Connections
Users in the Connection Admins or admins group can add, edit, delete, or test connections through the Connection Manager menus.
The tabular view lists all currently configured connections. Click a column header to sort the list by that column. The table has the following columns:
Name - name of the connection
Creation - date when the connection was created
Type - type of connection
Products - name of the product that uses the connection
State - state that the connection is in. It is one of these states:
Not tested - connection has not been tested
Fail - connection has been tested and the test failed. The date when the connection failed is displayed to the right
Ready - connection is properly configured and ready
The last column contains an ellipsis icon (...). When clicked, it displays a menu that allows you to perform the following operations on the existing connections:
View/Edit - view and edit the connection
Test Connection - test the connection
Delete - delete the connection
Use the filters in the column headers to narrow the list to only the connections you want to see.
Use the Search box to search for a specific connection.
Refer to Adding a New Connection to add a new connection.
External Certificate for Azure and Salesforce Connections
If you want to add an Azure or SFDC connection using an external certificate, you first need to create and sign a Connection CSR using the CSR generator in CA.
To create a valid external certificate for connections through CipherTrust Manager GUI:
Sign in as a user in the CA Admin or admin group, such as the root admin account.
Navigate to CA > CSR Generator.
Select Connection CSR.
Enter a Common Name as required.
Select a Size.
Azure Connections support 2048 and 4096.
Salesforce connections support 1024, 2048, and 4096.
Enter any desired optional settings:
Display Names
Subject Alternative Names
DNS Names (comma separated)
IP Addresses (comma separated)
Email Addresses (comma separated)
If desired, enable Encrypt Private Key.
In Private Key Encryption, select a key algorithm: AES256, AES192, AES128, or TDES. CipherTrust Manager will generate a new key with this algorithm to encrypt the private key.
In Private Key Encryption Password, enter a password.
Click Generate CSR.
The Certificate Signing Request is displayed at the bottom of the page.
Click Download CSR to export the CSR contents to a file CSR.pem.
Have a Local CA or well-known External CA sign the certificate.
Note
As the purpose of the external certificate is authentication to a cloud service and not to CipherTrust Manager itself, there is no need to add the external CA to CipherTrust Manager.
Upload the external certificate to the cloud portal (Azure or Salesforce).
Store the external certificate in an accessible place. You will have to upload the certificate file to CipherTrust Manager when you create the Azure or Salesforce connection.
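The procedure above ends with a CA signing the request and the resulting certificate going to the cloud portal. The following shell script is an added example and is not part of the CipherTrust Manager documentation or product. It uses the openssl CLI to check that a downloaded CSR.pem carries a key size the target cloud accepts (2048 or 4096 for Azure; 1024, 2048, or 4096 for Salesforce, as stated above), signs the CSR with a throwaway local CA constructed inside the script, and confirms that the issued certificate carries the same public key as the CSR before it is uploaded anywhere. The file names, the demo CA, and the Common Name are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the CipherTrust Manager documentation): sanity-check a
# Connection CSR before it is sent for signing, and verify the signed
# certificate against it afterwards. Requires the openssl CLI.
# Working directory, CSR.pem, and the demo CA are assumptions for this example.
set -eu

# RSA key sizes the documentation lists as supported per cloud connection type.
allowed_sizes() {
    case "$1" in
        azure)      echo "2048 4096" ;;
        salesforce) echo "1024 2048 4096" ;;
        *)          echo "" ;;
    esac
}

# Print the RSA modulus length in bits of a PEM-encoded CSR.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Exit 0 if the CSR key size is acceptable for the target (azure|salesforce),
# 1 otherwise (including unknown targets).
check_connection_csr() {
    csr="$1"; target="$2"
    bits=$(csr_key_bits "$csr")
    for ok in $(allowed_sizes "$target"); do
        [ "$bits" = "$ok" ] && return 0
    done
    return 1
}

# Create a throwaway local CA in $3 and use it to issue a certificate ($2)
# for the CSR ($1). Stands in for the "Local CA" step in the procedure.
sign_with_local_ca() {
    csr="$1"; out="$2"; dir="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Demo Local CA" 2>/dev/null
    openssl x509 -req -in "$csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$out" 2>/dev/null
}

# Exit 0 if the certificate's public key is identical to the CSR's public key,
# i.e. the CA really issued a certificate for the key CipherTrust Manager holds.
cert_matches_csr() {
    a=$(openssl req  -in "$1" -noout -pubkey | openssl dgst -sha256)
    b=$(openssl x509 -in "$2" -noout -pubkey | openssl dgst -sha256)
    [ "$a" = "$b" ]
}

# Demo run: construct a 2048-bit CSR standing in for the downloaded CSR.pem.
demo() {
    dir=$(mktemp -d)
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -out "$dir/CSR.pem" -subj "/CN=ciphertrust-azure-connection" 2>/dev/null
    echo "CSR key size: $(csr_key_bits "$dir/CSR.pem") bits"
    check_connection_csr "$dir/CSR.pem" azure && echo "CSR acceptable for Azure"
    sign_with_local_ca "$dir/CSR.pem" "$dir/cert.pem" "$dir"
    cert_matches_csr "$dir/CSR.pem" "$dir/cert.pem" && echo "certificate matches CSR"
    rm -rf "$dir"
}

demo
```

Run the script as-is to see the demo output, or source it and call check_connection_csr and cert_matches_csr against the real CSR.pem downloaded from CipherTrust Manager and the certificate returned by your CA; a mismatch in cert_matches_csr means the CA issued a certificate for some other key and the Azure or Salesforce connection will fail to authenticate.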
Adding a New Connection
Click the + Add Connection button to open the Add Connection wizard. The wizard consists of the following steps:
1. Select Connection Type
In the Select Category section, click the Cloud, TDP, HSM, File-Share, Key Manager, SCP, Log Forwarder, or OIDC tile and select a desired connection type from the Select Type menu:
Cloud: Amazon Web Services (AWS), Microsoft Azure, Salesforce, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), or Akeyless Gateway. AWS, Microsoft Azure, Salesforce, GCP and OCI are cloud computing platforms and CipherTrust Cloud Key Manager (CCKM) manages cloud keys for these cloud services. The Akeyless Gateway is part of Secrets Management, and connects to the Akeyless Vault Platform.
TDP: Hadoop Knox. It provides a single point of authentication and access for Hadoop services in a cluster.
HSM: Luna Network HSM. It allows CCKM to manage and perform operations on the keys stored on HSM.
File-Share: CIFS/SMB. It provides access to the shared files available in the network for CipherTrust Transparent Encryption (CTE).
Key Manager: DSM or CM Connection. The DSM connection provides a single point of authentication and access for DSMs in a cluster. The CM connection allows the CipherTrust Manager to act as an external key source in the connection manager.
SCP: SCP. It is used to securely transfer system backups from CipherTrust Manager to external servers.
Log Forwarder: Loki, Elasticsearch, or Syslog. It forwards server and client audit records, and KMIP and NAE activity logs, to an Elasticsearch, Loki, or Syslog server.
OIDC/LDAP: OIDC or LDAP. OIDC is used to configure external identity providers for CTE agents. LDAP is used to configure LDAP connections, which can be used for LDAP browsing.
Note
OIDC connections to authenticate CipherTrust Manager users are configured outside of connection manager.
Click Next to move to the next step.
2. General Info
In this step, provide a Name and Description (optional) for the new connection.
Click Next to move to the next step.
3. Configure Connection
The following table lists the available connections. Click a connection to see its configuration details.
4. Add Products
Use the check boxes in the Products list to select a product associated with the connection.
Note
The Akeyless Gateway connection is not associated with a product, so there is no Add Products selection.
Data Discovery
CTE
Cloud Key Manager
Backup/Restore
HSM-anchored Domains
Click Add Connection to save your connection. The new connection is now listed in the CONNECTIONS list.