Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

CTE Administration

Migrating CTE Configuration from Data Security Manager

search

Please Note:

printsuggest an editpdf paneldownload

Migrating CTE Configuration from Data Security Manager

This section describes steps to migrate configuration of CTE resources from a Data Security Manager (DSM) to a CipherTrust Manager.

Before proceeding with migration:

  • Note that the password generation method of all client groups will be set to Generate after migration. If required, you can change the password method after migration. However, every client (standalone or in a client group) will retain its password and the password generation method as it is on the DSM.

  • Ensure that no nested GuardPoints exist on the DSM. CipherTrust Manager doesn't support nested GuardPoints with different policies. As a result, client groups' GuardPoints can't be created during migration.

  • To avoid key version mismatch on GuardPoints concerning DSM and CipherTrust Manager:

    • It is recommended to complete the end-to-end migration process in one go. Also, it is advised to pause or suspend LDT key rotation during migration.

    • If you plan to complete the migration later, ensure to extend the expiration date of the existing keys on DSM appropriately.

copy link to clipboardPrerequisites

  • A sufficient number of CipherTrust Transparent Encryption (CTE) licenses is available on the CipherTrust Manager for clients to register successfully. For example, if you want to migrate 100 clients from the Data Security Manager (DSM), then at least 100 CTE licenses must be free on the CipherTrust Manager. Refer to CTE Licensing Model for details.

  • DSM is up and running at the supported version. Refer to DSM documentation for details.

  • A supported CTE version is configured with a supported DSM version. Refer to the CTE Agent Quick Start Guide specific to your platform for details.

Note

If you are running an unsupported version, upgrade your environment to the supported version before proceeding. Refer to the corresponding product documentation for upgrade instructions.

copy link to clipboardSupported Versions

copy link to clipboardCurrent Setup

ProductVersion
CTE7.1 and higher
DSM                           6.4.5 and higher       

Note

For the migration of LDT GuardPoints, the LDT clients must be running CTE Agent 7.1.1.55 or higher.

copy link to clipboardTarget Setup

ProductVersion
CTE7.1 and higher
CipherTrust Manager2.8 and higher           

copy link to clipboardSupported Resources

CipherTrust Manager supports migration of the following CTE resources from a DSM backup file:

  • Clients and client GuardPoints

  • Client groups and client group GuardPoints

  • Clients and client group associations

  • User sets, resource sets, process sets, signature sets, and signatures

  • Standard, Cloud Object Storage (COS), In-place Data Transformation (IDT), and Live Data Transformation (LDT) policies

  • Client logging, upload logging, and Syslog settings

  • LDT Quality of Service (QoS) and QoS schedules

Tip

Clients on the CipherTrust Manager are equivalent to hosts on the DSM.

copy link to clipboardSteps

To migrate the CTE configuration from the DSM to the CipherTrust Manager:

  1. Export and Import the Backup File

  2. Verify Details of Migrated CTE Resources

  3. Register CTE Clients with the CipherTrust Manager

  4. Verify Access to GuardPoints

copy link to clipboardExport and Import the Backup File

Export and import the backup file. Refer to Exporting and Importing the Backup File for details.

Caution

To minimize interruption of CTE client access to CTE keys, include the optional parameter auto-cte-groups with the ksctl migrations apply import command. This parameter automatically detects CTE keys and grants permission to access these keys to members of the CTE Clients group on CipherTrust Manager.

After migration, verify that the DSM keys are successfully migrated into the CipherTrust Manager domain.

copy link to clipboardVerify Details of Migrated CTE Resources

On the CipherTrust Manager GUI, verify details of the migrated CTE resources.

The migrated resources can also be verified using the CTE reports available on the DSM and the CipherTrust Manager. Reports provide a comprehensive view of the migrated resources.

  • A number of reports are available for the combination of clients, policies, GuardPoints, and encryption keys. Use these reports to match and verify the number of resources and their types on the DSM and the CipherTrust Manager.

  • Both the DSM and the CipherTrust Manager provide options to download reports in the CSV format. So, if needed, you can automate resource verification to parse and compare the report content.

Here is a mapping of CTE reports on the DSM and CipherTrust Manager to help verify migrated resources.

ResourceDSM ReportCipherTrust Manager Report
ClientsHostsClients Health Report
PoliciesPolicy KeyPolicies Keys Report
Policy HostClients Policies Report
GuardPointsGuardPointsGuardPoints Report
Hosts with GuardPoint StatusClient GuardPoint Status Report
KeysKeysClients Keys Report
Keys-PolicyPolicies Keys Report

Refer to Reports for details on CTE reports available on the CipherTrust Manager. Refer to the DSM online help for details on CTE reports available on the DSM.

copy link to clipboardVerifying GuardPoints Configuration

GuardPoints that are applied to a client using a client group are created in the background. The original request is returned after initial validation of request parameters and migration proceeds further for other operations.

In some cases, creation of certain GuardPoints might fail later in the background due to various reasons. Any errors observed in the background cannot be updated in the migration status. The status is updated in the audit records of the CipherTrust Manager. So it is recommended to verify migration of CTE resources using the CTE reports.

copy link to clipboardVerifying Profiles Configuration

Every migrated client is linked with a profile (named profile_<dsm-hostname>_<dsm-domain-id>) on the CipherTrust Manager. The profile contains information related to client logs, Syslog settings, and QoS configuration. If multiple clients have the same configuration on the DSM, they are linked with a single profile on the CipherTrust Manager. The following mapping helps you verify migration of client logging, Syslog, and QoS configuration.

ResourceLocation on DSMLocation on CipherTrust Manager
Message TypeHosts > FS/VDE Agent LogNot displayed on the CipherTrust Manager GUI. You can verify them using the /v1/transparent-encryption/profiles APIs.
File Logging SettingsHosts > FS/VDE Agent LogProfiles > CLIENT LOGGING CONFIGURATION. Refer to Setting Client Log Configuration for details.
Syslog SettingsHosts > FS/VDE Agent LogProfiles > SYSLOG LOGGING CONFIGURATION. Refer to Setting Client Syslog Configuration for details.
Upload Logging SettingsHosts > FS/VDE Agent LogProfiles > CLIENT LOGGING CONFIGURATION. Refer to Setting Client Log Configuration for details.
Duplicate Message Suppression SettingsHosts > FS/VDE Agent LogProfiles > CLIENT LOGGING CONFIGURATION. Concise Logging settings are also displayed here. Refer to Setting Client Log Configuration for details.
LDT Quality of ServiceHosts > GuardPointsProfiles > QUALITY OF SERVICE CONFIGURATION. Refer to Setting Quality of Service Configuration for details.
QoS SchedulesHosts > GuardPointsProfiles > QUALITY OF SERVICE CONFIGURATION > QoS Settings. Refer to Setting Quality of Service Configuration for details.

After you have successfully verified the CTE resources, proceed to the next step.

copy link to clipboardRegister CTE Clients with the CipherTrust Manager

  1. Ensure that the LDT GuardPoints, if any, are unguarded before re-registration of the migrated CTE clients.

  2. Register your CTE clients with the CipherTrust Manager. Refer to CTE Agent Quick Start Guide specific to your platform for details.

Caution

  • When registering a CTE client with the CipherTrust Manager, you must provide exactly the same client name with which that client was registered with the DSM before migration.

  • Client names are case-sensitive, make sure that case-sensitivity is retained.

  • If a different name is provided, the CipherTrust Manager considers it as a new client. The configurations migrated from the DSM are not propagated to this new client on the CipherTrust Manager.

After the CTE clients are successfully registered with the CipherTrust Manager, the migrated configuration is propagated to the CTE clients.

copy link to clipboardVerify Access to GuardPoints

When the initialization of the CTE clients is successful and the configuration is pushed to them, verify whether the GuardPoints are accessible according to the enforced policies.

copy link to clipboardLimitations

CTE resources of Container policies on the DSM cannot be migrated to the CipherTrust Manager using the backup/restore method. The Container policies are supported only on the DSM.

On this page