SecureData 6.9.7 Installation


Voltage SecureData

Software Version 6.9.7

Appliance Installation Guide

Document Release Date: June 2023


Software Release Date: June 2023
Legal notices
© Copyright 2019 - 2023 Micro Focus or one of its affiliates

The only warranties for products and services of Micro Focus and its affiliates and licensors ("Micro Focus") are as may be set
forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as
constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained
herein. The information contained herein is subject to change without notice.

Except as specifically indicated otherwise, this document contains confidential information and a valid license is required for
possession, use or copying. If this work is provided to the U.S. Government, consistent with FAR 12.211 and 12.212,
Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to
the U.S. Government under vendor's standard commercial license.

Trademark notices
Third-party brand and product names (including logos and icons) mentioned in this manual may be trademarks or registered
trademarks of their respective companies and are the sole property of their respective owners.

Voltage SecureData (6.9.7) ii CONFIDENTIAL


Documentation updates
This section provides information about changes made to this document for the Voltage SecureData 6.9.7.

Updates for SDA 6.9.7

The following table identifies changes to this guide for installing the SDA 6.9.7 release.

Location: Chapter 1, “Install SecureData Appliance” > “Hardware Requirements” on page 1-2
Description: If you are installing on a VM, this release supports VMware ESXi Server 7.0.

Location: Chapter 1, “Install SecureData Appliance” > “Installing and Configuring the Appliance with an HSM” on page 1-6
Description: This release supports the following HSMs for use with SecureData Appliance:
• Atalla HSMs - AT1000 models
• Entrust nShield HSMs - nShield Connect XC models
Removed Atalla Ax160 HSM. This version of Atalla HSMs is no longer in support. We provide a migration for Voltage districts generated with Ax160 to AT1000. Contact Voltage Support for information.

Location: Chapter 2, “Configure SecureData Appliance” > “Configuring the Time Zone” on page 2-12
Description: The default Time Zone setting is Etc/UTC. The "System clock uses UTC" option is enabled by default. This setting configures the system to use RTC time in UTC and to automatically maintain time zone changes and daylight savings time adjustments. These settings apply for new installations.

Location: Chapter 2, “Configure SecureData Appliance” > “Post-Install Configuration Options” on page 2-25
Description: This section provides links to information you can use to configure additional functionality, as appropriate for your environment and business needs.

Location: Chapter 3, “Additional Configuration Options” > “Enable or Disable Caching for Simple API Key Requests” on page 3-1
Description: SecureData supports caching of key requests from Simple API. You can enable or disable the Simple API memory cache in the config.py file. It is enabled by default.

Location: Chapter 3, “Additional Configuration Options” > “Configure Log Forwarding for Syslog Using TCP with TLS” on page 3-3
Description: You can configure a Syslog client on the Appliance host with settings that will securely forward logs from SDA localhost to a remote Syslog host by using TCP with TLS. Enable Syslog logging settings for localhost in the Management Console separately for the Key Management Service, Web Service, PIE Service, and Console Service. The Syslog client and Syslog logging are not configured by default.

Location: Chapter 3, “Additional Configuration Options” > “Configure SSL Protocols for TLS 1.3 and TLS 1.2” on page 3-12
Description: If the config.py file for an existing system had custom settings for SSL protocols, the custom settings still apply after upgrading the system. You can modify custom settings in the config.py file to support TLS 1.3 and TLS 1.2 SSL protocols.

Location: Chapter 3, “Additional Configuration Options” > “Configure Strong SSL Ciphers for TLS 1.3 and TLS 1.2” on page 3-14
Description: If the config.py file for an existing system had custom settings for Strong SSL Ciphers, the custom settings still apply after upgrading the system. You can modify custom settings in the config.py file to support Strong SSL Ciphers for TLS 1.3 and TLS 1.2.

Location: Chapter 3, “Additional Configuration Options” > “Configure Time Zone and System Clock to Use UTC” on page 3-17
Description: The Time Zone settings for an existing installation are not modified during the upgrade. To use UTC and have automatic time management provided on an appliance, modify its values for Time Zone (Etc/UTC) and the "System clock uses UTC" check box (enabled).

Location: Chapter 4, “Appliance Operations” on page 4-1
Description: This section provides steps for common operational tasks to manage SecureData appliances.

Location: Chapter 6, “Upgrade SecureData Appliance” > “Supported Upgrade Paths” on page 6-1
Description: Voltage SecureData 6.9.7 supports direct upgrade from an existing 6.8.2 or 6.9.x installation to Version 6.9.7. Interim version-to-version upgrades might be required for releases prior to 6.8.2.

Location: Chapter 6, “Upgrade SecureData Appliance” > “Upgrade Prerequisites” on page 6-1
Description: Before you run an upgrade script, ensure that your existing SDA installation meets the prerequisites for upgrade in this section.

Location: Chapter 6, “Upgrade SecureData Appliance” > Blockers for Upgrade > “Blockers for Upgrades to SDA 6.9.7” on page 6-3
Description: During the upgrade process, Voltage SecureData checks for conditions in your existing system that are no longer supported and blocks the upgrade, such as mixed common names for key numbers in a key rotation group, regular expression format Mask settings, and an Authorization Token Secret for HMAC SHA1 authorization. Remove or modify the settings for discovered issues before upgrading.

Location: Chapter 6, “Upgrade SecureData Appliance” > “Upgrade Notices” on page 6-6
Description: During the upgrade to SecureData 6.9.7, new default settings will not replace customizations you have made to the config.py file or time settings for the existing installation. You can update your settings after the upgrade, according to your business needs.

Location: Chapter 6, “Upgrade SecureData Appliance” > “Upgrading Version 6.8.2 or 6.9.x to Version 6.9.7” on page 6-8
Description: After you back up your existing system, ensure that you close the Management Console before you run the upgrade script. Closing the browser deletes the old CSRF (Cross-Site Request Forgery) token, ensuring that a fresh token is generated when you log in after upgrading.

Location: Chapter 6, “Upgrade SecureData Appliance” > “Post-Upgrade Configuration Options” on page 6-9
Description: This section provides links to information you can use to add additional functionality or to modify your custom settings after upgrade, as appropriate for your environment and business needs.



Contents

Chapter 1 Install SecureData Appliance
  Hardware Requirements
  Installing the Voltage SecureData Appliance Software
  Logging in to the Appliance and Changing Passwords
  Ensuring Access to Voltage SecureData Services
  Installing and Configuring the Appliance with an HSM
  Management Console SSL Certificate
Chapter 2 Configure SecureData Appliance
  Displaying the SecureData Appliance Menu
  Using the SecureData Appliance Menu
  Configuring the Network Settings
  Configuring the IP Addresses (Required)
  Setting a Default Router IP Address (Required)
  Configuring the DNS and Hostname Settings (Required)
  Editing the /etc/hosts File
  Configuring Firewall and Remote Access
  Enabling or Disabling SSH
  Enabling or Disabling SSH for Root Login
  Enable or Disable Single SSH Connection Per User
  Enabling or Disabling ICMP Ping
  Enabling or Disabling Remote Access to the Management Console
  Configuring the Time Zone and NTP Servers (Required)
  Configuring the NTP Servers
  Setting the Time and Date
  Configuring the Time Zone
  Changing Passwords
  Configure Event Viewer License
  Enabling a Multi-host Configuration
  Management Console Configuration Files
  Clock Skew
  Creating and Viewing Host Registration Passwords
  Deleting or Resetting Host Registration
  Initializing Services for the SecureData Appliance
  Initializing Services
  Enabling, Disabling, and Restarting Services
  Rebooting and Shutting Down Your Server
  Managing Atalla HSM Integration
  Using the SecureData Management Console
  Restricting Remote Access to the Management Console
  Password Lockout
  Standby Management Console
  Post-Install Configuration Options
Chapter 3 Additional Configuration Options
  Enable or Disable Caching for Simple API Key Requests
  Configure Log Forwarding for Syslog Using TCP with TLS
  Configure the Syslog Host to Receive Events using TCP
  Copy CA Certificate from Syslog Host
  Configure the Syslog Client on the Appliance
  Configure SecureData Services for Syslog Log Forwarding
  Configure SSL Protocols for TLS 1.3 and TLS 1.2
  Inbound Traffic (tomcat) TLS Version Support
  Outbound Traffic (LDAP request) TLS Version Support
  Modifying SSL Protocol Settings
  Configure Strong SSL Ciphers for TLS 1.3 and TLS 1.2
  Default Cipher Settings
  Specifying Custom Cipher Settings
  Configure Time Zone and System Clock to Use UTC
  Modify Time Zone and System Clock Settings
Chapter 4 Appliance Operations
  Login for the Appliance
  Change Passwords for admin Accounts
  Enable, Disable, or Restart Services
  Reboot or Shut Down Your Server
  Apply Management Console Certificate
  Enable or Disable Remote Access to the Management Console
  View Host Registration Password
  Re-Register Remote Hosts
Chapter 5 Troubleshooting
  SSL Connections Failing
  SSH Connections Failing
  Enable Certificate Revocation Check
Chapter 6 Upgrade SecureData Appliance
  Supported Upgrade Paths
  Upgrade Prerequisites
  Blockers for Upgrade
  Blockers for Upgrades to SDA 6.9 and Later
  Blockers for Upgrades to SDA 6.9.7
  Mixed Common Name for Key Rotation Group
  Regular Expression Format Masks
  Authorization Method HMAC SHA1
  Unsupported or Invalid Formats
  Upgrade Notices
  Default SSL Protocols for TLS 1.3 and TLS 1.2
  Default Strong SSL Ciphers for TLS 1.3 and TLS 1.2
  Default Time Zone and System Clock Set to UTC
  Upgrading Version 6.8.2 or 6.9.x to Version 6.9.7
  Post-Upgrade Configuration Options


1 Install SecureData Appliance

This section describes how to install the Voltage SecureData Appliance software. The software
can be installed on any server that meets the hardware requirements.

The installation process installs the following Voltage SecureData Appliance components:
• Voltage SecureData Management Console
  See the Voltage SecureData Administrator Guide or the Management Console Help for
  information about this component.
• Voltage SecureData Key Management Server
  See “Key Management” in the Voltage SecureData Administrator Guide or the
  Management Console Help for information about this component.
• Voltage SecureData Web Service Server (REST API and SOAP API)
  See “Web Service” in the Voltage SecureData Administrator Guide or the Management
  Console Help for information about this component.
  See the Voltage SecureData REST API Developer Guide for information about the REST
  API interface.
  See the Voltage SecureData SOAP API Developer Guide for information about the
  SOAP API interface.
• Voltage SecureData Web Front End Server (sometimes referred to as Page-Integrated
  Encryption (PIE))
  See “Page-Integrated Encryption” in the Voltage SecureData Administrator Guide or the
  Management Console Help for information about this component.

See the Voltage SecureData Web Supplement in the Voltage SecureData Host SDK
documentation for additional information about PIE configuration and use. After you have
installed and configured the appliance, use the Voltage SecureData Management Console to
configure the server components. The Management Console Help and the Voltage SecureData
Administrator Guide contain information and instructions for configuring your system.


Voltage SecureData clients, such as the Voltage SecureData Simple API, are installed separately
on a client machine. Refer to the documentation for the specific product for details. For
information about supported SecureData clients, see “Voltage SecureData Clients” in the
Voltage SecureData Appliance Architecture Guide.

NOTE: If you purchased Voltage SecureData Appliance for AWS, see the Voltage SecureData for AWS
Installation Supplement for information on AMI instantiation.

If you purchased Voltage SecureData Appliance for Azure, see the Voltage SecureData for Azure Installation
Supplement for information on VHD Blob instantiation.

Hardware Requirements
Make sure that your server meets the following requirements before you install the Voltage
SecureData Appliance software.

Voltage recommends the following hardware configuration:

• At least 3 GHz x86 64-bit architecture processor, with 8 CPU cores
• At least 8 GB RAM
• At least 80 GB disk space. Recommended disk size for Management Console Hosts is
  256 GB. Actual space required depends on logging levels and volume of data logged.

  NOTE: The default log size is now 100MB.

• Ability to load an ISO image containing the operating system, such as a physical or
  virtual DVD-ROM drive.
  • If you are installing on hardware, use a DVD drive (internal or external).
  • If you are installing on a VM, use a real or virtual DVD-ROM or a mounted ISO image.
• 1G Ethernet Network Interface Card (NIC)

A hardened Linux-based operating system is loaded from the Voltage-provided ISO image file.

The following hardware is supported:

• All hardware compatible with Red Hat Enterprise Linux 7, 64 bit
• VMware ESXi Server 7.0

Installing the Voltage SecureData Appliance Software

CAUTION: Installing the Voltage SecureData Appliance software from disk reformats the machine’s hard
drive, thus deleting all data and the operating system. There is no way to recover deleted data or software once
the installation begins.

To install the Voltage SecureData Appliance software:

1. Before installing the Voltage SecureData Appliance software, make sure that the
hardware time is set correctly on the machine.

2. Insert the Installation DVD into the drive and boot the system.

3. Press Enter to begin the installation.


When the installation is complete, the system automatically reboots.

After the installation process is complete, the next step is to log in and change the Appliance
passwords for the root and admin users.

Logging in to the Appliance and Changing Passwords
The SecureData Appliance installation process automatically creates an admin user name and
password. Use the admin user name to log in and configure the Voltage SecureData Appliance
software. The first time you log in, you must accept the license agreement. For security reasons,
you must also change the passwords for the admin and root users.

1. Log in to the Voltage SecureData Appliance with:
   user name: admin
   password: voltage123
   The license agreement is displayed.

2. Use the arrow keys to scroll through and read the license agreement.

3. Navigate to the I agree button, and press Enter to accept the license agreement.
You are prompted to change the root password.


Type a new root password for the appliance, then press Enter. The SecureData
Appliance root user password must be 8 to 256 alphanumeric characters and contain a
combination of letters and numbers. The password is case-sensitive. Your passwords
serve as a security check to protect the appliance. Therefore, it is important to choose
passwords that are not easily guessed. Treat the root password with the highest level of
security.

4. Type the same password again, then press Enter to confirm the selection.
A message indicates that the password was successfully updated.

5. Press Enter to continue.


The system prompts you to change the admin password for the appliance.

6. Type a new admin password for the appliance, and press Enter.
The SecureData Appliance admin user password must be 8 to 256 alphanumeric
characters and contain a combination of letters and numbers. The password is
case-sensitive. Your passwords serve as a security check to protect the appliance.
Therefore, it is important to choose passwords that are not easily guessed. Treat the
admin password with the highest level of security.

7. Type the same password again, and press Enter to confirm.


The admin password for the appliance is updated and the appliance Main Menu is
displayed.
The next step is to configure the initial setup of the appliance using the appliance Menu.
See Chapter 2, “Configure SecureData Appliance” for instructions.

Ensuring Access to Voltage SecureData Services


You must open a group of ports in your firewalls between your clients, web browser, LDAP
directories and the Voltage SecureData Appliance. Depending on your deployment and use
cases, some ports are not required or are optional.

Table 1-1 Ports Used by SecureData

Port | Origin | Destination | Description | Notes
53 | Voltage SecureData Appliance | DNS servers | DNS lookups |
123 | Voltage SecureData Appliance | Time server | NTP server for system clock | Optional, but recommended
389 | Voltage SecureData Appliance | LDAP directory | LDAP | Not recommended for production
443 | Client Machines; SOA Client Machines | Voltage SecureData Appliance | HTTPS access; SOA web services calls | For key requests and public parameter retrieval, as well as SOA web services calls
514 | Voltage SecureData Appliance | Syslog local or remote host | UDP | For events sent to a local or remote Syslog host by using UDP
636 | Voltage SecureData Appliance | LDAP directory | LDAPS | Needed if LDAP authentication is used
6514 | Syslog client running on Voltage SecureData Appliance | Syslog remote host | TCP | For forwarded event logs sent to a remote Syslog host by using TCP with TLS
8000 | Administrator workstations | Voltage SecureData Appliance | Access to the Events tab of the Management Console | Populated by a separate process running on port 8000.
7000 | Voltage SecureData Appliance | Atalla HSMs | Requests between HSMs and Appliance | Only needed for Appliances hosting the Management Console and Key Management Server
7001 | Atalla HSMs | Voltage SecureData Appliance | Atalla HSMs status | Optional. Can be used to listen to the Atalla logs
7005 | Administrator workstation | Atalla HSMs | Requests between the SCA-3 and the Atalla HSM when using Remote SCA-3 Utility | Optional, only needed for Remote SCA-3 Utility
8001 | | | Event aggregation from front end servers |
8182 | SOA client machines | Voltage SecureData SOA server | Client certificate access to SOA server | Optional
8443 | Administrator workstations | Voltage SecureData Appliance | Access to web interface | Do not use this port for REST API requests
8443 | Voltage SecureData Appliance | Voltage SecureData Appliance | Communication between Management Console server and remote hosts |
9004 | Voltage SecureData Appliance; Administrator workstation | nShield HSMs | Requests between HSMs and SecureData | Only needed for SecureData Management Console and Key Management Server (for RFS server) hosts
10022 | Administrator workstations | Voltage SecureData Appliance | Communication via SSH | This port can be changed
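
The check below is an added example, not part of the vendor guide: it transcribes Table 1-1 into data and audits a firewall allow-list against it, reporting flows your deployment needs but the list lacks, allowed flows that the table does not contain, and the one flow the table marks as not recommended for production. The rule syntax, the role labels, and the sample rules are constructed for illustration.

```python
import re
from typing import NamedTuple


class Flow(NamedTuple):
    port: int
    origin: str
    dest: str


# Table 1-1 transcribed as (port, origin role, destination role).
# Role labels are this example's own shorthand. Port 8001 is left out
# because the table lists no origin or destination for it.
TABLE_1_1 = {
    Flow(53, "appliance", "dns"),
    Flow(123, "appliance", "ntp"),
    Flow(389, "appliance", "ldap"),
    Flow(443, "client", "appliance"),
    Flow(443, "soa_client", "appliance"),
    Flow(514, "appliance", "syslog"),
    Flow(636, "appliance", "ldap"),
    Flow(6514, "appliance", "syslog"),
    Flow(8000, "admin", "appliance"),
    Flow(7000, "appliance", "atalla_hsm"),
    Flow(7001, "atalla_hsm", "appliance"),
    Flow(7005, "admin", "atalla_hsm"),
    Flow(8182, "soa_client", "soa_server"),
    Flow(8443, "admin", "appliance"),
    Flow(8443, "appliance", "appliance"),
    Flow(9004, "appliance", "nshield_hsm"),
    Flow(9004, "admin", "nshield_hsm"),
    Flow(10022, "admin", "appliance"),  # default SSH port; can be changed
}

# The table's Notes column: "Not recommended for production".
NOT_RECOMMENDED = {Flow(389, "appliance", "ldap")}

# Constructed rule syntax: "allow <origin> -> <dest> <port>"
RULE_RE = re.compile(r"^allow\s+(\w+)\s*->\s*(\w+)\s+(\d+)$")


def parse_rules(text):
    """Parse the constructed allow-list format into a set of Flow tuples."""
    flows = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        match = RULE_RE.match(line)
        if match is None:
            raise ValueError(f"unparseable rule: {line!r}")
        origin, dest, port = match.groups()
        flows.add(Flow(int(port), origin, dest))
    return flows


def audit(rules, needed):
    """Compare allowed flows with the table rows this deployment needs."""
    unknown = needed - TABLE_1_1
    if unknown:
        raise ValueError(f"needed flows not in Table 1-1: {sorted(unknown)}")
    findings = [("missing", f) for f in sorted(needed - rules)]
    findings += [("not-in-table", f) for f in sorted(rules - TABLE_1_1)]
    findings += [("not-recommended", f) for f in sorted(rules & NOT_RECOMMENDED)]
    return findings


# Constructed sample: a deployment using DNS, NTP, LDAPS, client key
# requests, the Management Console web interface and SSH.
SAMPLE_NEEDED = {
    Flow(53, "appliance", "dns"),
    Flow(123, "appliance", "ntp"),
    Flow(636, "appliance", "ldap"),
    Flow(443, "client", "appliance"),
    Flow(8443, "admin", "appliance"),
    Flow(10022, "admin", "appliance"),
}

SAMPLE_RULES = """
allow client -> appliance 443
allow admin -> appliance 8443
allow admin -> appliance 10022
allow appliance -> dns 53
allow appliance -> ldap 389      # cleartext LDAP left open
allow client -> appliance 8443   # console exposed to client machines
"""

if __name__ == "__main__":
    for kind, flow in audit(parse_rules(SAMPLE_RULES), SAMPLE_NEEDED):
        print(f"{kind:16} {flow.origin} -> {flow.dest} port {flow.port}")
```
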

Installing and Configuring the Appliance with an HSM
A Hardware Security Module (HSM) is a physical device designed to store master secrets and
provide derived keys for secure data encryption using symmetric keys. Using an HSM involves
installing and configuring the HSM device according to the manufacturer’s instructions and
then installing client software on each of your Voltage SecureData Appliances. Voltage
SecureData supports the following HSMs:
• Atalla HSM - AT1000 models
  For information about HSM versions supported and installing and configuring the
  Voltage SecureData Appliance to work with Atalla AT1000 HSMs, see the Voltage
  SecureData Integration Supplement for Atalla AT1000 HSMs.
• Entrust nShield HSM - nShield Connect XC models
  For information about HSM versions supported and installing and configuring the
  Voltage SecureData Appliance to work with Entrust nShield Connect XC HSMs, see the
  Voltage SecureData Integration Supplement for Entrust nShield HSMs.

Refer to the appropriate HSMs Supplement to help ensure that you have configured
SecureData to work with your HSM properly. For information about how HSMs provide an
additional level of security in managing SecureData encryption keys, see the “HSMs and
SecureData” section in the supplement.

NOTE: You can use multiple HSMs of the same type in a cluster. You cannot configure a single cluster to use
both Atalla HSMs and nShield HSMs.

Management Console SSL Certificate


By default, Voltage SecureData Appliance uses a self-signed SSL certificate to secure
communications when you display the Management Console in a browser. The self-signed
certificate is generated automatically when the Management Console service is started. For
production-level security, you must use a Certificate Authority (CA) signed certificate staged
through the Management Console. For information about staging the certificate, see "Using a
CA Signed Certificate for Management Console Services" in the Voltage SecureData
Administration Guide.

CAUTION: To fully secure access to the SecureData Appliance, you must use a CA signed certificate.

After you have staged the CA signed certificate, you apply it using the Appliance menu. See
Rebooting and Shutting Down Your Server (page 2-20) for instructions.



2 Configure SecureData Appliance

This chapter describes how to configure the initial settings on the Voltage SecureData
appliance, using the Voltage SecureData Appliance Menu. It also describes how to access the
Voltage SecureData Management Console in order to complete the configuration.

You must complete a set of configuration steps on the Appliance Menu in the following
sequence:

1. Configure at least one IP address. See “Configuring the IP Addresses (Required)” on
page 2-4.

2. Set the default router IP address. See “Setting a Default Router IP Address (Required)”
on page 2-5.

3. Configure DNS and Hostname settings. See “Configuring the DNS and Hostname
Settings (Required)” on page 2-5.

4. Update the Splunk license. See “Configure Event Viewer License” on page 2-14.

5. Add the IP addresses of all of your servers to the /etc/hosts file. See “Editing the
/etc/hosts File” on page 2-5. Note that this step is only required if your host name does not
resolve in DNS.

6. Configure the time and date. See “Configuring the Time Zone and NTP Servers
(Required)” on page 2-10.

7. Initialize services for the Management Console. See “Initializing Services” on page 2-19
for instructions.

NOTE: If you are setting up a system with multiple servers, this step configures one of the servers
as the Management Console. The other servers must be set up as remote hosts. See Enabling a
Multi-host Configuration (page 2-15) for information about setting up remote hosts.

After you complete the required steps on the Appliance Menu, you can log in to the
Management Console to complete additional configuration steps and begin using the software.
See “Using the SecureData Management Console” on page 2-22 for details.

Displaying the SecureData Appliance Menu


When you log in to the Voltage SecureData Appliance using the admin user name, the Voltage
SecureData Appliance Main Menu displays, as shown in Figure 2-1. You use this menu to
configure network settings, set the server date and time, configure host registration, configure
services, and shut down or reboot the software.

Figure 2-1 Appliance Main Menu

Use the Appliance admin account to log in to the Appliance directly, or remotely through SSH
after SSH has been enabled on its port (10022 by default; the port is configurable). See
“Enabling or Disabling SSH” on page 2-7 for details. If you access the Appliance
remotely, set the character set translation on your SSH client (such as PuTTY) to UTF-8.

The admin account is used to perform all administrator functions on the Voltage SecureData
Appliance. If you log in as the root user, a shell prompt displays instead of the Appliance Main
Menu.

CAUTION: Log in as the root user only if you are following instructions provided in a Voltage SecureData
document, or troubleshooting with help from a Voltage representative. Treat both the admin and root
passwords with the highest level of security.

To allow an additional Linux account to access the Appliance over SSL, edit the only line in the
/etc/security/access.conf file to include the new account name. Note that a future
upgrade might overwrite any change you make to this file.

Using the SecureData Appliance Menu


To select an option on the Voltage SecureData Appliance Menu:

1. Use the Up or Down arrow to highlight the menu option that you want to select, or type
the letter for the menu option that you want to select.

2. Press Enter or use the Tab key to highlight OK, and then press Enter.

You can also use the following Voltage SecureData Appliance Menu navigation methods:
• From a secondary menu, use the Tab key to highlight Back, or press F12 to return to
  the previous menu.
• Press F12 to quit and exit the Voltage SecureData Appliance Main Menu.

Configuring the Network Settings


To configure the server for the first time, you begin by configuring network settings. From the
Main Menu, choose a. Configure Networking.

The Network Configuration Menu displays, as shown in Figure 2-2.

Figure 2-2 Network Configuration Menu

Use this menu to do the following:

• To view your current network settings, choose a. View Network Settings.
• To configure the IP Addresses, choose b. Configure IP Addresses. See “Configuring the
  IP Addresses (Required)” on page 2-4 for instructions.
• To configure the host name, domain name and nameserver, choose c. Configure DNS
  and Hostname. See “Configuring the DNS and Hostname Settings (Required)” on page
  2-5.

• To configure the default router, choose d. Set Default Router IP Address, and press
  Enter. See “Setting a Default Router IP Address (Required)” on page 2-5 for instructions.
• To edit the /etc/hosts file directly, choose e. Edit /etc/hosts File, and press Enter. See
  “Editing the /etc/hosts File” on page 2-5 for instructions.
• To configure the firewall and remote access parameters, choose f. Configure
  Firewall/Remote Access. See “Configuring Firewall and Remote Access” on page 2-6 for
  instructions.

Configuring the IP Addresses (Required)


The Voltage SecureData Appliance uses IP aliasing to configure local IP addresses and requires
at least one valid IP address.

To set the IP address:

1. From the Network Configuration Menu, choose b. Configure IP Addresses. The IP
Address Configuration Menu displays.

2. To add a new IP address, choose a. Add New IP Addresses.

3. Enter the IP address associated with the host name that you entered in step 2 of
Configuring the DNS Settings.
By default, the Voltage SecureData Appliance listens for inbound and outbound
encryption requests on this IP address.

4. Enter the netmask for the host name IP address.

5. Press Enter to highlight OK, then press OK.


A message asks if you want to add another IP address.

6. Press Enter to add another IP address or use the arrow key to highlight No, and press
Enter if you do not want to add another IP address.
A list of the IP addresses that you entered displays at the top of the IP Address
Configuration Menu.

NOTE: To change an IP address or netmask value, you must add the updated value for both, then
delete the existing value.

To delete an IP address:

1. From the IP Address Configuration Menu, use the arrow keys to highlight b. Delete
Existing IP Addresses and then press Enter.

2. Select the IP address you want to delete using the arrow keys, then press OK.

3. Press Yes to dismiss the confirmation message.

NOTE: If only one IP address is configured, you cannot delete it. You must add a new IP address so
that the one you want to delete is no longer the only one.

Setting a Default Router IP Address (Required)


To set the default router:

1. From the Network Configuration Menu, use the arrow keys to highlight d. Set Default
Router IP Address, and press Enter.

2. Enter the default router IP address.

3. Press OK.

The Default Router IP Address is updated and the Network Configuration Menu displays.

Configuring the DNS and Hostname Settings (Required)


The DNS settings allow you to set the fully qualified host name of the Voltage SecureData
Appliance and the IP addresses of up to three DNS servers.

To configure DNS and hostname settings:

1. From the Network Configuration Menu, use the down arrow key to highlight
c. Configure DNS and Hostname, and press Enter.

2. Enter the fully qualified host name, for example, voltage.<yourdomain>. Press the Tab
key to move the cursor to the Primary Name Server IP field.

3. Type the IP address of your Primary Name Server and then press Enter.
You can enter up to three Name Server IP addresses. Press Tab to skip the IP address.

4. When you have entered the IP addresses, press Enter to highlight OK.
Your changes are applied and you return to the Network Configuration Menu.

Editing the /etc/hosts File


If your host name does not resolve in DNS, you must update the /etc/hosts file of each
Appliance to associate each of its IP addresses with the hostname that has the format of
voltage-pp-0000.<domain_name>. Associating the IP address with the hostname ensures that
the Appliance can resolve the hostname for key generation.

To edit the /etc/hosts file directly:

1. From the Network Configuration Menu, use the arrow keys to highlight
e. Edit /etc/hosts File, and press Enter.

2. When prompted to select the editor you want to use, press either Vi or Emacs to use
that editor.

3. Edit the file.


For example, if the IP address of the Appliance is 172.10.10.10 and the hostname is
voltage-pp-0000.example.com, you would add the following entry:
172.10.10.10 voltage-pp-0000.example.com

4. Save the file and exit.

Configuring Firewall and Remote Access


If you want to enable or disable access to the Voltage SecureData Appliance, use one or more
of the procedures in this section.

To configure Firewall and Remote Access:

1. From the Network Configuration Menu, use the arrow keys to highlight f. Configure
Firewall/Remote Access, and press Enter. The Firewall/Remote Access Menu
displays. From this menu you can set the following on your server:
• Enable or disable SSH (SSH is disabled by default)
• Enable or disable SSH Root Login (SSH for root login is disabled by default)
• Enable or disable Single SSH Connection Per User
• Enable or disable ICMP Ping
• Enable or disable Remote Access to the Management Console

IMPORTANT: Effective in SecureData 6.9.6, less secure SSH algorithms are no longer supported. Connection
requests from clients using weak SSH algorithms may fail. For a list of deprecated algorithms, see the Voltage
SecureData 6.9.6 Release Notes.

Enabling or Disabling SSH


The Voltage SecureData Appliance installation disables SSH on the external interface of the
Appliance, by default.

To enable or disable SSH:

1. From the Firewall/Remote Access Menu, use the arrow keys to highlight
a. Enable/Disable SSH, and press Enter.

2. Select Yes to enable or disable SSH, and press Enter.

3. If you enable SSH, enter the port you want to listen on, and press Enter.

Enabling or Disabling SSH for Root Login


The Voltage SecureData Appliance installation disables SSH for root login to the server, by
default.

To enable or disable SSH for root login:

1. From the Firewall/Remote Access Menu, use the arrow keys to highlight
b. Enable/Disable SSH Root Login, and press Enter.

2. Select Yes to enable or No to disable SSH, and press Enter.

Enable or Disable Single SSH Connection Per User


You have the option to limit the number of connections an SSH user can establish to one. This
option does not limit the number of connections a root user can establish.

The admin account connection using the Web Console or Remote Console (that is, not SSH
connections) is included in this count. For example, if the user admin has an open connection
through the Web Console, the user admin cannot concurrently SSH into the system.

NOTE: This setting applies to the current machine only. Enable on each remote host for system-wide
coverage.

To enable or disable Single SSH Connection Per User:

1. From the Firewall/Remote Access Menu, use the arrow keys to highlight
c. Enable/Disable Single SSH Connection Per User, and press Enter.

2. To enable, select Yes at the prompt.

If a connection timeout has been set previously, select Yes at the prompt shown below
to enable.

If a connection timeout has not been set previously, select Yes at the prompt shown
below to enable. A default timeout of 45 minutes is set for the connection. You can
change this timeout. See “Set SSH Connection Timeout” on page 2-8.

NOTE: This timeout is also applied to root connections.

3. To disable, select Yes at the prompt shown below.

Set SSH Connection Timeout


The customize_ssh_and_user_shell_timeout_rules.sh script is located at
/usr/share/smappliance/.

To set a custom timeout:

1. Log in to the appliance as the root user, then go to the /usr/share/smappliance folder.


cd /usr/share/smappliance/

2. Run the script:


./customize_ssh_and_user_shell_timeout_rules.sh

3. Enter 1 to enable SSH and/or User Shell timeout.

4. Enter y to set a session idle timeout.

5. Enter a timeout value in minutes. The maximum value allowed is 59 minutes.

6. Verify the SSH connection timeout is enabled by running the following commands:
[root@voltage-pp-0000 ~]# grep "ClientAliveInterval" \
/etc/ssh/sshd_config

[root@voltage-pp-0000 ~]# grep "ClientAliveCountMax" \
/etc/ssh/sshd_config

Example: SSH connection timeout is enabled


In the following example, the SSH connection timeout is enabled. The
ClientAliveInterval is 300 seconds, and ClientAliveCountMax is 0.
[root@voltage-pp-0000 ~]# grep "ClientAliveInterval" \
/etc/ssh/sshd_config

ClientAliveInterval 300

[root@voltage-pp-0000 ~]# grep "ClientAliveCountMax" \
/etc/ssh/sshd_config

ClientAliveCountMax 0

Example: SSH connection timeout is disabled


If the SSH timeout is disabled, the returned strings are commented out.
[root@voltage-pp-0000 ~]# grep "ClientAliveInterval" \
/etc/ssh/sshd_config

#ClientAliveInterval 300

[root@voltage-pp-0000 ~]# grep "ClientAliveCountMax" \
/etc/ssh/sshd_config

#ClientAliveCountMax 0

7. Verify User Shell timeout is enabled by running the following command.


[root@voltage-pp-0000 ~]# grep "TMOUT" /etc/profile

Example: User Shell timeout is enabled


For this example, User Shell timeout is 600 seconds.
[root@voltage-pp-0000 ~]# grep "TMOUT" /etc/profile

export TMOUT=600

Example: User Shell timeout is disabled


If the User Shell timeout is disabled, nothing is returned, or the returned string is
commented out.
[root@voltage-pp-0000 ~]# grep "TMOUT" /etc/profile

#export TMOUT=600
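
The grep commands in steps 6 and 7 match commented-out lines as well as active ones, so a script that checks several hosts has to tell the two cases apart. The following shell functions are an added example, not part of the SecureData documentation or tooling; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the two idle-timeout settings that the guide verifies with grep.
# The sample files below are constructed; they are not output from a real appliance.

# Print the value of the first uncommented, global occurrence of an sshd_config
# keyword. sshd uses the first value it reads, and keywords are case-insensitive.
sshd_setting() {   # usage: sshd_setting FILE KEYWORD
    awk -v key="$2" '
        /^[ \t]*#/ { next }                       # commented out: not in effect
        tolower($1) == "match" { exit }           # stop before conditional blocks
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Report the SSH connection timeout in the sense the guide uses: both directives
# present and uncommented, with a non-zero interval.
# Caveat: OpenSSH 8.2 and later treat ClientAliveCountMax 0 as "never disconnect",
# so confirm the installed sshd version when interpreting a value of 0.
ssh_timeout_status() {   # usage: ssh_timeout_status SSHD_CONFIG
    interval=$(sshd_setting "$1" ClientAliveInterval)
    countmax=$(sshd_setting "$1" ClientAliveCountMax)
    if [ -z "$interval" ] || [ "$interval" = 0 ] || [ -z "$countmax" ]; then
        echo "disabled"
    else
        echo "enabled interval=$interval countmax=$countmax"
    fi
}

# Print the last uncommented numeric TMOUT assignment in a profile script
# (a later assignment overrides an earlier one when the shell sources the file).
profile_tmout() {   # usage: profile_tmout PROFILE
    awk '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/^[ \t]*(export[ \t]+)?/, "", line)
            if (line ~ /^TMOUT=[0-9]+/) {
                sub(/^TMOUT=/, "", line)
                sub(/[^0-9].*$/, "", line)
                val = line
            }
        }
        END { if (val != "") print val }
    ' "$1"
}

# Report the User Shell timeout; an unset or zero TMOUT means no timeout.
shell_timeout_status() {   # usage: shell_timeout_status PROFILE
    tmout=$(profile_tmout "$1")
    if [ -z "$tmout" ] || [ "$tmout" = 0 ]; then
        echo "disabled"
    else
        echo "enabled tmout=$tmout"
    fi
}

# Constructed sample files mirroring the enabled and disabled examples above.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

printf '%s\n' 'Port 10022' 'ClientAliveInterval 300' 'ClientAliveCountMax 0' \
    > "$SAMPLE_DIR/sshd_enabled"
printf '%s\n' 'Port 10022' '#ClientAliveInterval 300' '#ClientAliveCountMax 0' \
    > "$SAMPLE_DIR/sshd_disabled"
printf '%s\n' 'export TMOUT=600' > "$SAMPLE_DIR/profile_enabled"
printf '%s\n' '#export TMOUT=600' > "$SAMPLE_DIR/profile_disabled"

for f in sshd_enabled sshd_disabled; do
    printf '%-17s %s\n' "$f" "$(ssh_timeout_status "$SAMPLE_DIR/$f")"
done
for f in profile_enabled profile_disabled; do
    printf '%-17s %s\n' "$f" "$(shell_timeout_status "$SAMPLE_DIR/$f")"
done
```

To check a real host, call ssh_timeout_status /etc/ssh/sshd_config and shell_timeout_status /etc/profile on that host instead of the sample files.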

Enabling or Disabling ICMP Ping


The Voltage SecureData Appliance installation disables ICMP Ping on the server, by default.

To enable or disable ICMP Ping:

1. From the Firewall/Remote Access Menu, use the arrow keys to highlight
d. Enable/Disable ICMP Ping, and press Enter.

2. Select Yes to enable or disable ICMP Ping, and press Enter.

Enabling or Disabling Remote Access to the Management Console

The Voltage SecureData Appliance allows the Management Console to be accessed on the
external interface. You need to access the Management Console to configure your server after
installation. However, for security reasons, you might want to disable Management Console
access. You can also restrict Management Console access through the Management Console
itself, as described in “Restricting Remote Access to the Management Console” on page 2-23.

To enable or disable access to the Management Console:

1. From the Firewall/Remote Access Menu, use the arrow keys to highlight
e. Enable/Disable Remote Access To Management Console, and press Enter.

2. Select Yes to enable or disable Management Console access, and press Enter.

Configuring the Time Zone and NTP Servers (Required)

Verify that your Voltage SecureData Appliance time is set correctly. You can set the time and
date and configure the time zone and the Network Time Protocol (NTP) Servers. You configure
the time and date using one of the methods described in this section.

All time configuration is done from the Time/Date Configuration Menu. To access this menu,
from the Main Menu, choose b. Configure Time/Date.

The Time/Date Configuration Menu displays, as shown in Figure 2-3.

Figure 2-3 Time/Date Configuration Menu

Configuring the NTP Servers


Voltage SecureData Appliance is installed with three NTP servers already defined
(0.pool.ntp.org, 1.pool.ntp.org, and 2.pool.ntp.org). You can change these settings as described
below.

To configure the NTP Servers:

1. From the Time/Date Menu, choose b. Configure NTP Servers.

2. Enter the fully qualified host name or IP address for the NTP server. You can enter up to
three servers.

3. Press Tab twice to move to the OK button and then press Enter.

4. Use the Tab key to highlight Back and then press Enter to return to the Main Menu.

5. To have your server get its time from the NTP server, from the Time/Date
Configuration Menu, choose c. Set Time/Date from NTP Server.

6. When the time and date display, choose OK.

Setting the Time and Date


To view the Current Time and Date, choose a. View Current Time and Date. If you want to
make any adjustments manually:

1. Return to the Time/Date Configuration Menu.

2. Choose d. Set Time/Date Manually.

3. Enter the current year, month, day, hour and minute.

4. Choose OK to return again to the Time/Date Configuration Menu.

Configuring the Time Zone


To set the time zone:

1. From the Time/Date Configuration Menu, choose e. Set Time Zone.


The Timezone Selection Menu displays, as shown in Figure 2-4.

Figure 2-4 Timezone Selection Menu


Use the arrow keys to move up or down the list of time zones. Select a time zone by
highlighting the correct time zone. The default Time Zone setting is Etc/UTC.
The “System Clock uses UTC” check box is enabled by default. This setting configures
the system to use RTC time in UTC and to automatically maintain time zone changes
and daylight savings time adjustments.

CAUTION: If you disable (clear) the “System Clock uses UTC” check box, you are configuring the
system clock to use RTC time in the local time zone. You must use external facilities to maintain time
zone changes and daylight savings time adjustments.

2. Press Tab twice to move to the OK button, and press Enter to apply the settings.
Depending on whether services have been initialized for Single Server Deployment, you
see the following response:

• If the services have not yet been initialized, you return to the Time/Date
  Configuration Menu. If you disabled the “System Clock uses UTC” check box, a
  Warning message displays about using RTC time in the local time zone. Read the
  message, then press Enter to return to the Time/Date Configuration Menu.
  Your Time Zone settings have been applied locally. The settings will be used during
  the subsequent initialization of services and registration of remote hosts.
  Skip Step 3, and continue with configuring your system.
• If the services are already initialized, a message displays to identify additional steps
  required to effect the changes in the Management Console and remote hosts. If you
  disabled the “System Clock uses UTC” check box, the confirmation message
  includes a Warning message about using RTC time in the local time zone. Read the
  message, then press Enter to return to the Time/Date Configuration Menu.
  Your Time Zone settings have been applied locally. Continue with Step 3 to
  complete the changes for your Time Zone settings.

3. If services have already been initialized for Single Server Deployment, you must do the
following to effect the changes for the Management Console and remote hosts:
a. Restart the Management Console for the new Time Zone settings to take effect.
b. Re-register any remote hosts in your system. For information, see “Hosts Overview”
in the Voltage SecureData Services Administrator Guide.

Changing Passwords

To keep your server secure, you can change the password for the Management Console and for
access to the Appliance Menu.

To change your passwords:

1. Log in to the Voltage SecureData Appliance with the user name admin.

2. From the Voltage SecureData Appliance Main Menu, choose c. Configure Passwords.
The Password Configuration Menu displays, as shown in Figure 2-5.

Figure 2-5 Password Configuration Menu

3. To change your server password:


a. Choose a. Change Appliance Password.
b. Use the Tab key to highlight Yes and then press Enter.
c. Enter your current password, use the Tab key to highlight OK and then press Enter.
Enter a new SecureData Appliance admin password. The SecureData Appliance
admin user password must be 8 to 256 alphanumeric characters and contain a
combination of letters and numbers. The password is case-sensitive. Your passwords
serve as a security check to protect the appliance. Therefore, it is important to
choose passwords that are not easily guessed.
d. Re-enter the new password.
e. Tab to the OK button, and press Enter.
The SecureData Appliance admin user password is updated.

4. To change the password for the Management Console admin account:


a. Use the down arrow key to highlight b. Change Management Console Password.
b. Use the Tab key to highlight Yes, and then press Enter.
Enter a new Management Console password. The Management Console admin
user password must be 8 to 256 alphanumeric characters and contain a
combination of letters and numbers. The password is case-sensitive. Your passwords
serve as a security check to protect SecureData. Therefore, it is important to
choose passwords that are not easily guessed.
c. Re-enter the new password.
d. Tab to the OK button, and press Enter.
The Management Console admin user password is updated.

Configure Event Viewer License


If you are installing SecureData for the first time or are upgrading a version purchased after
Dec. 28, 2020, you should have received a new Splunk license from Voltage. The new Splunk
license must be installed on all SecureData hosts.

If you are upgrading a version of SecureData purchased prior to Dec. 28, 2020, you can
continue to use your existing Splunk license and skip this step.

To configure the Event Viewer license:

1. Copy the splunk.lic file to /opt/splunk/.

2. From the Voltage SecureData Appliance Main Menu, choose d. Configure Event
Viewer License.

3. Select Yes to confirm you want to add the new license.

4. After the license has been added successfully, select OK.

Enabling a Multi-host Configuration


A multi-host environment refers to a configuration in which components installed on multiple
servers are managed from a single Management Console.

While more flexible than a single-server system, a multi-host environment has additional issues
to consider:
• Configuration files - See “Management Console Configuration Files” on page 2-16 for
  details.
• Clock skew - See “Clock Skew” on page 2-16 for details.

In a multi-host environment, the Management Console, Key Management Server, Web Service
Server, and SecureData Web (Page-Integrated Encryption (PIE)) Server can each be placed on
separate hardware. To allow for redundancy, you can have multiple instances of each type of
component, although only one instance of the Management Console component can be active
at any particular time. Servers that run the Key Management Server and/or the Web Service
Server and do not include a Management Console are called remote hosts.

To set up a multi-host configuration:

1. Install the Voltage SecureData software on each server and complete the required steps
on the Appliance Menu for each server.

2. Choose one of the servers to host the Management Console, then initialize that server
by following the procedure in “Initializing Services” on page 2-19.

3. Verify that the Management Console service is enabled and running on that server. See
“Initializing Services” on page 2-19 to learn how to view service status.

4. Configure each additional server as a remote host:


a. Create a host registration password. See “Creating and Viewing Host Registration
Passwords” on page 2-17 for details.
b. Verify that IBE & SOA Service are enabled and running.

c. Verify that the Management Console service is not enabled.

5. Log in to the Voltage SecureData Management Console to register each remote host.
See the section on “Adding Hosts” in the Voltage SecureData Administrator Guide for
details.

6. Deploy the services from the Management Console.


This pushes the configuration from the Management Console to all of the registered
remote hosts.

You can view the status of all of your servers on the Home page of the Management Console.
The server hosting the Management Console also acts as the event aggregator. This means
that you can view events for all servers in a multi-host configuration using the Events tab of
the Management Console.

NOTE: Even though events for all servers can only be viewed on the active Management Console, the Event
collection software is installed and running on all of the remote hosts.

Management Console Configuration Files


Each server has a configuration file protected with a key and stored on the Management
Console, and configuration data on a specific system can be managed remotely using
Management Console on another server. When a server reboots, it must wait for the key from
the Management Console before it can access the configuration file and become fully
operational.

The Management Console checks every 60 seconds for any servers that are waiting for their
access keys. During this time, the server appears unresponsive to the clients or a load balancer.
After the server has accessed its configuration file and is able to respond to requests, the ports
are opened and requests can be routed to the server.

Clock Skew

Clock skew can be an issue in a multi-host environment. Various machines in your environment
may have different clock settings. If you are using a self-signed certificate that is saved at one
time, it might not yet be valid on another machine in your node because its time is set
differently. In this case, a registration error is generated because the certificate is not yet valid.

For example, if the Management Console time is two hours ahead of the remote host time, you
might encounter a registration error when you attempt to register a remote host. In this
situation, you can de-register the remote host, reset the clocks on both systems, and
re-register the remote hosts.

It is best practice to keep all servers in sync as closely as possible using NIST time servers
available on the Internet.

Creating and Viewing Host Registration Passwords


In order to configure registration, you must create a registration password on the remote server
that is going to be managed by a Management Console on a different server.

To create or view a host registration password:

1. Log in to the managed Voltage SecureData Appliance.

2. From the Voltage SecureData Appliance Main Menu, choose e. Host Registration. The
Host Registration Menu displays, as shown in Figure 2-6.

Figure 2-6 Host Registration Menu

3. To create a new registration password, choose a. Create New Registration Password.


You cannot create a registration password if:
• The host has already been registered with an active Management Console.
• The host has been configured as a single server, for which a district or SSL
  credentials were already created.
• The host is being used as an event forwarder or as an event aggregator in a
  multi-host configuration.

NOTE: Host registration passwords can be created only on servers where no districts are
configured, and there can be only one registration password at a time.

4. In the confirmation window, use the Tab key to highlight OK and then press Enter.
When you create the registration password, the Management Console on this server is
automatically disabled.
To view your current registration password, choose b. View Current Registration
Password.

The Voltage SecureData Appliance Configuration dialog displays the current
registration password that you must enter on the hosting server. Record the password; it
is needed to complete the registration.

Figure 2-7 Example of Generated Registration Password

5. To complete the registration configuration, you must log in to the active Management
Console, which is on a separate server.
For more information about logging into the Management Console, see Using the
SecureData Management Console (page 2-22).

6. On the Management Console, navigate to the System > Hosts tab, then click New Host
to add the host and provide its registration password to complete the host registration.
For instructions, see “Adding Hosts” in the Voltage SecureData Administrator Guide or
the Management Console Help.

Deleting or Resetting Host Registration


You can delete or reset a registration on a remote host only by using the Host Registration
menu on that server. The services on the deleted registration server continue to use the
configuration that was deployed from the Management Console, until the settings are changed
on the Management Console. The Reset Host Registration option is not available on the
server that is hosting the Management Console.

To reset or delete your host registrations on the remote host:

1. Log in to the remote host.


The Voltage SecureData Appliance Main Menu displays.

2. Choose e. Host Registration.

3. Do one of the following:

• To reset a registration, choose d. Reset Host Registration.
  Resetting a host registration clears the current configuration and returns the server
  to the default “empty” configuration.

• To delete a registration, choose c. Delete Registration.
  Deleting a host registration keeps the existing configuration on the server, but any
  additional changes on the server must be made through the local server
  Management Console. This server no longer accepts configuration changes from the
  active Management Console.

4. In the confirmation window, use the Tab key to highlight Yes and then press Enter.

Initializing Services for the SecureData Appliance


You can deploy the Voltage SecureData Appliance in a single-server or multi-host deployment.
When configuring a single server, you initialize the services for the server that you are
configuring using the Initialize Services for Single Server Deployment option. The Voltage
SecureData Appliance is configured to run the Management Console Server, the Key
Management Server, the Web Service Server, and the Event Viewer software. When you have
finished the initial configuration, you can log in to the Management Console and navigate to the
System > Hosts tab to select the services that you want to run on the current server.

To enable, disable, or restart individual services on your server, see Enabling, Disabling, and
Restarting Services (page 2-20).

Initializing Services

To view the service status and initialize services for a single-server configuration, or for the server
that hosts the Management Console in a multi-host configuration:

1. From the Main Menu, choose f. Configure Services. The Service Management Menu
displays, as shown in Figure 2-8.

Figure 2-8 Service Management Menu

2. To view the current service status on this server, choose a. View Service Status. The
service status displays.

3. Press Enter to return to the Service Management Menu.

4. To initialize services, choose b. Initialize Services for Single Server Deployment. A
confirmation to configure this server as a single-server deployment displays.

5. Use the Tab key to highlight OK, and then press Enter.
At the prompt, enter the password to be used for the Management Console admin user,
then re-enter that password. The Management Console admin password must be 8 to
256 alphanumeric characters and contain a combination of letters and numbers. The
password is case-sensitive. Your password serves as a security check to protect the
SecureData deployment. Therefore, it is important to choose passwords that are not
easily guessed.

Enabling, Disabling, and Restarting Services


The Advanced Service Management menu on the Appliance Menu lets you enable, disable,
and restart individual services, including the Management Console, the IBE and SOA
Encryption Web Service, Voltage SecureData Web, and the Event reporting software. There
may be times when you must use this menu to restart a particular service on your server.

To enable, disable, or restart services:

1. From the Main Menu, use the down arrow key to highlight f. Configure Services.

2. Use the down arrow key to highlight c. Advanced Services Configuration.

3. To enable, disable, or restart a service, use the down arrow key to highlight the
service you want to set.

4. Use the down arrow key to highlight the action you want to take.

5. Use the Tab key to highlight Yes and then press Enter.

Rebooting and Shutting Down Your Server


Use the Appliance Configuration Menu to reboot the server or shut down the server. This is
also where you can apply the CA signed certificate you previously staged on the Management
Console. See the Voltage SecureData Administrator Guide for more information on using CA
signed certificates.


To reboot or shut down the Appliance:

1. From the Main Menu, choose g. Manage Appliance. The Appliance Configuration
Menu displays as shown in Figure 2-9.

Figure 2-9 Appliance Configuration Menu for Reboot or Shut Down Options

2. Do one of the following:

• To reboot the server, choose a. Reboot Appliance. Use the Tab key to highlight Yes
and then press Enter.
• To shut down the server, choose b. Shut Down Appliance. Use the Tab key to
highlight Yes and then press Enter.

3. If you are applying a staged CA signed certificate for Management Console services,
choose c. Apply Management Console Certificate.

CAUTION: To fully secure access to the SecureData Appliance, you must use a CA signed
certificate.

Figure 2-10 Appliance Configuration Menu Option for Console Certificate


Managing Atalla HSM Integration


The Voltage SecureData Appliance includes the software needed to communicate with Atalla
HSMs. By default, the Atalla HSM Services are not enabled. Prior to enabling these services, you
must complete a set of configuration steps on the Atalla HSMs. After the HSMs are configured,
use the Atalla HSM Configuration Menu to enable services and set up communication between
the HSMs and the Appliance.

Figure 2-11 Atalla HSM Connector Configuration Menu

See the Voltage SecureData Integration Supplement for Atalla AT1000 HSMs for information
about how to enable Atalla HSMs to work with the Voltage SecureData Appliance, as well as
configuration steps to be completed on both the Appliance and Management Console.

Using the SecureData Management Console


You configure the Voltage SecureData Appliance using the Voltage SecureData Management
Console graphical interface, which runs in a web browser. Since the Voltage SecureData
Appliance does not have a web browser, you cannot use that machine to connect to the
Management Console. Instead, you connect from a separate machine with a web browser
installed.

By default, remote access to the Management Console is enabled for all IP addresses. You can
connect from any machine using the instructions that follow. Once you are connected, you can
restrict access using the instructions in the following section.


To access the Management Console:

1. Start a web browser and enter the URL, either the Voltage SecureData Appliance IP
address that you entered in Configuring the IP Addresses (Required) (page 2-4), or the
host name that you entered in Configuring the DNS and Hostname Settings (Required)
(page 2-5):
• https://<Hostname>:8443/console
• https://<IPaddress>:8443/console

Note that only a secure HTTP (https://) URL is valid.

2. Log in the first time with user name=admin and the password that you set in Initializing
Services (page 2-19).
After you log in to the Management Console, you can navigate to the Administration
tab to change the Management Console password and add other administrators.

See the Getting Started topic in the Management Console Help for instructions on completing
the configuration of your Voltage SecureData Appliance.

Restricting Remote Access to the Management Console


You can restrict access to the Management Console to specified machines, using the
Administration tab on the Management Console.

To restrict Management Console access:

1. In the Management Console, click the Administration tab.

2. Click the Network Access tab.


The Network Access page displays as shown in Figure 2-12.

Figure 2-12 Management Console - Network Access Page


To add an IP address or subnet, in the IP Pattern box enter an IP address or pattern to
identify the machine(s) from which an administrator can log in.


The following are examples of IP pattern entries:

• To allow everyone, enter the IP Address as *.*.*.*.
• To allow any machine on the 172.16 class B network, enter the IP Address as 172.16.*.*.
• To allow only the machine with IP address 172.16.5.14, enter the IP Address as 172.16.5.14.

3. Click Add IP Pattern.

4. Click Save.

Password Lockout
The Management Console is configured by default to lock out users when they fail at password
entry five times. They remain locked out for 30 minutes. You can change the defaults by editing
the settings.py file.

To change password lockout defaults:

1. Open the settings.py file located at /opt/vsmgmt/console/settings.py.

2. Find the values below and modify as needed.

# Set variable for Maximum allowed invalid login attempts, value must be greater than zero
MAX_ALLOWED_LOCKOUT_ATTEMPTS = 5
# Set variable to set lockout duration in seconds, value must be greater than zero
LOCKOUT_DURATION = 1800

3. Restart the Management Console service. See “Enabling, Disabling, and Restarting
Services” on page 2-20.

Standby Management Console


In a multi-host deployment, only one server can run the Management Console, which is turned
off in all other servers. This means that if the server hosting your Management Console goes
down, no other Management Console is available. Voltage recommends that you have a
machine with the Voltage SecureData Appliance software pre-installed ready to be initialized as
a Management Console with an up-to-date backup. For more information on standby
Management Console options and restoration, see the Voltage SecureData Appliance Help or
the Voltage SecureData Appliance Administrator Guide.


Post-Install Configuration Options


Use the following information to configure additional functionality after installing SecureData
6.9.7.
• “Enable or Disable Caching for Simple API Key Requests” on page 3-1
  SecureData 6.9.7 supports caching of key requests from Simple API. You can enable or
  disable the Simple API memory cache in the config.py file. It is enabled by default.
• “Configure Log Forwarding for Syslog Using TCP with TLS” on page 3-3
  SecureData 6.9.7 adds functionality that supports log forwarding using TCP with TLS.
  You can configure a Syslog client on the Appliance host with settings that will securely
  forward logs from SDA localhost to a remote Syslog host by using TCP with TLS. Enable
  Syslog logging settings for localhost in the Management Console separately for the Key
  Management Service, Web Service, PIE Service, and Console Service. The Syslog client
  and Syslog logging are not configured by default.



3 Additional Configuration Options

This chapter describes additional configuration options for the Voltage SecureData Appliance.
• Enable or Disable Caching for Simple API Key Requests
• Configure Log Forwarding for Syslog Using TCP with TLS
• Configure SSL Protocols for TLS 1.3 and TLS 1.2
• Configure Strong SSL Ciphers for TLS 1.3 and TLS 1.2
• Configure Time Zone and System Clock to Use UTC

Enable or Disable Caching for Simple API Key Requests

Voltage SecureData Appliance supports caching for Simple API key requests. The Simple API
memory cache is enabled by default.

In SecureData Appliance 6.9.7 (or later), you can enable or disable the Simple API memory
cache for key requests for an Appliance by adding the
"ENABLE_SIMPLE_API_MEMORY_CACHE" parameter in the config.py file. If this parameter is
missing, set to None, or set to a non-boolean value, the "enableSimpleAPIMemoryCache"
setting defaults to "true".

To enable or disable caching of Simple API key requests for an Appliance:

1. Log in to the Appliance as the root user.

2. Open the /opt/vsmgmt/console/config.py file in a text editor.

3. Add or modify the ENABLE_SIMPLE_API_MEMORY_CACHE parameter with a setting of
True or False, then save the file. For example:
ENABLE_SIMPLE_API_MEMORY_CACHE = True
ENABLE_SIMPLE_API_MEMORY_CACHE = False


Example
The following example of the config.py file shows the
ENABLE_SIMPLE_API_MEMORY_CACHE parameter added and set to True:

# Enable/Disable Simple API Key Cache. Value must be either True or False.
ENABLE_SIMPLE_API_MEMORY_CACHE = True

4. In the Appliance Menu, restart the Management Console service to apply the change.
See “Enabling, Disabling, and Restarting Services” on page 2-20.

5. Log in to the Management Console UI as an Administrative user, then navigate to the
System tab, and click the Deploy button.

6. Verify that the change is in effect by checking the value shown in the following locations:
• Find the event "New_EnableSimpleAPIMemoryCache=" in the /opt/vssoa/logs/audit.log
  file, and verify the value.

Example

YYYY-MM-DD HH:MM:SS, ms CEF:0|Voltage|SOA|6.9.7|16|UpdateSettings|0|src=127.0.0.1 tenant=Default Current_EnableSimpleAPIMemoryCache=false New_EnableSimpleAPIMemoryCache=true shost=sdatest.int

• Find the event "Global" "enableSimpleAPIMemoryCache:" in the
  /opt/vssoa/logs/debug.log file, and verify the value.

• Find the entry "enableSimpleAPIMemoryCache =" under Global Settings in the
  /opt/vssoa/webapps/vibesimple/WEB-INF/config/Default/VibeSimpleConfig.xml file,
  and verify the value.

SOA restarts during deployment if the value for "ENABLE_SIMPLE_API_MEMORY_CACHE"
has changed. A message is logged in the /opt/vssoa/logs/audit.log file indicating when the
need to restart is detected. The message is "A configuration change was detected
that requires restart."

Example Event

YYYY-MM-DD HH:MM:SS, ms CEF:0|Voltage|SOA|6.9.7|16|UpdateSettings|0|src=127.0.0.1 tenant=Default msg=A configuration change was detected that requires a restart. shost=sdatest.int
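The audit.log check in step 6 can be scripted. The following Python script is an added example, not part of the product or the original guide: it parses CEF events in the layout shown above, reports the logged change to the cache setting, and reports whether SOA logged that a restart is required. The sample log text, its timestamps, and all function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of the audit.log examples above; the
# timestamps are placeholders, not output captured from an Appliance.
SAMPLE_AUDIT_LOG = (
    "2023-06-01 10:15:02, 113 CEF:0|Voltage|SOA|6.9.7|16|UpdateSettings|0|"
    "src=127.0.0.1 tenant=Default Current_EnableSimpleAPIMemoryCache=true "
    "New_EnableSimpleAPIMemoryCache=false shost=sdatest.int\n"
    "2023-06-01 10:15:02, 140 CEF:0|Voltage|SOA|6.9.7|16|UpdateSettings|0|"
    "src=127.0.0.1 tenant=Default msg=A configuration change was detected "
    "that requires a restart. shost=sdatest.int\n"
)

CEF_FIELDS = ("vendor", "product", "version", "signature_id", "name", "severity")
# A value runs until the next " key=" token or the end of the line, so values
# that contain spaces (such as msg=) stay intact.
EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")
SETTING = "EnableSimpleAPIMemoryCache"


def parse_cef_line(line):
    """Return a dict for one audit.log line, or None if it is not a CEF event."""
    prefix, sep, cef = line.strip().partition("CEF:")
    if not sep:
        return None
    # Header: version plus six fields, then the extension; "\|" is an escaped pipe.
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)
    if len(parts) < 8:
        return None
    event = dict(zip(CEF_FIELDS, parts[1:7]))
    event["timestamp"] = prefix.strip()
    event["ext"] = dict(EXT_PAIR.findall(parts[7]))
    return event


def cache_setting_changes(log_text):
    """List (timestamp, old, new) for every logged change to the cache setting."""
    changes = []
    for line in log_text.splitlines():
        event = parse_cef_line(line)
        if not event or event["name"] != "UpdateSettings":
            continue
        ext = event["ext"]
        if "New_" + SETTING in ext:
            changes.append((event["timestamp"],
                            ext.get("Current_" + SETTING),
                            ext["New_" + SETTING]))
    return changes


def verify_cache_setting(log_text, expected):
    """True only if the most recent logged change matches the config.py value."""
    changes = cache_setting_changes(log_text)
    if not changes:
        return False
    return changes[-1][2].lower() == str(expected).lower()


def restart_logged(log_text):
    """True if SOA logged that the configuration change requires a restart."""
    needle = "configuration change was detected that requires"
    for line in log_text.splitlines():
        event = parse_cef_line(line)
        # The guide words this message both with and without "a" before
        # "restart", so match only the part common to both.
        if event and needle in event["ext"].get("msg", ""):
            return True
    return False


if __name__ == "__main__":
    print(cache_setting_changes(SAMPLE_AUDIT_LOG))
    print("matches config.py value False:",
          verify_cache_setting(SAMPLE_AUDIT_LOG, False))
    print("restart logged:", restart_logged(SAMPLE_AUDIT_LOG))
```

On an Appliance, pass the contents of /opt/vssoa/logs/audit.log and the value you set in config.py.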


Configure Log Forwarding for Syslog Using TCP with TLS

Voltage SecureData Appliance 6.9.7 (or later) supports forwarding events securely from a local
Syslog client on the Appliance to a remote Syslog host by using TCP with TLS. TCP with TLS
provides secure, reliable transmission of logged events over the network between Appliances and
your Syslog host. SecureData pre-installs the RSyslog GnuTLS utility as the Syslog client that
performs the log-forwarding functionality.

This usage requires a Syslog host in your environment to receive the forwarded events using
TCP. By default, the Syslog client directs events to /var/log/messages on the Server host.

NOTE: This section refers to Syslog running on the Appliance as the Syslog client. The Syslog host is the
target location for the forwarded logged events.

To enable SecureData to send files over TCP, you must configure the Syslog client with the IP
address (or FQDN) and port (default 6514) of the target Syslog host, and enable TCP mode for
communications to the host. In the Management Console, enable Syslog for each SecureData
service according to your needs: Key Management Service, Web Service, PIE Service, and
Console Service.

In the Management Console, you enable Syslog and specify “localhost” as the Syslog host. On
Appliances where the service is enabled, the service sends events by using UDP to the local
/var/log/messages location on the Appliance by default. If the Syslog client is configured and
running, the Syslog client forwards the service’s events to its configured target Syslog host by
using TCP. This configuration ensures secure and reliable transmission using the TCP protocol
with TLS over the network to the remote Syslog host.

CAUTION: By default, if you specify the remote Syslog host’s IP address (or its FQDN) directly in the
Management Console UI, SecureData sends the service events over the network using UDP (which is not
secure).

For each Appliance where the enabled service is deployed:

• Events in the local /var/log/messages location are viewable in the Events tab on the
  Management Console.
• Events forwarded to the /var/log/messages location on the remote Syslog host are
  viewable by using native or third-party log management tools.

If multiple services are deployed on an Appliance, logs are forwarded for the Syslog-enabled
services where the Syslog host is set to “localhost”.

The RSyslog GnuTLS logging utility is pre-installed as the Syslog client for the Appliance:
rsyslog-gnutls-8.24.0-57.el7_9.3.x86_64.rpm


SecureData includes the following template file, which provides a basic functional example for
configuring the Syslog client for secure log forwarding:
/etc/rsyslog.d/client-tls.conf.template

Use the example to create a configuration file for the Syslog client that specifies configuration
values related to forwarding logs using TCP with TLS from SDA to your Syslog host. You can
also configure custom Syslog settings in the file. The Syslog client will forward logs to the
remote Syslog host and port that you specify in this file.

To set up log forwarding through TLS to a Syslog host, you must do the following:

1. Configure the Syslog Host to Receive Events using TCP

2. Copy CA Certificate from Syslog Host

3. Configure the Syslog Client on the Appliance

4. Configure SecureData Services for Syslog Log Forwarding

Configure the Syslog Host to Receive Events using TCP


Before you begin, ensure the following setup of the Syslog host in your environment that will
receive SecureData event logs by using TCP:
• Ensure that your Syslog host is configured to receive the forwarded log events using
  TCP with TLS communications.
• Ensure that the specified TCP port is open on the Syslog host and in network firewalls
  between the receiving Syslog host and the sending SecureData Appliances.
• On the remote Syslog host, configure a CA certificate, a certificate signed with that CA,
  and the private key for the signed certificate that you will use for server/client validation.
  The location and filenames depend on the software you use for the Syslog host and any
  customizations you apply. Ensure that the files are readable by the root user.

Example
For a Syslog host running RSyslog, the location and filenames for certificate files might
be:
/etc/pki/rsyslog/ca.pem
/etc/pki/rsyslog/server-cert.pem
/etc/pki/rsyslog/server-key.pem

• Obtain a copy of the CA certificate that you will use for server/client validation. You will
  copy the CA certificate to each SDA that will send events to the Syslog host. Ensure that
  the files are readable by the root user.


Example
To continue the example above, you will copy the certificate file /etc/pki/rsyslog/ca.pem
to the /etc/pki/rsyslog/ca.pem location on each SDA that will send events to the Syslog host.
Modify permissions for the certificate file by running the following command to ensure it
is readable by the root user:
chmod 400 /etc/pki/rsyslog/*.pem

• Ensure that the Syslog host software is running and working properly. The commands
  you use depend on the software you use for the Syslog host.

Example
For a Syslog host running RSyslog, run the following commands as the user root on the
Syslog host.
To check status, run:
systemctl status rsyslog

To restart the Syslog host service, run:


systemctl restart rsyslog

When your Syslog host and network are configured and working properly, continue with Copy
CA Certificate from Syslog Host.

Copy CA Certificate from Syslog Host


On the Appliance, set up the CA certificate used by the target Syslog host:

1. Log in as the root user to the SecureData Appliance.

2. Obtain a copy of the CA certificate used by the target Syslog host server.

3. Copy the CA certificate file to /etc/pki/rsyslog/ca.pem location on SDA.

NOTE: The path and filename you use for the CA certificate from the Syslog host are configurable,
but the file must use the .pem extension. Ensure that you modify the value for the global
parameter for the CA file in the /etc/rsyslog.d/<your-syslog-client-name>.conf configuration
file for the Syslog client:
DefaultNetStreamDriverCAFile="/etc/pki/rsyslog/ca.pem"
Ensure that you adjust any related commands for managing the Syslog client, according to the path
and filename you use.

4. Modify permissions for the copied CA certificate file to make it readable by the root
user. Run the following command:
chmod 400 /etc/pki/rsyslog/ca.pem


5. Continue with Configure the Syslog Client on the Appliance.

Configure the Syslog Client on the Appliance


The instructions in this section describe how to configure the Syslog client for its SDA host. For
multi-host SDA, each SDA host will have its own Syslog client.

NOTE: Repeat the instructions to configure a Syslog client on each SDA host where you want to enable
Syslog log forwarding using TCP with TLS.

To configure the Syslog client:

1. On the Appliance, acting as the root user, rename the Syslog configuration template file
(/etc/rsyslog.d/client-tls.conf.template) to /etc/rsyslog.d/client-tls.conf.

There is no restriction on file name, other than the requirement to use the .conf file
extension. The .conf file must be located in the /etc/rsyslog.d/ folder to be read
by the Syslog client. The /etc/rsyslog.conf master configuration file imports its
settings from this file.

2. Open the /etc/rsyslog.d/client-tls.conf file in a text editor. The default
template settings are shown below.

CAUTION: The basic configuration template can be used for testing and non-production, but
should not be used as-is for production. For production environments, Voltage recommends that you
configure a more secure authentication mode.

# (c) Copyright 2023 Micro Focus or one of its affiliates.

# The only warranties for products and services of Micro Focus and its affiliates
# and licensors ("Micro Focus") are set forth in the express warranty statements
# accompanying such products and services. Nothing herein should be construed as
# constituting an additional warranty. Micro Focus shall not be liable for
# technical or editorial errors or omissions contained herein. The information
# contained herein is subject to change without notice.

global(
    DefaultNetStreamDriverCAFile="/etc/pki/rsyslog/ca.pem"
)

*.* action(
    type="omfwd"
    StreamDriver="gtls"
    StreamDriverMode="1" # run driver in TLS-only mode
    StreamDriverAuthMode="anon" # "anon" is not recommended
    # StreamDriverAuthMode="x509/name"
    # StreamDriverPermittedPeers="<HOST CN>"
    target="<HOST>" port="<PORT>" protocol="tcp"
)


3. Replace variables <HOST> and <PORT> with values for the target Syslog host. Port 6514
is the default TCP port for Syslog.

Example
The following example shows a host value of 10.10.10.214 and port value of 6514 for
the Syslog host server.

# (c) Copyright 2023 Micro Focus or one of its affiliates.

# The only warranties for products and services of Micro Focus and its affiliates
# and licensors ("Micro Focus") are set forth in the express warranty statements
# accompanying such products and services. Nothing herein should be construed as
# constituting an additional warranty. Micro Focus shall not be liable for
# technical or editorial errors or omissions contained herein. The information
# contained herein is subject to change without notice.

global(
    DefaultNetStreamDriverCAFile="/etc/pki/rsyslog/ca.pem"
)

*.* action(
    type="omfwd"
    StreamDriver="gtls"
    StreamDriverMode="1" # run driver in TLS-only mode
    StreamDriverAuthMode="anon" # "anon" is not recommended
    # StreamDriverAuthMode="x509/name"
    # StreamDriverPermittedPeers="<HOST CN>"
    target="10.10.10.214" port="6514" protocol="tcp"
)

4. In the client-tls.conf file, customize the other settings to meet your needs. For
information, refer to the official RSyslog documentation here:
https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html
• If you used a custom path or file name for the CA certificate file in Copy CA
  Certificate from Syslog Host, ensure that you modify the value for the global
  parameter DefaultNetStreamDriverCAFile to match.
• For more secure authentication, Voltage recommends that you modify the
  StreamDriverAuthMode parameter from "anon" to a more secure authentication
  mode, such as "x509/fingerprint" or "x509/name".

CAUTION: The anon option is typically used in testing or non-production environments, and
does not authenticate the connection. For production environments, Voltage recommends that you
configure a more secure authentication mode.

For information, see “Supported Authentication Modes” in the RSyslog documentation here:
https://www.rsyslog.com/doc/master/concepts/ns_ossl.html

• Ensure that the CN in the certificate matches how clients will access the Syslog host.
  For example, if the client uses an IP address to reach the server, then the CN on the
  certificate used by the server must be the same IP address. If the client uses DNS to
  reach the server, then the CN on the certificate used by the server must be the same
  DNS name.

5. Restart Syslog by running the following command as user root:


systemctl restart rsyslog

6. Validate the configuration by running the following command as user root:


rsyslogd -N 1

Example Output

[root@sdatest rsyslog.d]# rsyslogd -N 1
rsyslogd: version 8.24.0-57.el7_9.3, config validation run (level 1), master config /etc/rsyslog.conf

In this output, the /etc/rsyslog.conf master configuration file imports its settings
from your custom configuration file that ends with .conf in the /etc/rsyslog.d/
folder, such as /etc/rsyslog.d/client-tls.conf.

7. Check that Syslog is running by running the following command as user root:
systemctl status rsyslog

Example Output

[root@sdatest rsyslog.d]# systemctl status rsyslog
● rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2023-05-16 18:15:44 UTC; 19s ago
     Docs: man:rsyslogd(8)
           http://www.rsyslog.com/doc/
 Main PID: 3534 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           └─3534 /usr/sbin/rsyslogd -n

May 16 18:15:44 sdatest.int systemd[1]: Starting System Logging Service...
May 16 18:15:44 sdatest.int rsyslogd[3534]: [origin software="rsyslogd" swVersion="8.24.0-57.el7_9.3" x-pid="3534" x-inf... start
May 16 18:15:44 sdatest.int systemd[1]: Started System Logging Service.
Hint: Some lines were ellipsized, use -l to show in full.

8. Verify that logs are being forwarded to the right place. As the user root, run the
logger command to send a test event.
logger "this is a test"


You should see "this is a test" on the Syslog server in /var/log/messages.

9. Repeat these steps for each Appliance where you want to enable Syslog log forwarding
using TCP.

10. Continue with Configure SecureData Services for Syslog Log Forwarding.
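The settings this procedure depends on (TLS-only mode, a CA file, and an authentication mode other than anon) can be checked before the Syslog client is restarted. The following Python script is an added example, not part of SecureData or RSyslog: it audits a client-tls.conf laid out like the template above and shows the template beside a hardened variant. The hardened sample, its peer name syslog.example.internal, and all function names are constructed; the parser assumes simple global() and action() objects whose quoted values contain no closing parenthesis.

```python
import re

# The guide's example client-tls.conf (licence header omitted): "anon" auth.
TEMPLATE_CONF = '''
global(
    DefaultNetStreamDriverCAFile="/etc/pki/rsyslog/ca.pem"
)
*.* action(
    type="omfwd"
    StreamDriver="gtls"
    StreamDriverMode="1" # run driver in TLS-only mode
    StreamDriverAuthMode="anon" # "anon" is not recommended
    # StreamDriverAuthMode="x509/name"
    # StreamDriverPermittedPeers="<HOST CN>"
    target="10.10.10.214" port="6514" protocol="tcp"
)
'''

# Constructed hardened variant: the template's commented-out lines enabled.
# syslog.example.internal stands in for the CN in the Syslog host's certificate.
HARDENED_CONF = '''
global(
    DefaultNetStreamDriverCAFile="/etc/pki/rsyslog/ca.pem"
)
*.* action(
    type="omfwd"
    StreamDriver="gtls"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="syslog.example.internal"
    target="syslog.example.internal" port="6514" protocol="tcp"
)
'''

OBJECT = re.compile(r"\b(global|action)\s*\(([^)]*)\)", re.IGNORECASE)
PARAM = re.compile(r'([\w.]+)\s*=\s*"([^"]*)"')


def strip_comments(text):
    """Drop '#' comments but keep '#' characters inside quoted values."""
    return re.sub(r'("[^"]*")|#.*', lambda m: m.group(1) or "", text)


def parse_objects(text):
    """Yield (kind, params) per global()/action() object, names lowercased."""
    for kind, body in OBJECT.findall(strip_comments(text)):
        yield kind.lower(), {k.lower(): v for k, v in PARAM.findall(body)}


def audit_client_conf(text):
    """Return a list of findings for the TLS forwarding settings in `text`."""
    findings, ca_file, forwards = [], None, 0
    for kind, p in parse_objects(text):
        if kind == "global":
            ca_file = p.get("defaultnetstreamdrivercafile", ca_file)
            continue
        if p.get("type") != "omfwd":
            continue
        forwards += 1
        auth = p.get("streamdriverauthmode")
        peers = p.get("streamdriverpermittedpeers", "")
        target = p.get("target", "")
        if p.get("protocol", "").lower() != "tcp":
            findings.append('protocol is not "tcp"')
        if p.get("streamdriver") != "gtls" or p.get("streamdrivermode") != "1":
            findings.append("TLS-only mode is not set (StreamDriver/StreamDriverMode)")
        if auth in (None, "anon"):
            findings.append('StreamDriverAuthMode is unset or "anon": '
                            "the Syslog host is not authenticated")
        elif auth in ("x509/name", "x509/fingerprint") and not peers:
            findings.append(f"{auth} is set without StreamDriverPermittedPeers")
        if not target or "<" in target or "<" in peers:
            findings.append("target is missing, or a template placeholder "
                            "remains in target or permitted peers")
    if forwards == 0:
        findings.append("no omfwd action found")
    if not ca_file:
        findings.append("DefaultNetStreamDriverCAFile is not set")
    return findings


if __name__ == "__main__":
    for name, conf in (("template", TEMPLATE_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit_client_conf(conf) or "no findings")
```

A clean result only means the file asks for an authenticated TLS connection; rsyslogd -N 1 and the logger test in the steps above still confirm that it loads and forwards.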

Configure SecureData Services for Syslog Log Forwarding


After you configure a Syslog client on the Appliance host, use the Management Console to
enable SecureData services to forward their events to the Syslog host, according to your needs.
The following services support logging:
• Key Management Service (audit events)
• Web Service (audit events)
• PIE Service (audit events)
• Console Service (console events)

To enable log forwarding for a service, go to the service’s logging settings, configure Syslog
output for the Syslog host “localhost”, and then deploy the configuration.

To enable log forwarding for a service:

1. Log in to the Management Console as an Administrative user. See “Using the
SecureData Management Console” on page 2-22 for details.

2. Navigate to the logging configuration page for each SecureData service that you want
to send to Syslog.
Table 3-1 identifies pages in the Management Console where you can configure
logging for each service’s audit log and the Management Console’s console log. See the
specified section in the Voltage SecureData Appliance Administrator Guide or
Management Console Help for configuration details.

Table 3-1 Management Console Logging Settings

Logging Configuration Page            For configuration details

Key Management > System Settings      See “Key Management System Settings”.
Web Service > System Settings         See “Web Service System Settings”.
PIE Service > Audit Settings          See “PIE Audit Settings”.
Administration > Console Logging      See “Console Logging”.

3. Enable Syslog as a destination of events for the service:


a. In the Audit Destination or Log Destination field, select Syslog or File and Syslog.
Events are viewable in the Events tab on the Management Console.

NOTE: If you select File and Syslog, events are also sent to a specified audit or console log file.
Events sent to the default log files are viewable in the Events tab.

b. In the Syslog host field, specify localhost as the target Syslog host.
For Appliances where this service is deployed, specifying localhost enables events
to be sent using UDP to the local /var/log/messages location on the Appliance.
When the Syslog client on the Appliance is configured and running, the client
securely forwards events to its specified target Syslog host by using TCP with TLS.
If the Syslog client on the Appliance is not configured or is not running, the events
are not forwarded to the remote Syslog host.

CAUTION: Do not specify the IP address of the remote Syslog host in this field. By default,
SecureData will send events over the network using UDP (which is not secure), even if the Syslog
client is configured and running on Appliances where the service is deployed.

c. Click Save Settings.


d. Repeat the Syslog setup for each of the services you want to output to Syslog.

4. On the Console Home page, deploy the modified settings. Wait until the deployment is
completed before continuing.


5. On the Syslog host, view the Syslog log output to verify events are being forwarded. Run
either of the following commands from the Syslog host as the root user:
tail -f /var/log/messages
tail /var/log/messages
Use the -f option to continue to monitor the file and display new messages as they come
in.

Configure SSL Protocols for TLS 1.3 and TLS 1.2


For new installations, SecureData enables TLSv1.3 (new in SDA 6.9.7) and TLSv1.2 by default
in the settings.py file. For upgrades, if the existing installation has custom settings in the
config.py file, your custom settings are not modified during the upgrade. After the upgrade,
you can modify your custom settings to add support for TLS 1.3 (optional) and TLS 1.2
(required) protocols, according to your business needs.

The following SDA services are configured to accept inbound (tomcat) TLS 1.3 and TLS 1.2
traffic by default on ports 443, 8181, and 8182:
• Key Management Service server
• Web Service server (REST and SOAP APIs)
• PIE front-end server

TLS 1.3 is not supported for the Management Console service. The Console requires TLS 1.2
inbound (nginx, port 8443).

Outbound (Java) LDAP requests from SDA are configured to support TLS 1.3 and TLS 1.2
traffic by default.

A SecureData client must support the TLS 1.3 protocol to use it for its communications with
SecureData services. For information about SecureData client versions that support TLS 1.3 at
the time of this release, see "SecureData Support for TLS 1.3" in the Voltage SecureData
Appliance Architecture Guide.

The supported SSL protocol versions are configured by using the SSL_ENABLED_PROTOCOLS
and JAVA_SSL_ENABLED_PROTOCOLS variables in the settings.py file. You can override
the default values by setting different values for the SSL_ENABLED_PROTOCOLS and
JAVA_SSL_ENABLED_PROTOCOLS variables in the /opt/vsmgmt/console/config.py file.

CAUTION: Do not remove TLSv1.2 from the configuration. TLS 1.2 is required (by CentOS) for internal
communication between SDA services and between HSMs and SDA services.
Do not modify the settings.py file; it is overwritten with every software upgrade.


NOTE: If you enable TLS 1.3, ensure that you also add the supporting TLS 1.3 ciphers required to make
TLS 1.3 connections. See Configure Strong SSL Ciphers for TLS 1.3 and TLS 1.2.

Inbound Traffic (tomcat) TLS Version Support


The TLS version for inbound (tomcat) traffic is determined by the SSL_ENABLED_PROTOCOLS
variable. The following examples show settings to configure support for different combinations
of TLS versions.

Example: Enable TLS1.3 + TLS1.2 (default for SecureData 6.9.7)


SSL_ENABLED_PROTOCOLS = "TLSv1.3,TLSv1.2"

Example: Enable TLS1.3 + TLS1.2 + TLS1.1


SSL_ENABLED_PROTOCOLS = "TLSv1.3,TLSv1.2,TLSv1.1"

Example: Enable TLS1.3 + TLS1.2 + TLS1.1 + TLS1.0


SSL_ENABLED_PROTOCOLS = "TLSv1.3,TLSv1.2,TLSv1.1,TLS1,SSLv2Hello"

Outbound Traffic (LDAP request) TLS Version Support


For outbound (Java client) traffic for LDAP requests, the TLS version is determined by
SSL_ENABLED_PROTOCOLS and JAVA_SSL_ENABLED_PROTOCOLS variables. The supported
TLS versions will be the set of protocols represented by combining the two settings.
TLS Version: Min{SSL_ENABLED_PROTOCOLS, JAVA_SSL_ENABLED_PROTOCOLS}

Example: Default Setting with TLS 1.3 and TLS 1.2 Enabled

By default, SecureData 6.9.7 enables both TLS 1.3 and TLS 1.2 for each of the TLS protocol
variables in the /opt/vsmgmt/console/settings.py file. The inbound (tomcat) traffic
supports TLS 1.3 and TLS 1.2. The outbound (Java) LDAP request supports TLS 1.3 and TLS
1.2.
SSL_ENABLED_PROTOCOLS = "TLSv1.3,TLSv1.2"

JAVA_SSL_ENABLED_PROTOCOLS = "TLSv1.3,TLSv1.2"

Example: Different TLS Versions for the Variables

If you configure different settings for the two variables, the resulting TLS versions supported
for the outbound LDAP request will be the minimum set of the combination. With the following
settings, the inbound (tomcat) traffic supports TLS 1.3 and TLS 1.2, and the outbound (Java)
LDAP request supports TLS 1.3, TLS 1.2, and TLS 1.1.

SSL_ENABLED_PROTOCOLS = "TLSv1.3,TLSv1.2"

JAVA_SSL_ENABLED_PROTOCOLS = "TLSv1.2,TLSv1.1"

Modifying SSL Protocol Settings


To configure TLS 1.3 and TLS 1.2 SSL protocol settings in your custom settings in the
config.py file:

1. Install and deploy SecureData.

2. Open the /opt/vsmgmt/console/config.py file for editing. The config.py
settings are used as defaults when upgrading the SecureData server.

3. Update the protocols listed for the SSL_ENABLED_PROTOCOLS and
JAVA_SSL_ENABLED_PROTOCOLS variables.

CAUTION: Do not disable TLS 1.2. It is required (by CentOS) for internal communications between
services and between HSMs and services.

For example, the following settings enable both TLS 1.3 and TLS 1.2 for external
inbound traffic and outbound LDAP requests:
SSL_ENABLED_PROTOCOLS = "TLSv1.3,TLSv1.2"
JAVA_SSL_ENABLED_PROTOCOLS = "TLSv1.3,TLSv1.2"

4. Ensure that you also configure strong SSL ciphers to support the TLS versions you
configure. See Configure Strong SSL Ciphers for TLS 1.3 and TLS 1.2.

5. Save the config.py file.

6. Restart the management service.


systemctl restart vsmgmt

7. Deploy the changes from the Management Console.

Configure Strong SSL Ciphers for TLS 1.3 and TLS 1.2

For new installations, SecureData servers use a list of Strong SSL Ciphers supporting TLS 1.3
(new in SDA 6.9.7) and TLS 1.2 by default in the settings.py file. If you have custom
settings in the config.py file, your settings will not be modified during an upgrade. After the
upgrade, you can modify your custom settings in the config.py file to add Strong SSL
Ciphers, according to the TLS protocols enabled for your system.

Default Cipher Settings


SecureData sets strong SSL ciphers using the STRONG_SSL_CIPHERS variable in the
settings.py file. Ciphers are listed in the default order of preference. By default in the
settings.py file, the USE_CIPHER_ORDER variable is set to true, which enables Tomcat to
enforce the order.

In SecureData 6.9.7, the default strong SSL cipher settings for TLS 1.3 and TLS 1.2 support are:

STRONG_SSL_CIPHERS = "TLS_AES_128_GCM_SHA256," \
"TLS_AES_256_GCM_SHA384," \
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," \
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," \
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384," \
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," \
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," \
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"

The following table lists the ciphers defined in SecureData Appliance 6.9.7 in the order of
preference. The SecureData Appliance identifies each cipher by the name used by IANA
(Internet Assigned Numbers Authority). The table also shows each cipher's name used by
OpenSSL, which uses different names for the same ciphers.

Figure 3-1 Default Strong SSL Ciphers in SecureData

NOTE: If you have custom cipher settings in the config.py file prior to an upgrade, the upgrade process
preserves your custom settings. To overwrite your existing custom settings from a prior release, you must
make changes in the config.py file.

Specifying Custom Cipher Settings


You can override the default cipher settings by adding the STRONG_SSL_CIPHERS variable in
the /opt/vsmgmt/console/config.py file and specifying different cipher values. Applying
custom settings in the config.py file requires a re-deployment from the Management
Console.

CAUTION: Do not remove all strong SSL ciphers for TLSv1.2 from the configuration. TLS 1.2 is required (by
CentOS) for internal communication between SDA services and between HSMs and SDA services.
Do not modify the settings.py file; it is overwritten with every software upgrade.

You can specify the ciphers for the STRONG_SSL_CIPHERS variable in a preferred order. Add
the USE_CIPHER_ORDER variable in the config.py file, and set it to true to enable Tomcat
to enforce the order. Set the variable to false to let Tomcat choose the first acceptable cipher
suite that is presented by the client that matches a cipher in your list.

# This setting forces Tomcat to honor the order the ciphers are listed in (useServerCipherSuitesOrder)
USE_CIPHER_ORDER = True

To configure TLS 1.3 and TLS 1.2 cipher settings in your custom settings in the config.py
file:

1. Install and deploy SecureData.

2. Open the /opt/vsmgmt/console/config.py file for editing. The config.py
settings are used as defaults when upgrading the SecureData server.

3. Add the STRONG_SSL_CIPHERS variable, and list the ciphers you want to use. See the
example above of the default cipher settings for SecureData 6.9.7.

4. To enable Tomcat to enforce your custom preferred order, add the
USE_CIPHER_ORDER variable and set it to true.
USE_CIPHER_ORDER = True

5. Save the config.py file.

6. Restart the management service.


systemctl restart vsmgmt

7. Deploy the changes from the Management Console.
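
A pre-restart check for the protocol and cipher overrides described in the two procedures above, as an added example that is not part of the guide or the product. It assumes config.py is a Python file of simple NAME = value assignments and treats the outbound LDAP set as the union of the two protocol variables; the function names and the sample overrides are constructed for illustration.

```python
import ast

# Defaults the guide lists for SecureData 6.9.7 (settings.py).
DEFAULTS = {
    "SSL_ENABLED_PROTOCOLS": "TLSv1.3,TLSv1.2",
    "JAVA_SSL_ENABLED_PROTOCOLS": "TLSv1.3,TLSv1.2",
    "STRONG_SSL_CIPHERS": (
        "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,"
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,"
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,"
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
    ),
    "USE_CIPHER_ORDER": True,
}
# TLS 1.3 cipher suite names defined in RFC 8446.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}
# Names for protocol versions older than TLS 1.2 ("TLS1" is the spelling in
# the guide's TLS 1.0 example; "TLSv1" is the standard JSSE name).
LEGACY_PROTOCOLS = {"TLSv1.1", "TLSv1", "TLS1", "SSLv2Hello", "SSLv3"}

# Constructed sample of config.py overrides, not taken from a real appliance.
SAMPLE_CONFIG = r'''
SSL_ENABLED_PROTOCOLS = "TLSv1.3,TLSv1.2"
JAVA_SSL_ENABLED_PROTOCOLS = "TLSv1.2,TLSv1.1"
STRONG_SSL_CIPHERS = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," \
                     "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
USE_CIPHER_ORDER = true
'''


def split_csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def read_overrides(source):
    """Read NAME = <literal> assignments without executing the file."""
    values, findings = {}, []
    for node in ast.parse(source).body:
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)
                and node.targets[0].id in DEFAULTS):
            continue
        name = node.targets[0].id
        try:
            value = ast.literal_eval(node.value)
        except (ValueError, TypeError):
            # For example `true` instead of `True`: a NameError when executed.
            findings.append(f"{name}: line {node.lineno} is not a Python literal")
            continue
        if type(value) is not type(DEFAULTS[name]):
            findings.append(f"{name}: expected {type(DEFAULTS[name]).__name__}")
            continue
        values[name] = value
    return values, findings


def audit(source):
    """Return the effective protocol sets and a list of findings."""
    overrides, findings = read_overrides(source)
    cfg = {**DEFAULTS, **overrides}
    inbound = split_csv(cfg["SSL_ENABLED_PROTOCOLS"])
    java = split_csv(cfg["JAVA_SSL_ENABLED_PROTOCOLS"])
    # Assumption from the guide: outbound LDAP supports the combination of both.
    outbound = inbound + [p for p in java if p not in inbound]
    ciphers = split_csv(cfg["STRONG_SSL_CIPHERS"])

    for var, protos in (("SSL_ENABLED_PROTOCOLS", inbound),
                        ("JAVA_SSL_ENABLED_PROTOCOLS", java)):
        if "TLSv1.2" not in protos:
            findings.append(f"{var}: TLSv1.2 is missing; internal SDA and HSM traffic needs it")
    for direction, protos in (("inbound", inbound), ("outbound LDAP", outbound)):
        legacy = [p for p in protos if p in LEGACY_PROTOCOLS]
        if legacy:
            findings.append(f"{direction}: legacy protocols enabled: {', '.join(legacy)}")
    if "TLSv1.3" in outbound and not any(c in TLS13_SUITES for c in ciphers):
        findings.append("TLSv1.3 is enabled but STRONG_SSL_CIPHERS has no TLS 1.3 suite")
    if not any("_WITH_" in c for c in ciphers):
        findings.append("STRONG_SSL_CIPHERS has no TLS 1.2 suite")
    if not cfg["USE_CIPHER_ORDER"]:
        findings.append("USE_CIPHER_ORDER is False; the client's preference picks the suite")
    return {"inbound": inbound, "outbound": outbound, "findings": findings}


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG)["findings"]:
        print(finding)
```

Run it against a copy of config.py before restarting vsmgmt; an empty findings list means the overrides keep TLS 1.2, pair TLS 1.3 with a TLS 1.3 suite, and enable nothing older than TLS 1.2.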

Configure Time Zone and System Clock to Use UTC

In SecureData 6.9.7 (or later), the Time Zone default setting is Etc/UTC. The "System clock
uses UTC" check box is selected by default. This setting configures the system to use RTC time
in UTC and to automatically maintain time zone changes and daylight savings time
adjustments.

NOTE: If you disable (clear) the “System Clock uses UTC” check box, you are configuring the system clock
to use RTC time in the local time zone. You must use external facilities to maintain time zone changes and
daylight savings time adjustments.

These default settings apply only for new installations. System settings are not modified for
upgrades applied to existing systems. After upgrading to SecureData 6.9.7, you can modify
Time Zone settings to use the default values for Time Zone (Etc/UTC) and the "System clock
uses UTC" check box (selected).

Modify Time Zone and System Clock Settings


For a Single Server Deployment or for the Management Console in a multi-host environment:

1. Log in to the Appliance menu as user admin.

2. Change the appliance’s Time Zone and System Clock settings.


a. From the Main Menu, choose b. Configure Time/Date.
b. From the Time/Date Configuration Menu, choose e. Set Time Zone.
c. Configure your system to use the default settings (in SecureData 6.9.7 and later):
• Use the arrow keys to move up or down the list of time zones, and highlight the
default Time Zone setting Etc/UTC.
• Enable (select) the “System Clock uses UTC” check box. This default setting
configures the system to use RTC time in UTC and to automatically maintain
time zone changes and daylight savings time adjustments.

CAUTION: If you disable (clear) the “System Clock uses UTC” check box, you are configuring
the system clock to use RTC time in the local time zone. You must use external facilities to
maintain time zone changes and daylight savings time adjustments.

d. Press Tab twice to move to the OK button, and press Enter to apply the settings.
A message displays to identify additional steps required to effect the changes in the
Management Console and remote hosts. Your Time Zone settings have been
applied locally.

e. Use the arrow keys to select Back to return to the Main Menu.

3. Restart the Management Console service for the new Time Zone settings to take effect.

4. Log out of the appliance.

5. Re-register any remote hosts in your system for this Management Console. For
information, see “Re-Register Remote Hosts” on page 4-10.

4 Appliance Operations

This chapter describes post-setup operational tasks for the Voltage SecureData Appliance,
using the Voltage SecureData Appliance Menu. To modify the configuration, use the
information in “Configure SecureData Appliance” on page 2-1.
• Login for the Appliance
• Change Passwords for admin Accounts
• Enable, Disable, or Restart Services
• Reboot or Shut Down Your Server
• Apply Management Console Certificate
• Enable or Disable Remote Access to the Management Console
• View Host Registration Password
• Re-Register Remote Hosts

Login for the Appliance


Use the Appliance admin account to log in to the Appliance directly or to log in remotely
through SSH, after the port has been enabled for SSH to allow remote access. The default SSH
port is 10022 but is configurable. See “Enabling or Disabling SSH” on page 2-7 for details. If
you access the Appliance remotely, set the character set translation on your SSH client (such as
PuTTY) to UTF-8.

When you log in to the Voltage SecureData Appliance using the admin user name, the Voltage
SecureData Appliance Main Menu displays.

Figure 4-1 Appliance Main Menu

Change Passwords for admin Accounts


To keep your server secure, you can use the Password Configuration Menu to change the
password for the admin user for the Appliance or for the admin account for the Management
Console.

To change your passwords:

1. Log in to the Voltage SecureData Appliance with the user name admin.

2. From the Voltage SecureData Appliance Main Menu, choose c. Configure Passwords.
The Password Configuration Menu displays, as shown in Figure 4-2.

Figure 4-2 Password Configuration Menu

3. To change your server password:


a. Choose a. Change Appliance Password.
b. Use the Tab key to highlight Yes and then press Enter.
c. Enter your current password, use the Tab key to highlight OK and then press Enter.
d. Enter a new SecureData Appliance admin password.
The SecureData Appliance admin user password must be 8 to 256 alphanumeric
characters and contain a combination of letters and numbers. The password is case-
sensitive. Your passwords serve as a security check to protect the appliance.
Therefore, it is important to choose passwords that are not easily guessed.
e. Re-enter the new password.
f. Tab to the OK button, and press Enter.
The SecureData Appliance admin user password is updated.

4. To change the password for the Management Console admin account:


a. Use the down arrow key to highlight b. Change Management Console Password.
b. Use the Tab key to highlight Yes, and then press Enter.

c. Enter a new Management Console password.


The Management Console admin user password must be 8 to 256 alphanumeric
characters and contain a combination of letters and numbers. The password is case-
sensitive. Your passwords serve as a security check to protect the SecureData .
Therefore, it is important to choose passwords that are not easily guessed.
d. Re-enter the new password.
e. Tab to the OK button, and press Enter.
The Management Console admin user password is updated.

Enable, Disable, or Restart Services


The Advanced Service Management menu on the Appliance Menu lets you enable, disable,
and restart individual services, including the Management Console, the IBE and SOA
Encryption Web Service, Voltage SecureData Web, and the Event reporting software. There
may be times when you must use this menu to restart a particular service on your server.

For example, you might restart a service from the Appliance Menu if a restart from the
Management Console fails with error messages such as service notification errors or application
server restart errors. If restarting the service also fails from the Appliance Menu, you might need
to restart the appliance, as described in Reboot or Shut Down Your Server.

CAUTION: When you restart the services, it takes several seconds to restart the application server. This
causes a disruption in availability of the server components and may cause failures in client applications.
Accordingly, use the restart services operation only when absolutely necessary.

To enable, disable, or restart services:

1. From the Main Menu, use the down arrow key to highlight f. Configure Services. Use
the down arrow to select OK, then press Enter.
The Service Management Menu displays, as shown in Figure 4-3.

Figure 4-3 Service Management Menu

2. Use the down arrow key to highlight c. Advanced Services Configuration. Use the Tab
key to highlight OK, and then press Enter.

3. To enable, disable, or restart a service, use the down arrow key to highlight the
service you want to set.

4. Use the down arrow key to highlight the action you want to take.

5. Use the Tab key to highlight Yes, and then press Enter.

Reboot or Shut Down Your Server


Use the Appliance Configuration Menu to reboot the server or shut down the server.

To reboot or shut down the Appliance:

1. From the Main Menu, choose g. Manage Appliance. Use the Tab key to highlight OK,
and then press Enter.
The Appliance Configuration Menu displays as shown in Figure 4-4.

Figure 4-4 Appliance Configuration Menu for Reboot or Shut Down Options

2. Do one of the following:


• To reboot the server, choose a. Reboot Appliance. Use the Tab key to highlight
Yes, and then press Enter.
• To shut down the server, choose b. Shut Down Appliance. Use the Tab key to
highlight Yes, and then press Enter.

Apply Management Console Certificate


Use the Appliance Configuration Menu to apply the CA signed certificate you previously
staged on the Management Console. See “Trusted Certificates Overview” in the Voltage
SecureData Administrator Guide for more information on using CA signed certificates.

To apply the CA signed certificate:

1. From the Main Menu, choose g. Manage Appliance. Use the Tab key to highlight OK,
and then press Enter.
The Appliance Configuration Menu displays as shown in Figure 4-4.

Figure 4-5 Appliance Configuration Menu for Apply Management Console Certificate

2. Use the arrow keys to highlight c. Apply Management Console Certificate to apply a
staged CA signed certificate for Management Console services.

CAUTION: To fully secure access to the SecureData Appliance, you must use a CA signed
certificate.

3. Use the Tab key to highlight OK, and then press Enter.

Enable or Disable Remote Access to the Management Console

The Voltage SecureData Appliance allows the Management Console to be accessed on the
external interface. You need to access the Management Console to configure your server after
installation. However, for security reasons, you might want to disable Management Console
access. You can also restrict Management Console access through the Management Console
itself, as described in “Restricting Remote Access to the Management Console” on page 2-23.

To enable or disable access to the Management Console:

1. From the Main Menu, choose a. Configure Networking. Use the Tab key to highlight
OK, and then press Enter.

2. Use the arrow keys to highlight f. Configure Firewall/Remote Access, as shown in
Figure 4-6. Use the Tab key to highlight OK, and then press Enter.

Figure 4-6 Network Configuration Menu

3. From the Firewall/Remote Access Menu, use the arrow keys to highlight
e. Enable/Disable Remote Access To Management Console, and press Enter.

4. Select Yes to enable or disable Management Console access, and press Enter.

View Host Registration Password


To register hosts in the Management Console, you need the registration password from the
host to be registered. You must enter this password when you add the host in the Management
Console by using the System > Hosts page. For information, see “Adding a New Host” in the
Voltage SecureData Administrator Guide or the Management Console Help.

To view a host registration password:

1. Log in to the managed Voltage SecureData Appliance.

2. From the Voltage SecureData Appliance Main Menu, choose e. Host Registration.
The Host Registration Menu displays, as shown in Figure 4-7.

Figure 4-7 Host Registration Menu

3. To view your current registration password, choose b. View Current Registration
Password. Use the Tab key to highlight OK, and then press Enter.
A message displays the registration password for the Appliance. This password is
needed to complete the registration in the Management Console.

Figure 4-8 Example of Generated Registration Password

Re-Register Remote Hosts


You might need to re-register remote hosts if you modify the Time Zone and System Clock
settings on the Management Console in a multi-host environment or if you are registering a
host with a different Management Console. The process requires actions in the Management
Console and in the Appliance Main Menu on the remote host.

To re-register a remote host:

1. Remove the registered host from the Hosts lists in the Management Console.
a. In the Management Console, navigate to System > Hosts tab.
b. On the host list, click Delete next to the registered host whose Time Zone and
System Clock settings you are changing.

2. Log in to the Appliance menu of the remote host as user admin.

3. Delete the appliance’s existing host registration.


a. From the Appliance Main Menu, use the down arrow key to highlight e. Host
Registration.
b. Use the down arrow key to highlight c. Delete Registration. In the confirmation
message, click Yes to delete the registration, then click OK.
c. Use the arrow keys to select Back to return to the Main Menu.

4. Create a new host registration for the appliance.


a. From the Main Menu, choose e. Host Registration.
b. From the Host Registration Menu, choose a. Create New Registration Password.
c. Record the registration password that is generated.

5. Log out of the Appliance.

6. Return to the Management Console where you want to register the host, and navigate
to the System > Hosts tab.

7. Click Add Host to re-add the remote host. Enter all of the information about the host
you want to add, including its newly generated registration password, and click Save.

8. Deploy your changes.


The remote host is now a managed remote host.

5 Troubleshooting

This chapter covers troubleshooting topics.


• SSL Connections Failing
• SSH Connections Failing
• Enable Certificate Revocation Check

SSL Connections Failing


SecureData servers require stronger TLS 1.2 ciphers for SSL communications. This may
prevent older SSL clients from connecting to SecureData hosts.

By default, SecureData servers use a list of ciphers defined by OWASP Cipher String 'B'
supporting TLS 1.2. You can either edit the cipher list to enable older clients, or update your
clients.

CAUTION: This section describes how to restore less-secure TLS 1.2 SSL ciphers. Voltage recommends that
you upgrade older clients to resolve this issue.

The following ciphers were removed in 6.9.5:


TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA

To change the SSL cipher defaults:

1. Install and deploy SecureData.

2. Open the /opt/vsmgmt/console/config.py file for editing. The config.py
settings are used as defaults when upgrading the SecureData server.

NOTE: Do not edit the settings.py file for these changes. The settings.py values are
overwritten during a SecureData upgrade.

3. Update the ciphers listed for the STRONG_SSL_CIPHERS variable, adding any ciphers you
want to use. See the examples below of cipher settings in prior releases.

NOTE: If you are upgrading from an earlier release, the config.py file may not include the
STRONG_SSL_CIPHERS variable. You can simply add the variable at the end of the file.

4. Save the config.py file.

5. Restart the management service.


systemctl restart vsmgmt

6. Deploy the changes from the Management Console.

Example (6.9.7 default cipher settings for TLS 1.3 and TLS 1.2 support)

STRONG_SSL_CIPHERS = "TLS_AES_128_GCM_SHA256," \
"TLS_AES_256_GCM_SHA384," \
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," \
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," \
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384," \
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," \
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," \
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"

Example (6.9.6 default cipher settings for TLS 1.2 support)

STRONG_SSL_CIPHERS = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," \
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384," \
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," \
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," \
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," \
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"

Example (6.9.4 cipher settings)

STRONG_SSL_CIPHERS = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," \
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," \
"TLS_RSA_WITH_AES_128_GCM_SHA256," \
"TLS_RSA_WITH_AES_256_GCM_SHA384," \
"TLS_RSA_WITH_AES_128_CBC_SHA256," \
"TLS_RSA_WITH_AES_256_CBC_SHA256," \
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," \
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," \
"TLS_RSA_WITH_AES_128_CBC_SHA," \
"TLS_RSA_WITH_AES_256_CBC_SHA," \
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," \
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
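
An added example, not part of the guide or the product, that parses IANA cipher suite names to show what a custom STRONG_SSL_CIPHERS list changes relative to the 6.9.7 default. It uses the guide's 6.9.4 list as the custom input; the function names and report keys are hypothetical.

```python
# Default STRONG_SSL_CIPHERS for SecureData 6.9.7, as listed in the guide.
DEFAULT_697 = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]
# The guide's "6.9.4 cipher settings" example, used here as the custom list.
CUSTOM_694 = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
]

AEAD_MODES = {"GCM", "CCM", "POLY1305"}
KNOWN_HASHES = {"SHA", "SHA256", "SHA384"}
EPHEMERAL_KEY_EXCHANGES = {"ECDHE", "DHE"}


def parse_suite(name):
    """Split an IANA suite name into properties; None if the name is malformed."""
    if not name.startswith("TLS_"):
        return None
    body = name[len("TLS_"):]
    key_exchange, sep, rest = body.partition("_WITH_")
    if not sep:
        # TLS 1.3 names carry no key exchange; full handshakes use (EC)DHE.
        key_exchange, rest = None, body
    elif not key_exchange:
        return None
    cipher, _, digest = rest.rpartition("_")
    if not cipher or digest not in KNOWN_HASHES:
        return None  # catches mistyped hash names before a restart does
    ephemeral = (key_exchange is None
                 or key_exchange.split("_")[0] in EPHEMERAL_KEY_EXCHANGES)
    return {
        "tls13": key_exchange is None,
        "forward_secrecy": ephemeral,
        "aead": bool(AEAD_MODES & set(cipher.split("_"))),
    }


def compare(custom, baseline=DEFAULT_697):
    """Report what `custom` adds to or drops from the baseline list."""
    report = {"malformed": [], "added_without_forward_secrecy": [],
              "added_without_aead": [], "dropped_tls13": []}
    for name in custom:
        info = parse_suite(name)
        if info is None:
            report["malformed"].append(name)
            continue
        if name in baseline:
            continue
        if not info["forward_secrecy"]:
            # Static RSA key exchange: recorded sessions can be decrypted
            # later if the server's private key is ever disclosed.
            report["added_without_forward_secrecy"].append(name)
        if not info["aead"]:
            report["added_without_aead"].append(name)
    report["dropped_tls13"] = [n for n in baseline
                               if parse_suite(n)["tls13"] and n not in custom]
    return report


if __name__ == "__main__":
    for key, names in compare(CUSTOM_694).items():
        print(f"{key}: {len(names)}")
        for name in names:
            print(f"  {name}")
```

For the 6.9.4 list the report shows the six TLS_RSA suites as added without forward secrecy and both TLS 1.3 suites as dropped, which is the trade made when the older list is restored for legacy clients.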

SSH Connections Failing


SecureData 6.9.5 upgraded the security of SSH connections by removing support for some
less-secure SSH algorithms. This means that older SSH clients may be unable to connect to
SecureData. If you cannot upgrade your SSH clients, you can reconfigure the SSH server on
SecureData to use weaker MAC and key exchange algorithms.

CAUTION: This section describes how to restore weaker MAC and key exchange algorithms. Micro Focus
Voltage recommends that you upgrade older clients to resolve this issue.

To reconfigure the SSH server:

1. Log in to SecureData as root.

2. Open the /etc/ssh/sshd_config file for editing.

3. Search for MACs.

4. Append the following to the list:


hmac-sha1,hmac-sha2-256,hmac-sha2-512

Example result

MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1,hmac-sha2-256,hmac-sha2-512

5. Search for KexAlgorithms.

6. Append the following to the list:


ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1

Example result

KexAlgorithms diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1

7. Save the file.

8. To restart the sshd service, run:


systemctl restart sshd

9. Launch a new SSH session to verify that you can now connect.
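
To keep track of which appliances have had the weaker algorithms restored, the following added example (not part of the guide or the product) reads the MACs and KexAlgorithms lines from sshd_config text and reports the restored and SHA-1 based entries. The sample excerpt is constructed from the guide's example result lines; the function names are hypothetical.

```python
import re

# Algorithms the procedure above appends to sshd_config (from the guide).
RESTORED = {
    "macs": {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"},
    "kexalgorithms": {
        "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
        "diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha1",
    },
}

# Constructed excerpt; the two lists are the guide's "Example result" lines.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (excerpt)
Port 10022
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1,hmac-sha2-256,hmac-sha2-512
KexAlgorithms diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
"""


def configured_lists(text):
    """Return the raw value of each audited keyword.

    Keywords are case-insensitive and the first occurrence of a keyword is
    the one sshd uses, so later duplicates are ignored here as well.
    """
    lists = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"(\w+)[\s=]+(.*)", line)
        if not match:
            continue
        keyword = match.group(1).lower()
        if keyword in RESTORED and keyword not in lists:
            lists[keyword] = match.group(2).strip()
    return lists


def uses_sha1(algorithm):
    """True for names such as hmac-sha1 or diffie-hellman-group14-sha1."""
    return "sha1" in algorithm.split("@")[0].split("-")


def audit_sshd(text):
    report = {}
    for keyword, value in configured_lists(text).items():
        if value.startswith("-"):
            # OpenSSH "-list" syntax removes algorithms from the defaults.
            names = []
        else:
            # "+list" appends to and "^list" prepends to the defaults.
            names = [n.strip() for n in value.lstrip("+^").split(",") if n.strip()]
        report[keyword] = {
            "restored": [n for n in names if n in RESTORED[keyword]],
            "sha1": [n for n in names if uses_sha1(n)],
            # Algorithm lists are comma-separated; whitespace inside the
            # list usually means an entry was pasted with a stray space.
            "has_whitespace": bool(re.search(r"\s", value)),
        }
    return report


if __name__ == "__main__":
    for keyword, result in audit_sshd(SAMPLE_SSHD_CONFIG).items():
        print(keyword, result)
```

A keyword that is absent from the report is not set in the file, so the sshd defaults for that list apply.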

Enable Certificate Revocation Check


Starting with the SDA 6.9.3 release, you can enable support for certificate revocation status
check in client certificate authentication. When enabled, a revoked client certificate provided for
CERTIFICATE authentication will be rejected during SSL handshake.

The certificate revocation check is disabled by default.

To enable the certificate revocation check:

1. Open the /opt/vsmgmt/console/config.py file on the Management Console
appliance for editing.

2. Add "CHECK_CERTIFICATE_REVOCATION = True" to the file and save it.

3. From the Appliance Configuration menu, navigate to Configure Services > Advanced
Service Configuration > Management Service > Restart Management Console and
select OK. See “Enabling, Disabling, and Restarting Services” on page 2-20.

4. From the Management Console, click Deploy.

An event is logged when IBE/SOA service is started to indicate whether certificate revocation
status check is turned on.
• When certificate revocation status check is disabled:

2020-08-27 21:20:36,492 CEF:0|Voltage|KeyServer|6.9.6|96000|cert manager config|7|msg=Client certificate revocation status check is disabled shost=voltage-pp-0000.<domain>

• When certificate revocation status check is enabled:

2020-08-28 10:00:58,088 CEF:0|Voltage|KeyServer|6.9.6|96000|cert manager config|5|msg=Client certificate revocation status check is enabled shost=voltage-pp-0000.<domain>
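
The startup event can be monitored to find hosts whose most recent IBE/SOA service start had the revocation check turned off. The following is an added example, not part of the guide or the product, that parses the CEF lines shown above; the third sample line and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# The first two lines are the events shown in the guide; the third is a
# constructed event for a second, hypothetical host.
SAMPLE_LOG = """\
2020-08-27 21:20:36,492 CEF:0|Voltage|KeyServer|6.9.6|96000|cert manager config|7|msg=Client certificate revocation status check is disabled shost=voltage-pp-0000.<domain>
2020-08-28 10:00:58,088 CEF:0|Voltage|KeyServer|6.9.6|96000|cert manager config|5|msg=Client certificate revocation status check is enabled shost=voltage-pp-0000.<domain>
2020-08-28 11:15:02,311 CEF:0|Voltage|KeyServer|6.9.6|96000|cert manager config|7|msg=Client certificate revocation status check is disabled shost=voltage-pp-0001.<domain>
"""

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
MSG_PREFIX = "Client certificate revocation status check is "


def parse_cef(line):
    """Parse '<timestamp> CEF:<header>|<extension>' into a dict, or None."""
    stamp, sep, cef = line.partition(" CEF:")
    if not sep:
        return None
    # Seven header fields separated by unescaped pipes, then the extension.
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)
    if len(parts) != 8:
        return None
    try:
        when = datetime.strptime(stamp.strip(), "%Y-%m-%d %H:%M:%S,%f")
    except ValueError:
        return None
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    event["time"] = when
    # Extension values may contain spaces; a value ends where the next
    # "key=" begins or at the end of the line.
    event["ext"] = {m.group(1): m.group(2) for m in
                    re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)", parts[7])}
    return event


def latest_state(lines):
    """Map each shost to (time, enabled) for its most recent startup event."""
    state = {}
    for line in lines:
        event = parse_cef(line)
        if not event or event["name"] != "cert manager config":
            continue
        msg = event["ext"].get("msg", "")
        if not msg.startswith(MSG_PREFIX):
            continue
        verdict = msg[len(MSG_PREFIX):].strip()
        if verdict not in ("enabled", "disabled"):
            continue
        host = event["ext"].get("shost", "unknown")
        if host not in state or event["time"] >= state[host][0]:
            state[host] = (event["time"], verdict == "enabled")
    return state


def hosts_with_check_disabled(lines):
    return sorted(host for host, (_, enabled) in latest_state(lines).items()
                  if not enabled)


if __name__ == "__main__":
    for host in hosts_with_check_disabled(SAMPLE_LOG.splitlines()):
        print("revocation check disabled at last start:", host)
```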

6 Upgrade SecureData Appliance

This chapter describes how to upgrade the Voltage SecureData Appliance software from a
previous version.
• Supported Upgrade Paths
• Upgrade Prerequisites
• Blockers for Upgrade
• Upgrade Notices
• Upgrading Version 6.8.2 or 6.9.x to Version 6.9.7
• Post-Upgrade Configuration Options

Supported Upgrade Paths


The Voltage SecureData Appliance Version 6.9.7 Upgrade Script can directly upgrade an
existing 6.8.2 or 6.9.x installation to Version 6.9.7. See “Upgrading Version 6.8.2 or 6.9.x to
Version 6.9.7,” below. Intermediate version-to-version upgrade paths might be required for
releases prior to 6.8.2. Contact a Voltage Support representative for information about
upgrades from releases prior to 6.8.2.

Upgrade Prerequisites
• All SecureData Appliances in the system must be running the same version.
• Before you begin an upgrade, ensure that your SDA system is up and working properly.
The following are the minimum required configuration and tasks that must be
performed on an existing system before that system can be upgraded.
  • Ensure that all SecureData Appliances have been configured and initialized as
  described in “Configure SecureData Appliance” on page 2-1.

  • Ensure that you perform the following post-initialization configuration tasks to have
  a minimally functional Appliance that can be upgraded:

Table 6-1 Minimum Post-Initialization Configuration Tasks

1. Task: (HSMs only) If you are using an HSM with SDA, set up the HSM and perform the
   additional steps required to make it work with SDA before you create a district that
   uses the HSM.
   For information: See the SDA supplement for your HSM:
   • Voltage SecureData Integration Supplement for Atalla AT1000 HSMs
   • Voltage SecureData Integration Supplement for Entrust nShield HSMs

2. Task: Set the initial district domain name and generate a district.
   For information: In the Voltage SecureData Administration Guide or Management
   Console Help, see:
   • “District Overview”
   • “Setting the Initial District Domain Name”
   • “Generating a District”
   • (HSM only) “Enable an HSM”

3. Task: Generate, stage, and apply a staged CA signed certificate for Management Console
   services.
   NOTE: You can use a self-signed certificate, according to your security needs, in
   non-production environments.
   For information: See requirements and procedures in the following:
   • “Management Console SSL Certificate” on page 1-6
   • “SSL Credentials” in the Voltage SecureData Administration Guide or Management
     Console Help
   • “Apply Management Console Certificate” on page 4-7

4. Task: Deploy the system.
   For information: See “Deploying” in the Voltage SecureData Administration Guide or
   Management Console Help.

5. Task: Go to the Management Console Home page and verify that the system has been
   deployed successfully by viewing the system status and alerts.
   For information: See “Status” and “Alerts” in the Voltage SecureData Administration
   Guide or Management Console Help.

• Review the potential blockers to understand which issues might be relevant to your
existing installations. See “Blockers for Upgrade” on page 6-3.
• Voltage recommends that you first upgrade the appliance hosting the Management
Console.
• Voltage recommends that you re-register the remote hosts after they are upgraded. For
more information, see “Deleting or Resetting Host Registration” on page 2-18.

IMPORTANT: If you are using Atalla AT-1000 HSMs in your SecureData environment and have upgraded
to Atalla version 8.30, you MUST create an AES MFK (AMK) before you can upgrade Voltage SecureData to
version 6.7 and later. See the Voltage SecureData Integration Supplement for Atalla AT1000
HSMs for more information.

Blockers for Upgrade


This section describes features that are no longer available in SecureData. The upgrade
process checks and blocks the upgrade if no-longer-supported data are present in the
database (or system).

Ensure that you understand potential blockers and the actions needed to resolve them.
• Blockers for Upgrades to SDA 6.9 and Later
• Blockers for Upgrades to SDA 6.9.7
• Unsupported or Invalid Formats

Blockers for Upgrades to SDA 6.9 and Later


Beginning in SecureData Version 6.9, the following data protection features are no longer
supported:
• BIN mapping
• Database tokenization

If you are using data protection formats with either of these features, upgrading to SecureData
6.9 and later is blocked.

The upgrade process detects whether BIN mapping or database tokenization features are in
use, but it does not identify each instance. If you are using these features, modify or remove the
affected data protection formats, and make a new backup before upgrading to Version 6.9 or
later.

Blockers for Upgrades to SDA 6.9.7


Beginning in SecureData Version 6.9.7, the following data protection features are no longer
available:
• Mixed Common Name for Key Rotation Group
• Regular Expression Format Masks
• Authorization Method HMAC SHA1

If you are using these features, upgrading to SecureData Version 6.9.7 is blocked. The upgrade
process checks for and reports on each of these issues before it blocks the upgrade with the
message:

Upgrade terminated due to above errors. Contact Voltage Support for additional
guidance.

Use the logged events to manually correct the issues in your prior release, and make a new
backup before upgrading to SecureData Version 6.9.7. The following sections contain
information about each unsupported feature.

Mixed Common Name for Key Rotation Group


Using mixed common names for key numbers in a key rotation group is no longer supported.
All key numbers in a key rotation group must have the same common name (all with the same
value or all blank). On the Key Management > Key Rotation page used to Add or Edit the Key
Number for a Key Rotation Group, the common name can be changed for the first or only
remaining key number.

The upgrade process checks key rotation group settings for mixed common names, displays
the following error message in the console screen, lists affected key rotation groups, and blocks
the upgrade.

One or more invalid Key Rotation Groups with mixed common names detected. All key
numbers in a key rotation group must have the same common name.

It lists the name of each affected key rotation group and the type of naming error. There are
three mixed name conditions:
• Example: Mix of Non-Blank Common Names

Key Rotation Group name "<key-rotation-group-name>": Invalid Key Rotation Group
with different common names detected, with no key numbers having a blank common
name. (Case: A, B, C.)

• Example: Mix of Blank and Same Non-Blank Common Names

Key Rotation Group name "<key-rotation-group-name>": Invalid Key Rotation Group
with a mix of blank and non-blank common names detected, with all non-blank
common names having the same value. (Case: A, A, none.)

• Example: Mix of Blank and Different Non-Blank Common Names

Key Rotation Group name "<key-rotation-group-name>": Invalid Key Rotation Group
with a mix of different as well as some blank common names detected. (Case: A, B,
none.)


To prepare your system for upgrade, modify common names for each identified key rotation
group to ensure they meet this new requirement. Use the logged events to manually correct
the issues in your prior release. Make a new backup before upgrading to SecureData Version
6.9.7.
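The three mixed-name conditions can be checked before the upgrade is attempted. The following is an added example, not part of the Voltage guide or product: it assumes you have listed each group's key numbers and common names yourself (the rows and group names below are constructed) and that common names are compared as exact strings.

```python
from collections import defaultdict

# Constructed inventory rows: (key rotation group, key number, common name).
# "" or None stands for a blank common name.
SAMPLE_ROWS = [
    ("krg-cards", 1, "cn-a"), ("krg-cards", 2, "cn-b"), ("krg-cards", 3, "cn-c"),
    ("krg-hr", 1, "cn-a"), ("krg-hr", 2, "cn-a"), ("krg-hr", 3, ""),
    ("krg-web", 1, "cn-a"), ("krg-web", 2, "cn-b"), ("krg-web", 3, None),
    ("krg-ok", 1, "cn-a"), ("krg-ok", 2, "cn-a"),
    ("krg-blank", 1, ""), ("krg-blank", 2, ""),
]


def classify(common_names):
    """Map one group's common names to 'ok' or one of the three
    mixed-name conditions described in the guide."""
    names = [n or "" for n in common_names]
    has_blank = "" in names
    distinct = {n for n in names if n}
    if not distinct or (len(distinct) == 1 and not has_blank):
        return "ok"                             # all blank, or all the same value
    if not has_blank:
        return "different non-blank"            # Case: A, B, C
    if len(distinct) == 1:
        return "blank and same non-blank"       # Case: A, A, none
    return "blank and different non-blank"      # Case: A, B, none


def audit(rows):
    """Return {group: (condition, {common name: [key numbers]})} for
    every group that would block the upgrade."""
    groups = defaultdict(lambda: defaultdict(list))
    for group, key_number, common_name in rows:
        groups[group][common_name or ""].append(key_number)
    report = {}
    for group in sorted(groups):
        by_name = {name: sorted(nums) for name, nums in groups[group].items()}
        # Expand back to one name per key number so blanks are counted.
        names = [name for name, nums in by_name.items() for _ in nums]
        condition = classify(names)
        if condition != "ok":
            report[group] = (condition, by_name)
    return report


if __name__ == "__main__":
    for group, (condition, by_name) in audit(SAMPLE_ROWS).items():
        print(f"{group}: {condition}: {by_name}")
```

The per-name key number lists show which key numbers carry the odd value, which is what you need when correcting the group in the prior release.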

Regular Expression Format Masks


Regular Expression (Regex) format masking is no longer supported. All Mask settings must be
Leading and Trailing characters only. In the Web Service > Format Mask Settings pages,
options to configure an Unmask Type set to Unmasking Regular Expression and the Mask
Pattern are no longer available under Default Mask Settings and Custom Mask Settings.

The upgrade process checks format mask settings for regex masking, displays the following
error message in the console screen, lists affected formats, and blocks the upgrade:

One or more Formats with regular expression Mask Settings detected. Regex masking is no
longer supported.

It lists the name of each affected format and whether the regex Mask error is for the Default
Mask Setting or Custom Mask Setting.
• Example: Default Mask Settings

Format name "<format_name>": RegEx masking found in Default Mask Settings

• Example: Custom Mask Settings

Format name "<format_name>": RegEx masking found in Custom Mask Settings

To prepare your system for upgrade, modify the Default and Custom Mask Settings for the
format mask, or remove the format. Make a new backup before upgrading to SecureData
Version 6.9.7.

Authorization Method HMAC SHA1


The advanced authorization method HMAC SHA1 (AuthToken_HMAC_SHA1) is no longer
supported. All SOAP API operations must be authenticated and authorized only through
Shared Secret, User Password, or Certificate authentication. In the Web Service > System
Settings page under Advanced Options, the Authorization Token Secret, Re-enter
Authorization Token Secret, and Enable AuthToken Caching settings are no longer
available.

The upgrade process checks for the presence of an Authorization Token Secret setting,
displays the following error message in the console screen, and blocks the upgrade.

An 'Authorization Token Secret' has been configured, for use in the advanced
'AuthToken_HMAC_SHA1' auth method in the SOAP API. This auth method is no longer
supported.


To prepare for upgrade, remove the Authorization Token Secret values, clear the Enable
AuthToken Caching check box, and save the settings. Ensure that you configure a supported
authorization method to use for SOAP API operations. Make a new backup before upgrading to
SecureData Version 6.9.7.

Unsupported or Invalid Formats


If the upgrade script finds any unsupported or invalid data protection formats, it will display the
formats and terminate the upgrade. For unsupported formats, remove these formats and run
the upgrade script again. If invalid formats are found, contact Voltage Support to safely resolve
invalid formats and complete your upgrade.

Upgrade Notices

During the upgrade to SecureData 6.9.7, the new default settings described below will not
replace customizations you have made to the config.py file or time settings for the existing
installation. You can update your settings after the upgrade, according to your business needs.

Default SSL Protocols for TLS 1.3 and TLS 1.2


For new installations, SecureData enables TLSv1.3 (new in SDA 6.9.7) and TLSv1.2 by default
in the settings.py file. For upgrades, if the existing installation has custom settings in the
config.py file, your custom settings are not modified during the upgrade. After the upgrade,
you can modify your custom settings to add support for TLS 1.3 (optional) and TLS 1.2
(required) protocols, according to your business needs.

CAUTION: Do not remove TLSv1.2 from the configuration. TLS 1.2 is required (by CentOS) for internal
communication between SDA services and between HSMs and SDA services.

The following SDA services are configured to accept inbound TLS 1.3 and TLS 1.2 traffic by
default for tomcat on ports 443, 8181, and 8182:
• Key Management Service server
• Web Service server (REST and SOAP APIs)
• PIE front-end server


TLS 1.3 is not supported for the Management Console service. The Console requires TLS 1.2
inbound (tomcat, port 8443).

Outbound (Java) LDAP requests from SDA are configured to support TLS 1.3 and TLS 1.2
traffic by default.

A SecureData client must support the TLS 1.3 protocol to use it for its communications with
SecureData services. For information about SecureData client versions that support TLS 1.3 at
the time of this release, see "SecureData Support for TLS 1.3" in the Voltage SecureData
Appliance Architecture Guide.
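To confirm which protocol versions an appliance actually accepts, for example after an upgrade that kept custom config.py settings, a handshake pinned to a single version can be attempted on each port. This is an added example, not Voltage code: the ports and expected versions are taken from the text above, and the function names are this example's own.

```python
import socket
import ssl

# Documented defaults: 443, 8181 and 8182 accept TLS 1.3 and TLS 1.2;
# the Management Console on 8443 accepts TLS 1.2 only.
EXPECTED = {
    443: {"TLSv1.2": True, "TLSv1.3": True},
    8181: {"TLSv1.2": True, "TLSv1.3": True},
    8182: {"TLSv1.2": True, "TLSv1.3": True},
    8443: {"TLSv1.2": True, "TLSv1.3": False},
}
VERSIONS = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}


def probe(host, port, version, timeout=5.0):
    """True if a handshake pinned to `version` succeeds, False if the
    handshake fails, None if the port cannot be reached at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Version probe only: no application data is sent, so the appliance
    # certificate is not validated here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = VERSIONS[version]
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version() == version
    except OSError:  # includes ssl.SSLError: handshake refused, reset or timed out
        return False
    finally:
        raw.close()


def scan(host):
    """Probe every documented port at both protocol versions."""
    return {p: {v: probe(host, p, v) for v in vs} for p, vs in EXPECTED.items()}


def evaluate(observed, expected=EXPECTED):
    """Return sorted (port, version, finding) tuples where the observed
    result differs from the documented default."""
    findings = []
    for port, versions in expected.items():
        for version, want in versions.items():
            got = observed.get(port, {}).get(version)
            if got is None:
                findings.append((port, version, "unreachable"))
            elif got != want:
                findings.append((port, version, "accepted" if got else "refused"))
    return sorted(findings)
```

Call `evaluate(scan(host))` with your appliance's host name. A TLS 1.3 refusal on 443, 8181 or 8182 is consistent with custom settings having been retained through the upgrade, while a TLS 1.2 refusal on any port conflicts with the CAUTION above.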

Default Strong SSL Ciphers for TLS 1.3 and TLS 1.2

For new installations, SecureData servers use a list of Strong SSL Ciphers supporting TLS 1.3
(new in SDA 6.9.7) and TLS 1.2 by default in the settings.py file. If you have custom
settings in the config.py file, your settings will not be modified during an upgrade. After the
upgrade, you can modify your custom settings in the config.py file to add Strong SSL
Ciphers, according to the TLS protocols enabled for your system.

When upgrading from SDA 6.X to 6.9.7, the following default settings and their comments from
prior releases are removed from the config.py file. The default settings from the
settings.py file will apply after the upgrade.

ENABLE_STRONG_SSL_CIPHERS
STRONG_SSL_CIPHERS
CHECK_CERTIFICATE_REVOCATION

However, if you have set a custom list in the config.py file for the strong SSL ciphers, which may
not include the TLS 1.3 cipher (new in SDA 6.9.7), your settings will not be modified during an
upgrade. After the upgrade, you can update your cipher list in the config.py file to update
your strong SSL cipher settings, according to the TLS protocols enabled for your system.

Default Time Zone and System Clock Set to UTC


In the SecureData Appliance Menu, the Time Zone default setting is Etc/UTC. The "System
clock uses UTC" check box is selected by default. This setting configures the system to use
RTC time in UTC and to automatically maintain time zone changes and daylight savings time
adjustments.

NOTE: If you disable (clear) the “System Clock uses UTC” check box, you are configuring the system clock
to use RTC time in the local time zone. You must use external facilities to maintain time zone changes and
daylight savings time adjustments.

These default settings apply only for new installations. System settings are not modified for
upgrades applied to existing systems. After the upgrade, you can update your Time Zone and
System Clock settings for the appliance, as appropriate for your business needs.


Upgrading Version 6.8.2 or 6.9.x to Version 6.9.7


You can upgrade directly from SecureData Appliance version 6.8.2 or 6.9.x to version 6.9.7.
Before you begin, ensure that you meet the “Upgrade Prerequisites” on page 6-1.

IMPORTANT: If you are upgrading a SecureData version purchased after Dec. 28, 2020, you must install a
new Splunk license. See “Configure Event Viewer License” on page 2-14.

The following script upgrades an Appliance running version 6.8.2 or 6.9.x to 6.9.7:
sda_6.9.7_upgrade.run

The script restarts any affected service after it completes successfully.

To upgrade an appliance from version 6.8.2 or 6.9.x to version 6.9.7:

1. Log in to the Management Console as an Administrative user, and create a backup of
your system. For backup instructions, see the Voltage SecureData Administrator Guide
or the Management Console Help.

2. Log out of the Management Console, and then close your browser before you upgrade
the software.

NOTE: The upgrade applies software updates to the Management Console. This action removes
the old CSRF (Cross-Site Request Forgery) token. After the upgrade, a fresh CSRF token will be
generated when you reopen the browser and log in again.

3. Log in to the Appliance as user root.

4. Create a directory under root as /root/sda_upgrade if it does not exist.

5. Copy the script, in binary mode, to the /root/sda_upgrade directory of the
Appliance that you created in Step 4.

6. Grant execute permission to the script, using the appropriate command:

chmod +x /root/sda_upgrade/sda_6.9.7_upgrade.run

7. Run the corresponding script:

/root/sda_upgrade/sda_6.9.7_upgrade.run

8. In a multi-host configuration, repeat Step 2 through Step 7 for each Appliance.

9. Log in to the Management Console as an Administrative user, and deploy the system.
After the upgrade script successfully runs, the Appliance menu and Management
Console display Version 6.9.7, indicating that the upgrade was successful.


10. (Remote hosts) Re-register each remote host after it has been successfully upgraded.
For more information, see “Deleting or Resetting Host Registration” on page 2-18.

Post-Upgrade Configuration Options


Use the following information to configure new options and update new default settings after
you upgrade appliances in your existing installation to SecureData 6.9.7.
• “Enable or Disable Caching for Simple API Key Requests” on page 3-1
SecureData 6.9.7 supports caching of key requests from Simple API. You can enable or
disable the Simple API memory cache in the config.py file. It is enabled by default.
• “Configure Log Forwarding for Syslog Using TCP with TLS” on page 3-3
SecureData 6.9.7 adds functionality that supports log forwarding using TCP with TLS.
You can configure a Syslog client on the Appliance host with settings that will securely
forward logs from SDA localhost to a remote Syslog host by using TCP with TLS. Enable
Syslog logging settings for localhost in the Management Console separately for the Key
Management Service, Web Service, PIE Service, and Console Service. The Syslog client
and Syslog logging are not configured by default.
• “Configure SSL Protocols for TLS 1.3 and TLS 1.2” on page 3-12
If the config.py file for an existing system had custom settings for SSL protocols, the
custom settings still apply after upgrading the system. You can modify custom settings
in the config.py file to support TLS 1.3 and TLS 1.2 SSL protocols.
• “Configure Strong SSL Ciphers for TLS 1.3 and TLS 1.2” on page 3-14
If the config.py file for an existing system had custom settings for Strong SSL Ciphers,
the custom settings still apply after upgrading the system. You can modify custom
settings in the config.py file to support Strong SSL Ciphers for TLS 1.3 and TLS 1.2.
• “Configure Time Zone and System Clock to Use UTC” on page 3-17
The Time Zone settings for an existing installation are not modified during the upgrade.
To use UTC and have automatic time management provided on an appliance, modify its
values for Time Zone (Etc/UTC) and the "System clock uses UTC" check box
(enabled).


• Restore from backup of the prior system.
For restore instructions, see the Voltage SecureData Administrator Guide or the
Management Console Help.

NOTE: (HSM) If the backup contains configuration for an HSM and HSM types of districts for
Utimaco Atalla HSMs or for Entrust nShield HSMs:

• Before you restore the backup, ensure that you prepare the HSM to work with this
SecureData release, and install the corresponding HSM client software for your HSM on the
appliance. See the following for information about your HSM:

Voltage SecureData Integration Supplement for Utimaco Atalla HSMs

Voltage SecureData Integration Supplement for Entrust nShield HSMs

• After you restore from backup and before you deploy the changes, you must reset (clear,
save, select, save) the restored HSM enabled setting in the Management Console on the
System > Advanced page. This is necessary to ensure that the Management Console uses
the HSM FEK.

• (Recommended) Re-register the remote hosts after they are upgraded.
For more information, see “Deleting or Resetting Host Registration” on page 2-18. See
also “Adding Hosts” in the Voltage SecureData Administrator Guide or the Management
Console Help.
