System Configuration Utility
The CipherTrust Manager has a 'CLI based' System Configuration Utility (kscfg). The "ksadmin" user can remotely access the CipherTrust Manager kscfg utility in a private cloud deployment by accessing the Console, or in a physical appliance deployment, by directly connecting to the appliance's console port and using your ksadmin password.
Logging in as ksadmin user
To log in as ksadmin, you must first connect to the CipherTrust Manager console.
To connect and log in to the console (for private cloud deployments):
Using SSH, you can remotely connect to the console port of a CipherTrust Manager instance deployed in a private cloud (e.g. VMware vSphere and HyperV).
Using an SSH utility (e.g. PuTTY) select an SSH session and enter the IP address assigned to the CipherTrust Manager instance during deployment. This is the same IP address used to browse to the GUI.
If using PuTTY, make sure your SSH keys are in ppk format. If they are in PEM format, you can convert them to ppk (e.g., using PuTTYgen utility).
Using the SSH utility, select the path to your SSH Private Key you will use to authenticate the session.
Select Open to start the SSH session.
To connect and log in to the console (for physical appliance deployments):
Using a serial cable, you can directly connect your console device (e.g., laptop) to the console port of a physical appliance (k450, k460, k470 and k570).
Connect the serial cable from your console device to the physical appliance console port.
Log in to the physical appliance as
ksadminuser using the password you created during Appliance Initialization; refer to Appliance Initialization.
Using the kscfg utility
The CipherTrust Manager kscfg utility can be used to retrieve network interfaces (NICs) configurations and values, and to perform a hard system reset.
All configurable network interfaces are always listed and are the same as those available from standard Linux network interfaces utilities such as ip and ifconfignmcli. The network interface names from kscfg match the network interface names from the operating system.
A network interface contains two configurable families: inet (IPv4 and inet6 (IPv6). Their methods are:
- "none"
For a disabled network family.
- "dhcp"
Use DHCP to automatically acquire a network address. ("auto" might be preferred for IPv6.)
"static"
Statically set a network address.
- "auto"
Automatically setup IPv6 from the network environment. (IPv6 only)
Commands
To view the available kscfg commands:
Example:
kscfg --help
Response:
Command-line interface application for configuring the ${cm}.
Usage:
kscfg [command]
Available Commands:
help Help about any command
net ${cm} network configuration
system ${cm} system commands
Flags:
-h, --help help for kscfg
-v, --verbose Provide verbose output while executing command (optional)
Entropy Source
The kscfg system entropy-source command can be used on physical appliances to configure entropy source.
This command sets entropy source to be used by CipherTrust Manager for random number generation. Entropy source can be one of AUTO, RDSEED, RDRAND, DEV_URANDOM, or RNGD_DEV_RANDOM. Default is AUTO, where CipherTrust Manager tries to use the best entropy source available on the system - RDSEED, RDRAND, RNGD_DEV_RANDOM, or DEV_URANDOM, in that order. If CipherTrust Manager is configured to use HSM, then AUTO defaults to use HSM as the entropy source.
RDSEED and RDRAND are CPU instructions and may not be available on all host CPUs. RNGD_DEV_RANDOM as well relies on RDRAND instruction being available on the host CPU. When entropy source is set to RDRAND (or RDSEED), CipherTrust Manager directly reads from RDRAND (or RDSEED) to seed the DRBG. When RNGD_DEV_RANDOM is set as entropy source, 'rngd' daemon reads from RDRAND and mixes it into the entropy pool in /dev/random to seed the DRBG.
Caution
If the configured entropy source is unavailable on the system, all the CipherTrust Manager services are unavailable. So, if the entropy source is not set to AUTO, make sure that the entropy source is available on the host. For example, if entropy source is set to RDSEED and RDSEED instruction is not available in the host CPU, you cannot access any CipherTrust Manager services.
The change won't take effect until the CipherTrust Manager appliance is rebooted or CipherTrust Manager services are restarted. Run "sudo systemctl restart keysecure" to restart CipherTrust Manager services.
Usage:
kscfg system entropy-source [flags]
Flags:
-h, --help help for entropy-source
-s, --source Entropy source. Can be one of AUTO(default), RDSEED, RDRAND, RNGD_DEV_RANDOM, or DEV_URANDOM.
Example:
kscfg system entropy-source -s RDSEED
Response:
There is no response for successful execution of this command.
Local Hostname Configuration
You can list or set the local hostname which local applications use to connect to CipherTrust Manager. The default hostname is ciphertrust.
To list the local hostname
Usage:
kscfg system hostname get
Flags:
-h, --help help for get
Example Response:
ciphertrust
To set the local hostname
Note
The change won't take effect until the CipherTrust Manager appliance is rebooted or CipherTrust Manager services are restarted. Run "sudo systemctl restart keysecure" to restart CipherTrust Manager services.
Usage:
kscfg system hostname set [flags]
Flags:
-h, --help help for set
-n, --host-name this command can set the hostname, updating /etc/hostname file.
Example:
kscfg system hostname set -n newhostname
Response:
Note: please run "sudo systemctl restart keysecure" to have new hostname effective in CipherTrust Manager
Network Configuration
To list the available network interfaces:
Example:
kscfg net interfaces list
Response:
{
"skip": 0,
"limit": 0,
"total": 3,
"resources": [
{
"name": "eth0",
"inet": {
"method": "static",
"ip": "10.121.105.137",
"netmask": "255.255.252.0",
"gateway": "10.121.104.1",
"dns": [
"172.16.2.12"
]
},
"inet6": {
"method": "none"
}
},
{
"name": "eth1",
"inet": {
"method": "dhcp",
"ip": "10.121.105.81",
"netmask": "255.255.252.0",
"gateway": "10.121.104.1",
"dns": [
"172.16.2.12",
"10.121.8.7",
"172.16.2.13"
]
},
"inet6": {
"method": "none"
}
},
{
"name": "eth2",
"inet": {
"method": "none"
},
"inet6": {
"method": "none"
}
}
]
}
To view information on a specific network interface:
Usage:
kscfg net interfaces get [flags]
Flags:
-h, --help help for get
-n, --name string A network interface name such as 'enp0s25'.
Example:
kscfg net interfaces get -n eth0
Response:
{
"name": "eth0",
"inet": {
"method": "static",
"ip": "10.121.105.137",
"netmask": "255.255.252.0",
"gateway": "10.121.104.1",
"dns": [
"172.16.2.12"
]
},
"inet6": {
"method": "none"
}
}
To modify the configuration of a specific network interface:
Caution
This operation has been deprecated. Please use NetworkManager's nmcli tool to modify a network interface's configuration; refer to: Network Configuration Bonding.
Usage:
kscfg net interfaces modify [flags]
Flags:
-d, --dhcp Use DHCP for the network interface. Deprecated - use "method" instead.
-r, --dns string IP addresses of the DNS servers (comma separated), or "" to unset and use entries in /etc/resolv.conf.
--force-gateway string Force system default gateway update, i.e. overwrite system default gateway when this device is brought up. By
default a network interface will only set the system default gateway if is not already set. This feature can be
used to force a specific network interface to be used for outgoing traffic initiated from the machine itself. Set
to "yes" to enable and "no" to disable.
-g, --gateway string Default gateway, or "" to unset.
-h, --help help for modify
-4, --inet Use IPv4 for the network interface. (default true)
-6, --inet6 Use IPv6 for the network interface.
-i, --ipaddress string Static IP Address.
-e, --method string Method for obtaining an IP. Accepted inet values are dhcp, none, or static; inet6 values are auto, dhcp, none, or static. (default "static")
-n, --name string A network interface name such as 'enp0s25'.
-m, --netmask string Subnet mask. IPv4 must be an IP (e.g. 255.255.255.0). IPv6 must be the number of bits (e.g. 64).
Example:
kscfg net interfaces modify --name eth0 --ipaddress 10.121.105.27 --netmask 255.255.252.0 --gateway 10.121.104.1 --dns 172.16.2.12
Response:
{
"name": "eth0",
"inet": {
"method": "static",
"ip": "10.121.105.27",
"netmask": "255.255.252.0",
"gateway": "10.121.104.1",
"dns": [
"172.16.2.12"
]
},
"inet6": {
"method": "none"
}
}
System Reset
The kscfg system reset command can be used to perform a hard reset of the CipherTrust Manager.
Warning
This destructive operation wipes all data on the CipherTrust Manager and should be used with care.
Normally, the REST API or the CLI should be used for performing the reset. This method of performing the reset should be used as a last resort. This operation deletes all backup keys and the HSM configuration. It is good practice to do the following before running this command:
Create and download a backup of the database.
Download all the backup keys. Any backups downloaded from this device will not be useful without the backup keys.
Usage
kscfg system reset [flags]
Flags:
-f, --force When this flag is set, any errors encountered during reset are ignored, and the reset procedure
continues to the end. This flag must be used with care as it could place the system in an unuseable state. It
should be used when all else fails.
-h, --help help for reset
-y, --yes When this flag is set, all user prompts during the reset process are skipped. A default value
of 'yes' is used as the automatic response to all prompts.
Examples
kscfg system reset [-f] [-y]
Response:
This will perform a full reset of the ${cm} services.
WARNING - This is a destructive operation and will wipe all data in the ${cm}.
It will delete all backupkeys and the HSM configuration.
Normally, the REST API or the CLI should be used for performing the reset.
THIS METHOD OF PERFORMING THE RESET SHOULD BE USED AS A LAST RESORT.
It is good practice to perform the following steps prior to running this command:
1. Create and download a backup of the database.
2. Download all the backupkeys; any backups downloaded from this device will not be useful without the backupkeys.
Do you want to continue? [y/N] y
This will take some time, please wait
Device reset has started. It will take a few minutes to complete.
System Factory Reset
The kscfg system factory-reset can be used on k470 and k570 appliance models to revert the system to its factory defaults.
Warning
This destructive operation wipes all data on the CipherTrust Manager, including keys, backups, backup keys, system configuration, and logs. It automatically reboots the appliance twice, before booting to the factory firmware version. The appliance's factory version may be below the currently running version. Several upgrades may be required to return to the currently running version. Do not manually power-off or reset the appliance while the factory-reset is in progress. This command must be used with care.
Note
This command expects the host-daemon system service to be up and running. However, if the host-daemon is not running or not in a good state, the factory-reset can be invoked from command line as ksadmin user by executing "sudo /opt/keysecure/ks_reset_to_factory.sh".
If you have a k570 appliance with embedded PCIe HSM, this command does not reset the HSM and the root of trust keys. This allows you to restore a previous CipherTrust Manager backup taken on the appliance. However, if you performed the factory reset to return the appliance to a fresh security state, and you don't intend to restore a backup, we strongly recommend resetting and re-initializing the HSM to create new root of trust keys. You reset the HSM using the lunaCM command “hsm factoryReset” and then re-initialize following the same HSM configuration process as used during first deployment.
Usage
kscfg system factory-reset [flags]
Flags:
-h, --help help for factory-reset
-y, --yes When this flag is set, all user prompts during the reset process are skipped. A default value
of 'yes' is used as the automatic response to all prompts.
Examples
kscfg system factory-reset [-y]
Response:
WARNING: This operation will revert the system to its factory defaults !!!
(1) This is a destructive operation that erases all CipherTrust Manager data including but not limited to keys, backups, backup keys, and system logs.
(2) Ensure that you have a valid CipherTrust Manager backup of all the data and backup key.
(3) If embedded HSM is available, it will not be reset as part of this operation.
Re-initialization of embedded HSM is highly recommended after this operation to configure it as the root of trust.
(4) If remote PED was used, it must be re-connected after completion.
(5) This operation may take up to 15 minutes. Make sure you have power backup in place.
(6) Access to the system will be unavailable. DO NOT restart the system during this time.
(7) This operation includes multiple system reboot.
(8) This operation CANNOT be undone.
Do you want to continue?
[y/N]
Adding Connector Licenses After System Reset
System reset changes the Connector Lock Code for the CipherTrust Manager. After system reset, any license files based on that earlier Connector Lock Code cannot be added. You can restore the earlier Connector Lock Code from a backup, or by adding the reset CipherTrust Manager node into a cluster with the earlier Connector Lock Code. Then, these license files can be added. As well, backup restore and cluster replication include previously installed licenses.
