Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CTE-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Widows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

CipherTrust Manager Deployment

System Configuration Utility

search

Please Note:

You are not viewing the most recent version of this page. 2.19 is the latest version available.

print

System Configuration Utility

The CipherTrust Manager has a 'CLI based' System Configuration Utility (kscfg). The "ksadmin" user can remotely access the CipherTrust Manager kscfg utility in a private cloud deployment by accessing the Console, or in a physical appliance deployment, by directly connecting to the appliance's console port and using your ksadmin password.

copy link to clipboardLogging in as ksadmin user

To log in as ksadmin, you must first connect to the CipherTrust Manager console.

copy link to clipboardTo connect and log in to the console (for private cloud deployments):

Using SSH, you can remotely connect to the console port of a CipherTrust Manager instance deployed in a private cloud (e.g. VMware vSphere and HyperV).

  1. Using an SSH utility (e.g. PuTTY) select an SSH session and enter the IP address assigned to the CipherTrust Manager instance during deployment. This is the same IP address used to browse to the GUI.

  2. If using PuTTY, make sure your SSH keys are in ppk format. If they are in PEM format, you can convert them to ppk (e.g., using PuTTYgen utility).

  3. Using the SSH utility, select the path to your SSH Private Key you will use to authenticate the session.

    Putty Authentication Menu

  4. Select Open to start the SSH session.

copy link to clipboardTo connect and log in to the console (for physical appliance deployments):

Using a serial cable, you can directly connect your console device (e.g., laptop) to the console port of a physical appliance (k450, k460, k470 and k570).

  1. Connect the serial cable from your console device to the physical appliance console port.

  2. Log in to the physical appliance as ksadmin user using the password you created during Appliance Initialization; refer to Appliance Initialization.

copy link to clipboardUsing the kscfg utility

The CipherTrust Manager kscfg utility can be used to retrieve network interfaces (NICs) configurations and values, and to perform a hard system reset.

All configurable network interfaces are always listed and are the same as those available from standard Linux network interfaces utilities such as ip and ifconfignmcli. The network interface names from kscfg match the network interface names from the operating system.

A network interface contains two configurable families: inet (IPv4 and inet6 (IPv6). Their methods are:

  • "none"

For a disabled network family.

  • "dhcp"

Use DHCP to automatically acquire a network address. ("auto" might be preferred for IPv6.)

"static"

Statically set a network address.

  • "auto"

Automatically setup IPv6 from the network environment. (IPv6 only)

copy link to clipboardCommands

copy link to clipboardTo view the available kscfg commands:

Example:

kscfg --help

Response:

Command-line interface application for configuring the ${cm}.

    Usage:
      kscfg [command]

    Available Commands:
      help        Help about any command
      net         ${cm} network configuration
      system      ${cm} system commands

    Flags:
      -h, --help      help for kscfg
      -v, --verbose   Provide verbose output while executing command (optional)

copy link to clipboardEntropy Source

The kscfg system entropy-source command can be used on physical appliances to configure entropy source.

This command sets entropy source to be used by CipherTrust Manager for random number generation. Entropy source can be one of AUTO, RDSEED, RDRAND, DEV_URANDOM, or RNGD_DEV_RANDOM. Default is AUTO, where CipherTrust Manager tries to use the best entropy source available on the system - RDSEED, RDRAND, RNGD_DEV_RANDOM, or DEV_URANDOM, in that order. If CipherTrust Manager is configured to use HSM, then AUTO defaults to use HSM as the entropy source.

The change won't take effect until the CipherTrust Manager appliance is rebooted or CipherTrust Manager services are restarted. You can restart CipherTrust Manager services through ksctl or the GUI.

RDSEED and RDRAND are CPU instructions and may not be available on all host CPUs. RNGD_DEV_RANDOM as well relies on RDRAND instruction being available on the host CPU. When entropy source is set to RDRAND (or RDSEED), CipherTrust Manager directly reads from RDRAND (or RDSEED) to seed the DRBG. When RNGD_DEV_RANDOM is set as entropy source, 'rngd' daemon reads from RDRAND and mixes it into the entropy pool in /dev/random to seed the DRBG.

Caution

If the configured entropy source is unavailable on the system, all the CipherTrust Manager services are unavailable. So, if the entropy source is not set to AUTO, make sure that the entropy source is available on the host. For example, if entropy source is set to RDSEED and RDSEED instruction is not available in the host CPU, you cannot access any CipherTrust Manager services.

Usage:

kscfg system entropy-source [flags]

Flags:

-h, --help    help for factory-reset
-s, --source  Entropy source. Can be one of AUTO(default), RDSEED, RDRAND, RNGD_DEV_RANDOM, or DEV_URANDOM.

Example:

kscfg system entropy-source -s RDSEED

Response:

There is no response for successful execution of this command.

copy link to clipboardNetwork Configuration

copy link to clipboardTo list the available network interfaces:

Example:

kscfg net interfaces list

Response:

{
    "skip": 0,
        "limit": 0,
        "total": 3,
        "resources": [
        {
            "name": "eth0",
            "inet": {
                "method": "static",
                "ip": "10.121.105.137",
                "netmask": "255.255.252.0",
                "gateway": "10.121.104.1",
                "dns": [
                    "172.16.2.12"
                ]
            },
            "inet6": {
                "method": "none"
            }
        },
        {
            "name": "eth1",
            "inet": {
                "method": "dhcp",
                "ip": "10.121.105.81",
                "netmask": "255.255.252.0",
                "gateway": "10.121.104.1",
                "dns": [
                    "172.16.2.12",
                    "10.121.8.7",
                    "172.16.2.13"
                ]
            },
            "inet6": {
                "method": "none"
            }
        },
        {
            "name": "eth2",
            "inet": {
                "method": "none"
            },
            "inet6": {
                "method": "none"
            }
        }
    ]
}
copy link to clipboardTo view information on a specific network interface:

Usage:

kscfg net interfaces get [flags]

Flags:

-h, --help help for get

-n, --name string A network interface name such as 'enp0s25'.

Example:

kscfg net interfaces get -n eth0

Response:

{
    "name": "eth0",
        "inet": {
            "method": "static",
            "ip": "10.121.105.137",
            "netmask": "255.255.252.0",
            "gateway": "10.121.104.1",
            "dns": [
                "172.16.2.12"
            ]
        },
        "inet6": {
            "method": "none"
        }
}
copy link to clipboardTo modify the configuration of a specific network interface:

Caution

This operation has been deprecated. Please use NetworkManager's nmcli tool to modify a network interface's configuration; refer to: Network Configuration Bonding.

Usage:

kscfg net interfaces modify [flags]

Flags:

-d, --dhcp                   Use DHCP for the network interface. Deprecated - use "method" instead.
-r, --dns string             IP addresses of the DNS servers (comma separated), or "" to unset and use entries in /etc/resolv.conf.
--force-gateway string       Force system default gateway update, i.e.      overwrite system default gateway when this device is brought up. By
                             default a network interface will only set the system default gateway if is not already set. This feature can be
                             used to force a specific network interface to be used for outgoing traffic initiated from the machine itself. Set
                             to "yes" to enable and "no" to disable.
-g, --gateway string         Default gateway, or "" to unset.
-h, --help                   help for modify
-4, --inet                   Use IPv4 for the network interface. (default true)
-6, --inet6                  Use IPv6 for the network interface.
-i, --ipaddress string       Static IP Address.
-e, --method string          Method for obtaining an IP. Accepted inet values are dhcp, none, or static; inet6 values are auto, dhcp, none, or static. (default "static")
-n, --name string            A network interface name such as 'enp0s25'.
-m, --netmask string         Subnet mask. IPv4 must be an IP (e.g. 255.255.255.0). IPv6 must be the number of bits (e.g. 64).

Example:

kscfg net interfaces modify --name eth0 --ipaddress 10.121.105.27 --netmask 255.255.252.0 --gateway 10.121.104.1 --dns 172.16.2.12

Response:

{
        "name": "eth0",
            "inet": {
                "method": "static",
                "ip": "10.121.105.27",
                "netmask": "255.255.252.0",
                "gateway": "10.121.104.1",
                "dns": [
                    "172.16.2.12"
                ]
            },
            "inet6": {
                "method": "none"
            }
}

copy link to clipboardSystem Reset

The kscfg system reset command can be used to perform a hard reset of the CipherTrust Manager.

Warning

This destructive operation wipes all data on the CipherTrust Manager and should be used with care.

Normally, the REST API or the CLI should be used for performing the reset. This method of performing the reset should be used as a last resort. This operation deletes all backup keys and the HSM configuration. It is good practice to do the following before running this command:

  1. Create and download a backup of the database.

  2. Download all the backup keys. Any backups downloaded from this device will not be useful without the backup keys.

copy link to clipboardUsage

kscfg system reset [flags]

Flags:

-f, --force   When this flag is set, any errors encountered during reset are ignored, and the reset procedure
              continues to the end. This flag must be used with care as it could place the system in an unuseable state. It
              should be used when all else fails.

-h, --help    help for reset

-y, --yes     When this flag is set, all user prompts during the reset process are skipped. A default value
              of 'yes' is used as the automatic response to all prompts.

copy link to clipboardExamples

kscfg system reset [-f] [-y]

Response:

This will perform a full reset of the ${cm} services.
WARNING - This is a destructive operation and will wipe all data in the ${cm}.
It will delete all backupkeys and the HSM configuration.
Normally, the REST API or the CLI should be used for performing the reset.
THIS METHOD OF PERFORMING THE RESET SHOULD BE USED AS A LAST RESORT.
It is good practice to perform the following steps prior to running this command:
   1. Create and download a backup of the database.
   2. Download all the backupkeys; any backups downloaded from this device will not be useful without the backupkeys.
Do you want to continue? [y/N] y
This will take some time, please wait
Device reset has started. It will take a few minutes to complete.

copy link to clipboardSystem Factory Reset

The kscfg system factory-reset can be used on k470 and k570 appliance models to revert the system to its factory defaults.

Warning

This destructive operation wipes all data on the CipherTrust Manager, including keys, backups, backup keys, system configuration, and logs. It automatically reboots the appliance twice, before booting to the factory firmware version. The appliance's factory version may be below the currently running version. Several upgrades may be required to return to the currently running version. Do not manually power-off or reset the appliance while the factory-reset is in progress. This command must be used with care.

Note

This command expects the host-daemon system service to be up and running. However, if the host-daemon is not running or not in a good state, the factory-reset can be invoked from command line as ksadmin user by executing "sudo /opt/keysecure/ks_reset_to_factory.sh".

If you have a k570 appliance with embedded PCIe HSM, this command does not reset the HSM and the root of trust keys. This allows you to restore a previous CipherTrust Manager backup taken on the appliance. However, if you performed the factory reset to return the appliance to a fresh security state, and you don't intend to restore a backup, we strongly recommend resetting and re-initializing the HSM to create new root of trust keys. You reset the HSM using the lunaCM command “hsm factoryReset” and then re-initialize following the same HSM configuration process as used during first deployment.

copy link to clipboardUsage

kscfg system factory-reset [flags]

Flags:

-h, --help    help for factory-reset

-y, --yes     When this flag is set, all user prompts during the reset process are skipped. A default value
              of 'yes' is used as the automatic response to all prompts.

copy link to clipboardExamples

kscfg system factory-reset [-y]

Response:

WARNING: This operation will revert the system to its factory defaults !!!

    (1) This is a destructive operation that erases all CipherTrust Manager data including but not limited to keys, backups, backup keys, and system logs.
    (2) Ensure that you have a valid CipherTrust Manager backup of all the data and backup key.
    (3) If embedded HSM is available, it will not be reset as part of this operation.
    Re-initialization of embedded HSM is highly recommended after this operation to configure it as the root of trust.
    (4) If remote PED was used, it must be re-connected after completion.
    (5) This operation may take up to 15 minutes. Make sure you have power backup in place.
    (6) Access to the system will be unavailable. DO NOT restart the system during this time.
    (7) This operation includes multiple system reboot.
    (8) This operation CANNOT be undone.

Do you want to continue?

[y/N]

copy link to clipboardAdding Connector Licenses After System Reset

System reset changes the Connector Lock Code for the CipherTrust Manager. After system reset, any license files based on that earlier Connector Lock Code cannot be added. You can restore the earlier Connector Lock Code from a backup, or by adding the reset CipherTrust Manager node into a cluster with the earlier Connector Lock Code. Then, these license files can be added. As well, backup restore and cluster replication include previously installed licenses.

On this page