To provide the best customer experience, CipherTrust Manager (available as virtual and physical appliances) has transitioned to the new Entitlement Management System (EMS). The system allows you to activate new features and manage existing licenses for the CipherTrust Manager appliance and Connectors.
Important points to review before proceeding:
CipherTrust Manager release v2.2.0 introduces license count enforcement for KMIP clients.
CipherTrust Manager release v2.0.0 introduces support for enforced CipherTrust Transparent Encryption (CTE), CipherTrust Transparent Encryption (CTE UserSpace), and CipherTrust Cloud Key Manager (CCKM).
In CipherTrust Manager 2.0, the trial period for Data Discovery and Classification (DDC) has been extended from 30 to 90 days. A new 15 TB data allowance license has also been added.
For NextGen KeySecure versions lower than 1.9.0, physical appliances come with default 90-day trial licenses, which are replaced by a perpetual license as part of the appliance sale.
From NextGen KeySecure version 1.9.0 onward, physical appliances no longer come with default 90-day trial licenses. They are licensed "out of the box." Separate Connector licenses are required on these appliances.
NextGen KeySecure v1.8.0 introduced ProtectV licensing support and enforcement, the same as ProtectFile and KMIP, through the self-service License Portal on the Sentinel platform. Registering new ProtectFile or ProtectV clients and enabling KMIP client communications require active licenses on the NextGen KeySecure appliance.
NextGen KeySecure v1.7.0 introduced support for enforced ProtectFile and KMIP licenses.
Changes in CipherTrust Manager
New Key Manager Lock Code and Connector Lock Code are introduced for server licenses.
The Connector Lock Code is applicable to all nodes of a cluster to enforce Connector licenses across the cluster nodes. Activation is required for every individual NextGen KeySecure appliance by using the Key Manager Lock Code.
To activate the purchased Connector license, you need to activate the license for the Connector Lock Code and add it to any one node of the cluster. The license is replicated to all nodes of the cluster.
CipherTrust Manager Licenses
Physical CipherTrust Manager appliances are licensed out of the box whereas virtual appliances require their own licenses. Apart from this, both physical and virtual CipherTrust Manager appliances follow the same licensing model.
CipherTrust Manager licenses are node locked. Every node in a CipherTrust Manager cluster requires a separate license.
Every clone of a CipherTrust Manager appliance requires a separate license.
CipherTrust Manager enforces Connector licenses through the self-service License Portal on the Sentinel platform. Registering new clients, adding new AWS accounts, running new scans and generating new reports, and enabling KMIP client communications require active Connector licenses on the CipherTrust Manager appliance.
In a CipherTrust Manager cluster, the Connector Lock Code is applicable to all nodes of the cluster to enforce Connector licenses across the cluster nodes. When a Connector license is activated for one CipherTrust Manager appliance, the license is replicated to all nodes of the cluster.
Flex Connector Licenses
CipherTrust Manager simplifies Connector licensing by offering flexible (Flex) purchase options. A Connector license can be redeemed to purchase another Connector license of the same type. You can adjust or restructure licenses later according to your requirements. Moreover, new licensed features can be turned on by existing Flex Connectors.
Flex licenses are available for the CipherTrust platform only. They are not supported for NextGen KeySecure and KeySecure Classic.
The following table lists the supported Flex licenses.
|Flex Connector - Basic||Flex Connector - Advanced||Flex Connector - Premium||Flex Utilities||Flex Ability|
|CTE UserSpace||CT-VL (VTS)||CTE Teradata||Efficient Storage||-|
|CAKM for Oracle TDE|
|CT-V (TM)||CDP (PDB)||Container Security||-|
|CAKM for MS SQL Server EKM|
|REST Crypto Services||CTP for Teradata (VTPD)||-||-|
|CAKM for LUKS||-||BDT||-||-|
How Do Flex Connectors Work?
Suppose you want to buy 10 CTE Agents, with 10 LDT add-on licenses, 5 KMIP, 20 CKM, and 12 CADP (ProtectApp) licenses. The following table lists the licenses you need:
| Flex Connector Type | Quantity |
|---|---|
| Flex Connector - Basic | 30 (covers CTE and CAKM) |
| Flex Connector - Advanced | 12 (covers CADP) |
| Flex Utilities | 10 (covers LDT) |
| Flex Ability | 5 (covers KMIP) |
You can redeem 10 CTE product licenses and 20 CAKM product licenses with the Flex Connector - Basic. Later, you can trade in 10 CKM licenses for 10 CTE licenses. Similarly, you can trade 10 CTE licenses for 10 CAKM licenses.
Licensing Pages on GUI
On the KeySecure Classic, available features can be found on the Device tab under Feature Activation List as shown in the image below:
On the NextGen KeySecure, the Admin Settings > Licensing page shows the Installed Licenses. The following image illustrates the NextGen KeySecure v1.10 GUI.
The license count can be found under the Total Clients and Used Clients columns. For unlimited licenses (during the trial period), the Total Clients count shows a high number. When a license is activated and uploaded to the NextGen KeySecure, Total Clients reflects the number of purchased and activated licenses. Used Clients indicates the number of active licenses used for currently registered clients on the NextGen KeySecure appliance.
On the CipherTrust Manager GUI, the Admin Settings > Licensing page shows the Installed licenses (features). The following image illustrates the CipherTrust Manager v2.0 GUI.
To view the CCKM Cloud Unit Usage, expand the CCKM feature. The usage is shown under Total Cloud Units and Used Cloud Units, as shown below.
To view the Client Usage of a connector, expand the feature. For example, the usage of CTE-TransparentEncryption is shown under Total Clients and Used Clients, as shown below.
For unlimited licenses (during the trial period), the total count shows a high number. When a license is activated and uploaded to the CipherTrust Manager, total count reflects the number of purchased and activated licenses. The used count indicates the number of active licenses used for currently registered clients/cloud units on the CipherTrust Manager appliance.
Thirty days before a license expires, an orange banner appears as a system message on every page of the CipherTrust Manager GUI to inform the administrator of the license status.
A red banner is displayed when one or more licenses have expired. When an administrator navigates through the GUI, the red banner appears as a system message at the top of every page.
License Enforcement for CCKM
Expected behavior with CCKM licenses is explained in this section.
CipherTrust Manager appliance has activated Connector licenses: When CCKM licenses are activated and uploaded to a CipherTrust Manager, you can add cloud accounts and Google projects to the license capacity. The number of accounts and Google projects that you can add cannot exceed the license count.
The CipherTrust Manager acts as a Luna HSM client for root of trust (RoT) and CCKM Embedded (with Luna HSM as a key source). Separate client licenses for Luna HSMs are not required on the CipherTrust Manager. However, you need to apply usual partition licenses on the Luna HSM side.
Reaching license capacity: Additional accounts cannot be added because the license count has been exhausted. In this case, users can delete currently configured AWS accounts or buy additional licenses to add more accounts.
License expires: The CipherTrust Manager GUI displays a red banner to inform the administrator of expired licenses. At this time, no new AWS accounts can be added. However, users can still manage currently added accounts for 90 days from license expiry. After 90 days, the CCKM configurations on the CipherTrust Manager become read-only.
License Enforcement for DDC
Expected behavior with DDC licenses is explained in this section.
CipherTrust Manager virtual appliance has trial license activated: DDC is deployed with a trial license already installed and activated "out of the box". This gives you a fully functional product for 90 days and up to 1 TB of data allowance.
Data allowance is used up: You can continue scanning but cannot generate reports. However, the data from scans is stored, so after you install a new license you can access the data and generate reports.
License expires: The DDC configuration on CipherTrust Manager becomes read-only. While you still have access to your old reports, you cannot generate new reports, add new targets, or create new scans. The data collected so far is not deleted, so you can access it when you install a new license.
License Enforcement for KMIP
License enforcement on KMIP client communication is explained in this section.
CipherTrust Manager appliance has activated KMIP license: A valid KMIP license enables the KMIP feature on the CipherTrust Manager. KMIP clients can communicate with the CipherTrust Manager.
Reaching license capacity: A warning appears indicating that the CipherTrust Manager is running in non-compliance mode.
License expires: A red banner appears on the CipherTrust Manager GUI to inform the administrator of expired licenses. The KMIP feature (from API) shows as expired. Also, a warning indicates that the CipherTrust Manager is running in non-compliance mode.
License Enforcement for Other Connectors
Expected behavior with CTE, CTE LDT, CTE UserSpace, ProtectFile, and ProtectV Connector licenses is explained in this section.
CipherTrust Manager appliance has activated Connector licenses: When Connector licenses are activated and uploaded to a CipherTrust Manager, you can register clients to the license capacity. The number of clients that you can register cannot exceed the Connector license count.
Reaching license capacity: If you attempt to register additional clients, registration fails because the license count has been exhausted. In this case, users can delete currently configured clients or buy additional licenses to register new clients.
License expires: The CipherTrust Manager GUI displays a red banner to inform the administrator of expired licenses. At this time, no new client registration is allowed. However, users can still manage currently registered clients for 90 days from the license expiry. After 90 days, changes on currently registered clients are restricted and only decryption of data is allowed.
License Enforcement Summary
| Platform | License Type | License Enforcement | License Count Enforcement | Grace Period (90 Days) |
|---|---|---|---|---|
| NextGen KeySecure 1.10 | - | - | - | - |
| - | DDC | Yes | Yes | Yes (DDC configuration becomes read only) |
| CipherTrust Manager 2.2 | - | - | - | - |
| - | DDC | Yes | Yes | Yes (DDC configuration becomes read only) |
| - | CTE Teradata | Yes (uses base CTE) | Yes (uses base CTE) | Yes (uses base CTE) |
| - | CTE SAP HANA | Yes (uses base CTE) | Yes (uses base CTE) | Yes (uses base CTE) |