Starting Services After Deployment
Physical appliances and private cloud instances include an initial SSH key for the System Admin "ksadmin" to use during launch. After launching, this key must be replaced in order for the CipherTrust Manager to start all of its services and become fully functional.
Replacing the SSH key is a one-time operation during deployment. You cannot replace the key a second time.
Note
If you launched a Virtual CipherTrust Manager from a public cloud such as AWS, Google Cloud, Microsoft Azure, or Oracle Cloud, the SSH key you provided at launch does not need to be replaced.
To replace the SSH key using the GUI
Create an SSH key pair outside of CipherTrust Manager. Your public key must be in the Linux SSH public key (pem) format. The corresponding private key must also be in pem format. OpenSSH private key format is not supported. RSA is the supported key algorithm. We recommend RSA 4096, with RSA 2048 as a minimum size for adequate security.
Browse to the CipherTrust Manager IP address.
If prompted to enter a new SSH Public Key, paste your SSH public key into the box provided and then select Add.
The Log In screen appears, verifying that the SSH key has been successfully replaced.
To replace the SSH key using the CLI
None of the CLI commands shown here require authentication.
Create an SSH key pair outside of CipherTrust Manager. Your public key must be in the Linux SSH public key (pem) format. The corresponding private key must also be in pem format. OpenSSH private key format is not supported. RSA is the supported key algorithm. We recommend RSA 4096, with RSA 2048 as a minimum size for adequate security.
Check if the existing SSH key needs replacement.
ksctl services status
Sample Response:
{"status": "bootstrap", "services":[], "messages": ["The SSH public key for the ksadmin user must be replaced before the ${cm} will be functional"] }
Upload the public key to CipherTrust Manager:
ksctl ssh keys add -k "A..."
Upon successfully adding an authorized SSH key, the CipherTrust Manager services will start working momentarily.
Check that the services have started.
ksctl services status
Sample Response:
{"status": "started", "services":[]}
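Because the key can be replaced only once, it is worth validating the key pair before the upload step. The following script is an added example, not vendor code: it checks that the private key is PEM RSA rather than OpenSSH format, checks the key size, uploads only from the bootstrap state, and then polls until the services report started. The function names, file paths, retry count and the assumption that the `.pub` file written by `ssh-keygen` is what `-k` accepts are not from this page.

```shell
#!/bin/sh
# Added example, not vendor code. The ksctl subcommands are the ones shown on
# this page; function names, paths and the polling interval are assumptions.

# Classify a private key file by its first line.
key_format() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN RSA PRIVATE KEY-----")     echo pem-rsa ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;  # not supported
        *)                                     echo unknown ;;
    esac
}

# Accept an `ssh-keygen -l` output line only for RSA keys of 2048 bits or more.
size_ok() {
    case "$1" in
        *"(RSA)") [ "${1%% *}" -ge 2048 ] 2>/dev/null ;;
        *)        return 1 ;;
    esac
}

# Print the "status" field of a services-status response read from stdin.
status_of() {
    sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# $1 = private key path; the public key to upload is expected at $1.pub
# (assumption: the file ssh-keygen writes is in the format -k accepts).
replace_key() {
    key=$1
    # Omitting -N makes ssh-keygen prompt for a passphrase.
    [ -f "$key" ] || ssh-keygen -t rsa -b 4096 -m PEM -f "$key" || return 1
    [ "$(key_format "$key")" = pem-rsa ] || { echo "private key is not PEM RSA" >&2; return 1; }
    size_ok "$(ssh-keygen -l -f "$key.pub")" || { echo "need RSA >= 2048 bits" >&2; return 1; }
    # The replacement cannot be repeated, so upload only from the bootstrap state.
    if [ "$(ksctl services status | status_of)" = bootstrap ]; then
        ksctl ssh keys add -k "$(cat "$key.pub")" || return 1
    fi
    tries=0
    until [ "$(ksctl services status | status_of)" = started ]; do
        tries=$((tries + 1))
        [ "$tries" -lt 30 ] || return 1
        sleep 5
    done
}

if [ "${1:-}" = "--run" ]; then replace_key "${2:?usage: $0 --run KEYFILE}"; fi
```

Run it as `sh replace_key.sh --run ./ksadmin_key`; without `--run` the file only defines the functions.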
To replace the SSH key using the API
None of the API calls shown here require authentication.
Create an SSH key pair outside of CipherTrust Manager. Your public key must be in the Linux SSH public key (pem) format. The corresponding private key must also be in pem format. OpenSSH private key format is not supported. RSA is the supported key algorithm. We recommend RSA 4096, with RSA 2048 as a minimum size for adequate security.
Check if the default SSH key needs to be replaced.
GET https://{address}/system/services/status
Sample Response:
{"status": "bootstrap", "services":[], "messages": ["The SSH public key for the ksadmin user must be replaced before the ${cm} will be functional"]}
Upload the new SSH public key.
POST https://{addr}/system/ssh/keys {"key": "A..."}
Check that the services have started.
GET https://{addr}/system/services/status
Sample Response:
{"status": "started", "services":[]}
Accessing the System before Services are Started
If you want to access the system before the services have started, you can use the hard-coded SSH key. The default key is shown below:
Note
This default key can be replaced via cloud-init.