System Configuration Utility
The CipherTrust Manager has a 'CLI based' System Configuration Utility (kscfg). The "ksadmin" user can remotely access the CipherTrust Manager kscfg utility in a private cloud deployment by accessing the Console, or in a physical appliance deployment, by directly connecting to the appliance's console port and using your ksadmin password.
Logging in as ksadmin user
To log in as ksadmin, you must first connect to the CipherTrust Manager console.
To connect and log in to the console (for private cloud deployments):
Using SSH, you can remotely connect to the console port of a CipherTrust Manager instance deployed in a private cloud (e.g. VMware vSphere and HyperV).
Using an SSH utility (e.g., PuTTY), select an SSH session and enter the IP address assigned to the CipherTrust Manager instance during deployment. This is the same IP address used to browse to the GUI.
If using PuTTY, make sure your SSH keys are in ppk format. If they are in PEM format, you can convert them to ppk (e.g., using PuTTYgen utility).
Using the SSH utility, select the path to your SSH Private Key you will use to authenticate the session.
Select Open to start the SSH session.
To connect and log in to the console (for physical appliance deployments):
Using a serial cable, you can directly connect your console device (e.g., laptop) to the console port of a physical appliance (k450, k460, k470 and k570).
Connect the serial cable from your console device to the physical appliance console port.
Log in to the physical appliance as ksadmin user using the password you created during Appliance Initialization; refer to Appliance Initialization.
Using the kscfg utility
The CipherTrust Manager kscfg utility can be used to retrieve network interfaces (NICs) configurations and values, and to perform a hard system reset.
All configurable network interfaces are always listed and are the same as those available from standard Linux network interface utilities such as ip, ifconfig and nmcli. The network interface names from kscfg match the network interface names from the operating system.
A network interface contains two configurable families: inet (IPv4) and inet6 (IPv6). Their methods are:
- "none"
For a disabled network family.
- "dhcp"
Use DHCP to automatically acquire a network address. ("auto" might be preferred for IPv6.)
- "static"
Statically set a network address.
- "auto"
Automatically set up IPv6 from the network environment. (IPv6 only)
Commands
To view the available kscfg commands:
Example:
kscfg --help
Response:
Entropy Source
The kscfg system entropy-source command can be used on physical appliances to configure the entropy source.
This command sets the entropy source to be used by CipherTrust Manager for random number generation. The entropy source can be one of AUTO, RDSEED, RDRAND, DEV_URANDOM, or RNGD_DEV_RANDOM. The default is AUTO, where CipherTrust Manager tries to use the best entropy source available on the system: RDSEED, RDRAND, RNGD_DEV_RANDOM, or DEV_URANDOM, in that order. If CipherTrust Manager is configured to use an HSM, then AUTO defaults to using the HSM as the entropy source.
The change won't take effect until the CipherTrust Manager appliance is rebooted or CipherTrust Manager services are restarted. You can restart CipherTrust Manager services through ksctl or the GUI.
RDSEED and RDRAND are CPU instructions and may not be available on all host CPUs. RNGD_DEV_RANDOM also relies on the RDRAND instruction being available on the host CPU. When the entropy source is set to RDRAND (or RDSEED), CipherTrust Manager reads directly from RDRAND (or RDSEED) to seed the DRBG. When RNGD_DEV_RANDOM is set as the entropy source, the 'rngd' daemon reads from RDRAND and mixes it into the entropy pool in /dev/random to seed the DRBG.
Caution
If the configured entropy source is unavailable on the system, all the CipherTrust Manager services are unavailable. So, if the entropy source is not set to AUTO, make sure that the entropy source is available on the host. For example, if entropy source is set to RDSEED and RDSEED instruction is not available in the host CPU, you cannot access any CipherTrust Manager services.
Usage:
kscfg system entropy-source [flags]
Flags:
Example:
kscfg system entropy-source -s RDSEED
Response:
There is no response for successful execution of this command.
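Because a missing entropy source takes every CipherTrust Manager service offline (see the caution above), it pays to confirm the host can serve the source before setting it. The POSIX shell check below is an added example, not part of the CipherTrust Manager documentation or the kscfg tool; the function names and the CPUINFO override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify that a kscfg entropy-source value is usable on this host
# before running "kscfg system entropy-source -s <SOURCE>".
# Availability rules follow the documentation above:
#   RDSEED / RDRAND   -> the matching CPU instruction must exist
#   RNGD_DEV_RANDOM   -> rngd reads RDRAND, so the rdrand flag plus /dev/random
#   DEV_URANDOM       -> /dev/urandom must exist
#   AUTO              -> CipherTrust Manager picks the best available source itself
# CPUINFO can be pointed at a captured copy of /proc/cpuinfo (assumption: this
# variable is specific to the example, not to kscfg).
CPUINFO="${CPUINFO:-/proc/cpuinfo}"

# cpu_has_flag FLAG: exit 0 if FLAG is listed on a "flags" line of CPUINFO.
cpu_has_flag() {
    grep -E '^flags[[:space:]]*:' "$CPUINFO" 2>/dev/null | grep -qw "$1"
}

# entropy_source_available SOURCE: exit 0 if SOURCE can be served by this host,
# 1 if it cannot, 2 if SOURCE is not a value kscfg accepts.
entropy_source_available() {
    case "$1" in
        AUTO)            return 0 ;;
        RDSEED)          cpu_has_flag rdseed ;;
        RDRAND)          cpu_has_flag rdrand ;;
        RNGD_DEV_RANDOM) cpu_has_flag rdrand && [ -c /dev/random ] ;;
        DEV_URANDOM)     [ -c /dev/urandom ] ;;
        *)               return 2 ;;
    esac
}

# Report the status of every documented source on the running host.
report_entropy_sources() {
    for src in AUTO RDSEED RDRAND RNGD_DEV_RANDOM DEV_URANDOM; do
        if entropy_source_available "$src"; then
            echo "$src: available"
        else
            echo "$src: NOT available"
        fi
    done
}

# Typical use: only change the setting when the check passes, e.g.
#   entropy_source_available RDSEED && kscfg system entropy-source -s RDSEED
```

Run `report_entropy_sources` on the appliance console to see which values are safe to pass to `-s` before leaving AUTO.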
Network Configuration
To list the available network interfaces:
Example:
kscfg net interfaces list
Response:
To view information on a specific network interface:
Usage:
kscfg net interfaces get [flags]
Flags:
-h, --help help for get
-n, --name string A network interface name such as 'enp0s25'.
Example:
kscfg net interfaces get -n eth0
Response:
To modify the configuration of a specific network interface:
Caution
This operation has been deprecated. Please use NetworkManager's nmcli tool to modify a network interface's configuration; refer to: Network Configuration Bonding.
Usage:
kscfg net interfaces modify [flags]
Flags:
Example:
kscfg net interfaces modify --name eth0 --ipaddress 10.121.105.27 --netmask 255.255.252.0 --gateway 10.121.104.1 --dns 172.16.2.12
Response:
System Reset
The kscfg system reset command can be used to perform a hard reset of the CipherTrust Manager.
Warning
This destructive operation wipes all data on the CipherTrust Manager and should be used with care.
Normally, the REST API or the CLI should be used for performing the reset. This method of performing the reset should be used as a last resort. This operation deletes all backup keys and the HSM configuration. It is good practice to do the following before running this command:
Create and download a backup of the database.
Download all the backup keys. Any backups downloaded from this device will not be useful without the backup keys.
Usage:
kscfg system reset [flags]
Flags:
Example:
kscfg system reset [-f] [-y]
Response:
System Factory Reset
The kscfg system factory-reset command can be used on k470 and k570 appliance models to revert the system to its factory defaults.
Warning
This destructive operation wipes all data on the CipherTrust Manager, including keys, backups, backup keys, system configuration, and logs. It automatically reboots the appliance twice, before booting to the factory firmware version. The appliance's factory version may be below the currently running version. Several upgrades may be required to return to the currently running version. Do not manually power-off or reset the appliance while the factory-reset is in progress. This command must be used with care.
Note
This command expects the host-daemon system service to be up and running. However, if the host-daemon is not running or not in a good state, the factory-reset can be invoked from command line as ksadmin user by executing "sudo /opt/keysecure/ks_reset_to_factory.sh".
If you have a k570 appliance with embedded PCIe HSM, this command does not reset the HSM and the root of trust keys. This allows you to restore a previous CipherTrust Manager backup taken on the appliance. However, if you performed the factory reset to return the appliance to a fresh security state, and you don't intend to restore a backup, we strongly recommend resetting and re-initializing the HSM to create new root of trust keys. You reset the HSM using the lunaCM command "hsm factoryReset" and then re-initialize following the same HSM configuration process as used during first deployment.
Usage:
kscfg system factory-reset [flags]
Flags:
Example:
kscfg system factory-reset [-y]
Response:
Adding Connector Licenses After System Reset
System reset changes the Connector Lock Code for the CipherTrust Manager. After system reset, any license files based on that earlier Connector Lock Code cannot be added. You can restore the earlier Connector Lock Code from a backup, or by adding the reset CipherTrust Manager node into a cluster with the earlier Connector Lock Code. Then, these license files can be added. Backup restore and cluster replication also include previously installed licenses.