Managing Client Groups
A client group is used to group one or more clients to simplify configuration and administration. GuardPoints created on a client group are applied to all members of the group. Additionally, you can apply client group configuration settings to all clients in a client group. A client can be a member of multiple client groups.
If you have created a group of one type of clients, then you should only add similar clients to the group. Same configuration settings can only be applied to clients of the type with which the client group is created. If a different type of client is added, configuration settings cannot be applied to that client.
Creating a Client Group
To create a client group:
Open the CTE application.
Click Clients > Client Groups.
Click Create Client Group. The Create Client Group dialog box is displayed.
Enter a unique Name for the client group.
(Optional, displayed if a profile already exists) From the Client Profile drop-down list, select the desired client profile. The default profile is
DefaultClientProfile
.(Optional) Provide Description to identify the client group. The maximum length can be 256 characters.
Click Create. The client group is created.
The newly created client group appears in the client groups list. Now, you can add clients to the group, if needed. Refer to Adding Clients to a Client Group for details.
As soon as the first client group is created, DefaultClientProfile
is also created, if it does not exist.
Adding Clients to a Client Group
Clients can be added a client group either manually or by specifying the group when registering clients with the CipherTrust Manager. If you specify a client group during client registration, the client automatically appears under the client group on the CipherTrust Manager GUI. Refer to the CTE Agent Clients Guide for information on the registration process.
To manually add clients to a client group:
Open the CTE application.
Click Clients > Client Groups.
Under Client Group Name, click the desired client group.
In the mini detail view, click Add Client. The Add Client To Client Group
dialog box is displayed with the list of available clients, if any. At least, one client must already exist. Select the desired clients.
Click Add. A dialog box is displayed asking you to confirm settings inheritance.
Confirm whether the selected clients should inherit settings from the client group. The options are:
Inherit Client Group Settings: This is the default and recommended option. Clients inherit the following properties of the group except the password:
- Client Settings
- Agent Lock
- System Lock
- Communication Enabled
- Profile Settings
- QoS Settings
- GuardPoints
Refer to Inheritance of Client Group Settings for details.
Do not Inherit Client Group Settings: Clients retain their individual settings. Selecting this option can introduce configuration conflicts. This is not the recommended option. Read the instructions carefully before selecting this option.
Click OK.
The selected clients are added to the group. They are displayed in the mini view of the client group. Also, the client group is now displayed on the Membership tab of the client. You can remove the client from the group by clicking Remove.
Displaying Client Groups
To view the list of client groups:
Open the CTE application.
Click Clients > Client Groups. The list of available client groups is displayed.
The client groups list shows the following details:
Column | Description |
---|---|
Client Group Name | Name link of the client group on CipherTrust Manager. Click the link to open client group details in edit mode. The edit mode shows additional details and configuration settings. In the edit mode, you can also view and add clients, GuardPoints, and Client Group Settings. |
Description | (Optional) Description to identify the client group. |
Modifying Client Groups
After you have created a client group, you can update group details and configuration settings. You can make the following changes:
- Enable or disable Agent communication for the clients in the group
- Lock or unlock the CTE Agent files on the clients in the group
- Change the CTE Agent password for the clients in the group
- Change the linked profile
- Add new clients to the group
- Remove clients from the group
To modify a client group:
Open the CTE application.
Click Clients > Client Groups.
Under Client Group Name, click the desired client group. The mini view of the client group is displayed.
In the mini detail view, modify the required details:
Unlock: Unlock Agent Lock and System Lock.
Agent Lock: Lock the contents of the CTE Agent directories on the clients.
System Lock: Apply an internal policy to the clients to lock system directories like
/var
,/bin
, and/etc
. Enabling System Lock automatically enables Agent Lock.Communication Enabled: Whether to enable clients' communication with the CipherTrust Manager. Select to enable, clear to disable communication.
Password Creation Method: Set the password creation method — Generate or Manual. Refer to Changing Client Group Password for details.
Client Profile: Select a profile for the client group. The default profile is
DefaultClientProfile
. To change the client profile, refer to Changing the Profile for details.
Click Apply.
Additionally, you can define GuardPoints for the clients in the group. Refer to Managing GuardPoints.
Changing the Profile
To change the profile:
Open the CTE application.
Under Client Group Name, click the desired client group.
Next to Client Profile, click the profile link (for example,
DefaultClientProfile
). The Select Profile dialog box shows the current client profile and Rekey Option, Rekey Rate, and Schedule of the selected profile.From the Profile drop-down list, select the desired profile.
Click OK. The selected profile is linked successfully.
Changing Client Group Password
The CipherTrust Manager allows for client password management using client groups. For large scale deployments where the CipherTrust Manager must manage several hundreds or thousands of agents, administering passwords on a per-client basis becomes untenable and burdensome. Using a common password across all the clients in a client group mitigates the administrative burden.
This feature is also useful for offline agent recovery. If a remote agent reboots (planned or unplanned) and cannot communicate with the CipherTrust Manager in the central office, it prompts the administrator at the remote site to enter the client password. The remote site administrator typically calls the corporate help desk for the password. Using the password provided by the help desk personnel, the remote site administrator enables offline agent recovery and the resumption of services. As the password is now known to the remote site administrator and the help desk personnel, it may result in a breach of security and/or render the IT operations non-compliant with respect to guaranteeing data privacy.
To remedy the compromised situation, the security administrators should change the password—rotate the password—according to existing security practices. The client group password management feature allows changing the password on all the clients in the client group when the password is compromised.
The use cases for client group password feature can be summarized as follows:
Set a common password for all clients in a client group.
Reset the common password for all clients in a client group (if the password is provided to a remote CTE Agent administrator for offline agent recovery).
This feature is best suited for large scale deployments when many agents are under the management of a CipherTrust Manager cluster.
Changing the Password Manually
Note
The manual password creation method is recommended for disaster recovery scenarios.
To change the password:
Open the CTE application.
Click Clients > Client Groups.
Under Client Group Name, click the desired group.
Alternatively, click the expand icon () to the left of the desired client group in the client groups list.
From the Password Creation Method drop-down list, select Manual. The Regenerate Password button is replaced by Change Password.
Click Change Password.
Enter the new password in the Password and Confirm Password fields. The password must match in both the fields.
The password must contain minimum eight characters including at least:
• One capital letter
• One number
• One of these special characters:! @ # $ % ^ & * ( ) { } [ ]
To cancel the password change, click Cancel Change Password.
Click Apply.
When the new password is applied, the server pushes the password to all clients in the client group. Clients that are removed from the client group retain the password set for the group. Clients added to the group later do not receive the new password.
Changing the Password Dynamically
To change the password:
Open the CTE application.
Click Clients > Client Groups.
Under Client Group Name, click the desired group.
Alternatively, click the expand icon () to the left of the desired client group in the client groups list.
From the Password Creation Method drop-down list, select Generate. This is the default method.
Click Regenerate Password.
Click Apply.
A new generated password is downloaded to the client.
Inheritance of Client Group Settings
Instead of specifying settings for applications running on multiple clients individually, configure them at the client group level. Those settings can be automatically applied to all clients in the group. Refer to Client Settings for details on client settings.
Caution
Take care when defining client settings at the client group level. If a group contains clients running different operating systems (for example, Linux and Windows) that inherit client settings from the group, conflicts and issues may be observed with file and user access permissions.
A client that joins a client group can opt to inherit client group configuration including the client settings.
- If the client settings are not defined at the group level, the client retains its own settings.
- If the client settings at the group level are modified later, the updated settings apply to all group members that inherit configuration from the group.
- Individual clients in the group have client settings overwritten by the group's client settings.
For example:
clientA
has client settings defined, joinsclientGroup1
and inherits its group configuration.clientB
also joinsclientGroup1
but does not inherit its group configuration.clientGroup1
, however, does not have any client settings defined. In this case, bothclientA
andclientB
retain their own client settings.- Now, client settings of
clientGroup1
are modified. This overwrites the client settings of all clients that inherit group configuration fromclientGroup1
. SoclientA
inherits the modified group confguration butclientB
does not, as it does not inherit client group configuration. clientB
is modified to inherit settings fromclientGroup1
. The next timeclientGroup1
updates its client settings, the changes apply to bothclientA
andclientB
.
A client can be a member of more than one client groups. If the client inherits client group configuration from the first client group it joins, and the next groups it joins subsequently, the client inherits the client settings from the last group that it joins.
For example:
clientC
joinsclientGroup2
and inherits the client group configuration.clientC
now hasclientGroup2
client settings.clientC
is added toclientGroup1
and set to inherit client group configuration. So,clientC
getsclientGroup1
client settings.
If client settings of a client group are emptied, member clients that inherit settings from the group retain the last defined client settings.
For example:
clientGroup1
deletes its client settings. All member clients (clientA
,clientB
, andclientC
) retain the last client settings defined forclientGgroup1
— blank client settings are not passed to members of the group.clientB
leavesclientGroup1
. Now,clientB
retains the client settings it last inherited fromclientGroup1
.
If the client settings of a member of a client group are modified, that client no longer inherits client settings from the client group.
For example, client settings on clientB
are modified. Then, the client settings for clientGroup1
are modified, all members except clientB
inherit the changes made to the client settings for clientGroup1
.
Configuring Client Group Settings
To configure client settings at group level:
Open the CTE application.
Click Clients > Client Groups.
Under Client Group Name, click the desired client group.
Click the Client Group Settings tab. Scroll down the screen, if needed.
In the Settings text box, add
|authenticator|
before the path of the binary. For example,|authenticator|/bin/su
to allowsu
to be a trusted method of authentication. For further consideration of authentication options, refer to Client Settings.(Optional, if you add another process to the set of trusted applications) Enable Re-sign Settings to ensure that the new process is signed and authenticated by the client. The next time the client settings are pushed to the CTE Agent, the updated client settings are re-signed and the Re-sign Settings toggle is disabled (or reset).
If, after adding a new process, you do not enable Re-sign Settings, the client ignores the newly added process. See Re-Sign Settings for more information.
Click Apply.
Deleting Client Groups
As part of CipherTrust Manager maintenance, you occasionally must remove client groups from the CipherTrust Manager.
When you delete a client group, only the group is removed from the CipherTrust Manager GUI. Individual clients that are members of the group remain intact.
If you configured a client group password, the individual clients retain the group password.
Deleting a Client Group
To remove a client group:
Make sure that no GuardPoints is applied on the group.
Open the CTE application.
Click Clients > Client Groups.
Under Client Group Name, click the overflow icon () corresponding to the desired group.
Click Delete. A dialog box appears prompting to confirm the action.
Click Delete.
The client group is removed from the client groups list. Also, the client group is removed from the Membership tab of the linked clients.