Migrating CTE Configuration from Data Security Manager
This section describes steps to migrate configuration of CTE resources from a Data Security Manager (DSM) to a CipherTrust Manager.
Before proceeding with migration, note that the password generation method of all clients and client groups will be set to Generate after migration. If required, you can change the password method after migration.
Make sure that a sufficient number of CipherTrust Transparent Encryption (CTE) licenses is available on the CipherTrust Manager for clients to register successfully. For example, if you want to migrate 100 clients from the Data Security Manager (DSM), then at least 100 CTE licenses must be free on the CipherTrust Manager. Refer to CTE Licensing Model for details.
If you are running an unsupported version, upgrade your environment to the supported version before proceeding. Refer to the corresponding product documentation for upgrade instructions.
|CTE||7.1 and higher|
|DSM||6.4.5 and higher|
|CTE||7.1 and higher|
|CipherTrust Manager||2.4 and higher|
Clients and client GuardPoints from the same domain
Client groups and client group GuardPoints from the same domain
Clients and client group associations
User sets, resource sets, process sets, signature sets, and signatures
Standard, Cloud Object Storage (COS), and In-place Data Transformation (IDT) policies
Client logging, upload logging, and Syslog settings
LDT Quality of Service (QoS) and QoS schedules
Clients on the CipherTrust Manager are equivalent to hosts on the DSM.
To migrate the CTE configuration from the DSM to the CipherTrust Manager:
Export and Import the Backup File
Export and import the backup file. Refer to Exporting and Importing the Backup File for details.
To minimize interruption of CTE client access to CTE keys, include the optional parameter auto-cte-groups with the ksctl migrations apply import command. This parameter automatically detects CTE keys and grants permission to access these keys to members of the CTE Clients group on CipherTrust Manager.
After migration, verify that the DSM keys are successfully migrated into the CipherTrust Manager domain.
Verify Details of Migrated CTE Resources
On the CipherTrust Manager GUI, verify details of the migrated CTE resources.
The migrated resources can also be verified using the CTE reports available on the DSM and the CipherTrust Manager. Reports provide a comprehensive view of the migrated resources.
A number of reports are available for the combination of clients, policies, GuardPoints, and encryption keys. Use these reports to match and verify the number of resources and their types on the DSM and the CipherTrust Manager.
Both the DSM and the CipherTrust Manager provide options to download reports in the CSV format. So, if needed, you can automate resource verification to parse and compare the report content.
Here is a mapping of CTE reports on the DSM and CipherTrust Manager to help verify migrated resources.
|Resource||DSM Report||CipherTrust Manager Report|
|Clients||Hosts||Clients Health Report|
|Policies||Policy Key||Policies Keys Report|
|Policies||Policy Host||Clients Policies Report|
|Policies||Hosts with GuardPoint Status||Client GuardPoint Status Report|
|Keys||Keys||Clients Keys Report|
|Keys||Keys-Policy||Policies Keys Report|
Refer to Reports for details on CTE reports available on the CipherTrust Manager. Refer to the DSM online help for details on CTE reports available on the DSM.
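The automated CSV comparison mentioned above could look like the following for the Hosts (DSM) and Clients Health Report (CipherTrust Manager) pair. This is an added example, not code from the product documentation; the column names "Host Name" and "Client Name" and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample exports. The column names "Host Name" and "Client Name"
# are assumptions; substitute the headers found in your own CSV downloads.
DSM_HOSTS_CSV = "Host Name,OS Type\nweb01,Linux\ndb01,Linux\nApp-Srv,Windows\nfiles02,Linux\n"
CM_CLIENTS_CSV = ("Client Name,Status\nweb01,Healthy\ndb01,Healthy\n"
                  "App-Srv,Unregistered\napp-srv,Healthy\ntest99,Healthy\n")


def load_names(csv_text, column):
    """Return the set of non-empty values in one column of a CSV report."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if column not in (reader.fieldnames or []):
        raise KeyError(f"column {column!r} not in header {reader.fieldnames}")
    return {v for v in ((row.get(column) or "").strip() for row in reader) if v}


def compare_reports(dsm_csv, cm_csv, dsm_column, cm_column):
    """Compare DSM host names with CipherTrust Manager client names, exactly."""
    dsm = load_names(dsm_csv, dsm_column)
    cm = load_names(cm_csv, cm_column)
    extra = cm - dsm
    # Names are case-sensitive: a CM name that matches a DSM host only after
    # case folding was most likely registered with the wrong case and is
    # treated as a new client without the migrated configuration.
    dsm_by_fold = {name.casefold(): name for name in dsm}
    case_variants = {n: dsm_by_fold[n.casefold()]
                     for n in extra if n.casefold() in dsm_by_fold}
    return {
        "matched": sorted(dsm & cm),
        "missing_on_cm": sorted(dsm - cm),
        "case_variants": case_variants,
        "unexpected_on_cm": sorted(extra - set(case_variants)),
    }


if __name__ == "__main__":
    result = compare_reports(DSM_HOSTS_CSV, CM_CLIENTS_CSV, "Host Name", "Client Name")
    for category, names in result.items():
        print(f"{category}: {names}")
```

An empty missing_on_cm list and an empty case_variants mapping indicate that every DSM host has a client of exactly the same name on the CipherTrust Manager.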
Verifying GuardPoints Configuration
GuardPoints that are applied to a client using a client group are created in the background. The original request returns after initial validation of the request parameters, and migration proceeds with other operations.
In some cases, creation of certain GuardPoints might fail later in the background for various reasons. Errors that occur in the background cannot be reflected in the migration status; the status is updated in the audit records of the CipherTrust Manager. It is therefore recommended to verify migration of CTE resources using the CTE reports.
Verifying Profiles Configuration
Every migrated client is linked with a profile (named
profile_<dsm-hostname>_<dsm-domain-id>) on the CipherTrust Manager. The profile contains information related to client logs, Syslog settings, and QoS configuration. If multiple clients have the same configuration on the DSM, they are linked with a single profile on the CipherTrust Manager. The following mapping helps you verify migration of client logging, Syslog, and QoS configuration.
|Resource||Location on DSM||Location on CipherTrust Manager|
|Message Type||Hosts > FS/VDE Agent Log||Not displayed on the CipherTrust Manager GUI. You can verify them using the |
|File Logging Settings||Hosts > FS/VDE Agent Log||Profiles > CLIENT LOGGING CONFIGURATION. Refer to Setting Client Log Configuration for details.|
|Syslog Settings||Hosts > FS/VDE Agent Log||Profiles > SYSLOG LOGGING CONFIGURATION. Refer to Setting Client Syslog Configuration for details.|
|Upload Logging Settings||Hosts > FS/VDE Agent Log||Profiles > CLIENT LOGGING CONFIGURATION. Refer to Setting Client Log Configuration for details.|
|Duplicate Message Suppression Settings||Hosts > FS/VDE Agent Log||Profiles > CLIENT LOGGING CONFIGURATION. Concise Logging settings are also displayed here. Refer to Setting Client Log Configuration for details.|
|LDT Quality of Service||Hosts > GuardPoints||Profiles > QUALITY OF SERVICE CONFIGURATION. Refer to Setting Quality of Service Configuration for details.|
|QoS Schedules||Hosts > GuardPoints||Profiles > QUALITY OF SERVICE CONFIGURATION > QoS Settings. Refer to Setting Quality of Service Configuration for details.|
After you have successfully verified the CTE resources, proceed to the next step.
Register CTE Clients with the CipherTrust Manager
Register your CTE clients with the CipherTrust Manager. Refer to CTE Agent Quick Start Guide specific to your platform for details.
• When registering a CTE client with the CipherTrust Manager, you must provide exactly the same client name with which that client was registered with the DSM before migration.
• Client names are case-sensitive. Make sure that the case of each name is retained.
• If a different name is provided, the CipherTrust Manager considers it as a new client. The configurations migrated from the DSM are not propagated to this new client on the CipherTrust Manager.
After the CTE clients are successfully registered with the CipherTrust Manager, the migrated configuration is propagated to the CTE clients.
Verify Access to GuardPoints
When the initialization of the CTE clients is successful and the configuration is pushed to them, verify whether the GuardPoints are accessible according to the enforced policies.
CTE resources of LDT, Efficient Storage, and Container policies on the DSM cannot be migrated to the CipherTrust Manager 2.5 using the backup/restore method. The Container policies are supported only on the DSM. Migration of LDT and Efficient Storage resources will be supported in a future release. However, the LDT resources can be manually created on the CipherTrust Manager.
Make sure that the GuardPoints and the clients on which they apply exist in the same domain. Migration of GuardPoints and clients residing in different domains is not supported.
If the SecureStart setting and status of a client group GuardPoint are modified on a client on the DSM, then they are not reflected correctly on the client after migration. For example, if a GuardPoint is enabled on a client group on the DSM, but disabled on a client, then after migration, status of the GuardPoint on the client becomes enabled.
These settings need to be updated manually on the client after migration.