Microsoft Azure Deployment
You can deploy a CipherTrust Manager within the Microsoft Azure Cloud Computing Platform, including in the Azure Government environment (Arizona, Iowa, Virginia, and Texas regions).
Minimum Requirements
To deploy a CipherTrust Manager instance, the following minimum requirements apply:
System volume: 50 GB for evaluation, 100 GB for production
Memory: 16 GB
vCPUs: 2
NICs: 1
These minimum system requirements are for a system with light to moderate load. For applications that heavily load the system, additional memory and CPU allocation are required. The system volume holds all data as well as backups.
Deploying in Azure
This section provides the steps for deploying a Virtual CipherTrust Manager instance in Microsoft Azure. Refer to the Azure documentation for general information on launching a VM in Microsoft Azure.
Prerequisites
If using a Windows client, use PuTTY or similar utility to SSH to your CipherTrust Manager instance as KeySecure Administrator (ksadmin).
If needed, use PuTTYgen or similar utility to format the SSH Key Pair.
If using a Linux client: use, SSH to login as KeySecure Administrator (ksadmin).
To launch a Virtual CipherTrust Manager instance
Sign in to the Azure or Azure Government portal.
Search for CipherTrust Manager on the Marketplace page.
Only the latest version is available on the Marketplace page, as CipherTrust Manager Community Edition.
Older versions back to 2.6 are available through the Azure CLI. Some versions older than 2.6 are available from Thales customer support as a VHD file.
To deploy the latest Virtual CipherTrust Manager Version from Marketplace
Select the Thales Virtual CipherTrust Manager image from the Virtual Machines group.
The following steps apply to the Azure recommended 'Resources Manager' deployment model.
Click Create. The first screen of the Create virtual machine page is displayed.
Change the Subscription type if desired.
Select an existing Resource group or enter the name for a new one.
For deployments with Azure Dedicated HSMs, this must be the same resource group as for Luna client host VM and the Dedicated HSM.
Specify the Region of an Azure Datacenter. For example, East US.
For Azure government, this must be one of USGov Arizona, USGov Iowa, USGov Virginia, or USGov Texas.
Enter a Virtual machine name, which is the hostname for the virtual machine your are creating, for example, "mycompany-ciphertrust".
Select the Size for the VM that supports the Minimum Requirements.
Select the SSH Public Key for the Authentication type.
SSH Public Key authentication must be used. Password authentication is not allowed when connecting as the initial user. We support OpenSSH format for the public key, and OpenSSH, PKCS1, or PKCS8 format for the private key. RSA is the supported key algorithm. We recommend RSA 4096, with RSA 2048 as a minimum size for adequate security.
For the Username, enter "ksadmin", the default name for the System Administrator.
You MUST use the name “ksadmin” for this initial user.
For the SSH public key source, select one of "Generate new key pair", "Use existing public key", "Use existing public key stored in Azure". We support OpenSSH format for the public key, and OpenSSH, PKCS1, or PKCS8 format for the private key. RSA is the supported key algorithm. We recommend RSA 4096, with RSA 2048 as a minimum size for adequate security.
It is important that you have access to the key pair you select, otherwise you will not have permissions to perform administrator operations like performing upgrades, advanced logging or an appliance reset.
In the SSH Public Key field, provide the necessary information for the SSH public key source selected in the last step.
Select Next: Disks >. The Disks screen is displayed.
Change the OS disk type to "Standard HDD", unless you desire a faster disk.
Select an Encryption type depending on the Azure-level disk encryption you prefer.
Select Next: Networking >. The Networking screen is displayed.
The Virtual Network, Subnet, Public IP and Configure network security group fields are populated with default values for this VM, if you have preset networking values for other Azure VMs. Create new values if needed.
For deployments with Azure Dedicated HSMs, the virtual network must also include the Dedicated HSM instance, and the lunaclient host instance. The subnet must also include the lunaclient host instance; this is subnet is referred to as the "Compute" subnet.
For a list of security groups/ports, refer to Network Security Groups.
Select Next: Management >. The Management screen is displayed.
Select Next: Advanced > The Advanced screen is displayed.
If desired, you can apply cloud-init configuration. Paste cloud-init configuration in the Custom Data field.
Select Next: Tags >. The Tags screen is displayed.
Enter any desired tags.
Select Next: Review + create >. This is the final screen. Enter an email address, and click Create to launch the VM.
Azure will run an evaluation of your virtual machine creation configuration.
If the validation was not successful, a Validation failed message is displayed:
Click on the arrow for details and precede to correct the cause of the validation error.
If the validation is successful, a Validation passed screen is displayed, listing all VM details:
Select Create to begin deployment of this VM. This screen is displayed indicating that deployment is in process.
When deployment completes, this screen is displayed, providing access to all resources supporting the new VM.
Connect to the CipherTrust Manager Web Page.
Select the resource with the IP address, in this example: Keysecure-k170v-test-ip.
Browse to this IP address (in this example enter https://40.117.142.62). The Log In screen appears.
Log in using the initial default credentials: Username = admin, Password = admin
The following notice is displayed:
If the default credentials do not work, you may need to retrieve an autogenerated password, as described in changing the initial password.
Enter a new password using this default Password Policy:
Min length: 8 Max length: 30 Min number of upper cases: 1 Min number of lower cases: 1 Min number of digits: 1 Min number of other characters: 1A new Login screen appears.
Using your new password, log in again. The CipherTrust Manager Web Page appears.
At this point, it's strongly recommended to configure an NTP server.
Navigate to Admin Settings > NTP.
Enter in an NTP Server hostname.
For an authenticated NTP Server, enter in a symmetric key value in the NTP Key field.
Click the +Add NTP Server button.
See Network Time Protocol Server Configuration for more details.
Virtual CipherTrust Manager includes a 90 day trial license. To activate your instance with a term or perpetual license, see Licensing.
To deploy versions back to 2.6 using the Azure CLI
List the Virtual CipherTrust Manager images available through the Azure CLI. Find the URN value for your desired version.
az vm image list --offer cm_k170v --allExample response:
[ { "offer": "cm_k170v", "publisher": "thalesdiscplusainc1596561677238", "sku": "ciphertrust_manager", "urn": "thalesdiscplusainc1596561677238:cm_k170v:ciphertrust_manager:2.6.6506", "version": "2.6.6506" }, { "offer": "cm_k170v", "publisher": "thalesdiscplusainc1596561677238", "sku": "ciphertrust_manager", "urn": "thalesdiscplusainc1596561677238:cm_k170v:ciphertrust_manager:2.7.6808", "version": "2.7.6808" } ]Accept the terms for the desired Virtual CipherTrust Manager image version.
az vm image terms accept --urn <image_urn>Create the VM image. You provide or specify the following values:
The image URN.
The name of an existing resource group. The image's region will be taken from this resource group.
For deployments with Azure Dedicated HSMs, this must be the same resource group as for Luna client host VM and the Dedicated HSM.
For Azure government, the region must be one of USGov Arizona, USGov Iowa, USGov Virginia, or USGov Texas.
A new name for the VM.
A desired size for the VM, that meets the Minimum Requirements.
The admin username set to
ksadmin. This is required to supply an SSH key at launch time, and for SSH access. The only allowed value isksadmin.A public IP SKU set to
StandardA source for the SSH key. You can choose to generate a new SSH key pair(
--generate-ssh-keys), enter a name for an existing key already stored in Azure (--ssh-key-name <name_of_existing_ssh_key_in_azure>), or upload an SSH key file (--ssh-key-value <ssh_key_file>). We support OpenSSH format for the public key, and OpenSSH, PKCS1, or PKCS8 format for the private key. RSA is the supported key algorithm. We recommend RSA 4096, with RSA 2048 as a minimum size for adequate security.It is important that you have access to the key pair you select, otherwise you will not have permissions to perform administrator operations like performing upgrades, advanced logging or an appliance reset.
(Optional) If you wish to perform cloud-init configuration to set some initial values for CipherTrust Manager, you can use the
-dor--custom-dataflag to pass in the user data fromconfig.datfile.
Example syntax
az vm create --resource-group <resource_group> --name <desired_vm_name> --image <image_urn> --size <desired_image_size> --admin-username ksadmin {--generate-ssh-keys | --ssh-key-name <name_of_existing_ssh_key_in_azure> | --ssh-key-value <ssh_key_file>} [--custom-data <config.dat_file_path>] --public-ip-sku StandardExample command with Standard_F4s_V2 size and SSH key generation
az vm create --resource-group myURNVM --name myVM --image thalesdiscplusainc1596561677238:cm_k170v:ciphertrust_manager:2.6.6506 --admin-username ksadmin --size Standard_F4s_v2 --generate-ssh-keys --public-ip-sku StandardExample response
{ "fqdns": "", "id": "/subscriptions/260ecbe7-777b-4d3c-84ea-887620498863/resourceGroups/myURNVM/providers/Microsoft.Compute/virtualMachines/myVM", "location": "westus", "macAddress": "00-00-00-00-00-00", "powerState": "VM running", "privateIpAddress": "1.1.1.1", "publicIpAddress": "2.2.2.2", "resourceGroup": "myURNVM", "zones": "" }Note the public IP address returned in the VM creation response.
Open the
443port to allow web browsing to the Virtual CipherTrust Manager instance.az vm open-port -g <resource_group_name> -n <virtual_machine_name> --port '443'Navigate to the
https://<VM_public_IP_address>to connect to the CipherTrust Manager Web Page. The public IP address was returned when the VM was created. You can also view this value in the Azure portal Virtual Machine list.The Log In screen appears.
Log in using the initial default credentials: Username = admin, Password = admin
The following notice is displayed:
If the default credentials do not work, you may need to retrieve an autogenerated password, as described in changing the initial password.
Enter a new password using this default Password Policy:
Min length: 8 Max length: 30 Min number of upper cases: 1 Min number of lower cases: 1 Min number of digits: 1 Min number of other characters: 1A new Login screen appears.
Using your new password, log in again. The CipherTrust Manager Web Page appears.
At this point, it's strongly recommended to configure an NTP server.
Navigate to Admin Settings > NTP.
Enter in an NTP Server hostname.
For an authenticated NTP Server, enter in a symmetric key value in the NTP Key field.
Click the +Add NTP Server button.
See Network Time Protocol Server Configuration for more details.
Virtual CipherTrust Manager launches in Community Edition, with some restrictions on functionality. You can activate a 90 day trial evaluation for full functionality. To activate your instance with a trial evaluation, or term or perpetual license, see Licensing.