Install Virtual CipherTrust Manager

Private Cloud Deployment

You can deploy a CipherTrust Manager instance in a private cloud. Support is currently provided for VMware vSphere, Microsoft Hyper-V, Nutanix AHV, and OpenStack.

As part of private cloud deployment, you make decisions on disk encryption, setting a static IP, and disabling IPv6. For each of these options, you can apply them before launch, after launch, or not at all. In addition, you can use nmcli after first launch to set static routes, bond network interfaces, disable IPv6, or configure VLAN, if needed for your network.

The following flowchart demonstrates the decisions you make during virtual private cloud deployment.

Minimum Requirements

To deploy a CipherTrust Manager instance, the following minimum requirements apply:

  • System volume: 50 GB for evaluation, 100 GB for production

  • Memory: 16 GB

  • vCPUs: 2

  • NICs: 1

These minimum system requirements are for a system with light to moderate load. For applications that heavily load the system, additional memory and CPU allocation are required. The system volume holds all data as well as backups.

Deploying on VMware vSphere

This section guides you through the steps needed to deploy a Virtual CipherTrust Manager on VMware vSphere.

Refer to the VMware vSphere documentation for general information on launching a VM.

Prerequisite

Virtual CipherTrust Manager supports VMware vSphere/ESXi v5.1 and later. To launch it on vSphere/ESXi v5.0 or earlier, change the virtual machine's hardware version from vmx-09 to vmx-08 or vmx-07 with the VMware OVF Tool before deploying.

To launch the Virtual CipherTrust Manager

  1. In vSphere Client, select Deploy OVF Template....

    You will need sufficient privileges to access this selection.

    Deploy OVF Template

  2. In the Deploy OVF Template dialog box, enter the location of the OVA file in the Source field and launch the VM. After successful launch, the Virtual CipherTrust Manager appears under the inventory folder in the left pane.

  3. In the left pane, select the newly launched Virtual CipherTrust Manager.

  4. In the middle pane, select the Summary tab and click on the Web console.

    The window opens in your browser. IP information is displayed along with the ciphertrust login: prompt.

  5. If no IP address is displayed, DHCP is probably not available on the network and you did not set a static IP through Cloud-init, so the CipherTrust Manager GUI cannot be reached yet. In this case:

    1. At the ciphertrust login: prompt, enter "ksadmin" to log in and follow the prompts to create a secure password.

    2. Use the nmcli utility to configure a static IP address. nmcli can also be used to set static routes, bond network interfaces, disable IPv6, or configure VLAN, if needed for your network.

  6. Access the GUI by browsing to the Virtual CipherTrust Manager's IP address in a web browser.

    The initial CipherTrust Manager Web Page screen is displayed:

    SSH Public Key

  7. The error shown is expected: the appliance ships with a placeholder SSH public key that you must replace before continuing. As the initial KeySecure system administrator (ksadmin), paste your SSH public key into the box provided and select Add.

    The public key must be in OpenSSH format; the matching private key can be in OpenSSH, PKCS#1 or PKCS#8 format. RSA is the supported key algorithm: RSA 4096 is recommended and RSA 2048 is the minimum for adequate security. You can generate the pair with ssh-keygen or PuTTYgen (PuTTYgen shows the OpenSSH-format public key in its "Public key for pasting into OpenSSH authorized_keys file" box; paste that, not the .ppk text). What you paste here is the public key; keep the private key in a secure location, because it is the credential for the ksadmin system account and is what you will need for future SSH access.

    After replacing the default SSH Public Key, the Log In screen appears. For more options to replace the default SSH Public Key, see Starting Services After Deployment.

  8. Log in using the initial default credentials: Username = admin, Password = admin

    The following notice is displayed:

    Password change error

    If the default credentials do not work, you may need to retrieve an autogenerated password, as described in Changing the Initial Password.

  9. Enter a new password using this default Password Policy:

    Min length: 8
    Max length: 30
    Min number of upper cases: 1
    Min number of lower cases: 1
    Min number of digits: 1
    Min number of other characters: 1
    

    A new Login screen appears.

  10. Using your new password, log in again. The CipherTrust Manager Web Page appears.

    Home Screen

  11. At this point, it's strongly recommended to configure an NTP server.

    1. Navigate to Admin Settings > NTP.

    2. Enter in an NTP Server hostname.

    3. For an authenticated NTP Server, enter in a symmetric key value in the NTP Key field.

    4. Click the +Add NTP Server button.

    See Network Time Protocol Server Configuration for more details.

    Congratulations! You have successfully deployed your Virtual CipherTrust Manager.

  12. If you did not apply disk encryption with cloud-init, it is available after first launch with ksctl. Because installation specific secrets are generated the first time a Virtual CipherTrust Manager instance is launched, it is recommended that the instance be encrypted at launch time to ensure these secrets are never exposed.

Virtual CipherTrust Manager launches in Community Edition, with some restrictions on functionality. You can activate a 90 day trial evaluation for full functionality. To activate your instance with a trial evaluation, or a term or perpetual license, see Licensing.

Decompressing an OVA File

The Virtual CipherTrust Manager package includes an Open Virtual Appliance (OVA) file for launching Virtual CipherTrust Manager on VMware vSphere. Some versions of the vSphere Client do not support deployment of OVA files directly. In this case it is recommended to extract the .ovf, .vmdk, and .mf files using the VMware OVF Tool. You can then launch Virtual CipherTrust Managers using these files.

Example: To extract the OVF package (the .ovf, .vmdk and .mf files) from the OVA, execute this operation:

ovftool.exe --lax <source_OVA_file> <destination_OVF_file>

<source_OVA_file>: represents the OVA file included in the Virtual CipherTrust Manager package.

<destination_OVF_file>: represents a name for the OVF file.
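A check worth doing once the files are extracted, as an added example that is not part of the Thales documentation: the .mf file is the OVF manifest, one "ALG(filename)= hexdigest" line per file in the package, and verifying every file against it tells you the package you are about to deploy is intact. The script below is written for a POSIX shell with sha1sum/sha256sum (or openssl as a fallback). The package it builds for its own demo is constructed; the file names in it are placeholders, not the names in a real CipherTrust Manager package.

```shell
#!/bin/sh
# Added example, not part of the Thales documentation: verify the files
# extracted from an OVA against the digests recorded in its OVF manifest.
# Manifest lines look like "SHA256(ctm.ovf)= <hex>" (OVF standard format).

# Print the lowercase hex digest of file $2 with algorithm $1 (SHA1/SHA256/SHA512).
digest() {
    alg=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    if command -v "${alg}sum" >/dev/null 2>&1; then
        "${alg}sum" "$2" | cut -d' ' -f1
    else
        openssl dgst -r "-$alg" "$2" | cut -d' ' -f1
    fi
}

# Verify every entry of manifest $1 against the files in the same directory.
# Prints one status line per entry; returns 0 only if every file is present
# and matches. A manifest with no entries is treated as a failure.
verify_ovf_manifest() {
    mf=$1; dir=$(dirname "$mf"); bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')      # tolerate CRLF manifests
        [ -n "$line" ] || continue
        alg=${line%%(*}                               # text before "("
        rest=${line#*(}
        name=${rest%%)*}                              # text inside "( )"
        want=$(printf '%s' "${rest#*=}" | tr -d ' ' | tr 'A-F' 'a-f')
        n=$((n + 1))
        case $alg in
            SHA1|SHA256|SHA512) ;;
            *) echo "UNKNOWN  $name ($alg)"; bad=1; continue ;;
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; bad=1; continue
        fi
        have=$(digest "$alg" "$dir/$name")
        if [ "$have" = "$want" ]; then
            echo "OK       $name ($alg)"
        else
            echo "MISMATCH $name ($alg)"; bad=1
        fi
    done < "$mf"
    [ "$n" -gt 0 ] || { echo "empty manifest" >&2; return 1; }
    return $bad
}

# Constructed demo package (placeholder names, not a real CipherTrust OVA):
# two files plus a manifest computed from their real digests. Prints the dir.
demo_package() {
    d=$(mktemp -d)
    printf '<Envelope/>\n' > "$d/ctm.ovf"
    head -c 4096 /dev/zero > "$d/ctm-disk1.vmdk"
    {
        printf 'SHA256(ctm.ovf)= %s\n' "$(digest SHA256 "$d/ctm.ovf")"
        printf 'SHA256(ctm-disk1.vmdk)= %s\n' "$(digest SHA256 "$d/ctm-disk1.vmdk")"
    } > "$d/ctm.mf"
    echo "$d"
}

d=$(demo_package)
verify_ovf_manifest "$d/ctm.mf"
```

A manifest only proves the files match what the packager recorded. For authenticity, compare the manifest's digests with the values Thales publishes for the release, or verify the .cert file if the package ships one (in OVF packages that file carries a signature over the manifest).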

Using Cloud-init with VMware vSphere

Virtual CipherTrust Manager uses Cloud-init to inject configuration information prior to first boot. Cloud-init is a standard configuration mechanism that is supported in vSphere.

Below is an example of setting a static IP address using Cloud-init and vSphere.

To setup a static IP address using Cloud-init
  1. Create your Cloud-init configuration file. This is a text file containing the specific configuration you want to use. Refer to "Plan Configuration Settings for Deployment with Cloud Init" for other available configuration parameters. Here is a simple configuration file for a static IP:

    #cloud-config
    keysecure:
      netcfg:
        iface:
          name: ens32
          type: static
          address: 10.121.107.103
          netmask: 255.255.252.0
          gateway: 10.121.104.1
          dns1: 172.16.2.12
    

    The configuration parameters that save deployment steps after first launch are disk encryption, static IP, and disabling IPv6. Because installation specific secrets are generated the first time a Virtual CipherTrust Manager instance is launched, it is recommended that the instance be encrypted at launch time to ensure these secrets are never exposed.

  2. VMware requires this file to be converted to base64. To convert to base64, use the openssl command:

    openssl base64 -in <infile> -out <outfile>
    

    The string below is the sample output from this page. Note that it was produced from a slightly different file: decoding it gives "name: eth0" rather than "ens32", and its lines end in CRLF (a file saved on Windows). Treat it as an illustration of the format only, and always encode the file you actually wrote:

    I2Nsb3VkLWNvbmZpZw0Ka2V5c2VjdXJlOg0KICBuZXRjZmc6DQogICAgaWZhY2U6DQogICAgICBuYW1lOiBldGgwDQogICAgICB0eXBlOiBzdGF0aWMNCiAgICAgIGFkZHJlc3M6IDEwLjEyMS4xMDcuMTAzDQogICAgICBuZXRtYXNrOiAyNTUuMjU1LjI1Mi4wDQogICAgICBnYXRld2F5OiAxMC4xMjEuMTA0LjENCiAgICAgIGRuczE6IDE3Mi4xNi4yLjEy
    
  3. Create a Virtual CipherTrust Manager in VMware, but do not boot it.

  4. Configure the VM with the following:

    The vSphere web client should be used since some configuration parameters are not available with the Windows client.

    1. Add an empty CD/DVD drive to the VM, no configuration of it is necessary.

    2. Under vApp Options > OVF Settings > OVF Environment Transport, select ISO Image.

    3. Under vApp Options > Properties create a property with the Key "user-data", and a default value of the base64 encoded file.

  5. Boot up your system.

    Due to a bug, some versions of Virtual CipherTrust Manager may not apply the static IP on the initial boot. After a reboot, the IP address will be applied correctly.

  6. If you did not apply disk encryption with cloud-init, it is available after first launch with ksctl. Because installation specific secrets are generated the first time a Virtual CipherTrust Manager instance is launched, it is recommended that the instance be encrypted at launch time to ensure these secrets are never exposed.
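The procedure above, carried through end to end as an added example that is not part of the Thales documentation: write the static-IP cloud-config, encode it as one base64 line for the "user-data" vApp property (the sample on this page is a single line), and verify the round trip before pasting it into vSphere. CR characters are stripped first, since a file edited on Windows carries CRLF endings. The interface name and addresses are the page's sample values; the file names are placeholders. openssl is used when present, with coreutils base64 as a fallback.

```shell
#!/bin/sh
# Added example, not part of the Thales documentation: produce and check the
# base64 "user-data" value for the vSphere vApp property.

b64_encode_oneline() {          # stdin -> base64 without line breaks
    if command -v openssl >/dev/null 2>&1; then openssl base64 -A; else base64 | tr -d '\n'; fi
}
b64_decode() {                  # single-line base64 on stdin -> bytes
    if command -v openssl >/dev/null 2>&1; then openssl base64 -d -A; else base64 -d; fi
}

# Write a static-IP cloud-config in the keysecure/netcfg schema used by
# Virtual CipherTrust Manager: outfile iface address netmask gateway dns
write_static_ip_userdata() {
    cat > "$1" <<EOF
#cloud-config
keysecure:
  netcfg:
    iface:
      name: $2
      type: static
      address: $3
      netmask: $4
      gateway: $5
      dns1: $6
EOF
}

# Encode a cloud-config file as one base64 line, with Windows CRs removed.
encode_userdata() {
    tr -d '\r' < "$1" | b64_encode_oneline
    echo
}

# Decode a base64 string and confirm it is a usable cloud-config: a single
# line of base64, "#cloud-config" as the first line, and no CR characters.
check_userdata_b64() {
    case $1 in *[!A-Za-z0-9+/=]*) echo "not a single base64 line" >&2; return 1 ;; esac
    decoded=$(printf '%s' "$1" | b64_decode) || return 1
    case $decoded in
        "#cloud-config"*) ;;
        *) echo "missing #cloud-config header" >&2; return 1 ;;
    esac
    case $decoded in
        *"$(printf '\r')"*) echo "CR characters present (Windows line endings)" >&2; return 1 ;;
    esac
    return 0
}

# Demo with the page's sample values (constructed; the file name is a placeholder).
write_static_ip_userdata user-data.yaml ens32 10.121.107.103 255.255.252.0 10.121.104.1 172.16.2.12
b64=$(encode_userdata user-data.yaml)
check_userdata_b64 "$b64" && echo "$b64"
```

The printed line is what goes into the default value of the "user-data" property in step 4. Run check_userdata_b64 on any value you were handed rather than generated yourself: it catches the CRLF case described above and the truncated-paste case, both of which leave the VM without its static address.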

Deploying in Hyper-V

The CipherTrust Manager Private Cloud Image supports Microsoft Hyper-V in the form of a Virtual Hard Disk (VHDX) image. This image has been tested as a Generation 1 Hyper-V virtual machine.

Refer to the Microsoft Hyper-V Manager documentation for general information on launching a VM using an existing disk on Hyper-V.

This section guides you through the steps needed to deploy a Virtual CipherTrust Manager on Microsoft Hyper-V.

Prerequisites

  • Virtual CipherTrust Manager Virtual Hard Disk (VHDX) image.

To decompress the zipped image file you received from Thales Sales

  1. Locate the image file you received from Thales Sales; e.g. k170v-1.x.x.xxxx.vhdx.zip.

  2. Decompress this file by right-clicking on the file and selecting Extract All....

    This is a large file and will take some time. A single decompressed file will result, which is a Hard Disk Image File; e.g. k170v-1.x.x.xxxx.vhdx.

  3. Note the location of this file as you will need it below when creating the virtual machine.

Launch the Hyper-V Manager on your Windows System
  1. If needed, install Hyper-V on your Windows system.

    For example, for Windows 10, refer to: Install Hyper-V on Windows 10

  2. Open Hyper-V Manager on your Windows system.

Create a Virtual CipherTrust Manager instance
  1. In the Hyper-V Manager UI, select Action > New > Virtual Machine.

    Hyper-V Manager

    The 'New Virtual Machine Wizard' begins with the 'Before You Begin' screen.

    Before you begin

  2. Here you have the choice to either 'create a virtual machine with default values' and then modify them later, or you can 'create a virtual machine with custom configuration'. This procedure uses the option to 'create a virtual machine with custom configuration'. Select Next.

  3. In the 'Select Name and Location' screen,

    Name and Location

    1. Enter a descriptive name of the virtual machine you are creating.

    2. Enter the folder path of where the virtual machine will reside, or use the specified default folder path.

    3. Select Next.

  4. In the 'Specify Generation' screen, select Generation 1 and then select Next.

    Specify Generation

  5. In the 'Assign Memory' screen, select the desired amount of memory for your new virtual machine. Note the Private Cloud minimum for this setting (16 GB) in Minimum Requirements.

    Assign Memory

    1. Enter the value.

    2. If you wish to 'use Dynamic Memory' for this virtual machine, leave the box checked (default).

    3. Select Next.

  6. In the 'Configure Networking' screen drop down box, choose Default Switch and then select Next.

    Configure Networking

  7. In the 'Connect Virtual Hard Disk' screen,

    Connect Virtual Hard Disk

    1. Select the button for Use an existing virtual hard disk,

    2. Enter the location of the 'vhdx' file you decompressed earlier, e.g. c:/k170v-1.x.x.xxxx.vhdx

    3. Select Next.

  8. In the 'Completing the New Virtual Machine Wizard screen,

    Completing the New Virtual Machine Wizard

    1. Review the Summary description of the virtual machine you are about to create.

    2. To make a change, select 'Previous' to go back to change setting(s).

    3. When ready, select Finish.

      Your new virtual machine is created within a few seconds.

Connect to your new virtual machine
  1. In the Hyper-V Manager, right-click on the new virtual machine and select Connect to connect to the new Virtual CipherTrust Manager instance.

    The initial screen shows that the VM is turned off.

  2. Click on Start.

  3. Watch the console window of your newly created virtual machine.

    When the appliance has booted, IP information is displayed along with the ciphertrust login: prompt.

  4. If no IP address is displayed, DHCP is probably not available on the virtual switch you selected and you did not set a static IP through Cloud-init, so the CipherTrust Manager GUI cannot be reached yet. In this case:

    1. At the ciphertrust login: prompt, enter "ksadmin" to log in and follow the prompts to create a secure password.

    2. Use the nmcli utility to configure a static IP address. nmcli can also be used to set static routes, bond network interfaces, disable IPv6, or configure VLAN, if needed for your network.

  5. Access the GUI by browsing to the Virtual CipherTrust Manager's IP address in a web browser.

    The initial CipherTrust Manager Web Page screen is displayed:

    SSH Public Key

  6. The error shown is expected: the appliance ships with a placeholder SSH public key that you must replace before continuing. As the initial KeySecure system administrator (ksadmin), paste your SSH public key into the box provided and select Add.

    We support OpenSSH format for the public key, and OpenSSH, PKCS1, or PKCS8 format for the private key. RSA is the supported key algorithm. We recommend RSA 4096, with RSA 2048 as a minimum size for adequate security. You can generate this key pair using 'PuTTYgen' or similar utility. Save the SSH public and private keys. The SSH Private key, used to access the System Administrative account "ksadmin", is extremely sensitive and should be kept in a secure environment.

    After replacing the default SSH Public Key, the Log In screen appears. For more options to replace the default SSH Public Key, see Starting Services After Deployment.

  7. Log in using the initial default credentials: Username = admin, Password = admin

    The following notice is displayed:

    Password Change

    If the default credentials do not work, you may need to retrieve an autogenerated password, as described in Changing the Initial Password.

  8. Enter a new password using this default Password Policy:

    Min length: 8
    Max length: 30
    Min number of upper cases: 1
    Min number of lower cases: 1
    Min number of digits: 1
    Min number of other characters: 1
    

    A new Login screen appears.

  9. Using your new password, log in again. The CipherTrust Manager Web Page appears.

    Home Screen

    Congratulations! You have successfully deployed your CipherTrust Manager virtual machine.

  10. At this point, it's strongly recommended to configure an NTP server.

    1. Navigate to Admin Settings > NTP.

    2. Enter in an NTP Server hostname.

    3. For an authenticated NTP Server, enter in a symmetric key value in the NTP Key field.

    4. Click the +Add NTP Server button.

    See Network Time Protocol Server Configuration for more details.

  11. If you did not apply disk encryption with cloud-init, it is available after first launch with ksctl. Because installation specific secrets are generated the first time a Virtual CipherTrust Manager instance is launched, it is recommended that the instance be encrypted at launch time to ensure these secrets are never exposed.
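The nmcli step that both the vSphere procedure (step 5) and the Hyper-V procedure above (step 4) point to, worked through as an added example that is not part of the Thales documentation. The script takes the same values the page's cloud-config sample uses (interface, address, dotted netmask, gateway, DNS) and turns them into the nmcli commands that apply them from the ksadmin shell after first launch, converting the netmask to the CIDR prefix nmcli expects. It assumes NetworkManager manages the interface and that a connection profile with the interface's name exists (list profiles with nmcli -t -f NAME,DEVICE connection show and substitute the real name). The commands are printed by default and only executed when APPLY=1 is set; DISABLE_IPV6=1 adds the IPv6 disable and an optional sixth argument adds a static route.

```shell
#!/bin/sh
# Added example, not part of the Thales documentation: static IPv4 (plus
# optional static route and IPv6 disable) via nmcli, from cloud-config-style
# parameters. Assumes a NetworkManager connection profile named like the
# interface (e.g. ens32); adjust if yours is "Wired connection 1".

# Dotted-quad netmask -> prefix length; fails on a non-contiguous mask.
netmask_to_prefix() {
    prefix=0; seen_zero=0
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        bit=128
        while [ "$bit" -gt 0 ]; do
            if [ $((octet & bit)) -ne 0 ]; then
                [ "$seen_zero" -eq 0 ] || return 1   # a 1 bit after a 0 bit
                prefix=$((prefix + 1))
            else
                seen_zero=1
            fi
            bit=$((bit / 2))
        done
    done
    echo "$prefix"
}

# Arguments: connection address netmask gateway dns [route]
# route is "destination/prefix next-hop", e.g. "10.0.0.0/8 10.121.104.1".
# Prints the two nmcli commands; runs them only when APPLY=1.
nmcli_static_ip() {
    conn=$1; addr=$2; mask=$3; gw=$4; dns=$5; route=${6:-}
    pfx=$(netmask_to_prefix "$mask") || { echo "invalid netmask: $mask" >&2; return 1; }
    extra=""
    [ -z "$route" ] || extra="$extra ipv4.routes \"$route\""
    [ "${DISABLE_IPV6:-0}" != 1 ] || extra="$extra ipv6.method disabled"
    echo "nmcli connection modify $conn ipv4.method manual ipv4.addresses $addr/$pfx ipv4.gateway $gw ipv4.dns $dns$extra"
    echo "nmcli connection up $conn"
    if [ "${APPLY:-0}" = 1 ]; then
        set -- connection modify "$conn" ipv4.method manual ipv4.addresses "$addr/$pfx" ipv4.gateway "$gw" ipv4.dns "$dns"
        [ -z "$route" ] || set -- "$@" ipv4.routes "$route"
        [ "${DISABLE_IPV6:-0}" != 1 ] || set -- "$@" ipv6.method disabled
        nmcli "$@" && nmcli connection up "$conn"
    fi
}

# Demo with the page's sample values (nothing is applied without APPLY=1).
nmcli_static_ip ens32 10.121.107.103 255.255.252.0 10.121.104.1 172.16.2.12
```

Bringing the connection up re-applies the profile, so run the two commands from the console rather than over SSH: the address changes under the session. Bonding and VLAN interfaces, which the page also mentions, are created with separate nmcli connection add commands and are not covered here.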

Virtual CipherTrust Manager launches in Community Edition, with some restrictions on functionality. You can activate a 90 day trial evaluation for full functionality. To activate your instance with a trial evaluation, or a term or perpetual license, see Licensing.

Using Cloud-init with Hyper-V

The Virtual CipherTrust Manager uses cloud-init to inject configuration information prior to first boot. Cloud-init is a standard configuration mechanism that is supported in Hyper-V. Cloud-init is supported as an ISO image for Hyper-V, mounted as media to use with the virtual CD/DVD drive. The ISO image must have two text files named user-data and meta-data.

The configuration parameters that save deployment steps after first launch are disk encryption, static IP, and disabling IPv6. Because installation specific secrets are generated the first time a Virtual CipherTrust Manager instance is launched, it is recommended that the instance be encrypted at launch time to ensure these secrets are never exposed.

Below is an example of setting up disk encryption and the user's ssh key using cloud-init and Hyper-V.

Example: To setup disk encryption and the user's SSH key
  1. Prepare the user-data file. This is a text file containing the specific configuration you want to use. Refer to "Plan Configuration Settings for Deployment with Cloud Init" for other available configuration parameters. Here is a simple user-data configuration file for setting up disk encryption and the user's SSH key.

    #cloud-config
    diskenc:
      encrypt: true
    ssh_authorized_keys:
      - <replace with your OpenSSH format ssh public key>
    

    You must provide the SSH key in OpenSSH format. The corresponding private key can be OpenSSH, PKCS1, or PKCS8 format. RSA is the supported key algorithm. We recommend RSA 4096, with RSA 2048 as a minimum size for adequate security.

  2. Create the meta-data file. This is a text file containing user provided instance parameters, for example:

    instance-id: <some instance id>
    local-hostname: <host name for the instance>
    
  3. Create the ISO image file:

    1. Make sure genisoimage utility is installed.

    2. Create the ISO file:

      genisoimage -o config.iso -volid cidata -joliet -rock user-data meta-data
      
  4. Create a Virtual CipherTrust Manager in Hyper-V, but do not boot it.

  5. In Hyper-V manager:

    1. Right click on the instance and go to "Settings...".

    2. Under IDE Controller 1 > DVD Drive > Specify the media to use with your virtual CD/DVD drive, select Image File

    3. Browse to the config.iso file generated in step 3 above.

    4. Select OK.

  6. Boot up your Virtual CipherTrust Manager.
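The Hyper-V Cloud-init procedure above, carried through as an added example that is not part of the Thales documentation. Before the key goes into user-data the script checks it is what this page requires (OpenSSH format, ssh-rsa, 2048 bits or more) by parsing the key blob directly, so it works on a minimal build host without ssh-keygen (where OpenSSH is installed, ssh-keygen -lf reports the same). It then writes user-data and meta-data and builds the NoCloud ISO with genisoimage when that tool is present. The demo key is a constructed placeholder with the right structure and a filler modulus, not a usable key; the instance id and hostname are placeholders too.

```shell
#!/bin/sh
# Added example, not part of the Thales documentation: validate the SSH key,
# write user-data/meta-data, build the cidata ISO for Hyper-V.

u32() { echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }
put_u32() { printf "$(printf '\\%03o\\%03o\\%03o\\%03o' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) $(( ($1 >> 8) & 255 )) $(( $1 & 255 )))"; }

# Parse "ssh-rsa <base64 blob> [comment]" and print "ssh-rsa <modulus bits>".
# Blob layout: string "ssh-rsa", mpint e, mpint n; each field is a 4-byte
# big-endian length followed by that many bytes.
openssh_rsa_bits() {
    set -- $1
    [ "${1:-}" = ssh-rsa ] || { echo "not an ssh-rsa OpenSSH key" >&2; return 1; }
    blob=$(mktemp) || return 1
    if ! printf '%s' "${2:-}" | base64 -d > "$blob" 2>/dev/null; then
        rm -f "$blob"; echo "key blob is not valid base64" >&2; return 1
    fi
    set -- $(od -An -v -tu1 "$blob"); rm -f "$blob"    # one parameter per byte
    [ $# -ge 11 ] || return 1
    len=$(u32 "$1" "$2" "$3" "$4"); shift 4             # field 1: type string
    [ "$len" -eq 7 ] && [ "$1.$2.$3.$4.$5.$6.$7" = "115.115.104.45.114.115.97" ] || return 1
    shift 7
    [ $# -ge 4 ] || return 1
    len=$(u32 "$1" "$2" "$3" "$4"); shift 4             # field 2: e, skipped
    [ $# -ge "$len" ] || return 1
    shift "$len"
    [ $# -ge 4 ] || return 1
    len=$(u32 "$1" "$2" "$3" "$4"); shift 4             # field 3: n
    [ "$len" -gt 0 ] && [ $# -ge "$len" ] || return 1
    if [ "$1" -eq 0 ]; then shift; len=$((len - 1)); fi # sign byte, not a modulus bit
    [ "$len" -gt 0 ] || return 1
    b=$1; [ "$b" -ne 0 ] || return 1
    bits=$((len * 8))
    while [ $((b & 128)) -eq 0 ]; do bits=$((bits - 1)); b=$((b << 1)); done
    echo "ssh-rsa $bits"
}

# Enforce the page's policy: RSA, at least 2048 bits.
require_rsa_key() {
    info=$(openssh_rsa_bits "$1") || return 1
    bits=${info#ssh-rsa }
    [ "$bits" -ge 2048 ] || { echo "RSA $bits bits is below the 2048-bit minimum" >&2; return 1; }
}

# Structurally valid ssh-rsa line with an N-bit filler modulus (demo only).
sample_rsa_line() {
    nbytes=$(( $1 / 8 ))
    {
        put_u32 7; printf 'ssh-rsa'
        put_u32 3; printf '\001\000\001'                 # e = 65537
        put_u32 $((nbytes + 1)); printf '\000\200'       # n: sign byte, then top bit set
        head -c $((nbytes - 1)) /dev/zero | tr '\000' '\001'
    } | base64 | tr -d '\n' | sed 's/^/ssh-rsa /; s/$/ demo@example/'
}

# Write user-data (disk encryption + authorized key) and meta-data into $1.
write_nocloud_files() {
    dir=$1; key=$2; instance_id=$3; host=$4
    require_rsa_key "$key" || return 1
    mkdir -p "$dir"
    printf '#cloud-config\ndiskenc:\n  encrypt: true\nssh_authorized_keys:\n  - %s\n' "$key" > "$dir/user-data"
    printf 'instance-id: %s\nlocal-hostname: %s\n' "$instance_id" "$host" > "$dir/meta-data"
}

# Burn the two files to an ISO; the volume label must be "cidata" for the
# NoCloud datasource to recognise the media.
build_nocloud_iso() {
    command -v genisoimage >/dev/null 2>&1 || { echo "genisoimage not installed; $1/user-data and $1/meta-data are ready" >&2; return 2; }
    (cd "$1" && genisoimage -o "$2" -volid cidata -joliet -rock user-data meta-data)
}

key=$(sample_rsa_line 2048)     # constructed placeholder; substitute your real public key
write_nocloud_files ./cidata "$key" ctm-001 ciphertrust-01
build_nocloud_iso ./cidata "$PWD/config.iso" || echo "ISO step skipped"
```

The key check is the part worth keeping even if you build the ISO some other way: a PuTTY-format or ed25519 key pasted into ssh_authorized_keys is silently unusable, and because the appliance generates its installation secrets on first boot, a failed first boot means starting over from a fresh image rather than just fixing the file.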

Deploying on Nutanix AHV

This section guides you through the steps needed to deploy a Virtual CipherTrust Manager on Nutanix AHV.

Prerequisites

  • OVA file: It is mandatory to decompress the OVA file before deployment to generate a VMDK file. For steps, see Decompressing an OVA file

Creating a CipherTrust Manager Virtual Machine

Perform the following steps to create a CipherTrust Manager virtual machine on a Nutanix Cluster:

Do not host a CipherTrust Manager virtual machine on an encrypted cluster that uses that same CipherTrust Manager for its keys. The cluster's storage can then only be unlocked with keys held by a VM that lives on that storage, so a problem with the VM can lead to complete data loss.

  1. Go to the Prism Element.

  2. Create a Storage Container.

    1. Go to the Storage page and click Storage Container.

      The Create Storage Container window appears.

    2. Specify the Name and select a Storage Pool.

    3. (Optional) If required, click Advanced Settings for the settings related to compression, cache, deduplication, and so on.

    4. Click Save.

      The New Storage Container will be added.

  3. Create/Upload an image on the Nutanix Cluster.

    1. Go to Settings > Image Configuration. Click Upload Image.

      The Create Image page appears.

    2. Specify/select the following fields/options:

      • Name

      • Annotations

      • Image Type

      • Select the Storage Container

      • Image Source

    3. Click Save.

      The application will start uploading the image. This can take some time depending on the network speed. After the uploading process is complete, the new image is created, and the image activation process is initiated. You can use the image after it becomes active. This image can be accessed from Settings > Image Configuration.

  4. Go to the VM page and click Create VM.

  5. Specify/select the following fields/options:

    1. General Configuration

      • Name

      • Description

      • Timezone

    2. Minimum Requirements

      Refer to Minimum Requirements.

    3. Disks

      Remove any existing disk and click Add New Disk. Specify the following fields:

      • Type: DISK

      • Operation: Clone from Image Service

      • Bus Type: SCSI

      • Image: Select image created in the previous step

      • Index: Next Available

      Click Add. The disk will be added.

    4. Set Boot configuration to Legacy BIOS or UEFI.

    5. Network Adapter

      Click Add New NIC and specify the following details:

      • Network Name: Select a pre-configured network

      • VLAN ID: Specify the required value

      • Network Connection State: Set to Connected

      • Network Address/Prefix: Set to the required value

      Click Add to add the Network Adapter.

    6. Go to VM Host Affinity and select the Host(s) as required. Click Save.

  6. Click Save after completing all configurations.

    The new VM will be created.

Booting the CipherTrust Manager VM

Go to the VM page and locate the newly added VM in the VM Name column. You can use search option, if required.

  1. Click on the VM name and scroll down.

  2. Click Power On.

  3. Open the VM console and wait for the appliance to boot. IP information is displayed along with the ciphertrust login: prompt. If no address is shown, log in at that prompt as ksadmin and configure a static IP with nmcli, as described in the vSphere procedure.

  4. Access the GUI by browsing to the Virtual CipherTrust Manager's IP address in a web browser.

    The initial CipherTrust Manager Web Page screen is displayed:

    SSH Public Key

  5. The error shown is expected: the appliance ships with a placeholder SSH public key that you must replace before continuing. As the initial KeySecure system administrator (ksadmin), paste your SSH public key into the box provided and select Add.

    The public key must be in OpenSSH format; the matching private key can be in OpenSSH, PKCS#1 or PKCS#8 format. RSA is the supported algorithm (RSA 4096 recommended, RSA 2048 minimum). You can generate the pair with ssh-keygen, PuTTYgen or a similar utility. What you paste here is the public key; keep the private key in a secure location, because it is the credential for the ksadmin system account and is what you will need for future SSH access.

    After replacing the default SSH Public Key, the Log In screen appears. For more options to replace the default SSH Public Key, see Starting Services After Deployment.

  6. Log in using the initial default credentials: Username = admin, Password = admin

    The following notice is displayed:

    Password change error

    If the default credentials do not work, you may need to retrieve an auto-generated password, as described in Changing the Initial Password.

  7. Enter a new password using this default Password Policy:

    Min length: 8
    Max length: 30
    Min number of upper cases: 1
    Min number of lower cases: 1
    Min number of digits: 1
    Min number of other characters: 1
    

    A new Login screen appears.

  8. Using your new password, log in again. The CipherTrust Manager Web Page appears.

    Home Screen

  9. At this point, it's strongly recommended to configure an NTP server.

    1. Navigate to Admin Settings > NTP.

    2. Enter in an NTP Server hostname.

    3. For an authenticated NTP Server, enter in a symmetric key value in the NTP Key field.

    4. Click the +Add NTP Server button.

    See Network Time Protocol Server Configuration for more details.

Congratulations! You have successfully deployed your Virtual CipherTrust Manager.

Virtual CipherTrust Manager launches in Community Edition, with some restrictions on functionality. You can activate a 90 day trial evaluation for full functionality. To activate your instance with a trial evaluation, or a term or perpetual license, see Licensing.