Private Cloud Deployment
You can deploy a CipherTrust Manager instance in a private cloud. Support is currently provided for VMware vSphere, Microsoft Hyper-V, Nutanix AHV, and OpenStack.
As part of private cloud deployment, you make decisions on disk encryption, setting a static IP, and disabling IPv6. For each of these options, you can apply them before launch, after launch, or not at all. In addition, you can use nmcli after first launch to set static routes, bond network interfaces, disable IPv6, or configure VLAN, if needed for your network.
The following flowchart demonstrates the decisions you make during virtual private cloud deployment.
Minimum Requirements
To deploy a CipherTrust Manager instance, the following minimum requirements apply:
System volume: 50 GB for evaluation, 100 GB for production
Memory: 16 GB
vCPUs: 2
NICs: 1
Note
These minimum system requirements are for a system with light to moderate load. For applications that heavily load the system, additional memory and CPU allocation are required. The system volume holds all data as well as backups.
Deploying on VMware vSphere
This section guides you through the steps needed to deploy a Virtual CipherTrust Manager on VMware vSphere.
Refer to the VMware vSphere documentation for general information on launching a VM.
Prerequisite
- OVA file: If your vSphere Client does not support deployment of OVA files directly, see Decompressing an OVA file.
To launch the Virtual CipherTrust Manager
Virtual CipherTrust Manager supports VMware vSphere/ESXi v5.1 and higher versions. To launch Virtual CipherTrust on vSphere/ESXi v5.0 or lower versions, you need to change the virtual machine’s hardware version from vmx-09 to vmx-08 or vmx-07. Use the VMware OVF Tool to make this change.
In vSphere Client, select Deploy OVF Template....
Note
You will need sufficient privileges to access this selection.
In the Deploy OVF Template dialog box, enter the location of the OVA file in the Source field and launch the VM. After successful launch, the Virtual CipherTrust Manager appears under the inventory folder in the left pane.
In the left pane, select the newly launched Virtual CipherTrust Manager.
In the middle pane, select the Summary tab and click on the Web console.
The window opens in your browser. IP information is displayed along with the ciphertrust login: prompt.
If an IP address is not displayed, you likely do not have DHCP configured and did not supply a Cloud-init configuration, so there is no IP address at which to reach the CipherTrust Manager GUI. In this case:
At the ciphertrust login: prompt, enter "ksadmin" to log in and follow the prompts to create a secure password.
Use the nmcli utility to configure a static IP address. nmcli can also be used to set static routes, bond network interfaces, disable IPv6, or configure VLAN, if needed for your network.
Access the GUI by browsing to the Virtual CipherTrust Manager's IP address in a web browser.
The initial CipherTrust Manager Web Page screen is displayed:
The Error displayed is normal and simply requires the default SSH Public Key to be replaced. As the initial KeySecure admin (ksadmin) you must paste in your SSH Public Key in the box provided and then select Add.
Note
We support OpenSSH format for the public key, and OpenSSH, PKCS1, or PKCS8 format for the private key. The supported key algorithm is RSA. We recommend RSA 4096, with RSA 2048 as a minimum size for adequate security. You can generate this key using 'PuTTYgen' or similar utility. Save this SSH Public Key at a safe location. You will need this key for future SSH access.
After replacing the default SSH Public Key, the Log In screen appears. For more options to replace the default SSH Public Key, see Starting Services After Deployment.
Log in using the initial default credentials: Username = admin, Password = admin
The following notice is displayed:
Note
If the default credentials do not work, you may need to retrieve an autogenerated password, as described in Changing the Initial Password.
Enter a new password using this default Password Policy:
Min length: 8
Max length: 30
Min number of upper cases: 1
Min number of lower cases: 1
Min number of digits: 1
Min number of other characters: 1
A new Login screen appears.
Using your new password, log in again. The CipherTrust Manager Web Page appears.
At this point, it's strongly recommended to configure an NTP server.
Navigate to Admin Settings > NTP.
Enter in an NTP Server hostname.
For an authenticated NTP Server, enter in a symmetric key value in the NTP Key field.
Click the +Add NTP Server button.
See Network Time Protocol Server Configuration for more details.
Congratulations! You have successfully deployed your Virtual CipherTrust Manager.
If you did not apply disk encryption with cloud-init, it is available after first launch with ksctl. Because installation specific secrets are generated the first time a Virtual CipherTrust Manager instance is launched, it is recommended that the instance be encrypted at launch time to ensure these secrets are never exposed.
Note
Virtual CipherTrust Manager launches in Community Edition, with some restrictions on functionality. You can activate a 90 day trial evaluation for full functionality. To activate your instance with a trial evaluation, or a term or perpetual license, see Licensing.
Decompressing an OVA File
The Virtual CipherTrust Manager package includes an Open Virtual Appliance (OVA) file for launching Virtual CipherTrust Manager on VMware vSphere. Some versions of the vSphere Client do not support deployment of OVA files directly. In this case it is recommended to extract the .ovf, .vmdk, and .mf files using the VMware OVF Tool. You can then launch Virtual CipherTrust Managers using these files.
Example: To decompress the .ovf file, execute this operation:
ovftool.exe --lax <source_OVA_file> <destination_OVF_file>
<source_OVA_file>: represents the OVA file included in the Virtual CipherTrust Manager package.
<destination_OVF_file>: represents a name for the OVF file.
Using Cloud-init with VMware vSphere
Virtual CipherTrust Manager uses Cloud-init to inject configuration information prior to first boot. Cloud-init is a standard configuration mechanism that is supported in vSphere.
Below is an example of setting a static IP address using Cloud-init and vSphere.
To setup a static IP address using Cloud-init
Create your Cloud-init configuration file. This is a text file containing the specific configuration you want to use. Refer to "Plan Configuration Settings for Deployment with Cloud Init" for other available configuration parameters. Here is a simple configuration file for a static IP:
#cloud-config
keysecure:
  netcfg:
    iface:
      name: ens32
      type: static
      address: 10.121.107.103
      netmask: 255.255.252.0
      gateway: 10.121.104.1
      dns1: 172.16.2.12
The configuration parameters that save deployment steps after first launch are disk encryption, static IP, and disabling IPv6. Because installation specific secrets are generated the first time a Virtual CipherTrust Manager instance is launched, it is recommended that the instance be encrypted at launch time to ensure these secrets are never exposed.
VMware requires this file to be converted to base64. To convert to base64, use the openssl command:
openssl base64 -in <infile> -out <outfile>
The above file converted to base64 is below:
I2Nsb3VkLWNvbmZpZw0Ka2V5c2VjdXJlOg0KICBuZXRjZmc6DQogICAgaWZhY2U6DQogICAgICBuYW1lOiBldGgwDQogICAgICB0eXBlOiBzdGF0aWMNCiAgICAgIGFkZHJlc3M6IDEwLjEyMS4xMDcuMTAzDQogICAgICBuZXRtYXNrOiAyNTUuMjU1LjI1Mi4wDQogICAgICBnYXRld2F5OiAxMC4xMjEuMTA0LjENCiAgICAgIGRuczE6IDE3Mi4xNi4yLjEy
Create a Virtual CipherTrust Manager in VMware, but do not boot it.
Configure the VM with the following:
Note
The vSphere web client should be used since some configuration parameters are not available with the Windows client.
Add an empty CD/DVD drive to the VM, no configuration of it is necessary.
Under vApp Options > OVF Settings > OVF Environment Transport, select ISO Image.
Under vApp Options > Properties create a property with the Key "user-data", and a default value of the base64 encoded file.
Boot up your system.
Note
Due to a bug, some versions of Virtual CipherTrust Manager may not apply the static IP on the initial boot. After a reboot, the IP address will be applied correctly.
If you did not apply disk encryption with cloud-init, it is available after first launch with ksctl. Because installation specific secrets are generated the first time a Virtual CipherTrust Manager instance is launched, it is recommended that the instance be encrypted at launch time to ensure these secrets are never exposed.
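To make the file-and-encode steps above checkable before the VM boots, here is an added Python example; it is not code from the CipherTrust Manager documentation or product. It renders the static-IP #cloud-config shown in step 1 (keysecure > netcfg > iface layout, with the page's sample address values), base64-encodes it as the user-data vApp property requires, and decodes any property value back into its iface fields so you can compare it with what you intended. The decoder accepts line-wrapped openssl output as well as a single line. Decoding the page's own sample base64 string, for instance, yields the interface name eth0 rather than the ens32 in the text file, which is exactly the kind of mismatch this check surfaces before first boot.

```python
"""Prepare and verify the vSphere user-data property for a static-IP
Virtual CipherTrust Manager deployment.

Added example, not code from the CipherTrust Manager documentation or product.
Assumes only the #cloud-config layout shown in the page's sample
(keysecure -> netcfg -> iface). Nothing here talks to vSphere."""
import base64

# Sample interface settings, taken from the page's static-IP example file.
STATIC_IP_CFG = {
    "name": "ens32",
    "type": "static",
    "address": "10.121.107.103",
    "netmask": "255.255.252.0",
    "gateway": "10.121.104.1",
    "dns1": "172.16.2.12",
}

# The base64 string printed on the page under "The above file converted to base64".
PAGE_SAMPLE_B64 = (
    "I2Nsb3VkLWNvbmZpZw0Ka2V5c2VjdXJlOg0KICBuZXRjZmc6DQogICAgaWZhY2U6DQog"
    "ICAgICBuYW1lOiBldGgwDQogICAgICB0eXBlOiBzdGF0aWMNCiAg"
    "ICAgIGFkZHJlc3M6IDEwLjEyMS4xMDcuMTAzDQog"
    "ICAgICBuZXRtYXNrOiAyNTUuMjU1LjI1Mi4wDQog"
    "ICAgICBnYXRld2F5OiAxMC4xMjEuMTA0LjENCiAg"
    "ICAgIGRuczE6IDE3Mi4xNi4yLjEy"
)

IFACE_KEYS = ("name", "type", "address", "netmask", "gateway", "dns1")


def render_user_data(iface_cfg):
    """Render the #cloud-config text in the keysecure/netcfg/iface layout."""
    lines = ["#cloud-config", "keysecure:", "  netcfg:", "    iface:"]
    for key in IFACE_KEYS:
        lines.append(f"      {key}: {iface_cfg[key]}")
    return "\n".join(lines) + "\n"


def encode_user_data(text):
    """Single-line base64, the form pasted into the vApp 'user-data' property.
    openssl base64 wraps its output at 64 columns; both forms decode identically."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def decode_user_data(b64):
    """Decode a user-data property value and parse the iface block into a dict.
    Tolerates line-wrapped input, missing '=' padding and CRLF line endings."""
    compact = "".join(b64.split())
    compact += "=" * (-len(compact) % 4)
    text = base64.b64decode(compact).decode("utf-8")
    lines = text.splitlines()
    if not lines or lines[0].strip() != "#cloud-config":
        raise ValueError("payload does not start with the #cloud-config marker")
    iface = {}
    iface_indent = None
    for line in lines[1:]:
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        if iface_indent is None:
            if stripped == "iface:":
                iface_indent = indent
            continue
        if indent <= iface_indent:
            break  # left the iface block
        key, sep, value = stripped.partition(":")
        if sep:
            iface[key.strip()] = value.strip()
    return iface


def user_data_matches(b64, expected_cfg):
    """True when the encoded property carries exactly the intended iface settings."""
    return decode_user_data(b64) == expected_cfg


if __name__ == "__main__":
    encoded = encode_user_data(render_user_data(STATIC_IP_CFG))
    print(encoded)
    print("round trip ok:", user_data_matches(encoded, STATIC_IP_CFG))
    print("page sample iface:", decode_user_data(PAGE_SAMPLE_B64))
```

Run the decode against the value you actually pasted into the vApp property, not against the text file: the property is what cloud-init reads on first boot.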
Deploying in Hyper-V
The CipherTrust Manager Private Cloud Image supports Microsoft Hyper-V in the form of a Virtual Hard Disk (VHDX) image. This image has been tested as a Generation 1 Hyper-V virtual machine.
Refer to the Microsoft Hyper-V Manager documentation for general information on launching a VM using an existing disk on Hyper-V.
This section guides you through the steps needed to deploy a Virtual CipherTrust Manager on Microsoft Hyper-V.
Prerequisites
- Virtual CipherTrust Manager Virtual Hard Disk (VHDX) image.
To decompress the zipped image file you received from Thales Sales
Locate the image file you received from Thales sales; e.g. k170v-1.x.x.xxxx.vhdx.zip.
Decompress this file by right-clicking on the file and selecting Extract All....
This is a large file and will take some time. A single decompressed file will result, which is a Hard Disk Image File; e.g. k170v-1.x.x.xxxx.vhdx.
Note the location of this file as you will need it below when creating the virtual machine.
Launch the Hyper-V Manager on your Windows System
If needed, install Hyper-V on your Windows system.
For example, for Windows 10, refer to: Install Hyper-V on Windows 10
Open Hyper-V Manager on your Windows system.
Create a Virtual CipherTrust Manager instance
In the Hyper-V Manager UI, select Action > New > Virtual Machine.
The 'New Virtual Machine Wizard' begins with the 'Before You Begin' screen.
Here you have the choice to either 'create a virtual machine with default values' and then modify them later, or you can 'create a virtual machine with custom configuration'. This procedure uses the option to 'create a virtual machine with custom configuration'. Select Next.
In the 'Select Name and Location' screen,
Enter a descriptive name of the virtual machine you are creating.
Enter the folder path of where the virtual machine will reside, or use the specified default folder path.
Select Next.
In the 'Specify Generation' screen, select Generation 1 and then select Next.
In the 'Assign Memory' screen, select the desired amount of memory for your new virtual machine. Note the Private Cloud minimum requirement for this setting in Minimum Requirements.
Enter the value.
If you wish to 'use Dynamic Memory' for this virtual machine, leave the box checked (default).
Select Next.
In the 'Configure Networking' screen drop down box, choose Default Switch and then select Next.
In the 'Connect Virtual Hard Disk' screen,
Select the button for Use an existing virtual hard disk,
Enter the location of the 'vhdx' file you decompressed earlier, e.g. c:/k170v-1.x.x.xxxx.vhdx
Select Next.
In the 'Completing the New Virtual Machine Wizard' screen,
Review the Summary description of the virtual machine you are about to create.
To make a change, select 'Previous' to go back to change setting(s).
When ready, select Finish.
Your new virtual machine is created within a few seconds.
Connect to your new virtual machine
In the Hyper-V Manager, right-click on the new virtual machine and select Connect to connect to the new Virtual CipherTrust Manager instance.
The initial screen shows that the VM is turned off.
Click on Start.
Access the Console Window of your newly created virtual machine.
The window opens in your browser. IP information is displayed along with the ciphertrust login: prompt.
If an IP address is not displayed, you likely do not have DHCP configured and did not supply a Cloud-init configuration, so there is no IP address at which to reach the CipherTrust Manager GUI. In this case:
At the ciphertrust login: prompt, enter "ksadmin" to log in and follow the prompts to create a secure password.
Use the nmcli utility to configure a static IP address. nmcli can also be used to set static routes, bond network interfaces, disable IPv6, or configure VLAN, if needed for your network.
Access the GUI by browsing to the Virtual CipherTrust Manager's IP address in a web browser.
The initial CipherTrust Manager Web Page screen is displayed:
The Error displayed is normal and simply requires the default SSH Public Key to be replaced. As the initial KeySecure admin (ksadmin) you must paste in your SSH Public Key in the box provided and then select Add.
Note
We support OpenSSH format for the public key, and OpenSSH, PKCS1, or PKCS8 format for the private key. RSA is the supported key algorithm. We recommend RSA 4096, with RSA 2048 as a minimum size for adequate security. You can generate this key pair using 'PuTTYgen' or similar utility. Save the SSH public and private keys. The SSH Private key, used to access the System Administrative account "ksadmin", is extremely sensitive and should be kept in a secure environment.
After replacing the default SSH Public Key, the Log In screen appears. For more options to replace the default SSH Public Key, see Starting Services After Deployment.
Log in using the initial default credentials: Username = admin, Password = admin
The following notice is displayed:
Note
If the default credentials do not work, you may need to retrieve an autogenerated password, as described in Changing the Initial Password.
Enter a new password using this default Password Policy:
Min length: 8
Max length: 30
Min number of upper cases: 1
Min number of lower cases: 1
Min number of digits: 1
Min number of other characters: 1
A new Login screen appears.
Using your new password, log in again. The CipherTrust Manager Web Page appears.
Congratulations! You have successfully deployed your CipherTrust Manager virtual machine.
At this point, it's strongly recommended to configure an NTP server.
Navigate to Admin Settings > NTP.
Enter in an NTP Server hostname.
For an authenticated NTP Server, enter in a symmetric key value in the NTP Key field.
Click the +Add NTP Server button.
See Network Time Protocol Server Configuration for more details.
If you did not apply disk encryption with cloud-init, it is available after first launch with ksctl. Because installation specific secrets are generated the first time a Virtual CipherTrust Manager instance is launched, it is recommended that the instance be encrypted at launch time to ensure these secrets are never exposed.
Note
Virtual CipherTrust Manager launches in Community Edition, with some restrictions on functionality. You can activate a 90 day trial evaluation for full functionality. To activate your instance with a trial evaluation, or a term or perpetual license, see Licensing.
Using Cloud-init with Hyper-V
The Virtual CipherTrust Manager uses cloud-init to inject configuration information prior to first boot. Cloud-init is a standard configuration mechanism that is supported in Hyper-V. Cloud-init is supported as an ISO image for Hyper-V, mounted as media to use with the virtual CD/DVD drive. The ISO image must have two text files named user-data and meta-data.
The configuration parameters that save deployment steps after first launch are disk encryption, static IP, and disabling IPv6. Because installation specific secrets are generated the first time a Virtual CipherTrust Manager instance is launched, it is recommended that the instance be encrypted at launch time to ensure these secrets are never exposed.
Below is an example of setting up disk encryption and the user's ssh key using cloud-init and Hyper-V.
Example: To setup disk encryption and the user's SSH key
Prepare the user-data file. This is a text file containing the specific configuration you want to use. Refer to "Plan Configuration Settings for Deployment with Cloud Init" for other available configuration parameters. Here is a simple user-data configuration file for setting up disk encryption and the user's SSH key.
#cloud-config
diskenc:
  encrypt: true
ssh_authorized_keys:
  - <replace with your OpenSSH format ssh public key>
Note
You must provide the SSH key in OpenSSH format. The corresponding private key can be OpenSSH, PKCS1, or PKCS8 format. RSA is the supported key algorithm. We recommend RSA 4096, with RSA 2048 as a minimum size for adequate security.
Create the meta-data file. This is a text file containing user provided instance parameters, for example:
instance-id: <some instance id>
local-hostname: <host name for the instance>
Create the ISO image file:
Make sure genisoimage utility is installed.
Create the ISO file:
genisoimage -o config.iso -volid cidata -joliet -rock user-data meta-data
Create a Virtual CipherTrust Manager in Hyper-V, but do not boot it.
In Hyper-V manager:
Right click on the instance and go to "Settings...".
Under IDE Controller 1 > DVD Drive > Specify the media to use with your virtual CD/DVD drive, select Image File
Browse to the config.iso file generated in step 3 above.
Select OK.
Boot up your Virtual CipherTrust Manager.
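Because the key placed in ssh_authorized_keys in step 1 is what grants ksadmin access from first boot, it is worth confirming that it meets the stated rules (OpenSSH format, RSA, at least 2048 bits, 4096 recommended) before the ISO is built. The following Python is an added example, not code from the CipherTrust Manager documentation or product: it parses the OpenSSH one-line format and the ssh-rsa wire blob (RFC 4253) with the standard library only, and renders the step 1 user-data only when the key passes. The sample keys it builds are synthetic moduli chosen for bit length alone, not real RSA keys.

```python
"""Validate the SSH public key destined for ssh_authorized_keys in the
Hyper-V cloud-init user-data, then assemble that user-data.

Added example, not code from the CipherTrust Manager documentation or
product. Parses the OpenSSH one-line format and the ssh-rsa wire blob
(RFC 4253) and applies the page's rules: RSA, >= 2048 bits, 4096 advised."""
import base64
import struct

MINIMUM_BITS = 2048
RECOMMENDED_BITS = 4096


def _read_string(blob, offset):
    """Read one SSH 'string': uint32 big-endian length, then that many bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("field runs past the end of the key blob")
    return blob[start:end], end


def check_openssh_rsa_pubkey(line, min_bits=MINIMUM_BITS):
    """Return (ok, detail) for one OpenSSH public-key line."""
    parts = line.strip().split()
    if len(parts) < 2:
        return False, "expected '<key-type> <base64-blob> [comment]'"
    key_type, b64 = parts[0], parts[1]
    if key_type != "ssh-rsa":
        return False, f"key type {key_type!r} is not supported; RSA is required"
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return False, "key blob is not valid base64"
    try:
        wire_type, off = _read_string(blob, 0)
        _exponent, off = _read_string(blob, off)
        modulus, off = _read_string(blob, off)
    except (struct.error, ValueError):
        return False, "key blob is truncated or malformed"
    if wire_type != b"ssh-rsa" or off != len(blob):
        return False, "blob contents do not match an ssh-rsa key"
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits < min_bits:
        return False, f"{bits}-bit RSA modulus is below the {min_bits}-bit minimum"
    note = "" if bits >= RECOMMENDED_BITS else f" (below the recommended {RECOMMENDED_BITS})"
    return True, f"ssh-rsa with a {bits}-bit modulus{note}"


def render_hyperv_user_data(pubkey_line):
    """Build the step 1 user-data file; refuses a key that fails the checks."""
    ok, detail = check_openssh_rsa_pubkey(pubkey_line)
    if not ok:
        raise ValueError(f"rejected SSH public key: {detail}")
    return (
        "#cloud-config\n"
        "diskenc:\n"
        "  encrypt: true\n"
        "ssh_authorized_keys:\n"
        f"  - {pubkey_line.strip()}\n"
    )


# --- constructed test keys: right format and size only, NOT real RSA keys ---
def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _mpint(value):
    """SSH mpint: big-endian, with a leading 0x00 when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def build_rsa_pubkey_line(modulus, exponent=65537, comment="constructed"):
    """Assemble an OpenSSH ssh-rsa line from a modulus and public exponent."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(exponent) + _mpint(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} {comment}"


# Synthetic moduli chosen for bit length alone; they are not products of primes.
SYNTHETIC_4096 = build_rsa_pubkey_line((1 << 4095) | 0x10001, comment="synthetic-4096")
SYNTHETIC_2048 = build_rsa_pubkey_line((1 << 2047) | 0x10001, comment="synthetic-2048")
SYNTHETIC_1024 = build_rsa_pubkey_line((1 << 1023) | 0x10001, comment="synthetic-1024")

if __name__ == "__main__":
    for sample in (SYNTHETIC_4096, SYNTHETIC_2048, SYNTHETIC_1024, "ssh-ed25519 AAAA demo"):
        print(check_openssh_rsa_pubkey(sample))
    print(render_hyperv_user_data(SYNTHETIC_4096))
```

Feed the function the exact line you intend to paste (from your .pub file or the PuTTYgen "OpenSSH authorized_keys" box); a PuTTY .ppk or a PEM block is rejected at the first token, which is the same reason the appliance would not accept it.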
Deploying on the Nutanix AHV
This section guides you through the steps needed to deploy a Virtual CipherTrust Manager on Nutanix AHV.
Prerequisites
- OVA file: It is mandatory to decompress the OVA file before deployment to generate a VMDK file. For steps, see Decompressing an OVA file.
Creating a CipherTrust Manager Virtual Machine
Perform the following steps to create a CipherTrust Manager virtual machine on a Nutanix Cluster:
Caution
Do not host a CipherTrust Manager virtual machine on the encrypted cluster where it is being used. This can lead to complete data loss if there is an issue with the VM while it is hosted in that cluster.
Go to the Prism Element.
Create a Storage Container.
Go to the Storage page and click Storage Container.
The Create Storage Container window appears.
Specify the Name and select a Storage Pool.
(Optional Step) If required, click Advanced Settings for the settings related to compression, cache, duplication, and so on.
Click Save.
The New Storage Container will be added.
Create/Upload an image on the Nutanix Cluster.
Go to Settings > Image Configuration. Click Upload Image.
The Create Image page appears.
Specify/select the following fields/options:
Name
Annotations
Image Type
Select the Storage Container
Image Source
Click Save.
The application will start uploading the image. This can take some time depending on the network speed. After the uploading process is complete, the new image is created, and the image activation process is initiated. You can use the image after it becomes active. This image can be accessed from Settings > Image Configuration.
Go to the VM page and click Create VM.
Specify/select the following fields/options:
General Configuration
Name
Description
Timezone
Minimum Requirements
Refer to Minimum Requirements.
Disks
Remove any existing disk and click Add New Disk. Specify the following fields:
Type: DISK
Operation: Clone from Image Service
Bus Type: SCSI
Image: Select image created in the previous step
Index: Next Available
Click Add. The disk will be added.
Set Boot configuration to Legacy BIOS or UEFI.
Network Adapter
Click Add New NIC and specify the following details:
Network Name: Select a pre-configured network
VLAN ID: Specify the required value
Network Connection State: Set to Connected
Network Address/Prefix: Set to the required value
Click Add to add the Network Adapter.
Go to VM Host Affinity and select the Host(s) as required. Click Save.
Click Save after completing all configurations.
The new VM will be created.
Booting the CipherTrust Manager VM
Go to the VM page and locate the newly added VM in the VM Name column. You can use search option, if required.
Click on the VM name and scroll down.
Click Power On.
Access the GUI by browsing to the Virtual CipherTrust Manager's IP address in a web browser.
The initial CipherTrust Manager Web Page screen is displayed:
The Error displayed is normal and simply requires the default SSH Public Key to be replaced. As the initial KeySecure admin (ksadmin) you must paste in your SSH Public Key in the box provided and then select Add.
Note
We support OpenSSH for the public key format. The corresponding private key can be OpenSSH, PKCS1, or PKCS8 format. You can generate this key pair using 'PuTTYgen' or similar utility. Save this SSH Public Key at a safe location. You will need this key for future SSH access.
After replacing the default SSH Public Key, the Log In screen appears. For more options to replace the default SSH Public Key, see Starting Services After Deployment.
Log in using the initial default credentials: Username = admin, Password = admin
The following notice is displayed:
Note
If the default credentials do not work, you may need to retrieve an auto-generated password, as described in Changing the Initial Password.
Enter a new password using this default Password Policy:
Min length: 8
Max length: 30
Min number of upper cases: 1
Min number of lower cases: 1
Min number of digits: 1
Min number of other characters: 1
A new Login screen appears.
Using your new password, log in again. The CipherTrust Manager Web Page appears.
At this point, it's strongly recommended to configure an NTP server.
Navigate to Admin Settings > NTP.
Enter in an NTP Server hostname.
For an authenticated NTP Server, enter in a symmetric key value in the NTP Key field.
Click the +Add NTP Server button.
See Network Time Protocol Server Configuration for more details.
Congratulations! You have successfully deployed your Virtual CipherTrust Manager.
Note
Virtual CipherTrust Manager launches in Community Edition, with some restrictions on functionality. You can activate a 90 day trial evaluation for full functionality. To activate your instance with a trial evaluation, or a term or perpetual license, see Licensing.