Don't Control the Network? No Problem. Nutanix Native DR Encryption to The Rescue

  • 18 November 2022

Stop Man-in-the-Middle Attacks.



Whether you're replicating to the cloud or to a remote branch site, you may not control the networking stack end to end. When you don't control the networking stack end to end, or you're in an environment that simply doesn't have a firewall, you can use Nutanix Native DR encryption between your Nutanix clusters.

The feature is fully supported for both PD and Nutanix DR (PC) based replication.
Changes persist across CVM reboots and upgrades.

AOS needs to be 6.1 or higher.

DR with encryption uses 14119 and 14108 as additional ports; they need to be open bidirectionally between all of the CVMs.

*** Note: you need to run the steps below on each cluster.

To enable this feature:

  1. SSH to the CVM.
  2. Change to the bin directory; all the python commands need to be run from there:
    cd bin
  3. Run the script.
    For PD based replication:
    python onwire_encryption_tool.py --enable <remote_cluster_vip>

    For PC/Nutanix DR replication, ensure your Prism Central availability zones are paired before running:
    python onwire_encryption_tool.py --leap --enable <remote_cluster_vip>

    The script will prompt for the remote admin password.

  4. Ensure that the changes take effect by performing a rolling restart of the cerebro and stargate services on the primary and remote replication clusters using the following command:
    allssh "source /etc/profile; genesis stop cerebro stargate && cluster start; sleep 200"
  5. You can check the enabled or disabled status of encryption of the replication traffic. List which CVM holds the cert:
    allssh "ls -la /home/nutanix/tmp/ | grep -i trusted"

    SSH into the CVM that has the cert and run this command for PD replication:
    python onwire_encryption_tool.py --verify <remote_cluster_vip>

    Run this command for PC/Nutanix DR replication:
    python onwire_encryption_tool.py --leap --verify <remote_cluster_vip>

NOTE: If your cluster is in AWS, you will have to adjust the Management Security Group for ports 14119 and 14108.
If you want to disable encryption at any time:

  1. Run this command for PD replication:
    python onwire_encryption_tool.py --disable <remote_cluster_vip>

    Run this command for PC/Nutanix DR replication:
    python onwire_encryption_tool.py --leap --disable <remote_cluster_vip>

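As an added example (not Nutanix's own tooling), a small shell wrapper around the steps above: it validates the remote VIP, checks that ports 14119 and 14108 answer on the remote side before anything is changed, then runs enable, the rolling restart and verify for either PD or Leap mode. It assumes it runs from /home/nutanix/bin on a CVM (AOS 6.1+), an IPv4 VIP, and that onwire_encryption_tool.py exits non-zero on failure (assumption).

```shell
#!/bin/sh
# Added wrapper (not Nutanix code) for the on-wire encryption steps in the post.
# Assumes: run from /home/nutanix/bin on a CVM, IPv4 remote VIP, and that
# onwire_encryption_tool.py exits non-zero on failure (assumption).

ENC_PORTS="14119 14108"   # from the post: must be open both ways between all CVMs

# Accept only a dotted-quad IPv4 address so a typo or stray shell text never
# reaches the tool (the VIP is later passed through eval).
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

# Build the exact invocation for <pd|leap> <enable|verify|disable> <remote_vip>.
enc_cmd() {
    mode=$1; action=$2; vip=$3
    is_ipv4 "$vip" || { echo "bad remote VIP: $vip" >&2; return 1; }
    case "$action" in enable|verify|disable) ;; *) return 1 ;; esac
    case "$mode" in
        pd)   echo "python onwire_encryption_tool.py --$action $vip" ;;
        leap) echo "python onwire_encryption_tool.py --leap --$action $vip" ;;
        *)    echo "mode must be pd or leap" >&2; return 1 ;;
    esac
}

# Pre-flight: TCP connect to <host> <port> with a 2 s timeout (bash /dev/tcp).
port_open() {
    timeout 2 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Run the post's sequence for one remote cluster: pre-flight, enable,
# rolling restart of cerebro/stargate, then verify.  usage: <pd|leap> <remote_vip>
enable_and_verify() {
    mode=$1; vip=$2
    for p in $ENC_PORTS; do
        port_open "$vip" "$p" || { echo "port $p not reachable on $vip; check firewall/security group" >&2; return 1; }
    done
    cmd=$(enc_cmd "$mode" enable "$vip") || return 1
    eval "$cmd" || return 1
    allssh "source /etc/profile; genesis stop cerebro stargate && cluster start; sleep 200"
    cmd=$(enc_cmd "$mode" verify "$vip") || return 1
    eval "$cmd"
}
```

Invoke as `enable_and_verify pd 10.0.0.5` (or `leap`) from /home/nutanix/bin on each cluster; the pre-flight fails fast when the AWS security group or firewall is still blocking the two ports.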

1 reply


This is a pretty great addition to things like Data at Rest Encryption. I’m looking forward to a GUI coming along for the in transit encryption.
