Return Material Authorization (RMA) Guidance
Thales ensures that all of its products are designed, manufactured, and tested to the highest level of quality. On occasion, a product may fail in the field after use by the customer. Products that fail in the field, when covered by a maintenance agreement or during the warranty period, may be eligible for an RMA (Return Material Authorization).
The first step to obtain an RMA is to contact customer support for your product.
For RMA of Thales CipherTrust Manager k570 or Thales CipherTrust Manger k470 appliances, contact Thales Customer Support for assistance.
For RMA of Thales TCT CipherTrust Manager k570 or Thales TCT CipherTrust Manager k160 appliances, contact Thales TCT Technical Support for assistance.
CipherTrust Manager physical appliances may contain sensitive customer key material. Thales recognizes that and assures the customers that our appliances are hardened. Follow the steps for your appliance to fully ensure data is protected before the appliance is sent for RMA.
This page covers the following appliance models:
To Prepare a Thales CipherTrust Manager k570 or Thales CipherTrust Manger k470 Appliance for RMA
Ensure that all the sensitive information such as keys, backup keys, certificates, NAE users, and authorization policies are backed up at all times.
Login to the CipherTrust Manager as ksadmin via serial console or SSH.
Do one of the following:
Perform a factory reset of the CipherTrust Manager using the system configuration utility. This command erases all configuration information, log files and any keys stored on the appliance.
kscfg system factory-resetPerform a hard reset of the CipherTrust Manager using the system configuration utility. This command resets the appliance and removes data associated with CipherTrust Manager. such as keys and certificates. All log information and appliance configuration information remains intact. This remaining information can help us determine the possible cause of the failure.
kscfg system reset
For k570 devices, reset the on-board PCIe HSM card which stores the root keys. Do one of the following:
Login to the CipherTrust Manager as ksadmin via serial console or SSH, and run the lunaCM factory reset command.
lunacm:> hsm factoryResetShort circuit the decommission jumper header on the PCI card. You can use the blade of a screwdriver, or other conductive tool to short-circuit the two pins of the decommission header, or you can connect a switch to the decommission header if desired. Power is not required to decommission the HSM, that is, you can decommission the HSM after removing it from the chassis. The following image shows the two-pin decommission jumper header location on the PCI card:
To Prepare a Thales TCT CipherTrust Manager k570 or Thales TCT CipherTrust Manager k160 Appliance for RMA
Ensure that all the sensitive information such as keys, backup keys, certificates, NAE users, and authorization policies are backed up at all times.
Login to the CipherTrust Manager as ksadmin via serial console or SSH.
Do the following:
Use the following command to delete a Root of Trust key from the Token HSM:
ksctl rot-keys delete --id <key_id> --forceRemove the HSM from the CipherTrust Manager GUI interface. From Admin Settings, go into HSM and remove the HSM. This will remove all key material, etc. from the device.
For k160 devices, be sure to include all the Token HSMs that are associated with the device in your package when shipping the k160 unit to Thales TCT. These Tokens are keyed to the device and cannot be used on another device.
