Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CTE-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Widows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Install Virtual CipherTrust Manager

Deploying with Cloud-init

search

Please Note:

printsuggest an editpdf paneldownload

Deploying with Cloud-init

The Virtual CipherTrust Manager supports initial boot time configuration using cloud-init. On first boot, the appliance can be passed a configuration text file, known as a user-data file. The Virtual CipherTrust Manager reads this file to retrieve various configuration settings. To plan your configuration settings in the user-data file, see Plan Configuration Settings for Deploying with Cloud-Init.

How a cloud-init configuration file is passed to the Virtual CipherTrust Manager appliance depends on the environment in which it runs. Below are examples for each of the supported environments.

Note

Cloud-init configuration (user-data) files uses YAML syntax; indentation is important and tabs can not be used.

copy link to clipboardPassing the cloud-init file in AWS

When launching the instance from AWS web , at Step 3 - Configure Instance Details, select 'As file' in the 'User data' section and browse to 'config.dat' file. Then continue with the rest of the launch steps.

If launching the instance using AWS CLI, then use the '--user-data' parameter with the run-instances command. Use the 'file://' prefix to pass in the user data from 'config.dat' file.

Note

Verify the user data is 16KB or less, otherwise it will be ignored by AWS. If it is larger then remove unnecessary whitespace (e.g. ident lines with a single space) and comments.

copy link to clipboardPassing the cloud-init file in Azure

When launching the Azure instance using Azure CLI, use the '-d' or '--custom-data' flag with the vm create command to pass in the user data from 'config.dat' file.

copy link to clipboardPassing the cloud-init file for a Private Cloud Image

When using the disk image, how the cloud-init data is passed to CipherTrust Manager depends on the virtualization platform - please refer to documentation or notes for your specific cloud environment.

The following are two examples of passing cloud-init data when using a disk image, one using 'libvirt' and one using VMware/vSphere.

copy link to clipboardExample using 'libvirt'

When launching a virtual machine with the Qcow2 image using 'libvirt', the cloud-init data has to be passed in as an ISO file. The ISO can be generated as follows:

  1. Prepare the user-data file as follows:

    1. Rename the file config.data to user-data.

    2. Because the user's SSH key is used for wrapping a layer of encryption keys, it must be added to the cloud-init config. So, the 'user-data' file should look like:

      #cloud-config
hostname: <host name for the instance>
diskenc:
  encrypt: true
ssh_authorized_keys:
  - <replace with user ssh public key>

      Note

      'ssh_authorized_keys' can be configured with multiple ssh public keys.

  2. Create a meta-data file and provide instance parameters, for example:

    instance-id: <some instance id>

  3. Create an ISO image file:

    1. Make sure genisoimage utility is installed.

    2. Create the ISO file.

      genisoimage -o config.iso -volid cidata -joliet -rock user-data meta-data

  4. Launch instance using virt-install. OpenStack example:

    virt-install --virt-type kvm --name <virtual_image_name> --ram 2048 --disk path=<path_to_qcow2_image>,size=16,format=qcow2 --disk path=<path_to_config.iso> --network network=default --graphics vnc,listen=0.0.0.0 --noautoconsole --os-type=linux --os-variant= ubuntu16.04 --import

copy link to clipboardExample using VMware/vSphere

This example describes how to deploy CipherTrust Manager on VMware with a static IP configuration. In general, if you have virtual machines you intend to use frequently or for extended periods of time, it can be convenient to assign a static IP address, or configure DHCP server to always assign the same IP address, to each of these virtual machines.

For virtual machines that you do not expect to keep for extended periods of time, use DHCP and let it allocate IP addresses for these machines.

Use the following procedure to deploy CipherTrust Manager on VMware with a static IP configuration.

Note

This procedure includes preparation of a cloud-init configuration file used to set up a static IP address during launch of the CipherTrust Manager.

  1. Get CipherTrust Manager installation file for VMware from Gemalto Support Portal.

  2. Deploy OVA in ESXi Server.

    1. Select “Deploy OVF Template”.

    2. On the Select an OVF template page, choose OVA file and select NEXT.

    Deploy Template

  3. On the Select a name and folder page, select the name of the virtual machine and its location.

  4. Validate the CipherTrust Manager Virtual Machine Configuration. On the Select a compute resource page, select the destination compute resource (if applicable).

    error

    If you see the above error, please perform the following steps:

    1. Use ovftool.exe to convert ova file into uncompressed file(s).

      Execute the following command:

      ovftool.exe --lax <source_OVA_file> <destination_OVF_file>

      Note

      OVF with compressed disk is not supported on newer version of Vsphere client. It may work on older versions.

    2. Repeat Step 2 with a new installer file.

  5. On the Review details page, verify the template details of the CipherTrust Manager image and if correct, select NEXT.

    Review Details

    1. On the Select storage page, select the storage location to install the CipherTrust Manager and then select NEXT.

    2. On the Select network page, select the network and then select FINISH.

      Caution

      Do not launch/start the machine at this time.

  6. Prepare the cloud-init configuration.

    1. Add a CD drive to the VM.

      CD Drive

    2. Before booting up the VM, prepare the cloud-init configuration. The following cloud-init example configures the VM's ens32 port with a static IP address. Copy this example and edit it for your desired network settings.

      #cloud-config
keysecure:
    netcfg:
        iface:
            name: ens32
            type: static
            address: 192.168.1.150
            netmask: 255.255.255.0
            gateway: 192.168.1.1
            dns1: 192.168.1.100

      Note

      Cloud-init configuration files use YAML syntax; indentation is important and tabs cannot be used.

    3. Convert the string to base64. To convert to base64, use the openssl command:

      openssl base64 -in <infile> -out <outfile>

    4. Save this base64 string to use in next steps.

  7. Add the base64 configuration to the VM. This step shows vSphere web client (Flash) version as demonstration. You may find similar options in other clients.

    1. Select: virtual machine > Configure > Settings > vApp Options

      vAppOptions

    2. Press Edit button on the top right on this page.

    3. Under OVF Settings, select the ISO Image check box, which is next to OVF environment transport.

      ISO Image

    4. On the same page, expand “Properties” to add configuration.

      Properties

    5. Press the New button to add a property for the configuration. On following screen, there are two fields which need to be changed.

      • Label: user-data

      • Default value: <base64 string of configuration, generated in step6-b>

      Note

      Key ID will change automatically when you change Label.

      Edit Properties

    6. Press OK to save the Property Settings.

    7. Then press OK again to save the vApp Options page.

  8. Launch the instance. The VM should boot up configured with a static IP.

On this page