Managing Clients
A client is a computer system where the data needs to be protected. A compatible CTE Agent software is installed on the client. The CTE Agent can protect data on the client or devices connected to it. A client can be associated with multiple GuardPoints for encryption of various paths (refer to Managing GuardPoints for details).
The Clients page of the CipherTrust Manager GUI displays all clients protected by encryption Agents. CipherTrust Manager Administrators can manage clients on this page.
Registering Clients
Note
Before proceeding, make sure that:
• A compatible CTE Agent is installed on the client.
• The client is registered with the CipherTrust Manager.
Refer to the CTE Agent Quick Start Guide specific to your platform for information on installing and configuring CTE Agents.
Note
When CTE clients are restored on the CipherTrust Manager from the backup file of another CipherTrust Manager, you must unenroll the client before proceeding with reregistration.
When CTE clients are registered, they are automatically added to the CipherTrust Manager GUI.
Adding Clients Manually
Optionally, the CipherTrust Manager administrator can manually add a client to the CipherTrust Manager GUI - even before the CTE Agent is installed on it.
To add the client manually:
Log on to the CipherTrust Manager GUI as administrator.
Open the Transparent Encryption application. The Clients page is displayed.
Click Create Client. The Create Client wizard is displayed.
Add General Info
On the General Info tab:
Specify a unique Name for the client.
Set the Password Generation Method. The options are:
Generate: A password is generated automatically by CipherTrust Manager. This is the default method.
Manual: Set the password manually.
Select Manual.
Enter the new password in the Password and Confirm Password fields. The password must match in both fields.
Note
The password must contain a minimum of eight characters, including at least:
• One capital letter
• One number
• One of these special characters: ! @ # $ % ^ & * ( ) { } [ ]
Refer to Changing Client Password for details.
Provide a Description for the client.
Specify the following, as appropriate:
Registration Allowed: Whether to allow the client's registration with the CipherTrust Manager. Select to allow, clear to deny registration. By default, registration is not allowed.
Communication Enabled: Whether to enable the client's communication with the CipherTrust Manager. Select to enable, clear to disable communication. By default, the communication is disabled. This can only be enabled when Registration Allowed is enabled.
Click Next.
Add GuardPoint (Optional)
Optionally, you can create GuardPoints on the manually added client. CTE supports creation of all types of GuardPoints on such clients.
On the Add GuardPoint screen:
Click Create GuardPoint.
Select a Policy. Refer to Policy Type under Creating Policies > Step 1: Specify General Information for details.
Specify the Type of the GuardPoint. Refer to Automatic and Manual GuardPoints for details on types of GuardPoints.
(COS GuardPoints only) Select the Cloud Storage Type.
Specify the Path (or URL for a COS GuardPoint) to be protected. Refer to Managing GuardPoints for details.
Configure Preserve Sparse Region, Secure Start, and/or Auto Mount as appropriate. The options vary based on the selected policy.
Click Create.
The newly created GuardPoint appears in the list.
Confirmation
On the Confirmation screen:
Verify the client details. The Confirmation screen displays general information about the client and details of the GuardPoints added to the client.
If the details are incorrect or you want to modify them, click Back and update the details.
Click Save.
The newly created client appears in the clients list.
Searching Clients
The Clients page on the CipherTrust Manager GUI shows the list of registered clients.
To search for a registered client:
Log on to the CipherTrust Manager GUI as administrator.
Open the Transparent Encryption application. The Clients page is displayed. This page lists the clients added to this CipherTrust Manager appliance.
In the Search box, enter the client name. Search is case-insensitive. You can enter all or part of a client name. A partial client name displays every client with a name that contains the specified string.
Viewing Clients
The Clients page shows the total number of clients, clients with errors, clients with warnings, healthy clients, and unregistered clients. The Status Bar contains the following tabs:
Total Clients: Shows the total number of registered and unregistered clients with all types of health status.
Errors: Shows the number of clients with errors.
Warnings: Shows the number of clients with warnings.
Healthy: Shows the number of healthy clients.
Unregistered: Shows the number of unregistered clients.
Expunged: Shows the number of expunged clients.
Refer to Client States for details.
Click each tab to filter the clients. The clients list displays names of clients in the CipherTrust Manager database and details about their configuration.
To view the clients added to the CipherTrust Manager:
Open the Transparent Encryption application.
Click Clients > Clients. The clients list shows the following details:
Status: Health status of the client:
• Healthy
• Error
• Warning
• Unregistered
• Expunged
Refer to Client States for details.
Client Name: Name link of the client on the CipherTrust Manager.
OS Type: OS running on the client:
• AIX
• LINUX
• WINDOWS
For unregistered or manually added clients, UNKNOWN is displayed.
Details: Versions of the platform and kernel installed on the client, for example, RHEL7.8 - 3.10.0-1127.el7.x86_64. For unregistered or manually added clients, a hyphen (-) is displayed. For Windows clients, the field is empty.
Agent Version: Version of the CTE Agent installed on the client. For unregistered or manually added clients, the field is empty.
Description: Description to identify the client.
Encryption Modes: Encryption mode(s) used to protect GuardPoints on the client, for example, CBC, CBC_CS1, and XTS.
Upgrade On Reboot: When the next upgrade of the CTE Agent is scheduled. None is displayed if the upgrade is not scheduled. For unregistered clients, the field remains blank.
LDT Enabled: Whether LDT is enabled on the client.
Profile: Profile linked to the client.
The Encryption Modes, Upgrade On Reboot, LDT Enabled, and Profile columns are hidden by default. To show/hide a column, click the custom view icon, select/clear the desired column, and click OK.
Client States
Healthy: Client is registered with the CipherTrust Manager without any errors, that is, init is received from the Agent without any issues.
Error: Client's communication with the CipherTrust Manager has been broken for more than five minutes.
Warning: Client's communication with the CipherTrust Manager is broken, or a GuardPoint is inactive for any reason.
Unregistered: Client is unenrolled from the CipherTrust Manager.
Expunged: Client's delete operation is triggered, but its confirmation is not yet received from the Agent.
Unenrolling Clients
A registered CTE client can be unenrolled from the CipherTrust Manager. When the client is unenrolled (unregistered), the communication between the CTE Agent and the CipherTrust Manager is removed. The CTE Agent can no longer communicate with the CipherTrust Manager. However, the CipherTrust Manager still maintains the client configuration to allow re-registration.
Important Notes
A CTE client with Active LDT GuardPoints cannot be unenrolled (unregistered).
After unenrolling, the client's GuardPoints will still be displayed on the CipherTrust Manager. However, their status will be displayed as Unknown.
The status of the client capabilities, for example, LDT and ESG, will not change on the CipherTrust Manager. They will be displayed the same as they were before unenrolling the client.
The associated client under the Client-Management section of the API playground is deleted after unenrolling. If the client is not deleted automatically, you can delete it manually.
The status of the unenrolled client will be displayed as Unregistered on the CipherTrust Manager.
Note
An unenrolled client requires re-registration to enroll with the CipherTrust Manager again.
To unenroll a client from the CipherTrust Manager:
Open the Transparent Encryption application.
Click Clients > Clients.
Under Client Name, click the overflow icon corresponding to the desired client.
Click UnEnroll. A dialog box appears prompting to confirm the action.
An unenrolled client requires re-registration to enroll with the CipherTrust Manager again.
Click UnEnroll.
The selected client is unenrolled from the CipherTrust Manager. Its status on the CipherTrust Manager becomes Unregistered.
Reregistering Clients
An unenrolled client requires re-registration to enroll with the CipherTrust Manager again.
When you reregister a client, you must enable the same set of capabilities that were enabled on the client before reregistration. Also, specify the name of at least one client group (if the client was associated with any groups). Refer to Reregistering CTE Clients for details.
Deleting Clients
A CTE client can be deleted when it is no longer required to be associated with the CipherTrust Manager.
Clients with the Healthy, Unregistered, Warning, and Error states can be deleted from the CipherTrust Manager.
After you initiate the client deletion operation, the operation:
Waits for confirmation from the CTE Agent before deleting anything from the CipherTrust Manager.
Changes the client status to Expunged on the CipherTrust Manager.
After receiving confirmation from the Agent:
Deletes all entries, capabilities, and GuardPoints associated with the client.
Removes the client record from the CipherTrust Manager.
However, in some cases, due to network issues or any other reasons, the CipherTrust Manager does not receive confirmation from the CTE Agent. In such cases, the client configurations cannot be deleted from the CipherTrust Manager and the client remains stuck at the Expunged state. Such clients need to be deleted manually. Refer to Deleting Expunged Clients Manually for details.
Deletes the associated client from the Client-Management section of the API playground.
Before proceeding with client deletion, read and understand the additional information provided on client deletion, Agent uninstallation, clients with System and Agent locks, and deletion indicators in Deleting Clients.
Deleting Individual Clients
To delete a client from the CipherTrust Manager GUI:
Open the Transparent Encryption application.
Click Clients > Clients.
Under Client Name, click the overflow icon corresponding to the client you want to delete.
Click Delete. A dialog box appears prompting to confirm the action.
Click Delete.
The selected client is deleted and its entry is removed from the Clients page after the CipherTrust Manager receives confirmation from the CTE Agent.
Refer to Deleting Expunged Clients Manually for details on deleting Expunged clients.
Deleting Multiple Clients
The CipherTrust Manager provides an option to delete multiple clients. A maximum of 200 clients can be deleted at once.
To delete multiple clients from the CipherTrust Manager GUI:
Open the Transparent Encryption application.
Click Clients > Clients.
Select the desired clients.
To select all clients visible on the page, select the top check box to the left of the Status heading.
Click the delete icon. A dialog box appears prompting to confirm the action.
Click Delete.
The selected clients are deleted and their entries are removed from the Clients page after the CipherTrust Manager receives confirmation from the CTE Agents.
Refer to Deleting Expunged Clients Manually for details on deleting Expunged clients.
Deleting Expunged Clients Manually
If, for any reason, the CipherTrust Manager does not receive the deletion confirmation from the CTE Agent, the client remains stuck in the Expunged state. The client cannot be deleted automatically from the CipherTrust Manager.
To manually delete an Expunged client and its configurations from the CipherTrust Manager, run the /v1/transparent-encryption/clients/{id}/delete API with the force delete option ("force_del_client").
When running the API, set "force_del_client": true. Refer to the API playground documentation for details.
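The following added example (not from the product documentation) builds the force-delete request described above and refuses to do so unless the client is already in the Expunged state. The API root prefix, the POST method, and bearer-token authentication are assumptions not stated on this page; confirm them in the API playground before use.

```python
import json
import urllib.request
from urllib.parse import quote

# Path and option name are quoted from this page; everything else is assumed.
DELETE_PATH = "/v1/transparent-encryption/clients/{id}/delete"


def build_force_delete(api_root, client_id, status, token):
    """Return a urllib Request that force-deletes one Expunged client.

    api_root -- assumed API root, e.g. "https://cm.example.test/api"
    status   -- client state as shown in the Status column
    token    -- assumed bearer token for an administrator session
    """
    # Force delete skips the Agent's confirmation, so restrict it to clients
    # already stuck in Expunged; other states use the normal delete flow.
    if status.strip().lower() != "expunged":
        raise ValueError(f"refusing force delete: client is {status!r}, not Expunged")
    if not api_root.lower().startswith("https://"):
        raise ValueError("refusing to send an admin token over a non-TLS URL")
    if not client_id:
        raise ValueError("client id is empty")
    # Percent-encode the id so it cannot add path segments or a query string.
    path = DELETE_PATH.replace("{id}", quote(client_id, safe=""))
    body = json.dumps({"force_del_client": True}).encode("utf-8")
    return urllib.request.Request(
        api_root.rstrip("/") + path,
        data=body,
        method="POST",  # assumption: the page does not state the HTTP method
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Bearer {token}",  # assumption: bearer-token auth
        },
    )


def send(request, timeout=30):
    """Send the request with certificate verification left on (the default)."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed values for illustration only; nothing is sent here.
    req = build_force_delete("https://cm.example.test/api", "client-01", "Expunged", "TOKEN")
    print(req.get_method(), req.full_url, req.data.decode())
```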