Configure basic network, host, and user settings before you install a Tanium Appliance role.
Requirements
| License |
Contact Tanium Support to obtain a valid license. Tanium Support must know the fully qualified domain name (FQDN) for each Tanium Server Appliance in your deployment to generate your license file.
|
| Network |
Be ready to specify the static IP address in CIDR format (such as 192.168.2.0/24), default gateway IP address, host name, domain name, primary and secondary DNS servers, and NTP servers. |
If LACP is configured on the network switch, set the switch to enable LACP when an LACP device is detected. When NIC teaming is enabled, the Tanium appliance supports active-backup bonding for fault tolerance. A user with the tanadmin role can configure NIC teaming after full initial configuration is complete.
In rare circumstances, a Tanium Physical Appliance might fail to boot and hang at the TanOS boot screen. In this situation, it is best to disable LLDP at the switch or in the Appliance BIOS. LLDP is not supported or required by TanOS. Contact Tanium Support for more information.
Configuration options
Configure iDRAC
Use these steps to configure the iDRAC interface. With these steps, you set up the tanremote user account, which can be used to complete the initial configuration later.
For the best results, configure the iDRAC interface for access to the Tanium Physical Appliance. This significantly reduces the need to re-enter the data center for Tanium Appliance maintenance in the future.
Before you begin
You must use a cable to connect the iDRAC interface to your network.
Configure the iDRAC
- Sign in to the TanOS console as the tanadmin user.
- Enter I to go to the Manage iDRAC menu.
View screen>>> Initial Config -> Manage iDRAC <<<
After executing some iDRAC commands it can take up to three minutes
before valid status is available or further commands will succeed.
iDRAC User tanremote: Disabled
Current iDRAC configuration settings:
IPv4 Address:
IPv4 Gateway:
IPv6 Address:
IPv6 Gateway: ::
N: iDRAC Network Configuration
P: Set tanremote Password
E: Enable tanremote User
D: Disable tanremote User
C: Close all iDRAC sessions
K: Reset iDRAC
R: Return to previous menu RR: Return to top
- Enter N to go to the Configure iDRAC Network.
- Follow the prompts to configure the iDRAC network. View screen
>>> Initial Config -> Manage iDRAC - > Configure iDRAC Network <<< >
These configuration settings will be applied to the iDRAC interface.
iDRAC user configuration can be performed in the user administration
menu.
Current iDRAC settings:
IPv4 Address:
IPv4 Gateway:
IPv6 Address: ::/64
IPv6 Gateway:
Would you like to continue with iDRAC IP configuration? [Yes|No]: yes
Enter the IPv4 address/prefix (e.g. 10.2.3.4/24): 10.10.10.65/24
Enter the IPv4 gateway address (e.g. 10.2.3.1): 10.10.10.2
Would you like to accept default IPv6 settings? [Yes|No]: yes
New settings:
IPv4 Address: 10.10.10.65/24
Default IPv4 Gateway: 10.10.10.2
Manual IPv6 settings: No
Are these settings correct? [Yes|No]: yes
Configuring iDRAC interface, can take a minute or two ...
Press enter to continue
- Enter P and follow the prompts to change the password of the tanremote user. View screen
>>> Appliance Configuration -> Manage iDRAC -> Set iDRAC Password <<<
This will change the iDRAC user tanremote password.
Access to the iDRAC is via the specific iDRAC IP.
Would you like to change the tanremote password? [YES/NO]: yes
The password policy requires meeting these rules:
- Minimum 10 characters long
- Maximum 20 characters long
- At least 1 upper case character
- At least 1 lower case character
- At least 1 numeric character
- At least 1 other character
- Must not be based on a dictionary word
- Must not contain part of the username
Please enter password (will not be displayed):
- Access the iDRAC virtual console at http://<iDRAC interface IP address>.
- Sign in with user name tanremote and the password that was set with this procedure and then proceed with initial configuration. See Perform full initial configuration.
Configure IP address only
Use these steps to assign only an IP address to the appliance. After these steps, you can sign out of the console and connect through SSH later to resume the full initial configuration.
- Power on the appliance.
The boot and start-up processes take a few minutes.
- When prompted to sign in, specify the user name tanadmin and the default password Tanium1 or the password set by your data center team when the Tanium Appliance was racked. View screen
------------------------------------------------------
>>> Initial Configuration <<<
Initial configuration workflow for a new TanOS appliance.
All items must be complete before the appliance can be used.
IP Address:
Hostname: initial-tanos-347587.localdomain
P: Set Password (INCOMPLETE)
I: Configure iDRAC
Set the password to continue configuration
F: [DISABLED] Finish Initial Configuration
S: Shutdown
Z: Log out
------------------------------------------------------
TanOS Version: 1.7.4
Please select:
- Enter P and then follow the prompts to change the password. View screen
------------------------------------------------------
>>> Initial Config -> Set Password <<<
Preparing to change the password for tanadmin
The password policy requires meeting these rules:
- Minimum of 10 characters long
- At least 1 upper case character
- At least 1 lower case character
- At least 1 numeric character
- At least 1 other character
- Must not match any of recent 4 passwords
- Must not be based on a dictionary word
- Must not contain part of the username
Please enter password (will not be displayed):
Password score: 55 out of 100 (strong)
Please enter password again:
The password change was successful.
Press enter to continue
Follow the password policy guidelines closely. Note the password score that appears and aim for a strong password.
- Press Enter to return to the Initial Configuration menu. View screen
------------------------------------------------------
>>> Initial Configuration <<<
Initial configuration workflow for a new TanOS appliance.
All items must be complete before the appliance can be used.
IP Address:
Hostname: initial-tanos-347587.localdomain
P: Set Password (complete)
A: Set IP Address (INCOMPLETE)
N: Set FQDN (hostname) (INCOMPLETE)
D: Set DNS Nameservers (INCOMPLETE)
T: Set NTP (time) (INCOMPLETE)
E: View and Accept EULA (INCOMPLETE)
F: [DISABLED] Finish Initial Configuration
S: Shutdown
Z: Log out
------------------------------------------------------
TanOS Version: 1.7.4
Please select:
- Enter A, and then follow the prompts to set the static IP address, IPv6 settings, and gateway. The TanOS console confirms that the settings are applied. View screen
>>> Network Configuration <<< >
Note: any existing IP address listed below is NOT persistent/DHCP assigned.
Please provide a static IP address below regardless of the current
configuration. At the end of the initial configuration routine you will be
logged out. If the IP address is changed then you will need to modify your
connection settings to reach the TanOS menu.
Available interfaces:
#: Interface State Link MAC IP Location
1: ens160 UP UP 00:0c:29:35:f4:fa 10.10.10.60/24 virtual
Please select: 1
Current settings:
Interface: ens160
IPv4 Address: 10.10.10.60/24
Default IPv4 Gateway: 10.10.10.2
IPv6 Address: fe80::20c:29ff:fec3:4afa/64
IPv6 Gateway:
Enter the IPv4 address/prefix (e.g. 10.2.3.4/24): 10.10.10.60/24
Enter the IPv4 gateway address (e.g. 10.2.3.1): 10.10.10.2
Would you like to accept default IPv6 settings? [Yes|No]: yes
New settings:
Interface: ens160
IPv4 Address: 10.10.10.60/24
Default IPv4 Gateway: 10.10.10.2
Manual IPv6: No
IPv6 Address: fe80::20c:29ff:fec3:4afa/64
IPv6 Gateway:
Are these settings correct? [Yes|No]: yes
The IP address setting changes from incomplete to complete.
- When ready, follow the steps in Perform full initial configuration.
Perform full initial configuration
You can perform initial configuration in the order that you prefer. As you finish configuring settings, the status changes from incomplete to complete.
You may have already completed some of these steps from the data center.
Before you begin
Connect a keyboard, video, and mouse (KVM) to the console port.
Complete the initial configuration
- Power on the appliance.
The boot and start-up processes take a few minutes.
- When prompted to sign in, specify the user name tanadmin and the default password Tanium1 or the password set by your data center team when the Tanium Appliance was racked. View screen
------------------------------------------------------
>>> Initial Configuration <<<
Initial configuration workflow for a new TanOS appliance.
All items must be complete before the appliance can be used.
IP Address:
Hostname: initial-tanos-347587.localdomain
P: Set Password (INCOMPLETE)
I: Configure iDRAC
Set the password to continue configuration
F: [DISABLED] Finish Initial Configuration
S: Shutdown
Z: Log out
------------------------------------------------------
TanOS Version: 1.7.4
Please select:
- Enter P and then follow the prompts to change the password. View screen
------------------------------------------------------
>>> Initial Config -> Set Password <<<
Preparing to change the password for tanadmin
The password policy requires meeting these rules:
- Minimum of 10 characters long
- At least 1 upper case character
- At least 1 lower case character
- At least 1 numeric character
- At least 1 other character
- Must not match any of recent 4 passwords
- Must not be based on a dictionary word
- Must not contain part of the username
Please enter password (will not be displayed):
Password score: 55 out of 100 (strong)
Please enter password again:
The password change was successful.
Press enter to continue
Follow the password policy guidelines closely. Note the password score that appears and aim for a strong password.
- Press Enter to return to the Initial Configuration menu. View screen
------------------------------------------------------
>>> Initial Configuration <<<
Initial configuration workflow for a new TanOS appliance.
All items must be complete before the appliance can be used.
IP Address:
Hostname: initial-tanos-347587.localdomain
P: Set Password (complete)
A: Set IP Address (INCOMPLETE)
N: Set FQDN (hostname) (INCOMPLETE)
D: Set DNS Nameservers (INCOMPLETE)
T: Set NTP (time) (INCOMPLETE)
E: View and Accept EULA (INCOMPLETE)
F: [DISABLED] Finish Initial Configuration
S: Shutdown
Z: Log out
------------------------------------------------------
TanOS Version: 1.7.4
Please select:
- If necessary, enter A, and then follow the prompts to set the static IP address, IPv6 settings, and gateway. View screen
>>> Network Configuration <<< >
Note: any existing IP address listed below is NOT persistent/DHCP assigned.
Please provide a static IP address below regardless of the current
configuration. At the end of the initial configuration routine you will be
logged out. If the IP address is changed then you will need to modify your
connection settings to reach the TanOS menu.
Available interfaces:
#: Interface State Link MAC IP Location
1: ens160 UP UP 00:0c:29:35:f4:fa 10.10.10.60/24 virtual
Please select: 1
Current settings:
Interface: ens160
IPv4 Address: 10.10.10.60/24
Default IPv4 Gateway: 10.10.10.2
IPv6 Address: fe80::20c:29ff:fec3:4afa/64
IPv6 Gateway:
Enter the IPv4 address/prefix (e.g. 10.2.3.4/24): 10.10.10.60/24
Enter the IPv4 gateway address (e.g. 10.2.3.1): 10.10.10.2
Would you like to accept default IPv6 settings? [Yes|No]: yes
New settings:
Interface: ens160
IPv4 Address: 10.10.10.60/24
Default IPv4 Gateway: 10.10.10.2
Manual IPv6: No
IPv6 Address: fe80::20c:29ff:fec3:4afa/64
IPv6 Gateway:
Are these settings correct? [Yes|No]: yes
- After the initial configuration screen appears with the updated IP address configuration, enter N and then follow the prompts to configure the fully qualified domain name (FQDN). View screen
>>> Initial Config -> Set FQDN <<<
Current hostname (FQDN):
New FQDN: fqdn.example.com
Setting new hostname (FQDN):
fqdn.example.com
Do you want to continue? [Yes|No]: Yes
-
After the initial configuration screen appears with the updated FQDN configuration, enter D and then follow the prompts to set the DNS name servers. View screen
>>> Initial Config -> Set Nameservers <<<
Currently configured nameserver(s):
Enter the first DNS server address: 10.10.10.10
Enter the second DNS server address:
Setting nameserver 1: 10.10.10.10
Setting nameserver 2:
Do you want to continue? [Yes|No]: Yes
- After the initial configuration screen appears with the updated DNS configuration, enter T and then follow the prompts to set the NTP servers. View screen
>>> NTP Configuration <<<
Timezone will be automatically set to UTC.
Enter the NTP server information for up to two NTP servers. Each entry consist
of a server name or IP address.
Optionally each server may indicate authentication information using
colons as a separator: >server<:>key-id<:>SHA1|MD5<:key
1.2.3.4
pool.ntp.org
ntp.secret.corp:999:SHA1:0123456789abcdef0123456789abcdef01234567
Please provide the NTP server address: pool.ntp.org
Please provide the second NTP server address (enter blank value for none):
The following settings will be used:
NTP Server 1: pool.ntp.org
NTP Server 2:
Are these settings correct? [Yes|No]: Yes
-
After the initial configuration screen appears with the updated NTP configuration, enter E and then use the spacebar to page through the end-user license agreement (EULA). When complete, press the Q key, enter your email address, and enter YES to accept.
The email address is stored locally only. It is not used externally for any reason.
- (Optional) Configure the iDRAC. This can also be done later from the TanOS menus.
- Enter F to finish initial configuration.
The appliance reboots, and when you sign in, the initial configuration menu is replaced by the tanadmin menu.
Access TanOS remotely
To access your Tanium Appliances remotely, note the following requirements.
- Your local
management computer
must be connected to a subnet that can reach the appliance IP address.
- Your management computer must have an SSH client application or terminal emulator that can make a client connection to the appliance.
- You must have an SSH client such as PuTTY to sign in to the TanOS console. For PuTTY, use version 0.71 or later.
- You must have an SSH key generator such as ssh-keygen to generate keys for the tancopy user.
- You must have an SFTP client such as WinSCP to copy files to and from the appliance. For WinSCP, use version 5.15.2 or later.
Watch the tutorial about how to configure WinSCP for the Tanium Appliance.
Configure SSH keys
TanOS has built-in and customer-created user accounts to access the appliance operating system and perform tasks.
Before you install a Tanium Appliance role, you must add SSH keys to authenticate access for the tancopy built-in user. tancopy can make an SFTP connection with SSH key authentication to TanOS and copy files to and from the /incoming and /outgoing directories.
TanOS does not support self-service password reset methods. If you forget your password, you must ask a user with the tanadmin role to reset it for you. You can avoid this risk by setting up SSH key authentication.
Watch the tutorial about how to configure SSH key authentication for the Tanium Appliance.
Before you begin
- You must have an SSH client to sign in to the TanOS console, and an SFTP client to copy files to and from the appliance.
- You must have an SSH key generator to generate keys for the tancopy user.
Add SSH keys
You must set up an SSH key for the tancopy user. For the best results, set up SSH key authentication for TanOS user accounts.
Add SSH keys for the tancopy user
You must set up an SSH key for the tancopy user. The SSH key is used when you transfer files through SFTP to the /incoming and /outgoing directories.
- Use an SSH key generator such as ssh-keygen to generate a public/private key pair. Note:
- Specify an RSA key with 2048 bits (such as ssh-keygen -t rsa -b 2048).
- Specify a passphrase that is easy to remember.
- Save the private key to a location that you can access when you set up your SFTP client.
- Copy the text in the public key file to the clipboard. If you use ssh-keygen, copy the contents of the .pub file that you created.
In an SSH key exchange, the keys must match exactly, including line endings.
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter C to go to the User Administration menu.
- Enter U to manage TanOS users.
- Enter the line number for the tancopy user to go to the user administration menu for this user. View screen
>>> User Administration -> TanOS -> tancopy <<<
Username: tancopy
Account Enabled: Yes
Authentication: SSH Key Only
SSH Lockout: No (0)
Multi-Factor: Not configured
Notes:
* This user account cannot be deleted
* This user account cannot have a password
* This user account cannot use multi-factor
A: Manage SSH Authorized Keys
P: Manage SSH Key Pair
L: Reset SSH Lockout
C: [DISABLED] Change Password
N: [DISABLED] Disable Password Access
M: [DISABLED] Multi-Factor Authentication
E: Enable Account
D: Disable Account
X: [DISABLED] Delete User
F: Edit known hosts file
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter A to go to the Authorized Keys menu. View screen
>>> User Administration -> TanOS -> tancopy -> Authorized Keys <<<
Account: tancopy
Select an entry to view or delete.
1: 2048 SHA256:m/0rT0o+rDfKLWQQULUQqbOUdMkojZhco60dCuu3elY
2: 2048 SHA256:8OV4S5V30aFu9pZKexRVaElF3BgJNEx+Y91fgbnzxIU
A: Add key
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter A and follow the prompts to add the contents of the public key generated in Step 1. View screen
>>> User Administration -> TanOS -> tancopy -> Authorized Keys -> Add <<<
Account: tancopy
Please paste the public key and press enter:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA1ClmgkMrbbxB7jND/Y4/Giupck35xAuGNKfZWqVLM5F0CNXuTScf6v2z
MDxW5TO5tm/U8P9sqh19RDEzTn2RayXzsoZmXyB8abCCpHG4+03Zv05RHiX4i5QomAMBnbZejdA9/fGTxO1rPo1rdtTq
Z+KCgzbEhHLWUD44+If5RtG+U4kgyzlYsyjgwhfho+BrRY6e7QYBsXVbuBQ9ROGV6PCTB80jXZVAKrAbsTQ1DVkpuBue
mftv7vOn3b8MKzJ/IY/LLL1tIgpSGvgvjr2mOJJ+JoZF2XnPVUFmYiDSCkPAzhCyFHILHfOVAfws9n1G6p3fwILqNhvB
oPeaCFaApQ== rsa-key-20200123
Validating input
Adding key to authorized keys after validation
Finished adding authorized keys for tancopy
Press enter to continue
- To test, on your management computer, set up an SFTP client such as WinSCP to connect to the Tanium Server appliance:
- Specify tancopy for user name.
- Click Advanced.
- Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance.
- Save the configuration and click Login to initiate the connection.
You should be able to connect to the appliance and see the /incoming and /outgoing directories.
Add SSH keys for TanOS users
It is a best practice to also set up SSH key authentication for TanOS user accounts.
As an alternative to the following procedure, you can use ssh-copy-id to add an SSH public key to any TanOS user with the tanadmin profile.
- Use an SSH key generator such as ssh-keygen to generate a public/private key pair. Note:
- Specify an RSA key with 2048 bits (such as ssh-keygen -t rsa -b 2048).
- Specify a passphrase that is easy to remember.
- Save the private key to a location that you can access when you set up your SFTP client.
- Copy all of the text in the public key file to the clipboard. If you use ssh-keygen, copy the contents of the .pub file that you created.
In an SSH key exchange, the keys must match exactly, including line endings.
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter C to go to the User Administration menu. View screen
------------------------------------------------------
>>> User Administration <<<
U: TanOS User Management
I: Recent Login Information
M: Multi-Factor Global Settings
A: AD/LDAP TanOS Authentication
L: Local Tanium User Management
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter U to manage TanOS users.
- Enter the line number of the user account that you want to manage. View screen
>>> User Administration -> TanOS -> tanadmin <<<
Username: tanadmin
Account Enabled: Yes
Authentication: SSH Key or Password
SSH Lockout: No (0)
Notes:
* This user account must always have a password
* This user account cannot be deleted
* This user account cannot be disabled
A: Manage SSH Authorized Keys
P: Manage SSH Key Pair
L: Reset SSH Lockout
C: Change/Enable Password (Chosen)
N: [DISABLED] Disable Password Access
M: Multi-Factor Authentication
E: [DISABLED] Enable Account
D: [DISABLED] Disable Account
X: [DISABLED] Delete User
F: Edit known hosts file
R: Return to previous menu RR: Return to top
- Enter A to go to the Authorized Keys menu. View screen
>>> User Administration -> TanOS -> tanadmin -> Authorized Keys <<<
Account: tanadmin
Select an entry to view or delete.
1: 2048 SHA256:m/0rT0o+rDfKLWQQULUQqbOUdMkojZhco60dCuu3elY
A: Add key
R: Return to previous menuRR: Return to top
- Enter A and follow the prompts to paste the public key generated in Step 1. View screen
>>> User Administration -> TanOS -> tanadmin -> Authorized Keys -> Add <<<
Account: tanadmin
Please paste the public key and press enter:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqXUnoyrg4opYQp4DGZoasYy8ud5oJEar9BqRr2RVHMm/Sxcl4T1sthsN
WS0ECo0j32mCSM3ynYZn2AdJTU6HbKnFM30gtQL7+tpmGrgbkaVEJ9OXoA47JP0o5hbI16UUpuEKJrEBOYovIsrN2gtwKbz
YdOVCxVq5amzqg7/UrQyUO3rmt54qStiqNIiHI3UjzPWYJwUxz90vU7LWsXYz1CAWBTXnh51kg0lBPFgbRmUZJb0DwLb4Sw
lFZAe5P0RO4RwdmZVgTfsqy+MVuyzaBzGD1z4MlIZ83R6sW+nXtipbzqhFTLykLRLIXobuHjuf0Yy1H7/ZDJh/qlojce4TC
g/+5e2h1RQ8ZKgECZDJoCdrkAM6y9arHCoZwqEP9MXugQXCO6EMrP39vXajnV3YrDKKLYP1pxWZGOA4ylNqY5mG1+AofVdG
vAUBztjXfXgC3bgL0Qgp+d3E8JvLRHXfkmRijppvj+BCJUawXJfkMtBEgrxQP9PoDwHrqJj6ey80v8P7DgojQw83JumsG3S
+7l0e0Ia02q/05s2EpOv9jE9aJiLRGKbb4WkjvUSpK1VmDK54qfeSKj6yp3IIt13GBKmkVqKbbZS6gaZ3UTpzq3dj+53YeP
eOe8XMECuxl6aH4nLT4u3CqrCqxTfTa5y1Fi3/e9zI5/AKJlTXWF3ISCQ== [email protected]
Validating input
Adding key to authorized keys after validation
Finished adding authorized keys for tanadmin
Press enter to continue
- To test, on your management computer, set up an SSH client such as PuTTY to connect to the Tanium Server appliance:
- Specify the Tanium Server IP address, port 22, and SSH connection type.
- Under SSH, browse and select the private key that pairs with the public key uploaded to the appliance.
- Open the SSH session and enter the tanadmin user name.
- You are prompted for the SSH key passphrase instead of the tanadmin password. View screen
login as: tanadmin
######################## WARNING ########################
Unauthorized access is strictly prohibited.
#########################################################
Authenticating with public key "rsa-key-20200119"
Passphrase for key "rsa-key-20200119":
Add TanOS system users
Create additional TanOS system users based on tanadmin (privileged) and tanuser (restricted) profiles. It is useful to have more than one privileged user in case you forget the password for the initial tanadmin user.
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter C to go to the User Administration menu. View screen
------------------------------------------------------
>>> User Administration <<<
U: TanOS User Management
I: Recent Login Information
M: Multi-Factor Global Settings
A: AD/LDAP TanOS Authentication
L: Local Tanium User Management
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter U to manage TanOS users. View screen
------------------------------------------------------
>>> User Administration -> TanOS <<<
#: User ID Role Auth Name
1: tanadmin tanadmin Key+Pwd Tanium Privileged User
2: tancopy tanuser Key Tanium Copy User
A: Add System User
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter A and follow the prompts to add a system user. View screen
>>> User Administration -> System Users -> Add System User <<<
Adding a system user requires first name, last name, user name and user role.
Attention:
TanUser Role: Monitor/Check the status of the appliance, no changes are allowed
TanAdmin Role: Full administrative role to manage the appliance
A temporary password will be generated and the new user is required to change
their password upon first login!
The password policy requires meeting these rules:
- Minimum of 10 characters long
- At least 1 upper case character
- At least 1 lower case character
- At least 1 numeric character
- At least 1 other character
- Must not match any of recent 4 passwords
- Must not be based on a dictionary word
- Must not contain part of the username
Please enter first name: John
Please enter last name: Doe
Please enter desired user name (max 30 chars): john.doe
Which role should be assigned to john.doe?
1: TanUser (Monitoring)
2: TanAdmin (Administrative)
Please select: 2
The temporary password for john.doe is: proudbrownwildfowl
Adding local user john doe ...
Successfully added user john doe (username: john.doe) with role tanadmin.
Press enter to continue
Export the RAID controller security key
The RAID controller security key is used by the controller to lock and unlock access to encryption-capable physical disks. You can export the key and store it in a safe location. During recovery from controller failure, you will need to provide the key. When you run a Health Check, you might see messages alerting you to export the RAID controller security key.
Boot Check: Pass (EFI Boot)
Active partition: pass (VolGroup1-root)
>>> Hardware health (will take 1-12 seconds) <<<
hardware type: pass (TV-220)
RAID controller RAID.Integrated.1-1 Security Key: pass
disk encryption: pass
>>> RAID Controller Security Key <<<
RAID Security key check: fail (key has NOT been exported) <--------
>>> Tanium Application file Permissions <<<
executed checks: 48
failed checks: 4
new health status setting: warning
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu. View screen
------------------------------------------------------
>>> Appliance Configuration <<<
1: Hostname/DNS Configuration
2: Networking Configuration
3: NTP Configuration
4: Syslog Configuration
5: SNMP Configuration
6: Module File Share Configuration
7: Reset all NICs to DHCP (VM only)
A: Security
I: iDRAC Management
X: Advanced Configuration
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter X to go to the Advanced Configuration menu. View screen
------------------------------------------------------
>>> Appliance Configuration -> Advanced Menu <<<
Attention: The options in this menu can affect performance
and emergency recovery.
Please consult your TAM before utilizing the below options.
1: Auto-Disable
2: TanOS Log
3: Change Active Partition
4: Change RAID Controller Key
5: Export RAID Controller Key
6: Export Grub Key
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter 5 to go to the Export Security Key menu.
- Follow the prompts to export the RAID controller security key to the /outgoing directory. View screen
>>> Appliance Configuration -> Advanced Menu -> Export Security Key <<<
Once the security key has been placed in the outgoing directory it
will remain until the nightly cleanup job is run. After this time it
will be deleted and must be exported again.
Please be sure to download it and save in a secure location.
Would you like to export the security key? [Yes|No]: yes
The security key has been placed in the sftp outgoing directory.
This location will be cleaned daily at 02:00am appliance time!
Press enter to continue
- Use SFTP to copy the file from the /outgoing directory to your local computer.
Files copied to the /outgoing directory that are older than 24 hours are deleted every day at 02:00 AM UTC. You should copy the RAID controller security key file from the /outgoing directory to your local computer immediately after you have used the TanOS menu to export it and save it in a protected location. If you lose the RAID controller key file, you can return to the Advanced Menu and export the key file again.
The default name of the RAID controller key file is TanOS-key-controller-Cfg.tgz. It is recommended to change the name to include the host name or serial number of the appliance it came from before you store it. You likely have more than one appliance, so a name based on a unique host name or serial number is useful if you later need to locate the correct file.
Export the grub key
The grub key can be used during the boot sequence to diagnose and recover from failure conditions. You can export the key and store it in a safe location. During recovery, you need to provide the key to Tanium Support for a technician to extract the grub password.
- Sign in to the TanOS console as a user with the tanadmin role.
- Enter A to go to the Appliance Configuration menu. View screen
------------------------------------------------------
>>> Appliance Configuration <<<
1: Hostname/DNS Configuration
2: Networking Configuration
3: NTP Configuration
4: Syslog Configuration
5: SNMP Configuration
6: Module File Share Configuration
7: Reset all NICs to DHCP (VM only)
A: Security
I: iDRAC Management
X: Advanced Configuration
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter X to go to the Advanced Configuration menu. View screen
------------------------------------------------------
>>> Appliance Configuration -> Advanced Menu <<<
Attention: The options in this menu can affect performance
and emergency recovery.
Please consult your TAM before utilizing the below options.
1: Auto-Disable
2: TanOS Log
3: Change Active Partition
4: Change RAID Controller Key
5: Export RAID Controller Key
6: Export Grub Key
R: Return to previous menu RR: Return to top
------------------------------------------------------
- Enter 6 and follow the prompts to export the grub key to the /outgoing folder. View screen
>>> Appliance Configuration -> Advanced Menu -> Export Security Key <<<
Once the security key has been placed in the outgoing directory it
will remain until the nightly cleanup job is run. After this time it
will be deleted and must be exported again.
Please be sure to download it and save in a secure location.
Would you like to export the security key? [Yes|No]: yes
The security key has been placed in the sftp outgoing directory.
This location will be cleaned daily at 02:00am appliance time!
Press enter to continue
-
Use SFTP to copy the file from the /outgoing directory to your local computer.
What to do next
- It is a best practice to complete iDRAC configuration before you install Tanium servers. See Manage the iDRAC interface.
- When these steps are completed, you can continue with the installation of an Appliance Array.
