Installing DSG on Cloud Installation

• 1: Installing DSG on AWS
• 1.1: Creating and Launching a DSG Instance from the AMI
• 1.2: Finalizing the DSG Installation
• 2: Installing DSG on Azure
• 2.1: Creating Image and VM on Azure
• 2.2: Adding and Configuring the Second Network Interface
• 2.3: Finalizing the DSG Installation
• 2.4: Azure Cloud Utility
• 3: Installing DSG on GCP
• 3.1: Creating a VM Instance from an Image
• 3.2: Finalizing the DSG Installation

1 - Installing DSG on AWS

This section describes the process for launching a DSG instance on Amazon Web Services (AWS).

AWS is a cloud-based computing service. It provides several services, such as, computing power through Amazon Elastic Compute Cloud (EC2), storage through Amazon Simple Storage Service (S3), and so on. The AWS stores Amazon Machine images (AMIs), which are templates or virtual images containing an operating system, applications, and configuration settings.

Prerequisites

This section describes the prerequisites for launching and installing the DSG on AWS. It also includes the information for the audience, network prerequisites, and hardware and software requirements for the DSG.

Ensure that the following prerequisites are met before launching the DSG on AWS:

• Ensure that an ESA v10.1.x is installed.

  For more information about installing the ESA v10.1.x, refer to the sections Installing Appliance On-Premise and Installing Appliances on Cloud Platforms.

• Ensure that Policy Management (PIM) has been initialized on the ESA. The initialization of PIM ensures that cryptographic keys for protecting data and the policy repository have been created.
  For more information about initializing the PIM, refer to section Initializing the Policy Management.

• Ensure that the FIPS mode is disabled on the ESA.
  For more information about diabling the FIPS mode, refer to the section Disabling the FIPS Mode

• Ensure that Analytics component is initialized on the ESA. The initialization of Analytics component is required for displaying the Audit Store information on Audit Store Dashboards.
  For more information about initializing Analytics, refer Initializing Analytics on the ESA.

• An Amazon account for using AWS is available with the following information:

  • Login URL for the AWS account
  • Authentication credentials for the AWS account

Audience

This section contains information for stakeholders who are interested in understanding how to create, launch, and install a DSG instance on AWS.

It is recommended that you understand and use Amazon Web Services and its related concepts.

For more information about the Amazon Web Services concepts, refer to the AWS documentation at https://docs.aws.amazon.com.

Hardware Requirements

This section describes the hardware requirements for the DSG.

As the Protegrity appliances are hosted and run on AWS, the hardware requirements are dependent on the configurations provided by Amazon.

For reference, the following list describes the minimum hardware requirements for the DSG:

• CPU: 4 Cores
• RAM: 16 GB
• Disk Size: 64 GB
• Network Interfaces: 2

The hardware configuration required might vary based on the actual usage or amount of data and logs expected.

Network Requirements

This section describes the network requirements for a DSG instance on AWS.

It is recommended that the DSG on AWS must be installed in the Amazon Virtual Private Cloud (VPC) networking environment.

For more information about the Amazon Virtual Private Cloud, refer to the documentation at: http://docs.aws.amazon.com.

Ensure that two Network Interface Cards (NICs) are added during the DSG instance creation on AWS.

For more information about the network interface requirements, refer to the section Network Planning.

The Data Security Gateway must be configured with the following two network interfaces:

• Management Interface - This interface is used for communication between the ESA and the DSG, and accessing the DSG Web UI.
• Service Interface - This interface is used for handling the network traffic traversing through the DSG.

Installing the DSG on AWS

This section provides information for the steps required to launch and install the Data Security Gateway (DSG) instance from an AMI provided by Protegrity.

Ensure that the installation order provided in the table is followed.

1.1 - Creating and Launching a DSG Instance from the AMI

This section includes the steps to create a DSG instance from the AMI.

Ensure that the DSG AMI is downloaded from the My.Protegrity portal to your AWS account.

To create an instance of DSG:

1. Launch the instance using the DSG AMI, DSG_PAP-ALL-64_x86-64_AWS_3.3.0.1.x.ami.

2. While setting up the instance, ensure that the minimum hardware requirements are properly specified. For more information about minimum hardware requirements, refer to the Minimum Hardware Requirements.

3. After the instance is launched, click the launched instance link on the Launch Status screen.

   The Instances screen appears. It lists the DSG instance-related details.

After the instance is created, you must finalize the DSG installation by accessing the instance using the instance IP.

1.2 - Finalizing the DSG Installation

After the DSG instance is launched, you must complete the finalization of the DSG installation. The finalization process will rotate the Protegrity provided keys and certificates so that these are regenerated as a security best practice.

CAUTION:

Ensure that the SSH connection is not interrupted during the finalization of the DSG installation. If the SSH connection is interrupted, then the finalization of the DSG installation fails. The process of instance creation and installation of the DSG must be started afresh.

To finalize the DSG installation:

1. Access the DSG management IP and provide the downloaded key pair details to connect using an SSH client.

2. Login using the local_admin user for the DSG.

3. Press Tab to select Yes and press Enter to finalize the installation.

   The finalize installation confirmation screen appears.

   

   If you select No during finalization, then the DSG installation does not complete.

   Perform the following steps to complete the finalization of the DSG installation on the DSG CLI manager.

   1. Navigate to Tools > Finalize Installation.
   2. Follow the step 4 to step 6 to complete installing the DSG.

4. Press Tab to select Yes and press Enter to rotate the required keys, certificates, and credentials for the appliance.

   

5. Configure the default user passwords, press Tab to select Apply and press Enter.

   

   It is recommended that strong passwords are set for all the users.

   For more information about password policies, refer to the section Strengthening Password Policy.

   Ensure that the default passwords are not reused.

6. Press Tab to select Continue and press Enter to complete the finalization of the DSG installation.

   

7. To access the DSG CLI Manager with administrator user credentials, you must login to the DSG Web UI. On the DSG Web UI, navigate to Settings > Network and select the SSH tab. In the SSH Authentication Configuration section, select Password + Publickey as the Authentication type and click Apply.

The finalization of the DSG installation completes successfully.

2 - Installing DSG on Azure

This section provides information on launching a Data Security Gateway (DSG) virtual machine (VM) on the Microsoft Azure platform.

The Microsoft Azure platform is a set of cloud-based computing services, which include computing services, virtual machines, data storage, analytics, networking services, and so on.

Prerequisites

This section describes the prerequisites for launching the DSG on Azure. It also includes the details for the network prerequisites and hardware requirements for the DSG.

Ensure that the following prerequisites are met before launching the DSG on Azure:

• Ensure that an ESA v10.1.x is installed.

  For more information about installing the ESA v10.1.x, refer to the sections Installing Appliance On-Premise and Installing Appliances on Cloud Platforms.

• Ensure that Policy Management (PIM) has been initialized on the ESA. The initialization of PIM ensures that cryptographic keys for protecting data and the policy repository have been created.
  For more information about initializing the PIM, refer to section Initializing the Policy Management.

• Ensure that the FIPS mode is disabled on the ESA.
  For more information about diabling the FIPS mode, refer to the section Disabling the FIPS Mode

• Ensure that Analytics component is initialized on the ESA. The initialization of Analytics component is required for displaying the Audit Store information on Audit Store Dashboards.
  For more information about initializing Analytics, refer Initializing Analytics on the ESA.

• An Azure account is available with the following information:

  • Sign in URL for the Azure account
  • Authentication credentials for the Azure account

• Ensure that the DSG BLOB is available in the storage account that will be selected to create the disk and the VM.

Audience

This section contains information for stakeholders who are interested in understanding how to create, launch, and install a DSG instance on Azure.

It is recommended that you possess working knowledge of the Azure Platform and knowledge of related concepts.

For more information about Azure concepts, refer to the Azure documentation at: https://docs.microsoft.com/en-us/azure/

Hardware Requirements

This section describes the hardware and software requirements for the DSG.

As the DSG is hosted and run on Azure, the hardware requirements are dependent on the configurations provided by Azure.

For reference, the following list describes the minimum hardware requirements for the DSG:

• CPU: 4 Cores
• RAM: 16 GB
• Disk Size: 64 GB
• Network Interfaces: 2

The hardware configuration required might vary based on the actual usage or amount of data and logs expected.

Network Requirements

This section explains the network requirements for the DSG in Azure.

It is recommended that the DSG on Azure is provided with the Azure Virtual Network environment.
For more information about the Azure Virtual Network, refer to the Azure documentation at https://docs.microsoft.com/en-us/azure.

Ensure that two Network Interface Cards (NICs) are added during the DSG instance creation on Azure.
For more information about the network interface requirements, refer to the section Network Planning.

The Data Security Gateway must be configured with the following two network interfaces:

• Management Interface - This interface is used for communication between the ESA and the DSG, and accessing the DSG Web UI.
• Service Interface - This interface is used for handling the network traffic traversing through the DSG.

Installing the DSG on Azure

This section provides information for the steps required to launch and install the Data Security Gateway (DSG) instance from a BLOB provided by Protegrity.

Ensure that the installation order provided in the table is followed.

2.1 - Creating Image and VM on Azure

Creating an Image from the DSG BLOB

This section explains how to create an image from the DSG BLOB.

Ensure that the DSG BLOB is downloaded from the My.Protegrity portal to your Azure storage account that will be selected to create the image.

To create an image from the BLOB:

1. Log in to the Azure portal.

2. Select Images and click Create.

3. Enter the details in the Resource Group, Name, and Region text boxes.

4. In the OS disk option, select Linux.

5. In the VM generation option, select Gen 1.

6. In the Storage blob drop-down list, select the Protegrity Azure BLOB.

7. Enter the appropriate information in the required fields and click Review + create.

   The image is created from the BLOB.

Creating a VM from the Image

This section describes the steps to create a VM from an image.

After obtaining the image, you can create a VM from it. For more information about creating a VM from the image, refer to the following link.

https://docs.microsoft.com/en-us/azure/virtual-machines/linux/quick-create-portal#create-virtual-machine

To create a VM:

1. Login in to the Azure homepage.

2. Click Images.

   The list of all the images appear.

3. Select the required image.

4. Click Create VM.

5. Enter details in the required fields.

6. Select SSH public key in the Authentication type option.

   As a security measure for the appliances, it is recommended to not use the Password based mechanism as an authentication type.

7. In the Username text box, enter the name of a user.

   This user is added as an OS level user in the appliance. Ensure that the following usernames are not provided in the Username text box:

   • Appliance OS users
   • Appliance LDAP users

8. Select the required SSH public key source.

9. Enter the required information in the Disks, Networking, Management, and Tags sections.

10. Click Review + Create.

    The VM is created from the image.

11. After the VM is created, you can access the appliance from the CLI Manager or Web UI.

    The OS user that is created in step 7 does not have SSH access to the appliance. If you want to provide SSH access to this user, login to the appliance as another administrative user and toggle SSH access. In addition, update the user to permit Linux shell access (/bin/sh).

2.2 - Adding and Configuring the Second Network Interface

Adding the Second Network Interface

For ensuring network security, the DSG isolates the management interface from the service interface by allocating each with a separate network address. Ensure that two NICs are added to the DSG. This section explains the steps to add a second network interface to the DSG appliance after a DSG VM is created.

To add a second network interface to the DSG:

1. On the Azure Portal Dashboard, click Virtual Machines.

2. Select the DSG VM that you created.

   The DSG VM details appear in the Virtual Machine screen.

3. On the Virtual Machine screen, click Overview.

4. Click Stop to power off the VM.

5. Create the second network interface for the DSG VM.

6. Navigate to the Virtual Machine screen, select the DSG VM that you created, and click Networking under the Settings area.

7. Click Attach network interface.

8. Select the network interface that you created in step 5, and click OK.

   The second network interface is added to the VM. You can view two tabs that represent NICs for the management and service interfaces.

9. Click Start to power on the VM.

   The second network interface is added to the DSG node.

Configuring the Second Network Interface

This section explains the steps to configure a second network interface on the DSG after finalizing the DSG installation. For more information about finalizing the DSG installation, refer to the section Finalizing the DSG Installation.

To configure the second network interface on the DSG:

1. On the Azure Portal Dashboard, click Virtual Machines.

2. Navigate to the Virtual Machine screen, and select the DSG VM instance that you created earlier.

3. Click Overview.

4. Click Serial Console to access the DSG instance.

5. Login to the DSG instance using the administrator credentials.

6. Navigate to Networking > Network Settings.

   The Network Configuration Information screen appears.

   

7. Select Interfaces and press Edit.

8. Select the ethSRV0 interface and proceed by pressing Tab to select Edit.

   

9. Select either DHCP or Static for the ethSRV0 interface.

   

   1. If the DHCP server is not configured, then select Static, and proceed by pressing Tab to select Update for updating the network information manually.

      The Interface Settings screen appears.

      

10. On the Interface Settings screen, press Tab and select Add to enter the IP Address and Netmask for the ethSRV0 interface.

    The Network Settings screen appears.

    

11. On the Network Settings screen, enter the IP Address and the Netmask of the ethSRV0 interface and proceed by pressing Tab and select OK.

    

The second network interface, ethSRV0, is configured on the DSG node.

2.3 - Finalizing the DSG Installation

After the DSG instance is launched, you must complete the finalization of the DSG installation. The finalization process will rotate the Protegrity provided keys and certificates so that these are regenerated as a security best practice.

It is recommended to finalize the installation of the DSG instance using the Serial Console provided by Azure. Do not finalize the installation of the DSG instance using the SSH connection.

To finalize the DSG installation:

1. Sign in to the Azure homepage.

2. On the left pane, click Virtual machines.

   The Virtual machine screen appears.

3. Select the required virtual machine and click Serial console.

   The DSG CLI manager screen appears.

4. Login to the DSG CLI Manager using the administrator credentials and press ENTER.

   The credentials for logging in to the DSG are provided in the DSG 3.3.0.1 readme.

5. Press Tab to select Yes and press Enter to finalize the installation.

   The finalize installation confirmation screen appears.

   

   If you select No during finalization, then the DSG installation does not complete.

   Perform the following steps to complete the finalization of the DSG installation on the DSG CLI manager.

   1. Navigate to Tools > Finalize Installation.
   2. Follow the step 6 to step 9 to complete installing the DSG.

6. Enter the administrator credentials for the DSG instance, press Tab to select OK and press Enter.

   

   The administrator credentials for logging in to the DSG are provided in the DSG 3.3.0.1 readme.

7. Press Tab to select Yes and press Enter to rotate the required keys, certificates, and credentials for the appliance.

   

8. Configure the default user’s passwords, press Tab to select Apply and press Enter to continue.

   

   It is recommended that strong passwords are set for all the users.

   For more information about password policies, refer to the section Strengthening Password Policy.

   Ensure that the default passwords are not reused.

9. Press Tab to select Continue and press Enter to complete the finalization of the DSG installation.

   

A part of finalization of the DSG installation is completed successfully. For the next part of the installation, the Second Network Interface must be configured before you can use the DSG instance.

2.4 - Azure Cloud Utility

The Azure Cloud Utility is a DSG appliance component that is used for supporting features specific to Azure Cloud Platform, which are, Azure Accelerated Networking and Azure Linux VM agent. When you install the DSG from an Azure v3.3.0.1 BLOB, the Azure Cloud Utility is installed automatically on the DSG.

CAUTION: While you are using the Azure Accelerated Networking or Azure Linux VM agent, ensure that the Azure Cloud Utility is not uninstalled.

Working with Accelerated Networking

The Accelerated Networking is a feature provided by Microsoft Azure, which allows the DSG appliance to handle increasing loads. The advantages offered with Accelerated Networking include reduced latency, reduced jitter, and improved CPU utilization. The following observations are applicable to the Accelerated Networking feature when it is enabled or not enabled in the VM:

• When this feature is enabled in the VM, the network traffic is routed to the VM Network Interface (NIC), and it is then forwarded to the VM. This helps to improve the networking performance as the traffic bypasses the virtual switch.
• When this feature is not enabled in the VM, the networking traffic coming in and out of the VM traverses through the host and the virtual switch.

The DSG is configured with two network interfaces, Management Interface and Service Interface, where the the Management Interface is used for communication between the ESA and the DSG, and accessing the DSG Web UI. The Service Interface is used for handling the network traffic traversing through the DSG.

For more information about an overview and how to configure Azure Accelerated Networking, refer to the Azure documentation at https://docs.microsoft.com/en-us/azure.

It is recommended to configure the Accelerated Networking feature after the DSG is installed on Azure VM instance as it improves the networking performance. As the network traffic traverses through the Service Interface on the DSG, it is recommended to enable the Accelerated Networking feature on the Service Interface.

Working with Linux VM Agent

The Microsoft Azure Linux Agent (waagent) is a VM extension provided by Microsoft Azure that manages image provisioning, networking, kernel, integrating third-party softwares on VMs, and so on.

For more information about the Linux VM agent, refer to the Azure documentation at https://docs.microsoft.com/en-us/azure.

For the DSG, the Linux VM agent is used for enabling backup and restore using either of the following two methods:

• Recovery Services Vaults
• Creating Images of an Instance

The waagent extension is registered in the .vhd file that is provided by Protegrity. To use the Linux VM agent feature, you must create an image from the .vhd file provided by Protegrity.

3 - Installing DSG on GCP

This section describes the process for launching a Data Security Gateway (DSG) instance on Google Cloud Platform (GCP).

GCP is a set of cloud computing services provided by Google, and offers services, such as compute, storage, and networking.

Prerequisites

This section describes the prerequisites for launching the DSG on GCP. It also includes the information for the audience and the network prerequisites for the DSG.

Ensure that the following prerequisites are met before launching the DSG on GCP:

• Ensure that an ESA v10.1.x is installed.

  For more information about installing the ESA v10.1.x, refer to the sections Installing Appliance On-Premise and Installing Appliances on Cloud Platforms.

• Ensure that Policy Management (PIM) has been initialized on the ESA. The initialization of PIM ensures that cryptographic keys for protecting data and the policy repository have been created.
  For more information about initializing the PIM, refer to section Initializing the Policy Management.

• Ensure that the FIPS mode is disabled on the ESA.
  For more information about diabling the FIPS mode, refer to the section Disabling the FIPS Mode

• Ensure that Analytics component is initialized on the ESA. The initialization of Analytics component is required for displaying the Audit Store information on Audit Store Dashboards.
  For more information about initializing Analytics, refer Initializing Analytics on the ESA.

• A GCP account is available with the following information:

  • Login URL for the GCP account
  • Authentication credentials for the GCP account

Audience

This section contains information for stakeholders who are interested in deploying a DSG instance on GCP.

It is recommended that you understand and use the Google Cloud Platform before proceeding further.

For more information about the Google Cloud Platform, refer to the https://cloud.google.com/docs.

Hardware Requirements

This section describes the hardware and software requirements for the DSG.

As the DSG is hosted and run on GCP, the hardware requirements are dependent on the configurations provided by Google.

The following list describes the minimum required configuration for launching the DSG image on the GCP:

• CPU: 4 Cores
• RAM: 16 GB
• Disk Size: 64 GB
• Network Interfaces: 2

The hardware configuration required might vary based on the actual usage or amount of data and logs expected.

Network Requirements

his section explains the network requirements for the DSG on GCP.

It is recommended that the DSG on GCP must be installed in the GCP Virtual Private Cloud (VPC) networking environment.

For more information about the GCP Virtual Private Cloud, refer to the documentation at: https://cloud.google.com/vpc/docs

Ensure that two Network Interface Cards (NICs) are added during the DSG instance creation on GCP.

For more information about the network interface requirements, refer to the section Network Planning.

The Data Security Gateway must be configured with the following two network interfaces:

• Management Interface - This interface is used for communication between the ESA and the DSG, and accessing the DSG Web UI.
• Service Interface - This interface is used for handling the network traffic traversing through the DSG.

Installing the DSG on GCP

This section provides information for the steps required to launch and install the Data Security Gateway (DSG) instance from an image provided by Protegrity.

Ensure that the installation order provided in the table is followed.

3.1 - Creating a VM Instance from an Image

This section describes how to create a VM instance from a DSG image.

Ensure that the DSG image is downloaded from the My.Protegrity portal to your GCP account.

To create a VM instance from an image:

1. Login to the GCP console.

2. Under the Compute section, click Compute Engine > VM instances.

3. On the VM instances screen, click CREATE INSTANCE.

   The Create an instance screen appears.

4. On the Create an instance screen, select the configurations as per your requirements. Some of the configurations on this screen must be set as provided in the sub steps so that the DSG can be installed successfully.

   1. Under Machine Configuration, click the Serial and the Machine type drop down list and select the required configuration.

      It is recommended that an instance with minimum 4 Core CPU and 16 GB RAM configuration is selected. The instance type listed is the minimum hardware configuration.

      The hardware configuration required might vary based on the actual usage or amount of data and logs expected.

   2. Under Boot disk, click Change.

      1. Click the Custom images tab, and click the DSG image, dsg-pap-all-64-x86-64-gcp-3-3-0-1-x, in the image drop down list.
      2. Select the required boot disk type and set the value for the Size(GB) option as 64 and then click Select.

   3. Under Firewall, ensure that the Allow HTTP traffic and Allow HTTPS traffic check boxes are selected.

   4. Click the Networking tab and add two NICs.

      For ensuring network security, the DSG isolates the management interface from the service interface by allocating each with a separate network address. Ensure that two NICs are added to the DSG.

5. Click Create to create the VM instance.

   After the instance is created, a notification stating that the VM instance has been created appears in the Notifications tab.

6. On the VM instances screen, search or enter the name of the VM instance.

7. Click the VM that you created.

   The VM instance details screen appears.

   Ensure that you validate the details, such as, Machine Type, Boot disk, Firewall, and the Network Interfaces on the VM instance details screen.

3.2 - Finalizing the DSG Installation

After the DSG instance is launched, you must complete the finalization of the DSG installation. The finalization process will rotate the Protegrity provided keys and certificates so that these are regenerated as a security best practice.

It is recommended to finalize the installation of the DSG instance using the Serial Console provided by GCP. Do not finalize the installation of the DSG instance using the SSH connection.

To finalize the DSG installation:

1. Login to the GCP console.

2. Under the Compute section, click Compute Engine > VM instances.

3. On the VM instances screen, search or enter the name of the VM instance.

4. Click Connect to serial console to access the DSG instance.

5. Login using the administrator credentials for the DSG.

   The credentials for logging in to the DSG are provided in the DSG 3.3.0.1 readme.

6. Press Tab to select Yes and press Enter to finalize the installation.

   The finalize installation confirmation screen appears.

   

   If you select No during finalization, then the DSG installation does not complete.

   Perform the following steps to complete the finalization of the DSG installation on the DSG CLI manager.

   1. Navigate to Tools > Finalize Installation.
   2. Follow the step 7 to step 10 to complete installing the DSG.

7. Enter the administrator credentials for the DSG instance, press Tab to select OK and press Enter.

   The credentials for logging in to the DSG are provided in the DSG 3.3.0.1 readme.

   

8. Press Tab to select Yes and press Enter to rotate the required keys, certificates, and credentials for the appliance.

   

9. Configure the default user’s passwords, press Tab to select Apply and press Enter to continue.

   

   It is recommended that strong passwords are set for all the users.

   For more information about password policies, refer to the section Strengthening Password Policy.

   Ensure that the default passwords are not reused.

10. Press Tab to select Continue and press Enter to complete the finalization of the DSG installation.

    

The finalization of the DSG installation completes successfully.