Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

back

Install Virtual CipherTrust Manager

Microsoft Azure Deployment

search

Please Note:

Microsoft Azure Deployment

You can deploy a CipherTrust Manager within the Microsoft Azure Cloud Computing Platform, including in the Azure Government environment (Arizona, Iowa, Virginia, and Texas regions).

Minimum Requirements

To deploy a CipherTrust Manager instance, the following minimum requirements apply:

  • System volume: 50 GB for evaluation, 100 GB for production

  • Memory: 16 GB

  • vCPUs: 2

  • NICs: 1

These minimum system requirements are for a system with light to moderate load. For applications that heavily load the system, additional memory and CPU allocation are required. The system volume holds all data as well as backups.

Deploying in Azure

This section provides the steps for deploying a Virtual CipherTrust Manager instance in Microsoft Azure. Refer to the Azure documentation for general information on launching a VM in Microsoft Azure.

Prerequisites

  • If using a Windows client, use PuTTY or similar utility to SSH to your CipherTrust Manager instance as KeySecure Administrator (ksadmin).

    If needed, use PuTTYgen or similar utility to format the SSH Key Pair.

  • If using a Linux client: use, SSH to login as KeySecure Administrator (ksadmin).

To launch a Virtual CipherTrust Manager instance

  1. Sign in to the Azure or Azure Government portal.

  2. Search for Thales Virtual CipherTrust Manager on the Marketplace page.

    Only the latest version is available on the Marketplace page.

    Older versions back to 2.6 are available through the Azure CLI. Some versions older than 2.6 are available from Thales customer support as a VHD file.

To deploy the latest Virtual CipherTrust Manager Version from Marketplace

  1. Select the Thales Virtual CipherTrust Manager image from the Virtual Machines group.

    The following steps apply to the Azure recommended 'Resources Manager' deployment model.

  2. Click Create. The first screen of the Create virtual machine page is displayed.

  3. Change the Subscription type if desired.

  4. Select an existing Resource group or enter the name for a new one.

    For deployments with Azure Dedicated HSMs, this must be the same resource group as for Luna client host VM and the Dedicated HSM.

  5. Specify the Region of an Azure Datacenter. For example, East US.

    For Azure government, this must be one of USGov Arizona, USGov Iowa, USGov Virginia, or USGov Texas.

  6. Enter a Virtual machine name, which is the hostname for the virtual machine your are creating, for example, "mycompany-ciphertrust".

  7. Select the Size for the VM that supports the Minimum Requirements.

  8. Select the SSH Public Key for the Authentication type.

    SSH Public Key authentication must be used. Password authentication is not allowed when connecting as the initial user. We support OpenSSH format for the public key, and OpenSSH, PKCS1, or PKCS8 format for the private key. RSA is the supported key algorithm. We recommend RSA 4096, with RSA 2048 as a minimum size for adequate security.

  9. For the Username, enter "ksadmin", the default name for the System Administrator.

    You MUST use the name “ksadmin” for this initial user.

  10. For the SSH public key source, select one of "Generate new key pair", "Use existing public key", "Use existing public key stored in Azure". We support OpenSSH format for the public key, and OpenSSH, PKCS1, or PKCS8 format for the private key. RSA is the supported key algorithm. We recommend RSA 4096, with RSA 2048 as a minimum size for adequate security.

    It is important that you have access to the key pair you select, otherwise you will not have permissions to perform administrator operations like performing upgrades, advanced logging or an appliance reset.

  11. In the SSH Public Key field, provide the necessary information for the SSH public key source selected in the last step.

  12. Select Next: Disks >. The Disks screen is displayed.

  13. Change the OS disk type to "Standard HDD", unless you desire a faster disk.

  14. Select an Encryption type depending on the Azure-level disk encryption you prefer.

  15. Select Next: Networking >. The Networking screen is displayed.

    The Virtual Network, Subnet, Public IP and Configure network security group fields are populated with default values for this VM, if you have preset networking values for other Azure VMs. Create new values if needed.

    For deployments with Azure Dedicated HSMs, the virtual network must also include the Dedicated HSM instance, and the lunaclient host instance. The subnet must also include the lunaclient host instance; this is subnet is referred to as the "Compute" subnet.

    For a list of security groups/ports, refer to Network Security Groups.

  16. Select Next: Management >. The Management screen is displayed.

  17. Select Next: Advanced > The Advanced screen is displayed.

  18. If desired, you can apply cloud-init configuration. Paste cloud-init configuration in the Custom Data field.

  19. Select Next: Tags >. The Tags screen is displayed.

  20. Enter any desired tags.

  21. Select Next: Review + create >. This is the final screen. Enter an email address, and click Create to launch the VM.

    Azure will run an evaluation of your virtual machine creation configuration.

    1. If the validation was not successful, a Validation failed message is displayed:

      Click on the arrow for details and precede to correct the cause of the validation error.

    2. If the validation is successful, a Validation passed screen is displayed, listing all VM details:

  22. Select Create to begin deployment of this VM. This screen is displayed indicating that deployment is in process.

    When deployment completes, this screen is displayed, providing access to all resources supporting the new VM.

  23. Connect to the CipherTrust Manager Web Page.

    1. Select the resource with the IP address, in this example: Keysecure-k170v-test-ip.

    2. Browse to this IP address (in this example enter https://40.117.142.62). The Log In screen appears.

  24. Log in using the initial default credentials: Username = admin, Password = admin

    The following notice is displayed:

    If the default credentials do not work, you may need to retrieve an autogenerated password, as described in changing the initial password.

  25. Enter a new password using this default Password Policy:

    Min length: 8
    Max length: 30
    Min number of upper cases: 1
    Min number of lower cases: 1
    Min number of digits: 1
    Min number of other characters: 1
    

    A new Login screen appears.

  26. Using your new password, log in again. The CipherTrust Manager Web Page appears.

  27. At this point, it's strongly recommended to configure an NTP server.

    1. Navigate to Admin Settings > NTP.

    2. Enter in an NTP Server hostname.

    3. For an authenticated NTP Server, enter in a symmetric key value in the NTP Key field.

    4. Click the +Add NTP Server button.

    See Network Time Protocol Server Configuration for more details.

Virtual CipherTrust Manager includes a 90 day trial license. To activate your instance with a term or perpetual license, see Licensing.

To deploy versions back to 2.6 using the Azure CLI

  1. List the Virtual CipherTrust Manager images available through the Azure CLI. Find the URN value for your desired version.

    az vm image list --offer cm_k170v --all
    

    Example response:

    [
      {
        "offer": "cm_k170v",
        "publisher": "thalesdiscplusainc1596561677238",
        "sku": "ciphertrust_manager",
        "urn": "thalesdiscplusainc1596561677238:cm_k170v:ciphertrust_manager:2.6.6506",
        "version": "2.6.6506"
      },
      {
        "offer": "cm_k170v",
        "publisher": "thalesdiscplusainc1596561677238",
        "sku": "ciphertrust_manager",
        "urn": "thalesdiscplusainc1596561677238:cm_k170v:ciphertrust_manager:2.7.6808",
        "version": "2.7.6808"
      }
    ]
    
  2. Accept the terms for the desired Virtual CipherTrust Manager image version.

    az vm image terms accept --urn <image_urn>
    
  3. Create the VM image. You provide or specify the following values:

    • The image URN.

    • The name of an existing resource group. The image's region will be taken from this resource group.

      For deployments with Azure Dedicated HSMs, this must be the same resource group as for Luna client host VM and the Dedicated HSM.

      For Azure government, the region must be one of USGov Arizona, USGov Iowa, USGov Virginia, or USGov Texas.

    • A new name for the VM.

    • A desired size for the VM, that meets the Minimum Requirements.

    • The admin username set to ksadmin. This is required to supply an SSH key at launch time, and for SSH access. The only allowed value is ksadmin.

    • A public IP SKU set to Standard

    • A source for the SSH key. You can choose to generate a new SSH key pair(--generate-ssh-keys), enter a name for an existing key already stored in Azure (--ssh-key-name <name_of_existing_ssh_key_in_azure>), or upload an SSH key file (--ssh-key-value <ssh_key_file>). We support OpenSSH format for the public key, and OpenSSH, PKCS1, or PKCS8 format for the private key. RSA is the supported key algorithm. We recommend RSA 4096, with RSA 2048 as a minimum size for adequate security.

      It is important that you have access to the key pair you select, otherwise you will not have permissions to perform administrator operations like performing upgrades, advanced logging or an appliance reset.

    • (Optional) If you wish to perform cloud-init configuration to set some initial values for CipherTrust Manager, you can use the -d or --custom-data flag to pass in the user data from config.dat file.

    Example syntax

     az vm create --resource-group <resource_group> --name <desired_vm_name> --image <image_urn> --size <desired_image_size> --admin-username ksadmin {--generate-ssh-keys | --ssh-key-name <name_of_existing_ssh_key_in_azure> | --ssh-key-value <ssh_key_file>} [--custom-data <config.dat_file_path>] --public-ip-sku Standard
    

    Example command with Standard_F4s_V2 size and SSH key generation

     az vm create --resource-group myURNVM --name myVM --image thalesdiscplusainc1596561677238:cm_k170v:ciphertrust_manager:2.6.6506 --admin-username ksadmin --size Standard_F4s_v2 --generate-ssh-keys --public-ip-sku Standard
    

    Example response

    {
      "fqdns": "",
      "id": "/subscriptions/260ecbe7-777b-4d3c-84ea-887620498863/resourceGroups/myURNVM/providers/Microsoft.Compute/virtualMachines/myVM",
      "location": "westus",
      "macAddress": "00-00-00-00-00-00",
      "powerState": "VM running",
      "privateIpAddress": "1.1.1.1",
      "publicIpAddress": "2.2.2.2",
      "resourceGroup": "myURNVM",
      "zones": ""
    }
    

    Note the public IP address returned in the VM creation response.

  4. Open the 443 port to allow web browsing to the Virtual CipherTrust Manager instance.

    az vm open-port -g <resource_group_name> -n <virtual_machine_name> --port '443'
    
  5. Navigate to the https://<VM_public_IP_address> to connect to the CipherTrust Manager Web Page. The public IP address was returned when the VM was created. You can also view this value in the Azure portal Virtual Machine list.

    The Log In screen appears.

  6. Log in using the initial default credentials: Username = admin, Password = admin

    The following notice is displayed:

    If the default credentials do not work, you may need to retrieve an autogenerated password, as described in changing the initial password.

  7. Enter a new password using this default Password Policy:

    Min length: 8
    Max length: 30
    Min number of upper cases: 1
    Min number of lower cases: 1
    Min number of digits: 1
    Min number of other characters: 1
    

    A new Login screen appears.

  8. Using your new password, log in again. The CipherTrust Manager Web Page appears.

  9. At this point, it's strongly recommended to configure an NTP server.

    1. Navigate to Admin Settings > NTP.

    2. Enter in an NTP Server hostname.

    3. For an authenticated NTP Server, enter in a symmetric key value in the NTP Key field.

    4. Click the +Add NTP Server button.

    See Network Time Protocol Server Configuration for more details.

Virtual CipherTrust Manager launches in Community Edition, with some restrictions on functionality. You can activate a 90 day trial evaluation for full functionality. To activate your instance with a trial evaluation, or term or perpetual license, see Licensing.