Operations
This section provides information on operations that the DDC Administrator performs on the CipherTrust Manager.
Reconfiguring DDC Agents
In some situations, for example, if the hostname or IP address of the CipherTrust Manager appliance changes, Agents' connection with DDC must be reconfigured with the new hostname or IP address.
Reconfiguring DDC Agents on Windows
To reconfigure a DDC Agent:
Log on to the host machine as administrator.
Open Enterprise Recon Configuration Tool (er2_config_cmd.exe).
By default, the tool is available at C:\Program Files (x86)\Ground Labs\Enterprise Recon 2\.
In the Master server IP address or host name field, specify the new hostname or IP address of the CipherTrust Manager.
Click Test Connection. A message stating "Connectivity test is successful" confirms successful reconfiguration.
Click Finish.
Reconfiguring DDC Agents on Debian
To reconfigure a DDC Agent:
Log on to the host machine as a user with root privileges.
Reconfigure connection with DDC on the CipherTrust Manager appliance.
Here, <hostname|ip_address> represents the new IP address or hostname of the CipherTrust Manager appliance.
Restart the Agent service. Configuration settings will be effective after the Agent restarts.
Reconfiguring DDC Agents on RHEL
To reconfigure a DDC Agent:
Log on to the host machine as a user with root privileges.
Reconfigure connection with DDC on the CipherTrust Manager appliance.
Here, <hostname|ip_address> represents the new IP address or hostname of the CipherTrust Manager appliance.
Restart the Agent service. Configuration settings will be effective after the Agent restarts.
Tuning Scan Settings
You can customize system parameters for all the DDC Agents by using the ksctl tool. The following system parameters can be modified this way:
- Agent Memory (in MB)
- CPU used
- Throughput
The ksctl command for this is ksctl ddc settings scan modify.
Usage:
ksctl ddc settings scan modify [flags]
Flags:
Flag | Usage |
---|---|
--agent-memory int | Setting for the maximum memory usage that the scanner service can use on the agent host, in MB. Default 1024. |
-h, --help | help on the command's usage |
--jsonfile string | JSON format to create resources in DDC endpoints. |
--max-scan-throughput int | Max I/O rate the scanner service will use to read data from the data store, in MBps. Set to 0 for unlimited. Default 0. |
--scan-cpu string | CPU priority set for the agent used in the scan. The possible values are 'low' and 'normal'. Default 'low'. |
Global Flags:
Flag | Usage |
---|---|
--configfile string | Full path and name to a file that contains the configuration parameters (optional). |
--connection string | The friendly name of the server you want to authenticate against. (default "local_account") |
--domain string | The CipherTrust Manager Domain that the command will operate in. Can be used only with user/password and not with token. By default the command will operate in the root domain or the domain the user is logged-in. |
--jwt string | The JSON Web Token (JWT) - access token can be passed instead of user/password (optional). 'ksctl tokens create' creates a JWT. |
--nosslverify | Do not verify the certificate for SSL/HTTPS authentication (not recommended) |
--password string | CipherTrust Manager Server User Password. Do not use this flag to enter the password (masked) from terminal. |
--respfmt string | Response Output format (json is the only supported value at present, optional) (default "json") |
--timeout int | Timeout in seconds for TCP connection attempts |
--token string | The refresh token returned from the login command to be passed instead of user/password (optional). 'ksctl login' creates a token and writes it to the config file. |
--url string | CipherTrust Manager Server URL |
--user string | CipherTrust Manager Server User Name |
-v, --verbose | Provide verbose output while executing command (optional) |
Examples:
ksctl ddc settings scan modify --agent-memory 1024 --scan-cpu normal --max-scan-throughput 2
ksctl ddc settings scan modify --jsonfile scansettings.json
Warning
The ksctl ddc settings scan command will be deprecated in the coming release.
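A pre-flight check for the tuning command above, as an added example that is not part of the vendor documentation: it validates values against the documented flag constraints and rejects the `--nosslverify` global flag, which the table marks as not recommended. The function names, the rule that 0 MB of agent memory is invalid, and the rejection of an inline `--password` are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not vendor code): pre-flight checks for
# "ksctl ddc settings scan modify", based only on the flag tables above.

# build_scan_modify_cmd MEMORY_MB CPU_PRIORITY THROUGHPUT_MBPS
# Prints the command line if all values are valid, otherwise returns 1.
build_scan_modify_cmd() {
    _mem=$1 _cpu=$2 _tput=$3
    case $_mem in
        ''|*[!0-9]*) echo "agent-memory must be a whole number of MB" >&2; return 1 ;;
    esac
    # Assumption: a memory limit of 0 MB is treated as a mistake.
    [ "$_mem" -gt 0 ] || { echo "agent-memory must be greater than 0" >&2; return 1; }
    case $_cpu in
        low|normal) ;;
        *) echo "scan-cpu must be 'low' or 'normal'" >&2; return 1 ;;
    esac
    case $_tput in
        ''|*[!0-9]*) echo "max-scan-throughput must be >= 0 (0 = unlimited)" >&2; return 1 ;;
    esac
    printf 'ksctl ddc settings scan modify --agent-memory %s --scan-cpu %s --max-scan-throughput %s\n' \
        "$_mem" "$_cpu" "$_tput"
}

# audit_global_flags ARGS...
# Returns 1 if ARGS disable TLS verification or carry the password inline.
# The --password check is a local policy assumption: arguments are visible
# in shell history and the process list.
audit_global_flags() {
    _rc=0
    for _arg in "$@"; do
        case $_arg in
            --nosslverify)
                echo "refusing --nosslverify: server certificate is not verified" >&2
                _rc=1 ;;
            --password|--password=*)
                # Print only the flag name, never its value.
                echo "refusing ${_arg%%=*} on the command line" >&2
                _rc=1 ;;
        esac
    done
    return $_rc
}

# Constructed sample input, matching the first documented example.
build_scan_modify_cmd 1024 normal 2
```

Review the printed command line before running it; the script itself never invokes ksctl.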
Restarting DDC Agents
Restarting Agents on Windows
To restart a DDC Agent, run the following commands:
Here, <ARCH> represents the Windows architecture - x32 or x64.
Restarting Agents on Debian
To restart a DDC Agent, run:
Alternatively, restart the Agent service manually by stopping it and then starting it again. Run the following commands:
Restarting Agents on RHEL
To restart a DDC Agent, run:
Alternatively, restart the Agent service manually by stopping it and then starting it again. Run the following commands:
TDPaaS Retention Policy
A retention policy allows you to store data on the cloud TDP (TDPaaS) for a definite amount of time. This feature is useful if there is a need to delete the stored information after a definite amount of time to comply with some regulations and policies.
After the retention policy is enabled, information removal is automatically handled by DDC through scrub jobs. The scrub jobs operate automatically at regular intervals, and you can view the complete details on the Operations tab. The scrubbing process clears the scan executions and reports from the cloud storage and CipherTrust Manager database, ensuring they don't show up in the list of executions.
Note
The Operations tab will appear empty if TDPaaS is not onboarded.
After the scrub job is completed, scrubbed data is no longer accessible for report generation or scan executions, and it can't be restored.
Note
A retention policy is only available when TDPaaS is provisioned. Refer to TDPaaS Deployment Guide to learn how to provision TDPaaS.
Key Features
- Enable/Disable Flexibility: Activate or deactivate the Retention Policy at any time.
- Automatic Scrubbing Jobs: Scrubbing jobs operate automatically at regular intervals to effectively manage data.
- Retention Period: Flexibility to select the retention duration in the range of 3 to 60 months. If the retention period exceeds 60 months, it's recommended to avoid enabling the retention policy.
- Data Management: The scrubbing job removes scan executions and reports from the cloud storage and the CipherTrust Manager database, ensuring they are no longer visible in the execution list.
- View Job Details: Access information about scrub jobs, including:
  - Execution ID - Displays the execution ID of the scrub job.
  - Execution Started - Displays the timestamp when scrub job execution started.
  - Duration - Displays the duration of the scrub job execution.
  - Status - Displays the current status.
  - Space Freed - Displays the amount of space freed from cloud storage and CipherTrust Manager databases in MBs.
  - Retention Period - Displays the retention period in months.
- Filtering Options: Filter scrub job data based on the status of job executions and chosen date ranges.
Enabling Retention Policy
Log on to CipherTrust Manager.
Go to Settings > Cloud Management.
Select the Retention Policy tab.
Turn on the Retention Policy toggle.
Enter Retention Period in the range of 3 to 60 months. By default, it is set to 12 months.
Click Apply.
Note
If you enable Retention Policy and switch back to on-prem TDP, then Retention Policy doesn't disable automatically but remains ineffective.
Viewing Scrub Job Executions
After enabling the retention policy:
Go to the Operations tab.
This tab displays all scrub job executions up to the current date. Scrub jobs run automatically at a reasonable frequency.
Use the date filter to narrow down job executions to a specific date range.
Use the status filter to filter job executions as per Running, Completed, or Failed statuses.