running the following command:

Invoke-RestMethod -Uri https://clc_address/cloudlink/agent -OutFile clagent.bat

where clc_address is the CloudLink Center server address. The clc_address must be in either the FQDN, IPv4, or IPv6 format. See CloudLink Center server address.

Results

The Windows installer is downloaded to the current folder.


Option 2: Ignore verification of certificate on PowerShell

1. If the CloudLink web TLS certificate is not configured on the VM, run the following script in PowerShell to skip certificate verification, but only for the current PowerShell session:

if (-not("SkipCert" -as [type]))
{
    add-type -TypeDefinition @"
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public static class SkipCert
{
    public static bool RetTrue(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        return true;
    }
    public static RemoteCertificateValidationCallback CallBack()
    {
        return new RemoteCertificateValidationCallback(SkipCert.RetTrue);
    }
}
"@
}
$TLSProtocols = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'
[System.Net.ServicePointManager]::SecurityProtocol = $TLSProtocols
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = [SkipCert]::CallBack()

With this callback in place, the next step downloads the clagent.bat file over HTTPS, but the server certificate is not verified during this session.

2. Run the following command to download the clagent.bat installer script file:

Invoke-RestMethod -Uri https://<CLC_IP>/cloudlink/agent -OutFile clagent.bat

NOTE: You can also download the DownloadBat.PS1 script from the following location on the support site and run it at the PowerShell prompt with the DownloadBat.PS1 -clc <CLC IP> command: https://www.dell.com/support/home/en-us/product-support/product/cloudlink-securevm/drivers.

Download CloudLink Agent installer script for Standard mode on Linux CLI

Prerequisites

Update to the latest curl version before downloading the installation script.

NOTE: If you plan to install an agent in the third-party-certificate mode, then download the certificate file only to the /tmp directory. For information about downloading and installing a third-party signed certificate to a Linux agent, see the "Secure CloudLink Center agents using third-party signed certificates" chapter in the Dell CloudLink Administration Guide available on the support site.

Steps

1. Use a CLI application such as wget or curl.

2. Enter one of the following commands:

wget -O clagent.sh https://clc_address/cloudlink/agent

curl -o clagent.sh https://clc_address/cloudlink/agent

where clc_address is the CloudLink Center server address. The clc_address must be in either the FQDN, IPv4, or IPv6 format. For more information, see CloudLink Center server address.


Results

The Linux installer is downloaded to the current directory.

Download CloudLink Agent installer script by ignoring the verification of TLS certificate when using HTTPS

Prerequisites

None.

Option 1: Run one of the following commands at the CLI:

Steps

1. #wget --no-check-certificate https://cloudlink-ip-addr/cloudlink/agent -O clagent.sh

2. #curl --insecure https://cloudlink-ip-addr/cloudlink/agent -o clagent.sh

where cloudlink-ip-addr is the CloudLink Center server address.

Results

The Linux installer is downloaded to the current folder.

Option 2: Run the following commands at the CLI:

1. Configure the CloudLink Center Web TLS certificate on the VM by doing one of the following:

● A) Save or import the Web TLS certificate to a file and rename the file as cloudlink-host-name.pem.

● B) Enter the following command at the CLI: #openssl s_client -servername 100.101.9.62 -connect 100.101.9.62:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cloudlink-host-name.pem

2. Map the CloudLink Center server IP address to server-host-name by adding an entry for it in /etc/hosts.

3. Install the downloaded CloudLink Web TLS certificate on the Linux agent machine:

● A) On SUSE machines, install the CloudLink Web TLS certificate by running the following commands:

○ #cp cloudlink-host-name.pem /usr/share/pki/trust/anchors/

○ #cp cloudlink-host-name.pem /etc/pki/trust/anchors/

○ #update-ca-certificates

● B) On RHEL or CentOS machines, install the CloudLink Web TLS certificate by running the following commands:

○ #cp cloudlink-host-name.pem /usr/share/pki/ca-trust-source/anchors/

○ #cp cloudlink-host-name.pem /etc/pki/ca-trust/source/anchors/

○ #update-ca-trust

● C) On Ubuntu or Debian machines, install the CloudLink Web TLS certificate by running the following commands:

○ Rename the CloudLink Web TLS certificate file extension from .pem to .crt.

○ #cp cloudlink-host-name.crt /usr/local/share/ca-certificates/

○ #update-ca-certificates

4. Download the agent installation script by running the following command:

● #curl https://<cloudlink-host-name>/cloudlink/agent -o agent

NOTE: Downloading the agent script by using the Web TLS certificate may fail on some Linux distributions because of differences in TLS library and curl versions. In that case, use Option 1 described in this procedure.
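The following script is an added example, not part of the Dell guide: it automates the Option 2 procedure above (fetch the CloudLink Center web TLS certificate with the guide's openssl one-liner, print its fingerprint for comparison against the CloudLink UI, install it in the distribution's trust anchors, and download clagent.sh with certificate verification left on), which is the same trust-the-real-certificate approach the Windows Option 1 describes. It assumes the default self-signed CloudLink web certificate, root privileges for the system-wide install, and a hostname you supply; the anchor directories and update commands are the ones listed in the procedure.

```shell
#!/bin/sh
# Added example (not Dell's code): fetch, pin and install the CloudLink Center
# web TLS certificate, then download the agent script over a verified channel.
set -eu

# Map an /etc/os-release ID to "ANCHOR_DIR UPDATE_CMD FILE_EXT" as listed in the
# procedure (the /etc paths; the guide also copies to the /usr/share twins).
# Returns 1 for distributions the procedure does not cover.
ca_trust_info() {
    case "$1" in
        sles|opensuse*) printf '%s %s %s\n' /etc/pki/trust/anchors update-ca-certificates pem ;;
        rhel|centos)    printf '%s %s %s\n' /etc/pki/ca-trust/source/anchors update-ca-trust pem ;;
        ubuntu|debian)  printf '%s %s %s\n' /usr/local/share/ca-certificates update-ca-certificates crt ;;
        *)              return 1 ;;
    esac
}

# Read the ID= value from an os-release file (path overridable for testing).
os_id() {
    sed -n 's/^ID=\(.*\)$/\1/p' "${1:-/etc/os-release}" | tr -d '"'
}

# Fetch the server's leaf certificate exactly as the guide's openssl command does.
fetch_cert() {   # fetch_cert HOST OUTFILE
    openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$2"
    [ -s "$2" ] || { echo "no certificate received from $1" >&2; return 1; }
}

# SHA-256 fingerprint, to be compared with the one shown in the CloudLink
# Center UI before the certificate is trusted (guards against a spoofed server).
cert_fingerprint() {   # cert_fingerprint CERTFILE
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Install the certificate system-wide for the detected distribution (needs root).
install_cert() {   # install_cert CERTFILE [OS_RELEASE_FILE]
    info=$(ca_trust_info "$(os_id "${2:-/etc/os-release}")") || {
        echo "unsupported distribution for automatic trust install" >&2; return 1; }
    set -- "$1" $info                 # $2=dir $3=update command $4=extension
    cp "$1" "$2/cloudlink-host-name.$4"
    "$3"
}

# Download clagent.sh with verification ON: --cacert pins trust to the fetched
# (self-signed) certificate for this call only, so neither -k nor
# --no-check-certificate is needed even before the system store is updated.
download_agent() {   # download_agent HOST CERTFILE OUTFILE
    curl --fail --silent --show-error --cacert "$2" \
        "https://$1/cloudlink/agent" -o "$3"
}

main() {
    host=$1
    fetch_cert "$host" cloudlink-host-name.pem
    echo "CloudLink Center certificate SHA-256: $(cert_fingerprint cloudlink-host-name.pem)"
    download_agent "$host" cloudlink-host-name.pem clagent.sh
    install_cert cloudlink-host-name.pem
}

# Runs only when a host is given, e.g.:  sh clc_fetch_agent.sh clc.example.com
if [ "$#" -ge 1 ]; then main "$1"; fi
```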

Run the CloudLink Agent installer in Standard mode

After downloading the CloudLink Agent installer from CloudLink Center, run the installer at the CLI by entering the following:

● CloudLink Center server address

● Registration code for the machine group to which you want to assign this machine (optional). See Manage CloudLink machines by grouping.


The registration code is available from CloudLink Center on the Agents > Machine Groups page. See the Dell CloudLink Administration Guide.

If you do not provide a registration code, CloudLink Center assigns the machine to the Default machine group.

Run the CloudLink Agent installer in Standard mode on Windows

About this task

On Windows VMs, CloudLink Agent automatically moves the page file to the boot drive when it is installed.

It is recommended not to move the page file to an encrypted data drive after CloudLink Agent is installed. Else, Windows cannot create administrative network shares because it uses a temporary page file.

Steps

1. In a command window, go to the folder where you downloaded the CloudLink Agent installer.

By default, the installer is downloaded to your download folder.

2. Enter the following at the CLI:

clagent.bat /S clc_address [/g group_code]

where /S clc_address specifies the CloudLink Center server address. For more information, see CloudLink Center server address.

/g group_code specifies the registration code for the machine group to which you want to assign this machine.

NOTE: CloudLink 7.1.3 and later versions enable you to use a third-party signed CA certificate for installing agents and connecting them to CloudLink. See the "Secure CloudLink Center agents using third-party signed certificates" chapter in the Dell CloudLink Administration Guide available on the support site.

Run the CloudLink Agent installer in Standard mode on Linux

Use this procedure to run the CloudLink Agent installer in Standard mode on Linux.

About this task

NOTE: After CloudLink Agent is installed on a Linux machine and the boot partition is encrypted; kernel upgrades and any other upgrades that involve rebuilding the kernel or initrd are not supported.

Steps

1. In a command window, go to the folder where you downloaded the CloudLink Agent installer.

By default, the installer is downloaded to your download folder.

2. Enter the following command at the CLI:

sudo sh clagent.sh -S clc_address [-G group_code]

where -S clc_address specifies the CloudLink Center server address. For more information, see CloudLink Center server address.

-G group_code specifies the registration code for the machine group to which you want to assign this machine.

NOTE: CloudLink 7.1.3 and later versions enable you to use a third-party signed CA certificate for installing agents and connecting them to CloudLink. See the "Secure CloudLink Center agents using third-party signed certificates" chapter in the Dell CloudLink Administration Guide available on the support site.


Scenario-based limitations for installing the CloudLink Agent installer in Standard mode by using IPv6 protocol

The following limitations apply when installing CloudLink Agent in Standard mode by using the IPv6 protocol:

Install CloudLink Agent by using an IPv6 link-local address, without scope

Windows client

● Installation—Not allowed

● Example— clagent.bat /S fe80::0

● Sample error message: IPv6 link local address must include a scope ID.

Linux client

● Installation—Not allowed

● Example— sh clagent.sh -S fe80::0

● Sample error message: IPv6 Link local address <IPv6 address> requires scope.

Install CloudLink Agent by using an IPv6 link-local address, with scope indicated by the network interface ID

Windows client

● Installation—Not allowed

● Example— clagent.bat /S fe80::0%12

● Sample error message: Not applicable

Linux client

● Installation—Not allowed

● Example— sh clagent.sh -S fe80::0%2

● Sample error message: IPv6 link local address scope can be interface name only.

Install CloudLink Agent by using an IPv6 link-local address, with scope indicated by the network interface name

Windows client

● Installation—Not allowed

● Example— clagent.bat /S fe80::0%Ethernet

● Sample error message: IPv6 link local address scope can be interface number only.

Linux client

● Installation—Allowed

● Example— sh clagent.sh -S fe80::0%eth0

● Sample error message: Not applicable

Install CloudLink Agent using IPv6 link-local address on Debian 10 operating system

The following procedure explains how to install CloudLink Agent by using an IPv6 link-local address on Debian 10 operating system.

About this task

NOTE: You can use this procedure to install CloudLink Agent using IPv6 link-local address on Debian 10 operating system using Standard and Custom mode.

To download and run the CloudLink Agent on Debian 10 operating system, type the following commands:


Steps

1. To list the IPv6 addresses of the network interface that reaches CloudLink Center, and note its link-local (fe80::) address, type the following command: ip -6 addr show dev ens192 where ens192 is the name of the network interface.

2. Download the installer through that interface: curl --interface ens192 https://[IPv6-link-local-address]/cloudlink/securevm -o securevm

The square brackets are required around an IPv6 literal in a URL. If curl cannot route to the link-local address, add the zone to the literal as well, in the percent-encoded form https://[IPv6-link-local-address%25ens192]/cloudlink/securevm. curl verifies the CloudLink Center TLS certificate; if CloudLink Center uses a self-signed or private CA certificate, pass that CA with --cacert rather than disabling verification with -k, so that the installer you run is the one CloudLink Center served.

3. Run the installer, giving the interface name as the scope of the IPv6 link-local address. For example: sh securevm -S <IPv6-link-local-address>%ens192

Download and Install CloudLink Agent on Windows and Linux using Custom mode

This topic describes the procedure to download and install CloudLink Agent on Windows and Linux using Custom mode of installation.

Download and run CloudLink Agent using Custom mode on

Windows

Use this procedure to download and run CloudLink Agent using the Custom mode on Windows.

Steps

1. Download the CloudLink Agent installer package. See Download CloudLink Agent installer package for Windows in Custom mode.

2. Run the installer from the CLI to complete installation and configuration.

Download CloudLink Agent installer package for Windows in Custom mode

Use this procedure to download the CloudLink Agent installer package for Windows in Custom mode.

Steps

1. Log in to CloudLink Center.

2. From Agents , select Agent Download .

3. From the Downloads page, select the 64-bit Windows Installer package (securevm-windows-x64.msi), and then click Download Selected.

4. Click Save File .

Results

The installer package is downloaded to your Downloads directory.

Run the CloudLink Agent installer package in Custom mode on Windows

Use this procedure to run the CloudLink Agent installer package on Windows using Custom mode.

About this task

After downloading the CloudLink Agent installer package (the securevm-windows-x64.msi file) from CloudLink Center, you can run it from the CLI or by using Windows Installer tools.

Steps

1. Go to the folder where the CloudLink Agent installer package is located.


2. From the command line, type the following: msiexec /i securevm-windows-x64.msi [CLOUDLINKCENTER=clc_address] [GROUPCODE=group_code]

NOTE: CloudLink 7.1.3 and later versions enable you to use a third-party signed CA certificate for installing agents and connecting them to CloudLink. See the "Secure CloudLink Center agents using third-party signed certificates" chapter in the Dell CloudLink Administration Guide available on the support site.

● CLOUDLINKCENTER=clc_address specifies the CloudLink Center server address. For more information, see CloudLink Center server address. If you do not specify the CloudLink Center server address, the machine is not registered with CloudLink Center and no automatic encryption occurs after deployment. For information about specifying this address following deployment, see Add the CloudLink Center server address or group registration code after deployment.

● GROUPCODE=group_code specifies the registration code for the machine group to which you want to assign the machine. If you do not specify a registration code, CloudLink Center assigns the machine to the Default machine group. For more information, see Manage CloudLink machines by grouping.

You obtain the machine group registration code from CloudLink Center. The code is displayed on Agents > Machine Groups. For more information, see the Dell CloudLink Administration Guide.

3. When the CloudLink Agent Setup Wizard is displayed, click Install .

4. Click Finish .

5. Wait for the installation to complete.

Results

The machine automatically restarts one or more times.

Add the CloudLink Center server address or group registration code after deployment

About this task

As a deployment option, you might omit the CloudLink Center server address when running the MSI file from the CLI. Similarly, you might not have access to the group registration code that is required to assign a machine to a machine group other than Default. See Run the CloudLink Agent installer package in Custom mode on Windows.

Steps

Run the following command to add the CloudLink Center server address or group registration code: svm /S clc_address [/g group_code]

where:

/S clc_address specifies the CloudLink Center server address. For more information, see CloudLink Center server address.

/g group_code specifies the registration code for the machine group to which you want to assign this machine.

Verify successful deployment of CloudLink Agent on Windows machines in Custom mode

Verify successful deployment of CloudLink Agent on Windows machines by using one of the following methods:

● Log in to CloudLink Center, and view the machine status. For information about managing machines, including viewing their status, see the Dell CloudLink Administration Guide.

● In the Windows taskbar, ensure that the CloudLink Agent icon is displayed. Its tooltip displays a message indicating that the machine is connected to CloudLink Center.


Download, install and configure CloudLink Agent using Custom mode on Linux machines

Use this procedure to download, install, and configure CloudLink Agent using custom mode on Linux machines.

Steps

1. Download the CloudLink Agent deployment package.

2. Install the CloudLink Agent deployment package.

3. Configure CloudLink Agent.

Download the CloudLink Agent deployment package for Linux in Custom mode

Use this procedure to download CloudLink Agent deployment package for Linux machines in Custom mode.

Prerequisites

Update to the latest curl version before downloading the installation script.

About this task

CloudLink Agent deployment packages are available as RPM , TGZ , or DEB files which you download from CloudLink Center.

Steps

1. Log in to CloudLink Center.

2. Click Agents > Agent Download .

3. On the Downloads page, select the 64-bit Linux package that you want to use. The package URL is displayed below the selected package.

For example, securevm.centos.x86_64.rpm

4. On the Linux machine, open a command-line client and enter one of the following commands:

wget https://clc_address/cloudlink/agent/url_of_package

curl -O https://clc_address/cloudlink/agent/url_of_package

where clc_address is the CloudLink Center server address and url_of_package is the package URL. The clc_address must be in either the FQDN, IPv4, or IPv6 format; enclose an IPv6 literal in square brackets in the URL.

For example, wget https://192.168.112.157/cloudlink/agent/securevm.centos.x86_64.rpm

Both tools verify the CloudLink Center TLS certificate. If CloudLink Center uses a self-signed or private CA certificate, point the tool at that CA (wget --ca-certificate=<ca_file>, curl --cacert <ca_file>) rather than disabling verification, so that the package cannot be substituted in transit.

Results

The deployment package is downloaded to the Linux machine to be encrypted.

Install the CloudLink Agent deployment package for Linux in Custom mode

About this task

After downloading the deployment package for your operating system from CloudLink Center, do the following.


Steps

Install the package using the package manager for your platform.

NOTE: After CloudLink Agent is installed on a Linux machine and the boot partition is encrypted, kernel upgrades and any upgrades that involve rebuilding the kernel or initrd are not supported.

Configure CloudLink Agent on Linux machines

Use this procedure to configure CloudLink Agent on Linux machines using Custom mode.

About this task

The deployment package installation installs CloudLink Agent, which provides the svm command for configuring CloudLink Agent. During configuration, the machine is registered with CloudLink Center.

NOTE: CloudLink 7.1.3 and later versions enable you to use a third-party signed CA certificate for installing agents and connecting them to CloudLink. See the "Secure CloudLink Center agents using third-party signed certificates" chapter in the Dell CloudLink Administration Guide available on the support site.

Steps

1. Enter the following command to configure CloudLink Agent.

svm [-v] [-G group_code] -S clc_address

where:

● -v uses verbose mode.

● -G group_code specifies the registration code for the machine group that you want to assign this machine to.

● -S clc_address specifies the CloudLink Center server address. The clc_address must be in either the FQDN, IPv4, or IPv6 format. For more information, see CloudLink Center server address.

2. Restart the machine.

Verify successful deployment of CloudLink Agent on Linux machines in Custom mode

About this task

Verify CloudLink Agent deployment from the machine CLI and encryption status of volumes or devices by entering the following command: svm status
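As an added example (not Dell's code), the script below chains the custom-mode steps above on a Linux machine: it builds the package URL from the CloudLink Center address, downloads the package with the server certificate verified against a CA bundle, installs it with the package manager for the package format, registers the agent with svm -S, and runs svm status. The /cloudlink/agent/<package> path and the svm flags are those documented above; the CA file path, the rpm/dpkg mapping, and the example addresses and group code are assumptions or values taken from the examples on this page.

```bash
#!/bin/sh
# Added example (not Dell's code): Linux custom-mode download, install and
# registration as one script. It (1) builds the package URL from the CloudLink
# Center address, adding the square brackets a URL needs around an IPv6
# literal, (2) downloads over TLS verified against the CA that signed the
# CloudLink Center certificate instead of disabling verification, (3) installs
# with the package manager for the package format and (4) registers with svm.
# Assumptions: the /cloudlink/agent/<package> path and the svm flags are as
# shown on this page; package names, CA file path and addresses are placeholders.

# agent_url CLC_ADDRESS PACKAGE -> download URL (IPv6 literal in brackets)
agent_url() {
    clc=$1; pkg=$2
    case "$clc" in
        \[*\]) host=$clc ;;             # already bracketed
        *:*)   host="[$clc]" ;;         # anything with a colon is an IPv6 literal
        *)     host=$clc ;;             # FQDN or IPv4
    esac
    printf 'https://%s/cloudlink/agent/%s\n' "$host" "$pkg"
}

# install_cmd PACKAGE -> the package-manager command for the package's format
# (assumed mapping; the page only says "use the package manager for your platform")
install_cmd() {
    case "$1" in
        *.rpm) printf 'rpm -Uvh %s\n' "$1" ;;
        *.deb) printf 'dpkg -i %s\n' "$1" ;;
        *)     echo "install_cmd: no package-manager rule for $1" >&2; return 1 ;;
    esac
}

# deploy_agent CLC_ADDRESS PACKAGE CA_FILE [GROUP_CODE]
# Runs the real steps; needs root and network access to CloudLink Center.
deploy_agent() {
    clc=$1; pkg=$2; ca=$3; group=${4:-}
    url=$(agent_url "$clc" "$pkg") || return 1
    cmd=$(install_cmd "$pkg") || return 1
    # --cacert verifies the server certificate against the CA you trust (the
    # CloudLink Center self-signed CA, or the third-party CA from 7.1.3 on).
    # Do not replace this with -k/--insecure: an attacker on the path could
    # then serve a different agent package.
    curl --fail --silent --show-error --cacert "$ca" -o "$pkg" "$url" || return 1
    $cmd || return 1
    if [ -n "$group" ]; then
        svm -G "$group" -S "$clc"
    else
        svm -S "$clc"
    fi
    svm status                           # registration and volume encryption state
    echo "restart the machine to complete deployment"
}

# Dry run with constructed values: show what would be fetched and run.
echo "URL:     $(agent_url 192.168.112.157 securevm.centos.x86_64.rpm)"
echo "URL:     $(agent_url 2001:db8::10 securevm.centos.x86_64.rpm)"
echo "install: $(install_cmd securevm.centos.x86_64.rpm)"
# deploy_agent clc.example.com securevm.centos.x86_64.rpm /etc/pki/clc-ca.pem 53adcc66
```

Run deploy_agent as root on the machine to be encrypted; the dry-run lines at the end only print the URL and the install command so the script can be checked without network or root access. After the restart, svm status is the same check the verification step above describes.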

Refresh data after deployment of CloudLink Agent on Linux machines in Custom mode

About this task

For Linux machines, if the networking configuration is changed on the client after CloudLink Agent deployment, refresh the CloudLink Agent service.

Steps

Refresh the CloudLink Agent service from the machine CLI by entering the following command: svm refresh


CloudLink Agent for Microsoft SQL Server

If data drives that CloudLink Agent has encrypted on a Windows machine running Microsoft SQL Server are locked, SQL Server cannot load the database files on those data drives.

Using the svm commands listed below, you can make the SQL Server services dependent on CloudLink Agent so that their start is delayed until the data drive is available. After CloudLink Agent unlocks the encrypted data drive, the dependent SQL Server services can be started.

After CloudLink Agent is uninstalled, all dependent services revert to their previous state.

BitLocker auto-unlock feature

As an alternative to delaying the start of SQL Server services, you can use the auto-unlock feature to unlock data drives during the Windows boot process. To automatically enable auto-unlock, ensure that the boot drive is encrypted BEFORE you encrypt the data drive.

Dependencies of Microsoft SQL Server on CloudLink Agent

The svm commands, run from an elevated PowerShell or Command Prompt window, let you:

● Make the SQL Server service dependent on, or independent of, CloudLink Agent.

● Encrypt or decrypt the SQL Server data drive.

The commands are:

● To view the volume encryption status, run svm status.

● To encrypt a SQL Server data drive, run svm encrypt [volume_letter].

● To decrypt a SQL Server data drive, run svm decrypt [volume_letter].

● To set the SQL Server service to depend on CloudLink, run svm setdeps <Microsoft SQL Server service name>. For example, svm setdeps MSSQLServer.

● To view the list of services that depend on CloudLink, run svm showdeps.

● To remove the SQL Server service from the CloudLink dependency list, run svm cleardeps <Microsoft SQL Server service name>. For example, svm cleardeps MSSQLServer.

Deploy CloudLink Agent Azure extension using the Azure portal

Use the following procedure to install CloudLink Agent on a VM in the Azure Portal using an Azure VM extension.

Steps

1. In the Azure Portal, click Create a resource .

2. In the New blade, select your VM.

3. Follow the prompts to configure your VM until you get to the Guest config page.

4. From the Guest config page, click Select an extension to install .

5. From the extension list, select CloudLink SecureVM Agent .

6. Click Create .

7. In the CloudLink Center Address box, enter the CloudLink Center address in either the FQDN or IPv4 format.

This field is mandatory.

8. In the Machine Group Registration Code box, enter the machine group registration code to register the VM with that particular machine group.

This field is optional.


NOTE: If the machine group registration code is not specified, the VM registers with the default machine group in

CloudLink Center.

9. Click OK .

10. Continue to create your VM.

11. Wait for the VM to appear in the CloudLink Center Machines pane.

Results

After CloudLink Agent is installed:

● Check the Extensions settings of the VM in the Azure Portal to view the CloudLink Agent extension installation status, extension version, and other details.

● Log in to the VM to confirm successful installation.

Deploy CloudLink Agent Azure extension to a Windows machine using PowerShell

Use this procedure to install CloudLink Agent on a Windows machine that was deployed using the Azure Resource Manager.

Prerequisites

● Azure PowerShell must be installed on the system you are using to manage your Azure resources.

● The AzureRM module for PowerShell must be installed and loaded. The classic Azure module is also needed, because Add-AzureAccount and Get-AzureVMAvailableExtension in the steps below come from it.

Steps

1. Start PowerShell and log in to your Azure account with the following commands.

a. Enter the following command to log in to your Azure account: Login-AzureRmAccount

b. Enter your Azure account username and password when you are prompted.

c. Enter the following command to add your Azure account: Add-AzureAccount

d. Enter your Azure account username and password when you are prompted.

2. Enter the following commands to specify your Windows machine name, resource group, and location.

$vmname = "YourVMName"
$resourceGroup = "YourVMResourceGroup"
$location = "YourVMLocation"

Example:

$vmname = "Test-win-2012r2"
$resourceGroup = "Test-ResourceGroup"
$location = "East US"

3. Enter the following commands to specify the CloudLink Agent extension name, namespace, and version.

$extname = "CloudLinkSecureVMWindowsAgent"
$nameSpace = "CloudLinkEMC.SecureVM"
$extversion = (Get-AzureVMAvailableExtension -ExtensionName $extname).Version

4. Enter the following command to specify the CloudLink Center IP address and machine group registration code.

$SettingsString = '{"CloudLinkCenter" : "X.X.X.X", "GroupRegistrationCode" : "XXXX-XXXX"}'


NOTE: The GroupRegistrationCode parameter is optional. If it is not specified, the VM is registered to the default machine group in CloudLink Center.

Example:

$SettingsString = '{"CloudLinkCenter" : "192.168.1.1", "GroupRegistrationCode" : "53adcc66"}'

5. Enter the following command to add the CloudLink Agent extension to the Windows machine:

Set-AzureRmVMExtension -ResourceGroupName $resourceGroup -Location $location -VMName $vmname -Name $extname -Publisher $nameSpace -Type $extname -TypeHandlerVersion $extversion -SettingString $SettingsString

6. Wait for the Windows machine to appear in the CloudLink Center Machines pane.

Results

After CloudLink Agent is installed:

● To see the CloudLink Agent extension installation status, the extension version, and other details, click the Extension settings of the Windows machine in the Azure Portal .

● Log in to the Windows machine to confirm successful installation.

Deploy CloudLink Agent Azure extension to a Linux machine using PowerShell

Use this procedure to install CloudLink Agent on a Linux machine that was deployed using the Azure Resource Manager.

Prerequisites

● Azure PowerShell must be installed on the system you are using to manage your Azure resources.

● The AzureRM module for PowerShell must be installed and loaded. The classic Azure module is also needed, because Add-AzureAccount and Get-AzureVMAvailableExtension in the steps below come from it.

Steps

1. Start PowerShell and log in to your Azure account with the following commands.

a. Enter the following command to log in to your Azure account: Login-AzureRmAccount

b. Enter your Azure account username and password when you are prompted.

c. Enter the following command to add your Azure account: Add-AzureAccount

d. Enter your Azure account username and password when you are prompted.

2. Enter the following commands to specify your Linux machine name, resource group, and location.

$vmname = "YourVMName"
$resourceGroup = "YourVMResourceGroup"
$location = "YourVMLocation"

Example:

$vmname = "Test-rhel-7"
$resourceGroup = "Test-ResourceGroup"
$location = "East US"

3. Enter the following commands to specify the CloudLink Agent extension name, namespace, and version.

$extname = "CloudLinkSecureVMLinuxAgent"
$nameSpace = "CloudLinkEMC.SecureVM"
$extversion = (Get-AzureVMAvailableExtension -ExtensionName $extname).Version


4. Enter the following command to specify the CloudLink Center IP address and machine group registration code.

$SettingsString = '{"CloudLinkCenter" : "X.X.X.X", "GroupRegistrationCode" : "XXXX-XXXX"}'

NOTE: The GroupRegistrationCode parameter is optional. If it is not specified, the VM is registered to the default machine group in CloudLink Center.

Example:

$SettingsString = '{"CloudLinkCenter" : "192.168.1.1", "GroupRegistrationCode" : "53adcc66"}'

5. Enter the following command to add the CloudLink Agent extension to the Linux machine:

Set-AzureRmVMExtension -ResourceGroupName $resourceGroup -Location $location -VMName $vmname -Name $extname -Publisher $nameSpace -Type $extname -TypeHandlerVersion $extversion -SettingString $SettingsString

6. Wait for the Linux machine to appear in the CloudLink Center Machines pane.

Results

After CloudLink Agent is installed:

● To see the CloudLink Agent extension installation status, the extension version, and other details, click the Extension settings of the Linux machine in the Azure Portal .

● Log in to the Linux machine to confirm successful installation.


7 Deploy, install, and configure CloudLink Encryption for Containers

CloudLink Encryption for Containers enables you to encrypt shared volumes in a Kubernetes cluster. One CloudLink Center instance can support multiple Kubernetes clusters. Each Kubernetes cluster node can run multiple Encryption for Containers agents, one for each CSI driver.

Using the CloudLink Center web interface, you can add Kubernetes clusters on which you can deploy containerized applications.

CloudLink supports the following:

● Kubernetes version 1.20 and 1.21 (For CloudLink Center 7.1.3 and later versions)

● Kubernetes version 1.18 to 1.19 (For CloudLink Center 7.1)

● Kubernetes version 1.14 to 1.17 (For CloudLink Center 7.0)

● Tanzu Kubernetes version 1.1 or later

● OpenShift Cluster version 4.3 or later

● Storage types that support Container Storage Interface (CSI):

○ Generic NFS (Supports File Systems)

○ PowerScale 1.5.0 (Supports File Systems). The CSI specification versions supported by CloudLink when deployed on PowerScale: CloudLink 7.1–7.1.2 (CSI v1.2.0) and CloudLink 7.1.3 (CSI v1.5.0).

○ PowerFlex (Supports File Systems and Raw Block Volume provisioning). The CSI specification versions supported by CloudLink when deployed on PowerFlex: CloudLink 7.0 (CSI v1.1.3), CloudLink 7.1–7.1.2 (CSI v1.1.5), and CloudLink 7.1.3 (CSI v1.5.0).

○ PowerStore (Supports File Systems). The CSI specification versions supported by CloudLink when deployed on PowerStore: CloudLink 7.1.3 (CSI v2.0).

● FIPS validated dm-crypt crypto module for container block volume encryption

Topics:

Encryption for containers limitations

Encryption for containers configuration overview

Prerequisites to set up Encryption for containers on Kubernetes cluster

Prerequisites to set up Encryption for containers on Openshift Container Platform

Prerequisites to set up Encryption for containers on Tanzu Kubernetes

Create a Kubernetes cluster entry in CloudLink Center

Build docker images for the Kubernetes node and controller

Install containers

Create a Persistent Volume, Persistent Volume Claim and attach NFS volumes to workloads

Attach PowerFlex volumes to workloads

Create a Persistent Volume Claim and attach PowerScale volumes to workloads

Create a Persistent Volume Claim and attach PowerStore volumes to workloads

Encryption for containers limitations

This section provides information about the limitations for Encryption for containers.

● You cannot manually encrypt or decrypt volumes, or automatically decrypt volumes.

● If you need to save unencrypted data, copy the data from the encrypted volume to an unencrypted volume.

50 Deploy, install, and configure CloudLink Encryption for Containers

Encryption for containers configuration overview

This section provides information about the high-level configuration overview for Encryption for containers.

1. Deploy CloudLink Center.

2. Create a Kubernetes, Tanzu Kubernetes, or Openshift Container Platform cluster as per your requirement.

3. Add a Kubernetes cluster entry to CloudLink Center.

4. The cluster_name_secret.yaml file is downloaded to the Downloads folder.

5. Upload the cluster_name_secret.yaml file as a secret to the Kubernetes, Tanzu Kubernetes, or OpenShift cluster.

6. Build the node and controller Docker images using the Dockerfile in the Kubernetes node plug-in package.

7. Push the node and controller Docker images to the Docker registry.

8. Push the NFS plug-in image to the Docker registry. Ensure that you have the NFS plug-in image handy as per your requirement.

NOTE: Tanzu Kubernetes and Openshift Container Platform support only CSI driver for NFS.

9. Use Helm to deploy Encryption for containers in the Kubernetes, Tanzu Kubernetes, or Openshift Container Platform cluster.

10. Map the volumes to workloads.

11. Create workload container configuration files that reference the volume claims.

Prerequisites to set up Encryption for containers on Kubernetes cluster

The following prerequisites must be met before containers can be added to your Kubernetes cluster.

● Central NFS file sharing server is created with shared volumes.

● Kubernetes cluster is prepared to provision NFS, PowerFlex, or PowerScale volumes based on your requirement.

● A local or custom Docker Registry that is accessible from the remote servers that are used as hosts for Kubernetes.

● Kubernetes is installed at a version supported by your CloudLink Center release (see the supported versions at the beginning of this chapter).

● Kubernetes with a multinode cluster is configured.

● Kubectl is installed on a server with network access to the Kubernetes cluster.

● PowerFlex Storage Data Client (SDC) is installed on all Kubernetes worker nodes.

● Helm is installed on a server with network access to the Kubernetes cluster.

● Kubernetes nodes are prepared by deploying the sdp-runner daemon on all Kubernetes worker nodes. For instructions about deploying the sdp-runner daemon, see the README.md provided in the CloudLink Kubernetes Node Plug-in + Dockerfile in CloudLink Center.

● CloudLink Center is installed and configured.

● Encryption for Containers license is uploaded to CloudLink Center.

● A namespace is created, and the namespace value in the secret.yaml file is set to it.

● The secret.yaml file is applied, and the containers are deployed, in that namespace.

NFS plug-in information

For information about NFS plug-in image and enabling or disabling NFS plug-in deployment, see the values.yaml

configuration file that is packaged in the CloudLink Kubernetes Helm Package in CloudLink Center.

PowerFlex plug-in information

For information about PowerFlex plug-in image and enabling or disabling PowerFlex plug-in deployment, see the values.yaml

configuration file that is packaged in the CloudLink Kubernetes Helm Package in CloudLink Center.

PowerScale plug-in information

For information about PowerScale plug-in image and enabling or disabling PowerScale plug-in deployment, see the values.yaml

configuration file that is packaged in the CloudLink Kubernetes Helm Package in CloudLink Center.


Prerequisites to set up Encryption for containers on Openshift Container Platform

The following prerequisites must be met before containers are added to your Openshift Container Platform cluster.

● Central NFS file sharing server is created with shared volumes.

● Kubernetes cluster is prepared to provision NFS volumes based on your requirement.

● A local or custom Docker Registry that is accessible from the remote servers that are used as hosts for Openshift Container Platform. For more information about creating a docker registry, see Create a private docker registry with containerd.

● Openshift Container Platform 4.3 or later is installed.

● Openshift Container Platform 4.3 with a multinode cluster is configured.

● Helm is installed on a server with network access to the Openshift Container Platform cluster.

● An Openshift Container Platform cluster is set up by doing the following: 1) Setting up policies on the Bastion node to run pods on clusters. 2) Configuring the private registry on the Bastion node. 3) Manually configuring the private registry on the worker nodes. For information about performing these tasks, see the README.md file provided in the CloudLink Kubernetes Node Plug-in + Dockerfile in CloudLink Center.

● OpenShift nodes are prepared by running the sdp-runner daemon script on all the Openshift Container Platform worker nodes. For instructions about running the sdp-runner daemon, see the README.md file.

● CloudLink Center is deployed and configured.

● Encryption for Containers license is uploaded to CloudLink Center.

● A namespace is created, and the namespace value in the secret.yaml file is set to it.

● The secret.yaml file is applied, and the containers are deployed, in that namespace.

Prerequisites to set up Encryption for containers on Tanzu Kubernetes

The following prerequisites must be met before containers are added to your Tanzu Kubernetes cluster.

● Central NFS file sharing server is created with shared volumes.

● Kubernetes cluster is prepared to provision NFS volumes based on your requirement.

● A local or custom Docker Registry that is accessible from the remote servers that are used as hosts for Tanzu Kubernetes. For more information about creating a docker registry, see Create a private docker registry with containerd.

● Tanzu Kubernetes version 1.1 or later is installed.

● Tanzu Kubernetes with a multinode cluster is configured.

● Helm is installed on a server with network access to the Tanzu Kubernetes cluster.

● Tanzu Kubernetes nodes are prepared by deploying the sdp-runner daemon on all the Tanzu Kubernetes worker nodes. For instructions about deploying the sdp-runner daemon, see the README.md provided in the CloudLink Kubernetes Node Plug-in + Dockerfile in CloudLink Center.

● CloudLink Center is installed and configured.

● Encryption for Containers license is uploaded to CloudLink Center.

● A Tanzu cluster role is created and bound to a Pod Security Policy (PSP).

● A RoleBinding is created and bound to the Tanzu cluster role.

● A namespace is created, and the namespace value in the secret.yaml file is set to it.

● The secret.yaml file is applied, and the containers are deployed, in that namespace.

Create a private docker registry with containerd

This procedure explains how to create a private docker registry with containerd.

About this task

To create a private docker registry with containerd:


Steps

1. Log in to every worker node from the jump box.

2. In the /etc/containerd/config.toml configuration file, add the following entry under the [plugins.cri.registry.mirrors] section:

[plugins.cri.registry.mirrors."<private-registry-name>:<port>"]
  endpoint = ["https://<private-registry-name>:<port>"]

These are the config-version-1 key names. On a containerd installation whose config.toml declares version = 2, the equivalent table is [plugins."io.containerd.grpc.v1.cri".registry.mirrors."<private-registry-name>:<port>"]. Because the endpoint is https, the node must trust the certificate of the private registry: add the registry's CA through the ca_file setting of its tls configuration rather than turning off certificate verification.

3. Restart the containerd service, and the docker service if the node runs it, using the following commands:

systemctl restart containerd

systemctl restart docker

Results

When you run the Helm charts, the worker nodes pull the images through the private registry mirror and the Kubernetes pods come up.
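As an added example (not Dell's code), the script below applies the step 2 mirror entry to a worker node's config.toml without duplicating it on a rerun, and restarts the runtime as in step 3. The configuration file path, registry host and port are parameters; the demo at the end works on a temporary file with a constructed registry name, so it runs without root. The key names are the config-version-1 names shown above.

```bash
#!/bin/sh
# Added example (not Dell's code): add the private-registry mirror entry from
# step 2 to a worker node's /etc/containerd/config.toml idempotently, then
# restart the runtime as in step 3. CONFIG_FILE, HOST and PORT are parameters;
# the demo below uses a temporary file and a constructed registry name.
# The keys are the config-version-1 keys the page shows; with config version 2
# the same entry lives under
# [plugins."io.containerd.grpc.v1.cri".registry.mirrors."HOST:PORT"].

# has_registry_mirror CONFIG_FILE HOST PORT -> 0 if the entry already exists
has_registry_mirror() {
    grep -Fq -- "[plugins.cri.registry.mirrors.\"$2:$3\"]" "$1" 2>/dev/null
}

# add_registry_mirror CONFIG_FILE HOST PORT
# Appends the mirror table unless an entry for HOST:PORT is already present.
add_registry_mirror() {
    cfg=$1; host=$2; port=$3
    key="[plugins.cri.registry.mirrors.\"$host:$port\"]"
    if has_registry_mirror "$cfg" "$host" "$port"; then
        echo "mirror $host:$port already configured in $cfg"
        return 0
    fi
    # Parent table once, as the page places the entry "under" it.
    grep -Fq -- '[plugins.cri.registry.mirrors]' "$cfg" 2>/dev/null \
        || printf '\n[plugins.cri.registry.mirrors]\n' >> "$cfg"
    # The endpoint is https: the node must trust the registry certificate
    # (tls.ca_file under [plugins.cri.registry.configs."HOST:PORT".tls]),
    # not insecure_skip_verify.
    printf '%s\n  endpoint = ["https://%s:%s"]\n' "$key" "$host" "$port" >> "$cfg"
    echo "added mirror $host:$port to $cfg"
}

# restart_runtime: step 3; restart docker only where that unit exists.
restart_runtime() {
    systemctl restart containerd || return 1
    if systemctl cat docker.service >/dev/null 2>&1; then
        systemctl restart docker || return 1
    fi
}

# Demo on a temporary file (constructed registry name and port).
demo_cfg=$(mktemp)
add_registry_mirror "$demo_cfg" registry.example.internal 5000
add_registry_mirror "$demo_cfg" registry.example.internal 5000   # no-op on rerun
cat "$demo_cfg"
rm -f "$demo_cfg"
# add_registry_mirror /etc/containerd/config.toml registry.example.internal 5000 && restart_runtime
```

The check before appending is what makes the script safe to run from a configuration-management loop on every worker node: a second run leaves config.toml unchanged.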

Create a Kubernetes cluster entry in CloudLink Center

Use this procedure to create a Kubernetes cluster entry in CloudLink Center.

Steps

1. Log in to CloudLink Center.

2. Click Containers > Kubernetes Clusters .

3. Click Add to add a new cluster.

The cluster_name_secret.yaml file is downloaded to your Downloads folder.

4. Save the secret.yaml file.

Build docker images for the Kubernetes node and controller

Use this procedure to build docker images for the Kubernetes node and controller.

Prerequisites

Create a Kubernetes cluster entry in CloudLink Center. For more information, see Create a Kubernetes cluster entry in CloudLink Center.


Steps

1. Log in to the machine that has access to the local Docker Registry server .

2. Run the following command to download the Kubernetes Controller and Node plug-in from CloudLink Center: wget https://<clc_address>/cloudlink/kubernetes/sdp/nodeplugin/latest --no-check-certificate

--no-check-certificate turns off verification of the CloudLink Center certificate. If you can obtain the CA certificate that signed it, use --ca-certificate=<ca_file> instead, so that the plug-in source you are about to build into images cannot be substituted in transit.

3. Run the following commands to extract the tar file and change to the directory that contains the Dockerfile:

tar xvzf <filename>

where <filename> is cloudlink-sdp-node-plugin-7.1.tgz or later.

cd cloudlink-sdp-node-plugin-7.1

4. Run the following commands to build the Kubernetes Node and Controller images. The period at the end of each command is required; it is the build context.

docker build -t <registry_name>:443/sdp-node:v0.1.0 .

docker build -t <registry_name>:443/sdp-controller:v0.1.0 .

5. Run the following commands to push the Node and Controller images to the registry:

docker push <registry_name>:443/sdp-node:v0.1.0

docker push <registry_name>:443/sdp-controller:v0.1.0

Install containers

The following procedure explains how to install containers.

Prerequisites

● Create a Kubernetes cluster entry in CloudLink Center. For more information, see Create a Kubernetes cluster entry in CloudLink Center.

● Build docker images for the containers node and controller. For more information, see Build docker images for the Kubernetes node and controller.

● To use CloudLink Center High Availability (HA), configure and list all the cluster member nodes in the values.yaml configuration file.


Steps

1. Open the secret.yaml file that is downloaded from CloudLink Center and change the namespace value to the namespace that you created. You can also use a namespace that Kubernetes already uses, such as kube-system, but it is recommended to use the namespace that you create.

2. Provide the CloudLink Center IP address under clcNodes in the default values.yaml configuration file to connect to CloudLink Center.

3. Copy the secret.yaml file to the server running kubectl.

4. Log in to the server running kubectl.

5. Run the following command to apply the secret to the planned namespace: kubectl apply -f secret.yaml -n <user defined namespace>

The secret now appears in the Secrets listing in Kubernetes for the namespace named in the secret.yaml file.

6. Log in to the server running Helm.

7. Download the CloudLink Kubernetes Helm Package from CloudLink Center and extract the default values.yaml file from the Helm package.

8. Open the default values.yaml file, and modify the CloudLink NFS, PowerFlex, PowerScale, or PowerStore plug-in image values as required. For the node and controller images, use the exact name:tag that you pushed in Build docker images for the Kubernetes node and controller (for example, <registry_name>:443/sdp-node:v0.1.0); the names below are illustrative.

● Modify the NFS and node plug-in image values as follows:

a. Modify the image value in the cloudlink-sdp-nfs section to reference the nfsplugin image pushed to the local Docker registry. For example: image: <local-registry>:443/nfsplugin

b. Modify the image line for cloudlink-sdp-node to reference the local Docker registry. For example: image: "<local-registry>:443/cloudlink-sdp-node"

c. Modify the image line for cloudlink-sdp-controller to reference the local Docker registry. For example: image: "<local-registry>:443/cloudlink-sdp-controller"

● Modify the PowerFlex and node plug-in image values as follows:

a. Modify the image value if you have a later version of the PowerFlex CSI driver. For example: image: dellemc/csi-vxflexos:v1.1.3

b. Modify the image line for cloudlink-sdp-node to reference the local Docker registry. For example: image: "<local-registry>:443/cloudlink-sdp-node"

c. Modify the image line for cloudlink-sdp-controller to reference the local Docker registry. For example: image: "<local-registry>:443/cloudlink-sdp-controller"

● Modify the PowerScale and node plug-in image values as follows:

a. Modify the image value if you have a later version of the PowerScale CSI driver. For example: image: dellemc/csi-isilon:v1.2.0

b. Modify the image line for cloudlink-sdp-node to reference the local Docker registry. For example: image: "<local-registry>:443/cloudlink-sdp-node"

c. Modify the image line for cloudlink-sdp-controller to reference the local Docker registry. For example: image: "<local-registry>:443/cloudlink-sdp-controller"

● Modify the PowerStore and node plug-in image values as follows:

a. Modify the image value if you have a later version of the PowerStore CSI driver. For example: image: dellemc/csi-powerstore:v2.0.0

b. Modify the image line for cloudlink-sdp-node to reference the local Docker registry. For example: image: "<local-registry>:443/cloudlink-sdp-node"

c. Modify the image line for cloudlink-sdp-controller to reference the local Docker registry. For example: image: "<local-registry>:443/cloudlink-sdp-controller"

9. Run the following command to install the containers using Helm:

helm install --namespace isilon-old -f cloudlink713values.yaml demo https://<clc_address>/cloudlink/kubernetes/sdp/helm/cloudlink-sdp-helm-7.1.7.tgz --insecure-skip-tls-verify

NOTE: The --insecure-skip-tls-verify option makes Helm skip verification of the CloudLink Center TLS certificate while it downloads the chart, so anyone on the network path could substitute a different chart. Prefer omitting the option and passing --ca-file <ca-bundle> with the CA certificate that signed the CloudLink Center certificate; use --insecure-skip-tls-verify only on a trusted network.

10. Wait until Kubernetes and CloudLink entries are created.

Results

Helm creates Kubernetes pods that are related to containers in the provided namespace.

In CloudLink Center, new entries are displayed under Containers > Kubernetes Nodes.
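The following script is an added example and is not part of the Dell guide or the CloudLink Helm chart. It automates step 8 for an air-gapped deployment: it rewrites every image: line whose image name starts with cloudlink-sdp- or nfsplugin so that it pulls from the local registry, and then checks the edited file for two mistakes that otherwise surface only after helm install (an image still pointing at a public registry, and an empty clcNodes list). The layout of the embedded values.yaml excerpt is an assumption made for the example; the real chart may nest these keys differently, so adapt the key names before using it.

```python
import re

# Added example, not part of the Dell guide or the CloudLink Helm chart: rewrite the
# image references in values.yaml for an air-gapped deployment, then check the result.
# Matches lines such as:   image: nfsplugin   or   image: "<local-registry>:443/cloudlink-sdp-node"
IMAGE_RE = re.compile(r'^(?P<indent>\s*)image:\s*"?(?P<ref>[^"\s]+)"?\s*$')


def retarget_images(values_text, registry, name_prefixes=("cloudlink-sdp-", "nfsplugin")):
    """Point every image whose name (last path segment) starts with one of name_prefixes
    at `registry`; other images (for example the public dellemc/csi-* drivers) are left alone."""
    out = []
    for line in values_text.splitlines():
        m = IMAGE_RE.match(line)
        if m:
            name = m.group("ref").rsplit("/", 1)[-1]      # strip any existing registry/namespace
            if name.startswith(name_prefixes):
                line = f'{m.group("indent")}image: "{registry}/{name}"'
        out.append(line)
    return "\n".join(out) + "\n"


def check_values(values_text, registry):
    """Return warnings for images that will not be pulled from `registry` and for an empty
    clcNodes list. clcNodes is assumed to be written in block style (one '- address' per line)."""
    warnings, in_clc, clc_nodes = [], False, 0
    for line in values_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("clcNodes:"):
            in_clc = True
            continue
        if in_clc and stripped.startswith("- "):
            clc_nodes += 1
            continue
        in_clc = in_clc and not stripped          # a new key ends the list; a blank line does not
        m = IMAGE_RE.match(line)
        if m and not m.group("ref").startswith(registry + "/"):
            warnings.append(f"{m.group('ref')} is not served from {registry}")
    if clc_nodes == 0:
        warnings.append("clcNodes is empty: the plug-in has no CloudLink Center to connect to")
    return warnings


# Constructed values.yaml excerpt; the key layout is an assumption for this example.
SAMPLE_VALUES = """\
clcNodes:
  - 10.0.0.5
cloudlink-sdp-nfs:
  image: nfsplugin
cloudlink-sdp-node:
  image: "cloudlink-sdp-node"
cloudlink-sdp-controller:
  image: "cloudlink-sdp-controller"
csi-vxflexos:
  image: dellemc/csi-vxflexos:v1.1.3
"""

if __name__ == "__main__":
    edited = retarget_images(SAMPLE_VALUES, "registry.example.internal:443")
    print(edited)
    for warning in check_values(edited, "registry.example.internal:443"):
        print("WARNING:", warning)
```

Run it against the extracted values.yaml and treat every warning as a blocker before step 9: on an air-gapped cluster the dellemc/csi-* driver image that check_values flags must also be mirrored and retargeted (add "csi-" to name_prefixes), otherwise the pods end in ImagePullBackOff, which is the last item in the Troubleshooting chapter.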

Create a Persistent Volume, Persistent Volume Claim and attach NFS volumes to workloads

The following procedure explains how to create a Persistent Volume (PV) and a Persistent Volume Claim (PVC), and how to attach NFS volumes to workloads.

Prerequisites

● A Kubernetes cluster entry is created in CloudLink Center. For more information, see Create a Kubernetes cluster entry in CloudLink Center.

● Docker images are built for the containers node and controller. For more information, see Build docker images for containers node and controller.

● Containers are installed. For more information, see Install containers.


Steps

1. Create a Persistent Volume (PV) and a Persistent Volume Claim (PVC) in Kubernetes.

Following is the sample PV file:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: encrypted-shareswag
  labels:
    name: encrypted-shareswag
spec:
  accessModes:
    - ReadWriteMany
  capacity:
    storage: 4Gi
  csi:
    driver: csi-sdp-nfsplugin
    volumeHandle: data-ab1
    volumeAttributes:
      server: 100.101.10.155
      share: /mnt/nfs_share

Following is the sample PVC file. Its kind is PersistentVolumeClaim, and the selector binds the claim to the PV above through the PV's name label:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: encrypted-shareswag
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 4Gi
  selector:
    matchExpressions:
      - key: name
        operator: In
        values: ["encrypted-shareswag"]

2. Attach the NFS volume to the workload.

Following is the sample workload file. The claimName must match the name of the PVC created in step 1, and the workload must be in the same namespace as the PVC:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy-u18enc4
spec:
  selector:
    matchLabels:
      app: ubuntu
  replicas: 3
  template:
    metadata:
      labels:
        app: ubuntu
    spec:
      containers:
        - image: ubuntu:18.04
          command: [ "/bin/bash", "-c", "while true; do sleep 1; done" ]
          name: ubuntu
          volumeMounts:
            - mountPath: /encrypted4
              name: encrypted-share4
      volumes:
        - name: encrypted-share4
          persistentVolumeClaim:
            claimName: encrypted-shareswag


Attach PowerFlex volumes to workloads

You can attach PowerFlex volumes to workloads using the following provisioning methods:

● File System provisioning

● Raw Block Volume provisioning

Create a Persistent Volume Claim and attach PowerFlex volumes to workloads using File System

The following procedure explains how to create a PVC and attach PowerFlex volumes to workloads using File System provisioning.

Prerequisites

● A Kubernetes cluster entry is created in CloudLink Center. For more information, see Create a Kubernetes cluster entry in CloudLink Center.

● Docker images are built for the containers node and controller. For more information, see Build docker images for containers node and controller.

● Containers are installed. For more information, see Install containers.

About this task

Encryption for Containers also supports volume snapshots, which requires snapshot support in the underlying CSI driver.

Steps

1. Create a PVC in Kubernetes.

Following is the sample PVC file (the kind is PersistentVolumeClaim; the volume itself is provisioned dynamically through the sdp-vxflexos storage class):

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data-proxy-vxflexos
spec:
  accessModes:
    - ReadWriteOnce
  volumeMode: Filesystem
  resources:
    requests:
      storage: 100Gi
  storageClassName: sdp-vxflexos

2. Attach the PowerFlex volumes to the workload.

Following is the sample workload file:

apiVersion: v1
kind: Pod
metadata:
  name: demo-app
spec:
  containers:
    - image: ubuntu:18.04
      imagePullPolicy: IfNotPresent
      name: demo-app
      command: [ "/bin/sh" ]
      args: [ "-c", "while true; do sleep 1; done" ]
      volumeMounts:
        - mountPath: /mnt/vol0
          name: vol0
  volumes:
    - name: vol0
      persistentVolumeClaim:
        claimName: data-proxy-vxflexos


Create a Persistent Volume Claim and attach PowerFlex volumes to workloads using Raw Block Volume

The following procedure explains how to create a PVC and attach PowerFlex volumes to workloads using Raw Block Volume provisioning.

Prerequisites

● A Kubernetes cluster entry is created in CloudLink Center. For more information, see Create a Kubernetes cluster entry in CloudLink Center.

● Docker images are built for the containers node and controller. For more information, see Build docker images for containers node and controller.

● Containers are installed. For more information, see Install containers.

About this task

Encryption for Containers also supports volume snapshots, which requires snapshot support in the underlying CSI driver.

Steps

1. Create a PVC in Kubernetes.

Following is the sample PVC file (the kind is PersistentVolumeClaim, and volumeMode: Block requests a raw block device instead of a mounted file system):

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: rbv
spec:
  accessModes:
    - ReadWriteOnce
  volumeMode: Block
  resources:
    requests:
      storage: 100Gi
  storageClassName: sdp-vxflexos

2. Attach the PowerFlex volumes to the workload.

Following is the sample workload file. A raw block volume is attached with volumeDevices rather than volumeMounts:

apiVersion: v1
kind: Pod
metadata:
  name: rbv-demo
spec:
  containers:
    - image: centos
      imagePullPolicy: IfNotPresent
      name: demo-app2
      command: [ "/bin/sh" ]
      args: [ "-c", "while true; do sleep 1; done" ]
      volumeDevices:
        - devicePath: /dev/sdb
          name: vol-rbv
  volumes:
    - name: vol-rbv
      persistentVolumeClaim:
        claimName: rbv


Create a Persistent Volume Claim and attach PowerScale volumes to workloads

The following procedure explains how to create a PVC and attach PowerScale volumes to workloads.

Prerequisites

● A Kubernetes cluster entry is created in CloudLink Center. For more information, see Create a Kubernetes cluster entry in CloudLink Center.

● Docker images are built for the containers node and controller. For more information, see Build docker images for containers node and controller.

● Containers are installed. For more information, see Install containers.

Steps

1. Create a PVC in Kubernetes.

Following is the sample PVC file:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data-proxy-isilon
spec:
  accessModes:
    - ReadWriteOnce
  volumeMode: Filesystem
  resources:
    requests:
      storage: 100Gi
  storageClassName: sdp-isilon

2. Attach the PowerScale volumes to the workload.

Following is the sample workload file:

apiVersion: v1
kind: Pod
metadata:
  name: demo-app-is
spec:
  containers:
    - image: ubuntu:18.04
      imagePullPolicy: IfNotPresent
      name: demo-app
      command: [ "/bin/sh" ]
      args: [ "-c", "while true; do sleep 1; done" ]
      volumeMounts:
        - mountPath: /mnt/vol0
          name: vol0
  volumes:
    - name: vol0
      persistentVolumeClaim:
        claimName: data-proxy-isilon


Create a Persistent Volume Claim and attach PowerStore volumes to workloads

The following procedure explains how to create a PVC and attach PowerStore volumes to workloads.

Prerequisites

● A Kubernetes cluster entry is created in CloudLink Center. For more information, see Create a Kubernetes cluster entry in CloudLink Center.

● Docker images are built for the containers node and controller. For more information, see Build docker images for containers node and controller.

● Containers are installed. For more information, see Install containers.

Steps

1. Create a PVC in Kubernetes.

Following is the sample PVC file:

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: p-vol0
  namespace: default
spec:
  accessModes:
    - ReadWriteMany
  volumeMode: Filesystem
  resources:
    requests:
      storage: 8Gi
  storageClassName: sdp-powerstore-nfs

2. Attach the PowerStore volumes to the workload.

Following is the sample workload file. A pod can only claim a PVC from its own namespace, so the pod is created in the same namespace (default) as the PVC from step 1:

apiVersion: v1
kind: Pod
metadata:
  name: nfspod1
  namespace: default
spec:
  containers:
    - name: task-pv-container
      image: doc-registry:443/nginx_image:latest
      ports:
        - containerPort: 80
      volumeMounts:
        - mountPath: "/usr/share/nginx/html"
          name: nov-eleventh-1-pv-storage
  volumes:
    - name: nov-eleventh-1-pv-storage
      persistentVolumeClaim:
        claimName: p-vol0
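The following script is an added example, not code from the Dell guide. It checks a set of PV, PVC, and workload manifests (as the Python dicts that yaml.safe_load_all() returns for them) for the mistakes that are easiest to make when adapting the samples in this PowerStore procedure and in the NFS, PowerFlex, and PowerScale procedures above: a PVC saved with kind PersistentVolume, a workload whose claimName matches no PVC in its own namespace, a PVC selector that no PV satisfies, and a raw-block PVC attached with volumeMounts instead of volumeDevices. The sample manifests are constructed inline, so the script runs offline.

```python
# Added example, not from the Dell guide: a pre-apply consistency check for the
# PV / PVC / workload manifests used with the CloudLink CSI drivers.
# Manifests are the dicts yaml.safe_load_all() would return; the samples below
# are constructed inline so the script runs offline.

WORKLOAD_KINDS = ("Pod", "Deployment", "StatefulSet", "DaemonSet")


def _meta(doc, key, default=None):
    return doc.get("metadata", {}).get(key, default)


def _pod_spec(doc):
    """A Pod carries its spec directly; controllers wrap it in spec.template."""
    spec = doc.get("spec", {})
    return spec if doc.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})


def lint_manifests(docs):
    """Return a list of problems; an empty list means the manifest set is consistent."""
    problems, pv_labels, pvcs = [], {}, {}

    # Pass 1: index PVs and PVCs, and catch a PVC saved with kind PersistentVolume (or the
    # reverse) by the spec fields that only the other kind carries.
    for doc in docs:
        kind, name, spec = doc.get("kind"), _meta(doc, "name"), doc.get("spec", {})
        if kind == "PersistentVolume":
            pv_labels[name] = _meta(doc, "labels", {})
            if "resources" in spec:
                problems.append(f"PersistentVolume {name}: spec.resources belongs to a "
                                "PersistentVolumeClaim (wrong kind?)")
        elif kind == "PersistentVolumeClaim":
            ns = _meta(doc, "namespace", "default")
            pvcs[(ns, name)] = spec
            if "capacity" in spec or "csi" in spec:
                problems.append(f"PersistentVolumeClaim {ns}/{name}: spec.capacity or spec.csi "
                                "belongs to a PersistentVolume (wrong kind?)")

    # Pass 2: a PVC that selects a statically provisioned PV by label needs a PV to bind to.
    for (ns, name), spec in pvcs.items():
        for expr in spec.get("selector", {}).get("matchExpressions", []):
            if expr.get("operator") == "In" and not any(
                    labels.get(expr["key"]) in expr["values"] for labels in pv_labels.values()):
                problems.append(f"PersistentVolumeClaim {ns}/{name}: no PersistentVolume has "
                                f"label {expr['key']} in {expr['values']}")

    # Pass 3: a workload must claim a PVC from its own namespace and attach it the way the
    # PVC's volumeMode requires: volumeMounts for Filesystem, volumeDevices for Block.
    for doc in docs:
        if doc.get("kind") not in WORKLOAD_KINDS:
            continue
        ns = _meta(doc, "namespace", "default")
        who = f"{doc['kind']} {ns}/{_meta(doc, 'name')}"
        pod, mode = _pod_spec(doc), {}          # mode: volume name -> PVC volumeMode
        for vol in pod.get("volumes", []):
            claim = vol.get("persistentVolumeClaim", {}).get("claimName")
            if claim is None:
                continue
            pvc = pvcs.get((ns, claim))
            if pvc is None:
                problems.append(f"{who}: volume {vol['name']} claims PVC {claim}, which does "
                                f"not exist in namespace {ns}")
            else:
                mode[vol["name"]] = pvc.get("volumeMode", "Filesystem")
        for c in pod.get("containers", []):
            for m in c.get("volumeMounts", []):
                if mode.get(m["name"]) == "Block":
                    problems.append(f"{who}: container {c['name']} mounts Block volume "
                                    f"{m['name']} with volumeMounts; use volumeDevices")
            for d in c.get("volumeDevices", []):
                if mode.get(d["name"], "Block") != "Block":
                    problems.append(f"{who}: container {c['name']} attaches Filesystem volume "
                                    f"{d['name']} with volumeDevices; use volumeMounts")
    return problems


# Constructed sample manifests, shaped like the guide's samples.
def make_pvc(name, ns="default", mode="Filesystem", **extra):
    return {"kind": "PersistentVolumeClaim", "metadata": {"name": name, "namespace": ns},
            "spec": {"accessModes": ["ReadWriteOnce"], "volumeMode": mode,
                     "resources": {"requests": {"storage": "8Gi"}}, **extra}}


def make_pod(name, ns, claim, block=False):
    attach = ({"volumeDevices": [{"devicePath": "/dev/sdb", "name": "vol0"}]} if block
              else {"volumeMounts": [{"mountPath": "/mnt/vol0", "name": "vol0"}]})
    return {"kind": "Pod", "metadata": {"name": name, "namespace": ns},
            "spec": {"containers": [{"name": name, "image": "ubuntu:18.04", **attach}],
                     "volumes": [{"name": "vol0", "persistentVolumeClaim": {"claimName": claim}}]}}


NFS_PV = {"kind": "PersistentVolume",
          "metadata": {"name": "encrypted-shareswag", "labels": {"name": "encrypted-shareswag"}},
          "spec": {"accessModes": ["ReadWriteMany"], "capacity": {"storage": "4Gi"},
                   "csi": {"driver": "csi-sdp-nfsplugin", "volumeHandle": "data-ab1"}}}
NFS_PVC = make_pvc("encrypted-shareswag", selector={"matchExpressions": [
    {"key": "name", "operator": "In", "values": ["encrypted-shareswag"]}]})

# Consistent set: the NFS PV/PVC pair plus a raw-block PVC attached through volumeDevices.
GOOD_SET = [NFS_PV, NFS_PVC, make_pod("nfs-app", "default", "encrypted-shareswag"),
            make_pvc("rbv", mode="Block"), make_pod("rbv-demo", "default", "rbv", block=True)]

# Four copy-and-paste mistakes: a PVC saved with kind PersistentVolume (and the pod that
# claims it), a pod in a different namespace from its PVC, and a Block PVC attached with volumeMounts.
BAD_SET = [dict(make_pvc("data-proxy-vxflexos"), kind="PersistentVolume"),
           make_pod("demo-app", "default", "data-proxy-vxflexos"),
           make_pvc("p-vol0", ns="default"), make_pod("nfspod1", "test", "p-vol0"),
           make_pvc("rbv", mode="Block"), make_pod("rbv-wrong", "default", "rbv")]

if __name__ == "__main__":
    for problem in lint_manifests(BAD_SET):
        print(problem)
```

Run it over the output of yaml.safe_load_all() for your manifest files before kubectl apply; a wrong kind or a dangling claimName is otherwise only reported by a pod stuck in Pending, after the CSI driver and CloudLink Center have already been involved.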


8

Using PowerFlex devices

This chapter presents the following topics:

Topics:

Requirements to encrypt PowerFlex devices

Encrypt a new PowerFlex device

Encrypt an existing PowerFlex device

Manage PowerFlex devices from the command line

Requirements to encrypt PowerFlex devices

This topic provides information about the requirements to encrypt PowerFlex devices.

NOTE: The device mapping name changes after the device is encrypted.

Encrypt a new PowerFlex device

The following procedure explains how to encrypt a new PowerFlex device.

About this task

The Linux virtual machine must have CloudLink Agent installed, and it must be registered with CloudLink Center.

Steps

1. In CloudLink Center, click Agents > Machines .

2. Select the Linux virtual machine that you want to add to PowerFlex.

3. Encrypt the raw device.

4. Copy the encrypted device name.


For example, /dev/mapper/svm_sdb.

5. Start the PowerFlex UI.

6. Right-click the target PowerFlex Storage Data Server, and then select Add Device .

7. Type or paste the device name and click OK .

PowerFlex begins a rebalance operation and adds the device.

When the device is added to PowerFlex, CloudLink Center detects the PowerFlex Storage Data Server (SDS) device header, and the device type is changed to SDS. You can also use the PowerFlex CLI tools or REST APIs to add the device to the pool.

Encrypt an existing PowerFlex device

About this task

You can encrypt devices that are already attached to PowerFlex. First remove the device using the PowerFlex Storage Data Server (SDS) UI or the CLI on the Metadata Manager (MDM) server.

NOTE: A rebalance operation occurs when the device is added back, because all data on the device is erased as part of the encryption process.

Steps

1. Using the PowerFlex UI, remove the device from PowerFlex.

2. Wait until the device is removed from PowerFlex.

The device type is changed to an unencrypted raw device in CloudLink Center.

3. In CloudLink Center, click Agents > Machines .

4. Select the device that you want to encrypt.

5. In the Actions menu, select Encrypt .

CloudLink Center encrypts the device.

6. Copy the encrypted device name.

For example, /dev/mapper/svm_sdb

7. Start the PowerFlex UI.

8. Right-click the target SDS, and then select Add Device .

9. Type or paste the device name, and then click OK .

PowerFlex begins a rebalancing operation and adds the device.

Manage PowerFlex devices from the command line

Run the following commands to manage PowerFlex devices from the CLI.

● Enter the following command to log in to the MDM:

scli --login --username=admin

● Enter the following command to encrypt a PowerFlex device:

svm encrypt /dev/sdX

where X is the device letter.

● Enter the following command to erase a PowerFlex device (this destroys all data on the device):

svm erase /dev/sdX

where X is the device letter.

● Enter the following command to add a device to the SDS:

scli --add_sds_device --storage_pool_name <EX-POOL-NAME> --sds_name <EX-SDS-NAME> --device_path /dev/mapper/svm_sdX --device_name svm_sdX

where EX-POOL-NAME and EX-SDS-NAME are your storage pool and SDS names, and X is the device letter. EX-SDS-NAME can also be an IP address.


9

Uninstall CloudLink Agent

This chapter describes the procedures to uninstall CloudLink Agent on Windows, and Linux machines.

If you are uninstalling the SDS package from the PowerFlex Storage Data Server, it is recommended to uninstall the CloudLink Agent first. For more information, see the "Erase a PowerFlex SDS device" section in the Dell CloudLink Administration Guide.

Topics:

Uninstall CloudLink Agent on Windows

Uninstall CloudLink Agent on Linux

Uninstall CloudLink Agent on Windows

Use this procedure to uninstall CloudLink Agent on Windows.

Steps

1. Decrypt any encrypted volumes on the machine.

2. Use the Msiexec.exe tool to uninstall the application.

If you installed CloudLink Agent using Azure VM Extensions through PowerShell, uninstall CloudLink Agent using PowerShell.

Uninstall CloudLink Agent on Linux

Use this procedure to uninstall CloudLink Agent on Linux.

Steps

1. Decrypt any encrypted volumes on the machine.

2. Enter the following command: svm uninstall

3. If you installed CloudLink Agent using Azure VM Extensions through PowerShell, remove CloudLink Agent using PowerShell.


10

Troubleshooting

Topics:

CloudLink installation problems and workarounds

CloudLink Agent installation problems and workarounds

Encryption for Containers problems and workarounds

CloudLink installation problems and workarounds

This topic describes the CloudLink installation problems and possible workarounds.

CloudLink Azure extension is uninstalled, but CloudLink Agent software is not uninstalled

Description: If you uninstall the CloudLink Azure Extension from a machine that has encrypted volumes, the CloudLink Azure Extension is uninstalled, but the CloudLink Agent software is not.

Workaround: Decrypt the encrypted volumes before uninstalling the CloudLink Azure extension.

DNS configuration is lost after you restore CloudLink Center from a backup file

Description: If you restore CloudLink Center from a backup file, the DNS configuration may be lost.

Workaround: Add the DNS configuration manually if it is missing in CloudLink Center.

CloudLink Center fails to obtain an IP address from DHCP

Description: CloudLink Center may fail to obtain an IP address from DHCP.

Workaround: This issue does not occur frequently. If it occurs, select Network Reconfigure from the CloudLink Center console to acquire a new IP address.

If a CloudLink Center instance with dual NICs is restarted, the default gateway moves to the secondary NIC

Description: If a CloudLink Center instance with dual NICs that both use DHCP for IPv4 is restarted, the default gateway may move to the secondary NIC.

Workaround: Do not use DHCP for IPv4 on both NICs.


CloudLink Agent installation problems and workarounds

This topic describes the known CloudLink Agent installation problems and limitations, and possible workarounds.

VM experiences a system failure during startup

Description: If the Active Directory Domain Services database, log files, and SYSVOL files are on an encrypted data volume, the machine experiences a system failure during startup.

Workaround: Ensure that the Active Directory Domain Services database, log files, and SYSVOL files are on the boot volume.

Windows machine fails to reboot

Description: A Windows machine fails to reboot when it uses the EFI bootloader and is connected to CloudLink Center through the secondary NIC in a two-adapter configuration.

Workaround: Use the primary NIC to connect to CloudLink Center.

CloudLink Agent is installed but fails to register with CloudLink Center

Description: If you mistyped the Machine Group Registration Code parameter during CloudLink Agent Azure Extension installation on a Linux VM, the CloudLink Agent is installed but fails to register with CloudLink Center.

Workaround: Uninstall the CloudLink Agent Azure Extension, and then install it again using the correct set of parameters.

Encryption for Containers problems and workarounds

This topic describes the known Encryption for Containers problems and limitations, and possible workarounds.

Invalid CloudLink Center address list or inaccessible addresses are displayed

Description: The proxy logs (for example, kubectl -n sdp logs demo-cloudlink-sdp-nfs-encrypted-2lg4z) display an invalid CloudLink Center address list or inaccessible addresses.

Workaround: Verify that the secret for the corresponding cluster, as created in CloudLink Center, is applied to the Kubernetes cluster.

Container pods stop functioning

Description: The container pods stop functioning and display the error message /var/lib/kubelet/plugins/csi-sdpvxflexos/csi-vxflexos.sock is already in use.

Workaround: Delete the socket file /var/lib/kubelet/plugins/csi-sdpvxflexos/csi-vxflexos.sock on each worker node.


Encryption for Containers logs display a "driver is not authenticated" error message for PowerFlex

Description: The driver logs (kubectl logs -n vxflexos demo-cloudlink-sdp-vxflexos-encrypted-ctl-0) display the "driver is not authenticated" error message for PowerFlex.

Workaround: Verify the following for the PowerFlex system:

● Username

● Password

● Gateway IP address

Encryption for Containers driver logs display a driver error message

Description: The driver logs (kubectl logs -n Isilon demo-cloudlink-sdp-isilon-encrypted-ctl-0) display the "Create volume failed, access denied. Create directory as requested" error message. This occurs when the user who created the base path is different from the user who configured the driver.

Workaround: Ensure that the user who deploys the driver has sufficient rights on the base path (isiPath) to perform the required operations.

Encryption for Containers logs display a "driver is not authenticated" error message for PowerScale

Description: The driver logs (kubectl logs -n Isilon demo-cloudlink-sdp-isilon-encrypted-ctl-0) display the "driver is not authenticated" error message.

Workaround: Verify the username and password in the secret for the corresponding cluster.

Pod status in kubectl is ImagePullBackOff instead of Running

Description: The pod status in kubectl is ImagePullBackOff instead of Running. This occurs if the Docker registry is unreachable or if the image is not available.

Workaround: Verify the following:

● The Docker registry is reachable.

● The image is available.


11

Appendix—Reference topics

Topics:

CloudLink Center server address

Prestartup authorization of CloudLink Center machines

Secure CloudLink machines by using encryption keys

CloudLink Key Release policies

Manage CloudLink machines by grouping

Encryption key location and protection options in CloudLink

Best practices for saving, backing up, and restoring CloudLink Center machine encryption keys

CloudLink Vault to encrypt CloudLink Center machine data

IP addresses of machines associated with CloudLink

Manage CloudLink Center clusters

CloudLink Update menu

CloudLink Center server address

You use the CloudLink Center server address frequently. For example, you provide the address in the URL used to access the CloudLink Center user interface and in commands that are used to download installation files.

You can specify the CloudLink Center server address in one of the following formats:

● IP address (default)

Enterprise and PowerFlex—It is recommended that you use a static IPv4 address. For IPv6, CloudLink only supports dynamic address assignment.

NOTE: If you use IPv6, an IPv4 address must be assigned to the CloudLink Center network interface using either static or DHCP addressing. CloudLink only supports dual-stack devices.

Microsoft Azure and Azure Stack—You can use an IPv4 address, but it is recommended to use the DNS name, because the IP address of CloudLink Center can change after a power cycle.

NOTE: The server address can be either the public external address or the private internal address. The choice depends on the location of the CloudLink Agents connecting to CloudLink Center. The external DNS name is the best choice usually.

● Hostname

If the Domain Name System (DNS) has an entry for CloudLink Center, it is recommended that you specify the CloudLink Center server address as a hostname in fully qualified domain name (FQDN) format, such as clc.example.com. For more information, see the Dell CloudLink Administration Guide.

Requirements for CloudLink Center server addresses in clusters

In a CloudLink Center cluster, servers and CloudLink Agents use the CloudLink Center server address for communication. You define this address, as the Server Name/Address, when deploying a new server. You can use either the IP address or the hostname (FQDN format).

NOTE: Only use the hostname in FQDN format or the external DNS name for Azure and Azure Stack machines with dynamic IP addresses.

Ensure that you specify the server address using the preferred format for each CloudLink Center server before creating the cluster. You can use FQDNs and IP addresses in a cluster, but you cannot change the server address format after creating a cluster.


Prestartup authorization of CloudLink Center machines

Prestartup authorization of CloudLink Center machines applies to only Enterprise and Microsoft Azure and Azure Stack.

Prestartup authorization enables a machine to start automatically when the machine has been previously registered with CloudLink Center and can connect to it.

NOTE: If the boot volume of a machine is not encrypted, but one or more data volumes are encrypted, the machine is allowed to start. After the machine starts, CloudLink Center determines whether encryption keys for encrypted data volumes can be released automatically based on key release policies. If key release policies are not met for the data volume, CloudLink Center puts the machine in the pending state.

If a machine does not pass prestartup authorization, CloudLink Center puts the machine in the pending state and you must explicitly accept the machine before startup is allowed to continue.

For information about approved networks, removing or blocking a machine, and the pending state, see the Dell CloudLink Administration Guide.

Secure CloudLink machines by using encryption keys

CloudLink uses the following types of encryption keys to secure machines:

These keys are stored in CloudLink Center or another keystore. For more information, see Encryption key location and protection options in CloudLink.

For a machine, key release policies determine when the volume or device encryption keys that secure the boot or data volumes, or encrypted devices, are released. For more information, see CloudLink Key Release policies. The VKEK pair protects the volume encryption keys:

● When CloudLink Center receives a request from CloudLink Agent to encrypt a volume or a device on its machine, CloudLink Center generates a new VKEK in the current keystore and uses it to encrypt the volume or device encryption key.

● When a volume requires decryption, CloudLink Center decrypts the volume encryption key using the VKEK and sends it to CloudLink Agent.

The types of encryption keys used to secure machines differ because the native technologies in the OS of the machines create and manage the volume or device encryption keys.

CloudLink documentation does not discuss keys in detail. Unless specified otherwise, the terms encryption keys and keys in this documentation refer to VKEKs.


CloudLink Key Release policies

This topic provides information on the key release policies available in CloudLink.

Before CloudLink Center automatically releases keys, a machine must:

● Fulfill the requirements of key release policies

● Use an IP address that belongs to an approved network

● Belong to an approved location

● Not have been previously removed

Key release policies may be required to enable:

● A machine to boot as part of the prestartup authorization process

● Access to encrypted data volumes or devices.

If a machine does not meet the policies, CloudLink Center puts the machine in the pending state, and you must manually choose whether to allow the key release.

Key release policies are set for a machine group. For more information, see Manage CloudLink machines by grouping.

The following key release policies are available.

You can change these key release policies. For more information about approved networks, moved volumes or devices, cloned machines, and the pending state, see the Dell CloudLink Administration Guide .


Preboot unlock for PowerFlex devices

To unlock, before boot, the devices that are connected to PowerFlex machines, change all the pending policies of the machine group to the Allow Automatically mode. This prevents the PowerFlex machine from being placed in the pending state and allows the connected devices to be unlocked.

Manage CloudLink machines by grouping

You can organize machines into groups for administrative or operational purposes. For example, you might group machines for your finance department and apply a volume or a device encryption policy that requires encryption of all boot and data volumes, or devices. Also, you can group machines for your Development and Operations (DevOps) department and apply a volume encryption policy that requires encryption of only boot volumes. Each machine group might have a different administrator.

Each machine must belong to a machine group. A machine is assigned to a machine group during deployment. If you do not specify a group during deployment, the machine is assigned to the in-built machine group named Default . After deployment, you can change the machine group of a machine.

All machines in a group use the same:

● Key release policies that determine when CloudLink Center automatically releases keys to a machine. For more information, see CloudLink Key Release Policies.

● Volume encryption policy, which determines the types of volumes that must be encrypted (boot, data, or both boot and data).

Volume encryption policy applies to virtual machines (boot and data volumes).

● Keystore where encryption keys are stored. For more information, see Encryption key location and protection options in CloudLink.

● Only users belonging to a managing role for a machine group can view, change, and perform operations on the machines belonging to it.

● Approved networks, which are network locations that allow automatic startup for machines in a machine group.

● Approved location used to verify that a machine is in the correct place.

● Key lifetime that determines how frequently and at what intervals CloudLink Center updates encryption keys for machines in the group.

● New machine detection policy—If a new machine that has an approved IP address is added to CloudLink Center, you can choose to allow it to automatically register with CloudLink Center (default) or to require manual approval.

● CloudLink Agent upgrade policy, which determines whether CloudLink Agents are upgraded when CloudLink Center is upgraded, or if CloudLink Agents are upgraded individually.

For information about machine groups, volume encryption policy, device encryption policy, managing roles, approved networks, and key lifetimes, see the Dell CloudLink Administration Guide .

Encryption key location and protection options in CloudLink

Keystores

A keystore is the combination of a key location and a key protector. Encryption keys are stored in a key location and are encrypted, or protected, by a key protector.

Key locations

CloudLink Center supports several options for the key location that is used to store encryption keys:

● Local Database: An internal key location.

● Microsoft Active Directory: An external key location.

● Amazon S3: An external key location. You must have an Amazon Web Services (AWS) account to use this location.

● S3-compatible bucket: An external S3-compatible key location.

● External KMIP Server: In CloudLink Center 7.1.3 and later versions, you can configure an external KMIP server so that it generates and stores the encryption keys required for agent or machine encryption. The key release policies applicable to an agent also apply to external KMIP servers. An external KMIP server can be used for encrypting machines, PowerFlex devices, and containers, and for SED key management. However, these features do not apply to Key Management over KMIP, because in that case CloudLink itself acts as the KMIP server.

Key protectors

CloudLink Center supports several options for encryption key protectors.

NOTE: The type of available key protector depends on the selected key location.

● CloudLink Vault: An internal key protector.

● SafeNet LunaSA: An external key protector using a hardware security module (HSM) for protection.

● Microsoft Azure or Azure Stack Key Vault: An external key protector using an Azure or Azure Stack Key Vault for protection.

● KMIP server: An external key protector using a Key Management Interoperability Protocol (KMIP) server for protection.

● Password: The encryption key is protected with a password.

Best practices for saving, backing up, and restoring CloudLink Center machine encryption keys

This topic provides information about the best practices for saving, backing up, and restoring CloudLink Center machine encryption keys.

You are responsible for your encryption keys and for ensuring that the appropriate access control and backup policies and procedures are in place to protect the keys against loss or theft. If your keys become unavailable, you cannot access any data that was encrypted using those keys.

CloudLink Center backups are critical for restoring CloudLink Center. Have a backup of CloudLink Center so that you can deploy a new server and restore CloudLink Center. If you are using the local database, volume encryption keys or device encryption keys are stored in CloudLink Center. Backups are the only method of restoring keys so that you can access encrypted data. For information about VKEKs and volume encryption keys or device encryption keys, see the Dell CloudLink Administration Guide .

The following table identifies the key protectors that are available for each type of key location.

Key location                  CloudLink Vault   SafeNet LunaSA   Azure/Azure Stack Key Vault   KMIP key manager   Password
Local database                Yes               Yes              Yes                           Yes                Yes
Microsoft Active Directory    No                No               No                            Yes                Yes
Amazon S3                     No                No               No                            Yes                Yes
S3-compatible bucket          No                No               No                            Yes                Yes

NOTE: Ensure that you meet all prerequisites for restoring CloudLink Center from backup, otherwise you cannot access encrypted data after restoring from a backup file.

For more information about CloudLink Center backups and restoring from a backup file, see the Dell CloudLink Administration Guide.

CloudLink Vault to encrypt CloudLink Center machine data

CloudLink Center includes an encrypted container, CloudLink Vault, which is created during the deployment and configuration of CloudLink. CloudLink Vault:

● Encrypts credentials that are used to access remote resources

For example, CloudLink Vault stores credentials that are required to access FTP or SFTP servers or external keystores.

● Provides an initial, internal key protector

You can continue to use this initial CloudLink Vault as the key protector or keystore, or configure a different key protector.

When used as the key protector, CloudLink Vault encrypts device or volume key encryption keys (VKEKs). For more information, see the Dell CloudLink Administration Guide.

When a CloudLink Center server restarts, it must unlock CloudLink Vault before CloudLink Center can authorize machine operations, ensuring that a stolen copy of CloudLink Vault or the disk on which it is stored does not contain any unprotected secrets or encryption keys.

You can configure CloudLink Vault to open:

● Manually by providing a passcode

When configuring CloudLink Vault, you specify up to three passcodes. Only one passcode is required to open the vault.

● Automatically by using a server-specific key

NOTE: During CloudLink Center initial configuration, the default vault unlock mode is automatic. You can choose to set the CloudLink Vault to unlock manually.

IP addresses of machines associated with CloudLink

In some circumstances, the IP address of a machine under CloudLink Center management might change, such as when a Dynamic Host Configuration Protocol (DHCP) server assigns IP addresses. When a machine starts up with a changed IP address, CloudLink Center might put the machine in the pending state. Before startup can continue, you must manually accept the machine. For more information about accepting machines in the pending state, see the Dell CloudLink Administration Guide.

By default, in Azure and Azure Stack environments, the IP address of a machine under CloudLink Center management might change each time the machine is shut down and restarted. A new IP address is assigned from the same subnet as the previous address. When a machine starts up with a changed IP address, CloudLink Center might put the machine in the pending state. Before startup can continue, you must manually accept the machine.

To avoid manually accepting machines in the pending state because of changed IP addresses, you can change the key release policies for the machine group to allow CloudLink Center to release keys to machines starting up with changed IP addresses. See CloudLink Key Release Policies for more information.


In Azure and Azure Stack environments, to avoid manually accepting machines in the pending state because of changed IP addresses, you can assign static IP addresses to machines.

Manage CloudLink Center clusters

A CloudLink Center cluster provides for high availability if one CloudLink Center server in the cluster becomes unavailable, whether due to planned maintenance or an unexpected issue.

A CloudLink Center cluster consists of up to four CloudLink Center servers, where every server is always active. There is no primary server. The agents can be connected to any server in the cluster.

CloudLink Center replicates configuration information between all servers in a cluster. This replication means that all servers contain the same critical configuration information:

● CloudLink licenses

● Volume encryption policy

● User accounts

● Manual passcodes for unlocking CloudLink Vault

● Actions

● Alarms

● Security events

Data from external resources, such as key locations, key protectors, and key management servers, is not replicated.

For information about creating a CloudLink Center server cluster, see the Dell CloudLink Administration Guide.

CloudLink Update menu

After you have configured CloudLink Center, the Update menu is displayed every time you log in to the CloudLink Center console.

Update menu options

This topic provides information about the Update menu options for Enterprise, PowerFlex, and Microsoft Azure and Azure Stack.

For Enterprise and PowerFlex

● Summary—Displays a summary of CloudLink Center settings.

● Network—Displays CloudLink Center network configuration(s).

● Password—Changes the current password used to log in to the CloudLink Center console.

● Reset Network—Resets the network settings, after which you can reconfigure them. If you select this option, all current network settings are removed.

● Unlock User—Unlocks the secadmin user account.

● Shutdown—Shut down or reboot CloudLink Center.

● Diagnostics—Intended only for use as directed by your Dell Technologies representative.

For Microsoft Azure and Azure Stack

● Summary—Displays a summary of CloudLink Center settings.

● Network—Displays CloudLink Center network configuration(s).

● Unlock User—Unlocks the secadmin user account.

● Shutdown—Shut down or reboot CloudLink Center.

● Diagnostics—Intended only for use as directed by your Dell Technologies representative.

12 Related documentation and resources

Topics:

Other Dell CloudLink documents you may require

Contact Dell Technologies

Other Dell CloudLink documents you may require

You can find the following documents on the Dell Technologies Support website.

● Dell CloudLink 7.1.5 Deployment Guide

● Dell CloudLink 7.1.5 Administration Guide

● Dell CloudLink 7.1.5 Release Notes

● Dell CloudLink 7.1.5 Upgrade Guide

● Dell CloudLink Security Configuration Guide

● Dell CloudLink Support Matrix

● Dell CloudLink Key Management for VMware vCenter Server Configuration Guide

● Dell CloudLink SNMP Reference Guide

Contact Dell Technologies

Dell Technologies provides several online and telephone-based support and service options. Availability varies by country, region, and product, and some services may not be available in your area. To contact Dell Technologies for sales, technical support, or customer service issues, see www.dell.com/contactdell.

If you do not have an active Internet connection, you can find contact information on your purchase invoice, packing slip, bill, or the product catalog.
