IBM Support

Example of how to pre-build an appliance using a secure backup and a private network

How To


Summary

This is an example of how you can pre-build an appliance using a private network between the appliance and your workstation.

This is very handy when replacing an existing appliance that is currently online with a new or replacement appliance: the new appliance is built without being connected to the production network, which avoids a duplicate IP address if both were connected to the same network. You may also review the configuration after the restore to minimize the chance of issues when the appliance is placed in service.

Using this process, the time needed to swap appliances is reduced to the amount of time needed to power off the original appliance, then rack, cable and power on the new appliance.

Objective

The objective is to build the new/replacement appliance without affecting the current appliance and to reduce the time needed to change over from the current appliance to the new one.

Steps

Information Needed
Tools needed:
1) USB to serial cable
See this technote for details on setting up and connecting to the serial console:
http://www.ibm.com/support/docview.wss?uid=swg21663613

2) A standard Network cable (not crossover) for the private network
3) Space to work that has power available and power cords

Required information that must be available on your workstation:
1) Secure backup files from old appliance (see the next section for an example of generating the secure backup)
2) key/cert pair for the secure backup
3) Firmware image to match the existing appliance the backup was taken from if needed

 

-----------------------------------------------------------------------------------------------------------------------------------

Steps to create the secure backup on the existing appliance
This section is an example of creating the secure backup on the existing appliance using the most common settings.

1) Create a key/cert pair and ensure it is marked “exportable”
                a) Navigate to Crypto Tools
                b) Enter the CN (Common Name); this can be anything you want, such as “secback”
                Note: You may choose any of the other options, such as a password for the key or the key length, that you like or that is required.
                c) Decide how long the Validity Period should be. For example, if you will use this same key/cert pair for all environments, choose a period long enough to avoid any expiry issues.
                d) Select ON for Mark as Exportable, or the key will not be able to be downloaded!
                e) Click Generate Key and confirm

2) Download the key/cert from the temporary directory from the File Manager and store in a secure location
Note: the key/cert in the temporary directory will be deleted on the next reboot.

3) Navigate to System Control
4) Scroll to the secure backup section and select the cert created for the backup (or upload if using the same cert on additional appliances)
5) Enter destination as temporary:///secureBackup
6) Best practice is to not include the RAID or iSCSI volumes, but you may confirm whether there are any important files by looking at the directory with the RAID directory name set on your appliance in both the Local and LogStore directories.
Note: the default directory name is “ondisk” but it may be named something else. To confirm, you may look at the RAID array information in the WebGUI or use the “show raid-volume” CLI command.

7) Click “Secure Backup” and confirm
8) When complete, download all the files in the “secureBackup” sub-directory of the Temporary directory using the File Manager and save them in a folder clearly marked for this appliance.
Confirm that you downloaded all the files; to ensure you have them all, view the manifest file for a list of the files generated.

 

------------------------------------------------------------------------------------------------------------------------------------
Steps to set up and configure appliances using a private network and secure restore:
Note: This example is using the following settings:
a) The interface eth10, but you may choose any interface that is not used on the old appliance.
b) The temporary password of “admin1”
c) IP addresses for the private network of 1.1.1.5 for the appliance and 1.1.1.3 for your workstation, with a mask of 255.255.255.0
d) A Windows workstation

--------------------------------------------------------------------------------------------------------------------------------------

1) Connect the USB to serial cable to the serial console port (see the technote from the first section for details) and the Ethernet cable from the eth10 port (lower left port of the 8-port module) to the workstation, then power on.
Note: the baud rate is 115,200 for the 8436, 8441 and 8496 machine types.

2) When the login prompt appears, enter the user admin and the password of admin
3) Answer yes to enable Disaster recovery mode and confirm
4) Answer no to enable Common Criteria mode unless you are certain it is needed in the environment
Note: This is very important. If this is enabled and not needed, it will impose very strict security settings and rules that will cause issues. Search the web for more detail on the Common Criteria specification if you have any questions.

5) Set admin password to admin1 (or the password of your choice) when asked
6) Answer yes to use the Startup Wizard
7) Answer yes to configure the network
8) Answer yes to configure Eth10
9) Answer no to “Enable DHCP”
10) Enter the IP address 1.1.1.5/24 (/24 is the CIDR notation for the mask of 255.255.255.0 set on your workstation)
11) Leave the gateway for both the ipv4 and ipv6 blank by pressing enter when asked for them
12) Answer no to configuring the remaining interfaces
13) Answer yes to configure access
14) Answer no to configure DNS
15) Answer yes to configure access
16) Answer yes to enable ssh
17) Enter 0 for the IP to listen on
18) Answer 22 for the port to listen on
19) Answer yes to enable web management
20) Enter 0 for the IP to listen on
21) Enter 9090 for the port to listen on
22) Answer no to configure a backup user
23) Answer yes to enable the raid array
24) Use the default ondisk for the directory (if the directory name is different in the backup it will be changed by the restore)
Wait for the RAID to initialize; this takes a few minutes.

25) Answer yes to review the configuration
26) Answer yes to save the configuration and confirm
27) Ping the IP set for the work station with the command ping 1.1.1.3 to test the connection
28) Connect to the WebGUI by entering the URL https://1.1.1.5:9090
Once connected log in as admin using the password you set

29) Click “I Agree” for the license question in the WebGUI.
Watch the serial console for the login prompt to be displayed (should take about 30 seconds), then refresh the browser and log back into the appliance in both the WebGUI and the serial session.
Note: You will need to use the license activator tools available on your company's Passport Advantage download page to activate any needed licenses.

30) Click “System Control” in the WebGUI
31) Check the time and date displayed and update if needed (top section of the System Control page)
32) In the “Boot Image” section (second section on the page) click upload then browse for the firmware image to match the existing appliance
Note: If a license build is required to enable license(s), upload and install it first using the same boot image steps, then do the firmware upgrade to match the appliance the backup was taken from.

33) Check the “Accept license” checkbox and then the “Boot Image” button and confirm
34) When the upgrade and reboot is complete log back into the appliance and select File Management
35) Create a sub directory in the local directory called “securebackup”
36) Upload the secure backup files for this appliance to this directory: in the File Manager, select Upload Files from the Actions for the securebackup directory, browse to each file and press “Add” after each one, then upload after all have been added. Then confirm the files are in the securebackup directory.
37) Navigate to System Control and scroll to the “Secure Restore” section
38) Click the “+” by the security credentials and name the profile “SecBackup” (or name of your choice)
39) Click the “+” by the Crypto Key
40) Name it “SecBackKey” (or name of your choice) and upload the key (and if needed the password for the key depending on how the key was generated) then apply (enter password if one was added when the key was generated)
41) Click the “+” by the certificate
42) Name it “SecBakCert” (or name of your choice) and upload the certificate and apply
43) Click apply in the crypto profile
44) In the location field, enter: local:///securebackup and leave the Appliance model field blank if the backup is from the same machine type (such as 8496). If migrating from one appliance type to another, enter the machine type of the appliance the backup was created on, such as:
843652X - IDG X1 without HSM
843653X - IDG X1 with HSM
844152X - IDG X2 without HSM
844153X - IDG X2 with HSM

45) Click the “validate only” option, then click “Restore” and confirm
46) If successful, clear the validate only option and click Restore and confirm.
If the validate or restore fails, see the notes at the end of this document with reported issues and resolutions.

47) Watch the serial console for the restore and reboot to complete (will take about 10 min or longer depending on config)
Note: the WebGUI will not update because the restore removes the private network as well as the port the WebMgmt is listening on.

48) Once the reboot is complete and the login prompt is displayed in the serial session, log in as admin using the password admin (the secure restore resets the admin password to the default of admin), then set the password to “admin1” (or your wanted password) when prompted
49) To confirm the configuration from the WebGUI you may reconfigure the private network and WebGUI port using these commands:
config
web-mgmt
local-address 0.0.0.0
exit
int eth10
ip address 1.1.1.5/24
exit
write mem
y
ping 1.1.1.3
Note: “write mem” (and the “y” confirmation) saves the private network settings; omit it if you do not want them saved, in which case they will go away when the appliance is rebooted or powered off.

50) Delete the sub-directory “securebackup” from the local directory.
This avoids a new backup containing a copy of the old backup, which can lead to exponential growth of later secure backups (each one containing nested compressed files) until the backup is too large to upload and is unusable.
If not reconnecting the private network, ensure you delete this directory after the X3 is racked and accessible.

51) Power off the appliance by pressing and holding the White button on the front of the appliance.
52) To ensure the correct old appliance is replaced in the rack, you may illuminate the Locate LED (blue LED) on the front of the appliance:
From the WebGUI: System Control then scroll to the bottom of the page and select to turn on the LED and apply
From the CLI:
config
locate

53) Perform the swap of the appliance in the rack and:
a) Connect the network cables, ensuring the cables are returned to the same ports on the X3 as were connected on the original appliance.
b) Connect the power cords and power on the appliance by pressing the White button on the front of the appliance.

54) After the boot is complete, log on to the serial console and confirm the networking is working by pinging the default gateway or static route for each interface using the command “ping <gateway IP>” from Global Configuration Mode on the appliance. (The gateway and route information can be seen by issuing the “show route” command.)
Note: not all networks allow pings, so if the ping fails, try to connect to the WebGUI and engage your network team to confirm the connections and whether there are any firewall rules or MAC filtering that may need to be updated.

55) Confirm access over the network and change the admin password to your final wanted password if a temporary one was set.
56) Test or add traffic and confirm it is working as expected
Note: it is highly recommended to have a backup “privileged” level user that can reset the admin user password in the event the password is lost.

-------------------------------------------------------------------------------------------------------------------------------------

Issues that have been reported:

Restore errors:

  1. If the validate only option works but the restore fails, look in the system logs. If you see errors like:
    “The cert is not yet valid” or “object is in the future”
    this indicates the time was not set on the X3 as noted in “step 31”.
    To resolve, set the date and time.
    Note: In some cases you may need to perform a reboot for the restore to complete.
  2. An error of “file not found” is received in the logs:
    Confirm the secure backup file names and location.
    Common file name issues noted:
    The manifest file is renamed by the browser on download from .xml to .txt
    Some file names are changed to uppercase
    To resolve these issues, rename the files to the correct names.
    Note: to confirm all the correct files are loaded, open the manifest file; it lists:
    a) The serial number and machine type of the appliance the backup came from
    b) The firmware version that the backup was created with
    c) The files that are required for the restore
    Important!! Never edit the contents of the manifest file
  3. Not all static routes are restored.
    If there are missing static routes, you will need to add them manually.
    Please report this to the support team with examples of what static routes were not included.
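A pre-flight check you can run on the workstation before uploading the files in step 36, as an added example (not IBM tooling and not code from this page): it parses the manifest, compares the required file names against the folder listing, flags the two rename problems described above and any missing file, and compares the firmware version the backup was taken on with the version you loaded in step 32. The manifest element names (<manifest>, <device>, <firmware>, <files>/<file name=...>) and the sample file names are assumptions, since the page does not show the real backupmanifest layout; adapt parse_manifest() to the actual file. The check only reads the manifest and never edits it.

```python
"""Pre-flight check of a downloaded secure-backup folder before a secure restore.

Added example; not IBM tooling. The manifest element names used here are an
ASSUMPTION (the real backupmanifest layout is not shown on the page); adjust
parse_manifest() to the actual file.
"""
import os
import xml.etree.ElementTree as ET

# Constructed sample manifest using the hypothetical schema described above.
SAMPLE_MANIFEST = """<manifest>
  <device machine-type="8496" serial="EXAMPLE-SERIAL-0001"/>
  <firmware version="10.0.1.0"/>
  <files>
    <file name="backupmanifest.xml"/>
    <file name="SecureBackup-001.tgz"/>
    <file name="SecureBackup-002.tgz"/>
    <file name="SecureBackup-003.tgz"/>
  </files>
</manifest>
"""


def parse_manifest(xml_text):
    """Return machine type, serial, firmware version and required file names."""
    root = ET.fromstring(xml_text)
    device = root.find("device")
    firmware = root.find("firmware")
    return {
        "machine_type": device.get("machine-type") if device is not None else None,
        "serial": device.get("serial") if device is not None else None,
        "firmware": firmware.get("version") if firmware is not None else None,
        "files": [f.get("name") for f in root.findall("./files/file")],
    }


def check_backup_files(required, present):
    """Compare the manifest's required names against the names in the folder.

    Returns {'ok': [...], 'rename': [(actual, expected), ...], 'missing': [...]}.
    'rename' catches the two problems reported on the page: the manifest saved
    as .txt by the browser, and file names changed to upper case.
    """
    present_set = set(present)
    result = {"ok": [], "rename": [], "missing": []}
    for name in required:
        if name in present_set:
            result["ok"].append(name)
            continue
        lowered = name.lower()
        alt_txt = lowered[:-4] + ".txt" if lowered.endswith(".xml") else None
        candidate = next(
            (a for a in present if a.lower() == lowered or a.lower() == alt_txt),
            None,
        )
        if candidate is None:
            result["missing"].append(name)
        else:
            result["rename"].append((candidate, name))
    return result


def preflight(manifest_xml, present, expected_firmware=None):
    """Run all checks; 'ready' is True only when nothing needs fixing."""
    manifest = parse_manifest(manifest_xml)
    files = check_backup_files(manifest["files"], present)
    warnings = []
    if expected_firmware and manifest["firmware"] != expected_firmware:
        warnings.append(
            "backup was taken on firmware %s but appliance is at %s; "
            "load matching firmware first (step 32)"
            % (manifest["firmware"], expected_firmware)
        )
    for actual, expected in files["rename"]:
        warnings.append("rename %s -> %s" % (actual, expected))
    for name in files["missing"]:
        warnings.append("missing file %s; download it again from the old appliance" % name)
    return {"manifest": manifest, "files": files, "warnings": warnings, "ready": not warnings}


def preflight_folder(folder, expected_firmware=None, manifest_name="backupmanifest.xml"):
    """Convenience wrapper that reads the manifest and the file list from disk."""
    present = os.listdir(folder)
    # Tolerate the browser rename of the manifest itself when locating it.
    for cand in (manifest_name, manifest_name[:-4] + ".txt"):
        for actual in present:
            if actual.lower() == cand.lower():
                with open(os.path.join(folder, actual), encoding="utf-8") as fh:
                    return preflight(fh.read(), present, expected_firmware)
    raise FileNotFoundError("no manifest found in %s" % folder)


if __name__ == "__main__":
    # Constructed folder listing showing both rename problems and a missing file.
    listing = ["backupmanifest.txt", "SECUREBACKUP-001.TGZ", "SecureBackup-002.tgz"]
    for line in preflight(SAMPLE_MANIFEST, listing, expected_firmware="10.0.1.0")["warnings"]:
        print(line)
```

Run preflight_folder() against the folder you saved in step 8 and fix every warning before uploading; a "ready" result means the names in the folder match the manifest exactly, which is what the restore's "file not found" check requires.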

Connection issues:
In some cases the network will not immediately recognize the new appliance. In most cases, performing a ping of the default gateway (or static route) from the appliance for each configured interface will force the ARP tables in the switch to be updated.
If the ping does not allow you to connect to the appliance over the network, engage your network team to assist:
a) Some switches may need the port cleared to establish the connection.
b) In rare cases the switches have the MAC address hardcoded, and it will need to be updated to match the new appliance MAC address(es).
c) Firewall rules may need updating


Document Information

Modified date:
04 October 2022

UID

ibm16826363