System Properties
The CipherTrust Manager allows Application Administrators, such as the admin user, to manage user-configurable system properties. These settings are only accessible in the root domain.
Enable and Disable Activity Logs
You can enable or disable activity logs for the NAE and KMIP interfaces. They are disabled by default. When enabled, they are included in the downloadable LTSV debug log file and can be forwarded to configured log forwarders.
Log in to the root domain as an Application Administrator.
Navigate to Admin Settings > Properties.
In LOGS PROPERTIES, select the KMIP Activity Logs toggle button to enable/disable KMIP activity logs.
In LOGS PROPERTIES, select the NAE Crypto Activity Logs toggle button to enable/disable NAE crypto activity logs.
Set a Load Balancer Address
You can configure a load balancer address so that CTE agents can communicate with CipherTrust Manager cluster nodes that are behind a load balancer.
Log in to the root domain as an Application Administrator.
Navigate to Admin Settings > Properties.
In Load Balancer Address, add an IP address or hostname for the load balancer to the Value field.
Click Update to update it.
Enable or Disable Data Key Caching for HSM-Anchored Domains
This caching can improve cryptographic and key export performance for HSM-anchored domains.
Log in to the root domain as an Application Administrator.
Navigate to Admin Settings > Properties.
In HSM-ANCHORED DOMAINS DATA KEY MATERIAL CACHING, select the Enable Key Caching toggle.
Restart the system. For clustered CipherTrust Managers, restart every cluster node. This is required to fully apply the change.
Properties Configurable from ksctl or REST API
Property Name | Default Value | Description |
---|---|---|
CERT_REV_CHECK_TIMEOUT | 5sec | Configures the revocation check request timeout for Web (certificate user login) and NAE/KMIP clients. The value must be an integer from 0 to 600 seconds, where 0 means no timeout. The timeout applies to each request: for example, if a certificate contains 3 URLs for the caIssuer and CRL/OCSP, and each URL fails after 5 seconds, the authentication call takes 15 seconds to complete. |
ALLOW_UNKNOWN_FIELDS | false | Allows unknown fields in the JSON body of API calls. If you set this property to true, a restart is required for the change to take effect. |
ENABLE_RECORDS_DB_STORE | true | Stores audit records in the database. If you set this property to false, the audit records are deleted. If syslog is configured, audit records continue to be pushed to the syslog server. |
ENFORCE_NAE_CLIENT_VALIDATION | false | Enforces client validation on the NAE interface. |
ENFORCE_NAE_CLIENT_REGISTRATION | false | Requires NAE clients to be registered before they can perform NAE operations. |
ENABLE_KEY_CACHE | false | Allows caching of key material for HSM-anchored domains on CipherTrust Manager. A change to this property requires a system restart on all cluster nodes to take effect. |
ENABLE_NAE_CRYPTO_RECORDS | false | Enables logging of NAE crypto audit records. |
ENABLE_NAE_ACTIVITY_LOGS | false | Enables activity logging for NAE operations. |
ENABLE_KMIP_ACTIVITY_LOGS | false | Enables activity logging for KMIP operations. |
ENABLE_CERT_REV_CHECK | true | Checks client certificates on the NAE/KMIP interfaces for revocation status. This property does not apply to user certificate login, for which the CRL revocation status is always checked. |
ALLOW_USER_IMPERSONATION_ACROSS_DOMAIN | false | By default, user impersonation is limited to users of the client's own domain, that is, created users (users created in the client's domain) or assigned users (users created in the client's domain and assigned to some other domain). With this property enabled, clients belonging to the root domain can impersonate a user created inside a sub-domain only. The property applies to the NAE and KMIP interfaces only. |
LOAD_BALANCER_ADDRESS | | IP address, URL or hostname of the load balancer configured in front of CipherTrust Manager. This allows CTE agent communication. |
MAXIMUM_REFRESH_TOKEN_LIFETIME | | Maximum lifetime of a refresh token. This can be an empty string (infinite lifetime) or a sequence of integers with a time unit suffix. The valid time units are m and h, for example 300m, 3h, or 2h45m. The maximum lifetime of a refresh token must be at least 5m. |
Managing user configurable system properties using ksctl
The following operations can be performed:
Get details of a property
List all properties
Modify a property
Reset a property
Getting details of properties
To get details of a property, run:
Syntax
ksctl properties get --name <name of the system configuration>
Example
ksctl properties get --name ENABLE_RECORDS_DB_STORE
Getting list of properties
To list all the configurable system properties, run:
Syntax
ksctl properties list
Updating properties
To modify the value of a property, run:
Syntax
ksctl properties modify --name <property name> --value <value to be set>
Example 1
ksctl properties modify --name ENABLE_RECORDS_DB_STORE --value false
Example 2
ksctl properties modify --name CERT_REV_CHECK_TIMEOUT --value 10
Changes are not reflected immediately. They may take up to 60 seconds to apply on the current node and on the other cluster nodes.
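The properties table above states value constraints (an integer from 0 to 600 for CERT_REV_CHECK_TIMEOUT, an empty string or a duration of at least 5m for MAXIMUM_REFRESH_TOKEN_LIFETIME) that `ksctl properties modify` will only report after a round trip to the appliance. The following wrapper is an added example, not part of the CipherTrust Manager documentation or of ksctl itself: it checks a value against those documented constraints locally and only then runs the modify command shown above. It assumes `ksctl` is on PATH and already configured with credentials, and it treats the ENABLE_*, ENFORCE_* and ALLOW_* properties as booleans because every such row in the table has a true/false default (an inference from the table, not a statement from the product).

```shell
#!/bin/sh
# Added example, not part of the CipherTrust Manager documentation or ksctl:
# a pre-flight wrapper that checks a property value against the constraints
# given in the properties table before calling `ksctl properties modify`.
# Assumptions: `ksctl` is on PATH and already configured with credentials;
# the value ranges are those stated in the table.

# True if $1 is a non-empty string of decimal digits.
is_uint() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  return 0
}

# CERT_REV_CHECK_TIMEOUT: integer seconds in the range 0..600 (0 = no timeout).
valid_cert_rev_check_timeout() {
  is_uint "$1" && [ "$1" -ge 0 ] && [ "$1" -le 600 ]
}

# Convert a refresh-token lifetime such as 300m, 3h or 2h45m into minutes.
# Prints the minute count; returns 1 if the format is not <n>h, <n>m or <n>h<n>m.
lifetime_to_minutes() {
  v="$1"; hours=0; mins=0
  case "$v" in
    *h*m) hours=${v%%h*}; rest=${v#*h}; mins=${rest%m} ;;
    *h)   hours=${v%h} ;;
    *m)   mins=${v%m} ;;
    *)    return 1 ;;
  esac
  is_uint "$hours" && is_uint "$mins" || return 1
  echo $((hours * 60 + mins))
}

# MAXIMUM_REFRESH_TOKEN_LIFETIME: empty (infinite lifetime) or a duration of at least 5m.
valid_refresh_token_lifetime() {
  [ -z "$1" ] && return 0
  m=$(lifetime_to_minutes "$1") || return 1
  [ "$m" -ge 5 ]
}

# Boolean properties (ENABLE_*, ENFORCE_*, ALLOW_*) accept only true or false.
valid_bool() {
  case "$1" in
    true|false) return 0 ;;
    *) return 1 ;;
  esac
}

# Validate the value, then apply it with ksctl. Returns 1 without calling
# ksctl when the value falls outside the documented range or format.
set_property() {
  name="$1"; value="$2"
  case "$name" in
    CERT_REV_CHECK_TIMEOUT)
      valid_cert_rev_check_timeout "$value" ||
        { echo "$name: expected an integer from 0 to 600 seconds, got '$value'" >&2; return 1; } ;;
    MAXIMUM_REFRESH_TOKEN_LIFETIME)
      valid_refresh_token_lifetime "$value" ||
        { echo "$name: expected empty or <n>h/<n>m/<n>h<n>m of at least 5m, got '$value'" >&2; return 1; } ;;
    ENABLE_*|ENFORCE_*|ALLOW_*)
      valid_bool "$value" ||
        { echo "$name: expected true or false, got '$value'" >&2; return 1; } ;;
  esac
  ksctl properties modify --name "$name" --value "$value"
}

# Usage: sh set_property.sh CERT_REV_CHECK_TIMEOUT 10
if [ "$#" -eq 2 ]; then
  set_property "$1" "$2"
fi
```

Properties not named in the `case` statement are passed to ksctl unchanged, so the wrapper never blocks a property it does not know about; it only refuses values the table already says the appliance will not accept.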
Resetting properties
To reset the value of a property to default, run:
Syntax
ksctl properties reset --name <property name>
Example
ksctl properties reset --name ENABLE_RECORDS_DB_STORE