Using Proxy with ProtectV Clients
ProtectV 4.7.0 and earlier versions had a standalone ProtectV Manager that could work as a Gateway for ProtectV clients. As the ProtectV Manager is now an integral part of the new key manager, CipherTrust Manager, the Gateway functionality is no longer available natively from ProtectV Manager.
This section describes how to achieve the external Gateway functionality using third-party tools with ProtectV Clients and the CipherTrust Manager appliance. This document demonstrates the use of the SOcket CAT (socat) utility. Other similar proxy servers can also be used as a Gateway.
Solution
The external ProtectV Gateway functionality can be achieved with ProtectV for the CipherTrust Manager by using tools such as the SOcket CAT (socat) utility. Using the socat utility, Ubuntu machines are configured as CipherTrust Manager proxies (acting as external Gateways). These machines must be able to reach the CipherTrust Manager. ProtectV clients' requests for encryption keys to the CipherTrust Manager are forwarded through one of these proxies. For demonstration purposes, two Ubuntu machines are used, as shown in the image below. Configure as many proxies as required in your setup.
Configuring the CipherTrust Manager Proxy
To configure the CipherTrust Manager proxy:
Log on to the Ubuntu machine as root.
Install the socat utility by running:
sudo apt-get install socat
Configure the proxy by running:
socat TCP-LISTEN:443,fork,reuseaddr TCP:<keysecure ip>:443
Here,
Proxy is now configured on the Ubuntu machine.
Verifying the Proxy Configuration
After configuring the proxy, verify whether it works correctly. On a Windows machine, try browsing the CipherTrust Manager using a proxy machine's IP address. For example, entering https://<Proxy Machine's IP address>/ in the Internet browser should open the CipherTrust Manager console. This confirms that the CipherTrust Manager proxy is configured successfully.
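Because socat forwards raw TCP, the TLS session still terminates at the CipherTrust Manager, so the certificate a client sees through the proxy must carry the manager's own fingerprint (the same value later passed to pvreg). The script below is an added example, not ProtectV or CipherTrust Manager code: it fetches the certificate through the proxy on port 443 (as configured above) and compares its SHA-256 fingerprint with the value you expect; SAMPLE_PEM is a constructed placeholder, not a real certificate.

```python
"""Check that a socat relay hands clients the CipherTrust Manager's own certificate.
Added example, not ProtectV or CipherTrust Manager code. If the fingerprint seen
through the proxy differs from the manager's, something else is answering.
"""
import hashlib
import ssl
import sys

# Constructed placeholder used only for a self-check; it is base64("hello"),
# not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\naGVsbG8=\n-----END CERTIFICATE-----\n"

def cert_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint, lowercase hex without separators, of a PEM certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()

def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:...' or 'abcd...' and return lowercase hex without separators."""
    return fp.replace(":", "").replace(" ", "").strip().lower()

def fingerprints_match(seen: str, expected: str) -> bool:
    """Compare two fingerprints regardless of case or colon formatting."""
    return normalize_fingerprint(seen) == normalize_fingerprint(expected)

def fingerprint_via(host: str, port: int = 443) -> str:
    """Fetch the certificate presented at host:port (no chain validation) and fingerprint it."""
    return cert_fingerprint(ssl.get_server_certificate((host, port)))

def proxy_matches(proxy_host: str, expected_fp: str, port: int = 443) -> bool:
    """True when the certificate reached through the proxy is the expected one."""
    return fingerprints_match(fingerprint_via(proxy_host, port), expected_fp)

if __name__ == "__main__":
    # Usage: python verify_proxy.py <proxy ip> <expected manager sha256 fingerprint>
    proxy, expected = sys.argv[1], sys.argv[2]
    seen = fingerprint_via(proxy)
    print(f"certificate fingerprint via {proxy}: {seen}")
    if fingerprints_match(seen, expected):
        print("OK: the proxy relays the CipherTrust Manager certificate")
        sys.exit(0)
    print("MISMATCH: the proxy is not forwarding to the expected CipherTrust Manager")
    sys.exit(1)
```

Run it once against each proxy machine; a mismatch on any of them means that proxy is not relaying to the manager you registered clients with.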
After the proxy is configured, you can register ProtectV clients with it instead of the CipherTrust Manager.
Registering Clients with the Proxy
To register a client with the proxy:
Log on to the ProtectV client as root/administrator.
Install the ProtectV client.
Register the client with the proxy.
pvreg <registration token> <keysecure ip> <server fingerprint>
Here, <keysecure ip> is the IP address of the proxy machine. Refer to the "Registering ProtectV Linux Clients" and "Registering ProtectV Windows Clients" sections in the ProtectV Clients Administrator Guide for details on pvreg parameters.
On Windows, after pvreg.exe is run and the client is registered with the CipherTrust Manager, volume encryption starts. All partitions of the client will be encrypted. Encryption of your partitions might take some time.
(Linux) Verify the registration. Check whether the reginfo file exists at /boot/pvstore. If it exists, the client registration is successful. By default, all volumes/partitions except the boot partition, which cannot be encrypted, are designated for encryption.
(Linux) Reboot the client after successful registration. All partitions (except the boot partition) of the client will be encrypted.
Check the encryption status, as described in Verifying the Encryption Status.
Verifying the Encryption Status
On Linux, after the ProtectV client is installed, registered, and the instance is rebooted, it takes some time for each partition to encrypt. Verify the encryption status by running the pvinfo command.
On Windows, as soon as the client is registered with the proxy, encryption of partitions starts. It takes some time for each partition to encrypt. Verify the encryption status by using the local management console (LocalMC.exe).