Proxy Configuration
The proxy configuration on the CipherTrust Manager allows you to configure what traffic should be forwarded through the proxy to the external network.
If you want to forward https traffic through a proxy, you need to set up the https_proxy environment on the CipherTrust Manager. Similarly, to forward http traffic through a proxy, set up the http_proxy environment on the CipherTrust Manager.
The following scenarios cover the proxy configuration settings on the CipherTrust Manager in relation to the actual proxy servers.
Scenario 1 - Same proxy servers for different traffic
When you do not have separate proxy servers for different types of traffic, for example, when the same proxy server handles both http and https traffic, it is recommended to configure both the CipherTrust Manager environment and the proxy server environment to the same value.
Example
http_proxy=http://test.com
https_proxy=http://test.com
Scenario 2 - HTTP proxy server supports HTTP tunneling
When you have an http proxy server that supports HTTP tunneling (for example, HTTP CONNECT), you can set the https_proxy environment on the CipherTrust Manager to the same http proxy server.
Example
https_proxy=http://test.com
Scenario 3 - Protocol is not specified explicitly on the CipherTrust Manager
When you do not specify the protocol explicitly on the CipherTrust Manager, by default, the CipherTrust Manager assumes the protocol to be the same as the one named by the proxy environment variable. However, the two may not always match, which leads to non-functional configurations.
For example, if you set https_proxy=test.com, the CipherTrust Manager assumes that the proxy server (test.com) supports https. If the proxy server works on http only, then this configuration will not work.
Therefore, it is recommended to be explicit about the protocol your proxy server supports when configuring the CipherTrust Manager environment.
Example
https_proxy=https://test.com
http_proxy=http://test.com
The following connections use the configured proxy:
CipherTrust Cloud Key Manager external connections to cloud services and key sources.
CipherTrust Manager root of trust connection to the Thales DPoD HSM on Demand Service. Consult the DPoD Client Network Connectivity page or the Chrystoki.conf file in the client package for the FQDNs to whitelist on the proxy.
Data Discovery and Classification connections to Hadoop Services, including Thales Data Platform. Configure the proxy server directly to access TDP, to resolve its name, and to allow HTTPS connections to port 8443.
DDC Agent connections are inbound, so the CipherTrust Manager proxy configuration is not applied to them. If desired, you can set up a proxy outside of CipherTrust Manager for this connection, in keeping with the broader network.
Note
A system restart is required after adding a new proxy or changing proxy settings.
If a proxy host is added using the proxy hostname, then IP mapping is required in the DNS. For details, refer to Configuring DNS Hosts.
For an https proxy, the CipherTrust Manager allows you to add the CA certificates to the list of trusted CA certificates.
Note
• For CCKM, configure an HTTPS proxy.
• If your proxy server does not support HTTP CONNECT, then CCKM GCP connections from the CipherTrust Manager will not work using a proxy with a certificate. Instead, add an exception (cloudkms.googleapis.com) with no-proxy, or use a proxy with username and password.
The following sections describe how to configure the proxy using the GUI and the CLI.
Configuring proxy using GUI
To set up a proxy host:
Log on to the CipherTrust Manager GUI.
Navigate to Admin Settings > Proxy. The list of available Proxy hosts is displayed, if available.
On the Proxy page, click Add Proxy Host.
On the Add Proxy Host screen:
Select Protocol type as HTTP or HTTPS.
In the Hostname field, enter the proxy server IP address or URL.
In the Port field, enter the proxy server's port.
Add CA certificate. This field appears on the UI only if HTTPS proxy is selected. You can either upload the CA certificate file or paste its content. This field is optional.
Select the proxy server required password checkbox to authenticate to the proxy server. Enter Username, Password, and Test URL. This step is optional and is required only when the proxy server requires authentication.
Note
If the proxy server password contains special characters, then replace these characters with their URL-encoded values. For example, if the password is tmp^123# then the updated password is tmp%5E123%23.
Click Test Credentials to check whether the proxy configuration is successful. If the test is successful, the status is OK; otherwise the status is Failed.
Click Add Proxy Host.
Configuring proxies using ksctl
The following operations can be performed:
Add proxies
Get/list proxies
Delete proxies
Update proxies
Test proxies
Adding proxies
To add a proxy, run:
Syntax
ksctl proxy add --http-proxy <HTTP-proxy-address> --https-proxy <HTTPS-proxy-address> --no-proxy <List-of-noproxy-addresses> --ca-cert-file <ca-certificate-file>
http-proxy - proxy server URL capable of handling http network traffic.
https-proxy - HTTPS proxy server URL for proxy configurations.
no-proxy - Server URLs to which the network traffic is sent directly, bypassing the proxy.
ca-cert-file - CA certificate to trust for the proxy. This field is applicable only for an https proxy. It is optional.
Note
If the proxy server password contains special characters, then replace these characters with their URL-encoded values. For example, if the password is tmp^123# then the updated password is tmp%5E123%23.
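The two pitfalls this page calls out, an implicit protocol (Scenario 3) and a proxy password that was not URL-encoded, checked in code before the value is handed to --http-proxy or --https-proxy. This is an added example, not CipherTrust Manager or ksctl code; the function names are my own, and it only validates the proxy URL strings, it does not contact the proxy.

```python
import re
from urllib.parse import quote

# Scheme prefix such as "https://"; absent in the Scenario 3 case https_proxy=test.com.
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*)://", re.IGNORECASE)
# Userinfo characters that need no encoding (RFC 3986 unreserved) or are
# already an encoded %XX escape.
_USERINFO_OK = re.compile(r"^(?:[A-Za-z0-9._~-]|%[0-9A-Fa-f]{2})*$")


def encode_proxy_password(password: str) -> str:
    """Percent-encode every character outside the unreserved set,
    so 'tmp^123#' becomes 'tmp%5E123%23' as the note requires."""
    return quote(password, safe="")


def build_proxy_url(scheme: str, host: str, port: int,
                    username: str = "", password: str = "") -> str:
    """Return an explicit-scheme proxy URL for --http-proxy / --https-proxy."""
    if scheme not in ("http", "https"):
        raise ValueError("proxy scheme must be http or https")
    userinfo = ""
    if username:
        userinfo = quote(username, safe="")
        if password:
            userinfo += ":" + encode_proxy_password(password)
        userinfo += "@"
    return f"{scheme}://{userinfo}{host}:{port}"


def check_proxy_setting(name: str, value: str) -> list[str]:
    """Return the problems found in one setting, e.g. ('https_proxy', 'test.com'):
    a missing scheme (Scenario 3) or a password that was not percent-encoded."""
    problems = []
    m = _SCHEME_RE.match(value)
    if not m:
        assumed = name.split("_")[0]  # https_proxy -> assumed https, and so on
        problems.append(f"{name}: {value!r} has no scheme; CipherTrust Manager "
                        f"assumes {assumed}, which fails if the proxy only "
                        f"speaks the other protocol")
        return problems
    if m.group(1).lower() not in ("http", "https"):
        problems.append(f"{name}: unsupported scheme {m.group(1)!r}")
    netloc = value[m.end():].split("/", 1)[0]
    if "@" in netloc:
        userinfo = netloc.rsplit("@", 1)[0]
        password = userinfo.split(":", 1)[1] if ":" in userinfo else ""
        if not _USERINFO_OK.match(password):
            problems.append(f"{name}: password contains characters that must be "
                            "percent-encoded (see encode_proxy_password)")
    return problems
```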
Example Request
ksctl proxy add --https-proxy https://my.proxy.server:8081 --no-proxy localhost, 127.0.0.1 --ca-cert-file cacertfile
Example Response
{
"http_proxy": "http://username:xxxxxx@my.proxy.server:8080",
"https_proxy": "https://username:xxxxxx@my.proxy.server:8081",
"no_proxy":
[
"localhost",
"127.0.0.1"
]
}
Getting the list of proxies
To get a list of proxies, run:
Syntax
ksctl proxy list
Example Request
ksctl proxy list
Example Response
{
"http_proxy": "http://username:xxxxxx@my.proxy.server:8080",
"https_proxy": "https://username:xxxxxx@my.proxy.server:8081",
"no_proxy":
[
"localhost",
"127.0.0.1"
],
"certificate":"-----BEGIN CERTIFICATE-----\nMIIEuDCCAqCgAwIBAgIQOivQNtvy1bsD+ZtTiktSbjANBgkqhkiG9w0BAQsFADBa\nMQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUQxEDAOBgNVBAcTB0JlbGNhbXAxEDAO\nBgNVBAoTB0dlbWFsdG8xGjAYBgNVBAMTEUtleVNlY3VyZSBSb290IENBMB4XDTIx\nMDUwOTE1MTMwOFoXDTIzMDUwOTE1MTMwOFowJTEOMAwGA1UEAxMFYWRtaW4xEzAR\nBgoJkiaJk/IsZAEBEwMxMjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\nAQDf0/l5sDKlmZ940mc3YAmpdEHmAPf6kDZgtqpuN9ftXji65WIHywZ5VN/5YYVD\nREdbs96kAdNMNyec8As0E0lbgirxaW2HFOzVcdfUyh8FnQWq4kAcGBdL19gvdEm6\noZOaX6XlKZq3REfvFXjPg3YkhOvmaiF/9WFoVafCplpgpib3kiijd3m1ZUHP+uxW\nkfJ6ddxMs3Qe3gltfmpnjoHY433rzh2CFr/W5wufRKZWmlu2OBwTKJsixJbcRJR1\n93+XVELt6r7UmrycZjmi3RIMkJ0WC+KpkL0ZetYtXL/7IykRkzlqAwKI4mpyJjAS\n/3yQgJKCdSBz80BzmbnDevQ9AgMBAAGjga4wgaswDgYDVR0PAQH/BAQDAgOIMBMG\nA1UdJQQMMAoGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUl4YP\nF8V39/lnMb8i5iDOPtXjQ4owVQYDVR0fBE4wTDBKoEigRoZEaHR0cDovL2tleXNl\nY3VyZS5sb2NhbC9jcmxzL2Y4YWFiZDRmLTY0NTktNGNiMC1hMjZhLWRmZDg4MTI5\nYmQ1ZS5jcmwwDQYJKoZIhvcNAQELBQADggIBAAYsYXivy9vD+WMqs4ceC+W3O8Tx\nIW/jaCHfWZKXr4fk01n1Mh020T67wIKqQXUoTKgp9U7vmNMd/RKrj1NS19lEh8sm\nHxy7/bvcSDXajw2LpsmIRaWeqYgO0qOTluMQMMnSBiLbdgSAXKEAjRMQQvQfzqUV\neTSPWaWzyFbnfhSEfU0s46Xs61gWTfvwclvB40Xk7HKFTNUP/xPIfLlhT4H9J3Bx\nyrWz5bJY1z6Cx95/gXsQptccmYik+WGY7IJofvNJD8ugc1t6SeVG2aEl8fNiuS5a\np9O6ThUcM3MqHcL0cOlqm9+jzs5j8pUWbJ+7lsDS17Y+uFvHEJN8XGXQLhFf3p/4\nvNgyMAmB9uvC5rbqEsCKUgpxkNa0sm0WflVoIQ1h2ku01yqtG8krma9qr4zy+bML\nO6Zk37Vn1/8pUjGYWHIPhjX6e+/wlRIMufyqKg7M/OHlg0S6eOpaX13tXxYNnaVm\ngN2mKfvmN3W6sMdtCKifRNeTcuF5R7ZRWXKqHp00Y6N2Tk2FyZjgWAxUtg7VnLPW\nRfuQBQ/Jud7zVDWxtftv6nmrV1nlqErPPDnRt3D49AD5lj4+JhdzKz47F094T++8\n+rauAODq6i+FZe/05RwSCB1fqWJ8ja9gwAWaBVXfQpIDIY3KFTC2tZhjUUOii++d\nP6WaJc1NqTcWns8H\n-----END CERTIFICATE-----\n"
}
Deleting proxies
To delete proxy configurations, run:
Syntax
ksctl proxy delete
Example Request
ksctl proxy delete
No response is displayed if the proxy is deleted successfully. The CA certificate of the HTTPS proxy is also deleted.
Updating proxies
To update a proxy configuration, run:
Syntax
ksctl proxy update --http-proxy <HTTP-proxy-address> --https-proxy <HTTPS-proxy-address> --no-proxy <List-of-noproxy-addresses> --ca-cert-file <ca-certificate-file>
Example Request
ksctl proxy update --http-proxy http://dummyproxy:3000 --https-proxy https://dummyproxy:3000
Example Response
{
"http_proxy": "http://dummyproxy:3000",
"https_proxy": "https://dummyproxy:3000",
"no_proxy": [
"localhost",
"127.0.0.1"
],
"certificate":"-----BEGIN CERTIFICATE-----\nMIIEuDCCAqCgAwIBAgIQOivQNtvy1bsD+ZtTiktSbjANBgkqhkiG9w0BAQsFADBa\nMQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUQxEDAOBgNVBAcTB0JlbGNhbXAxEDAO\nBgNVBAoTB0dlbWFsdG8xGjAYBgNVBAMTEUtleVNlY3VyZSBSb290IENBMB4XDTIx\nMDUwOTE1MTMwOFoXDTIzMDUwOTE1MTMwOFowJTEOMAwGA1UEAxMFYWRtaW4xEzAR\nBgoJkiaJk/IsZAEBEwMxMjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\nAQDf0/l5sDKlmZ940mc3YAmpdEHmAPf6kDZgtqpuN9ftXji65WIHywZ5VN/5YYVD\nREdbs96kAdNMNyec8As0E0lbgirxaW2HFOzVcdfUyh8FnQWq4kAcGBdL19gvdEm6\noZOaX6XlKZq3REfvFXjPg3YkhOvmaiF/9WFoVafCplpgpib3kiijd3m1ZUHP+uxW\nkfJ6ddxMs3Qe3gltfmpnjoHY433rzh2CFr/W5wufRKZWmlu2OBwTKJsixJbcRJR1\n93+XVELt6r7UmrycZjmi3RIMkJ0WC+KpkL0ZetYtXL/7IykRkzlqAwKI4mpyJjAS\n/3yQgJKCdSBz80BzmbnDevQ9AgMBAAGjga4wgaswDgYDVR0PAQH/BAQDAgOIMBMG\nA1UdJQQMMAoGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUl4YP\nF8V39/lnMb8i5iDOPtXjQ4owVQYDVR0fBE4wTDBKoEigRoZEaHR0cDovL2tleXNl\nY3VyZS5sb2NhbC9jcmxzL2Y4YWFiZDRmLTY0NTktNGNiMC1hMjZhLWRmZDg4MTI5\nYmQ1ZS5jcmwwDQYJKoZIhvcNAQELBQADggIBAAYsYXivy9vD+WMqs4ceC+W3O8Tx\nIW/jaCHfWZKXr4fk01n1Mh020T67wIKqQXUoTKgp9U7vmNMd/RKrj1NS19lEh8sm\nHxy7/bvcSDXajw2LpsmIRaWeqYgO0qOTluMQMMnSBiLbdgSAXKEAjRMQQvQfzqUV\neTSPWaWzyFbnfhSEfU0s46Xs61gWTfvwclvB40Xk7HKFTNUP/xPIfLlhT4H9J3Bx\nyrWz5bJY1z6Cx95/gXsQptccmYik+WGY7IJofvNJD8ugc1t6SeVG2aEl8fNiuS5a\np9O6ThUcM3MqHcL0cOlqm9+jzs5j8pUWbJ+7lsDS17Y+uFvHEJN8XGXQLhFf3p/4\nvNgyMAmB9uvC5rbqEsCKUgpxkNa0sm0WflVoIQ1h2ku01yqtG8krma9qr4zy+bML\nO6Zk37Vn1/8pUjGYWHIPhjX6e+/wlRIMufyqKg7M/OHlg0S6eOpaX13tXxYNnaVm\ngN2mKfvmN3W6sMdtCKifRNeTcuF5R7ZRWXKqHp00Y6N2Tk2FyZjgWAxUtg7VnLPW\nRfuQBQ/Jud7zVDWxtftv6nmrV1nlqErPPDnRt3D49AD5lj4+JhdzKz47F094T++8\n+rauAODq6i+FZe/05RwSCB1fqWJ8ja9gwAWaBVXfQpIDIY3KFTC2tZhjUUOii++d\nP6WaJc1NqTcWns8H\n-----END CERTIFICATE-----\n"
}
Testing proxies
To test a proxy with a given URL, run:
Syntax
ksctl proxy test --http-proxy <HTTP-proxy-address> --test-url <Test-url> --https-proxy <HTTPS-proxy-address> --ca-cert-file <ca-certificate-file>
Example Request 1
ksctl proxy test --https-proxy https://my.proxy.server:8081 --test-url https://www.thalesdocs.com --ca-cert-file cacertfile
Example Response 1
{
"connection_ok": true
}
Example Request 2
ksctl proxy test --http-proxy http://my.proxy.server:8081 --test-url https://www.thalesdocs.com
Example Response 2
{
"connection_ok": true
}