System Configuration Utility
The CipherTrust Manager has a CLI-based System Configuration Utility (kscfg). The ksadmin user can access the kscfg utility remotely in a private cloud deployment through the console, or in a physical appliance deployment by connecting directly to the appliance's console port, in both cases authenticating with the ksadmin password.
Logging in as ksadmin user
To log in as ksadmin, you must first connect to the CipherTrust Manager console.
To connect and log in to the console for public cloud deployments
Consult public cloud documentation on SSH access to images. An SSH key for ksadmin login was provided during Virtual CipherTrust Manager launch on a supported public cloud.
To connect and log in to the console for private cloud deployments
Using SSH, you can remotely connect to the console port of a CipherTrust Manager instance deployed in a private cloud (e.g., VMware vSphere and Hyper-V).
Using an SSH utility (e.g. PuTTY) select an SSH session and enter the IP address assigned to the CipherTrust Manager instance during deployment. This is the same IP address used to browse to the GUI.
If using PuTTY, make sure your SSH keys are in ppk format. If they are in PEM format, you can convert them to ppk (e.g., using PuTTYgen utility).
Using the SSH utility, select the path to your SSH Private Key you will use to authenticate the session.
Select Open to start the SSH session.
To connect and log in to the console (for physical appliance deployments)
Using a serial cable, you can directly connect your console device (e.g., laptop) to the console port of a physical appliance (k470 and k570).
Connect the serial cable from your console device to the physical appliance console port.
Log in to the physical appliance as the ksadmin user using the password you created during Appliance Initialization; refer to Appliance Initialization.
Using the kscfg utility
The CipherTrust Manager kscfg utility can be used to retrieve network interface (NIC) configurations and values, and to perform a hard system reset or a factory reset.
All configurable network interfaces are always listed and are the same as those available from standard Linux network interface utilities such as ip, ifconfig, and nmcli. The network interface names from kscfg match the network interface names from the operating system.
A network interface contains two configurable families: inet (IPv4) and inet6 (IPv6). Their methods are:
- "none": the network family is disabled.
- "dhcp": use DHCP to automatically acquire a network address ("auto" might be preferred for IPv6).
- "static": statically set a network address.
- "auto": automatically set up IPv6 from the network environment (IPv6 only).
Commands
To view the available kscfg commands
Example:
kscfg --help
Response:
Command-line interface application for configuring the CipherTrust Manager.
Usage:
kscfg [command]
Available Commands:
cluster Cluster configuration
cluster-report Cluster report generation, used for analyzing/diagnosing cluster issues
help Help about any command
hsm Manage HSM configurations
net CipherTrust Manager network configuration
syslog Manage syslog forward configurations
system CipherTrust Manager system commands
Flags:
-h, --help Help for kscfg
-v, --verbose Provide verbose output while executing command (optional)
SSH Port Configuration
To get the current SSH port
Example:
kscfg system ssh get
Response:
{
"Port":"22"
}
To set the SSH port
Usage
kscfg system ssh set [flags]
Flags:
-h, --help Help for set
--port string Specify the SSH port
Example:
kscfg system ssh set --port 9001
Response:
{
"Port":"9001"
}
Generate a Cluster Report
Generate a cluster report for detailed information about the current cluster node's health and activity to help troubleshoot issues. A tar.bz2 file is returned, which you can then move to a different system to unpack. You cannot unpack the resulting tar.bz2 file locally.
For routine monitoring, we recommend cluster status displays available in CipherTrust Manager's GUI, CLI, and REST API.
Usage:
kscfg cluster-report [flags]
Flags:
-h, --help Help for cluster-report
Example:
kscfg cluster-report
Response:
Cluster data collection completed:
/home/ksadmin/edb-lasso-report-f9fff38b311a-5432-20241018-182049-70056a8ec058bf145174a2efaec6b6e3.tar.bz2
Cluster Allowlist Configuration
To configure the list of IPs that are allowed to the cluster port 5432, refer to Cluster Allowlist.
Network Configuration
To list the available network interfaces
Example:
kscfg net interfaces list
Response:
{
"skip": 0,
"limit": 0,
"total": 3,
"resources": [
{
"name": "eth0",
"inet": {
"method": "static",
"ip": "10.121.105.137",
"netmask": "255.255.252.0",
"gateway": "10.121.104.1",
"dns": [
"172.16.2.12"
]
},
"inet6": {
"method": "none"
}
},
{
"name": "eth1",
"inet": {
"method": "dhcp",
"ip": "10.121.105.81",
"netmask": "255.255.252.0",
"gateway": "10.121.104.1",
"dns": [
"172.16.2.12",
"10.121.8.7",
"172.16.2.13"
]
},
"inet6": {
"method": "none"
}
},
{
"name": "eth2",
"inet": {
"method": "none"
},
"inet6": {
"method": "none"
}
}
]
}
To view information on a specific network interface
Usage:
kscfg net interfaces get [flags]
Flags:
-h, --help Help for get
-n, --name string Name for the network interface, for example, 'enp0s25'
Example:
kscfg net interfaces get -n eth0
Response:
{
"name": "eth0",
"inet": {
"method": "static",
"ip": "10.121.105.137",
"netmask": "255.255.252.0",
"gateway": "10.121.104.1",
"dns": [
"172.16.2.12"
]
},
"inet6": {
"method": "none"
}
}
To modify the configuration of a specific network interface
Caution
This operation has been deprecated. Please use NetworkManager's nmcli tool to modify a network interface's configuration; refer to: Network Configuration Tutorial.
Usage:
kscfg net interfaces modify [flags]
Flags:
-d, --dhcp Use DHCP for the network interface. Deprecated - use "method" instead.
-r, --dns string IP addresses of the DNS servers (comma separated), or "" to unset and use entries in /etc/resolv.conf.
--force-gateway string Force system default gateway update, i.e. overwrite system default gateway when this device is brought up. By
default a network interface will only set the system default gateway if is not already set. This feature can be
used to force a specific network interface to be used for outgoing traffic initiated from the machine itself. Set
to "yes" to enable and "no" to disable.
-g, --gateway string Default gateway, or "" to unset.
-h, --help Help for modify
-4, --inet Use IPv4 for the network interface. (default true)
-6, --inet6 Use IPv6 for the network interface.
-i, --ipaddress string Static IP Address.
-e, --method string Method for obtaining an IP. Accepted inet values are dhcp, none, or static; inet6 values are auto, dhcp, none, or static. (default "static")
-n, --name string A network interface name such as 'enp0s25'.
-m, --netmask string Subnet mask. IPv4 must be an IP (e.g. 255.255.255.0). IPv6 must be the number of bits (e.g. 64).
Example:
kscfg net interfaces modify --name eth0 --ipaddress 10.121.105.27 --netmask 255.255.252.0 --gateway 10.121.104.1 --dns 172.16.2.12
Response:
{
"name": "eth0",
"inet": {
"method": "static",
"ip": "10.121.105.27",
"netmask": "255.255.252.0",
"gateway": "10.121.104.1",
"dns": [
"172.16.2.12"
]
},
"inet6": {
"method": "none"
}
}
Forward Host Logs to an External Syslog Server
Note
This is a different connection than the syslog server configuration used to forward audit records.
The host logs available to forward include:
- Messages in the auth.log and authpriv.log syslog facilities.
- Messages with the CLOUDINIT tag.
- Messages from the host-daemon, sshd, smartd, ipmievd, ks_support, and sudo programs.
- A subset of messages from kernel: messages from iptables, apparmor, usb, usbcore, usbhid, usb-storage, and IPMI are sent.
The displayed log filenames and destination directory on the syslog server depend on the server's configuration.
The host logs are also included as part of the downloadable debug logs tar.gz.zip.
You can also use kscfg syslog forwarder commands to forward the host logs to a remote syslog server.
To add a remote syslog server
The only required flag is server.
We recommend setting TLS for the new syslog forwarder configuration transport protocol. A trusted certificate authority (CA) certificate is required for TLS transport. This is a CA which directly or indirectly signs the syslog server certificate. If you desire mutual authentication, where the syslog server verifies CipherTrust Manager, you can provide a client certificate and client key.
If you do not specify a transport protocol, the value udp is applied. With udp, log messages are limited to a size of 1024 bytes; anything beyond this size is truncated from the log message.
Usage:
kscfg syslog forwarder add [flags]
Flags:
--client-cert string Syslog client certificate.
--client-cert-file string Syslog client certificate file. Alternative way to provide client certificate.
--client-key string Syslog client key.
--client-key-file string Syslog client key file. Alternative way to provide client key.
-h, --help Help for add
-p, --port int Syslog remote server port. Default value for 'udp', 'tcp' and 'tls' are 514, 601 and 6514 respectively.
-q, --queue int Syslog size of queue for messages for forwarding to remote server, default 10000.
-r, --retry int Syslog send retry count for forwarding to remote server, default 120 times.
-s, --server string Syslog remote server hostname or IP address. Required.
-t, --transport string Syslog remote server transport protocol. Supported transport protocols are 'udp', 'tcp' and 'tls'.
--trusted-ca string Syslog remote server trusted CA certificate. Required for tls transport.
--trusted-ca-file string Syslog remote server trusted CA certificate file. Alternative way to provide CA certificate.
Example:
kscfg syslog forwarder add --server 1.1.1.1 --client-cert-file client-cert.pem --client-key-file client-key --trusted-ca-file ca-file.pem --transport tls
Response:
{
"id": "c7619208-860e-4f78-ab34-859e496090ac",
"server-host": "1.1.1.1",
"port": 6514,
"transport": "tls",
"retry-count": 120,
"queue-size": 10000,
"trusted-ca": "-----BEGIN CERTIFICATE-----\nMIIEwTCCAymgAwIBAgIIYmLF5CG+O/4wDQYJKoZIhvcNAQELBQAwbDEgMB4GA1UE\nAxMXcnN5c2xvZy50aGFsZXNncm91cC5jb20xDDAKBgNVBAsTA0NQTDEPMA0GA1UE\nChMGVGhhbGVzMQ8wDQYDVQQHEwZBdXN0aW4xCzAJBgNVBAgTAlRYMQswCQYDVQQG\nEwJVUzAeFw0yMjA0MjIxNTEyMzdaFw0zMjA0MjAxNTEyNDVaMGwxIDAeBgNVBAMT\nF3JzeXNsb2cudGhhbGVzZ3JvdXAuY29tMQwwCgYDVQQLEwNDUEwxDzANBgNVBAoT\nBlRoYWxlczEPMA0GA1UEBxMGQXVzdGluMQswCQYDVQQIEwJUWDELMAkGA1UEBhMC\nVVMwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDEGGVs3IpvFcGk7E75\nGD8GbWh3y8QrRWDSkGbjtYA/UDFESgd2cYK8tAimXYxYaCqYQ8Pk3n4YCzeYdtWr\nmMuDvlrOZzNChkMtnuBfDq2xxaLV1sw7ideSbhRs7b7wST0s2ZaaTZlBUm98kLa4\nfomhA21XfecKwIduN3mVYz8tv2wvGnz5LUA/VwQelMINJimnRFqjSlIdDnss4vZb\nMXJIUBcjGeCwHBKMx6iO+W8t4tVP2LHNEHal6+P1bYYP47SA4AaZKcCrajpDMJDh\nDAes0rFIhl4mr2s/F+OFOUWEPKWTzE9hgZJoOAyu+fjINR6nMim1rppnO56kLG3o\nLjWWR1CCwStHVL00RaQSShlGFwKEDym86sp4lb4Wq7YgAE2BM5F0QhqpSAsnp8sn\nKRYmgOuuak/YZXSSN6DBLdDAvlU7nnh9l4QVvmV+arzlRKarpSDGusThQfHxmAGe\nYLT2e6ImAkaT3qidweVFvVroAzlxVTcd0YWoqkhO389MsxECAwEAAaNnMGUwDwYD\nVR0TAQH/BAUwAwEB/zAiBgNVHREEGzAZghdyc3lzbG9nLnRoYWxlc2dyb3VwLmNv\nbTAPBgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBTMv+bTbkR0nBUoO7o0fazL6X4h\njzANBgkqhkiG9w0BAQsFAAOCAYEAIjRlWUC9eTKkCR9k7mIwE6sjLkQqQo9CEEqX\nJhT5FChvxK/TlLb427a3B1glpo0DXXcOt/lA71zz69vg3FOlDNhP8ggIucl6qV+c\nG5eDIzV1XLPOIeyXmImg++/jojtofMJEciYyU0IGQ+3+2rKl3+4F8+yZQBRopP0b\nao9BD/IKH913NSKodkrivn5LSZqdOYi+yiFYUTPe1XA1OnI89E2xH4ZaX0g5Sxxw\nqWFu3LXrJUd9HQp6I7hvSHPtByPEWnj1WEVpdlXNuTRZl9Qewp+F2/4xiA0idftU\nySQlgX9teCgOwn4/TTxgy6v/kWhWJncMus0T71hUatgATQhqvkz/RH8ucNoKIDKl\nYezuXywR6To5/9SyhU4/z4etCMp+PJH8DQmiYQJB6xRvrNgS6dCbcYL4pWXuXCkv\nivzyv/K/G+7PHhgNLLxUZcKzpdxlaSTmtkxhgqwZ7nl/xX+ocrZLjohKHBFbFWLR\nSN09lRQcs7RbEpX/HDlIoOzok4KO\n-----END CERTIFICATE-----\n",
"client-cert": "-----BEGIN CERTIFICATE-----\nMIIEbTCCAtWgAwIBAgIIYmL8wAp4ZjgwDQYJKoZIhvcNAQELBQAwbDEgMB4GA1UE\nAxMXcnN5c2xvZy50aGFsZXNncm91cC5jb20xDDAKBgNVBAsTA0NQTDEPMA0GA1UE\nChMGVGhhbGVzMQ8wDQYDVQQHEwZBdXN0aW4xCzAJBgNVBAgTAlRYMQswCQYDVQQG\nEwJVUzAeFw0yMjA0MjIxOTA2NDFaFw0yNTAxMTYxOTA2NDVaMGsxHzAdBgNVBAMT\nFmNsaWVudC50aGFsZXNncm91cC5jb20xDDAKBgNVBAsTA0NQTDEPMA0GA1UEChMG\nVGhhbGVzMQ8wDQYDVQQHEwZBdXN0aW4xCzAJBgNVBAgTAlRYMQswCQYDVQQGEwJV\nUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKfb1Oz+tul2Grxz/J2x\n1MBIOjiHJj+d74Bi0VfTZ/xHMCw5pf6xI3AXVw+hukh/qHM0qAZ1yyOm8PZ155oP\nTuN62c1ZwkV2c0XvHrjpbK9iIF4zP0y+X23B3eQt7XE3zIiaPmF5+CAMWgPXM1ZR\nHyE5qhT7wpGGtNsRVWYepz0XTbPwRdFZe8IeMXIrfiLlONJCLX9ueqR1Ec73QK/e\n4SVDJHvNwuzXo1BFRnVh+mLjQFmA+GVsYw61cbn2tT5T+1lrpPd7ZhZ7AI2XX6T9\nua3oZXwHNJ9m8Zh+H+qOj4IR/zKZjKszHn8wVBJlSZZ8ieXoVpzp+VHbMG1wVqJo\nBLECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMC\nBggrBgEFBQcDATAhBgNVHREEGjAYghZjbGllbnQudGhhbGVzZ3JvdXAuY29tMB0G\nA1UdDgQWBBS/vJGs7udewv1Lz2/G8T4hbjQn5TAfBgNVHSMEGDAWgBTMv+bTbkR0\nnBUoO7o0fazL6X4hjzANBgkqhkiG9w0BAQsFAAOCAYEAnPvw1qon5fusz+HJpXf8\nD0f4XzEcQf3MWGl1KyoTv43w+4cFH+32pi67fTb0Yu3F8AwbzM0G7WilIuIbfaDU\nh+Sy/XuczdAH2mJ2bhffRqaUD9/53WuMcuqLWj1TIQaUuf39nO6e9AGHTPLvT6ce\nJ0IAi4MR3Y00a+gJ6MeN/GFhbr3eHPveDSMVrKkaPemxO4cpz05SeTDtRobioPSq\nyBUtAYwr4g76mtHZGVvYP2+xgMC6vIuxMOZGfWuS78YT2tJ6Ubdsch5m86ZhkvTD\nGVYHKAHrMnIStzEI0r4+BodKm+zMnRsW0pHQMES9brB457GNXU8tl36K+v11n98F\nxX8jn8g//xX7ughI8mhtrmuHhlR9LIDUqW6fjeSym0dU24c1/n3/gfgRNgVAXCY+\n1Hh7oIYU/fvTzH7GFFOzBdbTmefKLJQ44M0BBZL9w9TSVzgRPPNDuihw+6L5X0cZ\nj9UYX/4b1RLVk9yC+NfgBbiiD6NU49vF6kNnjrvgDE5L\n-----END CERTIFICATE-----\n"
}
To delete a remote syslog server
Usage:
kscfg syslog forwarder delete [flags]
Flags:
-h, --help Help for delete
-i, --id string Syslog forwarder ID. Required.
Example:
kscfg syslog forwarder delete --id 3ac704de-0701-401b-a742-d6e262673505
Response:
There is no response for successful execution of this command.
View a syslog forward configuration
To view a remote syslog server
Usage:
kscfg syslog forwarder get [flags]
Flags:
-h, --help Help for get
-i, --id string Syslog forwarder ID. Required.
Example:
kscfg syslog forwarder get --id 3ac704de-0701-401b-a742-d6e262673505
Response:
{
"id": "3ac704de-0701-401b-a742-d6e262673505",
"server-host": "1.1.1.1",
"port": 514,
"transport": "tcp",
"retry-count": 120,
"queue-size": 10000
}
To view all syslog forward configurations
Usage:
kscfg syslog forwarder list [flags]
Flags:
-h, --help Help for list
Example:
kscfg syslog forwarder list
Response:
{
"skip": 0,
"limit": 10,
"total": 1,
"resources": [
{
"id": "3ac704de-0701-401b-a742-d6e262673505",
"server-host": "1.1.1.1",
"port": 514,
"transport": "tcp",
"retry-count": 120,
"queue-size": 10000
}
]
}
To update a remote syslog server
Usage:
kscfg syslog forwarder modify [flags]
Flags:
--client-cert string Syslog client certificate.
--client-cert-file string Syslog client certificate file. Alternative way to provide client certificate.
--client-key string Syslog client key.
--client-key-file string Syslog client key file. Alternative way to provide client key.
-h, --help Help for add
-i, --id string Syslog forwarder ID. Required.
-p, --port int Syslog remote server port. Default value for 'udp', 'tcp' and 'tls' are 514, 601 and 6514 respectively.
-q, --queue int Syslog size of queue for messages for forwarding to remote server, default 10000.
-r, --retry int Syslog send retry count for forwarding to remote server, default 120 times.
-s, --server string Syslog remote server hostname or IP address. Required.
-t, --transport string Syslog remote server transport protocol. Supported transport protocols are 'udp', 'tcp' and 'tls'.
--trusted-ca string Syslog remote server trusted CA certificate. Required for tls transport.
--trusted-ca-file string Syslog remote server trusted CA certificate file. Alternative way to provide CA certificate.
Example:
kscfg syslog forwarder modify --id 3ac704de-0701-401b-a742-d6e262673505 --transport tcp
Response:
{
"id": "3ac704de-0701-401b-a742-d6e262673505",
"server-host": "1.1.1.1",
"port": 514,
"transport": "tcp",
"retry-count": 120,
"queue-size": 10000
}
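The transport and port rules above (udp applied by default, udp truncation at 1024 bytes, a trusted CA required for tls, per-transport default ports 514/601/6514) can be checked mechanically against the JSON that kscfg syslog forwarder list prints. The audit below is an added example, not code from the CipherTrust Manager product; it assumes the list output carries the same fields as the add response shown above (including trusted-ca and client-cert when tls is configured), and the sample records are constructed with placeholder ids, hosts and PEM text.

```python
import json

# Defaults stated in the kscfg flag help: udp 514, tcp 601, tls 6514.
DEFAULT_PORTS = {"udp": 514, "tcp": 601, "tls": 6514}
# The page states that udp truncates log messages above this size.
UDP_MAX_MESSAGE_BYTES = 1024


def audit_forwarder(fwd):
    """Return (severity, finding) tuples for one forwarder record.

    Severities are "info", "warn" and "error"; an empty list means the
    record matches the recommended configuration (tls with a trusted CA).
    """
    findings = []
    # kscfg applies udp when no transport is given.
    transport = fwd.get("transport", "udp")
    if transport not in DEFAULT_PORTS:
        return [("error", f"unsupported transport {transport!r}")]
    if transport != "tls":
        findings.append(("warn", f"{transport} forwards host logs without encryption; prefer tls"))
    if transport == "udp":
        findings.append(("warn", f"udp truncates messages longer than {UDP_MAX_MESSAGE_BYTES} bytes"))
    if transport == "tls":
        if not fwd.get("trusted-ca"):
            findings.append(("error", "tls transport without a trusted CA certificate"))
        if not fwd.get("client-cert"):
            findings.append(("info", "no client certificate: the server cannot authenticate CipherTrust Manager"))
    port = fwd.get("port")
    if port != DEFAULT_PORTS[transport]:
        findings.append(("info", f"port {port} is not the {transport} default "
                                 f"{DEFAULT_PORTS[transport]}; confirm the server listens there"))
    return findings


def audit_forwarder_list(list_json):
    """Audit the JSON printed by 'kscfg syslog forwarder list', keyed by forwarder id."""
    doc = json.loads(list_json)
    return {r["id"]: audit_forwarder(r) for r in doc.get("resources", [])}


# Constructed sample in the shape of 'kscfg syslog forwarder list' output
# (ids, hosts and PEM text are placeholders, not values from a real system).
SAMPLE_LIST_OUTPUT = json.dumps({
    "skip": 0, "limit": 10, "total": 3,
    "resources": [
        {"id": "fwd-tcp", "server-host": "192.0.2.10", "port": 514,
         "transport": "tcp", "retry-count": 120, "queue-size": 10000},
        {"id": "fwd-udp", "server-host": "192.0.2.11", "port": 514,
         "transport": "udp", "retry-count": 120, "queue-size": 10000},
        {"id": "fwd-tls", "server-host": "192.0.2.12", "port": 6514,
         "transport": "tls", "retry-count": 120, "queue-size": 10000,
         "trusted-ca": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
         "client-cert": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"},
    ],
})

if __name__ == "__main__":
    for fwd_id, findings in audit_forwarder_list(SAMPLE_LIST_OUTPUT).items():
        print(fwd_id, findings or "ok")
```

Note that the modify example above (transport switched to tcp while the port stays at 514) is exactly the case the port check reports, since changing the transport does not move the port to the new transport's default.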
Entropy Source
The kscfg system entropy-source command can be used to configure the entropy source.
This command sets the entropy source that CipherTrust Manager uses for random number generation. The entropy source can be one of AUTO, RDSEED, RDRAND, DEV_URANDOM, or RNGD_DEV_RANDOM. The default is AUTO, in which CipherTrust Manager tries to use the best entropy source available on the system: RDSEED, RDRAND, RNGD_DEV_RANDOM, or DEV_URANDOM, in that order. If CipherTrust Manager is configured to use an HSM, AUTO defaults to using the HSM as the entropy source.
RDSEED and RDRAND are CPU instructions and may not be available on all host CPUs. RNGD_DEV_RANDOM also relies on the RDRAND instruction being available on the host CPU. When the entropy source is set to RDRAND (or RDSEED), CipherTrust Manager reads directly from RDRAND (or RDSEED) to seed the DRBG. When RNGD_DEV_RANDOM is set as the entropy source, the rngd daemon reads from RDRAND and mixes it into the /dev/random entropy pool, which is then used to seed the DRBG.
Caution
If the configured entropy source is unavailable on the system, all CipherTrust Manager services are unavailable. So, if the entropy source is not set to AUTO, make sure that the entropy source is available on the host. For example, if the entropy source is set to RDSEED and the RDSEED instruction is not available on the host CPU, you cannot access any CipherTrust Manager services.
The change won't take effect until the CipherTrust Manager appliance is rebooted or CipherTrust Manager services are restarted. Run "sudo systemctl restart keysecure" to restart CipherTrust Manager services.
Usage:
kscfg system entropy-source [flags]
Flags:
-h, --help Help for entropy-source
-s, --source Entropy source. Can be one of AUTO(default), RDSEED, RDRAND, RNGD_DEV_RANDOM, or DEV_URANDOM.
Example:
kscfg system entropy-source -s RDSEED
Response:
There is no response for successful execution of this command.
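Because a source that the host CPU cannot provide takes every CipherTrust Manager service down, it is worth checking the CPU flags before running kscfg system entropy-source with anything other than AUTO. The pre-flight check below is an added example (not part of kscfg or the product); it maps each source to the CPU instruction the text says it depends on, reproduces the AUTO preference order, and reads /proc/cpuinfo on the host. The cpuinfo excerpts at the bottom are constructed test inputs.

```python
import re

# AUTO probes these sources in this order; an HSM, when configured, takes precedence.
AUTO_ORDER = ("RDSEED", "RDRAND", "RNGD_DEV_RANDOM", "DEV_URANDOM")

# CPU flag each source depends on; None means no CPU requirement.
REQUIRED_CPU_FLAG = {
    "RDSEED": "rdseed",
    "RDRAND": "rdrand",
    "RNGD_DEV_RANDOM": "rdrand",   # rngd itself reads RDRAND
    "DEV_URANDOM": None,
    "AUTO": None,                  # always falls back to DEV_URANDOM
}


def parse_cpu_flags(cpuinfo_text):
    """Extract the flag set from /proc/cpuinfo text (first 'flags' line)."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo_text, re.MULTILINE)
    return frozenset(m.group(1).split()) if m else frozenset()


def entropy_source_available(source, cpu_flags):
    """True if the named kscfg entropy source can work on a CPU with these flags."""
    source = source.upper()
    if source not in REQUIRED_CPU_FLAG:
        raise ValueError(f"unknown entropy source {source!r}")
    needed = REQUIRED_CPU_FLAG[source]
    return needed is None or needed in cpu_flags


def auto_selection(cpu_flags, hsm_configured=False):
    """The source AUTO would settle on, following the page's stated preference order."""
    if hsm_configured:
        return "HSM"
    for candidate in AUTO_ORDER:
        if entropy_source_available(candidate, cpu_flags):
            return candidate
    return "DEV_URANDOM"  # not reached: DEV_URANDOM has no CPU requirement


def preflight(source, cpuinfo_path="/proc/cpuinfo"):
    """Read the live cpuinfo and report whether 'kscfg system entropy-source -s SOURCE' is safe."""
    with open(cpuinfo_path) as f:
        flags = parse_cpu_flags(f.read())
    return entropy_source_available(source, flags)


# Constructed cpuinfo excerpts (not captured from a real appliance).
CPUINFO_WITH_RDSEED = "processor\t: 0\nflags\t\t: fpu sse2 aes rdrand rdseed avx2\n"
CPUINFO_RDRAND_ONLY = "processor\t: 0\nflags\t\t: fpu sse2 aes rdrand\n"
CPUINFO_NO_HWRNG = "processor\t: 0\nflags\t\t: fpu sse2\n"

if __name__ == "__main__":
    for name, text in (("rdseed", CPUINFO_WITH_RDSEED), ("rdrand-only", CPUINFO_RDRAND_ONLY),
                       ("no-hwrng", CPUINFO_NO_HWRNG)):
        flags = parse_cpu_flags(text)
        print(name, "RDSEED ok" if entropy_source_available("RDSEED", flags) else "RDSEED unsafe",
              "AUTO ->", auto_selection(flags))
```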
Local Hostname Configuration
You can list or set the local hostname which local applications use to connect to CipherTrust Manager. The default hostname is ciphertrust.
Note
The local hostname affects clustering. To successfully join a cluster, a CipherTrust Manager's hostname can consist only of lowercase letters, numbers, and hyphens.
To list the local hostname
Usage:
kscfg system hostname get
Flags:
-h, --help Help for get
Example Response:
ciphertrust
To set the local hostname
Note
The change won't take effect until the CipherTrust Manager appliance is rebooted or CipherTrust Manager services are restarted. Run "sudo systemctl restart keysecure" to restart CipherTrust Manager services.
Usage:
kscfg system hostname set [flags]
Flags:
-h, --help Help for set
-n, --host-name string Set the hostname; updates the /etc/hostname file.
Example:
kscfg system hostname set -n newhostname
Response:
Note: please run "sudo systemctl restart keysecure" to have new hostname effective in CipherTrust Manager
System Reset
Consult Effects of Reset Methods for details on what data is cleared for the different reset methods.
The kscfg system reset command can be used to perform a hard reset of the CipherTrust Manager.
Warning
This destructive operation wipes all data on the CipherTrust Manager and should be used with care.
Note
This command requires the host-daemon system service to be up and running.
Normally, the REST API or the CLI should be used for performing the reset. This method of performing the reset should be used as a last resort. This operation deletes all backup keys and the HSM configuration. It is good practice to do the following before running this command:
1. Create and download a backup of the database.
2. Download all the backup keys. Any backups downloaded from this device will not be useful without the backup keys.
kscfg reset commands do not reset the HSM and the root of trust keys. This allows you to restore a previous CipherTrust Manager backup taken on the appliance. However, if you performed the reset to return the appliance to a fresh security state, and you don't intend to restore a backup, we strongly recommend resetting and re-initializing the HSM to create new root of trust keys. On a k570 device with an embedded PCIe HSM, you reset the HSM using the lunaCM command "hsm factoryReset" and then re-initialize following the same HSM configuration process as used during first deployment. For external HSMs used as the root of trust, consult their product documentation to delete the root of trust keys and perform any applicable reset operations.
Usage
kscfg system reset [flags]
Flags:
-f, --force When this flag is set, any errors encountered during reset are ignored, and the reset procedure
continues to the end. This flag must be used with care as it could place the system in an unusable state. It
should be used when all else fails.
-h, --help help for reset
-y, --yes When this flag is set, all user prompts during the reset process are skipped. A default value
of 'yes' is used as the automatic response to all prompts.
Examples
kscfg system reset [-f] [-y]
Response:
This will perform a full reset of the CipherTrust Manager services.
WARNING - This is a destructive operation and will wipe all data in the CipherTrust Manager.
It will delete all backupkeys and the HSM configuration.
Normally, the REST API or the CLI should be used for performing the reset.
THIS METHOD OF PERFORMING THE RESET SHOULD BE USED AS A LAST RESORT.
It is good practice to perform the following steps prior to running this command:
1. Create and download a backup of the database.
2. Download all the backupkeys; any backups downloaded from this device will not be useful without the backupkeys.
Do you want to continue? [y/N] y
This will take some time, please wait
Device reset has started. It will take a few minutes to complete.
System Factory Reset
Consult Effects of Reset Methods for details on what data is cleared for the different reset methods.
The kscfg system factory-reset command can be used on k470 and k570 appliance models to revert the system to its factory defaults.
Warning
This destructive operation wipes all data on the CipherTrust Manager, including keys, backups, backup keys, system configuration, and logs. It automatically reboots the appliance twice, before booting to the factory firmware version. The appliance's factory version may be below the currently running version. Several system upgrades may be required to return to the currently running version. Do not manually power-off or reset the appliance while the factory-reset is in progress. This command must be used with care.
Note
This command expects the host-daemon system service to be up and running. However, if the host-daemon is not running or not in a good state, the factory-reset can be invoked from command line as ksadmin user by executing "sudo /opt/keysecure/ks_reset_to_factory.sh".
kscfg reset commands do not reset the HSM and the root of trust keys. This allows you to restore a previous CipherTrust Manager backup taken on the appliance. However, if you performed the factory reset to return the appliance to a fresh security state, and you don't intend to restore a backup, we strongly recommend resetting and re-initializing the HSM to create new root of trust keys. On a k570 device with an embedded PCIe HSM, you reset the HSM using the lunaCM command "hsm factoryReset" and then re-initialize following the same HSM configuration process as used during first deployment. For external HSMs used as the root of trust, consult their product documentation to delete the root of trust keys and perform any applicable reset operations.
Usage
kscfg system factory-reset [flags]
Flags:
-h, --help help for factory-reset
-y, --yes When this flag is set, all user prompts during the reset process are skipped. A default value
of 'yes' is used as the automatic response to all prompts.
Examples
kscfg system factory-reset [-y]
Response:
WARNING: This operation will revert the system to its factory defaults !!!
(1) This is a destructive operation that erases all CipherTrust Manager data including but not limited to keys, backups, backup keys, and system logs.
(2) Ensure that you have access to serial console to configure the network interface.
(3) Ensure that you have a valid CipherTrust Manager backup of all the data and backup key.
(4) If embedded HSM is available, it will not be reset as part of this operation.
Re-initialization of embedded HSM is highly recommended after this operation to configure it as the root of trust.
(5) If remote PED was used, it must be re-connected after completion.
(6) This operation may take up to 15 minutes. Make sure you have power backup in place.
(7) Access to the system will be unavailable. DO NOT restart the system during this time.
(8) This operation includes multiple system reboot.
(9) This operation CANNOT be undone.
Do you want to continue?
[y/N]
Adding Connector Licenses After System Reset
System reset changes the Connector Lock Code for the CipherTrust Manager. After a system reset, any license files based on the earlier Connector Lock Code cannot be added. You can restore the earlier Connector Lock Code from a backup, or by adding the reset CipherTrust Manager node into a cluster that has the earlier Connector Lock Code. Then, these license files can be added. Backup restore and cluster replication also carry over previously installed licenses.