Basic Interface Configuration
Interfaces are services the CipherTrust Manager hosts. Most interfaces are listening on a particular port, but may also represent other input channels, like local shell access or serial port access. To view the Interfaces page in the UI, go to Admin Settings > Interfaces.
The CipherTrust Manager currently supports five interfaces:
web: The HTTP server on port 80 and 443. This interface serves both the GUI and the REST API.
ssh: The SSH server on port 22.
nae: The NAE-XML server on port 9000.
kmip: The KMIP server on port 5696.
SNMP: The SNMP Agent on port 161.
Note
The Web, KMIP, and NAE interfaces have several options to control authentication to those interfaces. The Authentication Settings for NAE, KMIP, and Web interfaces page describes these settings in detail.
Effect of updating interface settings
Warning
If you have active NAE, KMIP, or web connections, we recommend that you plan for connection downtime before updating interface settings, especially for updates to the initial default interfaces.
Note
When you update the port of the default interface of NAE, KMIP, and WEB, all nodes in the cluster restart. However, if you update any other setting apart from the port, no node in the cluster restarts.
If you update any setting on the non-default interfaces of NAE, KMIP, and WEB, no node in the cluster restarts.
There are some interface changes that are applied immediately and trigger an automatic services restart. This restart can disrupt running NAE, KMIP, and web connections and cause an immediate downtime of a few minutes. If your CipherTrust Manager is part of a cluster, the interface settings change can also replicate to other nodes, and disrupt running NAE, KMIP, and web connections to those nodes. Therefore, plan for some downtime before updating interfaces.
Interface settings changes that are known to cause an immediate loss of connection are:
Updating the port for NAE, KMIP, or web interface
Enabling the Hard Delete option for the KMIP interface
Other interface changes require a manual Services Restart.
View the initial set of interfaces using ksctl
ksctl interfaces list
Response
{
"skip": 0,
"limit": 10,
"total": 4,
"resources": [
{
"id": "ee242373-2555-48c7-923b-86ed3e785504",
"name": "kmip",
"mode": "tls-cert-pw-opt",
"cert_user_field": "CN",
"auto_gen_ca_id": "kylo:kylo:naboo:localca:9d13d43a-381e-481a-80a1-9463acfff84a",
"trusted_cas": {
"local": [
"kylo:kylo:naboo:localca:9d13d43a-381e-481a-80a1-9463acfff84a"
]
},
"createdAt": "2020-07-20T12:59:14.776939Z",
"updatedAt": "2020-07-20T12:59:24.703806Z",
"default_connection": "local_account",
"port": 5696,
"network_interface": "all",
"interface_type": "kmip",
"local_auto_gen_attributes": {
"cn": "kmip.keysecure.local",
"email_addresses": [
"support@gemalto.com"
],
"names": [
{
"C": "US",
"ST": "MD",
"L": "Belcamp",
"O": "Gemalto",
"OU": ""
}
],
"generated": false
},
"enabled": true
},
{
"id": "a4db15b4-64fc-40d3-8465-9935866bbe09",
"name": "nae",
"mode": "no-tls-pw-req",
"cert_user_field": "CN",
"auto_gen_ca_id": "kylo:kylo:naboo:localca:9d13d43a-381e-481a-80a1-9463acfff84a",
"trusted_cas": {
"local": [
"kylo:kylo:naboo:localca:9d13d43a-381e-481a-80a1-9463acfff84a"
]
},
"createdAt": "2020-07-20T12:59:14.770938Z",
"updatedAt": "2020-07-20T16:21:43.427252Z",
"default_connection": "local_account",
"port": 9000,
"network_interface": "all",
"interface_type": "nae",
"local_auto_gen_attributes": {
"cn": "nae.keysecure.local",
"email_addresses": [
"support@gemalto.com"
],
"names": [
{
"C": "US",
"ST": "MD",
"L": "Belcamp",
"O": "Gemalto",
"OU": ""
}
],
"generated": false
},
"enabled": true
},
{
"id": "c8c6e4c1-30d7-4317-9d37-a9ec217ffb17",
"name": "ssh",
"trusted_cas": {},
"createdAt": "2020-07-20T12:59:14.7787Z",
"updatedAt": "2020-07-20T12:59:14.7787Z",
"port": 22,
"network_interface": "all",
"interface_type": "ssh",
"local_auto_gen_attributes": {
"cn": "ssh.keysecure.local",
"email_addresses": [
"support@gemalto.com"
],
"names": [
{
"C": "US",
"ST": "MD",
"L": "Belcamp",
"O": "Gemalto",
"OU": ""
}
],
"generated": false
},
"enabled": true
},
{
"id": "e64d84b0-e952-4fa3-83c9-e1d1bc52a996",
"name": "web",
"mode": "tls-cert-opt-pw-opt",
"cert_user_field": "CN",
"auto_gen_ca_id": "kylo:kylo:naboo:localca:9d13d43a-381e-481a-80a1-9463acfff84a",
"trusted_cas": {
"local": [
"kylo:kylo:naboo:localca:9d13d43a-381e-481a-80a1-9463acfff84a"
]
},
"createdAt": "2020-07-20T12:59:14.774618Z",
"updatedAt": "2020-07-20T12:59:23.37516Z",
"port": 443,
"network_interface": "all",
"interface_type": "web",
"local_auto_gen_attributes": {
"cn": "web.keysecure.local",
"email_addresses": [
"support@gemalto.com"
],
"names": [
{
"C": "US",
"ST": "MD",
"L": "Belcamp",
"O": "Gemalto",
"OU": ""
}
],
"generated": false
},
"enabled": true
}
]
}
Updating interface ports
You can change ports for the following interfaces:
WEB
NAE
KMIP
Syntax
ksctl interfaces modify --name <interface-name> --port <port-number>
Note
You can find
<Interface-Name>
using the commandksctl interfaces list
.Port 9100 is used for an internal service and is not available for CipherTrust Manager interfaces.
Example 1: Changing the default WEB interface port to 8443
ksctl interfaces modify --name web --port 8443
Response
{
"id": "f1af6f94-43af-4350-84d0-ec6b08639e5b",
"name": "web",
"mode": "tls-cert-opt-pw-opt",
"cert_user_field": "CN",
"auto_gen_ca_id": "kylo:kylo:naboo:localca:a9319f59-5914-41a2-886e-32b8930d082c",
"trusted_cas": {
"local": [
"kylo:kylo:naboo:localca:a9319f59-5914-41a2-886e-32b8930d082c"
]
},
"createdAt": "2020-12-09T14:25:14.596482Z",
"updatedAt": "2020-12-09T14:29:50.246509Z",
"port": 8443,
"network_interface": "all",
"interface_type": "web",
"local_auto_gen_attributes": {
"cn": "web.keysecure.local",
"email_addresses": [
"support@gemalto.com"
],
"names": [
{
"C": "US",
"ST": "MD",
"L": "Belcamp",
"O": "Gemalto",
"OU": ""
}
],
"generated": false
},
"enabled": true
}
Example 2: Changing the default NAE interface port to 443
ksctl interfaces modify --name nae --port 443
Response
{
"id": "2228f2aa-f973-4fda-b633-ead376db3e19",
"name": "nae",
"mode": "unauth-tls-pw-opt",
"cert_user_field": "CN",
"auto_gen_ca_id": "kylo:kylo:naboo:localca:a9319f59-5914-41a2-886e-32b8930d082c",
"trusted_cas": {
"local": [
"kylo:kylo:naboo:localca:a9319f59-5914-41a2-886e-32b8930d082c"
]
},
"createdAt": "2020-12-09T14:25:14.594319Z",
"updatedAt": "2020-12-09T14:35:22.75339Z",
"default_connection": "local_account",
"port": 443,
"network_interface": "all",
"interface_type": "nae",
"minimum_tls_version": "tls_1_2",
"local_auto_gen_attributes": {
"cn": "nae.keysecure.local",
"email_addresses": [
"support@gemalto.com"
],
"names": [
{
"C": "US",
"ST": "MD",
"L": "Belcamp",
"O": "Gemalto",
"OU": ""
}
],
"generated": false
},
"enabled": true
}
Enabling/disabling interfaces
You can enable or disable the following interfaces:
SSH
NAE
KMIP
To enable/disable an interface using the GUI, click Action Button > Enable/Disable.
Note
After the user has enabled/disabled an interface, it remains in same state even after restarting the device and it will get replicated if the device is part of a cluster.
After an interface has been disabled, the CipherTrust Manager drops all incoming and existing connections on that interface.
Enable or disable an interface using ksctl
When using ksctl:
To enable an interface:
ksctl interfaces enable --name <interface-name>
To disable an interface:
ksctl interfaces disable --name <interface-name>
Note
Only the SSH, KMIP, and NAE interfaces can be enabled or disabled. Replace
<interface-name>
in the above commands withssh
,kmip
, ornae
for these interfaces.
Example: Disabling the SSH interface
ksctl interfaces disable --name ssh
Response
{
"id": "2e8d2344-c40b-466c-8202-d05d2cb6738a",
"name": "ssh",
"trusted_cas": {},
"createdAt": "2020-08-13T10:22:32.792266Z",
"updatedAt": "2020-08-14T11:11:28.564276Z",
"port": 22,
"network_interface": "all",
"interface_type": "ssh",
"local_auto_gen_attributes": {
"cn": "ssh.keysecure.local",
"email_addresses": [
"support@gemalto.com"
],
"names": [
{
"C": "US",
"ST": "MD",
"L": "Belcamp",
"O": "Gemalto",
"OU": ""
}
],
"generated": false
},
"enabled": false
}
Adding and removing interfaces (NAE, KMIP, and SNMP)
You can add and remove interfaces other than default interfaces (NAE, KMIP, and WEB). Currently, the Create and Delete commands are supported only for the NAE, KMIP, and SNMP interfaces.
Adding the SNMP interface
To configure SNMP agent, you must add the SNMP interface.
Adding the SNMP interface in the GUI
Navigate to Admin Settings > Interfaces
Select + Add Interface.
Select SNMP and click Next.
Provide the following values:
A friendly name.
A port for the SNMP interface to listen on. 161 is the default recommended port.
A network interface.
Select Save.
Adding the SNMP interface using ksctl
The following command adds the SNMP interface:
ksctl interfaces create --type snmp --name <friendly_name_for_the_interface> --port <port_to_listen_on> --network-interface <network_interface_on_host>
The default, recommended port is 161. Valid network interfaces are all
or a particular network interface name such as ens32
. You can use ksctl network interfaces list
to view available network interfaces.
Creating a new NAE interface
Example
ksctl interfaces create -o 9009 -y nae
Response
{
"id": "456eb374-ec5c-40e8-bc89-4ab485c20c6c",
"name": "nae_all_9009",
"mode": "unauth-tls-pw-opt",
"cert_user_field": "CN",
"auto_gen_ca_id": "kylo:kylo:naboo:localca:61476734-4778-40ec-a3be-06654d123513",
"trusted_cas": {
"local": [
"kylo:kylo:naboo:localca:61476734-4778-40ec-a3be-06654d123513"
],
"external": []
},
"createdAt": "2019-01-21T05:52:57.657447Z",
"updatedAt": "2019-01-21T05:52:57.657447Z",
"default_connection": "local_account",
"custom_uid_size": 0,
"port": 9009,
"network_interface": "all",
"interface_type": "nae"
}
Creating a new KMIP interface
Example
ksctl interfaces create -o 5697 -y kmip
Response
{
"id": "90b3b131-d6d8-4985-abdd-539162c136c3",
"name": "kmip_all_5697",
"mode": "tls-cert-pw-opt",
"cert_user_field": "CN",
"auto_gen_ca_id": "kylo:kylo:naboo:localca:c729ffe0-f6ad-49ad-8558-2db435b112c7",
"trusted_cas": {
"local": [
"kylo:kylo:naboo:localca:c729ffe0-f6ad-49ad-8558-2db435b112c7"
]
},
"createdAt": "2019-08-22T10:10:28.05794Z",
"updatedAt": "2019-08-22T10:10:28.05794Z",
"default_connection": "local_account",
"port": 5697,
"network_interface": "all",
"interface_type": "kmip"
}
Deleting an interface
You can delete an NAE, KMIP, or SNMP interface.
Delete all SNMP configurations, including communities, users, and management stations, before deleting the SNMP interface.
Example
ksctl interfaces delete -n nae_all_9009