Migrating CTE Configuration from Data Security Manager
This section describes steps to migrate configuration of CTE resources from a Data Security Manager (DSM) to a CipherTrust Manager.
Before proceeding with migration:
Note that the password generation method of all client groups will be set to Generate after migration. If required, you can change the password method after migration. However, every client (standalone or in a client group) will retain its password and the password generation method as it is on the DSM.
Ensure that no nested GuardPoints exist on the DSM. CipherTrust Manager doesn't support nested GuardPoints with different policies. As a result, client groups' GuardPoints can't be created during migration.
To avoid key version mismatch on GuardPoints concerning DSM and CipherTrust Manager:
It is recommended to complete the end-to-end migration process in one go. Also, it is advised to pause or suspend LDT key rotation during migration.
If you plan to complete the migration later, make sure that you extend the expiration date of the existing keys on the DSM appropriately.
Prerequisites
A sufficient number of CipherTrust Transparent Encryption (CTE) licenses is available on the CipherTrust Manager for clients to register successfully. For example, if you want to migrate 100 clients from the Data Security Manager (DSM), then at least 100 CTE licenses must be free on the CipherTrust Manager. Refer to CTE Licensing Model for details.
DSM is up and running at the supported version. Refer to DSM documentation for details.
A supported CTE version is configured with a supported DSM version. Refer to the CTE Agent Quick Start Guide specific to your platform for details.
Note
If you are running an unsupported version, upgrade your environment to the supported version before proceeding. Refer to the corresponding product documentation for upgrade instructions.
Supported Versions
Current Setup
Product | Version |
---|---|
CTE | 7.1 and higher |
DSM | 6.4.5 and higher |
Note
For the migration of LDT GuardPoints, the LDT clients must be running CTE Agent 7.1.1.55 or higher.
Target Setup
Product | Version |
---|---|
CTE | 7.1 and higher |
CipherTrust Manager | 2.8 and higher |
Supported Resources
CipherTrust Manager supports migration of the following CTE resources from a DSM backup file:
Clients and client GuardPoints
Client groups and client group GuardPoints
Clients and client group associations
User sets, resource sets, process sets, signature sets, and signatures
Standard, Cloud Object Storage (COS), In-place Data Transformation (IDT), and Live Data Transformation (LDT) policies
Client logging, upload logging, and Syslog settings
LDT Quality of Service (QoS) and QoS schedules
Tip
Clients on the CipherTrust Manager are equivalent to hosts on the DSM.
Steps
To migrate the CTE configuration from the DSM to the CipherTrust Manager:
Export and Import the Backup File
Export and import the backup file. Refer to Exporting and Importing the Backup File for details.
Caution
To minimize interruption of CTE client access to CTE keys, include the optional parameter `auto-cte-groups` with the `ksctl migrations apply` import command. This parameter automatically detects CTE keys and grants the members of the CTE Clients group on CipherTrust Manager permission to access these keys.
After migration, verify that the DSM keys are successfully migrated into the CipherTrust Manager domain.
Verify Details of Migrated CTE Resources
On the CipherTrust Manager GUI, verify details of the migrated CTE resources.
The migrated resources can also be verified using the CTE reports available on the DSM and the CipherTrust Manager. Reports provide a comprehensive view of the migrated resources.
A number of reports are available for the combination of clients, policies, GuardPoints, and encryption keys. Use these reports to match and verify the number of resources and their types on the DSM and the CipherTrust Manager.
Both the DSM and the CipherTrust Manager provide options to download reports in CSV format, so if needed you can automate resource verification by parsing and comparing the report content.
Here is a mapping of CTE reports on the DSM and CipherTrust Manager to help verify migrated resources.
Resource | DSM Report | CipherTrust Manager Report |
---|---|---|
Clients | Hosts | Clients Health Report |
Policies | Policy Key | Policies Keys Report |
Policies | Policy Host | Clients Policies Report |
GuardPoints | GuardPoints | GuardPoints Report |
GuardPoints | Hosts with GuardPoint Status | Client GuardPoint Status Report |
Keys | Keys | Clients Keys Report |
Keys | Keys-Policy | Policies Keys Report |
Refer to Reports for details on CTE reports available on the CipherTrust Manager. Refer to the DSM online help for details on CTE reports available on the DSM.
Verifying GuardPoints Configuration
GuardPoints that are applied to a client through a client group are created in the background. The migration request returns after the initial validation of its parameters, and the migration proceeds with other operations while these GuardPoints are still being created.
Creation of some of these GuardPoints might therefore fail later in the background, for various reasons. Errors that occur in the background are not reflected in the migration status; they are recorded only in the audit records of the CipherTrust Manager. For this reason, verify the migration of CTE resources using the CTE reports rather than relying on the migration status alone.
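The report comparison suggested above (download both CSV reports, then match resources across them) can be scripted. The following example is added here and is not part of the CipherTrust Manager or DSM product code: it compares a DSM "GuardPoints" report with a CipherTrust Manager "GuardPoints Report" by (client name, GuardPoint path), flags GuardPoints that exist on the DSM but not on the CipherTrust Manager (for example, ones that failed in the background), and separately flags entries that would match only if client name case were ignored, which is the symptom of a client re-registered under a differently cased name. The CSV column names and the sample rows are constructed assumptions, since the exact report headers are not given on this page; the same approach applies to the other report pairs in the mapping table by changing the key columns.

```python
import csv
import io

# Constructed sample exports, NOT real report output. The column headers are
# assumptions: adjust them to the headers of your downloaded CSV reports.
DSM_GUARDPOINTS_CSV = """Host,GuardPoint,Policy
web01,/data/app,Std-Policy
db01,/var/lib/pg,LDT-Policy
db01,/backup,Std-Policy
"""

CM_GUARDPOINTS_CSV = """Client,GuardPoint,Policy
web01,/data/app,Std-Policy
DB01,/var/lib/pg,LDT-Policy
"""


def load_guardpoints(csv_text, client_col):
    """Index a GuardPoint report as {(client name, path): policy}.

    Keys are compared case-sensitively on purpose: CipherTrust Manager treats
    differently cased client names as different clients.
    """
    rows = csv.DictReader(io.StringIO(csv_text))
    return {(r[client_col], r["GuardPoint"]): r["Policy"] for r in rows}


def compare_guardpoints(dsm_csv, cm_csv):
    """Compare the DSM report against the CipherTrust Manager report.

    Returns the GuardPoints missing on the CipherTrust Manager, the subset of
    those that differ only by client name case, any policy mismatches, and the
    row counts of both reports.
    """
    dsm = load_guardpoints(dsm_csv, "Host")
    cm = load_guardpoints(cm_csv, "Client")
    missing = sorted(k for k in dsm if k not in cm)
    cm_folded = {(client.lower(), path) for client, path in cm}
    case_only = [k for k in missing if (k[0].lower(), k[1]) in cm_folded]
    policy_mismatch = sorted(k for k in dsm if k in cm and dsm[k] != cm[k])
    return {"missing": missing, "case_only": case_only,
            "policy_mismatch": policy_mismatch,
            "counts": (len(dsm), len(cm))}


if __name__ == "__main__":
    for key, value in compare_guardpoints(DSM_GUARDPOINTS_CSV,
                                          CM_GUARDPOINTS_CSV).items():
        print(f"{key}: {value}")
```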
Verifying Profiles Configuration
Every migrated client is linked with a profile (named `profile_<dsm-hostname>_<dsm-domain-id>`) on the CipherTrust Manager. The profile contains information related to client logs, Syslog settings, and QoS configuration. If multiple clients have the same configuration on the DSM, they are linked with a single profile on the CipherTrust Manager. The following mapping helps you verify migration of client logging, Syslog, and QoS configuration.
Resource | Location on DSM | Location on CipherTrust Manager |
---|---|---|
Message Type | Hosts > FS/VDE Agent Log | Not displayed on the CipherTrust Manager GUI. You can verify them using the /v1/transparent-encryption/profiles APIs. |
File Logging Settings | Hosts > FS/VDE Agent Log | Profiles > CLIENT LOGGING CONFIGURATION. Refer to Setting Client Log Configuration for details. |
Syslog Settings | Hosts > FS/VDE Agent Log | Profiles > SYSLOG LOGGING CONFIGURATION. Refer to Setting Client Syslog Configuration for details. |
Upload Logging Settings | Hosts > FS/VDE Agent Log | Profiles > CLIENT LOGGING CONFIGURATION. Refer to Setting Client Log Configuration for details. |
Duplicate Message Suppression Settings | Hosts > FS/VDE Agent Log | Profiles > CLIENT LOGGING CONFIGURATION. Concise Logging settings are also displayed here. Refer to Setting Client Log Configuration for details. |
LDT Quality of Service | Hosts > GuardPoints | Profiles > QUALITY OF SERVICE CONFIGURATION. Refer to Setting Quality of Service Configuration for details. |
QoS Schedules | Hosts > GuardPoints | Profiles > QUALITY OF SERVICE CONFIGURATION > QoS Settings. Refer to Setting Quality of Service Configuration for details. |
After you have successfully verified the CTE resources, proceed to the next step.
Register CTE Clients with the CipherTrust Manager
Ensure that the LDT GuardPoints, if any, are unguarded before re-registering the migrated CTE clients.
Register your CTE clients with the CipherTrust Manager. Refer to CTE Agent Quick Start Guide specific to your platform for details.
Caution
When registering a CTE client with the CipherTrust Manager, you must provide exactly the same client name with which that client was registered with the DSM before migration.
Client names are case-sensitive; make sure that the same case is used.
If a different name is provided, the CipherTrust Manager considers it as a new client. The configurations migrated from the DSM are not propagated to this new client on the CipherTrust Manager.
After the CTE clients are successfully registered with the CipherTrust Manager, the migrated configuration is propagated to the CTE clients.
Verify Access to GuardPoints
When the initialization of the CTE clients is successful and the configuration is pushed to them, verify whether the GuardPoints are accessible according to the enforced policies.
Limitations
CTE resources of Container policies on the DSM cannot be migrated to the CipherTrust Manager using the backup/restore method. The Container policies are supported only on the DSM.