Managing Client Groups

A client group is used to group one or more clients to simplify configuration and administration. GuardPoints created on a client group are applied to all members of the group. Additionally, you can apply client group configuration settings to all clients in a client group. A client can be a member of multiple client groups.

CTE supports two types of client groups, clustered and non-clustered. A clustered client group contains clients that are members of a cluster with a cluster file system. A non-clustered client group contains members that are not members of a cluster. A client can be a member of multiple client groups. However, membership in a cluster group is exclusive, so a client that belongs to a cluster, cannot join another cluster group or client group.

If you have created a group of one type of clients, then you should only add similar clients to the group. Same configuration settings can only be applied to clients of the type with which the client group is created. If a different type of client is added, configuration settings cannot be applied to that client.

Creating a Client Group

To create a client group:

1. Open the Transparent Encryption application.

2. Click Clients > Client Groups.

3. Click Create Client Group. The General Info screen of the Create Client Group wizard is displayed.

Add General Info

On the General Info screen:

1. Specify a unique Name for the client group.

2. Select the Cluster Type. The options are:

   • NON CLUSTER: Create a non-clustered client group.

   • HDFS: Create a clustered client group. An HDFS client group is required to apply GuardPoints on CTE clients in an HDFS cluster.

3. Set the Password Generation Method. The options are:

   • Generate: A password is generated automatically by CipherTrust Manager. This is the default method.

   • Manual: Set the password manually.

     1. Select Manual.

     2. Enter the new password in the Password and Confirm Password fields. The password must match in both fields.

     Note

     The password must contain minimum eight characters including at least:

     • One capital letter

     • One number

     • One of these special characters: ! @ # $ % ^ & * ( ) { } [ ]

   Refer to Changing Client Group Password for details.

4. Select NON CLUSTER as the Cluster Type. CTE UserSpace does not support HDFS client groups.

5. (Optional, if a profile already exists) From the Client Profile drop-down list, select the desired client profile. The default profile is DefaultClientProfile.

   If the DefaultClientProfile does not exist, it is created as soon as the first client group is created.

6. (Optional) Provide Description to identify the client group. The maximum length can be 256 characters.

   

7. (Optional) Specify whether to enable the client's communication with the CipherTrust Manager. Select Communication Enabled to enable, clear to disable communication. By default, the communication is disabled.

8. Click Next. The Add Clients screen is displayed.

Add Clients (Optional)

Optionally, you can add clients to the group. The Add Clients screen shows the list of clients added to the CipherTrust Manager.

On the Add Clients screen:

1. Select the clients to be added to the group. Filter the clients by using the Client Name text box.

   If no client exists, you can add one by clicking Create Client. Refer to the Adding Clients Manually. The newly created client is added to the clients list.

2. Click Next. A dialog box is displayed asking you to confirm inheritance settings.

3. Confirm whether the selected clients should inherit settings from the client group. The options are:

   • Inherit Client Group Settings: This is the default and recommended option. Clients inherit the following properties of the group except the password:

     • Client Settings

     • Agent Lock

     • System Lock

     • Communication Enabled

     • Profile Settings

     • QoS Settings

     • GuardPoints

     Refer to Inheritance of Client Group Settings for details.

   • Do not Inherit Client Group Settings: Clients retain their individual settings. Selecting this option can introduce configuration conflicts. This is not the recommended option. Read the instructions carefully before selecting this option.

   Note

   When a client is added to a client group, the password generation method of the client remains unchanged. However, when the client group's password or password generation method is updated in the future, this change is applied to all the clients in the client group. This is true irrespective of whether the clients inherit settings from the client group or not.

4. Click OK. The Add GuardPoint screen is displayed.

Add GuardPoints (Optional)

Optionally, you can create GuardPoints on the manually added client. CTE supports creation of all types of supported GuardPoints on such clients.

On the Add GuardPoint screen:

1. Click Create GuardPoint. The Add GuardPoints > Create GuardPoints screen is displayed.

2. Select a Policy. The Select Policy dialog box displays the available policies.

3. Select the desired policy.

   If no policy exists, you can create one by clicking Create Policy. Refer to Creating Policies > Creating Policies for details.

4. Click Select. The selected policy appears in the Policy field.

5. Specify the Type of the GuardPoint. Refer to Automatic and Manual GuardPoints for details on types of GuardPoints.

6. (COS GuardPoints only) Select the Cloud Storage Type. CTE UserSpace does not support COS GuardPoints.

7. Specify the Path (or URL for a COS GuardPoint) to be protected. Refer to Managing GuardPoints for details.

8. Configure Preserve Sparse Region, Secure Start, and/or Auto Mount as appropriate. he options vary based on the selected policy.

   The Multifactor Authentication option is unavailable for manually added clients.

9. Click Create. The newly created GuardPoint appears in the list.

   To remove a GuardPoint, click Remove corresponding to it.

10. Click Next. The Confirmation screen is displayed.

Confirmation

On the Confirmation screen:

1. Verify the client group details. The Confirmation screen displays general information about the client group, the list of clients in it, and details of the GuardPoints added to the group.

   If the details are incorrect or you want to modify them, click Back and update the details.

2. Click Create.

The newly created client group appears in the client groups list.

Adding Clients to a Client Group

Clients can be added a client group either manually or by specifying the group when registering clients with the CipherTrust Manager. If you specify a client group during client registration, the client automatically appears under the client group on the CipherTrust Manager GUI. Refer to the CTE Agent Clients Guide for information on the registration process.

When protecting an HDFS cluster, the CTE clients with the HDFS configuration must be added to an HDFS client group on the CipherTrust Manager.

To manually add clients to a client group:

1. Open the Transparent Encryption application.

2. Click Clients > Client Groups.

3. Under Client Group Name, click the expand icon () to the left of the desired client group.

   Note

   Select an HDFS client group if the CTE client to be added is in an HDFS cluster.

   Alternatively, click the desired client group and click the Membership tab.

4. Click Add Client. The Add Client to Client Group <ClientGroupName> dialog box is displayed with the list of available clients, if any. At least, one client must already exist.

   

5. Select the desired clients.

6. Click Add. A dialog box is displayed asking you to confirm settings inheritance.

7. Confirm whether the selected clients should inherit settings from the client group. The options are:

   • Inherit Client Group Settings: This is the default and recommended option. Clients inherit the following properties of the group except the password:

     • Client Settings

     • Agent Lock

     • System Lock

     • Communication Enabled

     • Profile Settings

     • QoS Settings

     • GuardPoints

     Refer to Inheritance of Client Group Settings for details.

   • Do not Inherit Client Group Settings: Clients retain their individual settings. Selecting this option can introduce configuration conflicts. This is not the recommended option. Read the instructions carefully before selecting this option.

   Note

   When a client is added to a client group, the password generation method of the client remains unchanged. However, when the client group's password or password generation method is updated in the future, this change is applied to all the clients in the client group. This is true irrespective of whether the clients inherit settings from the client group or not.

8. Click OK.

The selected clients are added to the group. They are displayed in the mini view and on the Membership tab of the client.

Displaying Client Groups

To view the list of client groups:

1. Open the Transparent Encryption application.

2. Click Clients > Client Groups. The list of available client groups is displayed.

   

   The client groups list shows the following details:

   Column	Description
   Client Group Name	Name link of the client group on CipherTrust Manager. Click the link to open client group details in edit mode. The edit mode shows additional details and configuration settings. In the edit mode, you can also view and add clients, GuardPoints, and Client Group Settings.
   Created At	When the client group is created.
   Cluster Type	Cluster type of the client group. • NON CLUSTER: A non-clustered client group. • HDFS: A clustered client group.
   Description	(Optional) Description to identify the client group.
   Sharing	Sharing status of the client group. • External: The client group is external to the current domain. The client group is created and shared from another domain. • Shared: The client group is shared across other domains. The current domain is the native domain of the client group. • -: The client group is neither Shared nor External. The field is left blank for client groups that were created on a previous version of the CipherTrust Manager. Such client groups can also be shared across domains. Refer to Sharing a Client Group Across Domains for details.
   Native Domain	Name of the native domain of the client group. If the client group is not external, the current domain is the native domain of the client group.

Modifying Client Groups

After you have created a client group, you can update group details and configuration settings. You can make the following changes:

• Enable or disable Agent communication for the clients in the group

• Lock or unlock the CTE Agent files on the clients in the group

• Change the CTE Agent password for the clients in the group

• Change the linked profile

• Add new clients to the group

• Remove clients from the group

• Share the group across domains

• Remove the group sharing from a domain

The cluster type of a client group cannot be modified after it is created.

To modify a client group:

1. Open the Transparent Encryption application.

2. Click Clients > Client Groups.

3. Under Client Group Name, click the expand icon () to the left of the desired client group.

   

4. Modify the required details:

   • Unlock: Unlock Agent Lock and System Lock.

   • Agent Lock: Lock the contents of the CTE Agent directories on the clients.

   • System Lock: Apply an internal policy to the clients to lock system directories like /var, /bin, and /etc. Enabling System Lock automatically enables Agent Lock.

   • Communication Enabled: Whether to enable clients' communication with the CipherTrust Manager. Select to enable, clear to disable communication.

   • Live Data Transformation: Initiates the suspend/resume rekey operation on LDT protected GuardPoints on LDT clients in the group. By default, the rekey operation is initiated. However, to get the actual state of the rekey operation, check the status on individual clients.

     • To suspend the LDT rekey operations, click the Suspend Live Data Transformation icon (). The icon changes to Resume Live Data Transformation ().

     • To resume the LDT rekey operations, click the Resume Live Data Transformation () icon. The icon changes to Suspend Live Data Transformation icon ().

     Note

     When or is clicked, an error is generated on non-LDT clients in the client group. To view the error details, go to Records > Server Records on the CipherTrust Manager GUI.

   • Password Creation Method: Set the password creation method — Generate or Manual. Refer to Changing Client Group Password for details.

   • Client Profile: Select a profile for the client group. The default profile is DefaultClientProfile. To change the client profile, refer to Changing the Profile for details.

5. Click Apply.

Additionally, you can define GuardPoints for the clients in the group. Refer to Managing GuardPoints.

Removing Multiple Clients from a Client Group

As part of the CipherTrust Manager maintenance, you occasionally need to remove clients from their client groups.

To remove clients from a client group:

1. Open the Transparent Encryption application.

2. Click Clients > Client Groups.

3. Under Client Group Name, click the expand icon () to the left of the desired client group.

   Alternatively, click the desired client group and click the Membership tab.

4. Select the clients that you want to remove from the group.

   To select all clients visible on the page, select the top check box to the left of the Status heading.

5. Click the delete icon ().

   A warning message appears stating that deleting the selected clients is permanent and cannot be undone.

6. Click Delete.

The selected clients are removed from the client group. Also, the client group is removed from the Membership tab of the linked clients.

Removing a Client from a Client Group

As part of the CipherTrust Manager maintenance, you occasionally need to remove a client from its client group.

To remove an individual client from a client group:

1. Open the Transparent Encryption application.

2. Click Clients > Client Groups.

3. Under Client Group Name, click the expand icon () to the left of the desired client group.

   Alternatively, click the desired client group and click the Membership tab.

4. Select the client that you want to remove from the group.

5. Click the delete icon ().

   Alternatively, click the overflow icon (), and click Remove. When prompted, click Remove.

   A warning message appears stating that deleting the selected clients is permanent and cannot be undone.

6. Click Delete.

The selected client is removed from the client group. Also, the client group is removed from the Membership tab of the client.

Changing the Profile

To change the profile:

1. Open the Transparent Encryption application.

2. Click Clients > Client Groups.

3. Under Client Group Name, click the expand icon () to the left of the desired client group.

4. Next to Client Profile, click the profile link (for example, DefaultClientProfile). The Select Profile dialog box shows the current client profile, Log Level, Rekey Option, Rekey Rate, and Schedule of the selected profile.

   

5. From the Profile drop-down list, select the desired profile.

6. Click OK. The selected profile is linked successfully.

Changing Client Group Password

The CipherTrust Manager allows for client password management using client groups. For large scale deployments where the CipherTrust Manager must manage several hundreds or thousands of agents, administering passwords on a per-client basis becomes untenable and burdensome. Using a common password across all the clients in a client group mitigates the administrative burden.

This feature is also useful for offline agent recovery. If a remote agent reboots (planned or unplanned) and cannot communicate with the CipherTrust Manager in the central office, it prompts the administrator at the remote site to enter the client password. The remote site administrator typically calls the corporate help desk for the password. Using the password provided by the help desk personnel, the remote site administrator enables offline agent recovery and the resumption of services. As the password is now known to the remote site administrator and the help desk personnel, it may result in a breach of security and/or render the IT operations non-compliant with respect to guaranteeing data privacy.

To remedy the compromised situation, the security administrators should change the password (rotate the password) according to existing security practices. The client group password management feature allows changing the password on all the clients in the client group when the password is compromised.

The use cases for client group password feature can be summarized as follows:

1. Set a common password for all clients in a client group.

2. Reset the common password for all clients in a client group (if the password is provided to a remote CTE Agent administrator for offline agent recovery).

This feature is best suited for large scale deployments when many agents are under the management of a CipherTrust Manager cluster.

Changing the Password Manually

To change the password:

1. Open the Transparent Encryption application.

2. Click Clients > Client Groups.

3. Under Client Group Name, click the expand icon () to the left of the desired client group.

   

4. From the Password Creation Method drop-down list, select Manual. The Regenerate Password button is replaced by Change Password.

   

5. Click Change Password.

6. Enter the new password in the Password and Confirm Password fields. The password must match in both the fields.

   The password must contain minimum eight characters including at least:

   • One capital letter

   • One number

   • One of these special characters: ! @ # $ % ^ & * ( ) { } [ ]

   To cancel the password change, click Cancel Change Password.

7. Click Apply.

When the new password is applied, the server pushes the password to all clients in the client group. Clients that are removed from the client group retain the password set for the group. Clients added to the group later do not receive the new password.

Changing the Password Dynamically

To change the password:

1. Open the Transparent Encryption application.

2. Click Clients > Client Groups.

3. Under Client Group Name, click the expand icon () to the left of the desired client group.

   

4. From the Password Creation Method drop-down list, select Generate. This is the default method.

5. Click Regenerate Password.

6. Click Apply.

A new generated password is downloaded to the client.

Inheritance of Client Group Settings

Instead of specifying settings for applications running on multiple clients individually, configure them at the client group level. Those settings can be automatically applied to all clients in the group. Refer to Client Settings for details on client settings.

• A client that joins a client group can opt to inherit client group configuration including the client settings.

  • If the client settings are not defined at the group level, the client retains its own settings.

  • If the client settings at the group level are modified later, the updated settings apply to all group members that inherit configuration from the group.

  • Individual clients in the group have client settings overwritten by the group's client settings.

  For example:

  1. clientA has client settings defined, joins clientGroup1 and inherits its group configuration. clientB also joins clientGroup1 but does not inherit its group configuration. clientGroup1, however, does not have any client settings defined. In this case, both clientA and clientB retain their own client settings.

  2. Now, client settings of clientGroup1 are modified. This overwrites the client settings of all clients that inherit group configuration from clientGroup1. So clientA inherits the modified group configuration but clientB does not, as it does not inherit client group configuration.

  3. clientB is modified to inherit settings from clientGroup1. The next time clientGroup1 updates its client settings, the changes apply to both clientA and clientB.

• A client can be a member of more than one client groups. If the client inherits client group configuration from the first client group it joins, and the next groups it joins subsequently, the client inherits the client settings from the last group that it joins.

  For example:

  1. clientC joins clientGroup2 and inherits the client group configuration. clientC now has clientGroup2 client settings.

  2. clientC is added to clientGroup1 and set to inherit client group configuration. So, clientC gets clientGroup1 client settings.

• If client settings of a client group are emptied, member clients that inherit settings from the group retain the last defined client settings.

  For example:

  1. clientGroup1 deletes its client settings. All member clients (clientA, clientB, and clientC) retain the last client settings defined for clientGroup1— blank client settings are not passed to members of the group.

  2. clientB leaves clientGroup1. Now, clientB retains the client settings it last inherited from clientGroup1.

• If the client settings of a member of a client group are modified, that client no longer inherits client settings from the client group.

For example, client settings on clientB are modified. Then, the client settings for clientGroup1 are modified, all members except clientB inherit the changes made to the client settings for clientGroup1.

Configuring Client Group Settings

To configure client settings at group level:

1. Open the Transparent Encryption application.

2. Click Clients > Client Groups.

3. Under Client Group Name, click the desired client group.

4. Click the Client Group Settings tab. Scroll down the screen, if needed.

   

5. In the Settings text box, add |authenticator| before the path of the binary. For example, |authenticator|/bin/su to allow su to be a trusted method of authentication. For further consideration of authentication options, refer to Client Settings.

6. (Optional, if you add another process to the set of trusted applications) Enable Re-sign Settings to ensure that the new process is signed and authenticated by the client. The next time the client settings are pushed to the CTE Agent, the updated client settings are re-signed and the Re-sign Settings toggle is disabled (or reset).

   If, after adding a new process, you do not enable Re-sign Settings, the client ignores the newly added process. See Re-Sign Settings for more information.

7. Click Apply.

Deleting Client Groups

As part of the CipherTrust Manager maintenance, you occasionally should remove client groups from the CipherTrust Manager.

• When you delete a client group, only the group is removed from the CipherTrust Manager GUI. Individual clients that are members of the group remain intact.

• If you configured a client group password, the individual clients retain the group password.

Deleting a Client Group

To remove a client group:

1. Make sure that no GuardPoints is applied on the group.

2. Open the Transparent Encryption application.

3. Click Clients > Client Groups.

4. Under Client Group Name, click the overflow icon () corresponding to the desired group.

   Alternatively, select the check box corresponding to the desired group, click the delete icon (), and click Delete.

5. Click Delete. A dialog box appears prompting to confirm the action.

6. Click Delete.

The client group is removed from the client groups list. Also, the client group is removed from the Membership tab of the linked clients.

Deleting Multiple Client Groups

The CipherTrust Manager provides an option to delete multiple client groups.

To remove multiple client groups:

1. Make sure that no GuardPoints is applied on the group to be deleted.

2. Open the Transparent Encryption application.

3. Click Clients > Client Groups.

4. Under Client Group Name, select the check boxes corresponding to the desired groups.

   To select all client groups visible on the page, select the top check box to the left of the Client Group Name heading.

5. Click the delete icon ().

   A warning message appears stating that deleting the selected client groups is permanent and cannot be undone.

6. Click Delete.

The client groups are removed from the client groups list. Also, the client groups are removed from the Membership tab of the linked clients.

Sharing a Client Group Across Domains

A shared client group will be visible in read-only mode in all the domains where it is shared. The GuardPoints can be created on the shared client group from any of the linked domains. These GuardPoints will be visible in read-only mode in all the linked domains except their native domains (where the GuardPoints are created). All the valid operations on the GuardPoints will be allowed from the native domains.

Clients can be added to the shared client group from all the linked domains (including the native domain). All the GuardPoints added to the client group (from all the domains) will be propagated to the clients in the group.

Propagation of client settings and other configuration (like LDT suspend/resume) is passed on to all the clients in the group irrespective of the domain.

To share a client group across domains:

1. Open the Transparent Encryption application. The Clients page is displayed. This page lists the clients added to this CipherTrust Manager appliance.

2. Click Clients > Client Groups.

3. Under Client Group Name, click the desired client group.

4. In the mini detail view, select Domain Sharing.

   Alternatively, to enable domain sharing on a client group, click the expand icon () corresponding to the desired group, select Domain Sharing in the mini detail view, and click Apply.

5. Click Apply. Now, the Sharing tab is displayed.

6. On the Sharing tab, click Share With Other Domains. The Share With Other Domains dialog box is displayed.

7. Under Domain Name, select the domains with which you want to share the client group. The dialog box also provides an option to select all the domains, if required.

8. Click Share.

The client group is shared across selected domains of the CipherTrust Manager.

Removing Group Sharing from Domains

Removing Individual Domains

To remove group sharing from a domain:

1. Open the Transparent Encryption application. The Clients page is displayed.

2. Click Clients > Client Groups.

3. Under Client Group Name, click the desired client group. The detail view of the Client Groups page is displayed.

4. Click the Sharing tab.

5. Under Domain Name, select the check box corresponding to the desired domain.

6. Click Remove. A dialog box appears stating that deleting the selected domain is permanent and cannot be undone.

7. Click Delete.

The client group is no longer shared with the selected domain.

Removing Multiple Domains

To remove group sharing from multiple domains:

1. Open the Transparent Encryption application. The Clients page is displayed.

2. Click Clients > Client Groups.

3. Under Client Group Name, click the desired client group. The detail view of the Client Groups page is displayed.

4. Click the Sharing tab.

5. Under Domain Name, select the check box corresponding to the desired domains. To select all domains visible on the page, select the top check box to the left of the Domain Name heading.

6. Click the delete icon (). A dialog box appears stating that deleting the selected domains is permanent and cannot be undone.

7. Click Delete.

The client group is no longer shared with the selected domains.