Managing CRDP Applications
An application definition contains the configuration that a client needs in order to function correctly. The application definition includes:
Configuration parameters: required to initialize and configure the client.
CSR parameters: required to create or renew client certificates and keys.
CA parameters: required to issue and install digital certificates and CSR.
In this article, you will learn how to:
Defining Application
Log on to the CipherTrust Manager GUI as administrator.
Open Application Data Protection.
In the left pane, click Applications. The list of applications is displayed on the screen.
On the Applications page, click Add Application. The Add Application wizard is displayed. Follow the steps to complete the setup.
Add General Info
On the General Info screen of the Add Application Wizard, specify a unique Name for the application.
Select the Connector Type as CRDP from the drop-down list.
Click Next to go to the Settings screen.
Configure Parameters
On the Settings screen of the Add Application Wizard, configure the following parameters.
Client Configuration
These parameters are required to initialize CRDP clients.
Logging
Field | Description | Mandatory | Default |
---|---|---|---|
Log Level | The level of logging that determines the verbosity of client logs. Possible options: INFO, WARN, ERROR, DEBUG. | Yes | WARN |
Local Encryption
Field | Description | Mandatory | Default |
---|---|---|---|
Key Cache Expiry | Determines the minimum amount of time a key can be cached. | Yes | 43200 seconds |
Connection Configuration
Field | Description | Mandatory | Default |
---|---|---|---|
Heartbeat Interval | Time interval (in seconds) after which the client sends a heartbeat notification to the CipherTrust Manager to get updated policies and configurations. | Yes | 300 seconds |
Heartbeat Timeout Count | Number of consecutively missed heartbeats after which a client marks itself as unhealthy. After this count, the CipherTrust Manager revokes the client and the client stops performing any cryptographic operations. | Yes | 5 minutes |
Note
If this parameter is set to -1, the client continues to send heartbeats as long as it is alive and the CipherTrust Manager does not revoke the client. The container is never marked as unhealthy.
The CipherTrust Manager updates the status of all the clients every 5 minutes based on the number of missed heartbeats.
Tip
To know more about the heartbeat parameters, refer to Heartbeat Configuration.
Note
To enable JWT verification, the Enable JWT Verification toggle must be turned on. By default, this toggle is off.
JWT can be verified either using the Public Key or JWKS URL. Click the desired tab for details.
Public Key
Field | Description | Mandatory | Default |
---|---|---|---|
Public Key | Verifies the JWT. Specify the public key in PKCS1 or PKCS8 format. | Mandatory when the Enable JWT Verification toggle is turned on. | No default |
Issuer | A string that identifies the principal that issued the JWT. | No | No default |
Username location in JWT | Specify the location of the username in the JWT. The Access Policy is applied based on the username at this location. If JWT verification is not enabled and the Username location in JWT field is not filled, the username in the request body of /v1/reveal or /v1/revealbulk is considered for the access policy. | No | sub |
JWKS URL
Field | Description | Mandatory | Default |
---|---|---|---|
JWKS URL | Specify the JWKS URL from which the JWKS is fetched and used to validate the JWT. | Mandatory when the Enable JWT Verification toggle is turned on. | By default, the toggle is turned off |
Duration | Specify the duration (in days) after which the JWKS is refreshed. | No | 7 days |
Issuer | A string that identifies the principal that issued the JWT. | No | No default |
Username location in JWT | Specify the location of the username in the JWT. The Access Policy is applied based on the username at this location. If JWT verification is not enabled and the Username location in JWT field is not filled, the username in the request body of /v1/reveal or /v1/revealbulk is considered for the access policy. | No | sub |
Performance Metrics
Field | Description | Mandatory | Default |
---|---|---|---|
Enable Performance Metrics | When the Enable Performance Metrics toggle is turned on, administrators can generate metrics logs for CRDP. | No | By default, the toggle is on. |
Server Configuration
These parameters are required to configure server settings such as CA, CSR, and Connection configurations.
Group Permissions
Field | Description | Mandatory | Default |
---|---|---|---|
Client Groups | Clients associated with the application get permissions based on the selected groups. | Optional | No default |
CA Parameter
Field | Description | Mandatory | Default |
---|---|---|---|
Local CA | Select a local CA from the available options. The CA issues digital certificates and signs the CSR. | Optional | CipherTrust Root CA |
Note
The local CA should be added to the Local Trusted CAs of the Web interface on the CipherTrust Manager.
CSR Parameters
Field | Description | Mandatory | Default |
---|---|---|---|
Common Name | Select the user. This is the CRDP user who will interact with the CipherTrust Manager. | Optional | No default |
City | Name of the city. | Optional | No default |
Country | Name of the country. | Optional | No default |
State | Name of the state. | Optional | No default |
Organization Name | Organization name. | Optional | No default |
Organization Unit | Organization unit. | Optional | No default |
Email | Valid email id. | Optional | No default |
Certificate Duration | Validity period of a client certificate. | Optional | 730 days |
Certificate Auto Renewal | Turn on the Certificate Auto Renewal toggle to automatically renew the client certificate before it expires in the user environment. The process of certificate auto renewal is explained here. | Optional | By default, the toggle is off. |
Click Next to go to Confirmation page.
Confirmation
On the Confirmation screen, verify the application details. This screen displays the general information and settings.
If you want to modify any detail, click Edit and update the details.
Click Save. A message stating Application is successfully created is displayed on the screen. At this step, a Registration Token is returned. The clients will use this token to get registered on the CipherTrust Manager.
Click Close to exit the wizard. The newly defined application is added to the list of Applications.
Viewing Application
The Applications page shows the unified view for all the applications defined on the CipherTrust Manager. Refer to Single Pane of Glass for details.
Viewing details of application
Click application name to view its details. The detailed view shows:
Clients tab: provides insight into details of clients registered within an application.
Settings tab: provides information about the parameters that were used to define application for a client.
Clients tab
The Clients tab displays the list of clients registered with an application, their status, version, name, and so on. It provides the count of:
The Total Active clients.
The number of clients in Error state.
The number of clients in Warning state.
The number of clients in Healthy state.
The number of Revoked clients.
Click each tab to filter the clients by their status.
Client status
The CipherTrust Manager updates the status of all the CRDP clients every 5 minutes based on the number of missed heartbeats. A client can be in one of the following states:
State | Description |
---|---|
Healthy | A healthy client sends a heartbeat at every heartbeat_interval. |
Errors | The client notifies the CipherTrust Manager that it is in an error state and cannot process any request. |
Warnings | The CipherTrust Manager moves a client to Warnings whenever the client skips sending a heartbeat within the defined heartbeat_interval. The client can continue performing cryptographic operations. |
Revoked | The CipherTrust Manager revokes a client when the number of missed heartbeats reaches the Heartbeat Timeout Count, that is, after Heartbeat Timeout Count * heartbeat_interval seconds without a heartbeat. The client can no longer perform any cryptographic operations. |
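As an added illustration, not part of the CipherTrust documentation or the CRDP code, the following Python models the state rules above using the default Heartbeat Interval (300 seconds) and Heartbeat Timeout Count (5), including the -1 setting that disables revocation; the ClientState names, HeartbeatConfig fields and helper functions are assumed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class ClientState(Enum):
    """Client states as shown on the Clients tab (names assumed for this example)."""
    HEALTHY = "Healthy"
    WARNINGS = "Warnings"
    ERRORS = "Errors"
    REVOKED = "Revoked"


@dataclass(frozen=True)
class HeartbeatConfig:
    # Defaults match the Connection Configuration table; field names are assumed.
    heartbeat_interval: int = 300      # seconds between expected heartbeats
    heartbeat_timeout_count: int = 5   # missed heartbeats before revocation; -1 = never revoke


def missed_heartbeats(last_heartbeat: float, now: float, cfg: HeartbeatConfig) -> int:
    """Whole heartbeat intervals that have elapsed since the last heartbeat."""
    elapsed = max(0.0, now - last_heartbeat)
    return int(elapsed // cfg.heartbeat_interval)


def evaluate_client(last_heartbeat: float, now: float, cfg: HeartbeatConfig,
                    reported_error: bool = False) -> ClientState:
    """Errors is self-reported by the client; otherwise the state depends only on
    how many heartbeats have been missed."""
    if reported_error:
        return ClientState.ERRORS
    missed = missed_heartbeats(last_heartbeat, now, cfg)
    if missed == 0:
        return ClientState.HEALTHY
    # With Heartbeat Timeout Count = -1 the client is only warned, never revoked.
    if cfg.heartbeat_timeout_count != -1 and missed >= cfg.heartbeat_timeout_count:
        return ClientState.REVOKED
    return ClientState.WARNINGS


def seconds_until_revocation(cfg: HeartbeatConfig) -> Optional[int]:
    """Longest silence a client can tolerate before revocation (None if disabled)."""
    if cfg.heartbeat_timeout_count == -1:
        return None
    return cfg.heartbeat_timeout_count * cfg.heartbeat_interval


# Constructed sample: a client that last checked in 2000 s ago under default settings.
SAMPLE_STATE = evaluate_client(last_heartbeat=8_000.0, now=10_000.0, cfg=HeartbeatConfig())
```

Because the CipherTrust Manager re-evaluates status only every 5 minutes, the state shown in the GUI can lag the computed state by up to one evaluation cycle.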
The Clients tab also shows the following details:
Column | Description |
---|---|
Status | Health status of the clients. Click here for details. |
Name | Name of the client. |
Client Version | The version of the client protecting the application. |
Last Connection | Date and time when the CipherTrust Manager received the last heartbeat from the client. |
Creation Date | Date and time when the client was registered on the CipherTrust Manager. |
Settings tab
The Settings tab shows the configuration details for client. Refer to Managing CRDP Applications.
On the detailed view of applications page, you can also:
Refresh clients
Remove revoked clients
Modifying Application
To modify the settings of an application:
Open Application Data Protection.
In the left pane, click Applications. The list of applications is displayed on the screen.
Click the name of the application that you want to modify. The <Application-name> screen shows the clients, settings, and policy associated with the application.
Click the Settings tab. You can modify the client, server, and network configurations.
Click Update. A message Application updated successfully is displayed.
Deleting Application
Open Application Data Protection.
In the left pane, click Applications. The list of applications is displayed on the screen.
Click the overflow icon corresponding to the application that you want to delete.
Click Delete. A dialog box appears prompting to confirm the action.
Click Delete. A message, <Application_name> has been deleted appears on screen.
Warning
Deleting an application also deletes all the associated clients. This action may impact the operations performed by those clients. So, before deleting an application, ensure that none of the mapped clients are in use.
After the CRDP application is created, perform the following actions:
Create access policy
Create character set
Create masking format
Create protection policy