Migrating CTE Configuration from Data Security Manager

This section describes the steps to migrate the configuration of CTE resources from a Data Security Manager (DSM) to a CipherTrust Manager.

Before proceeding with migration, note that the password generation method of all clients and client groups is set to Generate after migration. If required, you can change the password method after migration.

Prerequisites

  • A sufficient number of CipherTrust Transparent Encryption (CTE) licenses is available on the CipherTrust Manager for clients to register successfully. For example, if you want to migrate 100 clients from the Data Security Manager (DSM), then at least 100 CTE licenses must be free on the CipherTrust Manager. Refer to CTE Licensing Model for details.

  • DSM is up and running at the supported version. Refer to DSM documentation for details.

  • A supported CTE version is configured with a supported DSM version. Refer to the CTE Agent Quick Start Guide specific to your platform for details.

If you are running an unsupported version, upgrade your environment to the supported version before proceeding. Refer to the corresponding product documentation for upgrade instructions.

Supported Versions

Current Setup

Product | Version
------- | ----------------
CTE     | 7.1 and higher
DSM     | 6.4.5 and higher

Target Setup

Product             | Version
------------------- | --------------
CTE                 | 7.1 and higher
CipherTrust Manager | 2.4 and higher

Supported Resources

CipherTrust Manager supports migration of the following CTE resources from a DSM backup file:

  • Clients and client GuardPoints from the same domain

  • Client groups and client group GuardPoints from the same domain

  • Clients and client group associations

  • User sets, resource sets, process sets, signature sets, and signatures

  • Standard, Cloud Object Storage (COS), and In-place Data Transformation (IDT) policies

  • Client logging, upload logging, and Syslog settings

  • LDT Quality of Service (QoS) and QoS schedules

Clients on the CipherTrust Manager are equivalent to hosts on the DSM.

Steps

To migrate the CTE configuration from the DSM to the CipherTrust Manager:

  1. Export and Import the Backup File

  2. Verify Details of Migrated CTE Resources

  3. Register CTE Clients with the CipherTrust Manager

  4. Verify Access to GuardPoints

Export and Import the Backup File

Export and import the backup file. Refer to Exporting and Importing the Backup File for details.

To minimize interruption of CTE client access to CTE keys, include the optional parameter auto-cte-groups with the ksctl migrations apply import command. This parameter automatically detects CTE keys and grants permission to access these keys to members of the CTE Clients group on CipherTrust Manager.

After migration, verify that the DSM keys are successfully migrated into the CipherTrust Manager domain.

Verify Details of Migrated CTE Resources

On the CipherTrust Manager GUI, verify details of the migrated CTE resources.

The migrated resources can also be verified using the CTE reports available on the DSM and the CipherTrust Manager. Reports provide a comprehensive view of the migrated resources.

  • A number of reports are available for the combination of clients, policies, GuardPoints, and encryption keys. Use these reports to match and verify the number of resources and their types on the DSM and the CipherTrust Manager.

  • Both the DSM and the CipherTrust Manager provide options to download reports in CSV format. If needed, you can automate resource verification by parsing and comparing the report content.

Here is a mapping of CTE reports on the DSM and CipherTrust Manager to help verify migrated resources.

Resource    | DSM Report                   | CipherTrust Manager Report
----------- | ---------------------------- | -------------------------------
Clients     | Hosts                        | Clients Health Report
Policies    | Policy Key                   | Policies Keys Report
Policies    | Policy Host                  | Clients Policies Report
GuardPoints | GuardPoints                  | GuardPoints Report
GuardPoints | Hosts with GuardPoint Status | Client GuardPoint Status Report
Keys        | Keys                         | Clients Keys Report
Keys        | Keys-Policy                  | Policies Keys Report

Refer to Reports for details on CTE reports available on the CipherTrust Manager. Refer to the DSM online help for details on CTE reports available on the DSM.
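The CSV comparison described above, as an added example that is not part of the original page or of any Thales tooling: it parses a DSM report export and its CipherTrust Manager counterpart, compares the resource names case-sensitively (client names are case-sensitive on the CipherTrust Manager), and flags names that exist on only one side. The sample CSV content and the "name" and "client_name" column headers are constructed assumptions; substitute the headers of your actual report exports.

```python
import csv
import io

# Constructed sample exports. The real DSM "Hosts" report and the CipherTrust
# Manager "Clients Health Report" use their own column headers; the "name" and
# "client_name" headers below are assumptions made for this example.
DSM_HOSTS_CSV = """name,os_type,domain
web01,Linux,corp
DB01,Windows,corp
app02,Linux,corp
"""

CM_CLIENTS_CSV = """client_name,os_type,health
web01,Linux,healthy
db01,Windows,healthy
app02,Linux,healthy
batch09,Linux,healthy
"""


def names_from_csv(csv_text, column):
    """Return the set of names in one column of a CSV report, kept exactly as
    exported: client names are case-sensitive, so "DB01" != "db01"."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row[column].strip() for row in reader if row.get(column)}


def compare_reports(dsm_csv, dsm_column, cm_csv, cm_column):
    """Compare a DSM report with its CipherTrust Manager counterpart.

    Reports the counts on each side, names present only on the DSM (not
    migrated, or registered under another name), names present only on the
    CipherTrust Manager, and case-only mismatches, which usually mean a
    client was registered with the wrong name after migration."""
    dsm = names_from_csv(dsm_csv, dsm_column)
    cm = names_from_csv(cm_csv, cm_column)
    only_dsm, only_cm = dsm - cm, cm - dsm
    cm_by_lower = {n.lower(): n for n in only_cm}
    case_mismatch = {n: cm_by_lower[n.lower()]
                     for n in only_dsm if n.lower() in cm_by_lower}
    return {"dsm_count": len(dsm), "cm_count": len(cm),
            "only_on_dsm": sorted(only_dsm), "only_on_cm": sorted(only_cm),
            "case_mismatch": case_mismatch}


if __name__ == "__main__":
    result = compare_reports(DSM_HOSTS_CSV, "name", CM_CLIENTS_CSV, "client_name")
    for key, value in result.items():
        print(f"{key}: {value}")
```

The same function can be pointed at the GuardPoints or Keys report pairs from the mapping table by passing the respective name columns.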

Verifying GuardPoints Configuration

GuardPoints that are applied to a client through a client group are created in the background. The migration request returns as soon as the request parameters pass initial validation, and migration proceeds with other operations while these GuardPoints are still being created.

In some cases, creation of certain GuardPoints might fail later in the background for various reasons. Errors that occur in the background are not reflected in the migration status; they are recorded in the audit records of the CipherTrust Manager. It is therefore recommended to verify the migration of CTE resources using the CTE reports.

Verifying Profiles Configuration

Every migrated client is linked with a profile (named profile_<dsm-hostname>_<dsm-domain-id>) on the CipherTrust Manager. The profile contains information related to client logs, Syslog settings, and QoS configuration. If multiple clients have the same configuration on the DSM, they are linked with a single profile on the CipherTrust Manager. The following mapping helps you verify migration of client logging, Syslog, and QoS configuration.

Resource                               | Location on DSM          | Location on CipherTrust Manager
-------------------------------------- | ------------------------ | -------------------------------
Message Type                           | Hosts > FS/VDE Agent Log | Not displayed on the CipherTrust Manager GUI. You can verify them using the /v1/transparent-encryption/profiles APIs.
File Logging Settings                  | Hosts > FS/VDE Agent Log | Profiles > CLIENT LOGGING CONFIGURATION. Refer to Setting Client Log Configuration for details.
Syslog Settings                        | Hosts > FS/VDE Agent Log | Profiles > SYSLOG LOGGING CONFIGURATION. Refer to Setting Client Syslog Configuration for details.
Upload Logging Settings                | Hosts > FS/VDE Agent Log | Profiles > CLIENT LOGGING CONFIGURATION. Refer to Setting Client Log Configuration for details.
Duplicate Message Suppression Settings | Hosts > FS/VDE Agent Log | Profiles > CLIENT LOGGING CONFIGURATION. Concise Logging settings are also displayed here. Refer to Setting Client Log Configuration for details.
LDT Quality of Service                 | Hosts > GuardPoints      | Profiles > QUALITY OF SERVICE CONFIGURATION. Refer to Setting Quality of Service Configuration for details.
QoS Schedules                          | Hosts > GuardPoints      | Profiles > QUALITY OF SERVICE CONFIGURATION > QoS Settings. Refer to Setting Quality of Service Configuration for details.

After you have successfully verified the CTE resources, proceed to the next step.

Register CTE Clients with the CipherTrust Manager

Register your CTE clients with the CipherTrust Manager. Refer to CTE Agent Quick Start Guide specific to your platform for details.

  • When registering a CTE client with the CipherTrust Manager, you must provide exactly the same client name with which that client was registered with the DSM before migration.

  • Client names are case-sensitive; make sure that the case of the name is retained.

  • If a different name is provided, the CipherTrust Manager treats it as a new client. The configuration migrated from the DSM is not propagated to this new client on the CipherTrust Manager.

After the CTE clients are successfully registered with the CipherTrust Manager, the migrated configuration is propagated to the CTE clients.

Verify Access to GuardPoints

When the initialization of the CTE clients is successful and the configuration is pushed to them, verify whether the GuardPoints are accessible according to the enforced policies.

Limitations

  • CTE resources of LDT, Efficient Storage, and Container policies on the DSM cannot be migrated to the CipherTrust Manager 2.5 using the backup/restore method. The Container policies are supported only on the DSM. Migration of LDT and Efficient Storage resources will be supported in a future release. However, the LDT resources can be manually created on the CipherTrust Manager.

  • Make sure that the GuardPoints and the clients on which they apply exist in the same domain. Migration of GuardPoints and clients residing in different domains is not supported.

  • If the SecureStart setting and the status of a client group GuardPoint are modified on an individual client on the DSM, they are not reflected correctly on that client after migration. For example, if a GuardPoint is enabled on a client group on the DSM but disabled on one of its clients, then after migration the status of the GuardPoint on that client becomes enabled.

    These settings need to be updated manually on the client after migration.