Microsoft Azure Stack Deployments
Azure Stack provides hybrid cloud platforms on which you can deploy Virtual CipherTrust Manager instances reachable from both private and public networks. You can deploy Virtual CipherTrust Manager on Azure Stack hyperconverged infrastructure (HCI) or on Azure Stack Hub.
Prerequisites
The Virtual CipherTrust Manager VHDX image file, available from the Thales customer support portal.
A Microsoft account with access to Azure Stack HCI or Azure Stack Hub.
For Azure Stack HCI Deployments, a configured cluster is necessary.
Minimum Requirements
To deploy a CipherTrust Manager instance, the following minimum requirements apply:
System volume: 100 GB
Memory: 16 GB
vCPUs: 2
NICs: 1
Note
These minimum system requirements are for a system with light to moderate load. For applications that heavily load the system, additional memory and CPU allocation are required. The system volume holds all data as well as backups.
Where applicable, we provide some recommended starting values in the deployment steps.
Azure Stack HCI Deployment
Download and install the Windows Desktop Client.
In the Desktop Client main page, select Subscribe and enter your Microsoft account name.
Select Jump Box to start the remote connection. Enter your Microsoft account credentials when prompted.
In a browser, log in to the Windows Admin Center with your Microsoft account.
On the Windows Admin Center home screen, under All connections, select the desired cluster.
Navigate to Volumes > Files & file sharing and upload the Virtual CipherTrust Manager VHDX file.
From the home screen, navigate to Tools > Virtual machines.
Select the Inventory tab, then select Add and New.
Provide the necessary values for the new virtual machine (VM).
Enter a Name.
Ensure Generation 1 is selected for the Generation.
Under Host, select the desired host server.
Under Path, choose a folder on the Jump Box file system to save the VM configuration and virtual hard disk files to.
Under Virtual processors, select the number of virtual processors. We recommend 4 processors.
Virtual CipherTrust Managers launch in Community Edition, a trial mode which only allows up to four processors. You must purchase and apply a k470 license to use more than four processors.
Under Memory, select the amount of startup memory, and a minimum and maximum range of dynamic memory. We recommend 4 GB as a minimum for startup memory; set the maximum dynamic memory to at least the 16 GB stated in the minimum requirements so the VM can grow into it under load.
Under Network, select a virtual switch.
Under Storage, click Add and Browse. Navigate to the Virtual CipherTrust Manager VHDX file, and select it.
Select Create to create the VM.
Start the VM. In the Virtual Machines list, hover over the new VM, enable the checkbox for it on the left, and select Start. Watch the State column to verify that the VM is Running.
Proceed to connect to the launched Virtual CipherTrust Manager.
Azure Stack Hub Deployment
In a browser, log in to the Azure Stack Hub portal with your Microsoft account.
Select Storage Account. Choose an appropriate storage account.
Under Blob service, select Containers. Create a new container or select an existing one.
Select Upload.
The Upload blob box opens on the right side of the browser.
Navigate to the Virtual CipherTrust Manager VHDX file on your local system, select it, and click Upload.
Search for "images" to navigate to the Images page.
Select Add.
Provide the necessary values for the new image:
Select a Subscription.
Select a Resource group.
Enter a Name.
Select a Region.
For the OS Type, select Linux.
For Storage blob, browse in Storage accounts > Containers to the Virtual CipherTrust Manager VHDX file, and select it.
For the Account Type select Standard HDD.
Select Review + Create, and then Create.
Once the deployment is complete, select Go to resource.
Select + Create VM.
Note
If you wish to use cloud-init to apply settings before launch, you must deploy the VM with REST, PowerShell, or Azure CLI rather than the portal, as described in the Azure Stack Hub documentation. A cloud-init deployment is recommended so that the Virtual CipherTrust Manager instance is encrypted at launch time, ensuring its installation secrets are never written to disk unencrypted.
Provide the necessary values for the new virtual machine (VM), keeping the default values for other fields:
Provide a Name
Select a Size. We recommend 4 CPUs and 16 GB RAM.
For OS disk type, select Standard HDD.
Under Administrator account, keep the Authentication type as SSH Public Key. Change the Username to ksadmin, and paste in your SSH public key.
Note
We support OpenSSH format for the public key, and OpenSSH, PKCS1, or PKCS8 format for the private key. The supported key algorithm is RSA. We recommend RSA 4096, with RSA 2048 as the minimum size for adequate security. You can generate this key pair using PuTTYgen or a similar utility; if you use PuTTYgen, export the private key in OpenSSH or PEM format rather than its native .ppk format. Store the key pair in a safe location. You will need the private key for future SSH access as ksadmin.
For Select inbound ports, enable HTTP (80), HTTPS (443), and SSH (22). Where possible, restrict the source address ranges of these rules to your management networks rather than exposing them to the Internet.
Select Review + Create, and then Create.
Proceed to connect to the launched Virtual CipherTrust Manager.
Connect to the Launched Virtual CipherTrust Manager
In the Azure Stack HCI or Azure Stack Hub interface, use the Connect option to navigate to the launched VM. You can see the CipherTrust Manager web console GUI, and the IP/Hostname.
If you have not provided an SSH key before launching, you are prompted to replace the default SSH Public Key.
As the initial KeySecure admin (ksadmin) you must paste in your SSH Public Key in the box provided and then select Add.
Note
We support OpenSSH format for the public key, and OpenSSH, PKCS1, or PKCS8 format for the private key. The supported key algorithm is RSA. We recommend RSA 4096, with RSA 2048 as the minimum size for adequate security. You can generate this key pair using PuTTYgen or a similar utility; if you use PuTTYgen, export the private key in OpenSSH or PEM format rather than its native .ppk format. Store the key pair in a safe location. You will need the private key for future SSH access as ksadmin.
After replacing the default SSH Public Key, the Log In screen appears. For more options to replace the default SSH Public Key, see Starting Services After Deployment.
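Before pasting a key into the ksadmin field (either at deployment time on Azure Stack Hub or at the first-launch prompt described above), it is worth checking that it actually satisfies the stated policy: OpenSSH format, RSA algorithm, 2048-bit minimum, 4096-bit recommended. The following is an added example, not code from the CipherTrust Manager product or its documentation. It decodes the OpenSSH public-key wire format (RFC 4251 length-prefixed strings) to read the modulus size, and identifies the private-key container by its PEM header. The sample keys it builds are constructed for testing (the RSA modulus is a fixed bit pattern, not a product of primes) and must never be used for real access.

```python
import base64
import struct

# Key-size policy from the deployment notes: RSA only, 2048-bit minimum, 4096-bit recommended.
MIN_RSA_BITS = 2048
RECOMMENDED_RSA_BITS = 4096


def _read_string(blob: bytes, offset: int):
    """Read one RFC 4251 'string' (uint32 length prefix + bytes) from an SSH wire blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset:offset + length], offset + length


def _write_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _write_mpint(value: int) -> bytes:
    """Encode a positive integer as an RFC 4251 mpint (leading 0x00 if the top bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _write_string(raw)


def inspect_public_key(line: str) -> dict:
    """Parse an OpenSSH public-key line and decide whether it meets the ksadmin key policy."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected OpenSSH format: '<type> <base64> [comment]'")
    key_type, blob_b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError as exc:
        raise ValueError("key blob is not valid base64 (is this a PuTTY .ppk or a PEM file?)") from exc
    wire_type, offset = _read_string(blob, 0)
    if wire_type != key_type.encode():
        raise ValueError(f"type prefix {key_type!r} does not match blob type {wire_type!r}")
    if wire_type != b"ssh-rsa":
        return {"algorithm": key_type, "bits": None, "accepted": False,
                "reason": "only RSA keys are supported"}
    _exponent, offset = _read_string(blob, offset)   # public exponent e, not policy-relevant here
    modulus, _ = _read_string(blob, offset)          # modulus n; its bit length is the key size
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits < MIN_RSA_BITS:
        reason = f"RSA modulus is {bits} bits; minimum is {MIN_RSA_BITS}"
    elif bits < RECOMMENDED_RSA_BITS:
        reason = f"accepted, but {RECOMMENDED_RSA_BITS}-bit RSA is recommended"
    else:
        reason = "meets the recommended key size"
    return {"algorithm": key_type, "bits": bits, "accepted": bits >= MIN_RSA_BITS, "reason": reason}


def classify_private_key(text: str) -> str:
    """Name the private-key container format from its first line (supported: openssh, pkcs1, pkcs8)."""
    first = text.strip().splitlines()[0] if text.strip() else ""
    if first.startswith("-----BEGIN OPENSSH PRIVATE KEY-----"):
        return "openssh"
    if first.startswith("-----BEGIN RSA PRIVATE KEY-----"):
        return "pkcs1"
    if first.startswith("-----BEGIN PRIVATE KEY-----"):
        return "pkcs8"
    if first.startswith("PuTTY-User-Key-File-"):
        return "ppk (not supported; export from PuTTYgen as OpenSSH or PEM)"
    return "unknown"


def make_rsa_public_key_line(bits: int, comment: str = "ksadmin@ctm") -> str:
    """CONSTRUCTED ssh-rsa line for exercising the parser: e=65537 and a modulus of
    2**(bits-1) + 1, which has the requested bit length but is not a real RSA key."""
    blob = _write_string(b"ssh-rsa") + _write_mpint(65537) + _write_mpint((1 << (bits - 1)) | 1)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def make_ed25519_public_key_line(comment: str = "ksadmin@ctm") -> str:
    """CONSTRUCTED ssh-ed25519 line (32 placeholder key bytes) to show non-RSA keys are rejected."""
    blob = _write_string(b"ssh-ed25519") + _write_string(bytes(range(32)))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    for line in (make_rsa_public_key_line(4096), make_rsa_public_key_line(2048),
                 make_rsa_public_key_line(1024), make_ed25519_public_key_line()):
        print(inspect_public_key(line))
```

To check a real key, pass the contents of your .pub file to inspect_public_key and the private-key file to classify_private_key; a "ppk" or "unknown" result for the private key means it must be re-exported before it can be used for SSH access to the appliance.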
Log in using the initial default credentials: Username = admin, Password = admin.
Note
If the default credentials do not work, you may need to retrieve an autogenerated password, as described in Changing the Initial Password.
You are prompted to change the password. Enter a new password that satisfies the default Password Policy:
Min length: 8
Max length: 30
Min number of upper case characters: 1
Min number of lower case characters: 1
Min number of digits: 1
Min number of other characters: 1
A new Login screen appears.
Using your new password, log in again. The CipherTrust Manager Web Page appears.
At this point, it's strongly recommended to configure an NTP server.
Navigate to Admin Settings > NTP.
Enter an NTP server hostname.
For an authenticated NTP server, enter the symmetric key value in the NTP Key field.
Click the +Add NTP Server button.
See Network Time Protocol Server Configuration for more details.
Congratulations! You have successfully deployed your Virtual CipherTrust Manager.
If you did not apply disk encryption with cloud-init, you can apply it after first launch with ksctl. Because installation-specific secrets are generated the first time a Virtual CipherTrust Manager instance is launched, it is recommended that the instance be encrypted at launch time to ensure these secrets are never exposed unencrypted.
Note
Virtual CipherTrust Manager launches in Community Edition, with some restrictions on functionality. You can activate a 90-day trial evaluation for full functionality. To activate your instance with a trial evaluation, or with a term or perpetual license, see Licensing.