Changing Client Password
Offline Password
CTE supports the offline password feature. This feature is designed to enable retrieval of the keys being used to protect data in a GuardPoint. When communication between the CipherTrust Manager and the CTE Agent are lost, the GuardPoint continues to encrypt/decrypt data with the current last known key and policy. However, if the communication is lost and the protected client is rebooted, the CTE Agent attempts to validate it using the latest keys and policies, but fails. Therefore, a password can be used by the isolated CTE Agent to retrieve the last known key and policy to enable the GuardPoint to continue with encryption/decryption operations. After the communication is re-established, any policy or key changes can be applied.
The offline password feature enables access to encryption keys that are stored locally on a client. This keeps the data secure when the CipherTrust Manager is inaccessible. To access the data, provide the offline password. Then, the CTE Agent encrypts/decrypts the guarded data according to the applied policy.
Password Types
The client password is initially set when the client is added to the CipherTrust Manager. Passwords can be set on a client-by-client or client group basis. The CipherTrust Manager supports two types of offline passwords:
Manual (Static): A password is specified manually.
Generate (Dynamic): A password is generated automatically by the CipherTrust Manager.
Changing the Password Manually
To change the password:
Open the Transparent Encryption application.
Click Clients > Clients.
Under Client Name, click the desired client.
Alternatively, click the expand icon () to the left of the desired client in the clients list.
From the Password Creation Method drop-down list, select Manual. The Regenerate Password button is replaced by Change Password.
Click Change Password.
Enter the new password in the Password and Confirm Password fields. The password must match in both the fields.
Note
The password must contain minimum eight characters including at least:
One capital letter
One number
One of these special characters:
! @ # $ % ^ & * ( ) { } [ ]
To cancel the password change, click Cancel Change Password.
Click Apply.
When changing a static password or modifying a client to use a static password instead of a dynamic password, provide the new static password to the client users. Without the password, they cannot access encrypted data when there is no network connection between the client and the CipherTrust Manager.
The users can access the data stored in GuardPoints on the client by either running the vmsec password
command or using the challenge-response method.
Changing the Password Dynamically
To change the password:
Open the Transparent Encryption application.
Click Clients > Clients.
Under Client Name, click the desired client.
Alternatively, click the expand icon () to the left of the desired client in the clients list.
From the Password Creation Method drop-down list, select Generate. This is the default method.
Click Regenerate Password.
A new generated password is downloaded to the client.
Note
When modifying a client to use a dynamic password instead of a static password, inform the client users that challenge-response authentication is enabled and they need to run vmsec challenge
on UNIX/Linux clients or select Password... on the Windows etray when the client cannot connect to the CipherTrust Manager.
Accessing GuardPoints in Offline Mode
This section is applicable to the CTE client administrators. This information is given here to show the end-to-end flow of the challenge-response process.
When the CipherTrust Manager is unreachable from a protected client, the data stored in GuardPoints on the client cannot be accessed without the challenge-response.
To access the GuardPoints in offline mode:
Log on to the offline CTE client.
Depending on your platform, do the following:
On UNIX/Linux, run the command,
vmsec challenge
.vmsec challenge Contact your CM administrator for assistance. Your hostname is 10.164.14.207 Your challenge is: FHEH-ICPL-2MCZ-2AHI Response (part 1) ->
On Windows, select Password... on the Windows etray, then select Challenge... > Response.... The CipherTrust Transparent Encryption Challenge/Response dialog box is displayed, as shown below.
Your CipherTrust Manager administrator will need the hostname of your client and the challenge shown above in the command output (for Linux/AIX) and in the screenshot (for Windows).
Contact your CipherTrust Manager administrator.
Provide the challenge (for example,
FHEH-ICPL-2MCZ-2AHI
) to the administrator.The CipherTrust Manager administrator generates responses in four parts on the CipherTrust Manager. Refer to Generating Response for a Challenge for details. Contact the CipherTrust Manager administrator for the response codes.
Enter the response (part 1 through 4) on the
vmsec challenge
command prompt (on Linux/AIX) or on the CipherTrust Transparent Encryption Challenge/Response dialog box (on Windows). The responses must be entered in the given order. For example:Response (part 1) -> STYB-JAZE-C2PB-6FLU Response (part 2) -> F7ME-R3MG-BQB5-5MXB Response (part 3) -> QN26-OA6F-5ZKA-T5LG Response (part 4) -> BI4Y-53AI-3OXZ-N2EC Success!
The client users can now access protected GuardPoints on the client.
Generating Response for a Challenge
To generate a response for a challenge:
Log on to the CipherTrust Manager GUI.
Open the Transparent Encryption application.
Click Clients > Clients.
Click the desired client.
Click the Challenge Response tab.
In the Challenge From the Client box, enter the challenge provided by the client administrator.
Click Submit.
A set of four responses (part 1 through 4) for the provided challenge is shown on the GUI. Provide those to the client administrator.