There are multiple reasons why somebody would like to have a KSM server.
\nThis article explains how to set up such a server with persistent database storage, so that an encrypted vm survives a complete (vcenter\/esxi) reboot.
\nAlthough it works, it is certainly not recommended to do it this way in large environments.
\nBut nevertheless, it’s a cheap way to get a vtpm.
\nRemark: After a reboot of vcenter, the trust seems still intact, but does not work anymore! In that case, just remove the KMS cluster-definition and re-add and trust it. After that you should be able to unlock encrypted VMs again.<\/p>\n
I did this with an minimal Ubuntu server 18.04.1 64bit install. The service runs as the admin user (sudoer, not root). You might want to change that to even a less privileges user and probably setup iptables or other means to protect the TPM data! It is an sqlite db, so anybody with file-access could steal and read it! This tutorial also uses a self-signed certificate. If you have a PKI, it would certainly be better to use properly signed and managed ssl certs…
\nYou have been warned! \ud83d\ude09<\/p>\n
<$username> should get replaced with the actual username. Login as user to the ubuntu machine. Fill out the form… If you need to use a proxy, then replace X.X.X.X with the ip of the proxy and PORT with the port your proxy server is available. You might also add “yourproxyusername:yourproxypassword@” directly in front of the ip, if your proxy requires authentication. We will need this one more time later on, so keep them in mind. export https_proxy=http:\/\/X.X.X.X:PORT<\/span> cd \/usr\/local<\/span> sudo -i<\/span><\/p>\n Again, the Proxy, but this time as root.<\/p>\n export https_proxy=http:\/\/X.X.X.X:PORT<\/span> cd \/usr\/local\/PyKMIP<\/span> Enter these following lines between the — signs (but without them) in the nano editor. — We should now be ready to start the service!<\/p>\n cd \/usr\/local\/PyKMIP<\/span> Now you should be able to add the host as KSM server in vcenter with the ip and port 5696.<\/p>\n To make the connection complete, you need to press the “Make KMS trust vcenter” button. Press the “Establish Trust” button.<\/p>\n To let the service start on every boot, you can add it to the crontab.<\/p>\n crontab -e<\/span><\/p>\n Add the following line. and save the file.<\/p>\n @reboot ( sleep 30s; python \/usr\/local\/PyKMIP\/bin\/run_server & )<\/p>\n","protected":false},"excerpt":{"rendered":" There are multiple reasons why somebody would like to have a KSM server. This article explains how to set up such a server with persistent database storage, so that an encrypted vm survives a complete (vcenter\/esxi) reboot. Although it works, … Weiterlesen
\nCommands in green<\/span> should be executed as user.
\nCommands in red<\/span> should get executed as root.
\nThe switch between the two are the sudo and exit commands.<\/p>\n
\nsudo -i<\/span>
\napt-get update<\/span>
\napt-get upgrade<\/span>
\nmkdir \/usr\/local\/PyKMIP<\/span>
\nmkdir \/etc\/pykmip<\/span>
\nmkdir \/var\/log\/pykmip<\/span>
\nchown <$username>: -R \/usr\/local\/PyKMIP<\/span>
\nchown <$username>: -R \/etc\/pykmip<\/span>
\n chown <$username>: -R \/var\/log\/pykmip<\/span>
\n apt -get installpython-dev libffi-dev libssl-dev libsqlite3-dev python-setuptools python-requests<\/span>
\n openssl req -x509 -nodes -days 9999 -newkey rsa:2048 -keyout \/etc\/ssl\/private\/selfsigned.key -out \/etc\/ssl\/certs\/selfsigned.crt<\/span><\/p>\n
\n
\nchown <$username>: -R \/etc\/ssl\/private<\/span>
\nchown <$username>: \/etc\/ssl\/certs\/selfsigned.crt<\/span>
\n exit<\/span>
\ncd \/usr\/local<\/span><\/p>\n
\nIf you don’t need any proxy, the you can leave the following two commands out.<\/p>\n
\nexport http_proxy=http:\/\/X.X.X.X:PORT<\/span><\/p>\n
\ngit clone https:\/\/github.com\/OpenKMIP\/PyKMIP<\/span><\/p>\n
\nexport http_proxy=http:\/\/X.X.X.X:PORT<\/span><\/p>\n
\n python setup.py install<\/span>
\nexit<\/span>
\nnano \/etc\/pykmip\/server.conf<\/span><\/p>\n
\nReplace hostname=10.X.X.X with the servers IP.
\nQuit with ctrl-x followed by y and enter<\/p>\n
\n[server]
\ndatabase_path=\/etc\/pykmip\/pykmip.database
\nhostname=10.X.X.X
\nport=5696
\ncertificate_path=\/etc\/ssl\/certs\/selfsigned.crt
\nkey_path=\/etc\/ssl\/private\/selfsigned.key
\nca_path=\/etc\/ssl\/certs\/selfsigned.crt
\nauth_suite=TLS1.2
\npolicy_path=\/usr\/local\/PyKMIP\/examples\/
\nenable_tls_client_auth=False
\ntls_cipher_suites=
\nTLS_RSA_WITH_AES_128_CBC_SHA256
\nTLS_RSA_WITH_AES_256_CBC_SHA256
\nTLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
\nlogging_level=DEBUG
\n—<\/p>\n
\n python bin\/run_server.py<\/span><\/p>\n
\nChoose “KMS certificate and private key”
\nOpen a new shell to the ubuntu server
\ncat \/etc\/ssl\/certs\/selfsigned.crt<\/span>
\ncopy the whole output inclusive the —begin and end — messages and paste it to the first field “KMS Certificate” in vcenter
\ncat \/etc\/ssl\/private\/selfsigned.key<\/span>
\ncopy the whole output inclusive the —begin and end — messages and paste it to the second field “KMS Private Key” in vcenter<\/p>\n