System Properties
The CipherTrust Manager allows Application Administrators, such as the admin user, to manage user-configurable system properties. These settings are only accessible in the root domain.
Enable and Disable Activity Logs
You can enable or disable activity logs for NAE and KMIP interfaces, to include them in debug log downloads. They are not enabled by default. When enabled, they are included in the downloadable LTSV debug log file, and can be forwarded to configured log forwarders.
Log in to the root domain as an Application Administrator.
Navigate to Admin Settings > Properties.
In LOGS PROPERTIES, select the KMIP Activity Logs toggle button to enable/disable KMIP activity logs.
In LOGS PROPERTIES, select the NAE Crypto Activity Logs toggle button to enable/disable NAE crypto activity logs.
Set a Load Balancer Address
You can configure a load balancer address, so that CTE agents can communicate with CipherTrust Manager cluster nodes which are behind a load balancer.
Log in to the root domain as an Application Administrator.
Navigate to Admin Settings > Properties.
In Load Balancer Address, add an IP address or hostname for the load balancer to the Value field.
Click Update to update it.
Enable or Disable Data Key Caching for HSM-Anchored Domains
This caching can improve cryptographic and key export performance for HSM-anchored domains.
Log in to the root domain as an Application Administrator.
Navigate to Admin Settings > Properties.
In HSM-ANCHORED DOMAINS DATA KEY MATERIAL CACHING, select the Enable Key Caching toggle.
Restart the system. For clustered CipherTrust Managers, restart every cluster node. This is required to fully apply the change.
Set Cluster Certificate Renewal Threshold
This setting controls the number of days prior to certificate expiry that CipherTrust Manager auto-renews an internal certificate that is used for database access.
Log in to the root domain as an Application Administrator.
Navigate to Admin Settings > Properties.
In CLUSTER CERTIFICATE AUTO RENEW THRESHOLD, in the Value field, enter an integer value, 30 or higher.
Click Update to apply the change.
Properties Configurable from ksctl or REST API
Property Name | Default Value | Description |
---|---|---|
ALLOW_UNKNOWN_FIELDS | false | Allows unknown fields in the JSON body of API calls. If you set this property to true, a restart is required for the change to take effect. |
ALLOW_USER_IMPERSONATION_ACROSS_DOMAIN | false | User impersonation is, by default, limited to users of the client's own domain, i.e. created users (users created in the client's domain) or assigned users (users created in the client's domain and assigned to some other domain). With this property enabled, clients belonging to the root domain can impersonate a user created inside a sub-domain only. The property applies to the NAE and KMIP interfaces only. |
CERT_REV_CHECK_TIMEOUT | 5sec | Configures the revocation check request timeout for Web (certificate user login) and NAE/KMIP clients. The timeout value must be an integer from 0 to 600 seconds, where 0 means no timeout. The timeout applies to each request. For example, if a certificate contains 3 URLs for the caIssuer and CRL/OCSP, and each URL fails after 5 seconds, the authentication call takes 15 seconds to complete. |
CLUSTER CERTIFICATE AUTO RENEWAL THRESHOLD | 30 | Configures the number of days prior to certificate expiry that CipherTrust Manager auto-renews an internal certificate that is used for database access. Valid values are integers of 30 or more. |
ENABLE_CERT_REV_CHECK | true | Checks the client certificates on the NAE/KMIP interface for revocation status. This property does not apply to user certificate login; for user certificate login, the CRL revocation status is always checked. |
ENABLE_KEY_CACHE | false | Allows caching of key material for HSM-anchored domains on CipherTrust Manager. A change to this property requires a system restart on all cluster nodes to take effect. |
ENABLE_KMIP_ACTIVITY_LOGS | false | Enables activity logging for KMIP operations. The NAE-KMIP service does not require a system restart to reflect changes made to the ENABLE_KMIP_ACTIVITY_LOGS property. Setting this property on one node brings it into effect for the entire cluster. |
ENABLE_NAE_ACTIVITY_LOGS | false | Enables activity logging for NAE operations. The NAE-KMIP service does not require a system restart to reflect changes made to the ENABLE_NAE_ACTIVITY_LOGS property. Setting this property on one node brings it into effect for the entire cluster. |
ENABLE_NAE_CRYPTO_RECORDS | false | Enables logging of NAE crypto audit records. |
ENABLE_RECORDS_DB_STORE | true | Stores audit records in the database. If you set this property to false, the audit records are deleted. If syslog is configured, audit records continue to be pushed to the syslog server. |
ENFORCE_NAE_CLIENT_VALIDATION | false | Enforces client validation on the NAE interface. |
ENFORCE_NAE_CLIENT_REGISTRATION | false | Requires NAE clients to be registered in order to perform NAE operations. |
LOAD_BALANCER_ADDRESS | | IP address, URL, or hostname of the load balancer configured with CipherTrust Manager. This allows CTE agent communication through the load balancer. |
MAXIMUM_REFRESH_TOKEN_LIFETIME | | The maximum lifetime of a refresh token. This can be an empty string (infinite lifetime) or a sequence of integers each followed by a time unit. The valid time units are m and h, for example 300m, 3h, or 2h45m. The maximum lifetime of a refresh token must be at least 5m. |
DISABLE_TLS_SESSION_RESUMPTION | false | Disables session ticket and PSK (resumption) support on the NAE and KMIP interfaces. Set it to true to enable the property. Clients using an OpenSSL version older than 1.0.2 may encounter 'ssl handshake error' on NAE and KMIP when making concurrent connections that use client-side TLS session resumption. To mitigate this error, it is recommended that clients using OpenSSL version 1.0.2 or lower upgrade to version 1.0.2b or higher. Alternatively, you can disable TLS session resumption on the NAE and KMIP interfaces using the DISABLE_TLS_SESSION_RESUMPTION system property. The NAE-KMIP service must be restarted to reflect changes made to the DISABLE_TLS_SESSION_RESUMPTION property. Setting this property on one node brings it into effect for the entire cluster; however, the NAE-KMIP service must be restarted on every node in the cluster. |
KEY_CACHE_EXPIRES_DURATION | 2 | Defines the NAE-KMIP key cache expiry duration in seconds. Its value ranges from 0 to 86400 seconds (24 hrs). Setting the value to 0 disables the cache. A large value for KEY_CACHE_EXPIRES_DURATION improves the performance of cryptographic and export operations, but suppresses the Key Usage/Export audit events for as long as the key is cached. The NAE-KMIP service must be restarted to reflect changes made to the KEY_CACHE_EXPIRES_DURATION property. Setting this property on one node brings it into effect for the entire cluster; however, the NAE-KMIP service must be restarted on every node in the cluster. |
Managing user configurable system properties using ksctl
The following operations can be performed:
Get details of a property
List all properties
Modify a property
Reset a property
Getting details of properties
To get details of a property, run:
Syntax
ksctl properties get --name <name of the system configuration>
Example
ksctl properties get --name ENABLE_RECORDS_DB_STORE
Getting list of properties
To list all the configurable system properties, run:
Syntax
ksctl properties list
Updating properties
To modify the value of a property, run:
Syntax
ksctl properties modify --name <property name> --value <value to be set>
Example 1
ksctl properties modify --name ENABLE_RECORDS_DB_STORE --value false
Example 2
ksctl properties modify --name CERT_REV_CHECK_TIMEOUT --value 10
Changes do not take effect immediately. They may take up to 60 seconds to propagate on the current node as well as on the clustered nodes.
Resetting properties
To reset the value of a property to default, run:
Syntax
ksctl properties reset --name <property name>
Example
ksctl properties reset --name ENABLE_RECORDS_DB_STORE
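As an added example, not part of the CipherTrust Manager documentation or of ksctl itself: a POSIX shell pre-flight check that validates a value against the constraints stated in the property table above (true/false properties, the 0-600 and 0-86400 second ranges, and the h/m refresh-token lifetime format with its 5m minimum) before `ksctl properties modify` is called with it. The helper function names are my own; only the final ksctl command line comes from this page.

```shell
# Pre-flight validation of CipherTrust Manager system property values before
# they reach `ksctl properties modify`. Rules come from the property table on
# this page; helper names are my own, not part of ksctl.
bool_props="ALLOW_UNKNOWN_FIELDS ALLOW_USER_IMPERSONATION_ACROSS_DOMAIN
ENABLE_CERT_REV_CHECK ENABLE_KEY_CACHE ENABLE_KMIP_ACTIVITY_LOGS ENABLE_NAE_ACTIVITY_LOGS
ENABLE_NAE_CRYPTO_RECORDS ENABLE_RECORDS_DB_STORE ENFORCE_NAE_CLIENT_VALIDATION
ENFORCE_NAE_CLIENT_REGISTRATION DISABLE_TLS_SESSION_RESUMPTION"   # true/false only
is_bool_prop() { for p in $bool_props; do [ "$p" = "$1" ] && return 0; done; return 1; }
is_uint()      { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }
# in_range VALUE MIN MAX: true when VALUE is an integer within [MIN, MAX]
in_range()     { is_uint "$1" && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# lifetime_minutes 2h45m -> prints 165; returns 1 on malformed input (units h, m only)
lifetime_minutes() {
  s=$1 total=0
  while [ -n "$s" ]; do
    num=${s%%[hm]*}                      # digits before the next unit letter
    is_uint "$num" || return 1
    rest=${s#"$num"}
    case "$rest" in
      h*) total=$((total + num * 60)); s=${rest#h} ;;
      m*) total=$((total + num));      s=${rest#m} ;;
      *)  return 1 ;;                    # missing or unknown unit
    esac
  done
  echo "$total"
}

# validate_property NAME VALUE: returns 0 when VALUE is acceptable for NAME
validate_property() {
  name=$1 value=$2
  if is_bool_prop "$name"; then
    case "$value" in true|false) return 0 ;; *) return 1 ;; esac
  fi
  case "$name" in
    CERT_REV_CHECK_TIMEOUT)     in_range "$value" 0 600 ;;   # seconds, 0 = no timeout
    KEY_CACHE_EXPIRES_DURATION) in_range "$value" 0 86400 ;; # seconds, 0 = cache off
    LOAD_BALANCER_ADDRESS)      [ -n "$value" ] ;;
    MAXIMUM_REFRESH_TOKEN_LIFETIME)
      [ -z "$value" ] && return 0                    # empty = infinite lifetime
      mins=$(lifetime_minutes "$value") || return 1
      [ "$mins" -ge 5 ] ;;                           # page requires at least 5m
    *) return 2 ;;                                   # not listed in the table
  esac
}

set_property() {  # refuse bad values, otherwise apply them with ksctl
  validate_property "$1" "$2" || { echo "refusing to set $1=$2" >&2; return 1; }
  ksctl properties modify --name "$1" --value "$2"
}
```

Run as `set_property CERT_REV_CHECK_TIMEOUT 10` from a shell that has ksctl on its PATH; the property name with spaces in the table (cluster certificate renewal threshold) is deliberately not covered, since the page does not give its ksctl identifier.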