Google Cloud Deployment
You can deploy a CipherTrust Manager instance in Google Cloud.
Minimum Requirements
To deploy a CipherTrust Manager instance, the following minimum requirements apply:
System volume: 100 GB
Memory: 16 GB
vCPUs: 2
NICs: 1
Note
These minimum system requirements are for a system with light to moderate load. For applications that heavily load the system, additional memory and CPU allocation are required. The system volume holds all data as well as backups.
Deploying in Google Cloud
This section provides the steps for deploying a Virtual CipherTrust Manager instance from the Google Cloud Marketplace. Refer to the Google Cloud Platform documentation for general information on launching a VM in Google Cloud.
Note
We recommend first launching the Virtual CipherTrust Manager instance, and then providing the SSH key for the ksadmin user using the CipherTrust Manager web UI, as presented in the steps below. If you wish to instead use Google Cloud tools to provide the SSH key, you must provide the username ubuntu.
Prerequisite
If you wish to set a static IP for your Virtual CipherTrust Manager instance, you must reserve a static external IP address for your project before launching the VM. Consult Google documentation to do so.
To launch a CipherTrust Manager instance
Using your Gmail address, sign in to the Google Cloud Platform.
In the Google Cloud Platform top banner, select a project or create a new one.
To create a New Project:
Select New Project.
Enter a Project Name and Project ID.
Enter a Location if you already have a parent organization you want to use.
Select Create.
The project's DASHBOARD appears.
Navigate to the Google Cloud Marketplace and search for "CipherTrust Manager" images.
In the results, select CipherTrust Manager Community Edition.
Select Launch.
To create a CipherTrust Manager instance, review and modify these fields as needed:
Enter a Deployment name for the instance.
Select the Zone closest to your location.
Review that the Machine type is e2-standard-4 (4vCPU, 16 GB memory), which is optimized for Virtual CipherTrust Manager. If you want to change the Machine type, make sure the selection is in keeping with the minimum requirements.
Review Boot disk type and Boot disk size in GB. The defaults of Standard Persistent Disk and 100 fulfill the minimum requirements of the image.
If desired, in the Network interface section External IP drop down, you can select any static IP which is reserved for your project. Consult Google documentation on reserving a static IP address for a project.
Note
After launching the VM, you can confirm the static IP was applied using the nmcli tool in an SSH session.
In the Firewall section, ensure that checkboxes for Allow HTTP traffic and Allow HTTPS traffic are enabled.
Enable the checkbox to accept the GCP Marketplace Terms of Service and Thales - European Union - Frankfurt Terms of Service.
Select Deploy to launch the instance.
Your new virtual CipherTrust Manager is created and appears in Deployment Manager.
Click on the Site address for the newly created vCM.
A new browser tab opens to this address and the CipherTrust Manager web page appears.
You are prompted to enter an SSH key to authenticate the ksadmin user in an SSH session.
Note
We support OpenSSH for the public key format. The corresponding private key can be OpenSSH, PKCS1, or PKCS8 format. You can generate this key pair using 'PuTTYgen' or a similar utility. Save this SSH Public Key in a safe location. You will need this key for future SSH access.
After replacing the default SSH Public Key, the Log In screen appears. For more options to replace the default SSH Public Key, see Starting Services After Deployment.
Log in using the initial default credentials for the root administrator: Username = admin, Password = admin
The following notice is displayed:
Note
If the default credentials do not work, you may need to retrieve an autogenerated password, as described in Changing the Initial Password.
Enter a new password using this default Password Policy:
A new Login screen appears.
Using your new password, log in again. The CipherTrust Manager Web Page appears.
At this point, it's strongly recommended to configure an NTP server.
Navigate to Admin Settings > NTP.
Enter in an NTP Server hostname.
For an authenticated NTP Server, enter in a symmetric key value in the NTP Key field.
Click the +Add NTP Server button.
See Network Time Protocol Server Configuration for more details.
Obtain the ks_patch_disable_cloud_init.tar.gz.gpg archive file from the Thales support portal. This archive file is required to disable the cloud-init service after first launch, to prevent unauthorized usage of cloud-init.
Transfer the archive file to the CipherTrust Manager. You require the private SSH key associated with the ksadmin account. The command and supported private key format depend on the operating system you are transferring the archive file from.
Source Operating System | Example Command Syntax | Required Private Key Format
Linux | scp -i <path_to_private_SSH_key> <archive_file_name> ksadmin@<ip>:. | OpenSSH format
Windows | pscp -i <path_to_private_SSH_key> <archive_file_name> ksadmin@<ip>:. | PuTTY PPK format
Log in as ksadmin to an SSH session or cloud web console.
Apply the archive file to disable cloud-init.
Congratulations! You have successfully deployed a CipherTrust Manager instance.
Note
Virtual CipherTrust Manager launches in Community Edition, with some restrictions on functionality. You can activate a 90 day trial evaluation for full functionality. To activate your instance with a trial evaluation, or a term or perpetual license, see Licensing.
SSH Access to the New Instance
If using a Windows client, use PuTTY or a similar utility to SSH to your CipherTrust Manager instance as KeySecure Administrator (ksadmin). If needed, use PuTTYgen or a similar utility to format the SSH Key Pair.
If using a Linux client, use SSH to log in as KeySecure Administrator (ksadmin).
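The key formats named in the deployment steps (OpenSSH public key in the web UI, OpenSSH private key for scp, PuTTY PPK for pscp) can be checked before you connect. The shell functions below are an added example, not part of the Thales documentation: the names key_format and key_usage and the sample files are constructed for illustration, and the header strings matched are the standard PEM, RFC 4716 and PuTTY file markers.

```shell
#!/bin/sh
# Added example: classify a key file by its first line, then map the format
# to the uses this page names. Function names are illustrative.

key_format() {  # $1 = path to key file
    first=$(head -n 1 "$1" | tr -d '\r')   # tolerate CRLF from Windows tools
    case "$first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh-private ;;
        "-----BEGIN RSA PRIVATE KEY-----")     echo pkcs1-private ;;
        "-----BEGIN PRIVATE KEY-----"|"-----BEGIN ENCRYPTED PRIVATE KEY-----")
                                               echo pkcs8-private ;;
        PuTTY-User-Key-File-*)                 echo putty-ppk ;;
        "---- BEGIN SSH2 PUBLIC KEY ----")     echo rfc4716-public ;;
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) echo openssh-public ;;
        *)                                     echo unknown ;;
    esac
}

key_usage() {   # $1 = path to key file
    case "$(key_format "$1")" in
        openssh-public)  echo "web UI: SSH public key for ksadmin" ;;
        openssh-private) echo "Linux: scp -i / ssh -i" ;;
        putty-ppk)       echo "Windows: pscp -i / PuTTY" ;;
        pkcs1-private|pkcs8-private)
            echo "valid private key; table lists OpenSSH (scp) or PPK (pscp)" ;;
        rfc4716-public)  echo "not OpenSSH public format; convert before pasting" ;;
        *)               echo "unrecognised; do not use" ;;
    esac
}

# Constructed samples: header lines only, no real key material.
demo() {
    d=$(mktemp -d)
    printf '%s\n'   "-----BEGIN OPENSSH PRIVATE KEY-----" > "$d/id_ksadmin"
    printf '%s\n'   "ssh-ed25519 AAAAconstructedsample ksadmin" > "$d/id_ksadmin.pub"
    printf '%s\r\n' "PuTTY-User-Key-File-3: ssh-ed25519" > "$d/id_ksadmin.ppk"
    printf '%s\n'   "---- BEGIN SSH2 PUBLIC KEY ----" > "$d/puttygen_saved.pub"
    for f in "$d"/*; do
        printf '%-20s %s\n' "${f##*/}" "$(key_usage "$f")"
    done
    rm -rf "$d"
}
demo
```

PuTTYgen's "Save public key" button writes the RFC 4716 form; the OpenSSH one-line form is the text shown in its "Public key for pasting into OpenSSH authorized_keys file" box.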
Disk Resize Available with Disk Encryption
After you launch an unencrypted Virtual CipherTrust Manager and disable the cloud-init service, you cannot resize the disk. If you require a Virtual CipherTrust Manager with a larger or smaller disk size:
Encrypt the disk for the Virtual CipherTrust Manager instance and then attempt the resize.
Take a backup on the existing Virtual CipherTrust Manager, deploy a new Virtual CipherTrust Manager instance with the desired disk size, and restore the backup file on the new instance.