Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Install Virtual CipherTrust Manager

Amazon Web Services Deployment

search

Please Note:

Amazon Web Services Deployment

You can deploy a CipherTrust Manager image within Amazon Web Services (AWS).

Minimum Requirements

To deploy a CipherTrust Manager instance, the following minimum requirements apply:

  • System volume: 50 GB for evaluation, 100 GB for production

  • Memory: 16 GB

  • vCPUs: 2

  • NICs: 1

Note

These minimum system requirements are for a system with light to moderate load. For applications that heavily load the system, additional memory and CPU allocation are required. The system volume holds all data as well as backups.

Provisioning the AMI

AWS region-specific, and confidential Virtual CipherTrust Manager images (AMI) are obtained by provisioning. Provisioning places a CipherTrust Manager AMI in your target AWS account in the target region(s).

Use the SafeNet Cloud Provisioning System, to customize a CipherTrust Manager AMI for a specific region.

Note

Only authorized Customer Support Portal users can make provisioning requests.

  1. Login to the Thales Customer Support Portal.

  2. Navigate to the My Provisioning Requests page, through the Tools > Provisioning Requests menu.

  3. Click Create Provisioning Request.

  4. Select CipherTrust Manager from the Product Name dropdown.

  5. Select the desired Product Version from the dropdown.

    Note

    We recommend deploying the most recent version for the latest security fixes and most current features.

  6. Select the desired AWS Region from the dropdown.

  7. Provide your AWS Account Number.

  8. (Optional) If desired, type in the names of Additional Regions in the text field, to deploy AMIs in more than one region.

  9. (Optional) If desired, adjust the Priority. The default priority is 3-Medium.

  10. Click Submit.

    A Thales client services engineer will receive and work on the request.

    When your provisioning request is completed, you will an email notification with the subject line Cloud Provisioning Request Complete. Alternatively, you can periodically check the provisioning request status directly on the My Provisioning Requests page.

  11. Retrieve the AMI ID from the completed provisioning request.

    1. Navigate to the My Provisioning Requests page, through the Tools > Provisioning Requests menu.

    2. Click on the name of the completed provisioning request. The Status column indicates requests that are completed.

  12. Proceed to deploy the Virtual CipherTrust Manager image.

Deploying in AWS

This section provides the steps for deploying a Virtual CipherTrust Manager instance in AWS.

Prerequisites

  • A provisioned Virtual CipherTrust Manager AMI.

  • If using a Windows client use PuTTY or similar utility to SSH to your CipherTrust Manager instance as KeySecure Administrator (ksadmin).

    If needed, use PuTTYgen or similar utility to format the SSH Key Pair. We support OpenSSH format and RSA key algortihm for the public key, and OpenSSH, PKCS1, or PKCS8 format for the private key. We recommend RSA 4096, with RSA 2048 as a minimum size for adequate security.

  • If using a Linux client use SSH to login as KeySecure Administrator (ksadmin).

To launch a CipherTrust Manager instance in AWS

  1. Sign in to your AWS account at the AWS portal at: https://aws.amazon.com

  2. In the Compute group, select EC2 service.

  3. On the AWS top bar and to the right, make sure you select the AWS Region you provisioned for your AMI.

    AWS Region

  4. In the left pane, under the Images, select AMIs and search for the provisioned AMI (e.g. ami-1f6b5b60).

    Launch AMI

  5. Select your image and then click on Launch.

  6. In the Choose an Instance Type screen, choose a size that meets the minimum requirements and then select Next: Configure Instance Details.

  7. In the Configure Instance Details screen,

    1. Create a new Network and Subnet or select one that you have already created.

    2. At the bottom of the screen there is a section Advanced Details.

      Any information that you need configured before the first boot must be entered here in the user data area. See Plan Configuration Settings for Cloud Init.

    3. Select Next: Add Storage.

  8. In the Add Storage screen, select the desired Size (GiB).

    • Enter 100 GiB if this is for Production.

    • Enter 30 GiB if this is for lab use.

    Select Next: Add Tags.

  9. In the Add Tags screen, select Add Tag

    1. Enter Tag: Name

    2. Value: Something meaningful to the operator; for example "CipherTrust Manager for lab use"

    3. Select Next: Configure Security Group.

  10. In the Configure Security Group screen:

    1. Create a new security group or re-use a previously created group.

    2. Refer to Network Security Groups. Consider adding all of the recommended rules.

      Note

      To launch the CipherTrust Manager, you need at a minimum Port 22 inbound/outbound for ksadmin's SSH connection and Port 443 for an HTTPS connection to the GUI.

    3. Select the Review and Launch screen.

  11. In the Review Instance Launch screen:

    1. Review your launch configuration settings.

    2. Make any changes by selecting the Edit ... at the right of each section.

    3. After your review, select Launch.

      You are presented with this dialog box to select a key pair.

      Key Pair Screen

    4. Select which Key Pair option to use. We support OpenSSH for the public key format, and OpenSSH, PKCS1 or PKCS8 for the corresponding private key format. Valid options are:

      • Choose an existing key pair from the drop-down list. If your key pair is not on this list, you can import it here:

        Services > EC2 > Network and Security > Key Pairs

      • Create a new key pair. (This option allows you to download your own key pair.)

    5. After selecting the Key Pair, check off the acknowledge statement at the bottom of the dialog box, confirming that you have access to the selected private key file.

      Warning

      It is important that you have access to the key pair you select, otherwise you will not have permissions to perform administrator operations like performing upgrades, advanced logging or an appliance reset.

  12. Select Launch Instances.

    The Launch Status screen appears. You can review the launch process on this screen.

    Note

    It can take a several minutes for your instance to launch.

  13. Select View Instances to view the state of your instance as it is being launched. You may need to search for the name of your instance in the Instances table if it is among many others.

    At this point, if you wish to connect as System Administrator (ksadmin) to perform system level duties, duties such as performing network configurations, system upgrades, continue with the next step.

    Note

    Refer to Groups for a more detailed list of ksadmin duties.

    Otherwise, browse to step 18 to connect to the CipherTrust Manager Web Page.

  14. Select your instance in the table and then select Connect.

    Connect to Instance

    The Connect To Your Instance dialog box appears:

    Connect to your instance

  15. Copy the instance Public DNS string, for example: ec2-54-89-148-184.compute-1.amazonaws.com

  16. If using PuTTY, begin a new session.

    1. Paste the Public DNS in the Host Name (or IP address) field and preface this string with "ksadmin@".

    2. Set the Connection Type to SSH.

      Putty Configuration

  17. In the Category pane:

    1. Select Connection > SSH > Auth.

    2. Select Browse and navigate to the folder with your Private Key.

    3. Select your Public Key file name. The file name and path is automatically places in the Private key file for authentication field.

    Private key Putty config

    1. Select Open. The following ksadmin screen appears:

      KS Admin Screen

      Note

      If you are unable to connect to your instance using PuTTY, go to: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html for further assistance.

  18. Connect to the CipherTrust Manager Web Page.

    1. Copy the IPv4 Public IP or IPv6 IP address shown in the Instances > Description tab of your AWS instance.

      Instance IP

    2. Browse to HTTPS://. The Log In screen appears.

      AWS Login

  19. Log in using the initial default credentials: Username = admin, Password = admin

    The following notice is displayed:

    Password change

    Note

    If the default credentials do not work, you may need to retrieve an autogenerated password, as described in Changing the Initial Password.

  20. Enter a new password using this default Password Policy:

    Min length: 8
Max length: 30
Min number of upper cases: 1
Min number of lower cases: 1
Min number of digits: 1
Min number of other characters: 1

    A new Login screen appears.

  21. Using your new password, log in again. The CipherTrust Manager Web Page appears.

    Home Screen

Congratulations! You have successfully deployed your Virtual CipherTrust Manager instance.

Virtual CipherTrust Manager includes a 90 day trial license. To activate your instance with a term or perpetual license, see Licensing.

Enhanced Networking

The CipherTrust Manager AMI ships with Elastic Network Adapter (ENA) enabled. ENA provides high-performance networking on supported EC2 instance types. For more information visit https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enhanced-networking.html.

On this page