Managing Clients
A client is a computer system where the data needs to be protected. Compatible CTE Agent software is installed on the client. The CTE Agent can protect data on the client or on devices connected to it. A client can be associated with multiple GuardPoints for encryption of various paths (refer to Managing GuardPoints for details).
The Clients page of the CipherTrust Manager GUI displays all clients protected by encryption Agents.
The K8s Clients page of the CipherTrust Manager GUI displays all the registered Kubernetes Clients.
Registering Clients
Note
Before proceeding, make sure that:
A compatible CTE Agent is installed on the client.
The client is registered with the CipherTrust Manager.
Refer to the CTE Agent Quick Start Guide specific to your platform for information on installing and configuring CTE Agents.
Note
When CTE clients are restored on the CipherTrust Manager from the backup file of another CipherTrust Manager, you must unenroll the client before proceeding with reregistration.
When CTE clients are registered, they are automatically added to the CipherTrust Manager GUI.
Similarly, all the registered Kubernetes Clients are displayed on the K8s Clients page of the CipherTrust Manager GUI.
Adding Clients Manually
Optionally, the CipherTrust Manager administrator can manually add a client to the CipherTrust Manager GUI, even before the CTE Agent is installed on it.
Note
CTE for Kubernetes clients cannot be added manually. They are automatically added to the CipherTrust Manager on registration.
To add the client manually:
Log on to the CipherTrust Manager GUI as administrator.
Open the Transparent Encryption application. The Clients page is displayed.
Click Create Client. The Create Client wizard is displayed.
Add General Info
On the General Info tab:
Specify a unique Name for the client.
Set the Password Generation Method. The options are:
Generate: A password is generated automatically by CipherTrust Manager. This is the default method.
Manual: Set the password manually.
Select Manual.
Enter the new password in the Password and Confirm Password fields. The password must match in both fields.
Note
The password must contain a minimum of eight characters, including at least:
One capital letter
One number
One of these special characters:
! @ # $ % ^ & * ( ) { } [ ]
Refer to Changing Client Password for details.
Provide a Description for the client.
Specify the following, as appropriate:
UserSpace Client: Ensure that the check box is clear. This check box specifies whether the client will be a CTE UserSpace client.
Registration Allowed: Whether to allow the client's registration with the CipherTrust Manager. Select to allow, clear to deny registration. By default, registration is not allowed.
Communication Enabled: Whether to enable the client's communication with the CipherTrust Manager. Select to enable, clear to disable communication. By default, the communication is disabled. This can only be enabled when Registration Allowed is enabled.
Click Next.
Add GuardPoint (Optional)
Optionally, you can create GuardPoints on the manually added client. CTE supports creation of all types of GuardPoints on such clients.
On the Add GuardPoints screen:
Click Create GuardPoint.
Select a Policy. Refer to Policy Type under Creating Policies > Step 1: Specify General Information for details.
Specify the Type of the GuardPoint. Refer to Automatic and Manual GuardPoints for details on types of GuardPoints.
(COS GuardPoints only) Select the Cloud Storage Type.
Specify the Path (or Cloud Object Storage URL for a COS GuardPoint) to be protected. Refer to Managing GuardPoints for details.
Configure Preserve Sparse Region, Secure Start, and/or Auto Mount as appropriate. The options vary based on the selected policy.
The Multifactor Authentication option is unavailable for manually added clients.
Click Create.
The newly created GuardPoint appears in the list.
Confirmation
On the Confirmation screen:
Verify the client details. The Confirmation screen displays general information about the client and details of the GuardPoints added to the client.
If the details are incorrect or you want to modify them, click Back and update the details.
Click Save.
The newly created client appears in the clients list.
Searching Clients
The Clients page on the CipherTrust Manager GUI shows the list of registered clients.
To search for a registered client:
Log on to the CipherTrust Manager GUI as administrator.
Open the Transparent Encryption application. The Clients page is displayed. This page lists the clients added to this CipherTrust Manager appliance.
In the Search box, enter the client name. Search is case-insensitive. You can enter all or part of a client name. A partial client name displays every client with a name that contains the specified string.
Viewing Clients
The Clients page shows the total number of clients, clients with errors, clients with warnings, healthy clients, and unregistered clients. The Status Bar contains the following tabs:
Total Clients: Shows the total number of registered and unregistered clients with all types of health status.
Errors: Shows the number of clients with errors.
Warnings: Shows the number of clients with warnings.
Healthy: Shows the number of healthy clients.
Unregistered: Shows the number of unregistered clients.
Expunged: Shows the number of expunged clients.
Note
The Unregistered and Expunged states are not applicable to the CTE for Kubernetes clients.
Refer to Client States for details.
Click each tab to filter the clients. The clients list displays names of clients in the CipherTrust Manager database and details about their configuration.
To view the clients added to the CipherTrust Manager:
Open the Transparent Encryption application.
Click Clients > Clients. The clients list shows the following details:
Column: Description
Status: Health status of the client:
• Healthy
• Error
• Warning
• Unregistered
• Expunged
The Unregistered and Expunged states are not applicable to the CTE for Kubernetes clients. Refer to Client States for details.
Client Name: Name link of the client on the CipherTrust Manager.
Client Type: The type of the client:
• FS (a CTE client)
• CTE-U (a CTE UserSpace client)
OS Type: OS running on the client:
• AIX
• LINUX
• WINDOWS
For unregistered or manually added clients, UNKNOWN is displayed.
Agent Version: Version of the CTE Agent installed on the client. For unregistered or manually added clients, the field is empty.
Description: Description to identify the client.
Encryption Modes: Encryption mode(s) used to protect GuardPoints on the client, for example, CBC, CBC_CS1, and XTS.
LDT Enabled: Whether LDT is enabled on the client.
Profile: Profile linked to the client.
Domain Sharing Enabled: Whether the client is shared across domains (Yes or No). Refer to Sharing a Client Across Domains for details.
Sharing: Sharing status of the client.
• External: The client is external to the current domain. The client is created and shared from another domain.
• Shared: The client is shared across other domains. The current domain is the native domain of the client.
• -: The client is neither Shared nor External.
The field is left blank for clients that were registered with a previous version of the CipherTrust Manager. Such clients can also be shared across domains.
Refer to Sharing a Client Across Domains for details.
The Encryption Modes, LDT Enabled, Profile, Domain Sharing Enabled, and Sharing columns are hidden by default. To show/hide a column, click the custom view icon, select/clear the desired column, and click OK.
Client States
Healthy: Client is registered with the CipherTrust Manager without any errors, that is, init is received from the Agent without any issues.
Error: Client's communication is broken with the CipherTrust Manager for more than five minutes.
Warning: Client's communication is broken with the CipherTrust Manager or a GuardPoint is inactive for any reason.
Unregistered: Client is unenrolled from the CipherTrust Manager.
Expunged: Client's delete operation is triggered, but its confirmation is not yet received from the Agent.
Note
The Unregistered and Expunged states are not applicable to the CTE for Kubernetes clients. When a CTE for Kubernetes client is deleted or unenrolled (from the client), its entry is automatically removed from the CipherTrust Manager.
Unenrolling Clients
A registered CTE client can be unenrolled from the CipherTrust Manager. When the client is unenrolled (unregistered), the communication between the CTE Agent and the CipherTrust Manager is removed. The CTE Agent can no longer communicate with the CipherTrust Manager. However, the CipherTrust Manager still maintains the client configuration to allow re-registration.
Important Notes
A CTE client with Active LDT GuardPoints cannot be unenrolled (unregistered).
After unenrolling, the client's GuardPoints will still be displayed on the CipherTrust Manager. However, their status will be displayed as Unknown.
The status of the client capabilities, for example, LDT and ESG, will not change on the CipherTrust Manager. They will be displayed the same as they were before unenrolling the client.
The associated client under the Client-Management section of the API playground is deleted after unenrolling. If the client is not deleted automatically, you can delete it manually.
The status of the unenrolled client will be displayed as Unregistered on the CipherTrust Manager.
Note
An unenrolled client requires re-registration to enroll with the CipherTrust Manager again.
Note
When deleting a pod running on a registered CTE for Kubernetes client, you might notice some unwanted error messages. To avoid such messages, it is recommended to unenroll the CTE for Kubernetes client before attempting to delete the pod.
To unenroll a client from the CipherTrust Manager:
Open the Transparent Encryption application.
Click Clients > Clients.
Click the overflow icon corresponding to the desired client.
Click UnEnroll. A dialog box appears prompting to confirm the action.
An unenrolled client requires re-registration to enroll with the CipherTrust Manager again.
Click UnEnroll.
The selected client is unenrolled from the CipherTrust Manager. Its status on the CipherTrust Manager becomes Unregistered.
Reregistering Clients
An unenrolled client requires reregistration to enroll with the CipherTrust Manager again.
When you reregister a client, you must enable the same set of capabilities that were enabled on the client before reregistration. Also, specify the name of at least one client group (if the client was associated with any groups). Refer to Reregistering CTE Clients for details.
Deleting Clients
A CTE client can be deleted when it is no longer required to be associated with the CipherTrust Manager.
Clients with the Healthy, Unregistered, Warning, and Error states can be deleted from the CipherTrust Manager.
After you initiate the client deletion operation, the operation:
Waits for confirmation from the CTE Agent before deleting anything from the CipherTrust Manager.
Changes the client status to Expunged on the CipherTrust Manager.
After receiving confirmation from the Agent:
Deletes all entries, capabilities, and GuardPoints associated with the client.
Removes the client record from the CipherTrust Manager.
However, in some cases, due to network issues or any other reasons, the CipherTrust Manager does not receive confirmation from the CTE Agent. In such cases, the client configurations cannot be deleted from the CipherTrust Manager and the client remains stuck at the Expunged state. Such clients need to be deleted manually. Refer to Deleting Expunged Clients Manually for details.
Deletes the associated client from the Client-Management section of the API playground.
Before proceeding with client deletion, read and understand the additional information provided on client deletion, Agent uninstallation, clients with System and Agent locks, and deletion indicators in Deleting Clients.
Deleting Individual Clients
To delete a client from the CipherTrust Manager GUI:
Open the Transparent Encryption application.
Click Clients > Clients.
Under Client Name, click the overflow icon corresponding to the client you want to delete.
Click Delete. A dialog box appears prompting to confirm the action.
Click Delete.
The selected client is deleted and its entry is removed from the Clients page after the CipherTrust Manager receives confirmation from the CTE Agent.
Refer to Deleting Expunged Clients Manually for details on deleting Expunged clients.
Deleting Multiple Clients
The CipherTrust Manager provides an option to delete multiple clients. A maximum of 200 clients can be deleted at once.
To delete multiple clients from the CipherTrust Manager GUI:
Open the Transparent Encryption application.
Click Clients > Clients.
Select the desired clients.
To select all clients visible on the page, select the top check box to the left of the Status heading.
Click the delete icon. A dialog box appears prompting to confirm the action.
Click Delete.
The selected clients are deleted and their entries are removed from the Clients page after the CipherTrust Manager receives confirmation from the CTE Agents.
Refer to Deleting Expunged Clients Manually for details on deleting Expunged clients.
Deleting Expunged Clients Manually
If, for any reason, the CipherTrust Manager does not receive the deletion confirmation from the CTE Agent, the client remains stuck in the Expunged state. The client cannot be deleted automatically from the CipherTrust Manager.
To manually delete an Expunged client and its configurations from the CipherTrust Manager, run the /v1/transparent-encryption/clients/{id}/delete API with the force delete option ("force_del_client").
When running the API, set "force_del_client": true. Refer to the API playground documentation for details.
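The force-delete call described above can be prepared as follows. This is an added example, not code from the CipherTrust documentation: the endpoint path and the "force_del_client" field come from this page, while the POST method, bearer-token header, API root URL, host name, and function names are assumptions to confirm in the API playground.

```python
import json
import urllib.parse
import urllib.request

# Path and body field are quoted from this page; everything else is assumed.
FORCE_DELETE_PATH = "/v1/transparent-encryption/clients/{id}/delete"


def build_force_delete(base_url, client_id, status, token):
    """Return a prepared request that force-deletes one Expunged client.

    base_url (API root), token (bearer token) and the POST method are
    assumptions of this example; confirm them in the API playground.
    """
    # Force delete is the remedy for clients stuck in Expunged only; other
    # states go through the normal, Agent-confirmed delete.
    if status.strip().lower() != "expunged":
        raise ValueError(f"client is {status!r}, not Expunged; use normal delete")
    if not client_id or not token:
        raise ValueError("client_id and token are required")
    # Percent-encode the ID so a value such as "../x" cannot alter the path.
    safe_id = urllib.parse.quote(client_id, safe="")
    url = base_url.rstrip("/") + FORCE_DELETE_PATH.replace("{id}", safe_id)
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send a bearer token over a non-HTTPS URL")
    body = json.dumps({"force_del_client": True}).encode("utf-8")
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


def force_delete(request, timeout=30):
    """Send the prepared request and return the HTTP status code."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample values; nothing is sent unless force_delete() is called.
    req = build_force_delete("https://cm.example.com/api", "client-1234",
                             "Expunged", "TOKEN_PLACEHOLDER")
    print(req.get_method(), req.full_url, req.data.decode())
```

Because force delete removes the client's configuration without the Agent's confirmation, the example refuses any client whose state is not Expunged.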
Sharing a Client Across Domains
A shared client will be visible in read-only mode in all the domains where it is shared. The GuardPoints can be created on the shared client from any of the linked domains. These GuardPoints will be visible in read-only mode in all the linked domains except their native domains (where the GuardPoints are created). All the valid operations on the GuardPoints will be allowed from the native domains.
This functionality is transparent to the CTE client, that is, the client will receive a single security configuration having GuardPoint details of all the domains.
The following diagram shows the client-sharing workflow:
To share a client across domains:
Open the Transparent Encryption application. The Clients page is displayed. This page lists the clients added to this CipherTrust Manager appliance.
Under Client Name, click the desired client.
In the mini detail view, select Domain Sharing.
Alternatively, to enable domain sharing on a client, click the expand icon corresponding to the desired client, select Domain Sharing in the mini detail view, and click Apply.
Click Apply. Now, the Sharing tab is displayed.
On the Sharing tab, click Share With Other Domains. The Share With Other Domains dialog box is displayed.
Under Domain Name, select the domains with which you want to share the client. The dialog box also provides an option to select all the domains, if required.
Click Share.
The client is shared across selected domains of the CipherTrust Manager.
Removing Client Sharing from Domains
Removing Individual Domains
To remove client sharing from a domain:
Open the Transparent Encryption application. The Clients page is displayed.
Click Clients > Clients.
Under Client Name, click the desired client. The detail view of the Clients page is displayed.
Click the Sharing tab.
Under Domain Name, select the check box corresponding to the desired domain.
Click Remove. A dialog box appears prompting to confirm the action. Deleting this domain is permanent and cannot be undone.
Click Delete.
The client is no longer shared with the selected domain.
Removing Multiple Domains
To remove client sharing from multiple domains:
Open the Transparent Encryption application. The Clients page is displayed.
Click Clients > Clients.
Under Client Name, click the desired client. The detail view of the Clients page is displayed.
Click the Sharing tab.
Under Domain Name, select the check boxes corresponding to the desired domains. To select all domains visible on the page, select the top check box to the left of the Domain Name heading.
Click the delete icon. A dialog box appears stating that deleting the selected domains is permanent and cannot be undone.
Click Delete.
The client is no longer shared with the selected domains.