Licensing
Overview
To provide the best customer experience, CipherTrust Manager (available as virtual and physical appliances) has transitioned to the new Entitlement Management System (EMS). The system allows you to activate new features and manage existing licenses for the CipherTrust Manager appliance and Connectors.
Changes in CipherTrust Manager
New Key Manager Lock Code and Connector Lock Code are introduced for server licenses.
The Connector Lock Code is applicable to all nodes of a cluster to enforce Connector licenses across the cluster nodes. Activation is required for every individual NextGen KeySecure appliance by using the Key Manager Lock Code.
To activate the purchased Connector license, you need to activate the license for the Connector Lock Code and add it to any one node of the cluster. The license is replicated to all nodes of the cluster.
CipherTrust Manager Licenses
Physical CipherTrust Manager appliances are licensed out of the box whereas virtual appliances require their own licenses. Apart from this, both physical and virtual CipherTrust Manager appliances follow the same licensing model.
CipherTrust Manager licenses are node locked. Every node in a CipherTrust Manager cluster requires a separate license.
Every clone of a CipherTrust Manager appliance requires a separate license.
Connector Licenses
CipherTrust Manager enforces Connector licenses through self-service License Portal on the Sentinel platform. Registering new clients, adding new cloud enforced entities, running new scans and generating new reports, and enabling KMIP client communications require active Connector licenses on the CipherTrust Manager appliance.
In a CipherTrust Manager cluster, the Connector Lock Code is applicable to all nodes of the cluster to enforce Connector licenses across the cluster nodes. When a Connector license is activated for one CipherTrust Manager appliance, the license is replicated to all nodes of the cluster.
Flex Connector Licenses
CipherTrust Manager simplifies Connector licensing by offering flexible (Flex) purchase options. A Connector license can be redeemed to purchase another Connector license of the same type. You can adjust or restructure licenses later according to your requirements. Moreover, new licensed features can be turned on by existing Flex Connectors.
Note
Flex licenses are available for the CipherTrust platform only. They are not supported for NextGen KeySecure and KeySecure Classic.
The following table lists the supported Flex licenses.
Flex Connector - Basic | Flex Connector - Advanced | Flex Connector - Premium | Flex Utilities | Flex Ability |
---|---|---|---|---|
CTE | CADP | CTE SAP | LDT | KMIP |
CTE UserSpace | CT-VL (VTS) | CTE Teradata | Efficient Storage | - |
CAKM for Oracle TDE (VKM/SafeNet TDE) | CT-V (TM) | CDP (PDB) | - | - |
CAKM for MS SQL Server EKM (VKM/SafeNet EKM) | DPG | CDP for Teradata (VTPD) | - | - |
CAKM for LUKS | - | BDT | - | - |
How Do Flex Connectors Work?
Suppose you want to buy 10 CTE Agents, with 10 LDT add-on licenses, 5 KMIP, 20 CAKM, and 12 CADP (ProtectApp) licenses. The following table lists the licenses you need:
Flex Connector Type | Quantity |
---|---|
Flex Connector - Basic | 30 (covers CTE and CAKM) |
Flex Connector - Advanced | 12 (covers CADP) |
Flex Utilities | 10 (covers LDT) |
Flex Ability | 5 (covers KMIP) |
You can redeem 10 CTE product licenses and 20 CAKM product licenses with the Flex Connector - Basic. Later, you can trade in 10 CAKM licenses for 10 CTE licenses. Similarly, you can trade 10 CTE licenses for 10 CAKM licenses.
Licensing Pages on GUI
On the CipherTrust Manager GUI, the Admin Settings > Licensing page shows the Installed licenses (features). The following image illustrates the CipherTrust Manager v2.0 GUI.
To view the CCKM Cloud Unit Usage, expand the CCKM feature. The usage is shown under Total Cloud Units and Used Cloud Units, as shown below.
To view the Client Usage of a connector, expand the feature. For example, the usage of CTE-TransparentEncryption is shown under Total Clients and Used Clients, as shown below.
For unlimited licenses (during the trial period), the total count shows a high number. When a license is activated and uploaded to the CipherTrust Manager, total count reflects the number of purchased and activated licenses. The used count indicates the number of active licenses used for currently registered clients/cloud units on the CipherTrust Manager appliance.
License Banners
30 days before a license expires, an orange banner appears on the CipherTrust Manager GUI, as a system message on every page to inform the administrator of the license status.
A red banner is displayed, when one or more licenses are expired. When an administrator navigates through the GUI, the red banner appears as a system message at the top of every page.
License Enforcement for CCKM
Expected behavior with CCKM licenses is explained in this section.
CipherTrust Manager appliance has activated Connector licenses: When CCKM licenses are activated and uploaded to a CipherTrust Manager, you can add clouds to the license capacity. This number cannot exceed the license count. Here is the list of clouds and related entities where the CCKM cloud licenses are enforced.
Cloud Enforced On AWS AWS Accounts Azure Azure Subscriptions Google Google Projects SFDC SFDC Organizations SAP SAP Applications Note
Google Workspace CSE consumes one CCKM license (cloud unit) per endpoint.
Note
The CipherTrust Manager acts as a Luna HSM client for root of trust (RoT) and CCKM Embedded (with Luna HSM as a key source). Separate client licenses for Luna HSMs are not required on the CipherTrust Manager. However, you need to apply usual partition licenses on the Luna HSM side.
Reaching license capacity: Additional accounts cannot be added because the license count has been exhausted. In this case, (for example, for AWS), users can delete currently configured AWS accounts or buy additional licenses to add more accounts.
License expires: The CipherTrust Manager GUI displays a red banner to inform the administrator of expired licenses. At this time, no new cloud license enforced entities can be added. However, users can still manage currently added accounts for 90 days from license expiry. After 90 days, the CCKM configurations on the CipherTrust Manager become read-only.
License Enforcement for DDC
Expected behavior with DDC licenses is explained in this section.
CipherTrust Manager virtual appliance has trial license activated: DDC is deployed with a trial license already installed and activated "out of the box". This allows you to enjoy a fully-functional product for 90 days and up to the 1 TB of data allowance.
Data allowance is used up: You can continue scanning but cannot generate reports. However, the data from scans is stored so after you install a new license, you can access the data and generate reports.
License expires: The DDC configuration on CipherTrust Manager becomes read-only. While you still have access to your old reports, you cannot generate new reports, add new targets, or create new scans. The data collected so far is not deleted, so you can access it when you install a new license.
License Enforcement for KMIP
License enforcement on KMIP client communication is explained in this section.
CipherTrust Manager appliance has activated KMIP license: Valid KMIP license will enable the KMIP feature on the CipherTrust Manager. Registered KMIP clients can communicate with the CipherTrust Manager.
Reaching license capacity: The number of KMIP client registrations can't exceed the number of KMIP licenses. If you exceed this limit, a warning appears indicating that the CipherTrust Manager is running in non-compliance mode.
License expires: A red banner appears on the CipherTrust Manager GUI to inform the administrator of expired licenses. KMIP feature (from API) will show as expired. Also, a warning indicates that the CipherTrust Manager is running in non-compliance mode.
License Enforcement for Other Connectors
Expected behavior with CTE, CTE LDT, CTE UserSpace, ProtectFile, and ProtectV Connector licenses is explained in this section.
CipherTrust Manager appliance has activated Connector licenses: When Connector licenses are activated and uploaded to a CipherTrust Manager, you can register clients to the license capacity. The number of clients that you can register cannot exceed the Connector license count.
Reaching license capacity: If you attempt to register additional clients, registration fails because the license count has been exhausted. In this case, users can delete currently configured clients or buy additional licenses to register new clients.
License expires: The CipherTrust Manager GUI displays a red banner to inform the administrator of expired licenses. At this time, no new client registration is allowed. However, the users can still manage currently registered clients for 90 days from the license expiry. After 90 days, changes on currently registered clients are restricted and only decryption of data is allowed.
Note
CipherTrust Intelligent Protection (CIP) is not a licensed product. However, you need the following licenses to use it:
• CipherTrust Manager: Refer to Virtual CipherTrust Manager Licensing Model for details.
• CipherTrust Data Discovery and Classification: Refer to DDC Licensing Model for details.
• CipherTrust Transparent Encryption: Refer to CTE Licensing Model for details.
License Enforcement Summary
Platform | License Type | License Enforcement | License Count Enforcement | Grace Period (90 Days) |
---|---|---|---|---|
NextGen KeySecure 1.10 | - | - | - | - |
- | DDC | Yes | Yes | Yes (DDC configuration becomes read only) |
- | KMIP | Yes | No | N/A |
- | ProtectFile | Yes | Yes | Yes |
- | ProtectV | Yes | Yes | Yes |
- | ProtectApp | No | No | N/A |
CipherTrust Manager 2.7 | - | - | - | - |
- | DDC | Yes | Yes | Yes (DDC configuration becomes read only) |
- | KMIP | Yes | Yes (Continues working in non-compliance mode) | N/A (Continues working in non-compliance mode) |
- | ProtectFile | Yes | Yes | Yes |
- | ProtectV | Yes | Yes | Yes |
- | ProtectApp | No | No | N/A |
- | TDE | No | No | N/A |
- | ProtectDB | No | No | N/A |
- | Tokenization | No | No | No |
- | CTE | Yes | Yes | Yes |
- | CTE LDT | Yes | Yes | Yes |
- | CTE UserSpace | Yes | Yes | Yes |
- | CTE Teradata | Yes (uses base CTE) | Yes (uses base CTE) | Yes (uses base CTE) |
- | CTE SAP HANA | Yes (uses base CTE) | Yes (uses base CTE) | Yes (uses base CTE) |
- | CCKM | Yes | Yes | Yes |