Changing Client Password

Offline Password

CTE supports the offline password feature. This feature is designed to enable retrieval of the keys being used to protect data in a GuardPoint. When communication between the CipherTrust Manager and the CTE Agent are lost, the GuardPoint continues to encrypt/decrypt data with the current last known key and policy. However, if the communication is lost and the protected client is rebooted, the CTE Agent attempts to validate it using the latest keys and policies, but fails. Therefore, a password can be used by the isolated CTE Agent to retrieve the last known key and policy to enable the GuardPoint to continue with encryption/decryption operations. After the communication is re-established, any policy or key changes can be applied.

The offline password feature enables access to encryption keys that are stored locally on a client. This keeps the data secure when the CipherTrust Manager is inaccessible. To access the data, provide the offline password. Then, the CTE Agent encrypts/decrypts the guarded data according to the applied policy.

Password Types

The client password is initially set when the client is added to the CipherTrust Manager. Passwords can be set on a client-by-client or client group basis. The CipherTrust Manager supports two types of offline passwords:

• Manual (Static): A password is specified manually.

• Generate (Dynamic): A password is generated automatically by the CipherTrust Manager.

Changing the Password

You can change the password manually or dynamically. To change the password:

1. Open the Transparent Encryption application.

2. Click Clients > Clients.

3. Under Client Name, click the desired client.

   Alternatively, click the expand icon () to the left of the desired client in the clients list.

4. Click the desired tab to view the instructions.

   Change Password Manually

   1. From the Password Creation Method drop-down list, select Manual. The Regenerate Password button is replaced by Change Password.

      

   2. Click Change Password.

   3. Enter the new password in the Password and Confirm Password fields. The password must match in both the fields.

      Note

      The password must contain minimum eight characters including at :

      • One capital letter

      • One number

      • One of these special characters: ! @ # $ % ^ & * ( ) { } [ ]

      To cancel the password change, click Cancel Change Password.

   4. Click Apply.

   When changing a static password or modifying a client to use a static password instead of a dynamic password, provide the new static password to the client users. Without the password, they cannot access encrypted data when there is no network connection between the client and the CipherTrust Manager.

   The users can access the data stored in GuardPoints on the client by either running the vmsec password command or using the challenge-response method.

   Change Password Dynamically

   1. From the Password Creation Method drop-down list, select Generate. This is the default method.

   2. Click Regenerate Password.

   A new generated password is downloaded to the client.

   Note

   When modifying a client to use a dynamic password instead of a static password, inform the client users that challenge-response authentication is enabled and they need to run vmsec challenge on UNIX/Linux clients or select Password... on the Windows etray when the client cannot connect to the CipherTrust Manager.

Accessing GuardPoints in Offline Mode

This section is applicable to the CTE client administrators. This information is given here to show the end-to-end flow of the challenge-response process.

When the CipherTrust Manager is unreachable from a protected client, the data stored in GuardPoints on the client cannot be accessed without the challenge-response.

To access the GuardPoints in offline mode:

1. Log on to the offline CTE client.

2. Depending on your platform, do the following:

   • On UNIX/Linux, run the command, vmsec challenge.

     vmsec challenge
     Contact your CM administrator for assistance.
     Your hostname is 10.164.14.207
     Your challenge is: FHEH-ICPL-2MCZ-2AHI
     Response (part 1) ->
     

   • On Windows, select Password... on the Windows etray, then select Challenge... > Response.... The CipherTrust Transparent Encryption Challenge/Response dialog box is displayed, as shown below.

     

   Your CipherTrust Manager administrator will need the hostname of your client and the challenge shown above in the command output (for Linux/AIX) and in the screenshot (for Windows).

3. Contact your CipherTrust Manager administrator.

4. Provide the challenge (for example, FHEH-ICPL-2MCZ-2AHI) to the administrator.

   The CipherTrust Manager administrator generates responses in four parts on the CipherTrust Manager. Refer to Generating Response for a Challenge for details. Contact the CipherTrust Manager administrator for the response codes.

5. Enter the response (part 1 through 4) on the vmsec challenge command prompt (on Linux/AIX) or on the CipherTrust Transparent Encryption Challenge/Response dialog box (on Windows). The responses must be entered in the given order. For example:

   Response (part 1) -> STYB-JAZE-C2PB-6FLU
   Response (part 2) -> F7ME-R3MG-BQB5-5MXB
   Response (part 3) -> QN26-OA6F-5ZKA-T5LG
   Response (part 4) -> BI4Y-53AI-3OXZ-N2EC
   Success!
   

The client users can now access protected GuardPoints on the client.

Generating Response for a Challenge

To generate a response for a challenge:

1. Log on to the CipherTrust Manager GUI.

2. Open the Transparent Encryption application.

3. Click Clients > Clients.

4. Click the desired client.

5. Click the Challenge Response tab.

6. In the Challenge From the Client box, enter the challenge provided by the client administrator.

7. Click Submit.

A set of four responses (part 1 through 4) for the provided challenge is shown on the GUI. Provide those to the client administrator.