Support CLI
The Support CLI provides root access to the appliance, and is intended for advanced troubleshooting in limited scenarios with customer support. If customer support indicates that the Support CLI is necessary, you use ks_support (the Support CLI tool) to request an admin support token and then use that token to start a shell as the support user. The Support CLI comes with the CipherTrust Manager appliance and does not require installation.
Warning
Only request an admin support token and open the support shell under direction from a Thales support engineer.
Customer Support can initiate a Support CLI shell with you:
To reset the GUI admin password.
To install Thales-approved scripts for issues that do not have any other workaround.
To increase PED timeout values to use the multifactor quorum feature (previously called M of N) when initializing the Thales k570 appliance.
Request
Connect to your CipherTrust Manager instance via:
ssh ksadmin@ip.address
The following prompt is displayed:
ksadmin@keysecure:~$
Start the ks_support tool, as follows:
sudo ks_support request
The following output is displayed:
Copy the following request to KeySecure support: U3BhY2U6IHRoZSBmaW5hbCBmcm9udGllci4gVGhlc2UgYXJlIHRoZSB2b3lhZ2VzIG9mIHRoZSB zdGFyc2hpcCBFbnRlcnByaXNlLiBJdHMgZml2ZS15ZWFyIG1pc3Npb246IHRvIGV4cGxvcmUgc3 RyYW5nZSBuZXcgd29ybGRzLiBUbyBzZWVrIG91dCBuZXcgbGlmZSBhbmQgbmV3IGNpdmlsaXphd GlvbnMuIFRvIGJvbGRseSBnbyB3aGVyZSBubyBtYW4gaGFzIGdvbmUgYmVmb3JlLgo=
Select and copy all of the string after "support:" (starting at U3BhY2U6... and ending with ...JlLgo= in this example) to the clipboard.
Paste the string into an email that you send to your CipherTrust Manager support contact.
Shell
After you have received a response from CipherTrust Manager support:
Start the ks_support tool again:
sudo ks_support shell
The following prompt is displayed:
Paste text here, then press <ENTER> :
Copy the string you received from your CipherTrust Manager support contact.
Paste the string immediately after the prompt, as follows:
Paste text here, then press <ENTER>: SXQgaXMgYSBwZXJpb2Qgb2YgY2l2aWwgd2FyL iBSZWJlbCBzcGFjZXNoaXBzLCBzdHJpa2luZyBmcm9tIGEgaGlkZGVuIGJhc2UsIGhhdmUgd29 uIHRoZWlyIGZpcnN0IHZpY3RvcnkgYWdhaW5zdCB0aGUgZXZpbCBHYWxhY3RpYyBFbXBpcmUuI ER1cmluZyB0aGUgYmF0dGxlLCBSZWJlbCBzcGllcyBtYW5hZ2VkIHRvIHN0ZWFsIHNlY3JldCB wbGFucyB0byB0aGUgRW1waXJl4oCZcyB1bHRpbWF0ZSB3ZWFwb24sIHRoZSBERUFUSCBTVEFSL CBhbiBhcm1vcmVkIHNwYWNlIHN0YXRpb24gd2l0aCBlbm91Z2ggcG93ZXIgdG8gZGVzdHJveSB hbiBlbnRpcmUgcGxhbmV0LiBQdXJzdWVkIGJ5IHRoZSBFbXBpcmXigJlzIHNpbmlzdGVyIGFnZ W50cywgUHJpbmNlc3MgTGVpYSByYWNlcyBob21lIGFib2FyZCBoZXIgc3RhcnNoaXAsIGN1c3R vZGlhbiBvZiB0aGUgc3RvbGVuIHBsYW5zIHRoYXQgY2FuIHNhdmUgaGVyIHBlb3BsZSBhbmQgc mVzdG9yZSBmcmVlZG9tIHRvIHRoZSBnYWxheHkK
Press Enter.
Success
If the string matches the necessary controls, the following support shell is displayed:
root@keysecure:~#
At this point, you can perform the steps as instructed by the CipherTrust Manager support personnel. When you log out from this shell, you are returned to the ksadmin shell prompt (as shown above). Note that the response that you receive can only be used once and is only valid for one day. Any attempted reuse or use after expiration results in an error message (as shown below).
Failure
If the string does not match the required controls, the following message is returned:
Error: The challenge response was not accepted. Here are some possible reasons why:
* bad input - check the input for missing leading or trailing characters, additional whitespace, etc.
* expired challenge - challenges expire 1 day after being requested
* replayed - a challenge response can only be used once
If this occurs, relay these issues to your support personnel so that they can be remedied.
Multiple Requests
In the event that you need support shell access multiple times in a single day (for example, if the appliance needs to be rebooted), then multiple requests may be generated and sent to your CipherTrust Manager support contact.
Cleanup
The Support CLI tool automatically cleans up the files that it no longer needs, as they are used. However, it is possible that a number of requests may have been created that were not needed. To clean all of these requests from your system, run the following command as the ksadmin user:
sudo ks_support cleanup
This command returns no output except in the case of error. Any errors should be reported to your CipherTrust Manager support contact.
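Because the support shell runs as root, every ks_support invocation is worth reviewing in the sudo log. The following is an added example, not part of the Thales documentation or tooling: it assumes sudo writes standard syslog records, and the /usr/bin/ks_support path, the opsuser account and the sample log lines are constructed.

```shell
#!/bin/sh
# Constructed sample of sudo syslog lines; the hostname comes from the prompt
# shown above, the /usr/bin path and the opsuser account are assumptions.
sample_log() {
cat <<'EOF'
Mar  4 10:12:01 keysecure sudo:  ksadmin : TTY=pts/0 ; PWD=/home/ksadmin ; USER=root ; COMMAND=/usr/bin/ks_support request
Mar  4 10:13:40 keysecure sudo:  ksadmin : TTY=pts/0 ; PWD=/home/ksadmin ; USER=root ; COMMAND=/bin/ls /var/log
Mar  4 15:47:12 keysecure sudo:  ksadmin : TTY=pts/0 ; PWD=/home/ksadmin ; USER=root ; COMMAND=/usr/bin/ks_support shell
Mar  5 02:03:55 keysecure sudo:  opsuser : user NOT in sudoers ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/ks_support shell
Mar  5 09:00:10 keysecure sudo:  ksadmin : TTY=pts/0 ; PWD=/home/ksadmin ; USER=root ; COMMAND=/usr/bin/ks_support cleanup
EOF
}

# Read sudo log lines on stdin and emit "time|user|subcommand|flags" for
# every record whose command is ks_support (request, shell or cleanup).
ks_support_audit() {
  awk '
    /COMMAND=/ && match($0, /sudo[^ :]*: */) {
      user = substr($0, RSTART + RLENGTH)    # text after the "sudo:" tag
      sub(/ :.*$/, "", user)                 # keep only the invoking account
      cmd = $0; sub(/^.*COMMAND=/, "", cmd)  # full command line sudo logged
      n = split(cmd, argv, " ")
      prog = argv[1]; sub(/^.*\//, "", prog) # basename of the program
      if (prog != "ks_support") next
      action = (n >= 2) ? argv[2] : "-"
      # "shell" is the step that can end in a root prompt.
      flags = (action == "shell") ? "ROOT-SHELL-ATTEMPT" : "info"
      # The procedure above is run as ksadmin; any other account is unexpected.
      if (user != "ksadmin") flags = flags ",UNEXPECTED-USER"
      # Standard sudo refusal messages.
      if ($0 ~ /NOT in sudoers|incorrect password|command not allowed/)
        flags = flags ",DENIED-BY-SUDO"
      printf "%s %s %s|%s|%s|%s\n", $1, $2, $3, user, action, flags
    }'
}

sample_log | ks_support_audit
```

A shell record shows only that the tool was started, not that the response string was accepted, so correlate each ROOT-SHELL-ATTEMPT with an open support case.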