Please Note:

Starting Services After Deployment

Physical appliances and private cloud instances include an initial SSH key for the System Admin "ksadmin" to use during launch. After launching, this key must be replaced in order for the CipherTrust Manager to start all of its services and become fully functional.

Replacing the SSH key is a one-time operation during deployment. You cannot replace the key a second time.

Note

If you launched a Virtual CipherTrust Manager from a public cloud such as AWS, Google Cloud, Microsoft Azure, or Oracle Cloud, the SSH key you provided at launch does not need to be replaced.

To replace the SSH key using the GUI

Create an SSH key pair outside of CipherTrust Manager. Your public key must be an RSA key in the OpenSSH format. We recommend RSA 4096, with RSA 2048 as a minimum size for adequate security. The corresponding private key can be OpenSSH, PKCS1, or PKCS8 format.
Browse to the CipherTrust Manager IP address.
If prompted to enter the a new SSH Public Key, paste in your SSH public key in the box provided and then select Add.
The Log In screen appears, verifying that the SSH key has been successfully replaced.

To replace the SSH key using the CLI

None of the CLI commands shown here require authentication.

Create an SSH key pair outside of CipherTrust Manager. Your public key must be an RSA key in the OpenSSH format. We recommend RSA 4096, with RSA 2048 as a minimum size for adequate security. The corresponding private key can be OpenSSH, PKCS1, or PKCS8 format.

Check if the existing SSH key needs replacement.

ksctl services status

Sample Response:

{"status": "bootstrap", "services":[] "messages":
  ["The SSH public key for the ksadmin user must be replaced before the ${cm} will be functional"]
}

Upload the public key to CipherTrust Manager:
```
ksctl ssh keys add -k "A..."
```
CipherTrust Manager Upon successfully adding an authorized SSH key, the CipherTrust Manager services will start working momentarily.

Check that the services have started.

ksctl services status

Sample Response:

{"status": "started", "services":[]}

To replace the SSH key using the API

None of the API calls shown here require authentication.

Create an SSH key pair outside of CipherTrust Manager. Your public key must be an RSA key in the OpenSSH format. We recommend RSA 4096, with RSA 2048 as a minimum size for adequate security. The corresponding private key can be OpenSSH, PKCS1, or PKCS8 format.

Check if the default SSH key needs to be replaced.

GET https://{address}/system/services/status

Sample Response:

{"status": "bootstrap", "services":[] "messages": ["The SSH public key for the ksadmin user must be replaced before the ${cm} will be functional"]}

Upload the new SSH public key.

POST https://{addr|/system/ssh/keys {"key": "A..."}

Check that the services have started.

GET https://{addr}/system/services/status

Sample Response:

{"status": "started", "services":[]}

Accessing the System before Services are Started

If you want to access the system before the services have been has started, you can use the hard-coded SSH key. The default key is show below:

This default key can be replaced via cloud-init.

Suggest A Change

Starting Services After Deployment

To replace the SSH key using the GUI

To replace the SSH key using the CLI

To replace the SSH key using the API

Accessing the System before Services are Started

On this page