Client Management
A client represents a machine where a supported product such as ProtectFile, ProtectV, and CTE is installed. A client needs to be registered with the CipherTrust Manager to retrieve and store encryption keys to encrypt and decrypt data. When successfully registered, the client is automatically added to the CipherTrust Manager.
A client can be registered with the CipherTrust Manager by using a registration token generated on the CipherTrust Manager. This token is called the client registration token. The fingerprint of the server’s web interface certificate is also required for registering clients with the CipherTrust Manager.
The CipherTrust Manager provides options to manage registration tokens and clients.
Tokens
A token is a string used to register, with the CipherTrust Manager, clients that have ProtectFile, ProtectV, CTE, or CTE UserSpace installed. The CipherTrust Manager provides options to create tokens, view existing tokens, view and modify their details, and delete them when they are no longer required.
The following table lists the parameters that are required when creating or managing a registration token on the CipherTrust Manager:
Parameter | Description |
---|---|
Certificate Authority ID | ID of the trusted CA that will be used to sign a client certificate during the registration process. By default, a local CA will be used to issue certificates. A signed Local CA certificate is used to secure communication between the CipherTrust Manager and clients. To use an external CA certificate, specify the ID of the Local CA signed by the external CA. |
Lifetime | Duration (in minutes, hours, or days) for which this token can be used for registering clients. Specify m for minutes, h for hours, and d for days. For example, specify the lifetime as:
By default, there is no time limit; the token can be used forever. |
Certificate Duration | Duration (in days) for which the CipherTrust Manager client certificate is valid. The default duration is 730 days. |
Maximum Clients | Maximum number of clients that can be registered using this registration token. By default, there is no limit; any number of clients can be registered using this token. |
Name Prefix | Prefix for the client name. This prefix will be used to construct names for clients whose names will not be specified during registration with the CipherTrust Manager using this token. However, if a client's name is specified during registration, this name prefix will not be used for that client. |
Revocation Reason | Reason for revoking the client registration. |
Creating a Registration Token
A registration token can be created on the CipherTrust Manager. It is used when registering CipherTrust Manager clients with the CipherTrust Manager. A CipherTrust Manager administrator creates registration tokens.
To create a registration token:
Log on to the CipherTrust Manager GUI as administrator.
Click Keys & Access Management.
In the left pane, click Registration Tokens.
On the right, click New Registration Token. The Create New Registration Token wizard is displayed. This is a three-step wizard.
Click Begin to start token creation. The Configure Token screen is displayed.
(Optional) Specify a Name Prefix. Prefix for the client name. This prefix is used to construct names for clients whose names are not specified during registration with the CipherTrust Manager using this token.
If the name prefix is specified as ks_client, client names will be constructed as ks_client#; for example, ks_client1, ks_client2, ks_client3, and so on.
If the name prefix is not specified, the CipherTrust Manager will construct a random name for clients.
However, if a client's name is specified during registration, this name prefix will not be used for that client.
Specify Token lifetime. This is the duration (in minutes, hours, or days) for which this token can be used for registering clients. For example, specify the lifetime as:
1 minutes for 1 minute
2 hours for 2 hours
3 days for 3 days
unlimited for a token that never expires.
By default, the token lifetime is unlimited. The token will never expire.
Specify Certificate Duration. This is the duration (in days) for which the CipherTrust Manager client certificate is valid. The default duration is 730 days.
Specify Client Capacity. This is the maximum number of clients that can be registered using this registration token. The default capacity is 100 clients.
Click Next. The Select CA screen is displayed.
Select a CA from the given list as per your requirements.
Click Create Token. The Create Token screen is displayed. The created token is displayed on screen.
Click Copy next to the token. Save the copied token. This token will be used when migrating clients.
Click Done.
Getting the Fingerprint of the Server Certificate
The fingerprint of the server's "web" interface certificate is unique. It is used when registering ProtectFile and CTE UserSpace clients with the CipherTrust Manager. A CipherTrust Manager administrator can provide you with the fingerprint.
The fingerprint of the server’s web interface certificate can be viewed on the GUI or the API playground.
On the API Playground
To get the fingerprint:
Acquire an authorization token.
In the left pane of the API playground, click Client-Management/Tokens.
Under Client-Management/Tokens, click Web Certificate Fingerprint. The Web Certificate Fingerprint section of the API playground is displayed in the right pane.
Click GET. View the fingerprint details in the response output.
The SHA256 and SHA512 fingerprints of the server’s web interface certificate are displayed.
On the UI
To get the fingerprint:
Log on to the CipherTrust Manager as administrator.
Click Keys & Access Management.
In the left pane, click Registration Tokens. The list of existing registration tokens with details such as their name, expiry, remaining usage count, and usage count is displayed.
On the right, under Web Server Certificate Fingerprint, the fingerprint is displayed.
The UI displays the SHA256 fingerprint. To get the SHA512 fingerprint, use the API playground.
Copy the fingerprint.
Save the fingerprint. This fingerprint will be used when migrating clients.
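Before a registration token is handed to a server, the saved fingerprint can be checked against the certificate that server actually presents. The following is an added example, not CipherTrust code: it assumes the fingerprint is the SHA256 or SHA512 digest of the DER-encoded certificate, written as hex with optional separators, and all function names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import ssl

# Constructed stand-in for a certificate's DER bytes (not a real certificate).
SAMPLE_DER = b"constructed-der-bytes-for-demo"

# Hex digest length -> hash algorithm, for the two fingerprints the page mentions.
_ALGO_BY_HEX_LEN = {64: "sha256", 128: "sha512"}


def normalize_fingerprint(text: str) -> str:
    """Strip separators and case so 'AB:CD', 'ab cd' and 'abcd' compare equal."""
    cleaned = "".join(ch for ch in text if ch not in ": -\t\r\n").lower()
    if len(cleaned) not in _ALGO_BY_HEX_LEN:
        raise ValueError("fingerprint is not a SHA256 or SHA512 hex digest")
    if set(cleaned) - set("0123456789abcdef"):
        raise ValueError("fingerprint contains non-hex characters")
    return cleaned


def fingerprint_matches(der: bytes, expected: str) -> bool:
    """True if the certificate digest equals the fingerprint obtained out of band."""
    want = normalize_fingerprint(expected)
    algo = _ALGO_BY_HEX_LEN[len(want)]  # pick the hash from the digest length
    got = hashlib.new(algo, der).hexdigest()
    return hmac.compare_digest(got, want)


def fetch_server_cert_der(host: str, port: int = 443) -> bytes:
    """Fetch the certificate the server presents, without validating its chain.

    Trust comes from the fingerprint comparison, not from this connection.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    import sys

    # Usage: script.py <manager-host> <fingerprint saved from the GUI or API>
    host, expected = sys.argv[1], sys.argv[2]
    ok = fingerprint_matches(fetch_server_cert_der(host), expected)
    print("fingerprint OK" if ok else "MISMATCH: do not register against this server")
    sys.exit(0 if ok else 1)
```

A mismatch means the certificate on the wire is not the one the administrator recorded, so registration should stop until the difference is explained.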
Clients
All clients with supported product installations (for example, ProtectFile, ProtectV, and CTE) can be managed on the CipherTrust Manager. A CipherTrust Manager Administrator can register clients (except ProtectFile clients) with the CipherTrust Manager, view registered clients, view and modify details, revoke registrations, and delete clients when they are no longer needed.
The following table lists the parameters that are required when managing a client on the CipherTrust Manager:
Parameter | Description |
---|---|
Name | Name for the client to display on the CipherTrust Manager. |
Registration Token | Registration token to register the client with the CipherTrust Manager. |
Certificate Signing Request (CSR) | CSR to be signed by the CipherTrust Manager. |
Warning
As soon as a client is deleted from the CipherTrust Manager, all communication between the CipherTrust Manager and the client will stop immediately. It is recommended that the clients are decrypted before deletion; otherwise, the encrypted data will become inaccessible.