System Configuration Utility
The CipherTrust Manager has a 'CLI based' System Configuration Utility (kscfg). The "ksadmin" user can remotely access the CipherTrust Manager kscfg utility in a private cloud deployment by using SSH, or in a physical appliance deployment, by directly connecting to the appliance's console port and using your ksadmin
password.
Logging in as ksadmin user
To log in as ksadmin
, you must first connect to the CipherTrust Manager console.
To connect and log in to the console (for private cloud deployments):
Using SSH, you can remotely connect to the console port of a CipherTrust Manager instance deployed in a private cloud (e.g. VMware vSphere and HyperV).
Using an SSH utility (e.g. PuTTY) select an SSH session and enter the IP address assigned to the CipherTrust Manager instance during deployment. This is the same IP address used to browse to the GUI.
If using PuTTY, make sure your SSH keys are in ppk format. If they are in PEM format, you can convert them to ppk (e.g., using PuTTYgen utility).
Using the SSH utility, select the path to your SSH Private Key you will use to authenticate the session.
Select Open to start the SSH session.
To connect and log in to the console (for physical appliance deployments):
Using a serial cable, you can directly connect your console device (e.g., laptop) to the console port of a physical appliance (k450, k460, k470 and k570).
Connect the serial cable from your console device to the physical appliance console port.
Log in to the physical appliance as
ksadmin
user using the password you created during Appliance Initialization; refer to Appliance Initialization.
Using the kscfg utility
The CipherTrust Manager kscfg utility can be used to retrieve network interfaces (NICs) configurations and values, and to perform a hard system reset.
All configurable network interfaces are always listed and are the same as those available from standard Linux network interfaces utilities such as ip
and ifconfignmcli
. The network interface names from kscfg match the network interface names from the operating system.
A network interface contains two configurable families: inet (IPv4 and inet6 (IPv6). Their methods are:
- "none"
For a disabled network family.
- "dhcp"
Use DHCP to automatically acquire a network address. ("auto" might be preferred for IPv6.)
"static"
Statically set a network address.
- "auto"
Automatically setup IPv6 from the network environment. (IPv6 only)
Commands
To view the available kscfg commands:
Example:
kscfg --help
Response:
Command-line interface application for configuring the ${cm}.
Usage:
kscfg [command]
Available Commands:
help Help about any command
net ${cm} network configuration
system ${cm} system commands
Flags:
-h, --help help for kscfg
-v, --verbose Provide verbose output while executing command (optional)
Network Configuration
To list the available network interfaces:
Example:
kscfg net interfaces list
Response:
{
"skip": 0,
"limit": 0,
"total": 3,
"resources": [
{
"name": "eth0",
"inet": {
"method": "static",
"ip": "10.121.105.137",
"netmask": "255.255.252.0",
"gateway": "10.121.104.1",
"dns": [
"172.16.2.12"
]
},
"inet6": {
"method": "none"
}
},
{
"name": "eth1",
"inet": {
"method": "dhcp",
"ip": "10.121.105.81",
"netmask": "255.255.252.0",
"gateway": "10.121.104.1",
"dns": [
"172.16.2.12",
"10.121.8.7",
"172.16.2.13"
]
},
"inet6": {
"method": "none"
}
},
{
"name": "eth2",
"inet": {
"method": "none"
},
"inet6": {
"method": "none"
}
}
]
}
To view information on a specific network interface:
Usage:
kscfg net interfaces get [flags]
Flags:
-h, --help help for get
-n, --name string A network interface name such as 'enp0s25'.
Example:
kscfg net interfaces get -n eth0
Response:
{
"name": "eth0",
"inet": {
"method": "static",
"ip": "10.121.105.137",
"netmask": "255.255.252.0",
"gateway": "10.121.104.1",
"dns": [
"172.16.2.12"
]
},
"inet6": {
"method": "none"
}
}
To modify the configuration of a specific network interface:
Caution
This operation has been deprecated. Please use NetworkManager's nmcli tool to modify a network interface's configuration; refer to: Network Configuration Bonding.
Usage:
kscfg net interfaces modify [flags]
Flags:
-d, --dhcp Use DHCP for the network interface. Deprecated - use "method" instead.
-r, --dns string IP addresses of the DNS servers (comma separated), or "" to unset and use entries in /etc/resolv.conf.
--force-gateway string Force system default gateway update, i.e. overwrite system default gateway when this device is brought up. By
default a network interface will only set the system default gateway if is not already set. This feature can be
used to force a specific network interface to be used for outgoing traffic initiated from the machine itself. Set
to "yes" to enable and "no" to disable.
-g, --gateway string Default gateway, or "" to unset.
-h, --help help for modify
-4, --inet Use IPv4 for the network interface. (default true)
-6, --inet6 Use IPv6 for the network interface.
-i, --ipaddress string Static IP Address.
-e, --method string Method for obtaining an IP. Accepted inet values are dhcp, none, or static; inet6 values are auto, dhcp, none, or static. (default "static")
-n, --name string A network interface name such as 'enp0s25'.
-m, --netmask string Subnet mask. IPv4 must be an IP (e.g. 255.255.255.0). IPv6 must be the number of bits (e.g. 64).
Example:
kscfg net interfaces modify --name eth0 --ipaddress 10.121.105.27 --netmask 255.255.252.0 --gateway 10.121.104.1 --dns 172.16.2.12
Response:
{
"name": "eth0",
"inet": {
"method": "static",
"ip": "10.121.105.27",
"netmask": "255.255.252.0",
"gateway": "10.121.104.1",
"dns": [
"172.16.2.12"
]
},
"inet6": {
"method": "none"
}
}
System Reset
The kscfg system reset
command can be used to perform a hard reset of the CipherTrust Manager.
Warning
This destructive operation wipes all data on the CipherTrust Manager and should be used with care.
Normally, the REST API or the CLI should be used for performing the reset. This method of performing the reset should be used as a last resort. This operation deletes all backup keys and the HSM configuration. It is good practice to do the following before running this command:
Create and download a backup of the database.
Download all the backup keys. Any backups downloaded from this device will not be useful without the backup keys.
Usage
kscfg system reset [flags]
Flags:
-f, --force When this flag is set, any errors encountered during reset are ignored, and the reset procedure
continues to the end. This flag must be used with care as it could place the system in an unuseable state. It
should be used when all else fails.
-h, --help help for reset
-y, --yes When this flag is set, all user prompts during the reset process are skipped. A default value
of 'yes' is used as the automatic response to all prompts.
Examples
kscfg system reset [-f] [-y]
Response:
This will perform a full reset of the ${cm} services.
WARNING - This is a destructive operation and will wipe all data in the ${cm}.
It will delete all backupkeys and the HSM configuration.
Normally, the REST API or the CLI should be used for performing the reset.
THIS METHOD OF PERFORMING THE RESET SHOULD BE USED AS A LAST RESORT.
It is good practice to perform the following steps prior to running this command:
1. Create and download a backup of the database.
2. Download all the backupkeys; any backups downloaded from this device will not be useful without the backupkeys.
Do you want to continue? [y/N] y
This will take some time, please wait
Device reset has started. It will take a few minutes to complete.
System Factory Reset
The kscfg system factory-reset
can be used on k470 and k570 appliance models to revert the system to its factory defaults.
Warning
This destructive operation wipes all data on the CipherTrust Manager, including keys, backups, backup keys, system configuration, and logs. It automatically reboots the appliance twice, before booting to the factory firmware version. The appliance's factory version may be below the currently running version. Several upgrades may be required to return to the currently running version. Do not manually power-off or reset the appliance while the factory-reset is in progress. This command must be used with care.
Note
This command expects the host-daemon system service to be up and running. However, if the host-daemon is not running or not in a good state, the factory-reset can be invoked from command line as ksadmin user by executing "sudo /opt/keysecure/ks_reset_to_factory.sh".
If you have a k570 appliance with embedded PCIe HSM, this command does not reset the HSM and the root of trust keys. This allows you to restore a previous CipherTrust Manager backup taken on the appliance. However, if you performed the factory reset to return the appliance to a fresh security state, and you don't intend to restore a backup, we strongly recommend resetting and re-initializing the HSM to create new root of trust keys. You reset the HSM using the lunaCM command “hsm factoryReset” and then re-initialize following the same HSM configuration process as used during first deployment.
Usage
kscfg system factory-reset [flags]
Flags:
-h, --help help for factory-reset
-y, --yes When this flag is set, all user prompts during the reset process are skipped. A default value
of 'yes' is used as the automatic response to all prompts.
Examples
kscfg system factory-reset [-y]
Response:
WARNING: This operation will revert the appliance to its factory defaults !!!
(1) This is a destructive operation that erases all ${cm} data including keys, backups, backup keys, and logs.
(2) Ensure that you have a valid ${cm} backup of all the data.
(3) After completion, you must re-initialize the HSM.
(4) If remote PED was used, it must be re-connected after completion.
(5) This operation may take up to 15 minutes. Make sure you have power backup in place.
(6) Access to the appliance will be unavailable. DO NOT restart the appliance during this time.
(7) The operation erases all appliance logs.
(8) The Appliance Re-image procedure includes multiple appliance reboot.
(9) This operation CANNOT be undone.
Do you want to continue? [y/N] y
This will take some time, please wait
Factory reset has started. Rebooting...
Adding Connector Licenses After System Reset
System reset changes the Connector Lock Code for the CipherTrust Manager. After system reset, any license files based on that earlier Connector Lock Code cannot be added. You can restore the earlier Connector Lock Code from a backup, or by adding the reset CipherTrust Manager node into a cluster with the earlier Connector Lock Code. Then, these license files can be added. As well, backup restore and cluster replication include previously installed licenses.