DEV Community: Abdul Hadi

THALES CipherTrust Manager Installation on Private Cloud Guide 2025

Abdul Hadi — Fri, 11 Apr 2025 19:42:59 +0000

We assume that you have already downloaded the CipherTrust Manager OVA file. IF NOT then please follow this link OVA file download.

Passing the cloud-init file for a Private Cloud Image
When using the disk image, how the cloud-init data is passed to CipherTrust Manager depends on the virtualization platform - please refer to documentation or notes for your specific cloud environment.
The following are two examples of passing cloud-init data when using a disk image, one using 'libvirt' and one using VMware/vSphere.

You can view official documentation here THALES CipherTrust Manager.

Using VMware/vSphere

This example describes how to deploy CipherTrust Manager on VMware with a static IP configuration. In general, if you have virtual machines you intend to use frequently or for extended periods of time, it can be convenient to assign a static IP address, or configure DHCP server to always assign the same IP address, to each of these virtual machines.
For virtual machines that you do not expect to keep for extended periods of time, use DHCP and let it allocate P addresses for these machines.

Use the following procedure to deploy CipherTrust Manager on VMware with a static IP configuration.

Note: This procedure includes preparation of a cloud-init configuration file used to set up a static IP address during launch of the CipherTrust Manager.

Get CipherTrust Manager installation file for VMware from Gemalto Support Portal.

Deploy OVA in ESXi Server.
Select "Deploy OVF Template".
On the Select an OVF template page, choose OVA file and select NEXT.

Deploy Template

On the Select a name and folder page, select the name of the virtual machine and its location.

Validate the CipherTrust Manager Virtual Machine Configuration. On the Select a compute resource page, select the destination compute resource (if applicable).

Note
Error: If you see an error, please perform the following steps:

Use ovftool.exe to convert ova file into uncompressed file(s).

Execute the following command:

ovftool.exe --lax <source_OVA_file> <destination_OVF_file>

Note
OVF with compressed disk is not supported on newer version of Vsphere client. It may work on older versions.

Repeat Step 2 with a new installer file.

On the Review details page, verify the template details of the CipherTrust Manager image and if correct, select NEXT.

Review Details

On the Select storage page, select the storage location to install the CipherTrust Manager and then select NEXT.
On the Select network page, select the network and then select FINISH.

Warning
Caution: Do not launch/start the machine at this time.

Prepare the cloud-init configuration.

Add a CD drive to the VM.

Before booting up the VM, prepare the cloud-init configuration. The following cloud-init example configures the VM's eth0 port with a static IP address. Copy this example and edit it for your desired network settings.

#cloud-config
keysecure:
    netcfg:
        iface:
            name: eth0
            type: static
            address: 192.168.1.150
            netmask: 255.255.255.0
            gateway: 192.168.1.1
            dns1: 192.168.1.100

Warning
Note: Cloud-init configuration files use YAML syntax; indentation is important and tabs cannot be used.

Convert the string to base64. To convert to base64, use the openssl command:

openssl base64 -in <infile> -out <outfile>

Save this base64 string to use in next steps.

Add the base64 configuration to the VM. This step shows vSphere web client (Flash) version as demonstration. You may find similar options in other clients.

Select: > virtual machine > Configure > Settings > vApp Options

Press Edit button on the top right on this page.

Under OVF Settings, select the ISO Image check box, which is next to OVF environment transport.

On the same page, expand "Properties" to add configuration.

Press the New button to add a property for the configuration. On following screen, there are two fields which need to be changed.

Label: user-data
Default value: <base64 string of configuration>

Note: Key ID will change automatically when you change Label.

Press OK to save the Property Settings.

Then press OK again to save the vApp Options page.

Launch the instance. The VM should boot up configured with a static IP.

Important
If you you're VM didn't pick the configuration using the base64 format. Then you can use my alternate step. Only follow if you were unsuccessful in configuring your YAML using base64 encoding.

Injecting cloud-init conf using ISO file

CTM.yaml:
Make your network configuration file as mentioned below, to add other configurations in this please visit this link:

#cloud-config
keysecure:
    netcfg:
        iface:
            name: eth0
            type: static
            address: 192.168.1.150
            netmask: 255.255.255.0
            gateway: 192.168.1.1
            dns1: 192.168.1.100

Meta-data:

Create a meta-data file and provide instance parameters, for example:

instance-id: <some instance id>

Creating ISO file:

Use any available linux command line.
Make sure genisoimage utility is installed.
Create the ISO file using the following command.

genisoimage -o config.iso -volid cidata -joliet -rock <your-netowrk-config-file> <your-meta-data-file>

This command will give you a file named config.iso.
Attaching the ISO file
Upload the given config.iso file into your VMware Datastore. Attach the ISO file to the CipherTrust Manager VM by editing settings.

Important
Make sure your CD/DVD Drive Connect on Power On checkbox is checked.
Now start the VM and check if it picked up the configurations.

Example using 'libvirt'

When launching a virtual machine with the Qcow2 image using 'libvirt', the cloud-init data has to be passed in as an ISO file. The ISO can be generated as follows:

Prepare the user-data file as follows:

Rename the file config.data to user-data.

Because the user's SSH key is used for wrapping a layer of encryption keys, it must be added to the cloud-init config. So, the 'user-data' file should look like:

#cloud-config
hostname: <host name for the instance>
diskenc:
  encrypt: true
ssh_authorized_keys:
  - <replace with user ssh public key>

Note: 'ssh_authorized_keys' can be configured with multiple ssh public keys.

Create a meta-data file and provide instance parameters, for example:

instance-id: <some instance id>

Create an ISO image file:

Make sure genisoimage utility is installed.
Create the ISO file.

genisoimage -o config.iso -volid cidata -joliet -rock user-data meta-data

Launch instance using virt-install. OpenStack example:

virt-install --virt-type kvm --name <virtual image name> --ram 2048 --disk path=<path to keysecure qcow2 image>,size=16,format=qcow2 --disk path=<path to config.iso> --network network=default --graphics vnc,listen=0.0.0.0 --noautoconsole --os-type=linux --os-variant= ubuntu16.04 --import

Verifying if VM configurations

After logging in using the ksadmin user and setting a new password you can follow the steps to verify your configurations.

Viewing Cloud-init Logs

In my case I edited the VM IP address, gateway and DNS server. In most cases logs of every configurations done on this VM is stored in
/var/log/cloud-init.log

cd /var/log/

less cloud-init.log

# I want to search if my IP was set to static

/static

# You can search for anything else related to you
This will give the following output.
Other ways to verify your network configurations.
# Find your network device
nmcli device show | head -n 10
# Mine was ens32 consult your network configuration file
nmcli device show ens32

IBM Storage Ceph Installation Guide

Abdul Hadi — Thu, 10 Apr 2025 18:49:58 +0000

Before you begin

Before registering the IBM Storage Ceph nodes, be sure that you have:

At least one running virtual machine (VM) or bare-metal server with an active internet connection.
Red Hat Enterprise Linux 9.4 or 9.5 with ansible-core bundled into AppStream. sudo dnf info ansible-core
If not available install it using: sudo dnf install ansible-core
A valid IBM subscription with the appropriate entitlements.
Root-level access to all nodes.
For the latest supported Red Hat Enterprise Linux versions, see Compatibility matrix

Registering Storage Ceph Nodes

sudo subscription-manager register

For example,

[root@admin ~]# subscription-manager register
Registering to: subscription.rhsm.redhat.com:443/subscription
Username: USERNAME
Password: PASSWORD
The system has been registered with ID: ID
The registered system name is: SYSTEM_NAME
Pull the latest subscription.

subscription-manager refresh

For example,

[root@admin ~]# subscription-manager refresh
All local data refreshed

Disable the software repositories.

subscription-manager repos --disable=*

Enable the Red Hat Enterprise Linux BaseOS and appstream repositories.

subscription-manager repos --enable=rhel-9-for-x86_64-baseos-rpms
subscription-manager repos --enable=rhel-9-for-x86_64-appstream-rpms

Update the system.

dnf update

Enable the ceph-tools repository.

curl https://public.dhe.ibm.com/ibmdl/export/pub/storage/ceph/ibm-storage-ceph-8-rhel-9.repo | sudo tee /etc/yum.repos.d/ibm-storage-ceph-8-rhel-9.repo

Add the license to install IBM Storage Ceph and click Accept.

dnf install ibm-storage-ceph-license

Accept the provisions.

touch /usr/share/ibm-storage-ceph-license/accept

Repeat the above steps on all the nodes of the storage cluster.

Install cephadm-ansible only on admin node.

dnf install cephadm-ansible -y
dnf install cephadm -y

Configuring Ansible inventory location

Navigate to the /usr/share/cephadm-ansible/ directory.

cd /usr/share/cephadm-ansible

Optional: Create subdirectories for staging and production.

mkdir -p inventory/staging inventory/production

Optional: Edit the ansible.cfg file and add the following line to assign a default inventory location.

[defaults]
inventory = ./inventory/staging
Optional: Create an inventory hosts file for each environment.

touch inventory/staging/hosts
touch inventory/production/hosts

Open and edit each hosts file and add the nodes and [admin] group.

NODE_NAME_1
NODE_NAME_2

[admin]
ADMIN_NODE_NAME_1

Replace NODE_NAME_1 and NODE_NAME_2 with the Ceph nodes such as monitors, OSDs, MDSs, and gateway nodes.

Replace ADMIN_NODE_NAME_1 with the name of the node where the admin keyring is stored.

Enabling SSH login as root user on Red Hat Enterprise Linux 9

Prerequisites

Root-level access to all nodes.

Procedure

Open the etc/ssh/sshd_config file and set the PermitRootLoginto yes.

echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config.d/01-permitrootlogin.conf

Restart the SSH service.

systemctl restart sshd.service

ssh root@HOST_NAME

Replace HOST_NAME with the host name of the Ceph node.

ssh root@host01

Enter the root password when prompted.

Creating an Ansible user with sudo access

Complete these steps on each node in the storage cluster.

ssh root@HOST_NAME

Replace HOST_NAME with the host name of the Ceph node.

Create a new Ansible user.

adduser ceph-admin

Replace USER_NAMEwith the new user name for the Ansible user.

Important: Do not use ceph as the user name. The ceph user name is reserved for the Ceph daemons. A uniform user name across the cluster can improve ease of use, but avoid using obvious user names, because intruders typically use them for brute-force attacks.

Set a new password for this user.

passwd ceph-admin

Configure sudo access for the newly created user.

cat << EOF | sudo tee /etc/sudoers.d/ceph-admin
ceph-admin ALL=(ALL) NOPASSWD:ALL
EOF

Assign the correct file permissions to the new file.

chmod 0440 /etc/sudoers.d/ceph-admin

Enabling password-less SSH for Ansible

Generate the SSH key pair, accept the default file name and leave the passphrase empty.

su - ceph-admin
ssh-keygen

Copy the public key to all nodes in the storage cluster.

ssh-copy-id ceph-admin@host01

If there is some issue while copying the ssh-key then manually add in the authorized_keys file in the other nodes.

Create the user's SSH config file.

touch ~/.ssh/config

Open the config file for editing.

Set values for the Hostname and User options for each node in the storage cluster.

Important: By configuring the ~/.ssh/config file you do not have to specify the -u USER_NAME option each time you execute the ansible-playbook command.

Host ceph-node-admin
Hostname <ip-address>
User ceph-admin   
Host ceph-node-1
Hostname 65.2.172.224
User ceph-admin
Host ceph-node-2
Hostname 65.2.182.40
User ceph-admin
Host ceph-node-3
Hostname 13.233.8.7
User ceph-admin

Set the correct file permissions for the ~/.ssh/config file.

chmod 600 ~/.ssh/config

Running the preflight playbook

Note: In the following procedure, host01 is the bootstrap node.

Navigate to the /usr/share/cephadm-ansible directory.

Open and edit the hosts file and add your nodes.

ceph-node-1
ceph-node-2
ceph-node-3

[admin]
ceph-node-admin

Run the preflight playbook.

Run the preflight playbook either by running the playbook for all hosts in the cluster or for a selected set of hosts in the cluster.

Note: When running the preflight playbook, cephadm-ansible automatically installs chronyand ceph-common packages on the client nodes.

After installation is complete, cephadm resides in the /usr/sbin/ directory.

Run the playbook for all hosts in the cluster.

ansible-playbook -i INVENTORY_FILE cephadm-preflight.yml --extra-vars "ceph_origin=ibm"

For example,

ansible-playbook -i hosts cephadm-preflight.yml --extra-vars "ceph_origin=ibm"

Bootstrapping a new storage cluster

Before you begin

Before you begin, make sure that you have the following prerequisites in place:

An IP address for the first Ceph Monitor container, which is also the IP address for the first node in the storage cluster.
Login access to cp.icr.io/cp. For information about obtaining credentials for cp.icr.io/cp, see Obtaining an entitlement key.
A minimum of 10 GB of free space for /var/lib/containers/.
Root-level access to all nodes.
Bootstrap a storage cluster.

cephadm bootstrap --cluster-network 172.31.0.0/16 --mon-ip 172.31.34.236 --registry-url cp.icr.io/cp --registry-username cp --registry-password <ENTITLEMENT KEY> --yes-i-know

Open Port Ranges
Apart from the common port range (22, 80, 443). The following are the port numbers for IBM Storage Ceph:

3300
6789
8443
8765
9093
9283

Distributing SSH keys

You can use the cephadm-distribute-ssh-key.yml playbook to distribute the SSH keys instead of creating and distributing the keys manually.

About this task
The playbook distributes an SSH public key over all hosts in the inventory. You can also generate an SSH key pair on the Ansible administration node and distribute the public key to each node in the storage cluster so that Ansible can access the nodes without being prompted for a password.

Procedure
Navigate to the /usr/share/cephadm-ansible directory on the Ansible administration node.

[ansible@admin ~]$ cd /usr/share/cephadm-ansible

From the Ansible administration node, distribute the SSH keys. The optional cephadm_pubkey_path parameter is the full path name of the SSH public key file on the ansible controller host.

Note: If cephadm_pubkey_path is not specified, the playbook gets the key from the cephadm get-pub-key command. This implies that you have at least bootstrapped a minimal cluster.

ansible-playbook -i INVENTORY_HOST_FILE cephadm-distribute-ssh-key.yml -e cephadm_ssh_user=USER_NAME -e cephadm_pubkey_path= home/cephadm/ceph.key -e admin_node=ADMIN_NODE_NAME_1

For example:

[ansible@admin cephadm-ansible]$ ansible-playbook -i hosts cephadm-distribute-ssh-key.yml -e cephadm_ssh_user=ceph-admin -e cephadm_pubkey_path=/home/cephadm/ceph.key -e admin_node=host01

[ansible@admin cephadm-ansible]$ ansible-playbook -i hosts cephadm-distribute-ssh-key.yml -e cephadm_ssh_user=ceph-admin -e admin_node

Adding multiple hosts

Before you begin
Before you begin, make sure that you have the following prerequisites in place:

A storage cluster that has been installed and bootstrapped.
Root-level access to all nodes in the storage cluster.
About this task

Note: Be sure to create the hosts.yaml file within a host container, or create the file on the local host and then use the cephadm shell to mount the file within the container. The cephadm shell automatically places mounted files in /mnt. If you create the file directly on the local host and then apply the hosts.yaml file instead of mounting it, you might see a File does not exist error.

Procedure

Copy over the public ssh key to each of the hosts that you want to add.
Use a text editor to create a hosts.yaml file.
Add the host descriptions to the hosts.yaml file.

Include the labels to identify placements for the daemons that you want to deploy on each host. Separate each host description with three dashes (---).

service_type: host
addr:
hostname: host02
labels:
- mon
- osd
- mgr
---
service_type: host
addr:
hostname: host03
labels:
- mon
- osd
- mgr
---
service_type: host
addr:
hostname: host04
labels:
- mon
- osd

Mount the hosts.yaml file.

If you created the hosts.yaml file directly on the local host, use the
cephadm shell to mount the file.

cephadm shell --mount hosts.yaml -- ceph orch apply -i /mnt/hosts.yaml

For example,

[root@host01 ~]# cephadm shell --mount hosts.yaml -- ceph orch apply -i /mnt/hosts.yaml

If you created the hosts.yaml file within the host container, run the ceph orch apply command. For example,

[ceph: root@host01 /]# ceph orch apply -i hosts.yaml
Added host 'host02' with addr '10.10.128.69'
Added host 'host03' with addr '10.10.128.70'
Added host 'host04' with addr '10.10.128.71'

View the list of hosts and their labels.

[ceph: root@host01 /]# ceph orch host ls
HOST      ADDR      LABELS          STATUS
host02   host02    mon,osd,mgr
host03   host03    mon,osd,mgr
host04   host04    mon,osd