Licensing
Overview
CipherTrust Manager (available as virtual and physical appliances) uses the Entitlement Management System (EMS) to manage license purchases. The system allows you to activate new features and manage existing licenses for the CipherTrust Manager appliance and Connectors.
Important points to review before proceeding:
- CipherTrust Manager release v2.8.0 introduces licensing support for CTE Kubernetes (K8s) clients.
CipherTrust Manager Licenses
Physical CipherTrust Manager appliances are licensed out of the box whereas virtual appliances require their own licenses.
Virtual CipherTrust Manager instances start in Community Edition when first launched, without a Virtual CipherTrust Manager license. You require the Virtual CipherTrust Manager license to access some administrative features. You can apply a 90-day trial evaluation or purchased license to access all features.
CipherTrust Manager licenses are node locked. Every node in a CipherTrust Manager cluster requires a separate license.
Every clone of a CipherTrust Manager appliance requires a separate license.
If you redeploy a CipherTrust Manager, the license can be recovered with assistance from customer support. Virtual CipherTrust Managers restored from snapshots do not need new licenses.
Licenses are activated with the the Key Manager Lock Code.
The k170v model is limited to 4 or fewer CPUs. The k470v license allows for more than 4 CPUs.
Consult Virtual CipherTrust Manager Licensing Model for more information on license management.
Connector Licenses
Virtual CipherTrust Manager instances start without any Connector licenses. You can apply a 90-day trial evaluation to test most Connectors.
CipherTrust Manager enforces Connector licenses through self-service License Portal on the Sentinel platform. Registering new clients, adding new cloud enforced entities, running new scans and generating new reports, and enabling KMIP client communications require active Connector licenses on the CipherTrust Manager appliance.
For details about what operations add to the license count for a particular connector, consult the licensing model page for that product:
In a CipherTrust Manager cluster, the Connector Lock Code is applicable to all nodes of the cluster to enforce Connector licenses across the cluster nodes. When a Connector license is activated for one CipherTrust Manager appliance, the license is replicated to all nodes of the cluster.
To move a Connector license from one CipherTrust Manager cluster to another, revoke the Connector license on one cluster by contacting Thales Customer Support. Then, reactivate the license using the second cluster's Connector Lock Code. The new license string should be uploaded to the second CipherTrust Manager cluster.
If you redeploy a Virtual CipherTrust Manager, Connector licenses can be recovered. Virtual CipherTrust Managers restored from snapshots do not need new licenses.
Community Edition and Trial Evaluation
Every new Virtual CipherTrust Manager instance is deployed as Community Edition. This is a free mode without any Virtual CipherTrust Manager license applied. Virtual CipherTrust Managers also do not have any connector licenses at time of launch.
Community Edition has some limitations on administration features, mostly limiting creation of new resources and configurations. As well, you require licenses for individual client Connector applications to perform Connector operations.
You can start a 90 day trial evaluation of all administration features and most Connectors, or apply purchased licenses.
Customer Support for Community Edition and Trial Licenses
Customers with a valid Virtual CipherTrust Manager license and support contract can contact the Thales Customer Support Channel for specific questions about Community Edition. Prospective customers can also arrange Sales Engineering support.
In addition, there is a public Community Forum where Thales product management, sales engineering, and engineering groups can answer questions about Community Edition and CipherTrust Manager in general.
Note
Questions posted through Community Forum are not subject to any Service Level Agreement (SLA) or response time from Thales.
Community Edition Behavior with Firmware Upgrade, Downgrade, Restoring a Backup, and System Reset
Community Edition CipherTrust Managers respond to state changes in the following ways:
Upgrading or downgrading a CipherTrust Manager in Community Edition results in a CipherTrust Manager with no Virtual CipherTrust Manager license. If the version after upgrade or downgrade is 2.8 or higher, the CipherTrust Manager displays as Community Edition.
Resetting a CipherTrust Manager in Community Edition, wipes all data, and the CipherTrust Manager remains in Community Edition mode.
You can freely exchange backups between licensed and Community Edition CipherTrust Managers. Restoring a backup from a licensed CipherTrust Manager to a Community Edition CipherTrust Manager results in limited resources being imported and available to edit.
Community Edition generally restricts creating certain new resources, and allows restoring existing resources. Restoring a backup can be a good strategy to bring production resources from a fully licensed CipherTrust Manager into a test Community Edition environment.
You cannot add a Community Edition CipherTrust Manager into a cluster. If a licensed CipherTrust Manager is in a cluster and later goes into Community Edition, the CipherTrust Manager remains in the cluster and all resources continue to replicate.
Applying a Purchased License
If you want to apply a purchased license,
Contact a Thales sales representative to purchase the licenses which are right for you.
There are different options available for term license or perpetual licenses. As well, some licenses apply counts for operations such as registering clients, generating reports or assigning more CPUs to the Virtual CipherTrust Manager. Consult the licensing model page of your desired product for license enforcement details.
When you receive one or more Entitlement IDs for your purchase, visit the License Portal to view available licenses.
Activate your licenses to apply them to your Virtual CipherTrust Manager.
Lock Codes
Key Manager Lock Code and Connector Lock Code present on a Virtual CipherTrust Manager instance are used to license the Virtual CipherTrust Manager platform and Connector features.
The Key Manager Lock Code is used for the Virtual CipherTrust Manager license. This license is unique to each CipherTrust Manager appliance, and is not replicated across a cluster.
The Connector Lock Code is used for Connector licenses. Connector licenses are applicable to all nodes of a cluster to enforce Connector licenses across the cluster nodes.
Viewing and Managing Installed Licenses
On the CipherTrust Manager web console, the Admin Settings > Licensing page shows the Installed licenses (features). You can view and delete installed licenses from this page.
Flex Connector Licenses
CipherTrust Manager simplifies Connector licensing by offering flexible (Flex) purchase options. A Connector license can be redeemed to purchase another Connector license of the same type. You can adjust or restructure licenses later according to your requirements. Moreover, new licensed features can be turned on by existing Flex Connectors.
The following table lists the supported Flex licenses.
| Flex Connector - Basic | Flex Connector - Advanced | Flex Connector - Premium | Flex Utilities | Flex Ability |
|---|---|---|---|---|
| CTE | CADP | CTE SAP | LDT | KMIP |
| CTE UserSpace | CT-VL (VTS) CTE-K8s | CTE Teradata | Efficient Storage | - |
| CAKM for Oracle TDE (VKM/SafeNet TDE) | CT-V (TM) | CDP (PDB) | CTE-Ransomware Protection | - |
| CAKM for MS SQL Server EKM (VKM/SafeNet EKM) | DPG | CDP for Teradata (CTP/VTPD) | - | - |
| CAKM for LUKS | CRDP | BDT | - | - |
How Do Flex Connectors Work?
Suppose you want to buy 10 CTE Agents, with 10 LDT add-on licenses, 5 KMIP, 20 CAKM, and 12 CADP (ProtectApp) licenses. The following table lists the licenses you need:
| Flex Connector Type | Quantity |
|---|---|
| Flex Connector - Basic | 30 (covers CTE and CAKM) |
| Flex Connector - Advanced | 12 (covers CADP) |
| Flex Utilities | 10 (covers LDT) |
| Flex Ability | 5 (covers KMIP) |
You can redeem 10 CTE product licenses and 20 CAKM product licenses with the Flex Connector - Basic. Later, you can trade in 10 CAKM licenses for 10 CTE licenses. Similarly, you can trade 10 CTE licenses for 10 CAKM licenses.
License Expiration
If an existing license has time remaining before expiration, or if a new license starts on a date later than the expiration date of the existing license, the existing license remains effective until it expires, and the new license will become effective on its designated start date.
Leading up to the license expiry, you will be notified of the pending action through the warnings displayed on the Management Console banner and messages generated in the activity log file.
89 days before a license expires, a system alarm is triggered. It is then triggered once a day for every CipherTrust Manager node until a new license is applied.
30 days before a license expires, an orange banner appears on the CipherTrust Manager GUI, as a system message on every page to inform the administrator of the license status.
A red banner is displayed, when one or more licenses are expired. The existing licenses continue to work. Warning messages appear on the Management Console, which indicates that you are out of compliance with your license term. When an administrator navigates through the GUI, the red banner appears as a system message at the top of every page.
These banners are displayed when any license expires, even if other licenses are still valid. For example, if the Virtual CipherTrust Manager license expires before Connector licenses, the expiration does not affect currently registered Connectors.
License expiration is based on the CipherTrust Manager’s date. Please note the default time zone on the appliance is UTC if no NTP server is configured.
Renewing a Connector Term License
Term licenses come with an expiry date. It is recommended to renew a term license before it expires.
To renew a connector term license:
Generate a Connector license. Refer to Generate a Connector License for details.
Add the license to the CipherTrust Manager. Refer to Add the License to the CipherTrust Manager for details.
Revoke the old license for the new license to take over.
Thales TCT k160 Licensing
The Thales TCT k160 appliance is being released with v2.8-TCT installed at the factory. There will be no upgrade to v2.9 for this appliance.
The TCT k160 also has a limited suite of supported connectors. These are:
| Feature | CM Tile | CM License | Price List Bundle | Protocol |
|---|---|---|---|---|
| Key Management using KMIP Protocol | KMIP | KMIP | Flex Ability | KMIP |
| HPE iLo Key Management | -none- | Integrators | Flex Connector Basic | NAE-XML |
| CAKM Oracle TDE | -none- | CKM | Flex Connector Basic | NAE-XML |
| CAKM MS SQL EKM | -none- | CKM | Flex Connector Basic | NAE-XML |
| CipherTrust Transparent Encryption (CTE) | Transparent Encryption | CTE - TransparentEncryption | Flex Connector Basic | CTE |
| CTE Live Data Transformation (LDT) | Transparent Encryption | CTE - LiveDataTransformation | Flex Connector Basic Bundle | CTE |
Contact Thales Technical Support for any questions about Thales TCT k160 licensing.
License Management Summary
The following table summarizes license management for the license types.
| License Type | License Enforcement | License Count Enforcement | Grace Period (90 Days) |
|---|---|---|---|
| DDC | Yes | Yes | Yes (DDC configuration becomes read only) |
| KMIP | Yes | Yes (Continues working in non-compliance mode) | N/A (Continues working in non-compliance mode) |
| ProtectFile | Yes | Yes | Yes |
| ProtectApp | No | No | N/A |
| TDE | No | No | N/A |
| ProtectDB | No | No | N/A |
| Tokenization | No | No | No |
| CTE | Yes | Yes | Yes |
| CTE-KubernetesProtection | Yes | Yes | Yes |
| CTE LDT | Yes | Yes | Yes |
| CTE UserSpace | Yes | Yes | Yes |
| CTE Teradata | Yes (uses base CTE) | Yes (uses base CTE) | Yes (uses base CTE) |
| CTE SAP HANA | Yes (uses base CTE) | Yes (uses base CTE) | Yes (uses base CTE) |
| CCKM | Yes | Yes | Yes |
Note
CipherTrust Intelligent Protection (CIP) is not a licensed product. However, you need the following licenses to use it:
CipherTrust Manager: Refer to Virtual CipherTrust Manager Licensing Model for details.
CipherTrust Data Discovery and Classification: Refer to DDC Licensing Model for details.
CipherTrust Transparent Encryption: Refer to CTE Licensing Model for details.
Connector licenses are enforced through CipherTrust Manager, so the enforcement behaves the same regardless of client software version.
For details about the license management for a particular product, consult the licensing model page for that product:
