This document provides an overview and administration guide for Dell EMC CloudLink 7.1.3. It contains 7 chapters that describe how to manage CloudLink licenses, log in to the CloudLink Center graphical user interface, perform common tasks in CloudLink Center like filtering data and viewing alarms, best practices for securing data, and how to manage secure machines registered in CloudLink Center including adding/removing machines, changing encryption keys, and restarting the CloudLink Agent service.

Dell CloudLink 7.1.3 Administration Guide

March 2022
Rev. A00
Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.

CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.

WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2014 - 2022 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners.
Contents

Chapter 1: About Dell EMC CloudLink........................................................................................... 11


About Dell EMC CloudLink for Enterprise and Microsoft Azure and Azure Stack............................................. 11
About Dell EMC CloudLink for PowerFlex.................................................................................................................... 11
About Dell EMC CloudLink for Containers...................................................................................................................12
About Dell EMC CloudLink Administration Guide....................................................................................................... 12
Intended audience for the CloudLink Administration Guide.................................................................................... 12
Get started with Dell EMC CloudLink........................................................................................................................... 12
CloudLink Center server address................................................................................................................................... 13

Chapter 2: Manage CloudLink licenses......................................................................................... 14


View CloudLink licenses....................................................................................................................................................14
Upload CloudLink license files.........................................................................................................................................15
Delete CloudLink license files..........................................................................................................................................15
Manage licensed hosts in CloudLink Center................................................................................................................15
Add a licensed host......................................................................................................................................................15
View a licensed host.................................................................................................................................................... 15
Delete a licensed host................................................................................................................................................. 16

Chapter 3: Log in to CloudLink Center..........................................................................................17


Access CloudLink Center................................................................................................................................................. 17
CloudLink Center server address............................................................................................................................. 17
Change maximum session timeout.................................................................................................................................18
Change the automatic logout interval...........................................................................................................................18
Change the number of login attempts before lockout..............................................................................................18
Enable or disable special characters in password...................................................................................................... 19

Chapter 4: CloudLink Center Graphical User Interface (GUI)....................................................... 20


Navigate through CloudLink Center GUI.....................................................................................................................20
Dell EMC CloudLink Center home page.......................................................................................................................22

Chapter 5: Common tasks you can perform in CloudLink Center.................................................. 24


Save tabulated data to a CSV file................................................................................................................................. 24
Filter table data..................................................................................................................................................................24
Refresh CloudLink Center page data........................................................................................................................... 25
View CloudLink Center alarms....................................................................................................................................... 25

Chapter 6: Best practices to secure data in CloudLink Center..................................................... 26

Chapter 7: Manage secure machines on CloudLink Center........................................................... 27


CloudLink self-encrypting drives (SEDs).....................................................................................................................27
CloudLink prestartup authorization.............................................................................................................................. 28
CloudLink Center registered machines........................................................................................................................ 28
CloudLink Center machine startup..........................................................................................................................28
CloudLink Center machine states............................................................................................................................28

Contents 3
Accept or reject pending machines in CloudLink Center.........................................................................................29
Accept a pending machine..............................................................................................................................................30
Reject a pending machine............................................................................................................................................... 30
View registered machines............................................................................................................................................... 30
Move a registered machine to a different machine group...................................................................................... 30
Scenarios for removing machine from CloudLink Center.........................................................................................31
Remove a machine from CloudLink Center........................................................................................................... 31
Release a license.......................................................................................................................................................... 31
Shred encrypted CloudLink machines.......................................................................................................................... 32
Shred a machine from CloudLink Center...............................................................................................................32
View event history of a machine................................................................................................................................... 32
Refresh mounted devices or devices of a Linux machine ...................................................................................... 33
Work with cloned machines in CloudLink Center...................................................................................................... 33
Change encryption keys on Linux machines......................................................................................................... 34
Change encryption keys on Windows machines.................................................................................................. 34
Change hostnames......................................................................................................................................................35
Restart the CloudLink Agent service on Linux machines........................................................................................ 35
CloudLink Center machine volumes..............................................................................................................................35
Encrypt a volume.........................................................................................................................................................35
Encrypt devices of a Linux Machine from the CLI.............................................................................................. 36
Decrypt a volume.........................................................................................................................................................37
Decrypt a data volume on a self-encrypting drive.............................................................................................. 37
Decrypt boot volume of a Linux machine from the CLI.......................................................................38
Decrypt the mounted volumes of a Linux machine from the CLI.................................................................... 39
Unlock a moved volume............................................................................................................................................. 40
Machine devices.................................................................................................................................................................41
Encrypt a PowerFlex SDS device.............................................................................................................................41
Erase a PowerFlex SDS device................................................................................................................................ 42
Unlock a moved device.............................................................................................................................................. 43
Manage a Self-encrypting Drive from CloudLink Center.........................................................................................43
Manage a self-encrypting drive from the CLI............................................................................................................ 43
Encrypt the devices of a machine from the CLI........................................................................................................ 44
Release a self-encrypting drive......................................................................................................................................44
Release management of a self-encrypting drive from the CLI.............................................................................. 45
Monitor the real-time progress of encryption and decryption processes...........................................................45
Windows machines......................................................................................................................................................45
Linux machines.............................................................................................................................................................45
View volume encryption policy compliance...........................................................................................................45
Exempt volumes from encryption in CloudLink Center......................................................................................46
Change the CloudLink Center IP address................................................................................................................... 46
Change the CloudLink Center IP address on a Windows machine..................................................................46
Change the CloudLink Center IP address on a Linux machine......................................................................... 47
Move a machine to a different CloudLink Center..................................................................................................... 47
Add a new CloudLink Center to an existing cluster and remove the old CloudLink Center............................47
Unlock out-of-band data disks with an ISO image file............................................................................................. 48
Unlock data disks of Linux machines using an ISO image file...........................................................................48
Unlock data disks of Windows machines using an ISO image file................................................................... 50
Unlock out-of-band data disks with a RAW file......................................................................................................... 51
Unlock data disks of Linux machines using a RAW file....................................................................................... 51

Unlock data disks of Windows machines using a RAW file............................................................................... 52

Chapter 8: Manage secure machine groups on CloudLink Center................................................. 53


CloudLink key release policies........................................................................................................................................ 54
CloudLink Center Key Release Policies Matrix.....................................................................................................55
Types of CloudLink key release policies.................................................................................................................56
CloudLink pending machine policy................................................................................................................................ 56
CloudLink Center volume encryption policy............................................................................................................... 56
Types of volume encryption policies in CloudLink Center.................................................................................56
Handle existing encrypted Windows volumes in CloudLink...............................................................................57
CloudLink Center machine group properties.............................................................................................................. 57
View machine groups on CloudLink Center................................................................................................................ 58
Create a machine group on CloudLink Center............................................................................................58
Modify a machine property on a CloudLink Center machine group......................................................................58
Change the volume encryption policy.......................................................................................................................... 59
Change the location of a machine group on CloudLink Center............................................................................. 59
Change key release policies of a machine group on CloudLink Center................................................................60
Change pending policies of a machine group on CloudLink Center......................................................................60
Generate a registration code for a machine group on CloudLink Center.............................................................61
Scenarios for maximum usage of CloudLink licenses................................................................................ 61
Reset the license usage for a machine group............................................................................................................ 62
Delete a machine group from CloudLink Center..........................................................................................62
Manage approved networks for machine groups...................................................................................................... 62
View approved networks on CloudLink Center....................................................................................................63
Add an approved network to CloudLink Center...................................................................................................63
Add IP addresses to an approved network in CloudLink Center..................................................................... 63
Edit IP addresses of an approved network in CloudLink Center..................................................................... 64
Delete IP addresses of an approved network in CloudLink Center.................................................................64
Modify an approved network....................................................................................................................................64
Delete an approved network.................................................................................................................................... 65
Manage approved locations for machine groups...................................................................................................... 65
View approved locations............................................................................................................................................65
Add approved Cloud Providers to approved locations.......................................................................................65
Add an approved location..........................................................................................................................................66
Add a Cloud Provider instance to an approved location....................................................................................66
Modify Cloud Providers..............................................................................................................................................67
Delete Cloud Providers...............................................................................................................................................67
Modify approved locations........................................................................................................................................ 67
Delete approved locations......................................................................................................................................... 67

Chapter 9: Secure CloudLink Center agents using third-party signed certificates....................... 68


Generate a CSR using CloudLink to get a third-party certificate for an agent machine................................ 68
Upload a third-party signed CA certificate to CloudLink........................................................................................ 69
Download a third-party signed certificate for CloudLink agent.............................................................................69
Assign third-party signed certificate to a CloudLink Center Linux agent............................................................70
Assign third-party signed certificate during new installation of CloudLink 7.1.3 on Linux agent............. 70
Assign third-party signed certificate to a Linux agent when upgrading CloudLink from 7.x.x..................71
Assign third-party signed certificate to a CloudLink Center Windows agent.....................................................72
Assign third-party signed certificate during new installation of CloudLink 7.1.3 on Windows agent...... 72

Assign third-party signed certificate to Windows agents during upgrade of CloudLink from earlier versions......................................................................................................................................................... 73

Chapter 10: Manage Key Management Interoperability Protocol (KMIP) servers in CloudLink Center......................................................................................................................................74
Change KMIP server certificates...................................................................................................................................74
Change Subject Alternate names.................................................................................................................................. 75
Download KMIP server certificate................................................................................................................................ 75
Generate CSR for KMIP servers....................................................................................................................................75
Upload KMIP server CA-signed certificate................................................................................................................. 75
Change KMIP CSR server certificate lifetime............................................................................................................ 76
Manage KMIP partitions....................................................................................................................................76
View KMIP partitions.................................................................................................................................................. 76
Add a KMIP partition...................................................................................................................................................76
Modify a KMIP partition............................................................................................................................................. 77
View KMIP partition objects......................................................................................................................................77
Shred a KMIP partition............................................................................................................................................... 77
Rotate encryption keys on a KMIP partition......................................................................................................... 77
Stop key rotation of a KMIP partition.....................................................................................................................78
View the event history of a KMIP partition...........................................................................................................78
Manage KMIP clients........................................................................................................................................................78
Add a KMIP client........................................................................................................................................................ 78
Change the KMIP client password in CloudLink Center ................................................................................... 79
Change KMIP client notes in CloudLink Center................................................................................................... 79
Generate a new certificate for KMIP clients........................................................................................................ 79
Delete a KMIP client................................................................................................................................................... 80
View the event history of a KMIP client................................................................................................................80

Chapter 11: Manage CloudLink Encryption for Containers............................................................ 81


Change Kubernetes server certificate lifetime........................................................................................................... 81
Change Kubernetes server certificate......................................................................................................................... 82
Download Kubernetes server certificate..................................................................................................................... 82
Generate a CSR for Kubernetes....................................................................................................................................82
Upload Kubernetes server CA-signed certificate...................................................................................................... 82
Download the Kubernetes Helm package....................................................................................................................83
Download the Kubernetes node plugin and dockerfile............................................................................................. 83
Add a Kubernetes cluster................................................................................................................................................ 83
Modify a Kubernetes cluster.......................................................................................................................................... 83
Generate a new Kubernetes cluster certificate.........................................................................................................83
Delete a Kubernetes cluster........................................................................................................................................... 84
View the event history of a Kubernetes cluster........................................................................................................ 84
View Kubernetes nodes................................................................................................................................................... 84
View Kubernetes volumes from Kubernetes clusters or Kubernetes nodes.......................................................84
Accept Kubernetes volumes ..........................................................................................................................................85
Supported volume access modes for updating keys for Kubernetes volumes...................................................85
Generate an update key for Kubernetes volumes from Kubernetes clusters or Kubernetes nodes ........... 85

Chapter 12: Manage CloudLink Center user roles......................................................................... 87


Built-in CloudLink Center user roles............................................................................................................................. 87
Implicit user role permissions for using CloudLink Center.......................................................................................88

Manage custom roles....................................................................................................................................................... 88
Role administration example..................................................................................................................................... 88
View CloudLink Center user roles................................................................................................................................. 88
Add CloudLink Center user role..................................................................................................................................... 89
Modify CloudLink Center user roles............................................................................................................................. 89
Change managing roles....................................................................................................................................................90
Delete CloudLink Center custom user roles............................................................................................................... 90

Chapter 13: Manage CloudLink Center users and groups.............................................................. 91


Secadmin user (built-in) role...........................................................................................................................................91
CloudLink Center user types........................................................................................................................................... 91
CloudLink local accounts........................................................................................................................................... 92
CloudLink Domain and Domain Group Accounts..................................................................................................92
2-Factor Authentication (2FA) in CloudLink Center................................................................................................ 92
View CloudLink Center users......................................................................................................................................... 93
Add CloudLink Center users........................................................................................................................................... 93
Additional account set up for Google two-factor authentication....................................................................94
Change user roles in CloudLink Center........................................................................................................................94
Change user password in CloudLink Center...............................................................................................................95
Change 2-Factor Authentication (2FA) for accessing CloudLink Center........................................................... 95
Unlock CloudLink accounts.............................................................................................................................................95
Manually unlock local CloudLink Center users..................................................................................................... 96
Manually unlock built-in secadmin CloudLink Center users.............................................................................. 96
Delete CloudLink Center users...................................................................................................................................... 96

Chapter 14: Manage encryption keystores and keys in CloudLink Center......................................97


CloudLink Center encryption key location and protector options.........................................................................98
Best practices for key location access control and backup..............................................................................99
CloudLink Center key location................................................................................................................................100
CloudLink key protectors..........................................................................................................................................101
View keystores.................................................................................................................................................................. 101
Configure a keystore....................................................................................................................................................... 101
Add a keystore............................................................................................................................................................102
Add an encryption key location.............................................................................................................................. 102
Add an encrypted key protector............................................................................................................................ 103
Set the current keystore................................................................................................................................................104
Modify key location of a keystore............................................................................................................................... 104
Modify key protector of a keystore ........................................................................................................................... 105
Delete a keystore.............................................................................................................................................................105
Resolve missing CloudLink Center key alarm........................................................................................................... 105
Show keys in a keystore................................................................................................................................................ 106
Move keys to another keystore................................................................................................................................... 106
View event history of a keystore................................................................................................................................. 106
Update keys...................................................................................................................................................................... 106

Chapter 15: Monitor CloudLink Center....................................................................................... 108


Actions, events, security events, and alarms in CloudLink....................................................................................109
View CloudLink Center actions.................................................................................................................................... 109
CloudLink events and corresponding syslog severity numbers............................................................................109

Contents 7
View CloudLink Center events..................................................................................................................................... 109
Security events in CloudLink......................................................................................................................................... 110
View CloudLink Center security events...................................................................................................................... 110
View CloudLink Center alarms...................................................................................................................................... 110
Change the CloudLink Center alarm state................................................................................................................. 110
Manage email notifications in CloudLink Center........................................................................................................111
Send test email in CloudLink Center.......................................................................................................................111
Change email subject format in CloudLink Center.............................................................................................. 111
Add recipient in CloudLink Center...........................................................................................................................111
Delete recipient from CloudLink Center................................................................................................................ 111
Change email server configuration in CloudLink Center................................................................................... 112
View individual log files................................................................................................................................................... 112
Download log files.............................................................................................................................................................112
Generate diagnostic log files......................................................................................................................................... 113
Enable the debug mode in CloudLink Center.............................................................................................................113
View user sessions in CloudLink Center......................................................................................................................113
End user sessions in CloudLink Center....................................................................................................................... 114
View usage in CloudLink Center................................................................................................................................... 114
Reset license usage in CloudLink Center....................................................................................................................114

Chapter 16: Back up and restore CloudLink Center..................................................................... 116


CloudLink Center backup............................................................................................................................................... 116
CloudLink backup key pairs and backup files.......................................................................................................116
Change the filename prefix for the backup file......................................................................................................... 117
View CloudLink Center backup information............................................................................................................... 117
Generate a backup key pair............................................................................................................................................117
Change the backup store for automatic backups.................................................................................................... 118
Change the schedule for automatic backups............................................................................................................ 119
Generate a backup file manually................................................................................................................................... 119
Download the current backup file................................................................................................................................ 119
Restore CloudLink Center from a backup file...........................................................................................................120
Restore a CloudLink Center cluster............................................................................................................................ 120
Restore keystores from a backup file..........................................................................................................................121
Best practices for restoring and backing up keys and files in CloudLink Center............................................. 122

Chapter 17: Create and manage CloudLink Center cluster.......................................................... 123


Create a CloudLink Center cluster.............................................................................................................................. 124
CloudLink Center server addresses in CloudLink clusters............................................................................... 124
Associate a server to a CloudLink Center cluster....................................................................................................124
Upload a third-party signed certificate to communicate among cluster nodes............................................... 125
Administer a cluster........................................................................................................................................................ 125
Guidelines for working with CloudLink Center clusters......................................................................................... 125
View CloudLink Center cluster servers...................................................................................................................... 126
Change a CloudLink Center cluster server name or address................................................................................126
Remove a CloudLink Center cluster server...............................................................................................................126

Chapter 18: Manage CloudLink Vault.......................................................................................... 128


View the CloudLink Vault settings...............................................................................................................................128
Change the CloudLink Vault mode.............................................................................................................................. 128

Set the CloudLink Vault Passcodes............................................................................................................................ 129
Unlock the CloudLink Vault........................................................................................................................................... 129
Guidelines for working with CloudLink Vaults.......................................................................................................... 130

Chapter 19: Assign Microsoft Windows User Account for CloudLink Center User Roles.............. 131
View Microsoft Windows domain configuration....................................................................................................... 131
Configure Microsoft Windows domain........................................................................................................................ 131
Modify Microsoft Windows domain.............................................................................................................................132
Leave Microsoft Windows domain.............................................................................................................................. 133

Chapter 20: RSA Authentication Manager.................................................................................. 134


Upload an RSA Authentication Manager configuration file................................................................................... 134
Delete an RSA Authentication Manager configuration file.................................................................................... 134
Clear the shared node secret....................................................................................................................................... 135

Chapter 21: Manage CloudLink SysLog data............................................................................... 136


View syslog configuration..............................................................................................................................................136
Change syslog server configuration............................................................................................................................136
Change syslog message format....................................................................................................................................137

Chapter 22: Manage CloudLink Center network settings............................................................ 138


Change CloudLink Center hostname configuration settings.................................................................................138
Change CloudLink Center SSH configuration settings...........................................................................................138

Chapter 23: Configure CloudLink Center DNS properties........................................................... 139


DNS servers in CloudLink Center................................................................................................................................ 139
Add DNS for accessing CloudLink Center................................................................................................................. 139
Set DNS server as the primary server for CloudLink Center................................................................................139
PING a DNS server to test connection...................................................................................................................... 140
Delete a DNS associated with CloudLink Center.....................................................................................................140

Chapter 24: Manage NTP servers associated with CloudLink Center...........................................141


Force an NTP server time synchronization with CloudLink Center..................................................................... 141
Add an NTP server for CloudLink Center...................................................................................................................141
Delete NTP server........................................................................................................................................................... 142

Chapter 25: Manage TLS certificates......................................................................................... 143


CloudLink Center Certificates...................................................................................................................................... 143
Upload a new TLS certificate....................................................................................................................................... 143
Generate a CSR certificate........................................................................................................................................... 144

Chapter 26: Configure SNMP for CloudLink Center....................................................................145


Add an SNMP configuration to the CloudLink Center........................................................................................... 145
Modify the SNMP configuration in the CloudLink Center.....................................................................................146
Send a test SNMP trap in the CloudLink Center.....................................................................................................146
Download MIB files..........................................................................................................................................................146
Delete the SNMP configuration in the CloudLink Center...................................................................................... 147

Chapter 27: Linux commands for CloudLink Agent......................................................................148
Command variables......................................................................................................................................................... 149

Chapter 28: Command actions for Windows PowerShell............................................................. 151


Command variables......................................................................................................................................................... 152

Appendix A: Role-Based Access Control for CloudLink............................................................... 153

Appendix B: Configure Active Directory for the CloudLink encryption keystore..........................156

Appendix C: Upgrade Ubuntu OS by using REST API.................................................................. 157

Appendix D: Update the Microsoft Azure Linux agent in a CloudLink Center..............................158

Appendix E: Restore VM agent connection to CloudLink Center................................................. 159

Appendix F: Install the redirect application................................................................................ 160

Appendix G: Move an encrypted drive to another machine.......................................................... 161


Move an encrypted disk to Windows machine..........................................................................................................161
Move an encrypted disk to Linux machine.................................................................................................................161

Appendix H: Recover an encrypted Linux boot volume................................................................163

Chapter 1: About Dell EMC CloudLink
Topics:
• About Dell EMC CloudLink for Enterprise and Microsoft Azure and Azure Stack
• About Dell EMC CloudLink for PowerFlex
• About Dell EMC CloudLink for Containers
• About Dell EMC CloudLink Administration Guide
• Intended audience for the CloudLink Administration Guide
• Get started with Dell EMC CloudLink
• CloudLink Center server address

About Dell EMC CloudLink for Enterprise and Microsoft Azure and Azure Stack

Cloud computing offers significant benefits for deployment flexibility, infrastructure scalability, and cost-effective use of IT
resources. You can take advantage of these benefits by deploying enterprise workloads in the cloud. However, because cloud
computing is based on a shared, multi-tenant compute, network, and storage architecture, traditional security controls are not
sufficient. Data owners must secure sensitive data that is saved in the cloud to address privacy and regulatory compliance
requirements, and satisfy requirements that are related to data that might remain in the cloud after it is no longer used.
Dell EMC CloudLink secures sensitive information within machines across both public and private clouds. It provides encryption
for the boot volume and additional data volumes with prestartup authorization for cloud-hosted machines. CloudLink provides
this encryption by using the following native OS encryption features:
● Microsoft BitLocker for Windows
● dm-crypt for Linux
BitLocker and dm-crypt are proven high-performance volume encryption solutions that are widely implemented for physical
machines. However, customers have not been able to use these solutions in the cloud, where you cannot use the native OS
encryption features alone to encrypt the boot volume. CloudLink solves this problem.
CloudLink's VM encryption functionality enables you to use native OS encryption features to encrypt a machine's boot and data
volumes in a multi-tenant cloud environment. This encryption also enables you to protect the integrity of the machine itself
against unauthorized modifications.
CloudLink encrypts the machine boot and data volumes with unique keys that enterprise security administrators control. Neither
cloud administrators nor other tenants in the cloud have access to the keys. By securing machines, you can define the security
policy that must be met before passing the prestartup authorization, including verifying the integrity of the machine’s boot
chain. This offers protection against tampering.
CloudLink ensures that only trusted and verified machines can run and access sensitive data that is stored in the cloud. As part
of the CloudLink solution, CloudLink Center defines the key release policy, performs prestartup authorization, and monitors all
CloudLink Agents, events, and logs.

About Dell EMC CloudLink for PowerFlex


Enterprises have many reasons for encrypting their data—addressing regulatory compliance, protecting against theft of
customer data, and sensitive intellectual property.
CloudLink offers significant benefits for environments that use Dell EMC PowerFlex resources. PowerFlex is a software-defined
solution that enables you to transform Direct Attached Storage (DAS) on existing hardware into shared block storage. It offers
considerable scalability and extreme performance with flexible and elastic storage capacity and nodes.
CloudLink provides software-based Data at Rest Encryption (DARE) for PowerFlex Storage Data Servers (SDS) that is
transparent to the features and operation of the PowerFlex solution. It uses dm-crypt, a native Linux encryption package,
to secure SDS devices. A proven high-performance volume encryption solution, dm-crypt is widely implemented for Linux
machines.
CloudLink encrypts the SDS devices with unique keys that are controlled by enterprise security administrators. CloudLink Center
provides centralized, policy-based management for these keys, enabling single-screen security monitoring and management
across one or more PowerFlex deployments.

About Dell EMC CloudLink for Containers


CloudLink supports data encryption in a Kubernetes containerized environment. CloudLink encryption for containers enables
you to encrypt shared volumes in a Kubernetes cluster. This functionality uses the Kubernetes Container Storage Interface
(CSI), supported on Kubernetes 1.14 to 1.21, which is customizable to the user environment, and features a quick, easy setup
with the UI or REST API.
The Encryption for Containers agent sits between the application and the CSI storage plugin, encrypting the application data
before it is sent to storage, thus providing both data-at-rest and data-in-motion protection. One CloudLink Center instance can
support multiple Kubernetes clusters. Each Kubernetes cluster node can run multiple container agents, including one Encryption
for Containers agent for each driver.

About Dell EMC CloudLink Administration Guide


This guide contains instructions for managing day-to-day operations and administering Dell EMC CloudLink.

Intended audience for the CloudLink Administration Guide

This guide is intended for CloudLink Center administrators who use the CloudLink Center administration interface to manage the
security of machines that are registered to CloudLink Center.
This guide is also intended for IT administrators who are responsible for the deployment and maintenance of machines in the
CloudLink Center environment, but not necessarily for the security of data on those machines. The reader of this Administration
Guide is expected to have prior working knowledge of VMs and data encryption.

Get started with Dell EMC CloudLink


Before you can use CloudLink Center, you must deploy CloudLink into your enterprise infrastructure or into the public cloud. For
deployment information, see the Dell EMC CloudLink Deployment Guide.
Use a web browser to access the CloudLink Center management interface. For more information, see Access CloudLink Center.

NOTE: CloudLink Center uses a self-signed certificate by default. You can import a certificate issued by a certification
authority.

CloudLink Center server address


The CloudLink Center server address is used frequently. For example, you provide the address in the URL used to access the
CloudLink Center Graphical User Interface (GUI), and in the commands used to download installation files.
The CloudLink Center address can be configured as an IPv4 address, an IPv6 address, or a hostname. By default, IPv4 is used,
but you can change it to an IPv6 address or a hostname using the Initial Configuration wizard. If the Domain Name System (DNS)
has an entry for CloudLink Center, it is recommended that you specify the CloudLink Center server address as a hostname in
Fully Qualified Domain Name (FQDN) format, such as clc.example.com. For more information, see Domain Name System servers in
CloudLink. If you want to use an IP address, use a static one.
NOTE: In a CloudLink Center cluster, the cluster node servers and CloudLink Agents use this server address for
communication. Before creating the cluster, specify the server address in the format you prefer for each server. You
can use a mix of FQDNs and IP addresses in a cluster, but you cannot change the format after creating a cluster.
For more information about prerequisites and requirements for server addresses in clusters, see the Dell EMC CloudLink
Deployment Guide.

Chapter 2: Manage CloudLink licenses
This chapter provides information about the CloudLink licenses and managing them in CloudLink Center.
CloudLink license files determine the volume of machine instances, Key Management Interoperability Protocol (KMIP) clients,
CPU sockets, encrypted storage capacity, or physical machines with SEDs that your organization can manage using the
CloudLink Center. License files also define the CloudLink Center usage duration. For example, your license might enable you to
run 25 machines in CloudLink Center for 365 days, or encrypt 5 TB of data space in CloudLink Center for perpetuity.
Licensing involves uploading a license file to make it available to CloudLink Center. For more information, see Upload CloudLink
license files.
You upload a license during initial server configuration. For more information, see the Dell EMC CloudLink Deployment Guide.
Topics:
• View CloudLink licenses
• Upload CloudLink license files
• Delete CloudLink license files
• Manage licensed hosts in CloudLink Center

View CloudLink licenses


Use this procedure to view the licenses uploaded in CloudLink Center.

Steps
1. Log in to CloudLink Center.
2. Click System > License.
The CloudLink licenses are displayed. View the following information for each installed license:
● Licensing
○ Encryption for Machines licenses—Licensed per machine for volume encryption. This license defines the number of
machines, virtual or bare-metal, that can be protected using the CloudLink Center.
○ Encryption for PowerFlex licenses—Encrypted capacity for PowerFlex
This license defines the total storage that can be encrypted using the CloudLink Center.
○ Encryption for Containers licenses—Enables data encryption for containers. A single Container license supports any
number of Kubernetes clusters.
○ Key Management over KMIP license—Licensed KMIP clients
This license defines the number of KMIP clients that can be managed using the CloudLink Center.
○ Key Management for SED licenses—Number of physical machines with SEDs
A single Key Management for SEDs license is used per physical machine regardless of the number of SEDs connected
to that machine.
● Type—Following are the license types:
○ Subscription—The license expires on a predefined date and time. Subscription licenses are applicable only for
Encryption for Machines.
○ Perpetual—The license never expires.
● Limit—The maximum number of licensed machine instances, physical machines with SEDs, amount of encrypted
capacity, or KMIP clients.
● Duration—The number of days that the license is valid.
● Start Date—The date that the license takes effect.
● End Date—The date that the license expires.

Upload CloudLink license files
Use this procedure to upload license files to CloudLink Center. License files must be uploaded before they can be used.

Steps
1. Log in to CloudLink Center.
2. Click System > License > Upload License.

3. In the Upload License dialog box, click to select the required license file, and then click Upload.

Delete CloudLink license files


Use this procedure to delete a license and replace it with a new license.

Steps
1. Log in to CloudLink Center.
2. Click System > License.
3. Select the check box next to the license that you want to delete.
4. Click Delete.
5. In the Confirm License Deletion dialog box, when prompted to confirm the request, click Delete.

Manage licensed hosts in CloudLink Center


This topic provides information about the licensed hosts and managing them in the CloudLink Center.
Using a socket-based license requires the following—a socket license, a cloud provider, and a VMware ESXi host.
Upload a socket license as described in Upload CloudLink license files. Uploading a socket license enables the Licensed Hosts
panel under Location. You can skip this step if you uploaded a socket license when you deployed CloudLink Center.
Add a cloud provider as described in Add approved Cloud Providers to approved locations. It must be a VMware vCenter cloud
provider.

Add a licensed host


Use this procedure to add an ESXi host that uses socket licenses. The number of sockets reported by the host is automatically
subtracted from the total number of available licensed sockets.

Steps
1. Log in to CloudLink Center.
2. Click Location > Licensed Hosts.
3. Click Add.
4. In the Add Host dialog box, select a provider and a host, and then click Add.

View a licensed host


Use this procedure to view the licensed ESXi hosts you added.

Steps
1. Log in to CloudLink Center.
2. Click Location > Licensed Hosts.
The list of licensed ESXi hosts is displayed. You can view the following information for each licensed ESXi host:

● Provider—The name of the cloud provider
● Host—The ESXi host added from the cloud provider
● Number of Sockets—The number of licensed sockets on the ESXi host

Delete a licensed host


Use this procedure to delete a licensed host to free socket licenses.

Steps
1. Log in to CloudLink Center.
2. Click Location > Licensed Hosts.
3. Select the check box next to the licensed host you want to delete.
4. In the Confirm Socket Deletion dialog box, when prompted to confirm the delete request, click Delete.

3 Log in to CloudLink Center
Topics:
• Access CloudLink Center
• Change maximum session timeout
• Change the automatic logout interval
• Change the number of login attempts before lockout
• Enable or disable special characters in password

Access CloudLink Center


Most management tasks are performed from CloudLink Center. Access CloudLink Center over an HTTPS session from a web
browser with JavaScript enabled.

Steps
1. In the web browser, type the CloudLink Center URL in the following format:

https://clc_address

where clc_address is the CloudLink Center address, in FQDN, IPv4, or IPv6 format. For more information, see CloudLink Center
server address.

2. On the CloudLink Center home page, do one of the following:


● Type a username and password.
For information about the first-time login to CloudLink Center or about the username or password, see the Dell EMC
CloudLink Deployment Guide.
● Click Log in with my Windows credentials.
This option is available only for domain users if CloudLink Center has been added to the Microsoft Windows domain. For
more information, see Assign Microsoft Windows User Account for CloudLink Center User Roles.

CloudLink Center server address


This topic provides information about the CloudLink Center server address.
You use the CloudLink Center server address frequently. For example, you provide the address in the URL used to access the
CloudLink Center user interface (UI), and the commands used to download installation files.
The CloudLink Center address can be configured as an IPv4 address, IPv6 address, or hostname. The address is set to IPv4
by default, but it can be changed to an IPv6 address or hostname in the Initial Configuration wizard. If the Domain Name
System (DNS) has an entry for CloudLink Center, it is recommended that you specify the CloudLink Center server address as
a hostname in fully qualified domain name (FQDN) format, such as clc.example.com. For more information, see DNS servers in
CloudLink Center. If you choose to use an IP address, use a static one.
NOTE: In a CloudLink Center cluster, cluster node servers and CloudLink Agents use this server address for communication.
Before creating the cluster, you must specify the server address in the format you prefer for each server. You can use a mix
of FQDNs and IP addresses in a cluster, but you cannot change the format after creating a cluster.
For more information about prerequisites for server addresses in clusters, see the Dell EMC CloudLink Deployment Guide.

Change maximum session timeout
For security, CloudLink Center automatically ends a session that has been active for a specified duration. You can set this
maximum session timeout.

Steps
1. Log in to CloudLink Center.
2. Click System > Login Options.
3. Click Change Max Session Timeout.
4. In the Change Max Session Timeout dialog box, enter the max session timeout in minutes.
5. Click Change.

Change the automatic logout interval


Use this procedure to change the automatic logout interval in CloudLink Center.

About this task


If no activity has occurred for a specified period, the web application automatically logs off a user. You can configure this
timeout from zero to 60 minutes, where zero implies that no automatic logout occurs.

Steps
1. Log in to CloudLink Center.
2. Click System > Login Options.
3. Click Change UI Idle Timeout.
4. In the Change UI Idle Timeout dialog box, enter the UI idle timeout in minutes.
5. Click Change.

Change the number of login attempts before lockout


Use this procedure to change the number of login attempts before lockout.

About this task


You can specify the number of times that a user can provide an incorrect password before CloudLink Center locks the user out.
For more information about unlocking users, see Unlock CloudLink accounts.
NOTE: By default, you are allowed five consecutive failed login attempts before your account is automatically locked for
15 minutes. After this, you are allowed three consecutive failed login attempts for every 15 minutes until you log in
successfully.

Steps
1. Log in to CloudLink Center.
2. Click System > Login Options.
3. Click Change Login Attempts.
4. In the Change Login Attempts dialog box, enter the number of attempts after which the CloudLink Center session must be
automatically locked for a user.
5. Click Change.
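The default lockout behaviour described in the note above, modelled in Python as an added example (not CloudLink code). The model assumes that attempts made while an account is locked are rejected outright, that the tolerated number of failures drops to three for each 15-minute lock period after the first lockout, and that a successful login resets the account to its initial state; the scenario data is constructed.

```python
"""Model of the default CloudLink Center account-lockout policy.

Added example, not CloudLink code. Interpretation (an assumption): five
consecutive failures lock the account for 15 minutes; once a lock has
occurred, only three consecutive failures are tolerated per 15-minute window
until a successful login resets the account. INITIAL_ATTEMPTS corresponds to
the value set in the Change Login Attempts dialog.
"""
from dataclasses import dataclass

LOCK_MINUTES = 15
INITIAL_ATTEMPTS = 5   # default number of attempts before the first lockout
REPEAT_ATTEMPTS = 3    # tolerated per 15-minute window after a lockout (assumed)


@dataclass
class Account:
    failures: int = 0            # consecutive failures in the current window
    locked_until: float = 0.0    # minute at which the current lock expires
    has_been_locked: bool = False

    def threshold(self) -> int:
        return REPEAT_ATTEMPTS if self.has_been_locked else INITIAL_ATTEMPTS

    def is_locked(self, now: float) -> bool:
        return now < self.locked_until

    def attempt(self, now: float, password_ok: bool) -> str:
        """Record one login attempt at minute `now`; return the outcome."""
        if self.is_locked(now):
            return "locked"          # rejected without touching the counters
        if password_ok:
            self.failures = 0        # successful login resets the policy state
            self.has_been_locked = False
            return "ok"
        self.failures += 1
        if self.failures >= self.threshold():
            self.locked_until = now + LOCK_MINUTES
            self.has_been_locked = True
            self.failures = 0
            return "lockout"
        return "failed"


def run(events):
    """events: list of (minute, password_ok) pairs. Returns the outcomes."""
    acct = Account()
    return [acct.attempt(minute, ok) for minute, ok in events]


# Constructed scenario (not a real log): five bad passwords, one more while
# locked, three bad passwords after the lock expires, then a good login.
SCENARIO = [(0, False), (1, False), (2, False), (3, False), (4, False),
            (5, False), (20, False), (21, False), (22, False),
            (40, True), (41, True)]

if __name__ == "__main__":
    for (minute, _), outcome in zip(SCENARIO, run(SCENARIO)):
        print(f"minute {minute:>2}: {outcome}")
```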

Enable or disable special characters in password
This topic provides information about enabling or disabling the use of special characters in your password.

Steps
1. Log in to CloudLink Center.
2. Click System > Login Options.
3. Click Require Special Characters In Password.
The Require Special Characters In Password dialog box is displayed.
4. From the Require Special Characters list, select the required value, and then click Change.

4 CloudLink Center Graphical User Interface (GUI)
CloudLink Center provides an easy-to-use interface with many features to help you manage registered machines, and to
configure and monitor the environment.
Topics:
• Navigate through CloudLink Center GUI
• Dell EMC CloudLink Center home page

Navigate through CloudLink Center GUI


This topic provides information about how to navigate through the CloudLink Center GUI.
The following screenshot shows CloudLink Center and identifies the primary navigation features.

Figure 1. CloudLink Center Home

● 1—CloudLink Center server
Identifies the CloudLink Center server that you are logged in to.

● 2—Contents panel
Lists the pages that you can select in the Edit panel.
● 3—Edit panel
Shows the page that is selected in the Contents panel.
● 4—Manual lock
Indicates that CloudLink Vault is locked.
The Manual lock icon disappears when the CloudLink Center Vault is unlocked. For more information, see Manage CloudLink
Vault.
● 5—Alarms notification
Displays a badge with the number of current alarms, if any.
An alarm represents a state or condition that you should be aware of. Click the Alarms notification icon to view alarms. For
more information, see View CloudLink Center alarms.
● 6—User Name menu
Displays your user name.
You can log out of CloudLink Center from this menu.
NOTE: Every CloudLink Center user is assigned a role that determines the permissions of the user. If some CloudLink Center
features are not available to you, contact your secadmin user.

Dell EMC CloudLink Center home page
The CloudLink Center Home page provides a dashboard view of CloudLink Center.

Figure 2. CloudLink Center Home page

The Home page includes the following panels:


● 1—Information
Provides connection information about the server on which CloudLink Center is running.
● 2—User Sessions
Lists the users who are logged in to CloudLink Center, including the time of the user’s login and last action. For more
information, see View user sessions in CloudLink Center.
● 3—Alarms

Lists the alarms that are active. An alarm represents a state or condition of which you must be aware. For more information,
see View and manage alarms.
● 4—Pending Machines
Lists the machines that are waiting for you to accept or reject startup. For more information, see Accept or reject pending
machines in CloudLink Center.
● 5—System Performance
Provides information about the server that is hosting CloudLink Center, including CPU and memory usage, available disk
space, and so on.
● 6—Security Events
Provides information about user logins, failed vault unlock attempts, machine registration, changes to the CloudLink Center
Vault, secure user actions, and encryption key activities. For more information, see Monitor CloudLink Center.

5 Common tasks you can perform in CloudLink Center
This chapter provides information on the common tasks you can perform in CloudLink Center.
Topics:
• Save tabulated data to a CSV file
• Filter table data
• Refresh CloudLink Center page data
• View CloudLink Center alarms

Save tabulated data to a CSV file


Use this procedure to save data to a CSV file.

About this task


All CloudLink Center features that present data in tables enable you to export the information to a CSV file. For example,
on the Machines page, you can export the list of machines that are registered with CloudLink Center, and then include the list
in a distribution report.

Steps
1. Log in to CloudLink Center.
2. Go to a page in the CloudLink Center menu that supports the file export feature.

3. Click the export icon.
The data is exported to a standard comma-separated value (CSV) file that is downloaded to your Downloads folder.

Filter table data


About this task
For tables with many rows, it might be difficult to quickly find a particular row or subset of rows. For example, if hundreds of
machines are registered or pending registration with CloudLink Center, the Machines table spans many pages.
For convenience, use the Filter icon to quickly search for table rows that match criteria that you specify.
To define search criteria:
● Type text in a filter box to see all table rows that contain the text. For example, type Connect in the Status box to see
all table rows where the status is Connected or Disconnected; both words contain the text Connect.
● Type an exclamation mark as the first character in a filter box to see all table rows that do not match the criteria. For example,
type !102 in the IP address box to see all table rows whose IP address does not contain 102.
● Enclose text in double or single quotation marks to see all table rows with an exact match for the criteria. For
example, type "Connected" in the Status box to see only table rows where the status is Connected.
Similarly, type !"vmware" in the Platform box to see all table rows where the platform is not VMware.
● Search criteria are case-insensitive. For example, vmware and VMware are considered to be the same text.

Steps
1. Log in to CloudLink Center.
2. Go to a page in the CloudLink Center menu that supports the filter feature.

3. Click the Filter icon.
A set of search boxes appears above the table header. Type your search criteria in any of the search boxes.
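The filter rules described above (substring match, leading ! for negation, quoted text for an exact match, case-insensitive), implemented in Python as an added example that models the documented behaviour and is not CloudLink code. The Machines rows are constructed sample data, and applying one criterion per column with all criteria required to match is an assumption about how the search boxes combine.

```python
"""Model of the CloudLink Center table-filter rules (added example, not CloudLink code).

Assumed rules, one per filter box: plain text matches any cell containing it;
a leading '!' negates the match; text wrapped in matching single or double
quotes must equal the whole cell; all comparisons are case-insensitive; rows
must satisfy every non-empty filter box.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Criterion:
    text: str      # lower-cased search text with '!' and quotes stripped
    negate: bool   # True when the box started with '!'
    exact: bool    # True when the text was quoted


def parse_criterion(raw: str) -> Criterion:
    """Turn the text typed into one filter box into a Criterion."""
    negate = raw.startswith("!")
    if negate:
        raw = raw[1:]
    exact = len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in ("'", '"')
    if exact:
        raw = raw[1:-1]
    return Criterion(text=raw.lower(), negate=negate, exact=exact)


def cell_matches(cell: str, crit: Criterion) -> bool:
    value = cell.lower()
    hit = value == crit.text if crit.exact else crit.text in value
    return not hit if crit.negate else hit


def filter_rows(rows, filters):
    """Keep rows whose every filtered column satisfies its criterion.

    rows: list of dicts (column name -> cell text)
    filters: dict of column name -> raw filter-box text; empty boxes are ignored
    """
    crits = {col: parse_criterion(txt) for col, txt in filters.items() if txt}
    return [row for row in rows
            if all(cell_matches(row.get(col, ""), crit) for col, crit in crits.items())]


# Constructed sample of a Machines table (not real data).
MACHINES = [
    {"Name": "web-01", "Status": "Connected", "IP address": "10.0.102.5", "Platform": "VMware"},
    {"Name": "web-02", "Status": "Disconnected", "IP address": "10.0.11.7", "Platform": "VMware"},
    {"Name": "db-01", "Status": "Pending", "IP address": "10.0.102.9", "Platform": "Azure"},
    {"Name": "db-02", "Status": "Connected", "IP address": "192.168.1.102", "Platform": "Enterprise"},
]


def names(rows):
    return [row["Name"] for row in rows]


if __name__ == "__main__":
    # The four examples from the text, in order.
    for box, text in (("Status", "Connect"), ("IP address", "!102"),
                      ("Status", '"Connected"'), ("Platform", '!"vmware"')):
        print(f"{box} = {text!r}: {names(filter_rows(MACHINES, {box: text}))}")
```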

Refresh CloudLink Center page data


About this task
Generally, CloudLink Center pages display live information in real time. However, to ensure that you are viewing the most
current information:

Steps
1. Log in to CloudLink Center.

2. Click the refresh icon.

View CloudLink Center alarms


An alarm represents a state or condition that you should be aware of. When one or more alarm conditions exist, CloudLink Center
displays a badge on the Alarms icon on the home page. The badge indicates the number of alarms.

Steps
1. Log in to CloudLink Center.

2. On the Home page, click the Alarms icon.

Next steps
CloudLink Center removes alarms from the Alarms page when the condition or state that triggered the alarm is resolved. For
example, CloudLink Center triggers an alarm if a backup file is generated but not downloaded. When you download the backup
file, the alarm is automatically deleted.

6 Best practices to secure data in CloudLink Center
After configuring and setting up CloudLink Center, it is recommended that you follow certain best practices to secure your data
in CloudLink Center.
Following are the best practices to manage and secure the CloudLink Center and encryption keys:
● Rotate keys automatically—It is recommended to rotate keys on a scheduled basis. By setting an automatic rotation interval,
encryption keys are updated without further effort. The rotation interval can be set to one day, seven days, 30 days, or 365
days, or to a custom interval. You can set the key rotation interval while creating a machine group or update it while
modifying the machine group properties. For more information about setting key lifetime, see Create a machine group to
CloudLink Center.
● Shred keys periodically—It is recommended to shred keys periodically to protect the data. Key shredding destroys or
deletes the encryption keys that are used to secure the data previously stored on the respective machine. You shred a key
by shredding a machine from CloudLink Center; shredding a machine deletes its keys in all accessible keystores. For more
information about shredding a machine from CloudLink Center, see Shred a machine from CloudLink Center.
● Automatically back up CloudLink Center—To guard against data loss or database corruption, keep a backup of CloudLink
Center so that you can deploy a new server and restore CloudLink Center from the backup. CloudLink Center automatically
generates a backup file each day at midnight (UTC). You can change this schedule to hourly or to any other backup
frequency you want. For more information about changing the schedule for automatic backups, see Change the schedule for
automatic backups.

7 Manage secure machines on CloudLink Center
From CloudLink Center, manage the secure machines to which CloudLink Center Agent has been deployed. To help you
administer and manage these machines, organize them using machine groups. For all machines in a group, the machine group
policies determine the role that administers the machines, the conditions under which machines may start up automatically, the
encryption that must be in effect for the machine, and so on.
For individual machines in a group, you can:
● Encrypt and decrypt volumes.
● Encrypt and erase devices.
● Decide whether or not to enable a particular volume or device to be exempt from the policy for the machine group.
● Accept, reject, or remove a machine.
Topics:
• CloudLink self-encrypting drives (SEDs)
• CloudLink prestartup authorization
• CloudLink Center registered machines
• Accept or reject pending machines in CloudLink Center
• Accept a pending machine
• Reject a pending machine
• View registered machines
• Move a registered machine to a different machine group
• Scenarios for removing machine from CloudLink Center
• Shred encrypted CloudLink machines
• View event history of a machine
• Refresh mounted devices or devices of a Linux machine
• Work with cloned machines in CloudLink Center
• Restart the CloudLink Agent service on Linux machines
• CloudLink Center machine volumes
• Machine devices
• Manage a Self-encrypting Drive from CloudLink Center
• Manage a self-encrypting drive from the CLI
• Encrypt the devices of a machine from the CLI
• Release a self-encrypting drive
• Release management of a self-encrypting drive from the CLI
• Monitor the real-time progress of encryption and decryption processes
• Change the CloudLink Center IP address
• Move a machine to a different CloudLink Center
• Add a new CloudLink Center to an existing cluster and remove the old CloudLink Center
• Unlock out-of-band data disks with an ISO image file
• Unlock out-of-band data disks with a RAW file

CloudLink self-encrypting drives (SEDs)


This topic provides information about the SEDs in CloudLink Center.
When managing SEDs from CloudLink Center, be aware of the following:
● CloudLink Center can manage encryption keys for self-encrypting drives (SEDs).

NOTE: You must not encrypt SEDs even when you have a license that supports SED features, because such a license
supports only managing and releasing SEDs. To identify whether a drive is an SED, look at the SED section of the
Machines page. If information about the SED drive is displayed, the drive is an SED; otherwise, it is not.
● Manage SEDs in CloudLink Center by locking and unlocking when the CloudLink agent is installed on machines with SEDs.
● When CloudLink Center manages SEDs, SED encryption keys are stored in the current keystore for the machine group they
are in.
● The functionality for managing SEDs requires a separate SED license.
● When CloudLink Center takes ownership of an SED, it releases SED encryption keys when the physical machine containing
the SEDs is powered on or restarted.
● If the SED cannot retrieve the key from CloudLink Center, the SED remains locked.

CloudLink prestartup authorization


Prestartup authorization of CloudLink Center machines applies only to Enterprise, Microsoft Azure, and Azure Stack.
Prestartup authorization enables a machine to start up automatically when:
● The machine has been previously registered with CloudLink Center and can connect to it.
● The boot volume of a machine is encrypted, and the machine meets key release policies for boot volume encryption. For
more information, see CloudLink key release policies.
NOTE: If the boot volume of a machine is not encrypted, but one or more data volumes are encrypted, the machine
is allowed to start. CloudLink Center determines whether encryption keys for encrypted data volumes can be released
automatically based on key release policies. If key release policies are not met for the data volume, CloudLink Center
puts the machine in the pending state.
If a machine does not pass prestartup authorization, CloudLink Center puts the machine in the pending state and you must
explicitly accept the machine before startup is allowed to continue.

CloudLink Center registered machines


From CloudLink Center, manage individual machines on which CloudLink Agent has been deployed. For example, you can view a
list of machines and their current states, and accept or reject machine startup.
Each machine registered with CloudLink Center is assigned a unique serial number that is stored in the CloudLink Center
database. If a machine has more than one volume or device, CloudLink Center management operations can be performed on
individual volumes or devices. For example, you can:
● Encrypt or decrypt volumes on an individual basis
● Encrypt or erase devices on an individual basis

CloudLink Center machine startup


This topic provides information about machines starting automatically using CloudLink key release policies.
Enable machines to start up automatically using key release policies set for the machine group. For more information, see
CloudLink key release policies.
After starting, if a machine does not meet the requirements of all the key release policies, CloudLink Center puts the machine
in the pending state. In this state, an administrator must explicitly accept the startup of the machine. For example, you can
set a key release policy so that CloudLink Center does not allow a machine to start up automatically if its IP address does not
belong to an approved network for the machine group. For more information about the pending state and manually accepting
the startup of a machine, see Accept or reject pending machines in CloudLink.

CloudLink Center machine states


This topic provides information about the different statuses of machines in CloudLink Center.
Each registered machine is assigned a state that you can view in CloudLink Center. For more information, see View registered
machines. The state of a machine determines the actions that you can perform, including:

● Encrypting volumes and devices
● Decrypting volumes
● Erasing devices
● Accepting or rejecting startup of a machine
● Removing machines
The preceding actions depend on whether the machine is running Windows or Linux.

Accept or reject pending machines in CloudLink Center
This topic provides information about accepting or rejecting pending machines in CloudLink Center.
When a registered machine with an encrypted boot volume or a device attempts to start up, CloudLink Center may cancel the
startup process and put the machine in the pending state. This state implies that key release policies are not met, and CloudLink
Center cannot release encryption keys for the machine’s boot volume or device. For more information, see CloudLink key release
policies.
You can view the reason for the pending state in the Details column of the Machines panel. As a one-time option, you can then
choose to manually:
● Accept the startup of the machine. CloudLink Center releases encryption keys for the boot volume or device, and the
machine continues its startup process. CloudLink Center displays the machine in connected state.
● Reject the startup of the machine. CloudLink Agent disconnects from CloudLink Center and stops requesting encryption
keys. CloudLink Center displays the machine in the disconnected state.
For example, by default, CloudLink Center ensures that the IP address of the machine belongs to an approved network for the
machine’s group. For more information, see Manage approved networks for machine groups. If the IP address is not in this list,
CloudLink Center puts the machine in the pending state. After determining whether you want to allow this machine to start up,
you select to accept or reject the startup process.
Accepting or rejecting a machine applies to the current startup process only. The next time a previously accepted or rejected
machine starts, it is put in the pending state again if any reason for this state is detected. You must once again choose whether
to accept or reject the machine. If no conditions exist for the pending state (for example, the previous issue has been resolved),
the machine is in connected state.

Accept a pending machine
Use this procedure to accept a pending machine.

Prerequisites
You can accept a machine only if the machine is in the pending state.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Machines.
3. Select the check box next to the machine you want to accept.
4. Click Accept.
5. In the Confirm Accept Machine dialog box, when prompted to confirm the accept request, click Accept.

Reject a pending machine


Use this procedure to reject a pending machine.

Prerequisites
You can reject a machine only if the machine is in the pending state.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Machines.
3. Select the check box next to the machine you want to reject.
4. Click Reject.
5. In the Confirm Reject Machine dialog box, when prompted to confirm the reject request, click Reject.

View registered machines


You can view the list of machines that are registered in CloudLink Center.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Machines.
All the machines that are registered in CloudLink Center are displayed.

Move a registered machine to a different machine group
Every machine that is registered with CloudLink Center belongs to a machine group. You can change the machine group to
which a machine belongs.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Machines.
3. Select the check box next to the machine you want to move to a different machine group.
4. Click Actions > Move to Group.

5. In the Move Machine to Another Group dialog box, select the required group from the Move to list.
6. Click Move.

Scenarios for removing a machine from CloudLink Center
This topic provides information about the scenarios for removing a machine from CloudLink Center.
Remove a machine when you no longer want it registered with CloudLink Center. Typically, you remove a machine because:
● You no longer want to use the machine in the CloudLink environment.
○ In this case, decrypt any encrypted volumes and remove CloudLink Agent from the machine. The machine must be in the
disconnected state.
○ In this case, erase any encrypted devices and remove CloudLink Agent from the machine. The machine must be in the
disconnected state.
● You want to release a machine instance license.
○ In this case, deregister the machine from CloudLink Center. At some time in the future, you may re-register the machine.
The machine must be in the disconnected state.
NOTE: The capacity of an encrypted capacity license is increased when a device is decrypted.

Remove a machine from CloudLink Center


Use this procedure to remove a machine from CloudLink Center. If you no longer want to use a machine in the CloudLink
environment, you can remove it so that the machine is unregistered from CloudLink Center and CloudLink Agent is automatically
uninstalled.

Prerequisites
The machine must be in the disconnected state.
It is recommended that you decrypt the boot volume and any additional data volumes (Windows) or mounted devices (Linux)
that you want to use after the machine has been de-registered from CloudLink Center, as they will be inaccessible otherwise.
For more information, see CloudLink Center machine volumes.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Machines.
3. Select the check box next to the machine you want to remove.
4. Click Remove.
5. In the Confirm Machine Removal dialog box, when prompted to confirm the removal request, click Remove.

Release a license
Use this procedure to release a license in CloudLink Center.

Prerequisites
The machine must be in the disconnected state.

About this task


If you want to temporarily remove a machine instance, encrypted capacity, or a KMIP client from CloudLink Center to release a
license, ensure it is in the disconnected state. Once removed, the machine does not appear in the Machines panel. However,
if the machine is restarted, it is listed in this panel in the pending state. For more information, see Accept or reject pending
machines in CloudLink.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Machines.
3. Select the check box next to the machine whose license you want to release.
4. Click Remove.
5. In the Confirm Machine Removal dialog box, when prompted to confirm the removal request, click Remove.

Shred encrypted CloudLink machines


Shred encrypted machines to make the machines and their volumes or devices completely inaccessible by destroying their keys
in the keystore.
If you attempt to shred a machine and a keystore that contains keys for the machine is not accessible, CloudLink Center does
not shred the machine; it deletes the keys in all accessible keystores. You can try to shred the machine again after the
inaccessible keystore becomes accessible.
With one exception, shredding a machine prevents that machine, including all backups, from being started again. The exception
is when the keys are in the CloudLink Vault keystore and a backup of CloudLink Center exists that might have those keys.

Shred a machine from CloudLink Center


Use this procedure to shred a machine from CloudLink Center.

Prerequisites
● The machine must be in the disconnected state.
● Decrypt the disks of the machines.
● Uninstall CloudLink Agent on the machine.

About this task


If you shred a machine that has older shared keys from cloning or upgrading, the shared keys are not deleted and an error
message stating “Some keys have not been deleted” is displayed. The current keys for the machine are deleted. However, if the
machine boot drive was encrypted, it no longer boots.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Machines.
3. Select the check box next to the machine whose keys you want to shred and that you want to remove from CloudLink
Center.
4. Click Actions > Shred.
5. In the Confirm Machine Shredding dialog box, enter the name of the machine to confirm it.
6. Click Shred.

View event history of a machine


Use this procedure to view the history of a machine.

About this task


You can view only the events for a selected machine. For information about choosing the timeframe in which events occurred
and the information that is provided on the Events page, see CloudLink events and corresponding syslog severity numbers.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Machines.
3. Select the check box next to the machine to view the event history of that machine.
4. Click Actions > Show Event History.
The event history of the selected machine is displayed in the Events page.

Refresh mounted devices or devices of a Linux machine
Use this procedure to refresh mounted devices or devices of a Linux machine.

About this task


If you add a new mounted device or a device for a Linux machine, you must refresh the machine, so that the new device is
added to the Machines panel.

Steps
Enter the following command at the Command Line Interface (CLI):

svm reload [-v]

Next steps
For information about optional svm parameters, see Linux commands for CloudLink Agent.

Work with cloned machines in CloudLink Center


This topic provides information about cloned machines in CloudLink Center.
Each machine that is registered with CloudLink Center is assigned a unique serial number that is stored in the CloudLink Center
database. By default, if you clone a registered machine in the connected state, and then start the clone, CloudLink Center puts
the clone in the pending state. For more information, see CloudLink Center machine states.
CloudLink Center puts the clone in the pending state because the default key release policy does not enable CloudLink Center to
release keys to a clone of a previously registered machine. You can change this key release policy, enabling automatic release of
keys to clones of machines belonging to the group. For more information, see CloudLink key release policies.
To indicate the relationship with the machine in the pending state to the machine from which it was cloned, the serial number
for the machine clone is the same as the original machine, except for the last two digits.
As shown in the following screenshot, data of the selected machine indicates that the machine is in pending state. The serial
number for the pending machine ends with 60 and the serial number for the machine from which it was cloned ends with 00.

Figure 3. Cloned machine serial numbers

To enable the startup process for the cloned machine to continue, you must accept the machine. For more information, see
Accept or reject pending machines in CloudLink. After a cloned machine is accepted, it is restarted and assigned a new serial
number.
For Enterprise, Microsoft Azure, and Azure Stack—if the machine passes prestartup authorization, all subsequent startup
operations of the machine are automatically enabled. For more information about prestartup authorization, see CloudLink
prestartup authorization.

Change encryption keys on Linux machines


This topic provides information about changing encryption keys on Linux machines.
If PowerFlex SDS devices on the original machine were encrypted when the clone was created, the data on both machines
is encrypted with the same key. If you want data on each machine encrypted with different keys, you must erase, and then
encrypt any encrypted devices on one of the machines. For more information, see CloudLink Center machine devices.
If boot or data volumes on the original machine were encrypted when the clone was created, the data on both machines is
encrypted with the same key. If you want data on each machine encrypted with different keys, you must decrypt and then
encrypt any encrypted volumes on one of the machines. For more information, see CloudLink Center machine volumes.

Change encryption keys on Windows machines


New keys are generated for the cloned machine when it is accepted.



Change hostnames
The hostname for a cloned machine is the same as the machine from which it was cloned. To help distinguish machines from
their clones, you may want to change the hostname for clones. See the documentation provided for the clone’s operating
system.

Restart the CloudLink Agent service on Linux machines
Use this procedure to restart the CloudLink Agent service on Linux machines.

About this task


For Linux machines, you must restart the CloudLink Agent service if the networking configuration is changed after deploying the
CloudLink Agent.

Steps
Enter the following command at the CLI:

service svmd restart

CloudLink Center machine volumes


This topic provides information about machine volumes in CloudLink Center.
Each machine that is registered to CloudLink Center is assigned a unique serial number that is stored in the CloudLink Center
database. If a machine has more than one volume, CloudLink Center management operations (such as encrypting or decrypting
a machine’s boot or data volumes) can be performed on individual volumes.

Table 1. Boot and data encryption supported on bare-metal machines and VMs by CloudLink
Encryption on       Boot volume                                                                   Data volume
VM                  Yes                                                                           Yes
Physical machine    No. CloudLink does not support boot volume encryption on physical machines.   Yes

Before removing a machine that you no longer want under CloudLink Agent control, you should decrypt the volumes if you want
to continue using the machine. Otherwise, its volumes remain encrypted and inaccessible.
For information about monitoring encryption or decryption processes on a machine, see Monitor the real-time progress of
encryption and decryption processes.

Encrypt a volume
By using CloudLink Center, you can encrypt system partitions or data volumes.
The following Linux system partitions are automatically encrypted or decrypted with the / partition:
● /
● /bin
● /sbin
● /root
● /lib
● /var
● /usr
● /usr/local
● /initrd
● /tmp
● /home
● /opt
WARNING: If at least one system partition is encrypted by CloudLink 6.7 or earlier, you cannot encrypt an
individual system partition. You must first decrypt all system partitions, then encrypt /, to encrypt all system
partitions at once.
If more than one volume on the machine is unencrypted, select the one that you want to encrypt. You can encrypt only one
volume at a time.
For Linux machines, CloudLink encrypts volumes using dm-crypt. The device must be mounted; CloudLink Center first unmounts the
mount point. If files on the volume are open, an error occurs and the volume is not encrypted.
When encryption is completed, CloudLink Center restarts the machine.

Encrypt a data volume on a self-encrypting drive


Use this procedure to encrypt a data volume on a self-encrypting drive.

About this task


You can encrypt a data volume on a self-encrypting drive (SED), as long as SED encryption is not being managed by CloudLink.
If SED encryption is managed by CloudLink, then volume encryption is blocked. You do not need an SED license to encrypt data
volumes on an SED.

NOTE: CloudLink does not support boot volume encryption on physical machines.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Machines.
3. Select the check box next to the SED whose data volume you want to encrypt.
4. Click Actions > Encrypt.
The Encrypt dialog box is displayed.
5. From the Volumes list, select the data volume.
6. Click Encrypt.

Encrypt devices of a Linux machine from the CLI


As an alternative to encrypting a mounted device of a Linux machine from CloudLink Center, you can encrypt it from the CLI.

Prerequisites
The device must be mounted.

About this task


The following Linux system partitions are automatically encrypted or decrypted with the / partition:
● /
● /bin
● /sbin
● /root
● /lib
● /var
● /usr
● /usr/local
● /initrd
● /tmp
● /home
● /opt
WARNING: If at least one system partition is encrypted by CloudLink 6.7 or earlier, you cannot encrypt an
individual system partition. You must first decrypt all system partitions, then encrypt /, to encrypt all system
partitions at once.
You can encrypt the data volume for a Linux machine from the CLI. If more than one volume on the machine is unencrypted,
select the one that you want to encrypt. You can encrypt only one volume at a time.
The process used to encrypt the data volume is the same as when encrypting from CloudLink Center. For more information, see
Encrypt a volume.
Use one of the following methods to encrypt devices of the Linux machine:

Steps
● Enter the following command:

svm encrypt [mount_point]

For example:

svm encrypt /MyData/MyMountPoint

● You can also force encryption. Enter the following command from the CLI:

svm encrypt -f [mount_point]

For example:

svm encrypt -f /MyData/MyMountPoint

NOTE: The -f option restarts a Linux machine and encrypts the data partition. The -f option is for users who want to
encrypt a Linux data partition that is in use.
For more information about the svm parameters, see Linux commands for CloudLink Agent.

Decrypt a volume
This topic provides information about decrypting a volume.
By using CloudLink Center, you can decrypt boot or data volumes in the connected state on Windows or Linux machines.
If more than one volume is encrypted, select the one that you want to decrypt.
If decrypting a volume means that it no longer complies with the volume encryption policy for the machine group, CloudLink
Center prompts you to confirm that you want to decrypt the volume. For information, see CloudLink Center volume encryption
policy. If you choose to decrypt the volume, CloudLink Center triggers an alarm, and you can allow the non-compliance
through an exemption. For more information, see Types of volume encryption policies in CloudLink.

Decrypt a data volume on a self-encrypting drive


Use this procedure to decrypt a data volume on a self-encrypting drive (SED).

Prerequisites
The machine must be in the connected state.



About this task

NOTE: CloudLink does not support boot volume encryption or decryption on physical machines.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Machines.
3. Select the check box next to the SED whose data volume you want to decrypt.
4. Click Actions > Decrypt.
The Decrypt dialog box is displayed.
5. From the Volumes list, select the data volume.
6. Click Decrypt.

Decrypt the boot volume of a Linux machine from the CLI


As an alternative to decrypting the boot volume of a Linux machine from CloudLink Center, you can decrypt it from the CLI.
If you decrypt a volume and it no longer complies with the volume encryption policy of a group, then CloudLink Center triggers
an alarm. You can choose to allow its noncompliance through an exemption. For more information, see Types of volume
encryption policies in CloudLink.
The procedure used to decrypt the boot volume depends on the version of CloudLink that was used to encrypt the boot volume.
CloudLink version 5.0 and earlier uses eCryptfs for encryption. CloudLink version 6.9 and later uses dm-crypt.

Decrypt a boot volume encrypted using CloudLink version 6.9 and later
Use this procedure to decrypt a boot volume that was encrypted using CloudLink version 6.9 and later.

Steps
1. Back up all data.
2. At the CLI, enter the following command:

svm decrypt / [-v]

For more information about this command, see Linux commands for CloudLink Agent.

3. When prompted to restart the machine, click Yes.


4. Wait until the machine is displayed under Agents > Machines. The machine must be in the Connected state.
NOTE: The time required to complete this operation depends on the size of the boot disk and the environment type.

Decrypt a boot volume encrypted using CloudLink 5.0 or earlier


Use this procedure to decrypt a boot volume that was encrypted using CloudLink 5.0 or earlier version.

Steps
1. Back up all data.
2. Attach a second disk that is as large as the root disk.
This disk must not contain any data because it is overwritten with contents from the encrypted disk. Do not mount this
drive.

3. At the CLI, enter the following command:

svm decrypt /[target_disk] [-v]

where target_disk is the drive that was attached in Step 2.



For example:

svm decrypt /dev/sdb

For more information about this command, see Linux commands for CloudLink Agent.

4. When prompted to restart the machine, click Yes.


5. Wait until the machine is displayed under Agents > Machines. The machine must be in connected state.
NOTE: The time required to complete this operation depends on the size of the boot drive and the environment type.

6. Detach the second disk when the status of the boot volume is connected and decrypted in CloudLink Center.

Decrypt the mounted volumes of a Linux machine from the CLI


Use this procedure to decrypt the mounted volumes of a Linux machine from the CLI.
As an alternative to decrypting the mounted volumes of a Linux machine from CloudLink Center, you can decrypt them from
the CLI. This process decrypts the data to a new volume that is mounted with the same name as the encrypted mount point. In
addition to decrypting the data, this process unregisters the mount point from CloudLink Center.
If you decrypt a volume and it no longer complies with the volume encryption policy of a group, then CloudLink Center generates
an alarm. You can choose to allow its noncompliance through an exemption. For more information, see Types of volume
encryption policies in CloudLink.
The procedure used to decrypt a volume depends on the version of CloudLink that was used to encrypt the volume.
● CloudLink version 5.0 and earlier uses eCryptfs to encrypt volumes.
● CloudLink version 6.9 and later uses dm-crypt.

Decrypt a volume encrypted using CloudLink version 6.9 and later


Use this procedure to decrypt a volume encrypted using CloudLink version 6.9 and later.
Use one of the following methods to decrypt the mounted volumes of the Linux machine:
● Enter the following command:

svm decrypt [mount_point]

For example:

svm decrypt /MyData/MyMP

● You can also force decryption. Enter the following command at the CLI:

svm decrypt -f [mount_point]

For example:

svm decrypt -f /MyData/MyMountPoint

NOTE: The -f option restarts a Linux machine and decrypts the data partition. The -f option is for users who want to
decrypt a Linux data partition that is in use.
For more information about svm parameters, see Linux commands for CloudLink Agent.

Decrypt a volume encrypted using CloudLink version 5.0


Use this procedure to decrypt a volume encrypted using CloudLink version 5.0.

Steps
1. Add a drive with at least as much disk space as the encrypted drive.



For example:

/dev/sdc

This disk must not contain any data as it is overwritten with contents from the encrypted disk.

2. Mount the new disk.


For example, mount it to the following directory:

/MyData/AdditionalMP

3. Decrypt the encrypted data disk by entering the following command:

svm decrypt [encrypted_mount_point] [additional_mp]

For example:

svm decrypt /MyData/MyMP /MyData/AdditionalMP

All the decrypted data is now on an additional disk /dev/sdc, which is mounted to /MyData/AdditionalMP.
If you want to keep your decrypted data mounted to the original location (for example, /MyData/MyMP), complete Steps 4
to 7.
If you want to keep your decrypted data on the new mount point (for example, /MyData/AdditionalMP), go to Step 8.

4. Copy your data from the new mount point to the original mount point:

mv /MyData/AdditionalMP /MyData/MyMP

5. Unmount the new disk:

umount /MyData/AdditionalMP

6. Edit the /etc/fstab file.


For example, you must update any lines that refer to the original mount point:

/dev/sdc1 /MyData/MyMP ext4 defaults 1 2

7. Mount the original mount point /MyData/MyMP.


8. Reload the configuration into CloudLink by entering the following command:

svm reload
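The /etc/fstab edit in step 6 is the easiest part of this procedure to get wrong by hand, and a malformed entry can stop the machine from booting. The following added example, which is not CloudLink's own tooling, performs that edit as a script: it drops the existing line for the mount point, appends the new device using the same six-field layout shown in step 6, checks that every entry in the result still has six fields, and only then overwrites the file. The device and mount-point names are the ones used in the steps above; the demo runs on a constructed copy of fstab, never on the real file.

```shell
#!/bin/sh
# Added example (not CloudLink tooling): replace the /etc/fstab entry for a
# mount point with the device that now holds the decrypted data. The entry
# format "/dev/sdc1 /MyData/MyMP ext4 defaults 1 2" is the one shown in the
# procedure above.

# update_fstab_entry FSTAB DEVICE MOUNTPOINT FSTYPE OPTIONS
# Rewrites FSTAB so that exactly one non-comment line refers to MOUNTPOINT.
# Returns 1 (and leaves FSTAB untouched) if the result fails the field check.
update_fstab_entry() {
    fstab="$1" device="$2" mountpoint="$3" fstype="$4" options="$5"
    tmp="$(mktemp)"
    # Keep comments and every entry whose mount point (2nd field) differs.
    awk -v mp="$mountpoint" '/^[[:space:]]*#/ || $2 != mp' "$fstab" > "$tmp"
    # Append the new entry; dump=1, pass=2 as in the procedure's example line.
    printf '%s %s %s %s 1 2\n' "$device" "$mountpoint" "$fstype" "$options" >> "$tmp"
    # Sanity check: every non-blank, non-comment line must have six fields.
    if awk '!/^[[:space:]]*#/ && NF && NF != 6 { bad=1 } END { exit bad }' "$tmp"; then
        cp "$tmp" "$fstab"
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# fstab_device_for FSTAB MOUNTPOINT -> prints the device recorded for MOUNTPOINT
fstab_device_for() {
    awk -v mp="$2" '!/^[[:space:]]*#/ && $2 == mp { print $1 }' "$1"
}

# Demo on a constructed fstab copy (the real /etc/fstab is never touched).
demo="$(mktemp)"
cat > "$demo" <<'EOF'
# constructed sample fstab
/dev/sda1 / ext4 defaults 1 1
/dev/sdb1 /MyData/MyMP ext4 defaults 1 2
EOF
update_fstab_entry "$demo" /dev/sdc1 /MyData/MyMP ext4 defaults
echo "mount point /MyData/MyMP now maps to: $(fstab_device_for "$demo" /MyData/MyMP)"
rm -f "$demo"
```

To apply it to the real file, run `update_fstab_entry /etc/fstab /dev/sdc1 /MyData/MyMP ext4 defaults` as root after step 5, then mount the original mount point as in step 7. Keeping a copy of the original fstab before the call is still good practice.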

Unlock a moved volume


Use this procedure to unlock a moved volume.

About this task


A key release policy determines the conditions under which CloudLink Center enables keys to be released (if any) when it
detects that a volume is associated with a different machine than the one recorded in the CloudLink Center database. For more
information, see CloudLink key release policies.
The policy may require that you manually unlock the volume. For information about the procedure for moving a volume and
manually unlocking the volume, see Move an encrypted drive to another machine.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Machines.



3. Select the check box next to the machine whose moved data volume you want to accept.
4. Click Actions > Pending Volumes/Disks.
The Pending Volumes/Disks dialog box is displayed.
5. From the Pending Volume/Disk list, select the required data volume.
6. Click Accept.

Machine devices
This topic provides information about encrypting empty devices that can be added to PowerFlex SDS.
CloudLink encrypts empty devices so that the encrypted device can be added to PowerFlex SDS. An empty device does not
contain partitions or a file system. If the device is already added to PowerFlex, remove it from PowerFlex before you encrypt
it, because the encrypted device no longer contains the original data. An encrypted device can be erased so that it can be used
for another purpose, but erasing destroys all data on it.
Before removing a machine from CloudLink Center, you must erase its devices if you want to continue using them. Otherwise, the
devices of the machine remain encrypted and inaccessible.

Encrypt a PowerFlex SDS device


Use this procedure to encrypt a PowerFlex SDS device.

Prerequisites
The device must not have a file system.

About this task


By using CloudLink Center, you can software-encrypt a PowerFlex SDS device when the machine is in the Connected state.
Encrypting a device is a quick operation because typically the device contains no data. If you are using CloudLink 7.1
or an earlier version and encrypt any SDS or SED device, the mapper name is /dev/mapper/svm_sdx. A new installation of
CloudLink 7.1.2, or an upgrade to 7.1.2, uses different mapper paths, as follows:
● New installation of 7.1.2
○ When encrypting any SDS or SED device, the mapper path is displayed as /dev/mapper/svm_wwn-XXX for
SDS drives.
○ For NVMe drives, the mapper path is /dev/mapper/svm_nvme-XXX.
● Upgrade to 7.1.2
○ Existing encrypted volumes from 7.1 continue to use the old mapper name (/dev/mapper/svm_sda) until the machine
is restarted for the first time. During the restart, the following message is displayed: Please update the device mapper.
After the first restart, the old mapper name is replaced by the new mapper name: /dev/mapper/svm_wwn-XXX
for SDS drives and /dev/mapper/svm_nvme-XXX for NVMe drives. The old mapper name information is saved
to /usr/share/securevm/disk_details.dmp.
NOTE: Here, XXX is the WWN number of either an SDS or NVMe device.

CAUTION: Only PowerFlex 3.6.0.2 and later versions support the new SDS mapper introduced in
CloudLink 7.1.2. PowerFlex must be upgraded to 3.6.0.2 before upgrading CloudLink to 7.1.3. To upgrade
CloudLink agents on SDS nodes to use CloudLink 7.1.2 or 7.1.3, you must manually update the PowerFlex
devices. For information about using the upgraded mapper path on PowerFlex 3.6.0.2 and later versions,
see the "Migrate the PowerFlex nodes to the new CloudLink path" section in the Dell EMC PowerFlex
CloudLink for SDS Devices document available on the support site.
Drives that are unencrypted at the time of the upgrade to 7.1.2, and drives encrypted after the upgrade, get the
mapper name /dev/mapper/svm_wwn-XXX for SDS drives and /dev/mapper/svm_nvme-XXX for NVMe drives.
If more than one device on the machine is unencrypted, select the one you want to encrypt. You can encrypt only one device
at a time. The software-encrypted device has a new mapper. For example, /dev/sdc is mapped to /dev/mapper/svm_wwn-XXX.
Only the new encrypted mapper (/dev/mapper/svm_wwn-XXX) can be used as a PowerFlex SDS device.



Steps
1. Log in to CloudLink Center.
2. Click Agents > Machines.
3. Select the check box next to the PowerFlex SDS device you want to encrypt.
4. Click Actions > Encrypt.
The Encrypt dialog box is displayed.
5. From the Volumes/Devices list, select the required PowerFlex device.
6. Click Encrypt.
NOTE: The Boot and Manual Data and Boot and All Data encryption policies are not supported on the SDS drives
installed on a PowerFlex device.
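Because the pre-7.1.2 mapper names survive on upgraded nodes until the first restart, and PowerFlex must be pointed at the new paths, it helps to be able to check a node for leftover names. The following added example, which is not CloudLink's own tooling, classifies the entries under /dev/mapper using only the naming forms described above (svm_sdX for the old form, svm_wwn-XXX and svm_nvme-XXX for the new ones) and lists any that still use the old form. The demo runs against a constructed directory with made-up identifiers so that it does not need real disks.

```shell
#!/bin/sh
# Added example (not CloudLink tooling): audit CloudLink device-mapper names on
# an SDS node after an upgrade to CloudLink 7.1.2 or later. Naming forms are
# taken from the text above. Names that match none of them are reported as
# "other" so that unrelated mappers are never mistaken for CloudLink ones.

# classify_mapper_name NAME -> prints legacy | wwn | nvme | other
classify_mapper_name() {
    case "$1" in
        svm_wwn-*)    echo wwn ;;
        svm_nvme-*)   echo nvme ;;
        svm_sd[a-z]*) echo legacy ;;
        *)            echo other ;;
    esac
}

# list_legacy_mappers [DIR] -> prints the svm_* names under DIR (default
# /dev/mapper) that still use the legacy form, one per line.
# Returns 0 when none are found and 1 when at least one remains.
list_legacy_mappers() {
    dir="${1:-/dev/mapper}"
    found=0
    for path in "$dir"/svm_*; do
        [ -e "$path" ] || continue          # no svm_* entries at all
        name="${path##*/}"
        if [ "$(classify_mapper_name "$name")" = legacy ]; then
            echo "$name"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Demo against a constructed directory instead of the real /dev/mapper;
# the WWN and NVMe identifiers below are made up.
demo_dir="$(mktemp -d)"
: > "$demo_dir/svm_sdb"
: > "$demo_dir/svm_wwn-0x5000c500aabbccdd"
: > "$demo_dir/svm_nvme-0x0025385b91b1e2c3"
if list_legacy_mappers "$demo_dir"; then
    echo "no legacy CloudLink mapper names found"
else
    echo "the mapper(s) listed above still use the pre-7.1.2 name; see the upgrade notes above"
fi
rm -rf "$demo_dir"
```

On a real node, call `list_legacy_mappers` with no argument to scan /dev/mapper; a non-zero exit status makes it usable as a pre-check in an upgrade runbook.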

Erase a PowerFlex SDS device


Use this procedure to erase a PowerFlex SDS device.

Prerequisites
The machine must be in the connected state.

About this task


If more than one device is encrypted, choose the one that you want to erase.

NOTE: Erase a device before you remove it.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Machines.
3. Select the check box next to the machine whose device data you want to erase.
4. Click Actions > Erase.
5. In the Erase dialog box, perform the following:
a. From the Devices list, select the required PowerFlex SDS device.
b. In the Confirm Device Name box, enter the PowerFlex SDS device name to confirm it, and then click Erase.

Erase a PowerFlex SDS device


Use this procedure to erase a PowerFlex SDS device using the PowerFlex GUI.

Steps
1. Use the PowerFlex GUI to remove the device from the PowerFlex Data Server.
The device type is changed to an encrypted raw device in CloudLink Center.

2. Log in to CloudLink Center.


3. Click Agents > Machines.
4. Select the device you want to erase.
5. Click Actions > Erase.
6. In the Erase dialog box, confirm the device path and name.
NOTE: All data on the device is erased.

The device is changed to an unencrypted raw device.



Unlock a moved device
Use this procedure to unlock a moved device.

About this task


A key release policy determines the conditions under which CloudLink Center enables keys to be released (if any) when it
detects that a device is associated with a different machine than the one recorded in the CloudLink Center database. For more
information, see CloudLink key release policies.
The policy may require that you manually unlock the device. For information about the procedure for moving a device and
manually unlocking the device, see Move an encrypted drive to another machine.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Machines.
3. Select the check box next to the machine whose moved disk you want to accept.
4. Click Actions > Pending Volumes/Disks.
The Pending Volumes/Disks dialog box is displayed.
5. From the Pending Volume/Disk list, select the required device.
6. Click Accept.

Manage a self-encrypting drive from CloudLink Center
Use this procedure to manage a self-encrypting drive (SED). The Manage SED option is available only if an SED license is
uploaded and an SED is detected in the physical machine managed by CloudLink Center.

About this task


When CloudLink Center manages an SED, the SED is locked and the encryption key must be released by CloudLink Center to
unlock the SED. When a machine with SEDs is powered on, or when an SED is removed from a machine, the SED must be
unlocked by CloudLink Center.

NOTE: The Manage SED option does not change any data on an SED. It only takes ownership of the encryption key.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Machines.
3. Select the check box next to the SED you want to manage.
4. Click Actions > Manage SED.
The Encrypt dialog box is displayed.
5. From the Volumes list, select the required data volume.
6. Click Encrypt.

Manage a self-encrypting drive from the CLI


Use this procedure to manage an SED from the CLI.

About this task


As an alternative to managing an SED from CloudLink Center, you can manage it from the CLI.



Steps
Enter the following command at the CLI:

svm manage [device_name]

For example:

svm manage /dev/sdb

Encrypt the devices of a machine from the CLI


As an alternative to encrypting a machine’s device from CloudLink Center, you can encrypt it from the CLI.

Prerequisites
The device must not have a file system.

About this task


The process used to encrypt the data device is the same as when encrypting from CloudLink Center. For more information, see
Encrypt a PowerFlex SDS device

Steps
Enter the following command at the CLI:

svm encrypt [device_name]

For example:

svm encrypt /dev/sdb

For more information about the svm parameters, see Linux commands for CloudLink Agent.

Release a self-encrypting drive


Use this procedure to release an SED.

About this task


The Release SED option is available only if an SED license is uploaded and an SED is detected in the physical machine managed
by CloudLink Center.
When CloudLink releases an SED, the SED is unlocked and the encryption key is released by CloudLink Center.

NOTE: The Release SED option does not change any data on an SED. It only releases ownership of the encryption key.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Machines.
3. Select the check box next to the machine whose SED you want to release.
4. Click Actions > Release SED.
5. From the SEDs list, select the required SED.
6. Click Release.



Release management of a self-encrypting drive from the CLI
Use this procedure to release the management of an SED from the CLI.

Steps
Enter the following command:

svm release [device_name]

For example:

svm release /dev/sdb

Monitor the real-time progress of encryption and decryption processes
This topic provides information about monitoring the progress of encryption and decryption processes on a Windows or a Linux
machine.

Windows machines
Use this procedure to monitor the progress of encryption or decryption processes on a Windows machine.

About this task


You can also monitor the progress in the Machines panel. For more information, see View registered machines.

Steps
1. Click the CloudLink Agent icon in the Windows taskbar.
2. Click the Volumes Status option to display the percentage of encryption or decryption that is complete.

Linux machines
After initiating an encryption process on a Linux machine, the current encryption progress is displayed in the machine console. You
can also monitor progress in the Machines panel. For more information, see View registered machines.
The progress of decryption processes is not available for Linux machines.

View volume encryption policy compliance


This topic provides information about the different states of volume encryption policies.
For each machine volume, CloudLink Center indicates its state relative to the machine group’s volume encryption policy.
For a selected machine, you can view the policy states for each volume on the Machines panel. For more information, see View
registered machines.
Volume policy states include:
● OK—The volume complies with the volume encryption policy for the machine group. Any policy exemptions have been
allowed.
● Violated—The volume does not comply with the volume encryption policy for the machine group.



Exempt volumes from encryption in CloudLink Center
This topic provides information about exempting volumes from encryption.
The volume encryption policy for a machine group applies to all volumes for all machines belonging to the group. You may want
to exempt a particular volume from the policy. For example, you might have assigned the Boot and All Data volume encryption
policy to a machine group. However, you want one volume on an individual machine in that group to be decrypted. When you
manually decrypt this volume, it no longer complies with the volume encryption policy for the machine group.
To indicate that a volume does not comply with the machine group’s volume encryption policy, CloudLink Center:
● Triggers an alarm
● Displays an exempt link next to the volume name on the Machines panel
You can specify that you want to allow the non-compliance by allowing an exemption to the volume.
Only decryption of a volume that does not comply with the existing volume encryption policy generates an alarm. Encryption of
a volume will not make a volume non-compliant.

Exempt a volume from the volume encryption policy


Use this procedure to exempt a volume from the volume encryption policy.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Machines.
3. Select the check box next to the machine whose volume you want to exempt.
4. Click Actions > Exempt.

Change the CloudLink Center IP address


This topic provides information about changing the CloudLink Center IP address.
If you want to change the static IP of CloudLink Center and you deployed CloudLink Agent using the static IP, you must change
the CloudLink Center IP address.
You must update each CloudLink Agent with the new CloudLink Center IP address, which is used by CloudLink Agent to
communicate with CloudLink Center.

Change the CloudLink Center IP address on a Windows machine


Use this procedure to change the CloudLink Center IP address on a Windows machine.

Steps
Enter the following command at the PowerShell CLI:

svm /S clc_address

For more information about this command, see Linux commands for CloudLink Agent.



Change the CloudLink Center IP address on a Linux machine
Use this procedure to change the CloudLink Center IP address on a Linux machine.

Steps
Enter the following command at the CLI of a Linux machine:

svm -S clc_address [-v]

For more information about this command, see Linux commands for CloudLink Agent.

Move a machine to a different CloudLink Center


Use this procedure to move a machine to a different CloudLink Center.

About this task


For Enterprise and Microsoft Azure and Azure Stack—You may want to move a machine under the management of a different
CloudLink Center. You must decrypt volumes before moving the machine. Encrypted volumes moved to another machine will not
be accessible.
For PowerFlex—You may want to move a machine under the management of a different CloudLink Center. You must erase
devices before moving the machine. Moving encrypted devices to a new CloudLink Center that is not part of the CloudLink
Center cluster is not supported.
However, you can add a new CloudLink Center to the cluster, and then remove the old CloudLink Center. For more information,
see Add a new CloudLink Center to an existing cluster and remove the old CloudLink Center.

Steps
1. Depending on whether it is a volume or a device, do the following:
● Decrypt any encrypted volumes on the machine
● Erase any encrypted devices on the machine
2. Uninstall the CloudLink Agent.
3. Deploy CloudLink Agent to the machine from the new CloudLink Center.
For information about deploying CloudLink Agent, see the Dell EMC CloudLink Deployment Guide.

Add a new CloudLink Center to an existing cluster and remove the old CloudLink Center
Use this procedure to add a new CloudLink Center to an existing cluster and remove the old CloudLink Center.

Steps
1. Create a backup of the original CloudLink Center cluster. For more information, see CloudLink Center backup.
2. Add a new CloudLink Center to the original CloudLink Center cluster. For more information, see Associate a server to a
CloudLink Center cluster.
3. Wait for the initial synchronization to complete.
4. Wait at least 10 minutes for the machines to discover the new CloudLink Center.
5. Power off the original CloudLink Center cluster.
6. Wait for all machines to connect to the new CloudLink Center cluster.
7. Remove the original CloudLink Center from the cluster. For more information, see Remove a CloudLink Center cluster server.



Unlock out-of-band data disks with an ISO image file
You can unlock data disks attached to machines that are disconnected from CloudLink Center using an ISO image file.
CAUTION: Because data loss is possible, it is recommended that you submit a support ticket at Dell
Technologies Online Support so that a CloudLink support team member can assist you.

Unlock data disks of Linux machines using an ISO image file


Use this procedure when a Linux machine cannot access CloudLink Center due to networking issues, and the data disk or disks
are locked.

Prerequisites
● Root Shell access on the machine that has the locked disk
● CloudLink Center administrative access
● VMware access that enables mounting an ISO image file on the machine with the locked disk



About this task



Next steps
The svm service may stop running on the Linux machine after the machine is reconnected to CloudLink Center. Run one of the
following commands to start the svm service:

systemctl restart svmd

service svmd start

Unlock data disks of Windows machines using an ISO image file


Use this procedure when a Windows machine cannot access CloudLink Center due to networking issues, and the data disk is
locked.

Prerequisites
● Administrative access on the machine that has the locked disk
● CloudLink Center administrative access
● VMware access that enables mounting an ISO image file on the machine with the locked disk

Steps
1. Start the Windows machine before you attempt to unlock the disk.
2. Log in as an administrator to the Windows machine that has the locked disk.
3. In PowerShell, confirm that the data disk is locked using the following command:

svm status

4. Run the following PowerShell command at the CLI:

svm unlock



A challenge code is displayed. You require this to download the ISO file.
5. Leave the PowerShell session open. Do not press Enter to continue.
6. In the Machines panel in CloudLink Center, select the machine with the locked disk.
7. From the Actions menu, select Download Key File.
8. From the File Type list, select the ISO image file.
9. In the Challenge box, enter the challenge code.
10. Click Download, and then save the ISO image file.
11. Upload the ISO image file to the vCenter Server datastore.
12. Use the Edit Settings option in vSphere Client to add or connect to that virtual CD/DVD drive, and then attach the ISO
image file in the datastore.
13. Ensure that the virtual CD/DVD is connected to the machine with the locked disk.
14. On the Windows machine that has the locked disk, return to the PowerShell session and press Enter.
15. Confirm that the data disk is unlocked by running the following PowerShell command:

svm status

16. Use the Edit Settings option in vSphere Client to remove the ISO image file from the virtual CD/DVD.

Unlock out-of-band data disks with a RAW file


You can unlock data disks attached to machines that are disconnected from CloudLink Center using a key file.
CAUTION: Because data loss is possible, it is recommended that you submit a support ticket at Dell
Technologies Online Support so that a CloudLink support team member can assist you.

Unlock data disks of Linux machines using a RAW file


Use this procedure when a Linux machine cannot access CloudLink Center due to networking issues, and the data disk or disks
are locked.

Prerequisites
● Root Shell access on the machine that has the locked disk
● CloudLink Center administrative access

Steps
1. Start the Linux machine before you attempt to unlock the disk.
2. Log in as root to the Linux machine that has the locked disk.
3. Confirm that the data drives are locked using the following command:

svm status

4. Run the following command:

svm unlock

A challenge code is displayed. You require this to download the RAW file.
5. Keep the session open. Do not press Enter.
6. In the CloudLink Center GUI, in the left panel, select the machine with the locked disk.
7. From the Actions menu, select Download Key File.
8. From the File Type list, select the RAW file.
9. In the Challenge box, enter the challenge code.
10. Click Download and save the RAW file.



11. Copy the RAW file to the Linux machine's root (/) directory.
12. On the Linux machine that has the locked disk, return to the root shell session and press Enter.
13. Ensure that the data disk is unlocked by running the following command:

svm status

14. The svm service may stop running on the Linux machine after the machine is reconnected to CloudLink Center. Run one of
the following commands to start the svm service:

systemctl restart svmd

service svmd start

Unlock data disks of Windows machines using a RAW file


Use this procedure when a Windows machine cannot access CloudLink Center due to networking issues, and the data disk or
disks are locked.

Prerequisites
● Administrative access on the machine that has the locked disk
● CloudLink Center administrative access

Steps
1. Start the Windows machine before you attempt to unlock the disk.
2. Log in as an administrator to the Windows machine that has the locked disk.
3. Confirm that the data disks are locked by running the following command:

svm status

4. Run the following command:

svm unlock

A challenge code is displayed. You require this to download the RAW image file.
5. Keep the session open. Do not press Enter.
6. In the CloudLink Center GUI, in the left panel, select the machine with the locked disk.
7. From the Actions menu, select Download Key File.
8. From the File Type list, select the RAW image file.
9. In the Challenge box, enter the challenge code.
10. Click Download and save the RAW image file.
11. Copy the RAW file to the Windows machine's C: drive.
12. On the Windows machine that has the locked disk, return to the PowerShell session and press Enter.
13. Ensure that the data disk is unlocked by running the following PowerShell command:

svm status



8
Manage secure machine groups on CloudLink Center
You can organize machines into groups for administrative or operational purposes. For example, you might group machines for
your Finance department where the volume encryption policy requires encryption of all boot and data volumes. You might also
group machines for your DevOps department where the volume encryption policy requires encryption of only boot volumes.
Each machine group might have a different administrator.
Each machine must belong to a machine group. A machine is assigned to a machine group during deployment. If you do not
specify a group during deployment, the machine is assigned to the built-in machine group named Default. You can change the
machine group that a machine belongs to after deployment.

All machines in a group use the same:


● Key release policies that determine when a machine in the group can start up automatically. For more information, see
CloudLink key release policies.
● For Enterprise and Microsoft Azure and Azure Stack—Volume encryption policy that determines the types of volumes that
must be encrypted (boot, data, or both boot and data). Volume encryption policy applies to virtual machines (boot and data
volumes) or physical machines (data volume only). Volume encryption policy does not apply to a physical machine’s boot
volume. For more information, see CloudLink Center volume encryption policy.
● Keystore where encryption keys are stored. For more information, see Manage encryption keystores and keys in CloudLink
Center.
● Managing roles that determine the roles that administer it. Only users belonging to a managing role for a machine group can
view and make changes to it.
● Approved networks from which machines in the machine group can start up automatically. For more information, see
Manage approved networks for machine groups.
● Approved location that is used to verify that a machine is in the correct place. For more information, see Manage approved
locations for machine groups.



● Key lifetime that determines the frequency that CloudLink Center updates encryption keys for machines in the group. Once a
key is updated, the previous key is expired. By default, keys never expire, which is referred to as an infinite lifetime. You can
change the key lifetime.
Topics:
• CloudLink key release policies
• CloudLink pending machine policy
• CloudLink Center volume encryption policy
• CloudLink Center machine group properties
• View machine groups on CloudLink Center
• Create a machine group on CloudLink Center
• Modify a machine property on a CloudLink Center machine group
• Change the volume encryption policy
• Change the location of a machine group on CloudLink Center
• Change key release policies of a machine group on CloudLink Center
• Change pending policies of a machine group on CloudLink Center
• Generate a registration code for a machine group on CloudLink Center
• Scenarios for using maximum usage of CloudLink licenses
• Reset the license usage for a machine group
• Delete a machine group from CloudLink Center
• Manage approved networks for machine groups
• Manage approved locations for machine groups

CloudLink key release policies


This topic provides information about the key release policies available in CloudLink.
Before CloudLink Center automatically releases keys, a machine must:
● Fulfill the requirements of the key release policies.
● Use an IP address that belongs to an approved network. For more information, see Manage approved networks for machine
groups.
● Belong to an approved location. For more information, see Manage approved locations for machine groups.
● Not have been previously removed. For more information, see Remove a machine from CloudLink Center.
Key release policies may be required to enable:
● A machine to start as part of the prestartup authorization process
● Access to encrypted data volumes
If a machine does not meet the policies, CloudLink Center puts the machine in the pending state, and the key is released only
when you manually accept the machine. For more information about accepting pending machines, see Accept or reject pending
machines in CloudLink.
Key release policies are set for a machine group. For more information, see Manage secure machine groups on CloudLink Center.

Preboot unlock for PowerFlex devices


To enable preboot unlock of devices connected to PowerFlex machines, change all of a machine group's pending policies to
Allow Automatically. This prevents the PowerFlex machine from being placed in the pending state and allows the connected
devices to be unlocked.



CloudLink Center Key Release Policies Matrix
Key release policies inform CloudLink Center whether or not a volume encryption key can be released to an agent when a
machine is powered on.

Table 2. Key release policies in CloudLink Center

Key release policy name: Pending Machine policy
What the policy checks for:
Determines whether a machine is placed in pending state when it connects to CloudLink Center:
● For the first time.
● From a network or location not previously associated with the machine.
Allows the machine to automatically register with CloudLink Center or remain in pending state and require manual approval.
For more information, see CloudLink pending machine policy.
Pending Machine policy (New Machine):
● Determines if a newly added machine has an approved IP address.
● If yes, allows the machine to automatically register with CloudLink Center or remain in pending state and require manual
approval.

Key release policy name: Volume Encryption policy
What the policy checks for:
Determines the volumes that must be encrypted for VMs. For example, the All Data policy encrypts data on all existing data
volumes. When a policy states that a specific volume encryption requirement is optional, administrators must manually choose
which volumes to encrypt using CloudLink Center. By default, this policy is set for a machine group but can be changed. For
individual machines in a group, you can enable a selected volume to be exempt from the group policy. For more information, see
CloudLink Center volume encryption policy.
Volume Encryption policy: Boot and Manual Data—Encrypt boot volumes. Data volumes are not encrypted.
Volume Encryption policy: All Data—Encrypt data volumes. Boot volumes are not encrypted.
● Windows machines: Data volumes are automatically encrypted when added.
● Linux machines: Based on the policy settings, the data volumes are automatically encrypted.
Volume Encryption policy: Boot and All Data—Boot and all data volumes are encrypted.
● Windows machines: Data volumes are automatically encrypted when added.
● Linux machines: Based on the policy settings, the data volumes are automatically encrypted.
Volume Encryption policy: Manual—The boot and data volumes need not be encrypted. Encryption is optional on all volumes.

Key release policy name: Approved networks
What the policy checks for:
Approved networks are definitions within CloudLink Center that specify which IP addresses or address ranges are allowed for
CloudLink agents that request keys. CloudLink Center automatically releases keys if a machine's IP address is on an approved
network. CloudLink Center supports IPv4 and IPv6 addresses for specifying IP addresses for approved networks.
Checks whether the machine IP address belongs to the list of approved networks for its machine group. If it does and all other
key release policies are met, the machine is allowed to start. If not, the machine is put in the pending state. However, during
initial startup following deployment of CloudLink Agent, CloudLink Center allows the machine to go directly to the connected
state; if the machine is then restarted from an address that does not belong to an approved network, CloudLink Center puts it
in the pending state. For more information, see Manage approved networks for machine groups.

Key release policy name: Approved locations
What the policy checks for:
Sometimes it is necessary to limit data access by location. Data regulations may mandate that machines containing specific
data reside and run only in specific locations or data centers. CloudLink Agent can validate that a machine is running in an
approved location within VMware vCenter, Microsoft Azure, or Amazon Web Services environments. For example, you can
create an approved location named "US Datacenter" and select it as an approved location for multiple machine groups. An
approved location is created using specific locations from a cloud provider. For example, the VMware vCenter provider allows
data centers, clusters, ESXi hosts, or vCenter folders to be specified as an approved location.
When a machine starts up, its location is checked against the list of approved locations for its machine group. If a machine
group has no assigned approved locations, no check is performed. A machine is allowed to start if it belongs to an approved
location for its machine group and all key release policies are met. The location of a machine is periodically checked while it is
running to ensure that it has not been moved. Approved locations are also checked when a machine registers with CloudLink
Center. CloudLink validates that a machine is running in an approved VMware vCenter, Microsoft Azure subscription, Microsoft
Azure Stack subscription, or Amazon Web Services location. For more information, see Manage approved locations for machine
groups.

Types of CloudLink key release policies


This topic provides information about the different types of CloudLink key release policies.

CloudLink pending machine policy


This topic provides information about the CloudLink pending machine policy.
The pending machine policy determines whether or not a machine is placed in the pending state when it connects to CloudLink
Center for the first time, or when it connects from a network or location not previously associated with the machine. You can
choose to allow the machine to automatically register with CloudLink Center, or to remain in the pending state and require
manual approval.
The following pending machine policy is applicable only to Enterprise and Microsoft Azure and Azure Stack:
New Machine—If a new machine that has an approved IP address is added to CloudLink Center, you can choose to allow it to
automatically (default) connect to CloudLink Center or require manual approval to connect to CloudLink Center.
This policy applies to VMs.
Change the pending machine policy the same way you change a key release policy. For more information, see Change key
release policies of a machine group on CloudLink Center.

CloudLink Center volume encryption policy


This topic provides information about the volume encryption policy in CloudLink Center.
Volume encryption policy determines which volumes must be encrypted for virtual or physical machines. For example, the All
Data volume encryption policy requires that all existing data volumes on a machine be encrypted.
Volume encryption policy applies to boot or data volumes for VMs.
Volume encryption policy is set for a machine group and can be changed at any time. For more information, see Manage secure
machine groups on CloudLink Center.
For an individual machine in a machine group, you can enable a particular volume to be exempt from the group policy. For more
information, see View volume encryption policy compliance.

Types of volume encryption policies in CloudLink Center


This topic provides information about the different types of volume encryption policies available in CloudLink Center.
● Boot and Manual Data—The boot volume must be encrypted. Data volumes are not required to be encrypted.
● All Data—Data volumes must be encrypted. The boot volume is not required to be encrypted.
○ On Windows machines, data volumes added are automatically encrypted.
○ On Linux machines, based on the policy settings, the data volumes are automatically encrypted.



● Boot and All Data—The boot and all data volumes must be encrypted.
○ On Windows machines, data volumes added to the machine are automatically encrypted.
○ On Linux machines, based on the policy settings, the data volumes are automatically encrypted.
● Manual—The boot and data volumes are not required to be encrypted.
NOTE: Key release requires that the boot volume is encrypted. For more information, see CloudLink key release policies.

NOTE: The Boot and Manual Data and Boot and All Data encryption policies are not supported on the SDS drives
installed on a PowerFlex device.

Handle existing encrypted Windows volumes in CloudLink


You can deploy CloudLink Agent to Windows machines with volumes that are already encrypted by BitLocker. During
deployment, these volumes remain encrypted, and are put under CloudLink Center management.

CloudLink Center machine group properties


This topic provides information about the properties of a machine group in CloudLink Center.
A machine group is composed of several properties. You define many of these properties when creating a machine group. You
can modify these properties at a later time. Other properties are for informational purposes only and cannot be changed.
Machine group properties include:
● Name—The unique name of the machine group.
● Description (optional)—A brief description of the machine group.
● Keystore—The keystore used by all machines in the group. For information, see Set the current keystore.
● Managed By—The names of the roles that administer this machine group.
● Approved Networks (optional)—The networks to which machines in this group belong. The networks must be defined as
an approved network. For more information, see Manage approved networks for machine groups.
● Approved Locations (optional)—An approved location is used to verify that a machine is in the correct place when the
machine starts. For more information, see Manage approved locations for machine groups.
● Shutdown on Locations Failure—Whether or not to automatically power off a machine that starts up outside of an
approved location.
● Registration Code—The code used when deploying CloudLink Agent to a machine to assign it to this machine group.
During deployment of CloudLink Agent to a machine, it is assigned to the Default machine group if no group registration
code is provided. As a deployment option, you can assign the machine to another, existing group by specifying the machine
group’s registration code in the deployment command. For more information, see the Dell EMC CloudLink Deployment Guide.
● Volume Encryption Policy (For Enterprise and Microsoft Azure and Azure Stack)—The volume encryption policy that
applies to all machines in a group. For more information, see CloudLink Center volume encryption policy.
● Manage SED Drives—Select Enabled to have CloudLink manage SED encryption keys. When a machine with SEDs is
registered with this machine group, CloudLink Center controls releasing keys to all SEDs in that machine.
If you select Disabled, a CloudLink administrator must manually select each SED in the machine to control encryption key
release.
This property is only available if you have an SED license and select either the All Data or Boot and All Data encryption
policy.
● Machine Agent Upgrade—Whether or not to automatically upgrade a machine's CloudLink Agent when you upgrade
CloudLink Center.
● Max Usage Since Last Reset—The maximum number of encrypted machine instances (instance or socket license) or
encrypted capacity used in this group since the last reset. This information might be useful if you are assessing your peak
license usage over a specific time frame.
● Current Usage—The number of machine instances currently encrypted (instance or socket license) or encrypted capacity
used in a group.
● Key Lifetime—The frequency that CloudLink Center updates or rotates encryption keys for machines (drives or volumes) in
the group. Once a key is updated, the previous key expires. By default, keys never expire, which is referred to as an infinite
lifetime. For example, when you set the Key Lifetime property of a machine group to 180 days, CloudLink automatically
performs a KEK rotation for all encrypted volumes and managed SEDs defined in that machine group.



You can trigger automatic encryption key changes based on a time interval of days. For example, if you specify an interval of
one day, new encryption keys are generated every day.
When modifying a key lifetime, you can change the following values:
○ Infinite—The encryption key never expires
○ <Number> days—A list of preset values for the number of days before expiry
○ Custom—A number of days before expiry that you specify

● Policies—The current setting of the key release policies that control automatic startup of machines in the group. For more
information, see CloudLink key release policies.

View machine groups on CloudLink Center


You can view a list of the machine groups that you have permission to view.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Machine Groups.
The machine groups are displayed.

Create a machine group on CloudLink Center


A machine group must exist before you can assign a machine to it.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Machine Groups.
3. Click Add.
4. In the Add New Group dialog box, provide the following information:
● Name
● Description
● Volume Encryption Policy
● Manage SED Drives
NOTE: This property is only available if you have an SED license and select either the All Data or Boot and All Data
encryption policy.
● Keystore
● Managed By
● Approved Networks (optional)
● Key Lifetime
● Machine Agent Upgrade
5. Click Add.

Modify a machine property on a CloudLink Center machine group
You can modify all properties for a machine group, except the name.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Machine Groups.
3. Select the check box next to the machine group you want to modify.



4. Click Actions > Modify.
5. In the Modify Group dialog box, modify or provide the following machine properties:
● Description
● Volume Encryption Policy
● Manage SED Drives
NOTE: This property is only available if you have an SED license and select either the All Data or Boot and All Data
encryption policy.
● Keystore
● Managed By (not available for the Default machine group)
● Approved Networks (optional)
● Key Lifetime
● Machine Agent Upgrade
6. Click Modify.

Change the volume encryption policy


Use this procedure to change the volume encryption policy for a machine group.

About this task


For example, a particular machine group may use the Boot and Manual Data policy. This policy requires that only the boot
volume is encrypted for machines in this group. No data volumes must be encrypted. You may want to change to the All Data
policy so that data volumes added to Windows machine are automatically encrypted.
Changing the volume encryption policy does not affect the boot volume or any existing data volumes. The new policy is applied
when data volumes are added to the machine.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Machine Groups.
3. Select the check box next to the machine group whose volume encryption policy you want to change.
4. Click Actions > Modify.

Change the location of a machine group on CloudLink Center
Use this procedure to change the location of a machine group on CloudLink Center.

About this task


You can add an approved location to a machine group. Create an approved location before you add it to a machine group. For
more information, see Manage approved locations for machine groups.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Machine Groups.
3. Select the check box next to the machine group whose group location you want to change.
4. Click Actions > Change Locations.
5. In the Change Group Approved Locations dialog box, change or specify the following machine properties:
● Name
● Approved Locations
● Shutdown on Locations Failure



NOTE: If you set Shutdown on Locations Failure to Yes, you must specify the duration for which CloudLink must
wait before automatically powering off the machine.
6. Click Change.

Change key release policies of a machine group on CloudLink Center
For a machine group, you can modify the key release policies that must be met for a machine in that group to start
automatically.
Here are two examples where default policy settings cause CloudLink Center to prevent a machine from starting up
automatically:
● A machine attempts to start up with a different IP address than the IP address recorded for that machine in the CloudLink
Center database. CloudLink Center puts this machine in the pending state.
● A machine that is registered with CloudLink Center cannot boot, so you move its encrypted data volume or PowerFlex
SDS device to another registered machine. When this machine attempts to start, CloudLink Center detects that the data
volume or PowerFlex SDS device is associated with a different machine than the machine recorded in the CloudLink Center
database. CloudLink Center allows the machine to start up, but puts it in the pending state and locks the moved data volume
or PowerFlex SDS device to make it inaccessible.
When machines are in the pending state, you can manually accept or reject the startup. For more information, see Accept or
reject pending machines in CloudLink.
To avoid having to manually accept each startup, you can change the default key release policy to allow CloudLink Center to
release keys for volumes or devices of a machine when machines start up. For example, you can allow CloudLink Center to
release the key for moved data volumes on startup. CloudLink Center also updates its database to associate the moved data
volume with the current machine and automatically unlocks data volumes.
● For instructions about unlocking a moved volume or a device, see Unlock a moved volume or a device.
● For instructions about moving a data volume or a PowerFlex SDS device, see Move an encrypted disk to another machine.

Change pending policies of a machine group on CloudLink Center
For a machine group, you can modify the key release policies that must be met for a machine in that group to start
automatically.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Machine Groups.
3. Select the check box next to the machine group whose key release policies you want to change.
4. Click Actions > Change Pending Policies.
5. In the Change Group Policies dialog box, change or specify the following policy setting values:
● Require Manual Approval (default)—If the key release policy is not met, you must manually accept the startup.
● Allow Automatically—If the key release policy is not met, the startup is allowed to continue.
● Allow If Address Is On The Same Subnet—This value is only available for the When a new IP address detected
policy.
If the IP address of the machine is different from the address stored in the CloudLink Center database, but remains in
the same subnet (/24 mask), the startup is allowed to continue. The new IP address is recorded for this machine in the
database.
This option is useful when you know that the IP address of a machine may change. For example, in some cloud
environments (such as Microsoft Azure), the public IP address of a machine may change when it is powered off and
restarted. A new IP address is assigned from the same subnet as the previous address.

6. Click Change.



Generate a registration code for a machine group on
CloudLink Center
When you create a machine group, CloudLink Center generates a registration code. You may want to generate a new
registration code for a machine group, for example, if you suspect that the existing registration code has been compromised.

About this task


The registration code is used to assign a machine to a machine group during deployment. For more information, see CloudLink
Center machine group properties.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Machine Groups.
3. Select the check box next to the machine group for which you want to generate a new registration code.
4. Click Actions > Generate New Code.
5. In the Confirm Code Generation dialog box, click Generate.

Scenarios for using maximum usage of CloudLink licenses
This topic provides information about the scenarios for using the maximum usage of CloudLink licenses.
CloudLink Center keeps track of the:
● Max Usage Since Last Reset value—The maximum number of encrypted machine instances or encrypted capacity used in
the group since the last reset.
● Current Usage value—The number of machine instances currently encrypted or encrypted capacity currently used in the
group.
These values work in combination to help you understand your license usage, as described in the following example.
● You encrypt three machines in the Production machine group. Both the Max Usage Since Last Reset and Current Usage
values are 3.



● At a later time, you move one machine to another machine group. The Max Usage Since Last Reset value is 3 and the
Current Usage value is 2.
● You reset the usage for the Production machine group. The Max Usage Since Last Reset value is 2 and the Current Usage
value is 2.
If you reset the usage for a machine group at regular intervals (for example, on the first day of each month), you can monitor
your license usage over time.

Reset the license usage for a machine group


About this task
If you are assessing your peak license usage over a specific time frame, you can reset the license usage for a machine group. For
more information, see Scenarios for using maximum usage of CloudLink licenses.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Machine Groups.
3. Select the check box next to the machine group whose license usage you want to reset.
4. Click Actions > Reset Usage.
5. In the Confirm Usage Reset dialog box, click Reset.

Delete a machine group from CloudLink Center


You can delete any machine group except the built-in Default machine group.

Prerequisites
● You must be a user who is assigned to a role that manages the machine group you want to delete.
● The machine group must not have any machines assigned to it.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Machine Groups.
3. Select the check box next to the machine group you want to delete.
4. Click Actions > Delete.

Manage approved networks for machine groups


When a machine starts up, its IP address is checked against a list of approved networks (or approved IP addresses) for its
machine group. If the IP address of the machine belongs to an approved network for the group and all key release policies are
met, the machine is allowed to start. For more information, see CloudLink key release policies.
Each approved network is assigned a unique name, which allows approved networks to be reused across machine groups. For
example, you might create an approved network named CloudLink Lab and select that name to easily specify it as an approved
network for machine groups.
If a machine starts up and its IP address does not belong to an approved network for the group, the machine is put in the
pending state.
There is one circumstance in which a machine can automatically start if its IP address does not belong to an approved network.
On initial startup following deployment of CloudLink Agent, CloudLink Center allows the machine to go directly to the connected
state. However, if the machine is restarted, CloudLink Center puts it in the pending state.
CloudLink Center supports IPv4 and IPv6 addresses for specifying IP addresses for approved networks.



View approved networks on CloudLink Center
You can view the list of approved networks that have been defined in CloudLink Center.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Approved Networks.
The list of approved networks is displayed.

Add an approved network to CloudLink Center


About this task
You add approved networks that you want to assign to machine groups. Adding an approved network involves defining its name
and, optionally, description. After adding an approved network, you specify its IP addresses. For more information, see Add IP
addresses to an approved network in CloudLink Center.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Approved Networks > Add.
3. In the Add Network dialog box, provide the following:
● Name—The unique name of the approved network. This name makes it easier to assign to a machine group.
● Description (optional)—A brief description of the approved network.
4. Click Add.

Add IP addresses to an approved network in CloudLink Center


You add the IP addresses that you want automatically approved to each approved network. CloudLink Center supports IPv4 and
IPv6 addresses for specifying IP addresses for approved networks.

Prerequisites
Before you can add IP addresses, the approved network must exist. For information, see Add an approved network to CloudLink
Center.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Approved Networks > Add.
3. Select the check box next to the network to which you want to add an IP address.
4. Click Actions > Add IP to Network.
5. In the Add IP to Network dialog box, select the required IP address type and enter the IP address.
The IP address format listed depends on the IP address type that you select from the Type list.
6. From the Type list, select one of the following IP address types:
a. If you select IP Address, then enter the IP address in the IP box.
b. If you select the IP Addresses Range, then specify the Start IP and End IP range in the Start IP and End IP box.
c. If you select CIDR, then specify a network of IP addresses using CIDR in the CIDR box.
7. Click Add.
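The three entry types above all define a set of addresses against which an agent's source address is compared. The following Python script is an added example, not CloudLink code, that models that comparison with the standard ipaddress module: it turns each entry type into an inclusive address range, rejects entries that would be ambiguous as an ACL rule (a reversed range, a range that mixes IPv4 and IPv6, or a CIDR prefix with host bits set) instead of silently widening them, and reports whether a given agent address falls inside any entry of the network. The handling of IPv4-mapped IPv6 addresses (::ffff:a.b.c.d, as seen on dual-stack hosts) is an assumption made for the example and is not documented CloudLink behaviour.

```python
import ipaddress
from typing import Iterable, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
# An approved-network entry in the shape of the Add IP to Network dialog:
#   ("IP Address", "10.0.0.5")
#   ("IP Addresses Range", "10.0.0.10", "10.0.0.20")
#   ("CIDR", "2001:db8::/32")
Entry = Tuple[str, ...]


def entry_to_range(entry: Entry) -> Tuple[IPAddr, IPAddr]:
    """Return the inclusive (lowest, highest) addresses covered by one entry.

    Raises ValueError for an entry that would be ambiguous as an ACL rule,
    rather than silently widening or narrowing it.
    """
    kind, *fields = entry
    if kind == "IP Address" and len(fields) == 1:
        addr = ipaddress.ip_address(fields[0])
        return addr, addr
    if kind == "IP Addresses Range" and len(fields) == 2:
        start, end = ipaddress.ip_address(fields[0]), ipaddress.ip_address(fields[1])
        if start.version != end.version:
            raise ValueError(f"range mixes IPv{start.version} and IPv{end.version}: {entry}")
        if start > end:
            raise ValueError(f"Start IP is after End IP: {entry}")
        return start, end
    if kind == "CIDR" and len(fields) == 1:
        # strict=True: "10.0.0.1/24" is rejected instead of being widened to 10.0.0.0/24
        net = ipaddress.ip_network(fields[0], strict=True)
        return net.network_address, net.broadcast_address
    raise ValueError(f"malformed entry {entry!r}")


def normalize(address: str) -> IPAddr:
    """Parse an agent address; map ::ffff:a.b.c.d back to IPv4 (assumption for dual-stack hosts)."""
    addr = ipaddress.ip_address(address)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_approved(address: str, network: Iterable[Entry]) -> bool:
    """True if the address falls inside any entry of the approved network."""
    addr = normalize(address)
    for entry in network:
        low, high = entry_to_range(entry)
        # Different address families never match; comparing them would raise TypeError.
        if low.version == addr.version and low <= addr <= high:
            return True
    return False


def validate_network(network: Iterable[Entry]) -> list:
    """Return (entry, reason) pairs for entries that would not be accepted as ACL rules."""
    problems = []
    for entry in network:
        try:
            entry_to_range(entry)
        except ValueError as exc:
            problems.append((entry, str(exc)))
    return problems


if __name__ == "__main__":
    # Constructed sample: one approved network with all three entry types.
    corp_mgmt = [
        ("IP Address", "10.0.0.5"),
        ("IP Addresses Range", "10.0.0.10", "10.0.0.20"),
        ("CIDR", "2001:db8::/32"),
    ]
    for candidate in ("10.0.0.5", "10.0.0.15", "10.0.0.21", "2001:db8:1::1", "::ffff:10.0.0.5"):
        print(f"{candidate:>18} approved={is_approved(candidate, corp_mgmt)}")
    print(validate_network([("IP Addresses Range", "10.0.0.20", "10.0.0.10"), ("CIDR", "10.0.0.1/24")]))
```

Run validate_network over the entries before entering them in the dialog; a rejected CIDR entry with host bits set is usually a typo that would otherwise approve a whole subnet.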



Edit IP addresses of an approved network in CloudLink Center
You can edit an IP address of an approved network.

About this task


You can change the ACL type of an entry and its associated IP addresses. For more information, see Add IP addresses to an
approved network in CloudLink Center.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Approved Networks.
3. Select the check box next to the network whose IP address you want to edit.
The IP addresses are displayed below the table entries.
4. To edit an IP address, click Edit.
5. In the Modify IP dialog box, from the ACL Type list, select the ACL type, and then enter the address information.
The fields displayed depend on the ACL type that you select:
a. If you select IP Address, enter a single IP address in the IP box.
b. If you select IP Addresses Range, enter the first and last addresses of the range in the Start IP and End IP boxes.
c. If you select CIDR, enter the network in CIDR notation in the CIDR box.
6. Click Modify.

Delete IP addresses of an approved network in CloudLink Center


You can delete an IP address for an approved network.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Approved Networks.
3. Select the check box next to the network whose IP address you want to delete.
The IP addresses are displayed below the table entries.
4. To delete an IP address, click Delete.
5. In the Confirm IP Deletion dialog box, when prompted to confirm the request, click Delete.

Modify an approved network


You can modify an approved network by changing its description.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Approved Networks.
3. Select the check box next to the network whose description you want to change.
4. Click Actions > Modify.
5. In the Modify dialog box, enter the description.
6. Click Modify.



Delete an approved network
You can delete an approved network, as long as it has not been assigned to a machine group.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Approved Networks.
3. Select the check box next to the network you want to delete.
4. Click Actions > Delete.
5. In the Confirm Network Deletion dialog box, when prompted to confirm the deletion request, click Delete.

Manage approved locations for machine groups


This topic provides information about the approved locations for machine groups in CloudLink Center.
It is sometimes necessary to limit data access by location. Data sovereignty regulations might mandate that machines containing
specific data only reside and run in specific locations or data centers.
CloudLink can validate that a machine is running in an approved VMware vCenter, Microsoft Azure subscription, Microsoft
Azure Stack subscription, or Amazon Web Services location. Each approved location is given a unique name, which allows
approved locations to be reused across machine groups. For example, you can create an approved location named “US
Datacenter” and select it as an approved location for multiple machine groups. An approved location is created using specific
locations from a cloud provider. For example, the VMware vCenter provider allows data centers, clusters, ESXi hosts, or
vCenter folders to be specified as an approved location.
When a machine starts up, its location is checked against a list of approved locations for its machine group. If a machine group
has no assigned approved locations, then no check is performed. A machine is allowed to start if it belongs to an approved
location for its machine group and all key release policies are met. For more information, see CloudLink key release policies.
If a machine starts up and it is not located in an approved location for the machine group, CloudLink Center can automatically
power off the machine after a specified duration, or leave the machine powered on.
The location of a running machine is checked periodically to ensure that it has not been moved. A machine is powered off if its
location has changed and it is no longer running in an approved location. Machines may also be powered off if you change the
approved locations in CloudLink Center. This shutdown limits data exposure in an unapproved location. Every power-off request is
recorded as a security event that includes how long the machine may have been running in the unapproved location.
Approved locations are also checked when a machine registers with CloudLink Center. Registration is unsuccessful if the
location of a machine is not approved for use within the machine group.
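The location policy described above has a few branches that matter in a deployment: a machine group with no approved locations is never checked; an approved location is a container (for example, a vCenter data center) that covers everything nested inside it; and a machine found outside its approved locations is either left running or powered off after a configured duration, with the time spent in the unapproved location recorded. The following Python script is an added example that models those rules for startup, registration and periodic checks. It is not CloudLink code; the path-based representation of Cloud Provider instances, the action names and the field names are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProviderInstance:
    """A location inside a Cloud Provider, expressed as a path below the provider.

    Constructed examples: ProviderInstance("vcenter-east") is the entire vCenter;
    ProviderInstance("vcenter-east", ("DC-US", "Cluster-A")) is one cluster in one data center.
    """
    provider: str
    path: Tuple[str, ...] = ()

    def contains(self, other: "ProviderInstance") -> bool:
        # A machine at a deeper path is inside this instance when the path prefix matches.
        return (self.provider == other.provider
                and other.path[:len(self.path)] == self.path)


@dataclass
class ApprovedLocation:
    name: str                                     # e.g. "US Datacenter", reusable across groups
    instances: List[ProviderInstance] = field(default_factory=list)


@dataclass
class MachineGroup:
    name: str
    approved_locations: List[ApprovedLocation] = field(default_factory=list)
    power_off_after_seconds: Optional[int] = None  # None: leave an unapproved machine powered on


def location_allowed(group: MachineGroup, where: ProviderInstance) -> bool:
    """A group with no approved locations performs no check at all."""
    if not group.approved_locations:
        return True
    return any(inst.contains(where)
               for loc in group.approved_locations for inst in loc.instances)


def evaluate(group: MachineGroup, where: ProviderInstance,
             unapproved_since: Optional[float], now: float) -> Tuple[str, Optional[dict]]:
    """Decide what to do at a startup or periodic check.

    Returns (action, security_event). action is one of:
      "allow"     - running in an approved location (or the group is unchecked)
      "leave_on"  - unapproved, but the group has no power-off duration
      "wait"      - unapproved, power-off duration not yet reached
      "power_off" - unapproved for at least the configured duration
    The event records how long the machine has been in the unapproved location.
    """
    if location_allowed(group, where):
        return "allow", None
    exposed = now - (unapproved_since if unapproved_since is not None else now)
    event = {"group": group.name, "location": where, "unapproved_seconds": exposed}
    if group.power_off_after_seconds is None:
        return "leave_on", event
    if exposed >= group.power_off_after_seconds:
        return "power_off", event
    return "wait", event


def registration_allowed(group: MachineGroup, where: ProviderInstance) -> bool:
    """Registration is refused when the machine is not in an approved location for its group."""
    return location_allowed(group, where)


if __name__ == "__main__":
    us_dc = ApprovedLocation("US Datacenter", [ProviderInstance("vcenter-east", ("DC-US",))])
    group = MachineGroup("payroll", [us_dc], power_off_after_seconds=300)
    in_us = ProviderInstance("vcenter-east", ("DC-US", "Cluster-A", "esxi-01"))
    in_eu = ProviderInstance("vcenter-east", ("DC-EU", "Cluster-B", "esxi-07"))
    print(evaluate(group, in_us, None, 1000.0))       # allowed: nested under DC-US
    print(evaluate(group, in_eu, 1000.0, 1100.0))     # moved 100 s ago: wait
    print(evaluate(group, in_eu, 1000.0, 1400.0))     # 400 s in DC-EU: power off
    print(registration_allowed(MachineGroup("unchecked"), in_eu))  # no locations: no check
```

Note the asymmetry the model makes visible: an empty approved-location list disables the check entirely, so a group that should be location-bound must have at least one approved location assigned before any machine in it is registered.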

View approved locations


Use this procedure to view the list of approved locations that have been defined in CloudLink Center.

Steps
1. Log in to CloudLink Center.
2. Click Location > Approved Locations.
The list of approved locations is displayed.

Add approved Cloud Providers to approved locations


A Cloud Provider is a server or host that provides information about the location of a machine. CloudLink Center supports
VMware vCenter, Microsoft Azure, Microsoft Azure Stack, and Amazon Web Services as Cloud Providers. The VMware vCenter
provider enables an entire vCenter, a data center, a cluster, a folder, or an ESXi host to be specified as a location.

Prerequisites
A Cloud Provider host, such as VMware vCenter.



Steps
1. Log in to CloudLink Center.
2. Click Location > Cloud Providers > Add.
3. In the Add New Provider dialog box, enter the provider name and description, and select the type of Cloud Provider.
The fields displayed depend on the type that you select from the Type list.
4. From the Type list, select the required Cloud provider.
a. If you select VMware vCenter, then enter the following information.
● Address—Cloud Provider address, in FQDN format or an IPv4 or IPv6 address
● Username—Domain and username for the Cloud Provider account
● Password—Password for the Cloud Provider account
b. If you select Microsoft Azure Subscription, then enter the following information:
● Subscription ID—Azure subscription ID
● Client ID—Azure client ID
● Client Key—Azure client key

NOTE: Use Microsoft Azure Subscription only with machines deployed in the new portal at portal.azure.com.

c. If you select Microsoft Azure Stack Subscription, then enter the following information:
● Server—The server hostname or IP address
● Subscription ID—Azure subscription ID
● Client ID—Azure client ID
● Client Key—Azure client key
d. If you select Amazon Web Services, then enter the following information:
● Region—Physical location of the AWS Cloud Provider
● Access Key ID—Access key for your AWS account. This access key must have permission to list the running
instances in your AWS account. At a minimum, the IAM identity must have the AWS managed policy
AmazonEC2ReadOnlyAccess (Amazon EC2 Read Only Access) attached.
● Secret Access Key—Secret access key for your AWS account
5. Click Add.

Add an approved location


You can add approved locations and assign them to machine groups.

Steps
1. Log in to CloudLink Center.
2. Click Location > Approved Locations > Add.
3. In the Add Location dialog box, enter the name and description of the approved location.
4. Click Add.

Add a Cloud Provider instance to an approved location


A Cloud Provider instance is a location in a Cloud Provider, such as a datacenter or cluster. The instance can be defined as all of
a Cloud Provider or a subset of a Cloud Provider.

Prerequisites
A Cloud Provider host, such as VMware vCenter. For more information see, Add approved Cloud Providers to approved
locations.

Steps
1. Log in to CloudLink Center.
2. Click Location > Approved Locations.



3. Select the check box next to the approved location to which you want to add a cloud provider instance.
4. Click Actions > Add Instance to Location.
5. In the Add Instance to Location dialog box, select a previously added Cloud Provider and the type of instance (for example,
a vCenter data center or cluster) to add from it.
6. Click Add.

Modify Cloud Providers


Use this procedure to modify a Cloud Provider.

Steps
1. Log in to CloudLink Center.
2. Click Location > Cloud Providers.
3. Select the check box next to the cloud provider you want to modify.
4. Click Actions > Modify.
5. In the Modify Provider dialog box, modify the Cloud Provider description, username, or password. For more information,
see Add approved Cloud Providers to approved locations.

Delete Cloud Providers


Use this procedure to delete a Cloud Provider.

Steps
1. Log in to CloudLink Center.
2. Click Location > Cloud Providers.
3. Select the check box next to the cloud provider you want to delete.
4. Click Actions > Delete.
5. In the Confirm Provider Deletion dialog box, when prompted to confirm the delete request, click Delete.

Modify approved locations


Use this procedure to modify an approved location.

Steps
1. Log in to CloudLink Center.
2. Click Location > Approved Locations.
3. Select the check box next to the approved location you want to modify.
4. Click Actions > Modify.
5. In the Modify Location dialog box, modify the description of the location.

Delete approved locations


Use this procedure to delete an approved location that is not assigned to a machine group.

Steps
1. Log in to CloudLink Center.
2. Click Location > Approved Locations.
3. Select the check box next to the approved location you want to delete.
4. Click Actions > Delete.
5. In the Confirm Location Deletion dialog box, when prompted to confirm the delete request, click Delete.



9
Secure CloudLink Center agents using third-
party signed certificates
In CloudLink versions earlier than 7.1.3, agents are installed by using self-signed certificates that the agents generate internally.
In CloudLink 7.1.3 and later versions, you can strengthen the authentication of agents to CloudLink Center by assigning each
agent machine a third-party signed (CA-signed) certificate. You upload a third-party signed CA certificate to the CloudLink
Center server, which uses it to generate a unique certificate for each agent. Each agent must then be configured to use its
certificate to connect to CloudLink Center. For information about downloading and installing agents that use self-signed
certificates, see the "Deploy, configure, and verify CloudLink Agents on Windows and Linux machines" chapter in the Dell EMC
CloudLink Deployment Guide available on the support site.
NOTE: If you are using a CloudLink version earlier than 7.1.3, where an agent uses a self-signed certificate, and you want to
assign a third-party signed certificate to that agent, you must first upgrade to CloudLink 7.1.3. For information about
upgrading to CloudLink 7.1.3, see the Dell EMC CloudLink Upgrade Guide available on the support site.
Key aspects of this feature:
● You can use a third-party signed certificate on either Windows or Linux agent machines.
● You cannot assign one third-party signed agent certificate to more than one agent machine. You must download a separate
certificate from CloudLink Center for each machine.
● You can generate a CSR in CloudLink Center, have it signed by a third-party CA, and then upload the signed certificate.
● You can choose not to use third-party signed certificates for connecting agent machines to CloudLink.
● Currently, only the PEM format is supported for the CA certificate.
Topics:
• Generate a CSR using CloudLink to get a third-party certificate for an agent machine
• Upload a third-party signed CA certificate to CloudLink
• Download a third-party signed certificate for CloudLink agent
• Assign third-party signed certificate to a CloudLink Center Linux agent
• Assign third-party signed certificate to a CloudLink Center Windows agent

Generate a CSR using CloudLink to get a third-party certificate for an agent machine
By using CloudLink, you can generate a CSR so it can be signed by an external CA. You can also get a certificate independently
issued by a third party. To generate a CSR by using CloudLink, do the following:

Steps
1. On the CloudLink Center GUI, click AGENTS > Agent Download.
2. Click Actions > Generate CSR.
3. In the GENERATE CERTIFICATE SIGNING REQUEST dialog box, enter or select the required values.
NOTE: By default, the Common Name field is populated with the hostname of CloudLink Center.

4. Click Generate.
A CSR file is generated.
5. Send the CSR to your third-party CA to obtain a CA-signed certificate.
6. After you receive the signed certificate, upload it to CloudLink by selecting the CLOUDLINK GENERATED option, so that
you can generate an individual certificate for each agent and assign it to connect that agent to CloudLink. See Upload a
third-party signed CA certificate to CloudLink.

68 Secure CloudLink Center agents using third-party signed certificates


Upload a third-party signed CA certificate to
CloudLink
To assign a third-party signed certificate to an agent, you must upload the certificate to CloudLink so you can generate,
download, and assign a CA-approved certificate for each agent. To upload a certificate, do the following:

Steps
1. On the CloudLink Center GUI, click AGENTS > Agent Download.
2. Click Actions > Upload CA.
3. From the Certificate Format drop-down menu, select one of the following:
● THIRD PARTY GENERATED PEM—Select to upload a PEM certificate that is issued by an independent CA, and then
upload both the certificate and key files.
NOTE: Currently, only the PEM format is supported. However, KMIP servers support both the PEM and PKCS12
formats.
● CLOUDLINK GENERATED—Select to upload a certificate issued by a CA whose CSR was generated by CloudLink. See
Generate a CSR using CloudLink to get a third-party certificate for an agent machine.
4. To review the summary of a certificate, click Preview.
Information about the certificate name, expiry date, and fingerprint is displayed.
5. Click Upload. The third-party signed certificate is uploaded to CloudLink. A message is displayed indicating that an SVM CA
certificate is successfully uploaded. You can view more information about this in the Actions list.
NOTE: Each time you upload a new third-party signed CA certificate, the agent machines that are already connected to
CloudLink by using third-party signed certificates are automatically disconnected from CloudLink.

NOTE: You can choose not to use third-party signed certificates for connecting agent machines to CloudLink. However,
if a new third-party signed certificate is uploaded to CloudLink, the already connected agents are disconnected after
they restart. To reconnect such an agent, run the following command in PowerShell: svm /S <CloudLink IP>.

6. Go to the Agent Download page, download the agent certificate again for each agent machine, and then assign it to that
agent machine.
For information about assigning a third-party signed certificate to CloudLink agents, see Assign third-party signed certificate
to a CloudLink Center Windows agent or Assign third-party signed certificate to a CloudLink Center Linux agent.

Download a third-party signed certificate for CloudLink agent
By using the CloudLink GUI, you can generate and download a certificate for each agent machine, and then assign it to that
machine. A third-party signed agent certificate can be used on either a Windows or a Linux agent; however, a certificate cannot
be used on more than one agent. To download a certificate, do the following:

Steps
1. On the CloudLink Center GUI, click AGENTS > Agent Download.
2. Click Download Agent Certificate.
The third-party signed certificate is downloaded in a compressed file that contains the securevm.cer and securevm.key
files. The .CER file is the certificate and the .KEY file is its private key.
NOTE: You can download the third-party certificate to any folder on a Windows system, but you must specify that folder's
path correctly when running the msiexec or clagent.bat command.
3. Expand the compressed file.
4. Save both extracted files to a folder on the agent machine.
The folder path must not contain white space. For example, My Folder is rejected, but My_Folder is accepted.
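The bundle described above carries the agent's private key, so it is worth checking before it is copied to a machine and before its path is passed to msiexec, clagent.bat or svm -C. The following Python script is an added example, not CloudLink code: it opens the downloaded compressed file in memory, verifies that it holds the securevm.cer and securevm.key PEM members, refuses a destination path that contains white space, writes the files out with the key readable only by its owner, and computes the certificate's colon-separated SHA-256 fingerprint. That fingerprint can be compared with the value that Preview shows when you upload the CA certificate, or kept as an inventory of which certificate went to which agent, since a certificate must not be reused on a second machine. The warning about the /tmp directory reflects the Linux procedures later in this chapter. The bundle built by build_sample_bundle() is constructed for the example and does not contain a real certificate.

```python
import base64
import hashlib
import io
import platform
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict

CERT_NAME = "securevm.cer"
KEY_NAME = "securevm.key"
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first PEM block in pem_text."""
    match = PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no PEM block found")
    return base64.b64decode(match.group(2))   # line breaks inside the body are ignored


def fingerprint(pem_text: str, algorithm: str = "sha256") -> str:
    """Colon-separated, upper-case digest of the DER certificate, as GUIs usually display it."""
    digest = hashlib.new(algorithm, pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def extract_agent_bundle(zip_bytes: bytes, dest: str) -> Dict[str, object]:
    """Validate and unpack the downloaded agent certificate bundle into dest.

    Returns the PEM labels found, the certificate fingerprint and any warnings.
    """
    if any(ch.isspace() for ch in dest):
        # The installer commands take the folder path as a single token.
        raise ValueError(f"destination path must not contain white space: {dest!r}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as bundle:
        missing = {CERT_NAME, KEY_NAME} - set(bundle.namelist())
        if missing:
            raise ValueError(f"bundle is missing {sorted(missing)}")
        cert_text = bundle.read(CERT_NAME).decode("ascii")
        key_text = bundle.read(KEY_NAME).decode("ascii")
    cert_match, key_match = PEM_BLOCK.search(cert_text), PEM_BLOCK.search(key_text)
    if not cert_match or cert_match.group(1) != "CERTIFICATE":
        raise ValueError(f"{CERT_NAME} is not a PEM certificate")
    if not key_match or not key_match.group(1).endswith("PRIVATE KEY"):
        raise ValueError(f"{KEY_NAME} is not a PEM private key")

    out_dir = Path(dest)
    out_dir.mkdir(parents=True, exist_ok=True)
    (out_dir / CERT_NAME).write_text(cert_text)
    key_path = out_dir / KEY_NAME
    key_path.write_text(key_text)
    key_path.chmod(0o600)   # private key: owner-only on POSIX; no effect on Windows ACLs

    warnings = []
    resolved = out_dir.resolve()
    if platform.system() == "Linux" and Path("/tmp") not in resolved.parents:
        warnings.append("Linux agents expect the files under /tmp (see the Linux procedures)")
    return {
        "certificate": cert_match.group(1),
        "key": key_match.group(1),
        "fingerprint": fingerprint(cert_text),
        "warnings": warnings,
    }


def build_sample_bundle() -> bytes:
    """Constructed stand-in for the download: the PEM bodies decode to b'abc', not a real X.509 object."""
    cert = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN PRIVATE KEY-----\nYWJj\n-----END PRIVATE KEY-----\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as bundle:
        bundle.writestr(CERT_NAME, cert)
        bundle.writestr(KEY_NAME, key)
    return buf.getvalue()


def run_demo() -> Dict[str, object]:
    """Unpack the constructed bundle into a fresh temporary folder (no white space in its name)."""
    dest = Path(tempfile.mkdtemp(prefix="clagent_")) / "certs"
    return extract_agent_bundle(build_sample_bundle(), str(dest))


if __name__ == "__main__":
    print(run_demo())
```

Run it against the real download by passing the file's bytes and the folder you intend to give to the installer; the fingerprint in the result is what to record against the agent's hostname before the key files are deleted from the staging folder.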



Assign third-party signed certificate to a CloudLink
Center Linux agent
You can enable Linux agents to use a third-party signed certificate in two scenarios:
● A fresh deployment of CloudLink 7.1.3. See Assign third-party signed certificate during new installation of CloudLink 7.1.3 on
Linux agent.
● An upgrade of CloudLink from a 7.x.x version to 7.1.3. See Assign third-party signed certificate to a Linux agent when
upgrading CloudLink from 7.x.x.

Assign third-party signed certificate during new installation of CloudLink 7.1.3 on Linux agent
To download a third-party signed certificate and assign it to a Linux agent associated with a newly deployed CloudLink 7.1.3, do
the following:

Steps
1. Install and connect an agent to CloudLink Center. See the "Install CloudLink Agent using Standard mode" section in the Dell
EMC CloudLink Center Deployment Guide.
2. Download a third-party signed certificate for CloudLink agent.
3. Install third-party certificate and key on a Linux agent or Install and connect Linux agent to CloudLink by using Linux Installer
script.
4. Enable CloudLink to authenticate an agent assigned with a third-party signed certificate.

Enable client authentication


In CloudLink versions earlier than 7.1.3, agents are installed by using certificates that the agents self-sign. In CloudLink 7.1.3
and later versions, the Client Authentication feature requires agents to connect to CloudLink by using a third-party signed
certificate.
After you upgrade CloudLink to 7.1.3, the machines remain in the connected state. However, if you enable Client Authentication
mode, machines that are not connected to CloudLink by using a third-party signed certificate go to the disconnected state. If you
want your agent machines to keep using self-signed certificates, leave Client Authentication mode disabled.
NOTE: If you are using a CloudLink version earlier than 7.1.3, where an agent uses a self-signed certificate, and you want to
assign a third-party signed certificate to that agent, you must first upgrade to CloudLink 7.1.3. For information about
upgrading to CloudLink 7.1.3, see the Dell EMC CloudLink Upgrade Guide available on the support site.

Enable CloudLink to authenticate an agent assigned with a third-party signed certificate
By default, Client Authentication mode is disabled on CloudLink Center. To enable the Client Authentication feature, do the
following:

Steps
1. On the CloudLink GUI, in the left pane, click AGENTS > Agent Download.
2. In the working pane, from the Actions list, select Change Client Authentication.
3. In the CHANGE CLIENT AUTHENTICATION dialog box, from the drop-down menu, select Enabled.
● Enabled—Agents can connect only by using a third-party signed certificate.
● Disabled—Agents can connect by using either the internal self-signed certificate or a third-party signed certificate.
4. Click Change.
All connected agents are checked to determine whether they are connected to CloudLink by using a valid third-party signed
certificate. Agents that are show the status Connected; all others are shown as Disconnected.



NOTE: After uploading the third-party CA certificate to CloudLink, enable client authentication on CloudLink; all the
existing machines are then disconnected. After you assign the new third-party signed certificate to each agent individually,
the agents reconnect to CloudLink by using the new certificates.
To connect an agent by using a third-party signed certificate, do one of the following:
● Assign third-party signed certificate to a CloudLink Center Linux agent.
● Assign third-party signed certificate to a CloudLink Center Windows agent.

Install third-party certificate and key on a Linux agent


To install a Linux agent and connect it to CloudLink by using the Linux Installer package when newly deploying CloudLink 7.1.3,
do the following:

Steps
1. Download a third-party signed certificate for CloudLink agent.
2. Ensure that both the extracted files are stored in the /tmp directory on the agent.
NOTE: Unlike for Windows agents, you must save the third-party signed certificate for Linux agents only in the /tmp
directory.

3. Complete the tasks listed in the "Download CloudLink Agent installer script for Standard mode on Linux CLI" section of the
Dell EMC CloudLink Deployment Guide available on the support site.

Install and connect Linux agent to CloudLink by using Linux Installer script
To install a Linux agent and connect it to CloudLink by using the Linux Installer script when newly deploying CloudLink 7.1.3, do
the following:

Steps
1. Download a third-party signed certificate for CloudLink agent.
2. Ensure that both the extracted files are saved in the /tmp directory on the agent.
NOTE: Unlike for Windows agents, you must save the third-party signed certificate for Linux agents only in the /tmp
directory.

3. Complete the tasks listed in the "Download CloudLink Agent installer script for Standard mode on Linux CLI" section of the
Dell EMC CloudLink Deployment Guide available on the support site.

Assign third-party signed certificate to a Linux agent when upgrading CloudLink from 7.x.x
If a Linux agent was installed by using a self-signed certificate, you can replace that certificate with a third-party signed one so
that the agent authenticates to CloudLink with a CA-signed certificate. To replace the certificate, do the following:

Steps
1. Upgrade CloudLink Center from 7.x.x version to 7.1.3. See the latest version of Dell CloudLink Center Upgrade Guide
available on the support site.
2. Download a third-party signed certificate for CloudLink agent.
3. Run the following command at the Command Line Interface (CLI): svm -C <directory where the securevm.cer
& securevm.key are saved>. For example, svm -C /home/my_folder.
The following message is displayed: Configuring third party certificate. The agent is now configured with the third-party
certificate and key.
4. Restart the Agent service on the agent VM by running the following command: service svmd restart.
5. Re-register the agent to CloudLink by running the command: svm -S <CloudLink IP address>.



The agent is connected to CloudLink. The state of agent will be either Pending or Connected based on the Approved
Network key release policy you have set up.

Assign third-party signed certificate to a CloudLink Center Windows agent
You can assign a third-party signed certificate to Windows agents in two scenarios:
● New deployment of CloudLink 7.1.3. See Assign third-party signed certificate during new installation of CloudLink 7.1.3 on
Windows agent.
● Upgrade of CloudLink from earlier versions. See Assign third-party signed certificate to Windows agents when upgrading
CloudLink from earlier versions.

Assign third-party signed certificate during new installation of CloudLink 7.1.3 on Windows agent
To download a third-party signed certificate and assign it to a Windows agent associated with a newly deployed CloudLink 7.1.3,
do the following:

Steps
1. Download a third-party signed certificate for CloudLink agent.
2. Install and connect Windows agent to CloudLink by using Windows Installer package or Install and connect Windows agent to
CloudLink by using Windows Installer script.
3. Enable CloudLink to authenticate an agent assigned with a third-party signed certificate.

Install and connect Windows agent to CloudLink by using Windows Installer package
To install a Windows agent and connect it to CloudLink by using the Windows Installer package when newly deploying CloudLink
7.1.3, do the following:

Steps
1. On the CloudLink GUI, in the left pane, click AGENTS > Agent Download.
2. In the working pane, select the check box corresponding to 64-bit Installer Package.
3. Click Download Selected.
The securevm-windows-x64.msi file is downloaded.
4. Run the following command at the Command Line Interface (CLI): msiexec /i securevm-windows-x64.msi
CLOUDLINKCENTER=CLC_IP CERTPATH=<folder where the securevm.cer & securevm.key are saved>.
The agent is installed and connected to CloudLink by using the third-party signed certificate. After a successful
connection, the state of the agent is either Pending or Connected, depending on the Approved Network key release policy you
have set up.
5. If you want the agent machine to operate by using the third-party signed certificate mode, Enable CloudLink to authenticate
an agent assigned with a third-party signed certificate.
6. After the agent is installed, delete the certificate and key files from the folder. Do this every time you install an agent by
using a third-party signed certificate, because securevm.key is the agent's private key.



Install and connect Windows agent to CloudLink by using Windows Installer
script
To install a Windows agent and connect it to CloudLink by using the Windows Installer script when newly deploying CloudLink
7.1.3, do the following:

Steps
1. On the CloudLink GUI, in the left pane, click AGENTS > Agent Download.
2. In the working pane, select the check box corresponding to Windows Installer Script.
3. Click Download Selected.
The Windows clagent.bat agent file is downloaded.
NOTE: You can download an agent file by using the PowerShell interface also.
4. Run the following command at the Command Line Interface (CLI): clagent.bat /S <CLC IP> /P <folder where
the securevm.cer & securevm.key are saved>.
The agent is installed and successfully connected to CloudLink by using the CA-signed certificate. After successful
connection, the state of agent will be either Pending or Connected based on the Approved Network key release policy you
have set up.
5. If you want the agent machine to operate by using the CA-signed certificate mode, Enable CloudLink to authenticate an
agent assigned with a third-party signed certificate.
6. After the agent is installed, delete the certificate and key files from the folder. Do this every time you install an agent by
using a third-party signed certificate, because securevm.key is the agent's private key.

Assign third-party signed certificate to Windows agents when upgrading CloudLink from earlier versions
If a Windows agent is already installed by using a self-signed certificate, you can replace that certificate with a third-party
signed one so that the agent authenticates to CloudLink with a CA-signed certificate. With the Windows agent machine
connected to CloudLink, do the following:

Steps
1. Run the following command at the PowerShell interface: Svm CERTPATH=<folder where the securevm.cer &
securevm.key are saved>. For example, svm certpath c:\my_folder.
The following message is displayed: Successfully assigned the agent certificate. The agent is now configured with the
CA-signed certificate and uses it to connect to CloudLink after the service restarts.
2. Restart the Agent service either by using Windows Service Control Manager or by running the following command at the
PowerShell interface: Restart-Service SecureVMSvc.
After restarting, the machine status is displayed as Connected on the Machines page of CloudLink.
3. After the certificate is assigned, delete the certificate and key files from the folder. Do this every time you assign a
third-party signed certificate to an agent, because securevm.key is the agent's private key.



10
Manage Key Management Interoperability
Protocol (KMIP) servers in CloudLink Center
A KMIP server is used to store public and private keys for encrypted machines.

NOTE: The KMIP Server menu is only available in the CloudLink Center Contents panel after a KMIP license is uploaded.

CloudLink Center supports the Key Management Interoperability Protocol (KMIP) to enable applications supporting that
protocol to securely store keys and certificates.
The applications, or KMIP clients, are each given access to a single KMIP partition. A KMIP partition is a container for the keys
and certificates that its clients create. Multiple clients can be assigned to the same partition. All objects within a partition are
encrypted with a key that is saved in the keystore of that partition, and the encrypted objects are stored in the CloudLink Center
database.
NOTE: Adding KMIP clients and generating new certificates for KMIP clients functions are unavailable in Microsoft Edge
and Internet Explorer. Use Mozilla Firefox or Google Chrome if you must add or modify KMIP clients or generate a new
certificate.

KMIP Client High Availability (HA)


KMIP Client HA keeps KMIP clients working if one of the KMIP servers becomes unavailable, whether unexpectedly because of
a connection issue or during a period of planned maintenance.
CloudLink KMIP Client HA supports a cluster of up to four KMIP servers.
The same KMIP certificates, keys, and credentials must be used to access all the KMIP servers in the cluster.
Topics:
• Change KMIP server certificates
• Change Subject Alternative Names
• Download KMIP server certificate
• Generate CSR for KMIP servers
• Upload KMIP server CA-signed certificate
• Change KMIP CSR server certificate lifetime
• Manage KMIP partitions
• Manage KMIP clients

Change KMIP server certificates


Use this procedure to change the KMIP server certificate if required. Change KMIP certificates if the hostnames in the
certificate are no longer valid.

Steps
1. Log in to CloudLink Center.
2. Click KMIP Server > Information.
3. Click Actions > Change Server Certificate.
4. In the Confirm Certificate Change dialog box, when prompted to confirm the request, click Change.

74 Manage Key Management Interoperability Protocol (KMIP) servers in CloudLink Center


Change Subject Alternative Names
Use this procedure to change the additional host names used for the KMIP server certificate.

Steps
1. Log in to CloudLink Center.
2. Click KMIP Server > Information.
3. Click Actions > Change Subject Alternative Names.
The Change Subject Alternative Names dialog box is displayed.
4. In the Subject Alternative Names box, enter the subject alternative names, and then click Change Server Certificate.

Download KMIP server certificate


Use this procedure to download the current KMIP server certificate.

Steps
1. Log in to CloudLink Center.
2. Click KMIP Server > Information.
3. Click Actions > Download Server Certificate.
The KMIP certificate is downloaded to your Downloads folder.

Generate CSR for KMIP servers


Use this procedure to generate a certificate signing request (CSR). An external certificate authority (CA) must sign this CSR; the
resulting certificate is then used by CloudLink Center as an intermediate CA to sign KMIP client certificates.

Steps
1. Log in to CloudLink Center.
2. Click KMIP Server > Information.
3. Click Actions > Generate CA CSR.
4. In the Generate Certificate Signing Request dialog box, enter the common name, organization name, organization unit,
city or locality, state or province, and select the country, and then click Generate.

Next steps
Submit the generated CSR file to a CA that will issue and sign your certificate.

Upload KMIP server CA-signed certificate


When you upload a KMIP server CA-signed certificate and, optionally, its private key, the web server restarts and your session
ends. After uploading the CA-signed certificate, verify its subject, end date, and fingerprint. Any KMIP client certificates that are
generated afterwards are signed with this CA-signed certificate.

Steps
1. Log in to CloudLink Center.
2. Click KMIP Server > Information > Actions > Upload CA Signed PEM.
The Upload KMIP CA certificate dialog box is displayed.
3. From the CSR Generated By list, select one of the following values:
● If you select Third Party PEM, then perform the following:

a. In the Certificate box, click to select the KMIP CA certificate.

b. In the Key box, click to select the key for the KMIP CA certificate.

● If you select CloudLink, then in the Certificate box, click to select the KMIP CA certificate.
● If you select Third Party PKCS12, then perform the following:

a. In the Certificate box, click to select the KMIP CA certificate.


b. In the Password box, enter a password for the KMIP CA certificate.
After your CA signs the CSR, CloudLink Center uses the resulting certificate as an intermediate CA to sign KMIP client
certificates. The signed certificate that you upload must include the following parameters, which are required for signing
end-entity certificates:
● Key Usage: Certificate Signing
● Basic Constraints: Subject Type=CA, Path Length Constraint=0
4. Click Upload.

Change KMIP CSR server certificate lifetime


Use this procedure to change the maximum lifetime for KMIP server certificates.

Steps
1. Log in to CloudLink Center.
2. Click KMIP Server > Information.
3. Click Change Lifetime.
The Change Certificate Lifetime dialog box is displayed.
4. In the Years box, enter the KMIP CSR certificate lifetime in years, and then click Apply.

Manage KMIP partitions


This topic provides information about managing KMIP partitions.

View KMIP partitions


Use this procedure to view KMIP partitions.

Steps
1. Log in to CloudLink Center.
2. Click KMIP Server > Partitions.
The KMIP partitions are displayed.

Add a KMIP partition


Use this procedure to add a KMIP partition to store keys and certificates separately from other KMIP clients. After adding a
KMIP partition, you must add a KMIP client.

Steps
1. Log in to CloudLink Center.
2. Click KMIP Server > Partitions > Add.
3. In the Add New Partition dialog box, enter the partition name, description, keystore, key caching, and the user role
managing this KMIP partition information.
4. Click Add.

Modify a KMIP partition
Use this procedure to modify a KMIP partition.

Steps
1. Log in to CloudLink Center.
2. Click KMIP Server > Partitions.
3. Select the check box next to the KMIP partition you want to modify.
4. Click Actions > Modify.
5. In the Modify Partition dialog box, modify the required values.
6. Click Modify.

View KMIP partition objects


Use this procedure to view the KMIP partition objects.

Steps
1. Log in to CloudLink Center.
2. Click KMIP Server > Partitions.
3. Select the check box next to the KMIP partition whose objects you want to view.
4. Click Actions > Show Objects.

Shred a KMIP partition


Use this procedure to shred a KMIP partition. You can shred a KMIP partition only if it is not assigned to a KMIP client.

Steps
1. Log in to CloudLink Center.
2. Click KMIP Server > Partitions.
3. Select the check box next to the KMIP partition you want to shred.
4. Click Actions > Shred.
5. In the Confirm Partition Shred dialog box, enter the name of the KMIP partition to confirm it.
6. Click Delete.

Rotate encryption keys on a KMIP partition


Use this procedure to rotate encryption keys to another keystore. Key rotation replaces all the encryption keys in a KMIP
partition with new ones.

Steps
1. Log in to CloudLink Center.
2. Click KMIP Server > Partitions.
3. Select the check box next to the KMIP partition whose encryption keys you want to rotate.
4. Click Actions > Rotate Key.
5. In the Rotate Key dialog box, select the keystore, and then click Rotate.

Stop key rotation of a KMIP partition
Use this procedure to stop encryption key rotation to another keystore if required.

Steps
1. Log in to CloudLink Center.
2. Click KMIP Server > Partitions.
3. Select the check box next to the KMIP partition whose key rotation you want to stop.
4. Click Actions > Stop Key Rotation.
5. In the Confirm Stop Key Rotation dialog box, enter the name of the KMIP partition to confirm it, and then click Stop Key
Rotation.

View the event history of a KMIP partition


Use this procedure to view the event history of a KMIP partition.

Steps
1. Log in to CloudLink Center.
2. Click KMIP Server > Partitions.
3. Select the check box next to the KMIP partition whose event history you want to view.
4. Click Actions > Show Event History.

Manage KMIP clients


This topic provides information about managing KMIP clients.

Add a KMIP client


Use this procedure to add a KMIP client. Adding a KMIP client also generates a certificate for the KMIP client.

About this task


The KMIP client is used to connect to the key management server and authenticate the connection. The Add KMIP client
feature is unavailable in Microsoft Edge and Internet Explorer. Use Mozilla Firefox or Google Chrome to add a KMIP client.
CloudLink supports two KMIP credential types:
● Username and password
● Device
Device credentials can be used to uniquely identify back-end devices.
NOTE: For device credentials, the combination of serial number, device ID, network ID, machine ID, and media ID must be
unique.

Steps
1. Log in to CloudLink Center.
2. Click KMIP Server > Clients > Add.
3. In the Add New Client dialog box, enter the following information:
● If you select Username and Password from the Credential Type list, enter the following information:
○ Username—Username for client authentication from the KMIP client
○ Partition—The KMIP partition to which the client has access.
○ Password—Password for client authentication from the KMIP client
○ Confirm Password—Password confirmation
○ Certificate Format—Select a PEM certificate, a password-protected PKCS12 (RC2) certificate, or a PKCS12 (3DES)
certificate. PKCS12 (RC2) is the legacy format for older clients; prefer PEM or PKCS12 (3DES) unless the client requires RC2.
○ Notes—Enter the name of the application using the KMIP client.
● If you select Device from the Credential Type list, enter the following information:
○ Serial Number—A serial number, such as the hardware serial number of a device
○ (Optional) Partition—The KMIP partition to which the client has access.
○ (Optional) Password—An optional password or shared secret that is used to authenticate the device.
○ Confirm Password—Password confirmation
○ Device ID—A generic device identifier
○ Network ID—A network identifier, such as the MAC address of a connected device
○ Machine ID—A machine identifier, such as a client aggregator identifier
○ Media ID—A media identifier, such as a storage volume identifier
○ Certificate Format—Select a PEM certificate, or a password-protected PKCS12 (RC2) or PKCS12 (3DES) certificate
○ PKCS12 Password—Password for the PKCS12 (RC2) or PKCS12 (3DES) certificate
○ Confirm PKCS12 Password—Confirm the password for the PKCS12 (RC2) or PKCS12 (3DES) certificate.
○ Notes—Enter the name of the application using the KMIP client.

Change the KMIP client password in CloudLink Center


Use this procedure to change the password of a KMIP client.

Steps
1. Log in to CloudLink Center.
2. Click KMIP Server > Clients.
3. Select the checkbox next to the KMIP client whose password you want to change.
4. Click Actions > Change Password.
5. In the Change Client's Password dialog box, type the password and retype to confirm it, and then click Change.

Change KMIP client notes in CloudLink Center


Use this procedure to change the notes of a KMIP client.

Steps
1. Log in to CloudLink Center.
2. Click KMIP Server > Clients.
3. Select the checkbox next to the KMIP client whose notes you want to change.
4. Click Actions > Change Notes.
5. In the Change Client's Notes dialog box, enter the notes, and then click Change.

Generate a new certificate for KMIP clients


Use this procedure to generate a new certificate for KMIP clients.

About this task


KMIP clients work only with the new certificate that is generated. The old certificate does not work once a new certificate is
generated.

Steps
1. Log in to CloudLink Center.
2. Click KMIP Server > Clients.
3. Select the check box next to the KMIP client to generate a new certificate.
4. Click Actions > Generate New Certificate.

5. In the Confirm New Certificate Generation dialog box, when prompted to confirm the request, click Change.

Delete a KMIP client


Use this procedure to delete a KMIP client.

Steps
1. Log in to CloudLink Center.
2. Click KMIP Server > Clients.
3. Select the check box next to the KMIP client you want to delete.
4. Click Actions > Delete.
5. In the Confirm KMIP Client Deletion dialog box, when prompted to confirm the delete request, click Delete.

View the event history of a KMIP client


Use this procedure to view the event history of a KMIP client.

Steps
1. Log in to CloudLink Center.
2. Click KMIP Server > Clients.
3. Select the check box next to the KMIP client whose event history you want to view.
4. Click Actions > Show Event History.

11
Manage CloudLink Encryption for Containers
CloudLink encryption for containers enables you to encrypt shared volumes in a Kubernetes cluster. One CloudLink Center
instance can support multiple Kubernetes clusters. Each Kubernetes cluster node can run multiple Encryption for Containers
agents, one for each storage driver in use on that node.
Using the CloudLink Center web interface, you can add Kubernetes clusters on which you can deploy containerized applications.
CloudLink supports the following:
● Kubernetes version 1.20 and 1.21 (For CloudLink Center 7.1.3 and later versions)
● Kubernetes version 1.18 to 1.19 (For CloudLink Center 7.1)
● Kubernetes version 1.14 to 1.17 (For CloudLink Center 7.0)
● Tanzu Kubernetes version 1.1 or later
● OpenShift Cluster version 4.3 or later
● Storage types that support Container Storage Interface (CSI):
○ Generic NFS (Supports File Systems)
○ PowerScale 1.5.0 (Supports File Systems). The CSI specification versions supported by CloudLink when deployed on
PowerScale: CloudLink 7.1–7.1.2 (CSI v1.2.0) and CloudLink 7.1.3 (CSI v1.5.0)
○ PowerFlex (Supports File Systems and Raw Block Volume provisioning). The CSI specification versions supported by
CloudLink when deployed on PowerFlex: CloudLink 7.0 (CSI v1.1.3), CloudLink 7.1–7.1.2 (CSI v1.3.0), and CloudLink 7.1.3
(CSI v1.5.0).
○ PowerStore (Supports File Systems). The CSI specification versions supported by CloudLink when deployed on
PowerStore: CloudLink 7.1.3 (CSI v2.0).
● FIPS validated dm-crypt crypto module for container block volume encryption
Topics:
• Change Kubernetes server certificate lifetime
• Change Kubernetes server certificate
• Download Kubernetes server certificate
• Generate a CSR for Kubernetes
• Upload Kubernetes server CA-signed certificate
• Download the Kubernetes Helm package
• Download the Kubernetes node plugin and dockerfile
• Add a Kubernetes cluster
• Modify a Kubernetes cluster
• Generate a new Kubernetes cluster certificate
• Delete a Kubernetes cluster
• View the event history of a Kubernetes cluster
• View Kubernetes nodes
• View Kubernetes volumes from Kubernetes clusters or Kubernetes nodes
• Accept Kubernetes volumes
• Supported volume access modes for updating keys for Kubernetes volumes
• Generate an update key for Kubernetes volumes from Kubernetes clusters or Kubernetes nodes

Change Kubernetes server certificate lifetime


Use this procedure to change the maximum lifetime for Kubernetes server certificates.

Steps
1. Log in to CloudLink Center.
2. Click Containers > Information.

Manage CloudLink Encryption for Containers 81


3. Click Change Lifetime.
The Change Certificate Lifetime dialog box is displayed.
4. In the Years box, enter the required number of years, and then click Apply.

Change Kubernetes server certificate


Use this procedure to change the Kubernetes server certificate if required. Change Kubernetes certificates if the hostnames in
the certificate are no longer valid.

Steps
1. Log in to CloudLink Center.
2. Click Containers > Information.
3. Click Actions > Change Server Certificate.
4. In the Confirm Certificate Change dialog box, when prompted to confirm the request, click Change.

Download Kubernetes server certificate


Use this procedure to download the current Kubernetes server certificate.

Steps
1. Log in to CloudLink Center.
2. Click Containers > Information.
3. Click Actions > Download Server Certificate.
The Kubernetes server certificate is downloaded to your Downloads folder.

Generate a CSR for Kubernetes


Use this procedure to generate a certificate signing request (CSR). CloudLink Center generates a private key and signs the
request with it. A certificate authority (CA) then issues the certificate, and you upload the final certificate to CloudLink
Center.

Steps
1. Log in to CloudLink Center.
2. Click Containers > Information.
3. Click Actions > Generate CA CSR.
4. In the Generate Certificate Signing Request dialog box, enter the name, organization, organization unit, city or locality,
state or province, and select the country, and then click Generate.

Upload Kubernetes server CA-signed certificate


Use this procedure to upload a new CA-signed certificate and an optional private key. During the upload, the web server restarts
and your connection is terminated. After uploading a certificate signed for CloudLink Center, verify the subject, end date, and
fingerprint to ensure that it is the correct certificate.

Steps
1. Log in to CloudLink Center.
2. Click Containers > Information.
3. Click Actions > Upload CA Signed PEM.
The Upload Kubernetes CA Certificate dialog box is displayed.

4. In the Certificate box, click to select the certificate, and then click Upload.
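This procedure and Upload KMIP server CA-signed certificate both ask you to verify the subject, end date, and fingerprint after the upload, and the KMIP procedure requires the certificate to carry Key Usage: Certificate Signing and Basic Constraints with Subject Type=CA and Path Length Constraint=0. The following Python script is an added example, not part of this guide or of CloudLink, that performs those checks on the PEM file before you upload it. It uses only the standard library; the function names, the fit_for_cloudlink_upload verdict, and the constructed sample certificate (zero public key, dummy signature) are this example's own, and it does not verify the signature or the chain, for which openssl verify remains the right tool.

```python
"""Pre-upload check for the CA-signed certificate CloudLink Center will use as the
issuing CA for KMIP client (or Kubernetes cluster) certificates. Standard library
only: a minimal DER walker reads subject CN, notAfter, keyUsage and basicConstraints
and computes the SHA-256 fingerprint. Signature/chain validation is out of scope."""
import base64
import hashlib
import re

OID_CN = bytes.fromhex("550403")                 # 2.5.4.3  commonName
OID_KEY_USAGE = bytes.fromhex("551d0f")          # 2.5.29.15
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19
KEY_CERT_SIGN = 0x04                             # keyUsage bit 5 in the first bit-string byte


def der_tlv(data, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, child, pos = der_tlv(value, pos)
        yield tag, child


def _time_to_iso(tag, value):
    s = value.decode("ascii")
    if tag == 0x17:                              # UTCTime: RFC 5280 century rule
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return f"{s[:4]}-{s[4:6]}-{s[6:8]}T{s[8:10]}:{s[10:12]}:{s[12:14]}Z"


def check_issuing_ca(pem):
    """Return the fields to compare with CloudLink Center plus a fit/unfit verdict."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    der = base64.b64decode("".join(body.group(1).split()))
    result = {"subject_cn": None, "not_after": None, "ca": False, "path_len": None,
              "key_cert_sign": False,
              "sha256_fingerprint": ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())}
    fields = list(der_children(next(der_children(der_tlv(der)[1]))[1]))  # TBSCertificate
    if fields[0][0] == 0xA0:                     # drop the explicit [0] version
        fields = fields[1:]
    # Order now: serial, signature alg, issuer, validity, subject, spki, optional [1..3]
    result["not_after"] = _time_to_iso(*list(der_children(fields[3][1]))[1])
    for _, rdn in der_children(fields[4][1]):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = list(der_children(atv))
            if oid == OID_CN:
                result["subject_cn"] = val.decode("utf-8")
    for tag, value in fields[6:]:
        if tag != 0xA3:                          # [3] EXPLICIT Extensions
            continue
        for _, ext in der_children(der_tlv(value)[1]):
            parts = list(der_children(ext))      # OID, optional critical BOOLEAN, OCTET STRING
            oid, inner = parts[0][1], der_tlv(parts[-1][1])[1]
            if oid == OID_KEY_USAGE:             # BIT STRING: unused-bits count, then bits
                result["key_cert_sign"] = len(inner) > 1 and bool(inner[1] & KEY_CERT_SIGN)
            elif oid == OID_BASIC_CONSTRAINTS:   # SEQUENCE { cA BOOLEAN, pathLenConstraint INTEGER }
                for t, v in der_children(inner):
                    if t == 0x01:
                        result["ca"] = v != b"\x00"
                    elif t == 0x02:
                        result["path_len"] = int.from_bytes(v, "big")
    result["fit_for_cloudlink_upload"] = bool(
        result["ca"] and result["path_len"] == 0 and result["key_cert_sign"])
    return result


def _tlv(tag, content):
    """Minimal DER encoder, used only to fabricate the sample certificate below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_cert(ca=True, path_len=0, key_usage_bits=0x06):
    """Constructed test certificate: zero public key, dummy signature, never trust it."""
    null = _tlv(0x05, b"")
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + null)
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, OID_CN) + _tlv(0x0C, b"CloudLink KMIP CA"))))
    validity = _tlv(0x30, _tlv(0x17, b"220301000000Z") + _tlv(0x17, b"270301000000Z"))
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + null)
                + _tlv(0x03, b"\x00" * 33))
    bc = (_tlv(0x01, b"\xff") if ca else b"") + (
        _tlv(0x02, bytes([path_len])) if path_len is not None else b"")
    unused = (key_usage_bits & -key_usage_bits).bit_length() - 1 if key_usage_bits else 0
    exts = _tlv(0xA3, _tlv(0x30,
        _tlv(0x30, _tlv(0x06, OID_BASIC_CONSTRAINTS) + _tlv(0x01, b"\xff") + _tlv(0x04, _tlv(0x30, bc)))
        + _tlv(0x30, _tlv(0x06, OID_KEY_USAGE) + _tlv(0x01, b"\xff")
               + _tlv(0x04, _tlv(0x03, bytes([unused, key_usage_bits]))))))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sha256_rsa
               + name + validity + name + spki + exts)
    b64 = base64.b64encode(_tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00" * 9))).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END CERTIFICATE-----\n")
```

Run check_issuing_ca() on the PEM your CA returned and compare subject_cn, not_after, and sha256_fingerprint with what CloudLink Center displays after the upload. A False fit_for_cloudlink_upload verdict means the CA issued a leaf certificate, omitted the path length constraint, or left out keyCertSign; such a certificate cannot sign the client certificates CloudLink Center generates and should not be uploaded.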

Download the Kubernetes Helm package
Use this procedure to download the Kubernetes Helm package.

Steps
1. Log in to CloudLink Center.
2. Click Containers > Kubernetes Download.
3. Select the check box next to the CloudLink Kubernetes Helm package, and then click Download Selected.
The Kubernetes Helm package is downloaded to your Downloads folder.

Download the Kubernetes node plugin and dockerfile


Use this procedure to download the Kubernetes node plugin and dockerfile.

Steps
1. Log in to CloudLink Center.
2. Click Containers > Kubernetes Download.
3. Select the check box next to the CloudLink Kubernetes Node Plugin and Dockerfile, and then click Download Selected.
The Kubernetes node plugin and dockerfile is downloaded to your Downloads folder.

Add a Kubernetes cluster


Use this procedure to add a Kubernetes cluster.

Steps
1. Log in to CloudLink Center.
2. Click Containers > Kubernetes Clusters > Add
3. In the Add New Cluster dialog box, enter a cluster name, description, and select a keystore, key release policy mode, and
the managed by role that administers the Kubernetes cluster.
4. Click Add.

Modify a Kubernetes cluster


Use this procedure to modify a Kubernetes cluster.

Steps
1. Log in to CloudLink Center.
2. Click Containers > Kubernetes Clusters.
3. Select the check box next to the Kubernetes cluster you want to modify.
4. Click Actions > Modify.
5. In the Modify Cluster dialog box, enter the description and select a keystore, key release policy mode, and managed by
role, and then click Modify.

Generate a new Kubernetes cluster certificate


Use this procedure to change the existing Kubernetes cluster certificate by generating a new certificate.

Steps
1. Log in to CloudLink Center.

2. Click Containers > Kubernetes Clusters.
3. Select the check box next to the Kubernetes cluster whose certificate you want to change.
4. Click Actions > Generate New Certificate.
5. In the Confirm Kubernetes Cluster Certificate Change dialog box, when prompted to confirm the request, click
Generate.

Delete a Kubernetes cluster


Use this procedure to delete a Kubernetes cluster.

Steps
1. Log in to CloudLink Center.
2. Click Containers > Kubernetes Clusters
3. Select the check box next to the Kubernetes cluster you want to delete.
4. Click Actions > Delete.
5. In the Confirm Cluster Deletion dialog box, when prompted to confirm the cluster delete request, click Delete.

View the event history of a Kubernetes cluster


Use this procedure to view the event history of a Kubernetes cluster.

Steps
1. Log in to CloudLink Center.
2. Click Containers > Kubernetes Clusters.
3. Select the check box next to the Kubernetes cluster whose event history you want to view.
4. Click Actions > Show Event History.

View Kubernetes nodes


Use this procedure to view the Kubernetes nodes.

Steps
1. Log in to CloudLink Center.
2. Click Containers > Kubernetes Nodes.

View Kubernetes volumes from Kubernetes clusters or Kubernetes nodes
Use this procedure to view the Kubernetes volumes.

Steps
1. Log in to CloudLink Center.
You can view the Kubernetes volumes either from Kubernetes Clusters or from Kubernetes Nodes.
2. To view the Kubernetes volumes from Kubernetes Clusters:
a. Click Containers > Kubernetes Clusters.
b. Select the check box next to the Kubernetes cluster whose volumes you want to view.
c. Click Actions > Show Volumes.
The Kubernetes volumes are displayed.

3. To view the Kubernetes volumes from Kubernetes Nodes:
a. Click Containers > Kubernetes Nodes.
b. Select the check box next to the Kubernetes node whose volumes you want to view, and then click Show Volumes.
The Kubernetes volumes are displayed.

Accept Kubernetes volumes


Use this procedure to accept a pending Kubernetes volume.

Prerequisites
You can accept a Kubernetes volume only if the volume is in the pending state.

Steps
1. Log in to CloudLink Center.
2. Click Containers > Kubernetes Nodes.
3. Select the check box next to the Kubernetes node whose volume you want to accept, and then click Show Volumes.
The pending volumes are displayed.
4. Select the check box next to the Kubernetes volume you want to accept, and then click Accept.
5. In the Confirm Accept Volume dialog box, when prompted to confirm the request, click Accept.

Supported volume access modes for updating keys for Kubernetes volumes
This topic lists the persistent volume (PV) and persistent volume claim (PVC) access modes for which the Update Key operation is
supported.
CloudLink Center supports three access modes for PVs or PVCs:
● ReadOnlyMany—the volume can be mounted as read-only by multiple nodes.
● ReadWriteOnce—the volume can be mounted as read/write by a single node.
● ReadWriteMany—the volume can be mounted as read/write by multiple nodes.

Supported volume access modes for updating the key of Kubernetes volumes

Access mode      Update key (PowerFlex CSI v1.1.5)   Update key (NFS CSI v2.0)
ReadOnlyMany     not supported                       not supported
ReadWriteOnce    supported                           supported
ReadWriteMany    not supported                       supported

Generate an update key for Kubernetes volumes from Kubernetes clusters or Kubernetes nodes
Update Key generates a new key encryption key for the selected Kubernetes volumes. The following procedure explains how to
update the key encryption key for Kubernetes volumes.

Steps
1. Log in to CloudLink Center.

You can update the key encryption key for the Kubernetes volumes either from Kubernetes Clusters or from Kubernetes
Nodes.
2. To generate an update key for the Kubernetes volumes from Kubernetes Clusters:
a. Click Containers > Kubernetes Clusters.
b. Select the checkbox next to the Kubernetes clusters for which you want to update the key.
c. Click Actions > Show Volumes.
d. Select the checkbox next to the Kubernetes volumes for which you want to update the key.
e. Click Update Key.
f. In the Confirm Update Key for Volume dialog box, when prompted to confirm the request, click Update Key.
3. To generate an update key for the Kubernetes volumes from Kubernetes Nodes:
a. Click Containers > Kubernetes Nodes.
b. Select the check box next to the Kubernetes node for which you want to update the key, and then click Show Volumes.
c. Select the check box next to the Kubernetes volumes for which you want to update the key, and then click Update Key.
d. In the Confirm Update Key for Volume dialog box, when prompted to confirm the request, click Update Key.

12
Manage CloudLink Center user roles
This chapter provides information about CloudLink Center built-in roles, custom roles, and managing these roles.
A role determines the permissions in CloudLink Center of users who are assigned that role. For example, you may assign one
or more users the Admin role, which lets them perform many administrative functions in CloudLink Center. However, this role
does not permit its users to perform functions that require the higher level of security available in the SecAdmin role, such as
keystore configuration.
Topics:
• Built-in CloudLink Center user roles
• Implicit user role permissions for using CloudLink Center
• Manage custom roles
• View CloudLink Center user roles
• Add CloudLink Center user role
• Modify CloudLink Center user roles
• Change managing roles
• Delete CloudLink Center custom user roles

Built-in CloudLink Center user roles


This topic provides information on built-in roles in CloudLink Center.
CloudLink Center provides three built-in roles: SecAdmin, Admin, and Observer. You can define additional roles to customize the
permissions allowed for users assigned to that role, as required.

The SecAdmin role has permission to view and manage all objects (such as a role, user, keystore, or machine group). For
example, a user assigned the SecAdmin role can see all machine groups, regardless of the managing role assigned to individual
machine groups.
CloudLink Center provides a built-in user account that is assigned the SecAdmin role. For more information, see Secadmin user
(built-in) role. CloudLink Center does not provide built-in user accounts for Admin or Observer roles. If built-in roles do not meet
your requirements, you can create custom roles. For more information, see Add CloudLink Center user roles.

Manage CloudLink Center user roles 87


Implicit user role permissions for using CloudLink Center
This topic provides information about the implicit user role permissions for using CloudLink Center.
For a given object (such as a role, user, keystore, or machine group), a role with permissions that allow changes to that object
automatically includes any view permissions. For example, if a role includes the Add User or Delete User permission, the role
automatically includes the View Users permission, even if it is not explicitly assigned.

Manage custom roles


This topic provides information about managing custom roles in CloudLink Center.
Every custom role has a role that administers it (referred to as the managing role). Only users belonging to a managing role for a
role can administer it and administer users belonging to that role.
For example, to delete a role named TestRole, you must be a user assigned to a role that is identified as a managing role
for TestRole and that managing role must contain the Delete Role permission. To add a user in TestRole, you must be a
user assigned to a role that is identified as a managing role for TestRole and that managing role must contain the Add User
permission.
You can assign one or more managing roles to a role. For example, an IT – East Coast role might be managed by both the IT –
North America role and the IT – US role.
You assign managing roles when creating a custom role. For more information, see Add CloudLink Center user role. Managing
roles for a custom role can be changed by users belonging to one of those managing roles. For more information, see Change
managing roles. For information about permissions available for custom roles, see Role-Based Access Control for CloudLink.

NOTE: This guide assumes that you belong to the appropriate managing roles to perform tasks.

Role administration example


This topic provides information about a role administration example.
To understand custom role management, let us look at the following examples. For these examples, a user who is named John
has three roles:
● Role Creator with only the Add Role permission
● East Coast User Management with the Add User and Change User Password permissions
● Role Deleter with Delete Role permission
To create a new role, a user must have the Add Role permission. They can acquire this permission from any role they belong to.
For example, if John belongs to three roles and any of those roles contains Add Role, he is allowed to create a new role and set
any role as the managing role. John has the Add Role permission from his membership in Role Creator.
To delete a role, the user must have the Delete Role permission and that permission must come from one of the role's managing
roles. For example, if John wants to delete TestRole, then Role Deleter must be one of the managing roles. If only East Coast
User Management was one of the managing roles, John could manage users in TestRole but could not delete it.
To change the password of a user, the user must have the Change User Password permission for all the roles that a user
belongs to. For example, to change John's password, another user requires the Change User Password permission using a
managing role for Role Creator, East Coast User Management, and Role Deleter.
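The rules in Implicit user role permissions for using CloudLink Center, Manage custom roles, and the John example above are easiest to check against a small model. The following Python code is an added example, not CloudLink code, that encodes those rules and replays the John scenario. The roles Security Office, IT Helpdesk and EastRole, the users alice and bob, and the View Roles permission are this example's own assumptions; SecAdmin is modelled as managing every object, as stated in Built-in CloudLink Center user roles.

```python
"""Model of the CloudLink Center role-administration rules described in this chapter."""
from dataclasses import dataclass, field

# Implicit permissions: a permission that changes an object type carries the
# matching view permission, even when View is not assigned explicitly.
# ("View Roles" is assumed here; the guide names only "View Users".)
IMPLIED_VIEW = {
    "Add User": "View Users", "Delete User": "View Users", "Change User Password": "View Users",
    "Add Role": "View Roles", "Delete Role": "View Roles",
}


@dataclass
class Role:
    permissions: set
    managed_by: set = field(default_factory=set)   # names of the roles that administer this role


@dataclass
class Directory:
    roles: dict    # role name -> Role
    users: dict    # username  -> set of role names

    def effective_permissions(self, username):
        """Union of all assigned roles' permissions, plus the implied view permissions."""
        perms = set().union(*(self.roles[r].permissions for r in self.users[username]))
        return perms | {IMPLIED_VIEW[p] for p in perms if p in IMPLIED_VIEW}

    def _via_managing_role(self, actor, permission, target_role):
        """True if permission reaches the actor through a managing role of target_role.
        SecAdmin is modelled as managing every object, as the guide states."""
        if "SecAdmin" in self.users[actor]:
            return True
        return any(permission in self.roles[r].permissions
                   for r in self.users[actor] & self.roles[target_role].managed_by)

    def can_create_role(self, actor):
        # Add Role may come from any role the actor belongs to.
        return "Add Role" in self.effective_permissions(actor)

    def can_delete_role(self, actor, target_role):
        return self._via_managing_role(actor, "Delete Role", target_role)

    def can_add_user_to_role(self, actor, target_role):
        return self._via_managing_role(actor, "Add User", target_role)

    def can_change_password(self, actor, target_user):
        # Required through a managing role of every role the target user belongs to.
        return all(self._via_managing_role(actor, "Change User Password", r)
                   for r in self.users[target_user])


def build_example():
    """The guide's John scenario, extended with two would-be password changers."""
    roles = {
        "SecAdmin": Role({"Add Role", "Delete Role", "Add User", "Delete User",
                          "Change User Password"}),
        "Role Creator": Role({"Add Role"}, {"Security Office"}),
        "East Coast User Management": Role({"Add User", "Change User Password"},
                                           {"Security Office", "IT Helpdesk"}),
        "Role Deleter": Role({"Delete Role"}, {"Security Office", "IT Helpdesk"}),
        # Assumed roles that manage John's roles (not from the guide).
        "Security Office": Role({"Change User Password", "Delete Role"}, {"SecAdmin"}),
        "IT Helpdesk": Role({"Change User Password"}, {"SecAdmin"}),
        # TestRole is managed by Role Deleter; EastRole only by East Coast User Management.
        "TestRole": Role(set(), {"Role Deleter"}),
        "EastRole": Role(set(), {"East Coast User Management"}),
    }
    users = {
        "secadmin": {"SecAdmin"},
        "john": {"Role Creator", "East Coast User Management", "Role Deleter"},
        "alice": {"Security Office"},    # manages all three of John's roles
        "bob": {"IT Helpdesk"},          # manages only two of them
    }
    return Directory(roles, users)


if __name__ == "__main__":
    d = build_example()
    print("john creates roles:", d.can_create_role("john"))
    print("john deletes TestRole:", d.can_delete_role("john", "TestRole"))
    print("john deletes EastRole:", d.can_delete_role("john", "EastRole"))
    print("alice resets john's password:", d.can_change_password("alice", "john"))
    print("bob resets john's password:", d.can_change_password("bob", "john"))
```

The password rule is the one most often misjudged when designing custom roles: because it must hold for every role the target user holds, a helpdesk role that manages only some of a user's roles cannot reset that user's password, which is exactly how the guide's AdminDelegate example stays unable to change passwords.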

View CloudLink Center user roles


Use this procedure to view the user roles in CloudLink Center. You can view existing roles, which include the built-in roles and
any custom roles that you have defined.

Steps
1. Log in to CloudLink Center.

2. Click System > Roles.
The CloudLink Center user roles are displayed. The following information is displayed for each user role:
● Name—The name of the role.
● Description—A description that meaningfully identifies the purpose or scope of the role.
● Built In—A flag that identifies whether the role is provided with CloudLink Center.
● Managed By—The names of the roles that administer this role. For information, see Manage custom roles.
In addition to the information provided in the Roles table, the following information is displayed for each selected user
role:
● Permissions—A list of permissions assigned to this role. For information, see Role-Based Access Control for CloudLink.

Add CloudLink Center user role


Use this procedure to add a user role in CloudLink Center.

About this task


If built-in roles do not meet your requirements, you can create roles to customize the permissions for users assigned to that role,
as required. For more information about built-in roles, see Built-in CloudLink Center user roles.
A custom role can include any combination of permissions. For example, you might create a custom role named AdminDelegate
that allows only a subset of Admin permissions, such as unlocking accounts. If an Admin user is not available, the AdminDelegate
is available to help users who are locked out of their accounts. This AdminDelegate role cannot perform more sensitive
activities, such as changing passwords.
A user can be assigned multiple roles, which gives them a combined set of permissions. For more information, see Add CloudLink
Center users.

Steps
1. Log in to CloudLink Center.
2. Click System > Roles > Add.
3. In the Add New Role dialog box, enter the following information:
● Name—The name of the role.
● Description—A description that meaningfully identifies the purpose or scope of the role.
● Use Permissions From—An existing role from which you want to copy permissions.
● Permissions—A list of permissions assigned to this role. The initial permissions are the same as those for the role
selected in Use Permissions From. Customize the permissions for the role you are creating. For information about
permissions, see Role-Based Access Control for CloudLink.
● Managed By—The names of the roles that administer this role. For information, see Manage custom roles.
4. Click Add.

Modify CloudLink Center user roles


Use this procedure to modify a user role in CloudLink Center. You can modify only custom user roles. You cannot modify built-in
roles.

Steps
1. Log in to CloudLink Center.
2. Click System > Roles.
3. Select the check box next to the custom user role you want to modify.
4. Click Actions > Modify.
5. In the Modify Role dialog box, change the description and the permissions.
6. Click Modify.

Change managing roles
Use this procedure to change the managing role for a role.

Prerequisites
You must be a user who is assigned to a role that manages the role you want to change.

About this task


You can change the managing role for a role. For example, a change to your organization’s structure may mean that a particular
managing role no longer has the authority to manage one of its current roles. For more information, see Manage custom roles.

Steps
1. Log in to CloudLink Center.
2. Click System > Roles.
3. Select the check box next to the custom role you want to change.
4. Click Actions > Change Managing Roles.
5. In the Change Managing Roles dialog box, select the required role from the Managed By list.
6. Click Change.

Delete CloudLink Center custom user roles


Use this procedure to delete custom user roles in CloudLink Center.

Prerequisites
You must be a user who is assigned to a role that manages the role you want to delete.

Steps
1. Log in to CloudLink Center.
2. Click System > Roles.
3. Select the check box next to the custom user role you want to delete.
4. Click Actions > Delete.
5. In the Confirm Role Deletion dialog box, when prompted to confirm the delete request, click Delete.

13
Manage CloudLink Center users and groups
This topic provides information about the different user account types that you can create, logging in using two-factor
authentication and managing users in CloudLink Center.
Each person who must work with CloudLink must be defined as a user in CloudLink Center. Each user is assigned a role that
determines their permissions in CloudLink Center.
A user can be assigned multiple roles, giving them a combined set of permissions.
For Enterprise and Microsoft Azure and Azure Stack—You can also use existing user accounts in the Microsoft Windows
domain of your organization and assign those accounts to the appropriate CloudLink Center role.
Topics:
• Secadmin user (built-in) role
• CloudLink Center user types
• 2-Factor Authentication (2FA) in CloudLink Center
• View CloudLink Center users
• Add CloudLink Center users
• Change user roles in CloudLink Center
• Change user password in CloudLink Center
• Change 2-Factor Authentication (2FA) for accessing CloudLink Center
• Unlock CloudLink accounts
• Delete CloudLink Center users

Secadmin user (built-in) role


This topic provides information about the secadmin user role which is a built-in role in CloudLink Center.
CloudLink Center provides a built-in user with the username secadmin, and assigns the SecAdmin role to that user. For more
information, see Built-in CloudLink Center user roles.
First-time access to CloudLink Center after deployment requires logging in as a secadmin user, and providing a default
password. The secadmin user has to change the default password immediately after the first-time login to CloudLink Center. For
information about first-time login to CloudLink Center, including the default password that is used, see the Dell EMC CloudLink
Deployment Guide.
After deployment, you can continue using this built-in secadmin user. You cannot delete this user, change the user name
(secadmin), or change the role. These restrictions mean that no administrative activity can result in you being locked out from
CloudLink Center. It is recommended that you store the built-in secadmin account credentials safely in a location which only
trusted security officers can access. You can create other user accounts for daily operations.

CloudLink Center user types


This topic provides information about the user types in CloudLink Center.
You can create the following types of CloudLink Center user accounts:
● Local—These user accounts exist only in CloudLink.
● (For Enterprise only) Domain—These user accounts represent existing user accounts in the Microsoft Windows domain of
your organization.
● (For Enterprise only) Domain Group—These user accounts represent existing group accounts in the Microsoft Windows
domain of your organization. CloudLink supports only Active Directory universal groups.
● Client—These user accounts are intended only for use with the REST APIs. Provide a name and secret for authenticating
the REST APIs from a client application. For more information, see the REST API documentation.

For more information, see Add CloudLink Center users.

CloudLink local accounts


Local user accounts exist only within CloudLink. To log in to CloudLink Center, local users provide a password that you define
when setting up the account.

CloudLink Domain and Domain Group Accounts


This topic provides information about the domain and domain group accounts in CloudLink Center.
Rather than creating users for your CloudLink needs, you can use existing accounts in the Microsoft Windows domain of your
organization and assign those accounts to the appropriate CloudLink Center role.
Domain accounts are convenient because:
● If CloudLink Center has been configured to use Integrated Windows Authentication (IWA), domain users and groups can use
their Windows login credentials to log in to CloudLink Center.
● If you use Windows domain groups, you can create a user in CloudLink Center that corresponds to it. You do not have to
create a domain account in CloudLink Center for every user in the Windows domain group.
This practice is useful if you have a Windows domain group for administrators and you want all administrators to have access
to CloudLink Center. For security, CloudLink Center uniquely records audits for actions that are taken by each administrator.
If an administrator belongs to more than one Windows domain group, and two or more of these groups have corresponding
user accounts in CloudLink Center, the administrator has all the privileges of all their user accounts.

Before you can add domain accounts, you must configure a Microsoft Windows domain. For more information, see Configure
Microsoft Windows domain users.
NOTE: To ensure that CloudLink can correctly check the group membership of a user, it is recommended to set the scope
of the domain group to Universal.

2-Factor Authentication (2FA) in CloudLink Center


This topic provides information about the 2FA in CloudLink Center.
For Enterprise and Microsoft Azure and Azure Stack—To access CloudLink Center, a user must provide both a user name and
password. For increased security, you may require a user to log in using 2FA. After providing the CloudLink Center credentials,
the user must provide additional credentials generated by a third-party provider.
CloudLink supports two-factor authentication using these third-party providers:
● Google Authenticator—This application is typically installed on the user’s mobile device and generates a token that the user
provides as the additional credentials when logging in to CloudLink Center.
● RSA SecurID—A hardware or software token generates a tokencode that the user provides as the additional credentials
when logging in to CloudLink Center.
For PowerFlex—To access CloudLink Center, a user must provide both a user name and password. For increased security,
you may require a user to log in using 2FA. After providing the CloudLink Center credentials, the user must provide additional
credentials generated by a third-party provider.
CloudLink supports two-factor authentication using these third-party providers:
● Google Authenticator—This application is typically installed on the user’s mobile device and generates a token that the user
provides as the additional credentials when logging in to CloudLink Center.
● RSA SecurID—A hardware or software token generates a token code that the user provides as the additional credentials
when logging in to CloudLink Center.
Two-factor authentication is available for individual local and domain users, but not for domain group users. For more
information, see CloudLink Center user types.
NOTE: If you configure CloudLink Center to use Integrated Windows Authentication (IWA) and 2FA, CloudLink Center uses
only the IWA credentials for domain users.

Before you can set up users for two-factor authentication using RSA SecurID, you must configure the RSA Authentication
Manager. For more information, see RSA Authentication Manager.

View CloudLink Center users


Use this procedure to view the existing users in CloudLink Center.

Steps
1. Log in to CloudLink Center.
2. Click System > Users & Groups.
The following user information is displayed about each user account:
● User Name—Identifies the user in the system. If the user type is domain, this value is the exact username from the
domain user account.
● Access Roles—Identifies the role for the user that determines the user’s access permissions. For more information, see
Manage custom roles.
● User Type—Identifies whether the user is a local, domain, domain group, or client user. For more information, see Add
CloudLink Center users.
● Built-in—Displays Yes for built-in users, and No for users you have created.
● Locked—Indicates whether the user has been locked out of CloudLink Center because of too many incorrect login
attempts. For more information, see Unlock CloudLink accounts.
● 2fa—Indicates whether the user is required to log in to CloudLink Center using two-factor authentication. For more
information, see CloudLink local accounts.
Values include:
○ None
○ RSA SecurID
○ Google

Add CloudLink Center users


Use this procedure to add users in CloudLink Center.

Prerequisites
If you are adding a user that represents a Windows domain group, the user must exist in the Windows domain. CloudLink does
not validate user presence in a Windows domain.

About this task


Every CloudLink Center user must have an account. The account information uniquely identifies the user and determines their
access permissions in CloudLink Center.
NOTE: An administrator can add a new user only if the access role is a custom role, and the custom role must belong to a
managing role.

Steps
1. Log in to CloudLink Center.
2. Click System > Users & Groups > Add.
3. In the Add New User dialog box, enter the following information:
● User Name—Identifies the user in the system. If the user type is Domain or Domain Group, type the exact account name
as defined in the Windows domain.
● Access Roles—Identifies the role for the user that determines the user’s access permissions. For more information, see
Manage custom roles.
● User Type—Identifies whether the user is a local, domain, domain group, or client user.
● 2fa Type—Indicates whether the user is required to log in to CloudLink Center using 2FA. For more information, see
2-Factor Authentication (2FA) in CloudLink Center.
● Password (local users only)—Defines the initial password of the user.
● Confirm Password (local users only)—Retype the initial password of the user.
● Change Password (local users only)—Determines whether the user must change the initial password on first login (On
the first login) or when they choose to (On demand).
4. Click Add.

Additional account set up for Google two-factor authentication


This topic provides information about the additional account set up for Google two-factor authentication.
For users with 2fa Type set to Google, a dialog box similar to the following is displayed after you create a user:

Figure 4. Change 2fa page

Instruct the user to scan the QR code using the Google Authenticator application on the user's mobile device.
Alternatively, you can provide the user with the Account Name and Secret Key values, which the user can enter manually into the
Google Authenticator application. For manual entry, ensure that the time-based option is selected in Google Authenticator.
NOTE: You may also want to provide the user with the Scratch Codes. Each of these codes can be used once instead of
the randomly generated token to log in to CloudLink Center. These codes are intended only for exceptional circumstances,
where the user may not have access to Google Authenticator and must log in to CloudLink Center.
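The Google Authenticator setup described above (the time-based option, the shared secret key, the one-time scratch codes) is standard TOTP as defined in RFC 6238, and the 2FA overview earlier in this chapter relies on the same mechanism. The Go program below is an added example written for this guide, not CloudLink code: it shows what the verifying side has to do with such a code, namely derive the expected code from the base32 secret, tolerate one 30-second step of clock drift, refuse any time step that was already accepted so a code cannot be replayed within the window, and consume a scratch code the first time it is used. The secret is the RFC 4226 test key, the scratch code is constructed, and the type and function names are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// rfcSecret is the RFC 4226 test key "12345678901234567890" in base32, the
// same encoding Google Authenticator reads from a QR code or manual entry.
const rfcSecret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

// totp returns the 6-digit RFC 6238 code for one 30-second time step, using
// the defaults Google Authenticator applies: HMAC-SHA1 and 6 digits.
func totp(secret string, step uint64) (string, error) {
	key, err := base32.StdEncoding.WithPadding(base32.NoPadding).
		DecodeString(strings.ToUpper(strings.ReplaceAll(secret, " ", "")))
	if err != nil {
		return "", err
	}
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], step)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000), nil
}

// Verifier holds what the server keeps for one user: the shared secret, the
// last time step it accepted (so a code cannot be replayed inside the drift
// window) and the scratch codes that have not been used yet.
type Verifier struct {
	secret   string
	window   int   // accepted clock drift, in steps, on either side of now
	lastStep int64 // highest step already used; -1 until the first success
	scratch  map[string]bool
}

// NewVerifier enrolls a user with a secret and a list of one-time scratch codes.
func NewVerifier(secret string, scratchCodes []string) *Verifier {
	v := &Verifier{secret: secret, window: 1, lastStep: -1, scratch: map[string]bool{}}
	for _, c := range scratchCodes {
		v.scratch[c] = true
	}
	return v
}

// Verify accepts a TOTP code within the drift window, or one unused scratch
// code. Each scratch code works once and each time step works once.
func (v *Verifier) Verify(code string, now time.Time) bool {
	if v.scratch[code] {
		delete(v.scratch, code) // consumed, so it cannot be presented again
		return true
	}
	current := now.Unix() / 30
	for d := -v.window; d <= v.window; d++ {
		step := current + int64(d)
		if step < 0 || step <= v.lastStep {
			continue // never accept a step that was already used
		}
		want, err := totp(v.secret, uint64(step))
		if err != nil {
			return false
		}
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			v.lastStep = step
			return true
		}
	}
	return false
}

func main() {
	v := NewVerifier(rfcSecret, []string{"19283746"}) // constructed scratch code
	code, _ := totp(rfcSecret, uint64(time.Now().Unix()/30))
	fmt.Println("current code accepted:", v.Verify(code, time.Now()))
	fmt.Println("same code again:", v.Verify(code, time.Now()))
}
```

The replay check is the part that is easy to omit: without `lastStep`, a code observed on the wire stays valid for up to 90 seconds with a one-step window, which is exactly the exposure a second factor is meant to remove.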

Change user roles in CloudLink Center


Use this procedure to change the role of users to another existing role.

Steps
1. Log in to CloudLink Center.
2. Click System > Users & Groups.
3. Select the check box next to the user account whose role you want to change.
4. Click Actions > Change Roles.
5. In the Change User Roles dialog box, select the required role.
You can assign more than one role to a user.

6. Click Change.

Change user password in CloudLink Center
Use this procedure to change the CloudLink Center password of a user.

About this task


Users can change their password, regardless of whether they have the Change User Password permission. Users can change
their passwords using the Change Password option in the User Name menu.

Steps
1. Log in to CloudLink Center.
2. Click System > Users & Groups.
3. Select the check box next to the user account whose password you want to change.
4. Click Actions > Change Password.
5. In the Change User Password dialog box, type the password and retype to confirm it.
6. Click Change.

Change 2-Factor Authentication (2FA) for accessing CloudLink Center
Use this procedure to change whether a user is required to log in to CloudLink Center using 2FA.

About this task


If you change a user to require Google two-factor authentication, a new account must be created in Google Authenticator
using the credentials that CloudLink Center displays after you change the two-factor authentication type. For information, see
Additional account set up for Google two-factor authentication.

Steps
1. Log in to CloudLink Center.
2. Click System > Users & Groups.
3. Select the check box next to the user account whose 2FA you want to change.
4. Click Actions > Change 2fa.
5. In the Change 2FA dialog box, select the required 2FA type from the 2fa Type list.
6. Click Change.

Unlock CloudLink accounts


This topic provides information about unlocking user accounts in CloudLink.
For security, local users, including the built-in secadmin user, have a limited number of attempts to provide the correct password
when logging in to CloudLink Center. After the specified number of login attempts, the user is locked out of the account.
When a user is locked out of their account, CloudLink Center displays a message below the Password box indicating that
the account is locked. The account is automatically unlocked after fifteen minutes. If the user requires immediate access, the
account must be manually unlocked.
For more information about setting the number of login attempts, see Change the number of login attempts before lockout.
You can identify users who have been locked out on the Users page. For these users, the table displays Yes in the Locked
column.
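The lockout rules above (a fixed number of wrong passwords, automatic unlock after fifteen minutes, manual unlock by an administrator) form a small state machine, and two details decide whether it actually protects anything: a locked account must refuse even the correct password until the lock expires, and a successful login must reset the failure counter. The Go program below is an added example written for this guide, not CloudLink code; the three-attempt limit and the account names are constructed, the fifteen-minute automatic unlock is the value the guide states, and the type and method names are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// LockoutPolicy tracks failed logins per account: after maxAttempts wrong
// passwords the account is locked, the lock expires after lockDuration, or an
// administrator clears it early.
type LockoutPolicy struct {
	maxAttempts  int
	lockDuration time.Duration
	failures     map[string]int
	lockedUntil  map[string]time.Time
}

func NewLockoutPolicy(maxAttempts int, lockDuration time.Duration) *LockoutPolicy {
	return &LockoutPolicy{
		maxAttempts:  maxAttempts,
		lockDuration: lockDuration,
		failures:     map[string]int{},
		lockedUntil:  map[string]time.Time{},
	}
}

// IsLocked reports whether user is locked at time now. An expired lock is
// cleared on the way, which is the automatic unlock.
func (p *LockoutPolicy) IsLocked(user string, now time.Time) bool {
	until, ok := p.lockedUntil[user]
	if !ok {
		return false
	}
	if now.Before(until) {
		return true
	}
	p.clear(user)
	return false
}

// Attempt records the outcome of a password check and reports whether the
// login may proceed. A locked account is refused even with the right
// password, and a successful login resets the failure count.
func (p *LockoutPolicy) Attempt(user string, passwordOK bool, now time.Time) bool {
	if p.IsLocked(user, now) {
		return false
	}
	if passwordOK {
		p.clear(user)
		return true
	}
	p.failures[user]++
	if p.failures[user] >= p.maxAttempts {
		p.lockedUntil[user] = now.Add(p.lockDuration)
	}
	return false
}

// Unlock is the administrator's manual unlock.
func (p *LockoutPolicy) Unlock(user string) {
	p.clear(user)
}

// FailedAttempts exposes the counter so it can be shown or audited.
func (p *LockoutPolicy) FailedAttempts(user string) int {
	return p.failures[user]
}

func (p *LockoutPolicy) clear(user string) {
	delete(p.failures, user)
	delete(p.lockedUntil, user)
}

func main() {
	p := NewLockoutPolicy(3, 15*time.Minute) // 3 attempts is a constructed value
	now := time.Now()
	for i := 0; i < 3; i++ {
		p.Attempt("operator", false, now)
	}
	fmt.Println("locked after 3 failures:", p.IsLocked("operator", now))
	fmt.Println("still locked 5 min later:", p.IsLocked("operator", now.Add(5*time.Minute)))
	fmt.Println("auto-unlocked 15 min later:", !p.IsLocked("operator", now.Add(15*time.Minute)))
}
```

The time is passed in rather than read inside the methods so the policy can be tested at fixed instants and so the same code works on a cluster where the decision is made by whichever node handled the request.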

Manually unlock local CloudLink Center users
Use this procedure to manually unlock local users in CloudLink Center.

About this task


All local users except the built-in secadmin user are unlocked manually from within CloudLink Center.

Steps
1. Log in to CloudLink Center.
2. Click System > Users & Groups.
3. Select the check box next to the user account whose account you want to unlock.
4. Click Actions > Unlock.
5. In the Unlock dialog box, select
6. Click Change.

Manually unlock built-in secadmin CloudLink Center users


Use this procedure to manually unlock the secadmin (built-in) user in CloudLink Center.

Prerequisites
You must have access to the CloudLink Center console interface, which is used to configure underlying network- or system-
level connections. You used the console interface for the first time when deploying CloudLink Center. For more information, see
the Dell EMC CloudLink Deployment Guide.

About this task


The built-in secadmin user is unlocked from the CloudLink Center console interface. This interface is the only way to unlock this
user if there are no other users assigned the SecAdmin role or they have also been locked out. For more information, see Built-in
CloudLink Center user roles.

Steps
1. Access the CloudLink Center console interface.
2. From the Update menu, select Unlock User.
3. Click OK.

Delete CloudLink Center users


Use this procedure to delete the user account in CloudLink Center. You can delete any user except the built-in secadmin user.

Prerequisites
You must have the Delete User permission in a managing role for all the roles of the users.

Steps
1. Log in to CloudLink Center.
2. Click System > Users & Groups.
3. Select the check box next to the user account you want to delete.
4. Click Actions > Delete.
5. In the Confirm User Deletion dialog box, when prompted to confirm the delete request, click Delete.

14
Manage encryption keystores and keys in CloudLink Center
This chapter provides information about the encryption keystores, keys, and managing them in CloudLink Center.
CloudLink uses the following types of encryption keys to secure machines:
● For a machine, volume encryption keys secure the boot or data volumes, as determined by the key release policy. For more
information, see CloudLink key release policies.
● For a device, device encryption keys secure the encrypted devices. For more information, see CloudLink key release policies.
● The VKEK protects the volume or device encryption keys:
○ When CloudLink Center receives a request from CloudLink Agent to encrypt a volume on its machine, CloudLink Center
generates a new VKEK in a keystore and uses it to encrypt the volume encryption key.
○ When a volume requires decryption, CloudLink Center decrypts the volume encryption key using the VKEK and sends it
to CloudLink Agent.
These keys can be stored in the CloudLink Center keystore or an external keystore. A keystore is a combination of a key location
and a key protector. For more information, see Best practices for key location access control and backup.
It is important to know the difference between the types of encryption keys that are used to secure machines. However, because
volume or device encryption keys are created and managed by native technologies in the operating system of the machines, they
are not discussed in detail in CloudLink documentation. Unless specified otherwise, the terms encryption keys and keys in this
guide refer to the VKEK.
During deployment, CloudLink Center creates an initial keystore for encryption keys called CloudLink Vault. For more information
about using CloudLink Vault, see Manage CloudLink Vault. If you do not want to use the initial, or default, keystore to store
encryption keys, external options are available, including Microsoft Active Directory, Amazon S3, S3-compatible bucket, or
External KMIP Server.
Encryption keys are also encrypted, or protected, by one or more key protectors, including CloudLink Vault, SafeNet LunaSA,
Microsoft Azure Key Vault, a KMIP key manager, or a password.
If you add keystores, only one keystore can be active for each machine group, but multiple keystores can be used in each
CloudLink Center or CloudLink Center cluster deployment. Keys that are generated by CloudLink Center are stored in a
keystore. You can modify and delete keystores.
If you have more than one keystore, you can move keys from a source keystore to a destination keystore. However, you cannot
move keys from a keystore that is assigned to a machine group. This approach is useful for keeping as many keys as possible
in a keystore. If you prefer, you can leave keys in the keystores where CloudLink Center created them. When CloudLink Center
requires a key, it checks each accessible keystore.

You can change the frequency that CloudLink Center automatically updates keys, referred to as the key lifetime. For more
information, see the section "Key Lifetime" in the topic CloudLink Machine group properties. You can also manually update keys.
You can view keys in a keystore and the key history for a machine.
Topics:
• CloudLink Center encryption key location and protector options
• View keystores
• Configure a keystore
• Set the current keystore
• Modify key location of a keystore
• Modify key protector of a keystore
• Delete a keystore
• Resolve missing CloudLink Center key alarm
• Show keys in a keystore
• Move keys to another keystore
• View event history of a keystore
• Update keys

CloudLink Center encryption key location and protector options
This topic provides information about the encryption key location and protector options in CloudLink Center.

Keystores
The term keystore refers to the combination of a key location and a key protector. Encryption keys are stored in a key location
and are encrypted, or protected, by a key protector.

Key locations
CloudLink Center supports several options for the key location that is used to store encryption keys:
● Local Database—An internal key location
● Microsoft Active Directory—An external key location
● Amazon S3—An external key location
You must have an Amazon Web Services (AWS) account to use this location.
● S3-compatible bucket—An external S3-compatible key location
● External KMIP Server—In CloudLink Center 7.1.3 and later versions, you can configure an external KMIP server so it can
generate and store keys.

Key protectors
CloudLink Center supports several options for encryption key protectors.

NOTE: The type of available key protector depends on the selected key location.

● CloudLink Vault—An internal key protector
● SafeNet LunaSA—An external key protector using a hardware security module (HSM) for protection
● Microsoft Azure or Azure Stack Key Vault—An external key protector using an Azure or Azure Stack Key Vault for
protection
● KMIP server—An external key protector using a Key Management Interoperability Protocol (KMIP) server for protection
● Password—The encryption key is protected with a password.

Best practices for key location access control and backup
This topic provides information about the best practices for saving, backing up, and restoring CloudLink Center machine
encryption keys.
You are responsible for your encryption keys and for ensuring that the appropriate access control and backup policies and
procedures are in place to protect the keys against loss or theft. If your keys become unavailable, you cannot access any data
that was encrypted using those keys.
CloudLink Center backups are critical for restoring CloudLink Center. Have a backup of CloudLink Center so that you can deploy
a new server and restore CloudLink Center. If you are using the local database, volume encryption keys or device encryption
keys are stored in CloudLink Center. Backups are the only method of restoring keys so that you can access encrypted data.
NOTE: Ensure that you meet all prerequisites for restoring CloudLink Center from backup, otherwise you cannot access
encrypted data after restoring from a backup file.
For more information about CloudLink Center backups and restoring from a backup file, see Back up and restore CloudLink
Center.
The following identifies the key protectors that are available for each type of key location.
Key Protector—CloudLink Vault
● Local database key location—Yes
● Microsoft Active Directory key location —No
● Amazon S3 key location—No
● S3-compatible bucket key location—No
● External KMIP Server—No
Key Protector—SafeNet LunaSA
● Local database key location—Yes
● Microsoft Active Directory key location —No
● Amazon S3 key location—No
● S3-compatible bucket key location—No
● External KMIP Server—No
Key Protector—Microsoft Azure or Azure Stack Key Vault
● Local database key location—Yes
● Microsoft Active Directory key location —No
● Amazon S3 key location—No
● S3-compatible bucket key location—No
● External KMIP Server—No
Key Protector—KMIP key manager
● Local database key location—Yes
● Microsoft Active Directory key location —Yes
● Amazon S3 key location—Yes
● S3-compatible bucket key location—Yes
● External KMIP Server—Yes
Key Protector—Password
● Local database key location—Yes
● Microsoft Active Directory key location —Yes
● Amazon S3 key location—Yes
● S3-compatible bucket key location—Yes
● External KMIP Server—Yes

CloudLink Center key location
This topic provides information about the key locations in CloudLink Center.

Local Database
CloudLink Center includes a secure local database protected by CloudLink Vault. This initial key location encrypts credentials
used to access remote resources. For example, CloudLink Vault stores credentials required to access the Microsoft Windows
domain, FTP or SFTP servers, and external key locations.
You can continue to use this initial key location or configure a different key location. When used as the key location, the
CloudLink Vault local database encrypts and stores VKEKs. If you delete a CloudLink Vault key location, all keys are destroyed.
For CloudLink Center clusters, CloudLink Vault is replicated to each server in a cluster. The key location is automatically available
on each cluster server.
CloudLink Center backups must be configured when using CloudLink Vault as the key location. For more information, see Best
practices for key location access control and backup.
NOTE: If you do not use the initial CloudLink Vault as the key location, CloudLink Center still requires it to store credentials
used to access remote resources. For more information about working with CloudLink Vault, see Manage CloudLink Vault.

Microsoft Active Directory organizational unit


The authentication credentials for Active Directory are stored in the CloudLink Vault. Ensure key safety by backing up the Active
Directory server.
If you delete an Active Directory keystore, the keys remain in the Active Directory base container. You can add this container to
CloudLink Center with the same key protector to regain access.

Amazon S3 bucket
The authentication credentials for Amazon S3 are stored in the CloudLink Vault. Ensure key safety by protecting your S3 bucket
from accidental deletion.
If you delete an Amazon S3 keystore, the keys remain in the S3 bucket. You can add this bucket to CloudLink Center with the
same key encryption password to regain access.

S3-compatible bucket
The authentication credentials for an S3-compatible bucket are stored in the CloudLink Vault. Ensure key safety by protecting
your S3-compatible bucket from accidental deletion.
If you delete an S3-compatible keystore, the keys remain in the S3-compatible bucket. You can add this bucket to CloudLink
Center with the same key encryption password to regain access.

External KMIP Server


In CloudLink Center 7.1.3 and later versions, you can configure an external KMIP server to generate and store the encryption
keys required for agent or machine encryption. The key release policies that apply to an agent also apply to external KMIP
servers. An external KMIP server can be used for encrypting machines, PowerFlex devices, and containers, and for SED key
management. However, these features do not apply to Key Management over KMIP, because in that case CloudLink itself acts as
the KMIP server.

CloudLink key protectors
A key protector is the protection mechanism used to encrypt and protect the volume or device encryption keys. Key protectors
include:

CloudLink Vault
For more information, see Manage CloudLink Vault.

SafeNet LunaSA
A SafeNet LunaSA key protector uses a hardware security module (HSM) to protect encryption keys.
The main authorization credentials to LunaSA HSM are configured on each server in a cluster. These credentials are not stored
in the CloudLink Vault.
For PowerFlex—If you delete a LunaSA keystore, the keys remain in the HSM. You can add this HSM to CloudLink Center with
the same password to regain access.

Microsoft Azure Key Vault


A Microsoft Azure Key Vault is a service provided by Microsoft Azure to protect your encryption keys.

KMIP server
A KMIP server can be used to protect your encryption keys. A KMIP server key protector protects all encryption keys stored in a
location.

Password
Encryption keys can be password protected.

View keystores
Use this procedure to view the keystores that have been added. A keystore is a combination of a key location and a key protector.

Steps
1. Log in to CloudLink Center.
2. Click System > Keystores.
The list of keystores is displayed.

Configure a keystore
This topic provides information about configuring a keystore.
The initial CloudLink Vault keystore is configured during server setup. You can configure one or more additional keystores.
NOTE: You can have only one current, or active, keystore for each machine group, but multiple keystores can be used in
each CloudLink Center or CloudLink Center cluster deployment.

Add a keystore
Use this procedure to add a keystore, in addition to the initial CloudLink Vault keystore.

Steps
1. Log in to CloudLink Center.
2. Click System > Keystores > Add.
3. In the Add New Keystore dialog box, enter the name and description, and then click Next.
4. Select the required keystore location from the Key Location Type list, and then click Next.
For instructions on adding a key location, see Add a key location.
5. Select the required key protector from the Protector Type list.
For instructions on adding a key protector, see Add a key protector.
6. Click Add.

Add an encryption key location


You can use the Local Database, Active Directory, Amazon S3 bucket, S3-compatible bucket, or an External KMIP Server to
create and store keys.

Local Database
You can use the local CloudLink Vault database to store encryption keys.

Active Directory
To use Microsoft Active Directory for the CloudLink keystore, you must have a Microsoft Windows domain controller that
is reachable by CloudLink Center. For information about configuring an Active Directory on a Windows server, see Configure
Active Directory (AD) for the CloudLink encryption keystore.
Verify that CloudLink Center has a DNS configured. For more information, see Configure CloudLink Center DNS properties.
When creating an Active Directory keystore, provide the following values:
● Domain—The domain name configured on the Active Directory host, such as example.com
● Base DN—The name of the container configured on the Active Directory host
For example: CN=MyKeys,OU=MyOU,DC=cloudlink,DC=com
● Hosts (comma separated)—The Active Directory hostname
For example: clc.example.com.
The Active Directory host is a Windows Server where Active Directory is configured. You can add additional Active Directory
hostnames for redundancy. Do not use an IP address.
● Username—The login name for the bind user
● Password—The password configured for the bind user

Amazon S3 Bucket
When creating an Amazon S3 Bucket keystore, provide the following values:
● Bucket Name—The name of the bucket resource for the keystore
If the bucket does not exist, CloudLink Center creates it. If the bucket exists, CloudLink Center tries to connect to it. If
CloudLink Center cannot connect to the bucket, CloudLink Center displays an Access Denied error.
● Region—The region where your bucket is expected to be located.
● Access Key ID—The Access Key ID associated with your AWS account
● Access Key—The Secret Access Key associated with your AWS account

S3 Compatible Bucket
When creating an S3-compatible bucket keystore, provide the following values:
● S3 Endpoint—The endpoint for your S3-compatible bucket
● Bucket Name—The name of the bucket resource for the keystore
If the bucket does not exist, CloudLink Center creates it. If the bucket exists, CloudLink Center tries to connect to it. If
CloudLink Center cannot connect to the bucket, CloudLink Center displays an Access Denied error.
● URL Style—Either a virtual-hosted-style URL where the bucket name is a subdomain, or path-style URL where the bucket
name is appended to the domain name and is a part of URL path.
● Access Key—The access key associated with your S3-compatible storage account
● Secret Key—The secret key associated with your S3-compatible storage account
NOTE: You can test the configuration values using the Test button.

For encrypted key protector options, see Add an encrypted key protector.

External KMIP Server


In CloudLink Center 7.1.3 and later versions, you can configure an external KMIP server to generate and store the encryption
keys required for agent or machine encryption. The key release policies that apply to an agent also apply to external KMIP
servers. An external KMIP server can be used for encrypting machines, PowerFlex devices, and containers, and for SED key
management. However, these features do not apply to Key Management over KMIP, because in that case CloudLink itself acts as
the KMIP server.

Add an encrypted key protector


This topic provides information about the different encrypted key protectors available in CloudLink Center.
You add an encrypted key protector to protect encryption keys. CloudLink supports CloudLink Vault, SafeNet LunaSA, Azure
KeyVault, and VMware KMIP servers as encryption key protectors; with the external options, the keys are protected by a key
management system (KMS) that acts as the protector.

CloudLink Vault
You can choose CloudLink Vault as the key protector.

SafeNet LunaSA
You add a SafeNet LunaSA key protector with the assistance of Dell Technologies Support. Contact your Dell Technologies
representative for more information.

Azure KeyVault
When adding an Azure Key Vault as the key protector, provide the following values:
● Key ID—The identifier for the key used to protect the keystore
● Client ID—A character string assigned by Microsoft during registration
● Client Secret—A security key provided by Microsoft

KMIP
You can configure a KMIP server as a key protector. For more information about KMIP servers, see Manage Key Management
Interoperability Protocol (KMIP) servers in CloudLink Center.
You must meet the following additional requirements when using a KMIP server as a key protector:
● You must have a KMIP server. You can add up to four KMIP servers.
● One of the KMIP servers must be reachable by CloudLink Center.
● CloudLink Center must have a DNS configured. For more information, see Configure Active Directory (AD) for the CloudLink
encryption keystore.
When adding a KMIP server or selecting external KMIP server as the source of generating and storing encryption keys, select or
enter the following information:
● Protector Type—If you select External KMIP Server as the location, then KMIP Proxy is displayed as the default
protector type.
● KMIP Server Address—KMIP server hostname

You can add up to four KMIP server addresses by clicking .


● Port—Optional parameter that defines the TCP port number to use with KMIP. If the port is not specified, the KMIP
standard TCP port 5696 is used.
● Credential Type—Username and Password, Device, or No Credentials
● Username/Serial Number—Username for client authentication to a KMIP server
● Password—Password for client authentication to a KMIP server (optional)
● Key—Private key for client authentication when authenticating a TLS connection
● Certificate—Certificate for client authentication when authenticating a TLS connection
● Trusted certificate—KMIP server certificate that is used as a trust anchor when authenticating a TLS connection.
NOTE: You can test the configuration values using the Test button.
● Password—You can protect encryption keys with a password.

Set the current keystore


This topic provides information about setting the current keystore.
CloudLink Center stores new encryption keys in the current keystore for the machine group. Only one keystore can be current
at a time for a machine group. You might want to change the current keystore after adding a new keystore in which you want
CloudLink Center to store new encryption keys.
When you switch the current keystore for a machine group, encryption keys are not automatically moved to the new keystore.
You can move keys to the new keystore, except for keys stored in SafeNet LunaSA.
You set the current keystore for a machine group by modifying the machine group. For more information, see Modify a machine
property on a CloudLink Center machine group.

Modify key location of a keystore


Use this procedure to modify key location and key protector properties after adding a keystore.

About this task

NOTE: Only one keystore can be active at a time for each Machine Group.

Steps
1. Log in to CloudLink Center.
2. Click System > Keystores.
3. Select the check box next to the keystore whose key location you want to modify.
4. Click Actions > Modify Key Location.

Modify key protector of a keystore
Use this procedure to modify key protector properties after adding a keystore.

About this task

NOTE: Only one keystore can be active at a time for each Machine Group.

Steps
1. Log in to CloudLink Center.
2. Click System > Keystores.
3. Select the check box next to the keystore whose key protector you want to modify.
4. Click Actions > Modify Protector.

Delete a keystore
Use this procedure to delete a keystore.

About this task


You can delete any keystore that is not used in a machine group. A keystore in use by a machine group must be removed
from the machine group before it can be deleted. The results and behavior following deletion depend on the keystore type. For
information, see CloudLink encryption key location and protector options.
If you delete a keystore and later determine that it contained keys that are required to access encrypted volumes or devices,
you may be able to restore the keystore from a backup. For more information, see Restore keystores from a backup file.

Steps
1. Log in to CloudLink Center.
2. Click System > Keystores.
3. Select the check box next to the keystore you want to delete.
4. Click Actions > Delete.
5. In the Confirm Keystore Deletion dialog box, when prompted to confirm the delete request, click Delete.

Resolve missing CloudLink Center key alarm


This topic provides information about resolving the missing CloudLink Center key alarm.
Each day, CloudLink Center checks if it can access volume or device keys for connected and registered machines. If CloudLink
Center detects that it cannot access one or more volume or device keys, it generates the Missing Key alarm for each key. After
raising this alarm, CloudLink Center checks hourly to see whether the key has become available. CloudLink Center lowers the
alarm only when the key is available during the check. The alarm is also lowered when a machine is disconnected.
This alarm occurs if a keystore containing the required key becomes inaccessible because CloudLink Center cannot access the
volume or device keys that are stored in the keystore. This alarm also occurs if an administrator deletes a keystore that contains
required volume or device keys, or deletes a key from a keystore during a shred operation or by using external tools.
This alarm is intended to notify you in a timely manner that volume or device keys are missing. Actions that you must take to
resolve this alarm may include checking network connectivity for the keystore or restoring a keystore from a backup file. For
more information, see Restore keystores from a backup file.

Show keys in a keystore
Use this procedure to view the keys stored in a selected keystore.

Steps
1. Log in to CloudLink Center.
2. Click System > Keystores.
3. Select the check box next to the keystore whose keys you want to view.
4. Click Actions > Show Keys.
The keys are displayed.

Move keys to another keystore


Use this procedure to move keys from one keystore to another. For example, you may want to use an external keystore such as
Microsoft Active Directory instead of the initial keystore. After configuring the external keystore, move keys to it from the initial
keystore.

Prerequisites
The source and destination keystores must both be accessible by CloudLink Center.

About this task

NOTE: Keys cannot be moved from a keystore that is assigned to a machine group.

Steps
1. Log in to CloudLink Center.
2. Click System > Keystores.
3. Select the check box next to the keystore whose keys you want to move.
4. Click Actions > Move Keys.
5. In the Move Keys dialog box, select the required keystore from the Move To list.
6. Click Move.

View event history of a keystore


Use this procedure to view the history of the encryption keys for a machine.

Steps
1. Log in to CloudLink Center.
2. Click System > Keystores.
3. Select the check box next to the keystore whose event history you want to view.
4. Click Actions > Show Key History.

Update keys
Use this procedure to update keys to reencrypt all the volume encryption keys of a machine with new volume key encryption
keys (VKEK).

Prerequisites
The machine must be in the connected state.

Steps
1. Log in to CloudLink Center.
2. Click Agents > Machines.
3. Select the check box next to the machine whose keys you want to update.
4. Click Actions > Update Keys.

15
Monitor CloudLink Center
This chapter provides information about comprehensive monitoring of the CloudLink environment and its machines in CloudLink
Center.

Topics:
• Actions, events, security events, and alarms in CloudLink
• View CloudLink Center actions
• CloudLink events and corresponding syslog severity numbers
• View CloudLink Center events
• Security events in CloudLink
• View CloudLink Center security events
• View CloudLink Center alarms
• Change the CloudLink Center alarm state
• Manage email notifications in CloudLink Center
• View individual log files
• Download log files
• Generate diagnostic log files
• Enable the debug mode in CloudLink Center
• View user sessions in CloudLink Center
• End user sessions in CloudLink Center
• View usage in CloudLink Center
• Reset license usage in CloudLink Center

Actions, events, security events, and alarms in CloudLink
When an action, event, or security event occurs, CloudLink Center displays a notification header and all notifications in
the bottom-right corner of the window. You can show or hide notifications using the icons in the notification header. The
notification header and notifications automatically disappear after a few seconds.
Each hour, CloudLink Center checks to determine if more than 10,000 actions, events, and security events exist. If so, CloudLink
Center deletes entries older than four days, starting with the oldest entry, until the total number of entries is less than 10,000.
In addition to action and event notifications, CloudLink Center raises alarms to make you aware of critical states or conditions.
For more information, see View and manage alarms.

View CloudLink Center actions


Use this procedure to view the actions initiated by users, such as uploading or assigning licenses, accepting a pending machine,
or setting the CloudLink Vault mode.

Steps
1. Log in to CloudLink Center.
2. Click Monitoring > Actions.
You can filter the list to the actions that happened in the last 10 minutes, the last 30 minutes, or the last hour, or view all actions.

CloudLink events and corresponding syslog severity numbers
CloudLink assigns one of six levels to each event to indicate its importance. These levels map to syslog levels 1 to 6. For
example, Alert is level 1, Critical is level 2 and so on.
Following are the event levels and their corresponding syslog number:
● Alert=1
● Critical=2
● Error=3
● Warning=4
● Notice=5
● Information=6
For alarms, CloudLink Center creates an event when an alarm is raised, assigning it a level of Error if the severity is high or
Warn if the severity is low. CloudLink Center creates another event if the condition or state that caused the alarm is resolved,
assigning this event the Information level.
For actions, CloudLink Center creates an event when the user initiates the action, assigning it to the Notice level. On completion
of the action, CloudLink Center may create additional events based on the internal processing of an action (if needed).
CloudLink Center always creates an event that indicates when an action completed.
CloudLink writes events to the configured syslog server. Details about when events were initiated and completed are available
only in the syslog server. These details are not provided in the Events table.
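The level table and the alarm rules above, as an added example that is not CloudLink's own code: it encodes the CloudLink level to syslog severity mapping, derives the event level for a raised or resolved alarm, and builds and decodes the RFC 5424 PRI prefix a syslog collector would receive. The facility number and the sample message text are assumptions, because the guide does not specify them.

```python
"""Map CloudLink event levels to syslog severities (added example).

Encodes only the level table and alarm rules stated in the guide. The
syslog facility and the sample message layout are assumptions; CloudLink's
real syslog records may differ.
"""
import re

# CloudLink event level -> syslog severity number, as listed in the guide.
CLOUDLINK_LEVELS = {
    "Alert": 1,
    "Critical": 2,
    "Error": 3,
    "Warning": 4,
    "Notice": 5,
    "Information": 6,
}
SEVERITY_TO_LEVEL = {num: name for name, num in CLOUDLINK_LEVELS.items()}

# Assumed facility for the PRI calculation (16 = local0); not from the guide.
ASSUMED_FACILITY = 16


def alarm_event_level(alarm_severity, resolved=False):
    """Level CloudLink Center assigns to the event it creates for an alarm.

    Raised alarm: Error for high severity, Warning for low severity.
    Resolved alarm: Information.
    """
    if resolved:
        return "Information"
    if alarm_severity == "high":
        return "Error"
    if alarm_severity == "low":
        return "Warning"
    raise ValueError(f"unknown alarm severity: {alarm_severity!r}")


def syslog_pri(level, facility=ASSUMED_FACILITY):
    """RFC 5424 PRI value for a CloudLink level: facility * 8 + severity."""
    return facility * 8 + CLOUDLINK_LEVELS[level]


PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(message):
    """Split the PRI prefix of a received message into (facility, level name).

    Severities 0 (Emergency) and 7 (Debug) never occur under the guide's
    table, so they are rejected rather than mapped to a CloudLink level.
    """
    m = PRI_RE.match(message)
    if not m:
        raise ValueError("message has no <PRI> prefix")
    facility, severity = divmod(int(m.group(1)), 8)
    level = SEVERITY_TO_LEVEL.get(severity)
    if level is None:
        raise ValueError(f"severity {severity} is not a CloudLink level")
    return facility, level


def select_at_or_above(messages, worst_allowed="Error"):
    """Keep messages at the given level or more severe (lower number).

    Messages without a decodable CloudLink PRI are skipped, not failed on.
    """
    threshold = CLOUDLINK_LEVELS[worst_allowed]
    kept = []
    for msg in messages:
        try:
            _, level = decode_pri(msg)
        except ValueError:
            continue
        if CLOUDLINK_LEVELS[level] <= threshold:
            kept.append(msg)
    return kept


# Constructed sample messages (not real CloudLink output) in the assumed layout.
SAMPLE_MESSAGES = [
    "<131>CloudLink alarm raised: Missing Key (high severity)",   # Error
    "<132>CloudLink alarm raised: backup overdue (low severity)",  # Warning
    "<134>CloudLink alarm resolved: Missing Key",                  # Information
    "<133>CloudLink action initiated: Move Keys",                  # Notice
    "<135>CloudLink internal debug trace",                         # Debug, skipped
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        try:
            print(decode_pri(msg), msg)
        except ValueError as exc:
            print("skipped:", exc)
    print("page-worthy:", select_at_or_above(SAMPLE_MESSAGES))
```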

View CloudLink Center events


Use this procedure to view the internal activity in the system, as well as activity related to actions and alarms.

Steps
1. Log in to CloudLink Center.
2. Click Monitoring > Events.
You can filter the list to the events that happened in the last 10 minutes, the last 30 minutes, or the last hour, or view all events.

Security events in CloudLink


The Security Events page shows all CloudLink security events, such as:
● Logins by users
● Failed attempts to unlock the CloudLink Vault using a passcode
● Registrations for machines
● Changes to the CloudLink Vault mode
● Successful or failed attempts to start a secure user action
● Key activities such as requests, updates, or moves
CloudLink Center assigns each security event a level to indicate its importance. The level types are the same as for events. For
information, see View CloudLink Center security events.
CloudLink writes security events to the configured syslog server.

View CloudLink Center security events


Use this procedure to view the security events in CloudLink Center.

Steps
1. Log in to CloudLink Center.
2. Click Monitoring > Security Events.
You can filter the list to the security events that happened in the last 10 minutes, the last 30 minutes, or the last hour, or view all security events.

View CloudLink Center alarms


For more information about viewing CloudLink Center alarms, see View and manage CloudLink Center alarms.

Change the CloudLink Center alarm state


CloudLink Center provides two alarm states: Watched and Ignored.

About this task


To change the alarm notification states and email notification status in the CloudLink Center:

Steps
1. Log in to CloudLink Center.
2. Select System > Alarms Configuration.
3. Select the alarm you want to change.
4. Select Actions > Change.
5. In the Change dialog box, select the following:
● From the State list, select one of the following values:
○ Watched—Future notifications for the selected alarm are reported.
○ Ignored—Future notifications for the selected alarm are ignored.
● From the Email Notification list, select one of the following.
○ Send
○ Do not Send
6. Click Change.

Manage email notifications in CloudLink Center


This topic provides information about the email notifications that can be sent when a CloudLink Center alarm is raised or
updated. You can configure the CloudLink Center server that generates an alarm to send an email notification whenever an
alarm is generated or updated.

Send test email in CloudLink Center


Use this procedure to send a test email in CloudLink Center.

Steps
1. Log in to CloudLink Center.
2. Click System > Email Notifications.
3. Click Actions > Send Test Email.
4. In the Confirm Sending Test Email dialog box, when prompted to confirm the request, click Send.

Change email subject format in CloudLink Center


Use this procedure to change the email subject in CloudLink Center.

Steps
1. Log in to CloudLink Center.
2. Click System > Email Notifications.
3. Click Actions > Change Email Subject Format.
The Change Email Subject Format dialog box is displayed.
4. In the Email Subject Format box, enter an email subject format, and then click Change.

Add recipient in CloudLink Center


Use this procedure to add a recipient.

Steps
1. Log in to CloudLink Center.
2. Click System > Email Notifications.
3. Click Actions > Add Recipient.
The Add Recipient dialog box is displayed.
4. In the Email Subject box, enter an email address, and then click Add.

Delete recipient from CloudLink Center


Use this procedure to delete a recipient.

Steps
1. Log in to CloudLink Center.
2. Click System > Email Notifications.
3. Select the check box next to the recipient you want to delete.
4. Click Actions > Delete Recipient.
5. In the Confirm Recipient dialog box, when prompted to confirm the delete request, click Delete.

Change email server configuration in CloudLink Center


Use this procedure to add an email server and account to use to send notifications.

Steps
1. Log in to CloudLink Center.
2. Click System > Email Notifications.
3. Click Change Configuration.
4. In the Change Email Server Configuration dialog box, select SMTP from the Server Type list, and then enter the
following information:
● Server Address—The SMTP server address
● Port—The SMTP server port
● Sender Address—The originating email address
● User Name—The email account username
● Password—The email account password
5. Click Change.

View individual log files


Use this procedure to view individual CloudLink Center log files. You can view the tail of an individual log file and specify how
often the view automatically refreshes.

Steps
1. Log in to CloudLink Center.
2. Click Monitoring > Diagnostics.
3. Click View Logs.
4. In the Select Logs To View dialog box, do the following:
a. From the Log File list, select a log file.
b. In the Lines To Show box, enter the number of lines from the tail of the log file to view.
c. In the Update Interval (sec) box, enter the frequency (in seconds) at which to update the view with the current file content.
5. Click Show Logs.

Download log files


Use this procedure to download all the CloudLink Center log files in a compressed ZIP file. This file is required, for example,
when reporting an issue to Dell Technologies Customer Support.

Steps
1. Log in to CloudLink Center.
2. Click Monitoring > Diagnostics.
3. Click View Logs.
4. In the Select Logs To View dialog box, select a log file, and enter the required values for which you want to download the
log files.
5. Click Show Logs.
The required log file is displayed.
6. Click Actions > Download Logs.
The log file is downloaded to your Downloads folder.

Generate diagnostic log files
The Generate Diagnostics command creates a diagnostics log. Dell Technologies Customer Support uses this file if there is a
support issue. It is downloaded with the log files to your Downloads folder.

Steps
1. Log in to CloudLink Center.
2. Click Monitoring > Diagnostics.
3. Click View Logs.
4. In the Select Logs To View dialog box, select a log file, and enter the required values for which you want to create a
diagnostic file.
5. Click Show Logs.
The required log file is displayed.
6. Click Actions > Generate Diagnostics.
The Generate Diagnostics dialog box is displayed and the diagnostic log file is generated.

Enable the debug mode in CloudLink Center


Only a Dell authorized support representative should perform this procedure. The authorized support representative uses the
debug mode when investigating support issues.

Steps
1. Log in to CloudLink Center.
2. Click Monitoring > Diagnostics.
3. Click View Logs.
4. In the Select Logs To View dialog box, select a log file, and enter the required values for which you want to enable the
debug mode.
5. Click Show Logs.
The required log file is displayed.
6. Click Actions > Enable Debug.
A challenge code and a key code are generated.
7. In the Enable Debug dialog box, enter the response in the Response box.
8. Click Enable.

View user sessions in CloudLink Center


Use this procedure to view information about the current session of each user. For users who are not currently logged in, you
can view information about their last session.

Steps
1. Log in to CloudLink Center.
2. Click Monitoring > Users Sessions.
The current user sessions are displayed.

End user sessions in CloudLink Center
Use this procedure to terminate a user session to immediately log out a user. The next time that the user performs a task in the
web browser, CloudLink Center displays its login screen.

Steps
1. Log in to CloudLink Center.
2. Click Monitoring > Users Sessions.
3. Select the check box next to the user whose user session you want to terminate.
4. Click Terminate.
5. In the Confirm User Session Termination dialog box, when prompted to confirm the termination request, click
Terminate.

View usage in CloudLink Center


Use this procedure to view usage statistics for machine instances, physical machines with SEDs, encrypted capacity, or KMIP
clients. There are no usage statistics for VMware ESXi socket licenses.

About this task


You can view a chart of machine instance, physical machines with SEDs, encrypted storage capacity, or KMIP clients and
summary information about registered instances, registered physical machines with SEDs, SED encrypted storage capacity, and
KMIP clients.

Steps
1. Log in to CloudLink Center.
2. Click Monitoring > Usage.
3. In the License Usage page, select instance usage, capacity usage, SED instance usage, or KMIP client license usage.
The following usage statistics information is displayed corresponding to the usage type you select:
● Last Usage Reset—The date and time that license usage statistics were reset. This statistic is provided for machine
instance, physical machines with SEDs, or encrypted storage capacity. For more information, see Scenarios for using
maximum usage of CloudLink licenses.
● Max Usage Since Last Reset—The maximum number of machine instances registered, physical machines with SEDs
registered, or encrypted capacity used since the last reset. This information might be useful if you are assessing your
peak license usage over a specific time.
● Current Usage—The number of machine instances registered, physical machines with SEDs registered, or encrypted
capacity used.
The vertical axis of the graph represents the number of instances or amount of encrypted capacity that is registered or
used. The horizontal axis represents dates.
The graph displays a horizontal blue or green line that shows the total assigned licenses. Hover over the blue line to view
information about that license.
The graph shows a blue or green line representing the number of registered machine instances, registered physical
machines with SEDs, or used encrypted capacity. The number of machine instances, physical machines with SEDs, or
encrypted capacity that can be registered with CloudLink Center on any given date equals the sum of the machine
instances, physical machines with SEDs, or encrypted capacity for all licenses valid on that date.

Reset license usage in CloudLink Center


Use this procedure to reset the value for the maximum number of registered machine instances, registered physical machines
with SEDs, or used encrypted capacity. For example, if you are monitoring the maximum number of machine instances
registered, physical machines with SEDs registered, or encrypted capacity used each month, reset the usage on the first day of
each month.

Steps
1. Log in to CloudLink Center.
2. Click Monitoring > Usage.
3. Select instance usage, capacity usage, SED instance usage, or KMIP client license usage from the list.
4. Click Reset Usage.
5. In the Confirm Usage Reset dialog box, when prompted to confirm the reset licenses usage request, click Reset.

16
Back up and restore CloudLink Center
System issues such as power interruptions or hardware failures may cause problems in CloudLink Center, such as data loss or
database corruption. If problems occur, it is important to have a backup of CloudLink Center so that you can deploy a new
server and restore CloudLink Center from the backup.
Topics:
• CloudLink Center backup
• Change the filename prefix for the backup file
• View CloudLink Center backup information
• Generate a backup key pair
• Change the backup store for automatic backups
• Change the schedule for automatic backups
• Generate a backup file manually
• Download the current backup file
• Restore CloudLink Center from a backup file
• Restore a CloudLink Center cluster
• Restore keystores from a backup file
• Best practices for restoring and backing up keys and files in CloudLink Center

CloudLink Center backup


This topic provides information about CloudLink Center Backup.
A backup file includes all critical information to get CloudLink Center up and running, including keystore configuration, user
accounts, machine registrations and policies, and events. You can create backup files manually or automatically. You can create
a backup store where CloudLink Center stores automatic backups.

NOTE: A backup file does not include CloudLink Center cluster information or licenses.

CloudLink backup key pairs and backup files


This topic provides information about the backup key pairs and backup files in CloudLink Center.
A backup is stored in a file that is encrypted using an AES-256 key that is protected by an RSA-2048 key pair.
You generate the RSA-2048 key pair. The public key is stored in CloudLink Center. Download and save the private key when the
key pair is generated. To restore CloudLink Center from a backup file, both the backup file and its private key must be available
to you.
The key pair is assigned a sixteen-digit ID. This ID is included in the filenames for the private key that is required to use the
backup and for the backup file. The filename for the private key uses the prefix cckey. The filename for the backup file uses the
prefix ccbackup, by default. For more information about changing the prefix for the filename for the backup file, see Change
the filename prefix for the backup file.
The following are example file names for a private key and a backup file that requires the private key:
● Private Key File Name—cckey-189a6361dc9772060730b654d9422b5f.pem
● Backup File Name—ccbackup-189a6361dc9772060730b654d9422b5f-2015-03-23_09-15-01.bak

Change the filename prefix for the backup file
Use this procedure to change the filename prefix for the backup file.

About this task


By default, the filename for the backup file uses the prefix ccbackup. You can change this prefix. For example, if you
have multiple CloudLink Centers, you can use a prefix that uniquely identifies their backups. Using a different prefix for each
CloudLink Center can help you to better identify the required backup if you must restore a CloudLink Center.

Steps
1. Log in to CloudLink Center.
2. Click System > Backup.
3. Click Actions > Change Backup File Prefix.
The Change Backup Prefix dialog box is displayed.
4. In the Change Backup File Prefix box, enter the prefix for the filename.
5. Click Change.

View CloudLink Center backup information


Use this procedure to view the CloudLink Center backup information.

Steps
1. Log in to CloudLink Center.
2. Click System > Backup.
The Backup page includes the following additional information if you use an FTP, SFTP, FTPS, or S3-compatible backup
store.
● Host—The remote FTP, SFTP, or FTPS host where the CloudLink Center backups are saved. You can set this value to
the host IP address or hostname (if DNS is configured). This field also lists the endpoint if an S3-compatible backup
store is used.
● Port—The port used to access the backup store.
● User—The user with permission to access the backup store.
● Directory—The directory in the backup store where backup files are available.

Generate a backup key pair


Use this procedure to generate a new backup key pair. For example, if the private key for the backup key pair is lost, you can
generate a new key pair. You cannot access your backup files without the associated private key. When you generate a new
key pair, CloudLink Center automatically generates a new backup file to ensure that the current backup can be opened with the
private key of the current key pair.

About this task


It is recommended that you follow these practices when you generate a new backup key pair, to ensure that you have
both a private key and a backup file that it can open:

Steps
1. Log in to CloudLink Center.
2. Click System > Backup.
3. Click Actions > Generate and Download New Key.
The backup key pair is generated and downloaded to your Downloads folder.

Change the backup store for automatic backups


Use this procedure to change the backup store for automatic backups.

About this task


CloudLink Center automatically generates a backup file. You can use local storage or configure a remote backup store where
CloudLink Center stores the backup file.
Regardless of whether you have configured a backup store, you can manually download the backup file. For more information,
see Download the current backup file.

Steps
1. Log in to CloudLink Center.
2. Click System > Backup.
3. Click Actions > Change Backup Store.
The Change Backup Store dialog box is displayed.
4. From the Store Type list, select a backup store, and enter the following information depending on the backup store you
selected:
● Host—The remote FTP, SFTP, or FTPS host where the CloudLink Center backups are saved. You can set this value to
the host IP address or hostname (if DNS is configured).
● Port—The port used to access the backup store
● User—The user with permission to access the backup store
● Password—The password used to access the backup store
● Directory—The directory in the backup store where backup files are available
● Access Key ID—The Access Key ID associated with your Amazon Web Services (AWS) account or S3-compatible
storage
● Access Key—The Secret Access Key that is associated with your AWS account or S3-compatible storage
● Bucket Name—The name of the bucket resource for the AWS or S3-compatible backup store
● Region—The region where your AWS bucket is located.
● EndPoint—The endpoint for an S3-compatible backup store
● URL Style—Either a virtual-hosted-style URL where the bucket name is a subdomain, or path-style URL where the
bucket name is appended to the domain name and is a part of URL path
● Certificate—You can upload a self-signed certificate for an S3-compatible backup store.
5. Click Change.

Next steps

NOTE: Click Test to test the backup store values.

Change the schedule for automatic backups


Use this procedure to change the schedule for generating automatic backups. CloudLink Center automatically generates a
backup file each day at midnight (UTC time).

Steps
1. Log in to CloudLink Center.
2. Click System > Backup.
3. Click Actions > Change Backup Schedule.
4. In the Change Backup Schedule dialog box, provide the following values:
a. From the Days list, select the days on which you want to automatically generate a backup file.
b. In the Hour, UTC list, select the hour at which you want to automatically generate a backup file.
5. Click Change.

Generate a backup file manually


Use this procedure to generate a backup manually if you want to preserve CloudLink Center before the next automatic backup.
When you generate a backup file manually, it is recommended that you download the backup file.

About this task


An alarm occurs under these conditions:
● A backup has never been created (either manually or automatically)
● A backup has not been generated (manually or automatically) in the last seven days
For example, this alarm may be triggered if CloudLink Center cannot write the automatically created backup file to disk. The
alarm may also be triggered if you are not using a backup store and have not manually downloaded the backup file in the last
seven days.

Steps
1. Log in to CloudLink Center.
2. Click System > Backup.
3. Click Generate New Backup.
A backup file is generated.
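The filename conventions from CloudLink backup key pairs and backup files and the seven-day backup alarm described above, combined in one added example that is not CloudLink's or Dell's code: it inventories a backup directory, pairs each backup with the private key that opens it, flags backups whose private key is absent, and reports whether the newest backup is older than the alarm threshold. The directory listing is constructed, reusing the guide's example key ID alongside an obviously placeholder ID for a regenerated key pair.

```python
"""Inventory CloudLink backup files against the private keys that open them.

Added example, not CloudLink's or Dell's code. It applies the filename
conventions the guide documents (cckey-<id>.pem for the private key,
<prefix>-<id>-<date>_<time>.bak for the backup, ccbackup being the
default prefix) and the guide's seven-day backup alarm rule.
"""
import re
from datetime import datetime, timedelta

KEY_RE = re.compile(r"^cckey-(?P<id>[0-9a-f]+)\.pem$")
BACKUP_RE = re.compile(
    r"^(?P<prefix>[A-Za-z0-9_]+)-(?P<id>[0-9a-f]+)-"
    r"(?P<stamp>\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2})\.bak$"
)
STAMP_FMT = "%Y-%m-%d_%H-%M-%S"
BACKUP_MAX_AGE = timedelta(days=7)  # alarm threshold stated in the guide


def parse_key_name(name):
    """Key pair ID embedded in a private key file name, or None."""
    m = KEY_RE.match(name)
    return m["id"] if m else None


def parse_backup_name(name):
    """(prefix, key pair ID, timestamp) for a backup file name, or None."""
    m = BACKUP_RE.match(name)
    if not m:
        return None
    return m["prefix"], m["id"], datetime.strptime(m["stamp"], STAMP_FMT)


def inventory(filenames, now, prefix="ccbackup"):
    """Classify the backups of one CloudLink Center, selected by its prefix.

    now may be a datetime or an ISO 8601 string. Returns a dict with:
      restorable: backups whose private key is present, newest first
      orphaned:   backups whose private key is absent (cannot be restored)
      stale:      True if no backup exists or the newest is over seven days old
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    key_ids = {kid for kid in map(parse_key_name, filenames) if kid}
    restorable, orphaned = [], []
    for name in filenames:
        parsed = parse_backup_name(name)
        if parsed is None or parsed[0] != prefix:
            continue
        _, kid, stamp = parsed
        (restorable if kid in key_ids else orphaned).append((stamp, name))
    restorable.sort(reverse=True)
    orphaned.sort(reverse=True)
    newest = max((stamp for stamp, _ in restorable + orphaned), default=None)
    return {
        "restorable": [name for _, name in restorable],
        "orphaned": [name for _, name in orphaned],
        "stale": newest is None or now - newest > BACKUP_MAX_AGE,
    }


# Constructed directory listing. OLD_ID and the first two names are the
# guide's own examples; NEW_ID is an obvious placeholder for a regenerated
# key pair whose private key was never saved.
OLD_ID = "189a6361dc9772060730b654d9422b5f"
NEW_ID = "00" * 16
SAMPLE_DIR = [
    f"cckey-{OLD_ID}.pem",
    f"ccbackup-{OLD_ID}-2015-03-23_09-15-01.bak",
    f"ccbackup-{NEW_ID}-2015-03-24_00-00-00.bak",  # no matching cckey file
    f"ccbackup-{OLD_ID}-2015-03-20_00-00-00.bak",
    f"dcbackup-{OLD_ID}-2015-03-24_00-00-00.bak",  # another Center's prefix
    "notes.txt",
]

if __name__ == "__main__":
    report = inventory(SAMPLE_DIR, now="2015-03-25T12:00:00")
    print("restorable:", report["restorable"])
    print("orphaned:  ", report["orphaned"])
    print("backup alarm condition met:", report["stale"])
```

An orphaned entry means the key pair was regenerated without saving the private key, which is exactly the situation the guide says makes a backup unreadable.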

Download the current backup file


Use this procedure to download the current backup file at any time.

Prerequisites
You must have access to the last backup file that CloudLink Center generated automatically or you must manually generate a
backup file.

About this task
The current backup file is either:
● The last backup file that CloudLink Center automatically created
● The last backup file that you manually generated after the last automatic backup
When you download the current backup file, CloudLink Center displays the age of the backup file. For example, the message
might indicate that the current backup was generated 14 hours and 23 minutes ago. CloudLink Center also displays the identifier
of the private key needed to access the backup file.
The backup file is saved to your Downloads folder (for example, C:\Users\Administrator\Downloads). For information
about backup file names, see CloudLink backup key pairs and backup files.
After downloading the file, it is recommended that you move it to a location that is different from the CloudLink Center server,
so that if CloudLink Center fails you can still access the backup file and its private key.

Steps
1. Log in to CloudLink Center.
2. Click System > Backup.
3. Click Actions > Download Backup.
4. In the Download Current Backup dialog box, click Download.

Restore CloudLink Center from a backup file


Use this procedure to restore CloudLink Center from a backup file.

Prerequisites
● You must be a secadmin user to restore CloudLink Center from a backup file.
● You need a CloudLink license. Licenses are not included in backups. You must upload a license when restoring from the
backup.
● Backup file representing CloudLink Center at the time you want to restore
● Private key for that backup file
● Passcodes for unlocking CloudLink Vault
● If using an external keystore, access to the keystore that contains the keys used at the time the backup file was generated

About this task


If problems occur with CloudLink Center, you can deploy a new server and restore CloudLink Center from the backup file.

Steps
1. Deploy a new CloudLink Center server. For more information, see the Dell EMC CloudLink Deployment Guide.
2. In the Initial Configuration dialog box, select Restore from Backup from the Deployment Type list, and then click Next.
3. Select the backup file that you want to restore from and its backup key, and click Restore.
4. If the CloudLink Center server deployed in Step 1 has a different IP address than the original server, for each machine that
was under the control of the previous CloudLink Center, configure the server address of the new CloudLink Center.

Restore a CloudLink Center cluster


Do not restore a CloudLink Center server in a cluster from a backup file. It is not restored as part of the cluster. It is restored as
a standalone CloudLink Center.
CloudLink Center backups do not contain CloudLink Center cluster information. To restore a CloudLink Center that was part
of a cluster, you must delete the CloudLink Center you want to restore from the cluster. For more information, see Remove
a CloudLink Center cluster server. Next, deploy a new CloudLink Center and join it to the cluster. For more information, see
Associate a server to a CloudLink Center cluster.

120 Back up and restore CloudLink Center


Restore keystores from a backup file
If you delete a keystore and later determine that it contained keys required to access encrypted volumes, you might be able to
restore the keystore from a backup.

Prerequisites
NOTE: The Restore Keystore feature is unavailable in the CloudLink Center version 7.1.3. However, you can restore the
complete CloudLink Center information by using a backup file. For information about restoring, see Restore CloudLink
Center from a backup file.
● You must be a secadmin user
● Backup file that contains the keystore before it was deleted
● Private key for that backup file
● If manual unlock was used for CloudLink Vault when the backup was created, passcodes for unlocking CloudLink Vault at
that time

Steps
1. Log in to CloudLink Center.
2. Click System > Backup.
3. Click Actions > Restore Keystores.
4. In the Restore Keystores dialog box, do the following:

a. In the Key box, click to select your private key.

b. In the Backup box, click to select your backup file.


c. In the Unlock Passcode box, type the passcode for CloudLink Vault.

Next steps
When you restore keystores from a backup file, all keystores included in the backup are restored. On the Keystores page,
CloudLink Center lists both existing and restored keystores. The names of restored keystores begin with the prefix restored.
You can show the keys for each restored keystore to find the ones that are missing. You can then move all keys from a restored
keystore to the keystore for the appropriate machine group.
It is recommended that you delete restored keystores after obtaining the keys from a restored keystore.



Best practices for restoring and backing up keys and
files in CloudLink Center
This topic provides the best practices for restoring and backing up keys and files in CloudLink Center.

Keep the following information in mind when working with backup keys and files.
● During initial server configuration, you downloaded the private key for the RSA-2048 key pair. Ensure that you create a
backup of this key.
● After you have completed configuration following deployment (such as assigning licenses, creating user accounts, and
setting machine boot policy), create a backup.
● Ensure that you store the private key and backup files in separate, secure locations that are different from CloudLink Center.
To restore CloudLink Center from a backup file, both the backup file and its private key must be available to you.
● If you need to regenerate the private key (for example, the original key was lost), generate both the private key and a
backup file. Previous backup files are not accessible using the new private key.
● A backup includes the CloudLink Vault, Microsoft Azure Key Vault, and SafeNet LunaSA keystores. If you are using a
different keystore type, you must back up your encryption keys. For information, see Manage encryption keystores and keys
in CloudLink Center.
● If you are using RSA SecurID for two-factor authentication, you must clear the shared node secret after restoring a keystore
and before the first authentication attempt. For more information, see Clear an RSA node shared secret.
● A CloudLink Center cluster server that is restored from backup is not restored as part of a cluster. It is restored as a
stand-alone server. Cluster configuration is not part of the backup file. You must delete the server from the cluster and
redeploy it as a new CloudLink Center server, then associate it to the cluster.



17
Create and manage CloudLink Center cluster
This chapter provides information about creating and managing a CloudLink Center cluster.
A CloudLink Center cluster provides high availability if one CloudLink Center server in the cluster becomes unavailable. For
example, a server may become unavailable unexpectedly due to a connection issue. A server may also become unavailable during
periods of planned maintenance, when a server is taken offline.
A CloudLink Center cluster consists of up to four CloudLink Center servers, each of which is active at all times. There is no
primary server. Agents can be actively connected to any server in the cluster.
CloudLink Center replicates configuration information between all servers in a cluster. This replication means that all servers
contain the same critical configuration information: CloudLink licenses, volume encryption policy, user accounts, manual
passcodes for unlocking CloudLink Vault, actions, alarms, and security events.

A CloudLink Center cluster only replicates CloudLink Center server data. Data from external resources, such as key locations,
key protectors, and key management servers, are not replicated.
You can remove a server from a CloudLink Center cluster at any time. See Remove a CloudLink Center cluster server for more
information.
For information about upgrading a CloudLink Center cluster, see the Dell EMC CloudLink Upgrade Guide.
Topics:
• Create a CloudLink Center cluster
• Associate a server to a CloudLink Center cluster
• Upload a third-party signed certificate to communicate among cluster nodes



• Administer a cluster
• Guidelines for working with CloudLink Center clusters
• View CloudLink Center cluster servers
• Change a CloudLink Center cluster server name or address
• Remove a CloudLink Center cluster server

Create a CloudLink Center cluster


Use this procedure to create a CloudLink Center cluster.

Prerequisites
A CloudLink Center server that acts as the initial server in the cluster must be deployed and configured.

Steps
1. Deploy and configure one or more CloudLink Center servers.
Each server must be deployed as a clean installation of CloudLink Center. For more information about deploying and
configuring CloudLink Center servers, see the Dell EMC CloudLink Deployment Guide.
2. Associate each additional server to the existing server using the Initial Configuration wizard. For more information, see
Associate a server to a CloudLink Center cluster.

CloudLink Center server addresses in CloudLink clusters


This topic provides information about the CloudLink Center server addresses in CloudLink clusters.
In a CloudLink Center cluster, servers and CloudLink Agents use the CloudLink Center server address for communication. You
can specify this server address as a static IP address or a hostname in fully qualified domain name (FQDN) format, such as
clc.example.com.
Specify the server address in the format you prefer before creating the cluster. You can use static IPv4 addresses, static IPv6
addresses, and FQDNs to create a CloudLink Center cluster. You cannot change the format after creating the cluster. For more
information about prerequisites for server addresses in clusters, see the Dell EMC CloudLink Deployment Guide.

Associate a server to a CloudLink Center cluster


Use this procedure to associate a server to a CloudLink Center cluster. You associate servers to the existing server to create a
CloudLink Center cluster.

Prerequisites
● Deployed and configured CloudLink Center server
● Server address for the CloudLink Center server that is the initial server. If you have configured a DNS server first, use the
hostname.
● For the initial server, CloudLink Center login credentials (username and password) for a user with Join To Cluster
permissions.
● Public server address for the new server, referred to as the Cluster Server Name or Address.

About this task


To create a CloudLink Center cluster, you associate servers to the existing server, one server at a time.
While a server is being associated, it uses the same CloudLink Vault mode (automatic or manual) as the existing
server. You can change the CloudLink Vault mode for a new server after the association is complete. For more information, see
Domain Name System servers in CloudLink.

NOTE: Passcodes for unlocking CloudLink Vault operating in manual mode are global across the cluster.



Steps
1. On the Initial Configuration wizard, select Add as a Cluster Member from the Deployment Type list.
2. Click Next.
3. In the Server Name or IP Address box, enter the DNS name or IP address that is used to connect to this server.
4. Click Next.
5. Enter the following information:
● In the Server box, enter the IP address for the existing server.
● In the User Name and Password boxes, type the login credentials for a user that has the Join to Cluster permission.
6. Click Join Cluster.
After associating the server to the cluster, verify the status of both servers. For information, see View CloudLink Center
cluster servers.

Upload a third-party signed certificate to communicate among cluster nodes

To enhance the security between nodes in a cluster, you can upload a third-party signed certificate. The certificate you upload is
used for inter-node communication.

Steps
1. Log in to CloudLink Center.
2. Click System > Cluster.
3. In the UPLOAD CLUSTER CA CERTIFICATE dialog box, enter or select the following information:
a. From the CSR Generated By drop-down menu, select the third-party certificate format. Currently, PEM and PKCS12
are supported.

b. In the Certificate box, click to select and upload the certificate file.

c. In the Key box, click to select and upload the key file.
To view the summary of files you uploaded, click Preview.
4. Click Upload. The CA-signed certificate file is uploaded to the cluster.

Administer a cluster
When accessing CloudLink Center to perform administration tasks, you can use any server in the cluster. The web application
shows the server that the agent is connected to, but operations can be initiated from any server.

Guidelines for working with CloudLink Center clusters


This topic provides the guidelines for working with CloudLink Center clusters.
When working with CloudLink Center clusters, keep the following in mind:
● Each server in a cluster has its own CloudLink Vault. For a CloudLink Vault in automatic mode, unlocking the CloudLink Vault
unlocks it only for the current server. CloudLink Vault for other servers in the cluster remains locked.
● If you want to use a keystore other than CloudLink Vault, for all servers in the cluster, configure DNS as described in Domain
Name System servers in CloudLink.
● For user accounts, configure the Microsoft Windows domain as described in Domain Name System servers in CloudLink.
● If a CloudLink Agent is disconnected from a cluster when waiting for a pending key release, it reconnects to a cluster server
if it is accepted.
● If you use a vSphere key management server (KMS), separately join each CloudLink Center in the cluster to the KMS.



View CloudLink Center cluster servers
Use this procedure to view the servers belonging to a CloudLink Center cluster. The Cluster Server Name or Address
identifies the server on which you are using CloudLink Center.

Steps
1. Log in to CloudLink Center.
2. Click System > Cluster.
The following information is displayed:
● Host—The common name of the server
● Server Name/Address—The hostname or IP address of the server
● Incoming Sync State—See "Outgoing Sync State" for sync state values
● Outgoing Sync State—Indicates whether information is being replicated across cluster servers. Following are the sync
states:
○ Initializing—Status check initialization; shown after a restart or during the join process while synchronization is being
established.
○ Ok—The server has recorded a heartbeat within the last 15 minutes.
○ Error—Database synchronization error.
○ Off—Synchronization is not working at all, most likely because of a network connectivity problem.
○ Time_Difference—The time difference between two nodes is more than one minute.
● Awaiting Outgoing Monitoring Batches—The number of monitoring batches waiting to be sent to the selected
cluster server.
● Awaiting Outgoing Config Batches—The number of configuration batches waiting to be sent to the selected cluster
server.
● Awaiting Outgoing Heartbeat Batches—The number of heartbeat batches waiting to be sent to the selected cluster
server.

Change a CloudLink Center cluster server name or address

Use this procedure to change a cluster server name or address after it is associated to a cluster.

Steps
1. Log in to CloudLink Center.
2. Click System > Cluster.
3. Select the check box next to the cluster server whose server name or address you want to change.
4. Click Change Server Name/Address.
The Change Server Name/Address dialog box is displayed.
5. In the Server Name/Address, enter the cluster server name or address.
6. Click Change.

Remove a CloudLink Center cluster server


Use this procedure to remove a server from a CloudLink Center cluster.

Prerequisites
Before removing a server, power off the server.

Steps
1. Log in to CloudLink Center.
2. Click System > Cluster.



3. Select the check box next to the cluster server you want to remove.
4. Click Delete.
5. In the Confirm Cluster Member Deletion dialog box, when prompted to confirm the delete request, click Delete.



18
Manage CloudLink Vault
This chapter provides information about CloudLink Vault and managing it.
CloudLink Center includes an encrypted container, referred to as the CloudLink Vault that encrypts and protects:
● Credentials used to access remote resources
For example, CloudLink Vault stores credentials that are required to access the Microsoft Windows domain, FTP or SFTP
servers, and external keystores.
● Device or volume key encryption key (VKEK), if CloudLink Vault is used as the keystore.
For more information about using CloudLink Vault as the keystore, see CloudLink encryption key location and protector
options.

When a CloudLink Center server restarts, it must unlock CloudLink Vault before CloudLink Center can authorize machine
operations, ensuring that a stolen copy of CloudLink Vault or the disk on which it is stored does not contain any unprotected
secrets or encryption keys.
CloudLink Vault was configured during initial server setup. For more information, see Dell EMC CloudLink Deployment Guide. You
can view and change the configuration at any time to:
● Change the mode for opening the CloudLink Vault (automatic or manual).
● Change passcodes used to unlock the CloudLink Vault in manual mode.
For information about CloudLink Vault and CloudLink Center clusters, see Create and manage CloudLink Center cluster.
Topics:
• View the CloudLink Vault settings
• Change the CloudLink Vault mode
• Set the CloudLink Vault Passcodes
• Unlock the CloudLink Vault
• Guidelines for working with CloudLink Vaults

View the CloudLink Vault settings


Use this procedure to view the CloudLink Vault settings.

Steps
1. Log in to CloudLink Center.
2. Click System > Vault.
The following information is displayed:
● State—Identifies whether the CloudLink Vault is locked or unlocked. When locked, CloudLink Center displays a Manual
lock on the home page.
● Unlock Mode—Indicates whether the CloudLink Vault is set to automatic or manual mode.

Change the CloudLink Vault mode


Use this procedure to change the CloudLink Vault mode.

About this task


Two modes are available for unlocking the CloudLink Vault when CloudLink Center starts: automatic and manual.



Steps
1. Log in to CloudLink Center.
2. Click System > Vault.
3. Click Actions > Change Mode.
4. In the Confirm Mode Unlock Change dialog box, when prompted to confirm the unlock mode change request, click
Change.

Set the CloudLink Vault Passcodes


Use this procedure to set the CloudLink Vault passcodes.

About this task


In manual mode, when CloudLink Center starts, an administrator must provide a passcode to unlock the CloudLink Vault.
One to three passcodes were defined during the initial server configuration. You can change passcodes at any time.

Steps
1. Log in to CloudLink Center.
2. Click System > Vault.
3. Click Actions > Set Passcodes.
4. In the Set Passcodes dialog box, type the passcodes (one to three), retype each to confirm it, and then click Set
Passcodes.

Unlock the CloudLink Vault


Use this procedure to unlock the CloudLink Vault.

About this task


If CloudLink Center cannot unlock the CloudLink Vault on startup, CloudLink Center triggers an alarm. You must manually unlock
the CloudLink Vault by providing a CloudLink Vault passcode. For more information, see Set the CloudLink Vault passcodes.

Steps
1. Log in to CloudLink Center.
2. Click System > Vault.
3. Click Unlock.



Guidelines for working with CloudLink Vaults
This topic provides information about the guidelines for working with CloudLink Vaults.
● When you restore a stand-alone CloudLink Center from a CloudLink backup file (see Restore CloudLink Center from a
backup file), and the CloudLink Vault is configured in Manual Unlock mode, you must use one of the defined passcodes to
unlock the CloudLink Vault.
● When you restore a stand-alone CloudLink Center from a CloudLink backup file (see Restore CloudLink Center from a
backup file), and the CloudLink Vault is configured in Auto Unlock mode, the vault is automatically unlocked.
● When you restore a stand-alone CloudLink Center from a VMware backup or a clone, you must use one of the defined
passcodes to unlock the CloudLink Vault, in either Manual or Auto Unlock mode.
● When you upgrade to a new version of CloudLink, CloudLink Vault must be set to Auto Unlock mode. If CloudLink Vault is set
to Manual Unlock mode before the upgrade, it remains in Manual Unlock mode after the upgrade and the vault is locked. For
more information, see the Dell EMC CloudLink Upgrade Guide.



19
Assign Microsoft Windows User Account for
CloudLink Center User Roles
This topic provides information about assigning Microsoft Windows user accounts to CloudLink Center user roles and
configuring them.
Rather than creating users for your CloudLink needs, you can use existing user accounts in the Microsoft Windows domain of
your organization and assign those accounts the appropriate CloudLink Center roles.
Before you can add Domain accounts, you must configure a Microsoft Windows domain. For information, see CloudLink Center
user types.
After joining the domain, domain users can log in to CloudLink Center using their Windows credentials.
Topics:
• View Microsoft Windows domain configuration
• Configure Microsoft Windows domain
• Modify Microsoft Windows domain
• Leave Microsoft Windows domain

View Microsoft Windows domain configuration


Use this procedure to view the Microsoft Windows domain configuration.

Steps
1. Log in to CloudLink Center.
2. Click System > Windows Domain.
The following information is displayed:
● Host Name—The Windows domain controller hostname
● Address—The domain controller host address
● Global Catalog Port Status
○ Accessible—CloudLink Center can reach the Global Catalog port.
○ Inaccessible—The Global Catalog port cannot be reached. While the Global Catalog port is inaccessible, all domain
login attempts fail.
● LDAP Port Status
○ Accessible—CloudLink Center can reach the LDAP port.
○ Inaccessible—The LDAP port cannot be reached. While the LDAP port is inaccessible, all domain login attempts fail.

Configure Microsoft Windows domain


The following procedure explains how to configure Microsoft Windows domain.

Prerequisites
Ensure that the following prerequisites are met before associating CloudLink Center to a Microsoft Windows domain:
● Configure a Microsoft Windows domain. For more information, see CloudLink Center user types.
● Verify that CloudLink Center has a DNS server configured. For more information, see Configure CloudLink Center DNS
properties.
● On the DNS server, create a reverse lookup zone for the Microsoft Windows domain controller subnet.
● On the DNS reverse lookup zone, configure a pointer to the Microsoft Windows domain controller.

About this task
CloudLink Center dynamically locates the Microsoft Windows domain controller. When specifying the Windows domain
parameters, omit the Primary Host and Secondary Host values.
The username and the password that is provided are used to:
● Associate this server to an Active Directory domain and associate any future servers added to a CloudLink Center cluster.
● Validate the domain group membership of a domain user and determine the roles of the users.
NOTE: Ensure that the username and password that is used to associate the Windows domain is a dedicated user whose
password does not expire, because these credentials are saved and used.

Steps
1. Log in to CloudLink Center.
2. Click System > Windows Domain.
3. Click Configure.
4. In the Configure Windows Domain dialog box, enter the following information:
● Domain—The domain name configured on the Microsoft Windows domain host
For example: example.com
● Protocol—Select one of the following protocols:
○ LDAP using SASL or GSSAPI
○ LDAP over SSL
○ LDAP over TLS or StartTLS
If you choose LDAP over SSL, you cannot create a system account and you must upload a certificate.
● Create Computer Account—If you choose to create a system account, CloudLink creates the system account and its
principal in the Active Directory (AD) and Key Distribution Center (KDC) of the domain. This option is required only for
Integrated Windows Authentication (IWA).
If you choose not to create a system account, no changes are made in AD. All domain user and domain group features
(except IWA) work without creating a system account.
● Port Priority—Select Global Catalog or LDAP
● Allow Port Fallback—Select yes or no
● Primary Host—The Microsoft Windows domain controller hostname, which is a Windows server where the Microsoft
Windows domain is configured.
For example: clc.example.com
● Secondary Host—The Microsoft Windows domain hostname available for redundancy
● User—A user in a Microsoft Windows domain who has permission to add a server to the Microsoft Windows domain.
● Password—The password configured for the user
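An added preflight check (example code, not Dell's) for the prerequisites above: it confirms that the domain controller resolves through DNS, has a matching PTR record, and that the LDAP and Global Catalog ports are reachable, reporting them with the same Accessible/Inaccessible wording the Windows Domain page uses. The port numbers are the Active Directory defaults, an assumption because the guide does not list the ports CloudLink Center uses; the lookup and connect functions are injectable so the logic can be exercised offline with constructed hostnames.

```python
import socket

# Standard Active Directory ports (assumption: the guide does not list the
# ports CloudLink Center uses; these are the AD defaults).
PORTS = {"ldap": 389, "ldaps": 636, "gc": 3268, "gc_ssl": 3269}


def _forward(host):
    """A-record lookup through the system resolver; None if it fails."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


def _reverse(ip):
    """PTR lookup; None if no reverse record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def _tcp_reachable(ip, port, timeout=3.0):
    """True when a TCP connection to ip:port succeeds within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_domain_controller(dc_host, protocol="LDAP using SASL or GSSAPI",
                            forward=_forward, reverse=_reverse,
                            reachable=_tcp_reachable):
    """Check the prerequisites for one domain controller and return a report
    using the Accessible/Inaccessible wording of the Windows Domain page."""
    report = {"host": dc_host, "address": None, "ptr": None,
              "ldap_port": "Inaccessible", "gc_port": "Inaccessible",
              "ok": False, "problems": []}
    ip = forward(dc_host)
    if ip is None:
        report["problems"].append(
            "forward lookup failed: check the DNS server configured on CloudLink Center")
        return report
    report["address"] = ip
    # The reverse lookup zone must hold a pointer back to the controller name.
    ptr = reverse(ip)
    report["ptr"] = ptr
    if ptr is None or ptr.rstrip(".").lower() != dc_host.rstrip(".").lower():
        report["problems"].append(
            "no matching PTR record: create the reverse lookup zone and pointer for the domain controller")
    # LDAP over SSL uses the SSL ports; SASL/GSSAPI and StartTLS use the plain ports.
    ssl = protocol == "LDAP over SSL"
    ldap_port = PORTS["ldaps"] if ssl else PORTS["ldap"]
    gc_port = PORTS["gc_ssl"] if ssl else PORTS["gc"]
    if reachable(ip, ldap_port):
        report["ldap_port"] = "Accessible"
    else:
        report["problems"].append(
            "LDAP port %d unreachable: all domain logins would fail" % ldap_port)
    if reachable(ip, gc_port):
        report["gc_port"] = "Accessible"
    else:
        report["problems"].append(
            "Global Catalog port %d unreachable: all domain logins would fail" % gc_port)
    report["ok"] = not report["problems"]
    return report
```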

Modify Microsoft Windows domain


Use this procedure to modify Microsoft Windows domain.

Steps
1. Log in to CloudLink Center.
2. Click System > Windows Domain.
3. Select the check box next to the Windows Domain you want to modify.
4. Click Modify.
5. In the Modify Domain Configuration dialog box, change the required values.
6. Click Modify.

Leave Microsoft Windows domain
Use this procedure to leave the Microsoft Windows domain.

Steps
1. Log in to CloudLink Center.
2. Click System > Windows Domain.
3. Select the check box next to the Windows Domain you want to leave.
4. Click Leave.
5. In the Confirm Domain Leaving dialog box, when prompted to confirm the request, click Leave.

20
RSA Authentication Manager
For increased security, you may require a user to log in using RSA SecurID two-factor authentication, where the user provides a
passcode, in addition to CloudLink Center credentials. For more information, see 2-Factor Authentication (2FA) in CloudLink.
Before you can set up users for this type of 2FA, you must configure RSA Authentication Manager.
Topics:
• Upload an RSA Authentication Manager configuration file
• Delete an RSA Authentication Manager configuration file
• Clear the shared node secret

Upload an RSA Authentication Manager configuration file

Use this procedure to upload an RSA Authentication Manager configuration file to CloudLink Center, before you configure users
for 2FA using RSA SecurID.

Prerequisites
The configuration file generated from RSA Security Console, available in a location where it is accessible for uploading to
CloudLink Center.

About this task


You generate the configuration file (REC) using RSA Security Console, which puts the file in a compressed file (ZIP). You
download the ZIP file and extract the REC file from it. For more information, see the RSA Security Console documentation.
You can replace the current configuration file with a new file. Ensure that you clear the shared node secret using RSA Security
Console. For more information, see Clear the shared node secret.

Steps
1. Log in to CloudLink Center.
2. Click System > RSA Authentication Manager.
3. Click Upload Configuration.

4. In the Upload RSA Authentication Manager Configuration dialog box, click to select the configuration file, and
then click Upload.

Delete an RSA Authentication Manager configuration file

If you no longer require two-factor authentication using RSA SecurID, you can delete its configuration file.

About this task


If any users are set up to use RSA SecurID two-factor authentication, CloudLink Center displays a message and does not delete
the configuration.
Ensure that you clear the shared node secret using RSA Security Console. For more information, see Clear the shared node
secret.



Steps
1. Log in to CloudLink Center.
2. Click System > RSA Authentication Manager.
3. Select the check box next to the RSA Authentication Manager configuration file you want to delete.
4. Click Delete Configuration.
5. In the Confirm RSA Authentication Manager Deletion dialog box, when prompted to confirm the delete request, click
Delete.

Clear the shared node secret


This topic provides information about clearing the shared node secret in CloudLink Center.
RSA Authentication Manager requires a unique node secret for each Authentication Agent. RSA Authentication Manager
automatically creates the node secret it shares with CloudLink Center (an Authentication Agent) during its first successful
authentication.
If you delete or replace the configuration file (REC), the secret is deleted in CloudLink Center. CloudLink Center cannot present
this node secret when requesting authentication, and RSA Authentication Manager does not perform the authentication.
You must clear this shared node secret in RSA Security Console so that a new shared secret can be generated. For more
information, see the RSA documentation.



21
Manage CloudLink SysLog data
This chapter provides information about syslog data: viewing the syslog configuration, changing the syslog server configuration,
and changing the syslog message format.
The actions, events, and security events visible in CloudLink Center can be automatically exported to a syslog server. It is
recommended that you configure CloudLink to forward this information to a centralized log server or SIEM through syslog. All
existing and new information is forwarded through syslog.
Topics:
• View syslog configuration
• Change syslog server configuration
• Change syslog message format

View syslog configuration


Use this procedure to view the Syslog status and configuration.

Steps
1. Log in to CloudLink Center.
2. Click Server > Syslog.
The following information is displayed:
● Status—Following are the available statuses:
○ Postponed—Logs are not sent out until the syslog status is explicitly set to Resume.
○ Active—Messages are sent to the configured syslog server until the Postpone command is selected.
● Host—The host where system logs are sent.
● Facility—The facility to which the syslog messages are logged.

Change syslog server configuration


The following procedure explains how to change the syslog server configuration.

About this task


If your organization requires the long-term retention of system events, it is recommended that you configure CloudLink to
forward its events to a centralized log server or SIEM using syslog. By default, CloudLink Center writes events to syslog using
the common event format (CEF).
You can configure a syslog logger to direct all system log messages to the configured remote host. For information about
network ports required, see the Dell EMC CloudLink Deployment Guide.

Steps
1. Log in to CloudLink Center.
2. Click Server > Syslog > Change Configuration.
3. In the Change Syslog Server Configuration dialog box, enter the following information:
a. In the Host box, enter the IP address of the host to store the system logs.
b. In the Port box, enter a port number to gather log messages.
c. From the Facility list, select a facility to log the syslog messages.
d. From the Protocol list, select one of the following protocols:
● UDP
● TCP



● Secure TCP (TLS 1.2)
e. If you select Secure TCP (TLS 1.2) protocol, do the following:

i. In the Server Certificate box, click to select the server certificate.


ii. In the Certificate Format list, select PEM certificate, or a password-protected PKCS12 (RC2) certificate.
iii. (Optional) In the PKCS12 Password box, enter a password for the PKCS12 (RC2) certificate.
iv. In the Confirm PKCS12 Password box, confirm the password for the PKCS12 (RC2) certificate.
4. Click Change.

Change syslog message format


Use this procedure to change the syslog message format.

Steps
1. Log in to CloudLink Center.
2. Click Server > Syslog > Change Syslog Format.
The Change Syslog Message Format dialog box is displayed.
3. From the Syslog Format list, select one of the following message formats:
● CEF (default)—The Common Event Format (CEF) uses the CEF:0|Device Vendor|Device Product|Device Version|
Signature ID|Name|Severity|Extension message format.
● LEEF1—The Log Event Extended Format (LEEF) version 1.0 uses the LEEF:1.0|Vendor|Product|Version|EventID|
Extension message format.
● LEEF2—LEEF version 2.0 uses the LEEF:2.0|Vendor|Product|Version|EventID|^|Extension message format.
● Custom—The custom format is defined by an input string and variables.
4. Click Change.
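As an added example (not Dell code or documentation), the following Python parses the CEF, LEEF 1.0 and LEEF 2.0 formats listed above into one structure and applies the severity pre-filter a SIEM rule typically needs; the Custom format is not covered. The sample lines, vendor, product, event IDs and extension keys are constructed for illustration and are not real CloudLink Center output.

```python
import re

# Header fields, in the order given by the format strings in the guide.
_CEF_HEADER = ["device_vendor", "device_product", "device_version",
               "signature_id", "name", "severity"]
_LEEF_HEADER = ["vendor", "product", "version", "event_id"]
_BODY_START = re.compile(r"(CEF:0|LEEF:1\.0|LEEF:2\.0)\|")
_CEF_KEY = re.compile(r"(?:^|\s)([\w.\-]+)=")  # key preceded by start or space
_CEF_WORD_SEVERITY = {"low": 0, "medium": 4, "high": 7, "very-high": 9}

# Constructed sample lines (not real CloudLink Center output). The third one
# uses ^ as the LEEF 2.0 extension delimiter, as in the format string above.
SAMPLE_LINES = [
    "<14>Mar  1 10:00:00 clc-example CEF:0|ExampleVendor|ExampleProduct|1.0|"
    "USER_LOGIN|User login|3|suser=secadmin src=10.0.0.5 msg=Login OK",
    "<14>Mar  1 10:00:01 clc-example LEEF:1.0|ExampleVendor|ExampleProduct|1.0|"
    "VAULT_UNLOCK|usrName=secadmin\tsrc=10.0.0.5\tsev=5",
    "<14>Mar  1 10:00:02 clc-example LEEF:2.0|ExampleVendor|ExampleProduct|1.0|"
    "KEY_RELEASE|^|usrName=secadmin^src=10.0.0.5^sev=8",
]

def _unescape(value):
    """Resolve backslash escapes in extension values (\\= \\\\ \\n \\r)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def _split_header(text, count):
    """Take `count` pipe-delimited header fields (honouring \\| and \\\\ escapes); return them and the rest."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < count:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in "|\\":
            cur.append(text[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < count:
        raise ValueError("truncated header: %r" % text)
    return fields, text[i:]

def _parse_cef_extension(ext):
    """CEF extension: space-separated key=value pairs whose values may contain
    spaces, so each value runs up to the next key."""
    keys = list(_CEF_KEY.finditer(ext))
    out = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end])
    return out

def _parse_leef_extension(ext, delim):
    """LEEF extension: key=value pairs separated by one delimiter character."""
    out = {}
    for token in ext.split(delim):
        key, sep, value = token.partition("=")
        if sep:
            out[key.strip()] = value
    return out

def parse_syslog_line(line):
    """Parse one syslog line; the PRI/timestamp/host prefix is ignored."""
    m = _BODY_START.search(line)
    if m is None:
        raise ValueError("no CEF/LEEF body found")
    fmt, rest = m.group(1), line[m.end():]
    if fmt == "CEF:0":
        header, ext = _split_header(rest, len(_CEF_HEADER))
        event = dict(zip(_CEF_HEADER, header))
        event["extension"] = _parse_cef_extension(ext)
    elif fmt == "LEEF:1.0":
        header, ext = _split_header(rest, len(_LEEF_HEADER))
        event = dict(zip(_LEEF_HEADER, header))
        event["extension"] = _parse_leef_extension(ext, "\t")
    else:  # LEEF 2.0 carries an extra header field naming the delimiter
        header, ext = _split_header(rest, len(_LEEF_HEADER) + 1)
        event = dict(zip(_LEEF_HEADER, header[:-1]))
        delim = header[-1] or "\t"  # empty delimiter field means tab
        event["extension"] = _parse_leef_extension(ext, delim)
    event["format"] = fmt
    return event

def severity_of(event):
    """CEF: header severity, 0-10 or Low/Medium/High/Very-High (lower bound
    used). LEEF: the conventional `sev` extension key. -1 when absent."""
    raw = event.get("severity") if event["format"] == "CEF:0" else event["extension"].get("sev")
    if raw is None:
        return -1
    raw = raw.strip()
    return int(raw) if raw.isdigit() else _CEF_WORD_SEVERITY.get(raw.lower(), -1)

def high_severity_events(lines, threshold=7):
    """Events at or above `threshold`: a SIEM-side pre-filter for alerting."""
    return [e for e in map(parse_syslog_line, lines) if severity_of(e) >= threshold]
```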



22
Manage CloudLink Center network settings
This chapter provides information about managing network settings in CloudLink Center.
You can change the CloudLink Center hostname, and enable or disable SSH access to CloudLink Center.
If CloudLink Center is deployed on Microsoft Azure or Amazon Web Services and you are blocked from the CloudLink Center
console, you cannot re-enable SSH access.
Topics:
• Change CloudLink Center hostname configuration settings
• Change CloudLink Center SSH configuration settings

Change CloudLink Center hostname configuration settings

Use this procedure to change the CloudLink Center server hostname.

About this task


You are locked out of the CloudLink Center server if:
● You disable SSH access.
● You are blocked from the CloudLink Center server console.

Steps
1. Log in to CloudLink Center.
2. Click Server > Network.
3. Select the check box next to the interface whose hostname you want to change.
4. Click Change Hostname.
The Change Hostname dialog box is displayed.
5. In the Hostname box, enter a hostname, and then click Change.

Change CloudLink Center SSH configuration settings


Use this procedure to enable or disable SSH access to the CloudLink Center server.

Steps
1. Log in to CloudLink Center.
2. Click Server > Network.
3. Select the check box next to the interface whose SSH access you want to enable or disable.
4. Click Change SSH.
The Change SSH dialog box is displayed.
5. From the SSH list, select either enabled or disabled, and then click Change.



23
Configure CloudLink Center DNS properties
This chapter provides information about configuring DNS properties in CloudLink Center.
Topics:
• DNS servers in CloudLink Center
• Add DNS for accessing CloudLink Center
• Set DNS server as the primary server for CloudLink Center
• PING a DNS server to test connection
• Delete a DNS associated with CloudLink Center

DNS servers in CloudLink Center


This topic provides information about the Domain Name System (DNS) servers in CloudLink Center.
You can configure CloudLink Center to resolve hostnames using a DNS server.
Configure CloudLink with a DNS server if you want to use hostnames or domain names for other servers that CloudLink
interacts with, such as:
● Resolving Network Time Protocol (NTP) server hostnames. For more information, see Manage NTP servers associated with
CloudLink Center.
● Creating a CloudLink Center cluster and use hostnames for servers in the cluster. For more information, see Create a
CloudLink Center cluster.

Add DNS for accessing CloudLink Center


Use this procedure to add a DNS server. You can add a maximum of three DNS servers if you are not using DHCP.

Steps
1. Log in to CloudLink Center.
2. Click Server > DNS.
3. Click Add.
The Add DNS Server dialog box is displayed.
4. In the IP Address box, enter the IP address of the DNS server you want to add, and then click Add.

Set DNS server as the primary server for CloudLink Center
Use this procedure to set a DNS server as the primary server for CloudLink Center.

About this task


If more than one DNS server has been configured, one must be set as the primary DNS server.

Steps
1. Log in to CloudLink Center.
2. Click Server > DNS.
3. Select the check box next to the DNS server which you want to set as the primary DNS server, and then click Set Primary.



4. In the Confirm Primary DNS Server Change dialog box, when prompted to confirm the request, click Set Primary.

PING a DNS server to test connection


Use this procedure to check whether CloudLink Center has network access to an external resource.

About this task


You can test the network configuration from CloudLink Center. The ping option returns the same information as using the ping
network utility from a command prompt.

Steps
1. Log in to CloudLink Center.
2. Click Server > DNS > Ping.
3. In the Ping dialog box, enter the IP address of the CloudLink Center, and then click Ping.

Delete a DNS associated with CloudLink Center


Use this procedure to delete any DNS server you have manually added.

Steps
1. Log in to CloudLink Center.
2. Click Server > DNS.
3. Select the check box next to the DNS server you added manually, and then click Delete.
4. In the Confirm DNS Server Deletion dialog box, when prompted to confirm the delete request, click Delete.



24
Manage NTP servers associated with
CloudLink Center
This chapter provides information about managing NTP servers associated with CloudLink Center.
You can synchronize CloudLink Center with the date and time obtained from Network Time Protocol (NTP) servers. By default,
CloudLink Center is configured with four global NTP servers.
Topics:
• Force an NTP server time synchronization with CloudLink Center
• Add an NTP server for CloudLink Center
• Delete NTP server

Force an NTP server time synchronization with CloudLink Center
Use this procedure to force synchronization with an NTP server if the time of CloudLink Center is incorrect.

Steps
1. Log in to CloudLink Center.
2. Click Server > Time.
3. Select the check box next to the NTP server address whose time you want to forcefully sync.
4. Click Force Sync With NTP Server.
5. In the Confirm Force Sync With NTP Server dialog box, when prompted to confirm the request, click Sync.

Add an NTP server for CloudLink Center


Use this procedure to add an NTP server for CloudLink Center.

About this task


When you add an NTP server, you provide its IP address or hostname. To use a hostname, ensure that you have configured at
least one DNS server first. For more information, see Domain Name System servers in CloudLink.
If DNS servers have not been configured, NTP servers that are specified by hostname do not work.

Steps
1. Log in to CloudLink Center.
2. Click Server > Time > Add.
The Add NTP Server dialog box is displayed.
3. In the NTP Server box, enter the hostname or IP address of the NTP server, and then click Add.



Delete NTP server
Use this procedure to delete an NTP server.

Steps
1. Log in to CloudLink Center.
2. Click Server > Time.
3. Select the check box next to the NTP server you want to delete, and then click Delete NTP Server.
4. In the Confirm NTP Server Deletion dialog box, when prompted to confirm the delete request, click Delete.



25
Manage TLS certificates
This chapter provides information about the TLS certificates and managing them.
Topics:
• CloudLink Center Certificates
• Upload a new TLS certificate
• Generate a CSR certificate

CloudLink Center Certificates


This topic provides information about the TLS certificates and the certificate formats for externally generated keys and
certificates.
By default, the CloudLink Center uses a self-signed certificate. When connecting to CloudLink Center, the web browser may
display several security warnings. These warnings are displayed because self-signed certificates do not have the same level of
trust as certificates issued and signed by a trusted certification authority (CA).
To stop these warnings from being displayed, you can obtain and upload to CloudLink Center a certificate that has been signed
for CloudLink by a trusted CA.
You can upload an externally generated certificate and private key, or generate a certificate signing request for a private key
generated by CloudLink Center.
CloudLink supports two formats for externally generated keys and certificates:

Upload a new TLS certificate


Use this procedure to upload a new TLS certificate.

About this task


When you upload a new certificate and an optional private key, the web server restarts and the connection is terminated.
After uploading a certificate signed for CloudLink Center, verify the subject, fingerprint, and end date to ensure that it is the
certificate you want to use.



Steps
1. Log in to CloudLink Center.
2. Click Server > TLS > Upload.
The Upload Web TLS Certificate dialog box is displayed.
3. In the Upload Web TLS Certificate dialog box, enter the following information:
a. From the Certificate Format list, select the required certificate format.
b. In the Certificate box, click to select the certificate.
c. In the Key box, click to select the key.
4. Click Upload.

Generate a CSR certificate


Use this procedure to generate a certificate signing request (CSR).

About this task


A certificate signing request (CSR) involves CloudLink Center generating a private key and signing the request. The request is
then fulfilled by a certificate authority (CA) and the final certificate is uploaded to CloudLink Center.

Steps
1. Log in to CloudLink Center.
2. Click Server > TLS > Generate CSR.
3. In the Generate Certificate Signing Request dialog box, enter the name, organization, organization unit, city or locality,
state or province, and country.
4. Click Generate.



26
Configure SNMP for CloudLink Center
This chapter provides information about SNMP traps and configuring them in CloudLink Center.
CloudLink Center can send Simple Network Management Protocol (SNMP) traps to a single target when CloudLink alarms are
raised, updated, or lowered.
Each server in a CloudLink cluster must be configured separately, because cluster members do not synchronize SNMP
configuration.
If a CloudLink alarm is set to Ignored, then SNMP traps are not sent for that alarm.
Topics:
• Add an SNMP configuration to the CloudLink Center
• Modify the SNMP configuration in the CloudLink Center
• Send a test SNMP trap in the CloudLink Center
• Download MIB files
• Delete the SNMP configuration in the CloudLink Center

Add an SNMP configuration to the CloudLink Center


Add an SNMP configuration to the CloudLink Center.

Steps
1. Log in to the CloudLink Center.
2. Select Server > SNMP > Add.
3. In the Add New SNMP Configuration dialog box, from the Target Version list, select SNMPv2 or SNMPv3.
● If you select SNMPv2, then enter:
○ Host—The IP address or FQDN to which the SNMP traps are sent.
○ Port—The receiving host port number.
○ Description—Description for the selected target.
○ Community—The SNMP trap community.
● If you select SNMPv3, then enter:
○ Host—The IP address or FQDN to which the SNMP traps are sent.
○ Port—The receiving host port number.
○ Description—Description for the selected target.
○ Engine ID (HEX)—The remote SNMP protocol engine identifier. This value must be between five and 32 octets in
length.
○ User Name—The username required to communicate with the SNMP agent.
○ (Optional) Authentication Type—Specifies the type of authentication used.
○ Authentication Password—Password used to authenticate a connection with an SNMP agent. Must be at least
eight characters in length.
○ (Optional) Privacy Type—Specifies the type of encryption used.
○ Privacy Password—Password used to encrypt a connection with an SNMP agent. Must be at least eight characters
in length.
4. Click Add.



Modify the SNMP configuration in the CloudLink Center
Modify the SNMP configuration in the CloudLink Center.

Steps
1. Log in to CloudLink Center.
2. Select Server > SNMP.
3. Select the SNMP configuration, and then click Modify.
4. In the Modify SNMP Configuration dialog box, modify the required values, and then click Modify.

Send a test SNMP trap in the CloudLink Center


Test your SNMP configuration to ensure that the target receives SNMP traps from the CloudLink Center.

About this task


The following traps are sent from CloudLink Center:
● alarmUpTrap when a new alarm is raised on the CloudLink Center server.
● alarmDownTrap when the cause of the alarm is corrected or removed.
The information about the CloudLink alarm is contained in the alarmUpTrap, and the alarm identifier is contained in the
alarmDownTrap.
You can use the clAlarmId, a unique value for each alarm instance, to track the raising and lowering of a specific alarm on the
CloudLink Center server.

Steps
1. Log in to CloudLink Center.
2. Select Server > SNMP > Send Test Trap.
3. In the Confirm Sending Test SNMP Trap dialog box, when prompted to confirm the request, click Send.
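The alarmUpTrap/alarmDownTrap pairing described above is what a trap receiver has to correlate. The following is an added example, not CloudLink code: it assumes the receiver has already decoded each notification into a dict with the trap name, trap OID and the clAlarmId varbind; the "severity" and "description" keys are hypothetical names for the alarm details, and the sub-OIDs in the sample traps are constructed placeholders.

```python
"""Track CloudLink alarms from alarmUpTrap / alarmDownTrap notifications.

Added example (not CloudLink's own code). The trap receiver is assumed to have
already decoded each notification into a dict carrying the trap name, the trap
OID and the clAlarmId varbind. The "severity" and "description" keys are
hypothetical names for the alarm details, not CloudLink MIB objects.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Enterprise OID prefix the guide gives for CloudLink alarm traps.
CLOUDLINK_OID_PREFIX = "1.3.6.1.4.1.1139"


@dataclass
class OpenAlarm:
    alarm_id: str
    severity: str
    description: str
    raised_at: str


@dataclass
class AlarmTracker:
    """Keeps the set of alarms currently raised on a CloudLink Center server."""
    open_alarms: Dict[str, OpenAlarm] = field(default_factory=dict)
    unmatched_down: List[str] = field(default_factory=list)

    def process(self, trap: dict) -> str:
        # Only notifications under the CloudLink enterprise OID are relevant.
        oid = trap.get("trap_oid", "")
        if oid != CLOUDLINK_OID_PREFIX and not oid.startswith(CLOUDLINK_OID_PREFIX + "."):
            return "ignored"
        alarm_id = trap.get("clAlarmId")
        if alarm_id is None:
            return "ignored"
        name = trap.get("name")
        if name == "alarmUpTrap":
            # alarmUpTrap carries the alarm information; a repeat for the same
            # clAlarmId is an update, so the stored record is simply replaced.
            self.open_alarms[alarm_id] = OpenAlarm(
                alarm_id=alarm_id,
                severity=trap.get("severity", "unknown"),
                description=trap.get("description", ""),
                raised_at=trap.get("received_at", ""),
            )
            return "raised"
        if name == "alarmDownTrap":
            # alarmDownTrap carries only the identifier and lowers that alarm.
            if self.open_alarms.pop(alarm_id, None) is None:
                # Lowering an alarm never seen raised usually means a missed
                # trap (SNMP traps are unacknowledged UDP) or a receiver restart.
                self.unmatched_down.append(alarm_id)
                return "unmatched"
            return "cleared"
        return "ignored"


# Constructed sample traps. Sub-OIDs below the enterprise prefix, clAlarmId
# values and descriptions are placeholders, not values from the CloudLink MIB.
SAMPLE_TRAPS = [
    {"trap_oid": CLOUDLINK_OID_PREFIX + ".0.1", "name": "alarmUpTrap",
     "clAlarmId": "1001", "severity": "major",
     "description": "Machine disconnected", "received_at": "2022-03-01T10:00:00Z"},
    {"trap_oid": CLOUDLINK_OID_PREFIX + ".0.1", "name": "alarmUpTrap",
     "clAlarmId": "1002", "severity": "minor",
     "description": "NTP synchronization failed", "received_at": "2022-03-01T10:05:00Z"},
    {"trap_oid": CLOUDLINK_OID_PREFIX + ".0.2", "name": "alarmDownTrap",
     "clAlarmId": "1001", "received_at": "2022-03-01T10:20:00Z"},
    {"trap_oid": CLOUDLINK_OID_PREFIX + ".0.2", "name": "alarmDownTrap",
     "clAlarmId": "1999", "received_at": "2022-03-01T10:21:00Z"},
    # Standard SNMPv2 coldStart, not a CloudLink trap: must be ignored.
    {"trap_oid": "1.3.6.1.6.3.1.1.5.1", "name": "coldStart",
     "received_at": "2022-03-01T10:22:00Z"},
]


def replay(traps=SAMPLE_TRAPS):
    """Feed traps through a fresh tracker; returns the tracker and per-trap outcomes."""
    tracker = AlarmTracker()
    outcomes = [tracker.process(t) for t in traps]
    return tracker, outcomes


if __name__ == "__main__":
    tracker, outcomes = replay()
    print(outcomes)
    for alarm in tracker.open_alarms.values():
        print(f"still raised: clAlarmId={alarm.alarm_id} {alarm.severity}: {alarm.description}")
    print("lowered without a matching raise:", tracker.unmatched_down)
```

Alarms set to Ignored in CloudLink Center never produce traps, so the tracker only ever sees the alarms the server was configured to report.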

Download MIB files


Import or upload the MIB file to the trap receiver or network management system application. CloudLink alarms use the Object
Identifier (OID) 1.3.6.1.4.1.1139 for traps.

About this task


To download MIB files:

Steps
1. Log in to CloudLink Center.
2. Select Server > SNMP > Download MIB.



Delete the SNMP configuration in the CloudLink Center
Delete the SNMP configuration in the CloudLink Center.

Steps
1. Log in to CloudLink Center.
2. Select Server > SNMP.
3. Select the SNMP host, and click Delete.
4. In the Confirm SNMP Configuration Deletion dialog box, when prompted to confirm the request, click Delete.



27
Linux commands for CloudLink Agent
When performing many tasks related to CloudLink Agent on Linux machines, you use the svm command. This command has
several subcommands that are used to perform actions including registering, encrypting, reloading machines, and removing
mount points.
The following table lists the actions for each svm subcommand and identifies the topic in the CloudLink documentation where it
is referenced.

Table 3. Command actions

Action: About CloudLink Agent
Commands: svm about
Procedure: Displays general information about CloudLink Agent.

Action: Decrypt boot volumes
Commands: Encrypted using CloudLink 6.7 and later: svm decrypt / [-v]
Procedure: For more information, see Decrypt a volume.

Action: Decrypt mounted volumes
Commands: Encrypted using CloudLink 6.7 and later: svm decrypt [mount_point]
Procedure: For more information, see Decrypt a volume.

Action: Encrypt
Commands: svm encrypt [mount_point]
          svm encrypt [device_name]
Procedure: Encrypt a mount point or block device. For more information, see Encrypt a volume.

Action: Erase
Commands: svm erase [device_name]
Procedure: Erases a device.

Action: Generate
Commands: svm gentechsupport [script]
Procedure: Creates a tech support file with an optional script file that runs more commands.

Action: Manage
Commands: svm manage [device_name]
Procedure: Take control of a self-encrypting drive.

Action: Network status
Commands: svm netstat
Procedure: Displays the network connection status.

Action: Recover
Commands: svm recover [mount_point]
          svm recover [device_name]
Procedure: For more information, see Move an encrypted drive to another machine.

Action: Refresh
Commands: svm refresh
Procedure: For more information, see "Refresh the CloudLink Agent service on Linux machines" in the Dell EMC CloudLink
Deployment Guide.

Action: Register
Commands: svm [-v] [-G group_regcode] -S clc_address
Procedure: For more information, see the topic "Download, install, and configure CloudLink Agent using Custom mode on
Linux Machines" in the Dell EMC CloudLink Deployment Guide.
Commands: svm [-v] [-G group_regcode] -S clc_address -t
Procedure: Use the -t option to set Trusted Platform Module (TPM) mode on a physical machine that has a TPM version 2.0
chip installed. This option is only available during CloudLink Agent installation.
Commands: svm -S [clc_address] [-v]
Procedure: For more information, see Change the CloudLink Center IP address on a Linux machine.
Commands: svm -C <directory where the securevm.cer & securevm.key are saved>
Procedure: See Assign third-party signed certificate to a Linux agent when upgrading CloudLink from 7.x.x.

Action: Release
Commands: svm release [device_name]
Procedure: Release control of a self-encrypting drive.

Action: Reload
Commands: svm reload [-v]
Procedure: Scan for new disks. For more information, see the topic "Refresh the CloudLink Agent service on Linux machines"
in the Dell EMC CloudLink Deployment Guide.

Action: Remove
Commands: svm removemp [mount_point]
Procedure: Remove a mount point without saving any data.

Action: Status
Commands: svm status
Procedure: Shows the connection and mount point statuses. For more information, see the topic "Verify successful
deployment" in the Dell EMC CloudLink Deployment Guide.
Commands: svm status connection (or svm status co)
Procedure: Shows the CloudLink cluster node statuses.

Action: Uninstall
Commands: svm uninstall
Procedure: For more information, see the chapter "Uninstall CloudLink Agent" in the Dell EMC CloudLink Deployment Guide.

Topics:
• Command variables

Command variables
This topic provides information about the command variables that are used in CloudLink.
The following table lists the parameters that are used with one or more svm subcommands.

Table 4. Command options

Option -f: Force encryption or decryption. The machine reboots when this option is used.
Option -h: Help with the command.
Option -S: Specify the server address (clc_address) for CloudLink Center.
Option -v: Use verbose mode.



● mount_point—The mount point to be encrypted.
● device_name—The device must be identified when it is not mounted and listed in /etc/fstab.
● SED—The self-encrypting drive you want to control with CloudLink Center.



28
Command actions for Windows PowerShell
When performing many tasks related to CloudLink Agent on Windows machines, you use the svm command. This command
has several subcommands that are used to perform actions including encrypting, decrypting, setting dependencies, and showing
status.
The following table lists the actions for each svm subcommand and identifies the topic in the CloudLink documentation where it
is referenced.

Table 5. Command actions

Action: Clear dependencies
Commands: svm cleardeps <Microsoft SQL Server service name>
          Example: svm cleardeps MSSQLServer
Procedure: For more information, see the topic "CloudLink Agent for Microsoft SQL Server" in the Dell EMC CloudLink
Deployment Guide.

Action: Decrypt
Commands: svm decrypt [disk_volume]
Procedure: For more information, see Decrypt a volume.

Action: Encrypt
Commands: svm encrypt [disk_volume]
Procedure: Encrypt a mount point or block device. For more information, see Encrypt a volume.

Action: Manage
Commands: svm manage [device_name]
Procedure: Take control of a self-encrypting drive.

Action: Register
Commands: clagent.bat /S [clc_address] [/g [group_regcode]] [/t]
Procedure: Use the /t option to set Trusted Platform Module (TPM) mode on a physical machine that has a TPM version 2.0
chip installed. This option is only available during CloudLink Agent installation.
Commands: Svm CERTPATH=<folder where the securevm.cer & securevm.key are saved>
Procedure: See Assign third-party signed certificate to Windows agents during upgradation of CloudLink from earlier
versions.

Action: Release
Commands: svm release [device_name]
Procedure: Release control of a self-encrypting drive.

Action: Set dependencies
Commands: svm setdeps <Microsoft SQL Server service name>
          Example: svm setdeps MSSQLServer
Procedure: For more information, see the topic "CloudLink Agent for Microsoft SQL Server" in the Dell EMC CloudLink
Deployment Guide.

Action: Show dependencies
Commands: svm showdeps
Procedure: For more information, see the topic "CloudLink Agent for Microsoft SQL Server" in the Dell EMC CloudLink
Deployment Guide.

Action: Status
Commands: svm status
Procedure: For more information, see the topic "Verify successful deployment" in the Dell EMC CloudLink Deployment Guide.

Topics:
• Command variables

Command variables
This topic provides information about the command variables that are used in CloudLink.
The following list shows the parameters that are used with one or more svm subcommands.
● device_name—The device must be identified when it is not mounted and listed in /etc/fstab.
● disk_volume—The disk volume, for example the C drive or the D drive.
● mount_point—The mount point to be encrypted.
● SED—The self-encrypting drive you want to control with CloudLink Center.



A
Role-Based Access Control for CloudLink
The following table lists the CloudLink permissions and the default roles to which they are assigned.
NOTE: CloudLink Center 7.1.3 and later versions let you enable or disable the use of special characters in the
CloudLink Center password for the secadmin (GUI) and cloudlink (console) users. The policy that you set for using
special characters affects both the GUI and the console. After you enable it, special characters are mandatory in the
passwords that you use for the CloudLink GUI and console.

Table 6. Permissions and roles


Name Role
SecAdmin Admin Observer
Users
View Users x x x
Add User x x
Delete User x x
Change User Roles x x
Change User Password x x
Change User Second Factor x x
Unlock User x x
Roles
View Roles x x x
Add Role x
Delete Role x
Modify Role x
Change Role Administration x
Backup and Restore
View Backup Configuration x x x
Generate Backup Key x
Generate Backup x x
Download Backup x x
Change Backup Configuration x x
Restore Backup x
Keystores and Keys
View Keystores x x
Add Keystore x
Delete Keystore x
Modify Keystore x
Move Keys x

Machines
View Machines x x
Remove Machine x
Control Machine Boot x
Change VM Encryption Policy x
Change Machine Encryption x
Change Machine Keys x
Shred Machine x
Move Machine x
View Approved Networks x x
Add Approved Network x
Modify Approved Network x
Delete Approved Network x
Machine Groups
View Groups x x
Add Group x
Modify Group x
Delete Group x
View Machines Usage x x x
Reset Machines Usage x
CloudLink Vault
View Vault Mode x x x
Change Vault Mode x
Set Vault Unlock Passcodes x
Unlock Vault x x
Monitoring
View Actions x x x
View Alarms x x x
View Events x x x
View Security Events x x x
CloudLink Center Clusters
View Cluster Members x x x
Add Cluster Member x
Delete Cluster Member x
Join To Cluster x
Check cluster concurrent session x
CloudLink Licenses
View Licenses x x x

Upload License x
Assign License x
Delete License x
Configuration
View Syslog Configuration x x x
Change Syslog Configuration x
Update System x
View System Configuration x x x
Change System Configuration x x
View Server Specific Configuration x x x
Change Server Specific Configuration x x
View User Sessions x x x
Terminate User Session x x
View Server Logs x
View Server Performance x
KMIP
View KMIP Partitions x x
Add KMIP Partition x
Modify KMIP Partition x
Shred KMIP Partition x
View KMIP Objects x x
View KMIP Clients x x
Add KMIP Client x
Modify KMIP Client x
Delete KMIP Client x
Location
View Providers x x
Add Provider x
Modify Provider x
Delete Provider x
View Approved Locations x x
Add Approved Location x
Modify Approved Location x
Delete Approved Location x
View Licensed Hosts x
Add Licensed Host x
Delete Licensed Host x



B
Configure Active Directory for the CloudLink
encryption keystore
You must deploy a Windows Server that is accessible by CloudLink Center to use Active Directory to store CloudLink encryption
keys. This procedure shows you how to configure Active Directory for the CloudLink encryption keystore on a Windows Server
that is configured as a domain controller.

About this task


You must provide the hostname of the Windows Server during configuration. You also must add your DNS server to CloudLink
Center. For more information, see Domain Name System servers in CloudLink.

Steps
1. Set up the Organization unit on Windows Server:
a. On the Windows taskbar, click Start > All Programs > Administrative Tools, and then select Active Directory Users
and Computers.
b. Create an organization unit by expanding your domain name, and then right-click New > Organizational Unit.
c. Enter a Name (for example, CloudLink_OU).
d. Right-click the Organization Unit (for example, CloudLink_OU), and select New > Group.
e. Enter the Group Name (for example, CloudLink_Group).
f. Select Global and Security.
2. Create a bind user:
a. Right-click the Organization Unit (for example, CloudLink_OU), and select New, User.
b. Enter the First Name (for example, Cloud), Last Name (for example, Link), and login name. Click Next.
c. Type the Password, and then click Finish.
d. Right-click the Organization Unit (for example, CloudLink_OU), and then select Delegate Control.
e. Click Next to follow the setup wizard.
f. Click Add and enter the CloudLink group name (for example, CloudLink_Group).
g. Click OK, and then click Next.
h. Select Create a custom task to delegate, and then click Next.
i. Select This folder, existing objects in this folder, and creation of new objects in this folder, and then click Next.
j. Select Full Control, and then click Next.
k. Click Finish.
3. Add the bind user to the security group:
a. Double-click Security Group.
b. Click the Members tab.
c. Click Add.
d. Type the bind user name.
e. Click OK.
4. Record the DN of CloudLink:
a. Click Start, and then select Run.
b. Type cmd, and then click OK.
c. Enter dsquery OU (Support tool is required) and record the DN (for example,
OU=CloudLink_OU,DC=company,DC=com).



C
Upgrade Ubuntu OS by using REST API
Use this procedure to upgrade Ubuntu OS by using REST API when a Ubuntu security patch is released.

Prerequisites
● CloudLink requires access to the Internet to download the Ubuntu security patch.
● Click Server > DNS, and then ping google.com to ensure that CloudLink has Internet access.

About this task

Steps
1. Log in to CloudLink Center.
2. Click About > REST Documentation > Open Documentation.
The CloudLink Center REST API page opens in a new window.
3. Click server : Server Configuration.

4. You must have permission to access the REST API. To grant permission to access the REST API, click the authorization button.
5. In the Select OAuth2.0 Scopes dialog box, select the checkbox next to all, and then click Authorize.
You are logged out of CloudLink Center.
6. Log in to CloudLink Center again.

7. Ensure that you have been granted permission to access the REST API by verifying that the authorization button shows the authorized state.
8. Click PUT /cloudlink/rest/server/dist_upgrade > Try it out.
9. Click GET /cloudlink/rest/server/dist_upgrade > Try it out.
After the upgrade is completed, "is_upgrade_done":true is displayed.
10. Wait for ten minutes, and then repeat Step 9 until the upgrade is completed.
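The PUT-then-poll sequence in Steps 8 to 10 can be scripted instead of clicked through in the REST documentation page. The following is an added example, not CloudLink code: it assumes the two endpoints named above, that the GET body is JSON containing "is_upgrade_done", and that the API accepts an OAuth2 bearer token in an Authorization header (the header format and the 401/403 handling are assumptions); the transport is injectable so the polling logic can be exercised offline.

```python
"""Start the CloudLink Center Ubuntu dist-upgrade over REST and poll until done.

Added example, not CloudLink's own code. Assumptions: the endpoints
PUT and GET /cloudlink/rest/server/dist_upgrade from the guide; the GET
response is JSON containing "is_upgrade_done"; the API accepts an OAuth2
bearer token (header format assumed) obtained after authorizing the "all" scope.
"""
import json
import time
import urllib.error
import urllib.request
from typing import Callable, Tuple

UPGRADE_PATH = "/cloudlink/rest/server/dist_upgrade"
POLL_INTERVAL_SECONDS = 600  # the guide says to wait ten minutes between checks

# A transport maps (method, path) to (HTTP status, response body).
Transport = Callable[[str, str], Tuple[int, str]]


def http_transport(base_url: str, bearer_token: str) -> Transport:
    """Real transport: sends the request to CloudLink Center with urllib."""
    def send(method: str, path: str) -> Tuple[int, str]:
        req = urllib.request.Request(
            base_url.rstrip("/") + path, method=method,
            headers={"Authorization": f"Bearer {bearer_token}",
                     "Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, resp.read().decode("utf-8")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode("utf-8", "replace")
    return send


def _check_authorized(status: int) -> None:
    # Assumption: a missing REST scope surfaces as 401 or 403.
    if status in (401, 403):
        raise PermissionError("REST API scope not granted: authorize the 'all' scope and log in again")


def start_upgrade(transport: Transport) -> bool:
    """PUT dist_upgrade; True when CloudLink Center accepted the request (HTTP 200)."""
    status, _ = transport("PUT", UPGRADE_PATH)
    _check_authorized(status)
    return status == 200


def upgrade_done(transport: Transport) -> bool:
    """GET dist_upgrade and read the is_upgrade_done flag."""
    status, body = transport("GET", UPGRADE_PATH)
    _check_authorized(status)
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status} from GET {UPGRADE_PATH}")
    try:
        payload = json.loads(body)
    except json.JSONDecodeError as exc:
        raise RuntimeError("GET dist_upgrade did not return JSON") from exc
    return payload.get("is_upgrade_done") is True


def wait_for_upgrade(transport: Transport, max_polls: int = 18,
                     interval: float = POLL_INTERVAL_SECONDS,
                     sleep: Callable[[float], None] = time.sleep) -> Tuple[bool, int]:
    """Poll GET dist_upgrade until is_upgrade_done is true; returns (done, polls_used)."""
    for polls in range(1, max_polls + 1):
        if upgrade_done(transport):
            return True, polls
        if polls < max_polls:
            sleep(interval)
    return False, max_polls


def fake_transport(done_after: int) -> Transport:
    """Constructed offline stand-in: reports the upgrade finished after N GET calls."""
    calls = {"get": 0}

    def send(method: str, path: str) -> Tuple[int, str]:
        if path != UPGRADE_PATH:
            return 404, ""
        if method == "PUT":
            return 200, "{}"
        calls["get"] += 1
        return 200, json.dumps({"is_upgrade_done": calls["get"] >= done_after})
    return send


if __name__ == "__main__":
    # Offline run; for a real server use http_transport("https://clc_address", token).
    t = fake_transport(done_after=3)
    print("accepted:", start_upgrade(t))
    print("done, polls used:", wait_for_upgrade(t, sleep=lambda _s: None))
```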



D
Update the Microsoft Azure Linux agent in a
CloudLink Center
Use this procedure to update the Microsoft Azure Linux agent in a CloudLink Center.

Steps
1. Log in to CloudLink Center.
2. Click About > REST Documentation > Open Documentation.
The CloudLink Center REST API page opens in a new window.
3. Click server : Server Configuration.
4. Click PUT /cloudlink/rest/server/azure_agent_install.

5. You must have permission to access the REST API. To grant permission to access the REST API, click the authorization button.
6. In the Select OAuth2.0 Scopes dialog box, select the checkbox next to all, and then click Authorize.
You are logged out of CloudLink Center.
7. Log in to CloudLink Center again.

8. Ensure that you have been granted permission to access the REST API by verifying that the authorization button shows the
authorized state, and then click Try it out.
9. Ensure that the REST API call succeeded.
Response Code: 200 is displayed if the REST API call succeeded.



E
Restore VM agent connection to CloudLink
Center
If an encrypted VM uses an incorrect IPv4 address for CloudLink Center, the VM may not start. The boot screen displays the IP
address of the encrypted VM along with the hostname or the IP address that the VM is using for CloudLink. After a few minutes,
the encrypted VM automatically searches all the IP addresses in the subnet in which the VM is located, and tries to identify the
correct IP address of the CloudLink Center.
If the encrypted VM is unable to locate the CloudLink Center, perform the following workarounds:
● Applies for IPv4 address—Deploy a new CloudLink cluster member on the subnet in which the encrypted VM failing to
restart is located.
If the VM restarts, ensure that the agent has the correct CloudLink Center hostname or IP address. If the correct hostname
or IP address is not displayed, decrypt the VM and reinstall the agent with the correct CloudLink Center hostname or IP
address.
● Applies for IPv4 and IPv6 addresses—If the VM does not restart using the preceding workaround, then:
○ Power off the VM and attach the encrypted boot drive as a data drive on a Windows VM that has the CloudLink Agent.
○ Use CloudLink Center to decrypt the data drive. The data drive displays the status as Pending. Manually accept the data
drive in CloudLink Center. After the drive is decrypted, remove the data drive from the Windows VM and power on the
VM.
NOTE: Do not attach a Windows boot drive to a Windows VM that has the same disk signature. The Microsoft operating
system changes the disk signature, which corrupts the data drive.
NOTE: If the preceding workarounds do not work, then contact Dell Technologies Support to install the redirect application.



F
Install the redirect application
The following procedure explains how to install the redirect application.

About this task

NOTE: Contact Dell Technologies Support to install the Redirect Application.

In certain circumstances, a machine that is registered with CloudLink Center may not start because the machine is unable to
connect to CloudLink Center. This can happen in the following circumstances:
● The IP address of CloudLink Center changes and DNS is not configured for CloudLink Center.
● The IP address for CloudLink Center might change if a CloudLink Center server is replaced.
● The IP address might change if CloudLink Center is deployed in a cloud environment.
● The public IP address of a machine might change when it is shut down and restarted. A new IP address is typically assigned
from the same subnet as the previous address.
When a machine loses its connection to CloudLink Center, CloudLink Agent scans its subnet (/24 mask) to locate CloudLink
Center by hostname on port 1194. If CloudLink Center is found, CloudLink Agent reconnects automatically and updates its
configuration with the current connection information for CloudLink Center.
If CloudLink Agent cannot find CloudLink Center, it scans the same subnet for an Ubuntu server that is running the CloudLink
Redirect application. When contacted by a CloudLink Agent, the Redirect application sends the CloudLink Agent to the
active CloudLink Center server. The configuration of the machine is updated with the connection information of the active
CloudLink Center.

Steps
1. On the Ubuntu server, enter the following:

wget https://clc_address/cloudlink/securevm/agenttools

2. Type the following:

chmod +x agenttools

3. Run the Redirect application by typing:

./agenttools

4. Type 1 to select Recovery, and then type the IP address of the active CloudLink Center server.

Results
After installation, the Redirect application runs as a console application, displaying a message each time it redirects a machine.
Machines are redirected to the new CloudLink Center to restart. However, the machine is assigned the disconnected state in
CloudLink Center. Manually change the CloudLink Center server address on the machine. For more information, see Change the
CloudLink Center IP address.



G
Move an encrypted drive to another machine
In some circumstances, you may need to move an encrypted disk from one machine registered with CloudLink Center to another
registered machine. For example, if a machine cannot boot, you can move its encrypted disk to another machine.
After moving the disk, you must register the new machine with the same CloudLink Center instance as the original machine.
On startup, CloudLink Center determines whether to release keys for the moved disk based on the Moved Device or Moved
Volume key release policy. For information, see Change key release policies of a machine group on CloudLink Center.
If CloudLink Center cannot release keys for the moved volume based on the current Moved Volume or Moved Device key
release policy, it puts the machine in the pending state and locks the volume. You must manually accept the moved volume
or device. After it is accepted, CloudLink Center allows the machine to start up and puts it in the connected state. CloudLink
Center unlocks the volume or device and displays it as encrypted.
For the purposes of the following procedures, assume that VM-A is the machine with the encrypted disk (/data1/dir1) that you
want to move to VM-B.
Topics:
• Move an encrypted disk to Windows machine
• Move an encrypted disk to Linux machine

Move an encrypted disk to Windows machine


Use this procedure to move an encrypted disk to a Windows machine.

Steps
1. Detach the disk from VM-A.
2. Attach the disk to VM-B.
If the machine is put in the pending state because CloudLink Center cannot release keys for the moved volume, manually
accept the moved volume, as follows:
a. In CloudLink Center, select Machines.
b. Select the machine with the moved volume.
c. Select Actions > Pending Volumes.
d. Select the moved volume and click Accept.

Move an encrypted disk to Linux machine


Use this procedure to move an encrypted disk to a Linux machine.

Steps
1. Detach the disk from VM-A.
2. Attach the disk to VM-B.
3. Type the following command or reboot VM-B.

svm reload

4. Create a mount point on VM-B for the disk from VM-A.
Example:

mkdir -p /data1/dir

5. Type this command: svm recover /mount_point /device
Example:

svm recover /data1/dir /dev/sdb1

6. Restart the CloudLink Agent service. For more information, see Restart the CloudLink Agent service on Linux machines.
7. If the machine is put in the pending state because CloudLink Center cannot release keys for the moved volume, you need to
manually accept the moved volume, as follows:
a. In CloudLink Center, click Machines.
b. Select the machine with the moved volume or a moved device.
c. Click Actions > Pending Volumes.
d. Select the moved volume or a moved device, and then click Accept.
8. Verify that the encrypted volume or device is accessible.
9. In CloudLink Center, verify that the mount points attached to VM-B are identified as encrypted.



H
Recover an encrypted Linux boot volume
Use this procedure to recover data from an encrypted Linux boot volume. It applies to Linux boot volumes encrypted with
CloudLink version 5.5 or later.

Steps
1. Shut down the machine (CloudLinkVM-1) with the encrypted Linux boot volume that needs to be recovered.
2. Deploy a machine (CloudLinkVM-2) that uses a Linux distribution supported by CloudLink.
NOTE: When you create CloudLinkVM-2, use a template different from the one used for CloudLinkVM-1 to prevent
volumes from having the same root volume UUID.

3. Install CloudLink Agent on the new machine (CloudLinkVM-2).


4. Connect the new machine (CloudLinkVM-2) to the same CloudLink Center used by the old machine (CloudLinkVM-1).
5. Move the disk containing the encrypted root volume from the old machine (CloudLinkVM-1) and attach it to the new
machine (CloudLinkVM-2).
NOTE: For a root logical volume on LVM: before attaching the disk to CloudLinkVM-2 for recovery, ensure
CloudLinkVM-2 does not have an LVM group with the same name.

6. Ensure the root volume is detected by the operating system.


● Newer Linux distributions are configured to automatically detect block devices when attached. If this does not happen,
run the following command:

svm reload

● If the original machine has the root file system on an LVM volume, you may need to activate the volume so it appears as
a block device.
WARNING: DO NOT restart CloudLinkVM-2 because it can cause a Linux kernel panic.

7. When the attached root volume is available on CloudLinkVM-2, run the following command:

svm recover <existing empty directory> <root volume name>

Example commands for a root file system on LVM:

svm recover /mnt/recovery /dev/system/root

svm recover /mnt/recovery /dev/mapper/centos-root

svm recover /mnt/recovery /dev/ubuntu-vg/root

Example commands for a regular root partition:

svm recover /mnt/recovery /dev/sdb2

svm recover /mnt/recovery /dev/xvdc1

8. Restart the svmd service so that it recognizes and unlocks the volume:

service svmd restart



9. Run the following command and verify that the volume's status is locked (the keys have not been released yet):

svm status

10. Accept the pending volume so that CloudLink Center releases the encryption keys. If the machine is put in the pending
state because CloudLink Center cannot release the keys for the recovered volume, accept the recovered volume manually, as follows:
a. In CloudLink Center, go to Machines.
b. Select the machine with the recovered volume.
c. Select Actions > Pending Volumes.
d. Select the recovered volume and click Accept.
11. After the volume is accepted in CloudLink Center, verify that the volume's status is encrypted when you run the following
command:

svm status

Results
The data can now be copied from the volume or the volume can be decrypted.
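The following shell script is an added example, not part of this guide or of CloudLink; it wraps the command-line steps of the two Linux procedures above (moving an encrypted data disk, and recovering an encrypted boot volume) and adds the preflight checks those steps rely on. Only svm reload, svm recover, svm status and service svmd restart come from the guide; vgs and vgchange are standard LVM commands used here to implement the "no LVM group with the same name" note and the "activate the volume" step, and every function name in the script is an assumption. The VG-name parser handles the /dev/mapper form, where LVM writes a literal hyphen inside a name as a double hyphen, so that a path such as /dev/mapper/ubuntu--vg-ubuntu--lv resolves to the VG ubuntu-vg rather than ubuntu.

```shell
#!/bin/sh
# Added example (not CloudLink's own tooling): preflight checks and command
# wrapper for the Linux disk-move and boot-volume-recovery procedures.
# Function names are assumptions; svm/service commands come from the guide.

# Extract the volume group name from an LVM device path, handling both
# /dev/<vg>/<lv> and /dev/mapper/<vg>-<lv>. In the mapper form LVM writes a
# literal '-' inside a VG or LV name as '--', so the VG/LV separator is the
# first single '-'. Returns 1 for a non-LVM path (partition, dm-crypt mapping).
vg_name_from_path() {
    case "$1" in
        /dev/mapper/*)
            rest=${1#/dev/mapper/}
            vg=""
            while [ -n "$rest" ]; do
                case "$rest" in
                    --*) vg="$vg-"; rest=${rest#--} ;;          # escaped hyphen
                    -*)  printf '%s\n' "$vg"; return 0 ;;       # VG/LV separator
                    *)   vg="$vg${rest%"${rest#?}"}"; rest=${rest#?} ;;
                esac
            done
            return 1 ;;                                          # no separator: not LVM
        /dev/disk/*) return 1 ;;                                 # by-uuid, by-id: not LVM
        /dev/*/*)
            rest=${1#/dev/}
            printf '%s\n' "${rest%%/*}" ;;
        *) return 1 ;;
    esac
}

# `svm recover` expects an existing, empty directory as the recovery mount point.
check_recovery_dir() {
    [ -d "$1" ] || { echo "recovery dir $1 does not exist" >&2; return 1; }
    [ -z "$(ls -A "$1")" ] || { echo "recovery dir $1 is not empty" >&2; return 1; }
}

check_block_device() {
    [ -b "$1" ] || { echo "$1 is not a block device" >&2; return 1; }
}

# True if LVM on this host already knows a VG of that name.
vg_exists_locally() {
    command -v vgs >/dev/null 2>&1 || return 1
    vgs --noheadings -o vg_name 2>/dev/null | tr -d ' ' | grep -qx -- "$1"
}

# Run on CloudLinkVM-2 BEFORE attaching the old disk (NOTE under step 5).
# Argument: the old machine's root device path, e.g. /dev/mapper/centos-root.
pre_attach_check() {
    if vg=$(vg_name_from_path "$1"); then
        if vg_exists_locally "$vg"; then
            echo "VG '$vg' already exists here; build the recovery VM from another template" >&2
            return 1
        fi
        echo "no VG named '$vg' on this host; safe to attach the disk"
    else
        echo "$1 is not an LVM path; no VG name clash is possible"
    fi
}

# Steps 6-9 of the recovery procedure (the move procedure's steps 3-6 use the
# same commands): rescan if needed, activate an LVM root, recover, restart svmd.
recover_volume() {
    dir=$1; dev=$2
    check_recovery_dir "$dir" || return 1
    if ! [ -b "$dev" ]; then
        echo "$dev not visible yet; asking the agent to rescan (svm reload)" >&2
        svm reload || return 1
        # An LVM root may still need activating before it shows up as a block device.
        if vg=$(vg_name_from_path "$dev"); then
            vgchange -ay "$vg" || return 1
        fi
    fi
    check_block_device "$dev" || return 1
    svm recover "$dir" "$dev" || return 1
    service svmd restart || return 1
    # Expect 'locked' here. Accept the volume under Machines > Actions >
    # Pending Volumes in CloudLink Center, then re-run `svm status` and expect
    # 'encrypted' before copying data or decrypting. Do NOT reboot this VM.
    svm status
}

case "${1:-}" in
    pre-attach) pre_attach_check "$2" ;;
    recover)    recover_volume "$2" "$3" ;;
    "")         ;;   # no arguments: only define the functions (e.g. when sourced)
    *)          echo "usage: $0 pre-attach <old-root-device> | recover <empty-dir> <device>" >&2
                exit 2 ;;
esac
```

Run it as `sh cl-recover.sh pre-attach /dev/mapper/centos-root` on CloudLinkVM-2 before step 5, and as `sh cl-recover.sh recover /mnt/recovery /dev/mapper/centos-root` at step 7; the GUI acceptance in CloudLink Center (step 10) still has to be done by hand, which is why the script stops after printing the status rather than polling for it.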

