Managing Client Groups

A client group is used to group one or more clients to simplify configuration and administration. GuardPoints created on a client group are applied to all members of the group. Additionally, you can apply client group configuration settings to all clients in a client group. A client can be a member of multiple client groups.

CTE supports two types of client groups: clustered and non-clustered. A clustered client group contains clients that are members of a cluster with a cluster file system. A non-clustered client group contains clients that are not members of a cluster. A client can be a member of multiple client groups. However, membership in a cluster group is exclusive, so a client that belongs to a cluster cannot join another cluster group or client group.

If you have created a group for one type of client, then you should only add similar clients to the group. The same configuration settings can be applied only to clients of the type for which the client group was created. If a different type of client is added, configuration settings cannot be applied to that client.

Creating a Client Group

To create a client group:

  1. Open the Transparent Encryption application.

  2. Click Clients > Client Groups.

  3. Click Create Client Group. The Create Client Group dialog box is displayed.

  4. Enter a unique Name for the client group.

  5. Select the Cluster Type. The options are:

    • NON CLUSTER: Create a non-clustered client group.

    • HDFS: Create a clustered client group. An HDFS client group is required to apply GuardPoints on CTE clients in an HDFS cluster.

  6. (Optional, displayed if a profile already exists) From the Client Profile drop-down list, select the desired client profile. The default profile is DefaultClientProfile.

  7. (Optional) Provide a Description to identify the client group. The maximum length is 256 characters.

  8. Click Create. The client group is created.

The newly created client group appears in the client groups list. Now, you can add clients to the group, if needed. Refer to Adding Clients to a Client Group for details.

As soon as the first client group is created, DefaultClientProfile is also created, if it does not exist.

Adding Clients to a Client Group

Clients can be added to a client group either manually or by specifying the group when registering clients with the CipherTrust Manager. If you specify a client group during client registration, the client automatically appears under the client group on the CipherTrust Manager GUI. Refer to the CTE Agent Clients Guide for information on the registration process.

When protecting an HDFS cluster, the CTE clients with the HDFS configuration must be added to an HDFS client group on the CipherTrust Manager.

To manually add clients to a client group:

  1. Open the Transparent Encryption application.

  2. Click Clients > Client Groups.

  3. Under Client Group Name, click the desired client group.

    Select an HDFS client group if the CTE client to be added is in an HDFS cluster.

  4. In the top right corner, click the expand icon (Expand Icon) to expand the mini detail view.

  5. Click Add Client. The Add Client to Client Group dialog box is displayed with the list of available clients, if any. At least one client must already exist.

  6. Select the desired clients.

  7. Click Add. A dialog box is displayed asking you to confirm settings inheritance.

  8. Confirm whether the selected clients should inherit settings from the client group. The options are:

    • Inherit Client Group Settings: This is the default and recommended option. Clients inherit the following properties of the group except the password:

      • Client Settings

      • Agent Lock

      • System Lock

      • Communication Enabled

      • Profile Settings

      • QoS Settings

      • GuardPoints

      Refer to Inheritance of Client Group Settings for details.

    • Do not Inherit Client Group Settings: Clients retain their individual settings. Selecting this option can introduce configuration conflicts. This is not the recommended option. Read the instructions carefully before selecting this option.

  9. Click OK.

The selected clients are added to the group. They are displayed in the mini view of the client group. Also, the client group is now displayed on the Membership tab of the client. You can remove the client from the group by clicking Remove.

Displaying Client Groups

To view the list of client groups:

  1. Open the Transparent Encryption application.

  2. Click Clients > Client Groups. The list of available client groups is displayed.

The client groups list shows the following details:

| Column | Description |
|---|---|
| Client Group Name | Name link of the client group on CipherTrust Manager. Click the link to open client group details in edit mode. The edit mode shows additional details and configuration settings. In the edit mode, you can also view and add clients, GuardPoints, and Client Group Settings. |
| Cluster Type | Cluster type of the client group. NON CLUSTER: A non-clustered client group. HDFS: A clustered client group. |
| Description | (Optional) Description to identify the client group. |

Modifying Client Groups

After you have created a client group, you can update group details and configuration settings. You can make the following changes:

  • Enable or disable Agent communication for the clients in the group

  • Lock or unlock the CTE Agent files on the clients in the group

  • Change the CTE Agent password for the clients in the group

  • Change the linked profile

  • Add new clients to the group

  • Remove clients from the group

The cluster type of a client group cannot be modified after it is created.

To modify a client group:

  1. Open the Transparent Encryption application.

  2. Click Clients > Client Groups.

  3. Under Client Group Name, click the desired client group.

  4. In the top right corner, click the expand icon (Expand Icon) to expand the mini detail view.

  5. Modify the required details:

    • Unlock: Unlock Agent Lock and System Lock.

    • Agent Lock: Lock the contents of the CTE Agent directories on the clients.

    • System Lock: Apply an internal policy to the clients to lock system directories like /var, /bin, and /etc. Enabling System Lock automatically enables Agent Lock.

    • Communication Enabled: Whether to enable clients' communication with the CipherTrust Manager. Select to enable, clear to disable communication.

    • Password Creation Method: Set the password creation method — Generate or Manual. Refer to Changing Client Group Password for details.

    • Client Profile: Select a profile for the client group. The default profile is DefaultClientProfile. To change the client profile, refer to Changing the Profile for details.

  6. Click Apply.

Additionally, you can define GuardPoints for the clients in the group. Refer to Managing GuardPoints.

Removing Multiple Clients from a Client Group

As part of the CipherTrust Manager maintenance, you occasionally need to remove clients from their client groups.

To remove clients from a client group:

  1. Open the Transparent Encryption application.

  2. Click Clients > Client Groups.

  3. Under Client Group Name, click the desired client group.

  4. In the top right corner, click the expand icon (Expand Icon) to expand the mini detail view.

  5. Select the desired clients that you want to remove from the group.

    To select all clients visible on the page, select the top check box to the left of the Status heading.

  6. Click the delete icon (Delete Icon).

    A warning message appears stating that deleting the selected clients is permanent and cannot be undone.

  7. Click Delete.

The selected clients are removed from the client group. Also, the client group is removed from the Membership tab of the linked clients.

Removing a Client from a Client Group

As part of the CipherTrust Manager maintenance, you occasionally need to remove a client from its client group.

To remove an individual client from a client group:

  1. Open the Transparent Encryption application.

  2. Click Clients > Client Groups.

  3. Under Client Group Name, click the desired client group.

  4. In the top right corner, click the expand icon (Expand Icon) to expand the mini detail view.

  5. Select the desired client that you want to remove from the group.

  6. Click the delete icon (Delete Icon).

    Alternatively, click the overflow icon (Overflow Icon), and click Remove. When prompted, click Remove.

    A warning message appears stating that deleting the selected clients is permanent and cannot be undone.

  7. Click Delete.

The selected client is removed from the client group. Also, the client group is removed from the Membership tab of the client.

Changing the Profile

To change the profile:

  1. Open the Transparent Encryption application.

  2. Under Client Group Name, click the desired client group.

  3. Next to Client Profile, click the profile link (for example, DefaultClientProfile). The Select Profile dialog box shows the current client profile, Log Level, Rekey Option, Rekey Rate, and Schedule of the selected profile.

  4. From the Profile drop-down list, select the desired profile.

  5. Click OK. The selected profile is linked successfully.

Changing Client Group Password

The CipherTrust Manager allows for client password management using client groups. For large scale deployments where the CipherTrust Manager must manage several hundreds or thousands of agents, administering passwords on a per-client basis becomes untenable and burdensome. Using a common password across all the clients in a client group mitigates the administrative burden.

This feature is also useful for offline agent recovery. If a remote agent reboots (planned or unplanned) and cannot communicate with the CipherTrust Manager in the central office, it prompts the administrator at the remote site to enter the client password. The remote site administrator typically calls the corporate help desk for the password. Using the password provided by the help desk personnel, the remote site administrator enables offline agent recovery and the resumption of services. As the password is now known to the remote site administrator and the help desk personnel, it may result in a breach of security and/or render the IT operations non-compliant with respect to guaranteeing data privacy.

To remedy the compromised situation, the security administrators should change the password—rotate the password—according to existing security practices. The client group password management feature allows changing the password on all the clients in the client group when the password is compromised.

The use cases for client group password feature can be summarized as follows:

  1. Set a common password for all clients in a client group.

  2. Reset the common password for all clients in a client group (if the password is provided to a remote CTE Agent administrator for offline agent recovery).

This feature is best suited for large scale deployments when many agents are under the management of a CipherTrust Manager cluster.

Changing the Password Manually

The manual password creation method is recommended for disaster recovery scenarios.

To change the password:

  1. Open the Transparent Encryption application.

  2. Click Clients > Client Groups.

  3. Under Client Group Name, click the desired group.

    Alternatively, click the expand icon (Expand Icon) to the left of the desired client group in the client groups list.

  4. From the Password Creation Method drop-down list, select Manual. The Regenerate Password button is replaced by Change Password.

  5. Click Change Password.

  6. Enter the new password in the Password and Confirm Password fields. The password must match in both the fields.

    The password must contain a minimum of eight characters, including at least:
    • One capital letter
    • One number
    • One of these special characters: ! @ # $ % ^ & * ( ) { } [ ]

    To cancel the password change, click Cancel Change Password.

  7. Click Apply.

When the new password is applied, the server pushes the password to all clients in the client group. Clients that are removed from the client group retain the password set for the group. Clients added to the group later do not receive the new password.
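
The push rules above decide which clients still hold a disclosed password after a rotation. The following added example (not CipherTrust Manager code) replays a constructed event log under those rules; the event names, client names, and password labels are assumptions made for illustration.

```python
# Constructed event log; passwords are represented by labels, never real secrets.
EVENTS = [
    ("add", "edge-01", "branch"),
    ("add", "edge-02", "branch"),
    ("add", "edge-03", "branch"),
    ("set_password", "branch", "pw-2023"),   # later disclosed for offline recovery
    ("remove", "edge-03", "branch"),
    ("set_password", "branch", "pw-2024"),   # rotation after the disclosure
    ("add", "edge-04", "branch"),
]


def replay_events(events):
    """Return (members, current, held) after applying the documented push rules."""
    members, current, held = {}, {}, {}
    for event in events:
        kind = event[0]
        if kind == "add":
            _, client, group = event
            # Joining a group never delivers the group password.
            members.setdefault(group, set()).add(client)
        elif kind == "remove":
            _, client, group = event
            # A removed client keeps whatever password it already holds.
            members.get(group, set()).discard(client)
        elif kind == "set_password":
            _, group, label = event
            current[group] = label
            # The server pushes the password to current members only.
            for client in members.get(group, ()):
                held[client] = label
        else:
            raise ValueError(f"unknown event kind: {kind}")
    return members, current, held


def audit(events, group, compromised):
    """List clients a rotation did not reach, and members lacking the current password."""
    members, current, held = replay_events(events)
    return {
        "still_hold_compromised": sorted(
            c for c, label in held.items() if label == compromised
        ),
        "members_without_current": sorted(
            c for c in members.get(group, ()) if held.get(c) != current.get(group)
        ),
    }


if __name__ == "__main__":
    for finding, clients in audit(EVENTS, "branch", "pw-2023").items():
        print(finding, clients)
```
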

Changing the Password Dynamically

To change the password:

  1. Open the Transparent Encryption application.

  2. Click Clients > Client Groups.

  3. Under Client Group Name, click the desired group.

    Alternatively, click the expand icon (Expand Icon) to the left of the desired client group in the client groups list.

  4. From the Password Creation Method drop-down list, select Generate. This is the default method.

  5. Click Regenerate Password.

  6. Click Apply.

A newly generated password is downloaded to the client.

Inheritance of Client Group Settings

Instead of specifying settings for applications running on multiple clients individually, configure them at the client group level. Those settings can be automatically applied to all clients in the group. Refer to Client Settings for details on client settings.

Take care when defining client settings at the client group level. If a group contains clients running different operating systems (for example, Linux and Windows) that inherit client settings from the group, conflicts and issues may be observed with file and user access permissions.

  • A client that joins a client group can opt to inherit client group configuration including the client settings.

    • If the client settings are not defined at the group level, the client retains its own settings.

    • If the client settings at the group level are modified later, the updated settings apply to all group members that inherit configuration from the group.

    • Individual clients in the group have client settings overwritten by the group's client settings.

    For example:

    1. clientA has client settings defined, joins clientGroup1 and inherits its group configuration. clientB also joins clientGroup1 but does not inherit its group configuration. clientGroup1, however, does not have any client settings defined. In this case, both clientA and clientB retain their own client settings.

    2. Now, client settings of clientGroup1 are modified. This overwrites the client settings of all clients that inherit group configuration from clientGroup1. So clientA inherits the modified group configuration but clientB does not, as it does not inherit client group configuration.

    3. clientB is modified to inherit settings from clientGroup1. The next time clientGroup1 updates its client settings, the changes apply to both clientA and clientB.

  • A client can be a member of more than one client group. If the client inherits client group configuration from the first client group it joins and from the groups it joins subsequently, the client inherits the client settings from the last group that it joins.

    For example:

    1. clientC joins clientGroup2 and inherits the client group configuration. clientC now has clientGroup2 client settings.

    2. clientC is added to clientGroup1 and set to inherit client group configuration. So, clientC gets clientGroup1 client settings.

  • If client settings of a client group are emptied, member clients that inherit settings from the group retain the last defined client settings.

    For example:

    1. clientGroup1 deletes its client settings. All member clients (clientA, clientB, and clientC) retain the last client settings defined for clientGroup1; blank client settings are not passed to members of the group.

    2. clientB leaves clientGroup1. Now, clientB retains the client settings it last inherited from clientGroup1.

  • If the client settings of a member of a client group are modified, that client no longer inherits client settings from the client group.

    For example, client settings on clientB are modified. When the client settings for clientGroup1 are then modified, all members except clientB inherit the changes made to the client settings for clientGroup1.
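
The inheritance rules in this section can be checked by replaying the clientA, clientB, and clientC scenario against a small model. This is an added example, not CipherTrust Manager code: the setting values are constructed labels, tracking a single inheritance source per client is an assumption drawn from the "last group joined" rule, and clientA stands in for the locally edited member in the final step because clientB has already left the group.

```python
class Group:
    def __init__(self, settings=None):
        self.settings = settings   # None: no client settings defined on the group
        self.members = set()

class Client:
    def __init__(self, settings=None):
        self.settings = settings
        self.source = None         # group this client currently inherits from

def join(client, group, inherit):
    group.members.add(client)
    if inherit:
        client.source = group      # assumption: last group joined with inherit wins
        if group.settings is not None:
            client.settings = group.settings   # client's own settings overwritten

def set_inherit(client, group):
    client.source = group          # takes effect at the group's next settings update

def update_group(group, settings):
    group.settings = settings
    if settings is None:
        return                     # blank settings are not passed to members
    for member in group.members:
        if member.source is group:
            member.settings = settings

def modify_client(client, settings):
    client.settings = settings
    client.source = None           # a locally edited client stops inheriting

def leave(client, group):
    group.members.discard(client)
    if client.source is group:
        client.source = None       # settings last inherited are retained

def replay():
    g1, g2 = Group(), Group("g2-v1")
    a, b, c = Client("a-own"), Client("b-own"), Client()
    steps = [
        lambda: (join(a, g1, True), join(b, g1, False)),   # group1 has no settings
        lambda: update_group(g1, "g1-v1"),                 # only clientA inherits
        lambda: (set_inherit(b, g1), update_group(g1, "g1-v2")),
        lambda: join(c, g2, True),
        lambda: join(c, g1, True),                         # last group joined wins
        lambda: update_group(g1, None),                    # group1 settings emptied
        lambda: leave(b, g1),
        lambda: (modify_client(a, "a-local"), update_group(g1, "g1-v3")),
    ]
    trace = []
    for step in steps:
        step()
        trace.append((a.settings, b.settings, c.settings))
    return trace

if __name__ == "__main__":
    print(*replay(), sep="\n")
```

Each row of the trace is the (clientA, clientB, clientC) settings after one step, so a row that does not change shows a rule under which members retain what they already had.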

Configuring Client Group Settings

To configure client settings at group level:

  1. Open the Transparent Encryption application.

  2. Click Clients > Client Groups.

  3. Under Client Group Name, click the desired client group.

  4. Click the Client Group Settings tab. Scroll down the screen, if needed.

  5. In the Settings text box, add |authenticator| before the path of the binary. For example, |authenticator|/bin/su to allow su to be a trusted method of authentication. For further consideration of authentication options, refer to Client Settings.

  6. (Optional, if you add another process to the set of trusted applications) Enable Re-sign Settings to ensure that the new process is signed and authenticated by the client. The next time the client settings are pushed to the CTE Agent, the updated client settings are re-signed and the Re-sign Settings toggle is disabled (or reset).

    If, after adding a new process, you do not enable Re-sign Settings, the client ignores the newly added process. See Re-Sign Settings for more information.

  7. Click Apply.

Deleting Client Groups

As part of the CipherTrust Manager maintenance, you occasionally need to remove client groups from the CipherTrust Manager.

  • When you delete a client group, only the group is removed from the CipherTrust Manager GUI. Individual clients that are members of the group remain intact.

  • If you configured a client group password, the individual clients retain the group password.

Deleting a Client Group

To remove a client group:

  1. Make sure that no GuardPoints are applied on the group.

  2. Open the Transparent Encryption application.

  3. Click Clients > Client Groups.

  4. Under Client Group Name, click the overflow icon (Overflow Icon) corresponding to the desired group.

  5. Click Delete. A dialog box appears prompting to confirm the action.

  6. Click Delete.

The client group is removed from the client groups list. Also, the client group is removed from the Membership tab of the linked clients.

Deleting Multiple Client Groups

The CipherTrust Manager provides an option to delete multiple client groups.

To remove multiple client groups:

  1. Make sure that no GuardPoints are applied on the groups to be deleted.

  2. Open the Transparent Encryption application.

  3. Click Clients > Client Groups.

  4. Under Client Group Name, select the check boxes corresponding to the desired groups.

    To select all client groups visible on the page, select the top check box to the left of the Client Group Name heading.

  5. Click the delete icon (Delete Icon).

    A warning message appears stating that deleting the selected client groups is permanent and cannot be undone.

  6. Click Delete.

The client groups are removed from the client groups list. Also, the client groups are removed from the Membership tab of the linked clients.