Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

CLI Toolkit

Support CLI

search

Please Note:

Support CLI

The Support CLI provides root access to the appliance, and is intended for advanced troubleshooting in limited scenarios with customer support. If customer support indicates that the Support CLI is necessary, you use ks_support (the Support CLI tool) to request an admin support token and then use that token to start a shell as the support user. The Support CLI comes with the CipherTrust Manager appliance and does not require installation.

Warning

Only request an admin support token and open the support shell under direction from a Thales support engineer.

Customer Support can initiate a Support CLI shell with you:

  • To reset the GUI admin password.

  • To install Thales-approved scripts for issues that do not have any other workaround.

  • To increase PED timeout values to use multifactor quorum feature (previously called M of N) when initializing the Thales k570 appliance.

Request

  1. Connect to your CipherTrust Manager instance via: ssh ksadmin@ip.address

    The following prompt is displayed:

    ksadmin@keysecure:~$

  2. Start the ks_support tool, as follows:

    sudo ks_support request

    The following output is displayed:

    Copy the following request to KeySecure support:
U3BhY2U6IHRoZSBmaW5hbCBmcm9udGllci4gVGhlc2UgYXJlIHRoZSB2b3lhZ2VzIG9mIHRoZSB
zdGFyc2hpcCBFbnRlcnByaXNlLiBJdHMgZml2ZS15ZWFyIG1pc3Npb246IHRvIGV4cGxvcmUgc3
RyYW5nZSBuZXcgd29ybGRzLiBUbyBzZWVrIG91dCBuZXcgbGlmZSBhbmQgbmV3IGNpdmlsaXphd
GlvbnMuIFRvIGJvbGRseSBnbyB3aGVyZSBubyBtYW4gaGFzIGdvbmUgYmVmb3JlLgo=

  3. Select and copy all of the string after the support: (starting at U3BhY2U6... and ending with ...JlLgo= in this example) to the clipboard.

  4. Paste the string into an email that you send to your CipherTrust Manager support contact.

Shell

After you have received a response from the CipherTrust Manager support:

  1. Start the ks_support tool again:

    sudo ks_support shell

    The following prompt is displayed:

    Paste text here, then press <ENTER> :

  2. Copy the string you received from your CipherTrust Manager support contact.

  3. Paste the string immediately after the prompt, as follows:

    Paste text here, then press <ENTER>: SXQgaXMgYSBwZXJpb2Qgb2YgY2l2aWwgd2FyL
iBSZWJlbCBzcGFjZXNoaXBzLCBzdHJpa2luZyBmcm9tIGEgaGlkZGVuIGJhc2UsIGhhdmUgd29
uIHRoZWlyIGZpcnN0IHZpY3RvcnkgYWdhaW5zdCB0aGUgZXZpbCBHYWxhY3RpYyBFbXBpcmUuI
ER1cmluZyB0aGUgYmF0dGxlLCBSZWJlbCBzcGllcyBtYW5hZ2VkIHRvIHN0ZWFsIHNlY3JldCB
wbGFucyB0byB0aGUgRW1waXJl4oCZcyB1bHRpbWF0ZSB3ZWFwb24sIHRoZSBERUFUSCBTVEFSL
CBhbiBhcm1vcmVkIHNwYWNlIHN0YXRpb24gd2l0aCBlbm91Z2ggcG93ZXIgdG8gZGVzdHJveSB
hbiBlbnRpcmUgcGxhbmV0LiBQdXJzdWVkIGJ5IHRoZSBFbXBpcmXigJlzIHNpbmlzdGVyIGFnZ
W50cywgUHJpbmNlc3MgTGVpYSByYWNlcyBob21lIGFib2FyZCBoZXIgc3RhcnNoaXAsIGN1c3R
vZGlhbiBvZiB0aGUgc3RvbGVuIHBsYW5zIHRoYXQgY2FuIHNhdmUgaGVyIHBlb3BsZSBhbmQgc
mVzdG9yZSBmcmVlZG9tIHRvIHRoZSBnYWxheHkK

  4. Press Enter.

Success

If the string matches the necessary controls, the following support shell is displayed:

root@keysecure:~#

At this point, you can perform the steps as instructed by the CipherTrust Manager support personnel. When you log out from this shell, you are returned to the ksadmin shell prompt (as shown above). Note that the response that you receive can only be used once and is only valid for one day. Any attempted reuse or use after expiration results in an error message (as shown below).

Failure

If the string does not match the required controls, the following message is returned:

Error: The challenge response was not accepted. Here are some possible reasons why:
* bad input - check the input for missing leading or trailing characters, additional whitespace, etc.
* expired challenge - challenges expire 1 day after being requested
* replayed - a challenge response can only be used once

If this occurs, relay these issues to your support personnel so that they can be remedied.

Multiple Requests

In the event that you need support shell access multiple times in a single day (for example, if the appliance needs to be rebooted), then multiple requests may be generated and sent to your CipherTrust Manager support contact.

Cleanup

The Support CLI tool automatically cleans up the files that it no longer needs, as they are used. However, it is possible that a number of requests may have been created that were not needed. To clean all of these requests from your system, run the following command as the ksadmin user:

sudo ks_support cleanup

This command returns no output except in the case of error. Any errors should be reported to your CipherTrust Manager support contact.

On this page