RSA Secured Implementation Guide

Panzura
Quicksilver Cloud Storage Controller
Secured by RSA Implementation Guide
Last Modified: <October 10, 2013>
Partner Information
Partner Name: Panzura
Web Site: www.panzura.com

Product Information
Product Name: Quicksilver Cloud Storage Controller
Version & Platform: 5.2.1.0 and later
Product Description: Panzura’s Global Cloud Storage System enables enterprise-class cloud
storage with NAS-like functionality for a globally-distributed workforce.
This storage system enables true global file and workflow sharing, active
archiving of infrequently used files, backup of structured data sets like
databases and Exchange files, and seamless disaster recovery.
Product Category: Directories and Data Stores
Panzura
Quicksilver Cloud Controller
Solution Summary
The Panzura Quicksilver Cloud Storage Controller (Quicksilver controller) is the core of the Panzura
storage architecture. The Quicksilver controller is a reliable, high performance, optimized cloud storage
appliance that can manage massive data densities within its scalable file system. The resilient storage
subsystem protects data using military grade encryption, multiple RAID parity protection schemes,
efficient user managed snapshots, and cloud storage.
The Quicksilver controller provides local and cloud storage for widely used file storage protocols, file
management technologies, and directory services integration. These include Network File System (NFS),
used by Unix/Linux clients; Common Internet File System (CIFS), used by Microsoft Windows clients and
servers; and Microsoft Active Directory (AD).
The Quicksilver controller virtualizes and attaches to multiple types of disk media within the same file
system. Supported media include spinning hard disk drives (HDDs), solid state drives (SSD), networked
WAN‐addressable cloud storage, and LAN‐addressable NAS filer volumes. PZOS (Panzura OS) serves
data to clients by way of the CIFS and NFS protocols.
RSA Data Protection Manager and Panzura Quicksilver Cloud Storage Controller integrate seamlessly to
provide a DPM solution that addresses customer issues involving secure key generation, storage, and
retrieval. Keys are permanently kept in the Panzura appliance. By utilizing the RSA Data Protection
Manager KMIP (Key Management Interoperability Protocol) APIs, the Panzura Quicksilver Cloud Storage
Controller is able to securely transfer certificates and private keys. Administrators have a central location
to store and back up keys.
The Quicksilver Controller generates X.509 certificates and associated private keys to be used for
encryption and decryption of data. The certificates and private keys can be registered or exported to the
DPM as a secret data object of the password type. The secret data object is registered with Name and
xName attributes to allow other Quicksilver Controllers and other KMIP compliant clients to search keys
based on a name in addition to a unique identifier (UUID). You can generate or upload up to 9 keys for
encrypting data. Encryption is at a block level. It is possible for a file to have multiple keys if it is updated
after a new certificate is activated.
Note: The word “keys” generally refers to pieces of information that are used
to encrypt and decrypt data. The Quicksilver Controller specifically uses
certificates and associated private keys. This document will use the word “keys”
interchangeably with “certificates” and “private keys”.
Product Configuration for Interoperability
RSA Key Manager Configuration
1. Create an Identity Group for your product (Panzura in this case)
2. Create an Identity (partner Identity)
    - In the Panzura Identity Group
    - Role = Operational User
    - Upload Client_1 .cer Certificate
3. Create a (partner Security Class)
    - In the Panzura Identity Group
    - Enter Class Attribute Name = Kmip_Template
    - Enter Value = true
4. Proceed to Step 5 and Finish
Result
Panzura Quicksilver Cloud Controller Configuration
5. Log in to the Panzura Appliance
Result
6. Enter Cloud Controller System Information by clicking on the configuration tab at the top of the page
7. Click on Advanced Settings on the left
8. Click KMIP on the left
9. Enter the KMIP Settings
    - KMIP Server Host Name = DPM IP address
    - KMIP Server port = 443
    - KMIP Protocol Type = HTTP TTLV (RSA DPM)
    - Security Class = Partner Security Class
    - Click the Save Configuration button to save the changes
Note: This message will come up even if it is the first key server being
registered.
Communication with the KMIP server requires a mutually authenticated SSL session. The CA certificate
that signed the DPM's server certificate must be uploaded. Additionally, a client certificate that is
recognized by the DPM must also be uploaded.
10. Upload New KMIP Certificates
    - Choose certificate type, then browse and upload the CA and Client certificates
Note: Client certificates must be in .pem format.
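Added example (not from the original guide): a check that a file is a PEM certificate, converting from DER when needed, and that the certificate uploaded to the DPM identity and the one uploaded to the controller are the same by SHA-256 fingerprint. It assumes the .cer file from step 2 may be DER-encoded; SAMPLE_DER is constructed stand-in data, not a real certificate, and the code does not parse X.509 or validate the chain.

```python
import base64
import hashlib
import re

# One PEM block: BEGIN label, base64 body, matching END label.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def load_cert(data: bytes):
    """Return (pem_text, sha256_hex_of_der) for a certificate given as PEM or DER."""
    m = PEM_RE.search(data)
    if m:
        label = m.group(1).decode()
        if label != "CERTIFICATE":
            # e.g. a private key or CSR picked by mistake in the upload dialog
            raise ValueError(f"expected CERTIFICATE, found {label}")
        der = base64.b64decode(b"".join(m.group(2).split()), validate=True)
    elif data[:1] == b"\x30":  # DER certificates start with an ASN.1 SEQUENCE
        der = data
    else:
        raise ValueError("neither PEM nor DER")
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    pem = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
           + "\n-----END CERTIFICATE-----\n")
    return pem, hashlib.sha256(der).hexdigest()

def same_certificate(a: bytes, b: bytes) -> bool:
    """True when two files (any mix of PEM and DER) hold the same certificate."""
    return load_cert(a)[1] == load_cert(b)[1]

# Constructed stand-in for DER bytes; not a real certificate.
SAMPLE_DER = bytes.fromhex("3082000a") + bytes(range(10))
```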
KMIP server configuration is then complete. The next steps will show how to create and register data
encryption certificates.
11. Click the Encryption and Certs field on the left
12. Create and Register Encryption Certificate and enter
    - Certificate Name = (partner-certificate)
13. Click Create & Register
Note: One temporary certificate ships with the Appliance to use for testing
purposes only. Customers must create new certificates for production.
14. Click OK
Result: Certificate listed
Note: If you try to re-register a key that is already in the DPM, you will get an
error indicating that it is registered. If for some reason a certificate object in the
DPM is deleted, you must re-register with a different certificate name.
Note: It is possible to upload certificates if you do not want to create them
on the Panzura Appliance.
Note: Click the Activate button to use this certificate
15. Go to DPM Security Objects
    - Ensure an Object is created
In environments with multiple master controllers, use the Retrieve Certificate button to make sure all
master controllers have the same certificate.
16. Go to Encryption and Keys and enter
    - Certificate and Private Key name listed on the Primary server
17. Click Retrieve Certificate.
Testing
The solution can be tested by mounting a CIFS drive to your Windows host.
18. Map a network drive from your host.
Enter the IP and root folder (cloudfs) with the host name of the Panzura Appliance.
19. Write and read as you would with any network drive.
Certification Checklist for 3rd Party Applications
Date Tested: September 27 2013
Product: DPM Manager Server
Operating System: SUSE Linux Enterprise Server 11 SP2 (x86_64)
Tested Version: 3.5

Product: DPM Manager Client type and version
Operating System: N/A (KMIP)
Tested Version: N/A

Product: Panzura Quicksilver Cloud Controller
Operating System: PZOS
Tested Version: 5.2.1.0

RSA KMIP Integration

KMIP TLS requests
    Create
    Register
    Locate
    Check
    Get
    Get Attributes
    Get Attributes List
    Add Attribute
    Modify Attribute
    Delete Attribute
    Delete Attribute
    Activate
    Revoke

Functions and Tests
    N/A
    Partner Product Registers with DPM
    Partner Product Creates keys and certs and DPM archives them
    DPM archives keys and certs
    Partner product successfully encrypts and decrypts data with keys
    Partner Product cannot read data when keys deleted.

FAL
= Pass    = Fail    N/A = Not Applicable to Integration
Known Issues
The object in the security class will show its state as pre-activate.
Appendix
Document Title: Quicksilver Cloud Storage Controller Administration Guide
Description: Describes how to implement the Panzura solution.
Location: www.panzura.com

Term: Meaning
PZOS: Panzura OS, provides CloudFS
CloudFS: Panzura's highly scalable, high performance global file system that is
natively integrated with object-based cloud storage systems
DEK: Data Encryption Key
Keys: Refers to X.509 certificates and associated private keys used to encrypt
and decrypt data