CipherTrust Manager (available as virtual and physical appliances) uses the Entitlement Management System (EMS) to manage license purchases. The system allows you to activate new features and manage existing licenses for the CipherTrust Manager appliance and Connectors.
Important points to review before proceeding:
- CipherTrust Manager release v2.8.0 introduces licensing support for CTE Kubernetes (K8s) clients.
CipherTrust Manager Licenses
Physical CipherTrust Manager appliances are licensed out of the box whereas virtual appliances require their own licenses.
Virtual CipherTrust Manager instances start in Community Edition when first launched, without a Virtual CipherTrust Manager license. You require the Virtual CipherTrust Manager license to access some features. You can apply a 90-day trial evaluation or purchased license to access all features.
CipherTrust Manager licenses are node locked. Every node in a CipherTrust Manager cluster requires a separate license.
Every clone of a CipherTrust Manager appliance requires a separate license.
If you redeploy a CipherTrust Manager, the license can be recovered with assistance from customer support. Virtual CipherTrust Managers restored from snapshots do not need new licenses.
Licenses are activated with the the Key Manager Lock Code.
The k170v model is limited to 4 or fewer CPUs. The k470v license allows for more than 4 CPUs.
Consult Virtual CipherTrust Manager Licensing Model for more information on license enforcement.
CipherTrust Manager enforces Connector licenses through self-service License Portal on the Sentinel platform. Registering new clients, adding new cloud enforced entities, running new scans and generating new reports, and enabling KMIP client communications require active Connector licenses on the CipherTrust Manager appliance.
For details about what operations add to the license count for a particular connector, consult the licensing model page for that product:
In a CipherTrust Manager cluster, the Connector Lock Code is applicable to all nodes of the cluster to enforce Connector licenses across the cluster nodes. When a Connector license is activated for one CipherTrust Manager appliance, the license is replicated to all nodes of the cluster.
To move a Connector license from one CipherTrust Manager cluster to another, revoke the Connector license on one cluster by contacting Thales Customer Support. Then, reactivate the license using the second cluster's Connector Lock Code. The new license string should be uploaded to the second CipherTrust Manager cluster.
If you redeploy a Virtual CipherTrust Manager, Connector licenses can be recovered. Virtual CipherTrust Managers restored from snapshots do not need new licenses.
Community Edition and Trial Evaluation
Every new Virtual CipherTrust Manager instance is deployed as Community Edition. This is a free mode without any license applied.Community Edition has some limitations on administration features. As well, you require licenses for individual client Connector applications to perform Connector operations.
You can start a 90 day trial evaluation of all administration features and most Connectors, or apply purchased licenses.
Applying a Purchased License
If you want to apply a purchased license,
Contact a Thales sales representative to purchase the licenses which are right for you.
There are different options available for time-limited rental or perpetual licenses. As well, some licenses apply counts for operations such as registering clients, generating reports or assigning more CPUs to the Virtual CipherTrust Manager. Consult the licensing model page of your desired product for enforcement details.
When you receive one or more Entitlement IDs for your purchase, visit the License Portal to view available licenses.
Activate your licenses to apply them to your Virtual CipherTrust Manager.
Key Manager Lock Code and Connector Lock Code present on a Virtual CipherTrust Manager instance are used to license the Virtual CipherTrust Manager platform and Connector features.
The Key Manager Lock Code is used for the Virtual CipherTrust Manager license. This license is unique to each CipherTrust Manager appliance, and is not replicated across a cluster.
The Connector Lock Code is used for Connector licenses. Connector licenses are applicable to all nodes of a cluster to enforce Connector licenses across the cluster nodes.
Viewing and Managing Installed Licenses
On the CipherTrust Manager web console, the Admin Settings > Licensing page shows the Installed licenses (features). You can view and delete installed licenses from this page.
Flex Connector Licenses
CipherTrust Manager simplifies Connector licensing by offering flexible (Flex) purchase options. A Connector license can be redeemed to purchase another Connector license of the same type. You can adjust or restructure licenses later according to your requirements. Moreover, new licensed features can be turned on by existing Flex Connectors.
The following table lists the supported Flex licenses.
|Flex Connector - Basic||Flex Connector - Advanced||Flex Connector - Premium||Flex Utilities||Flex Ability|
|CTE UserSpace||CT-VL (VTS)||CTE Teradata||Efficient Storage||-|
|CAKM for Oracle TDE|
|CT-V (TM)||CDP (PDB)||Container Security||-|
|CAKM for MS SQL Server EKM|
|DPG||CDP for Teradata (VTPD)||-||-|
|CAKM for LUKS||-||BDT||-||-|
How Do Flex Connectors Work?
Suppose you want to buy 10 CTE Agents, with 10 LDT add-on licenses, 5 KMIP, 20 CAKM, and 12 CADP (ProtectApp) licenses. The following table lists the licenses you need:
|Flex Connector Type||Quantity|
|Flex Connector - Basic||30 (covers CTE and CAKM)|
|Flex Connector - Advanced||12 (covers CADP)|
|Flex Utilities||10 (covers LDT)|
|Flex Ability||5 (covers KMIP)|
You can redeem 10 CTE product licenses and 20 CAKM product licenses with the Flex Connector - Basic. Later, you can trade in 10 CAKM licenses for 10 CTE licenses. Similarly, you can trade 10 CTE licenses for 10 CAKM licenses.
30 days before a license expires, an orange banner appears on the CipherTrust Manager GUI, as a system message on every page to inform the administrator of the license status.
A red banner is displayed, when one or more licenses are expired. When an administrator navigates through the GUI, the red banner appears as a system message at the top of every page.
These banners are displayed when any license expires, even if other licenses are still valid. For example, if the Virtual CipherTrust Manager license expires before Connector licenses, the expiration does not affect currently registered Connectors.
There is no alert or log entry from the Connector side.
License expiration is based on the CipherTrust Manager’s date. Please note the default time zone on the appliance is UTC if no NTP server is configured.
License Enforcement Summary
The following table summarizes license enforcement for the license types.
|License Type||License Enforcement||License Count Enforcement||Grace Period (90 Days)|
|DDC||Yes||Yes||Yes (DDC configuration becomes read only)|
|KMIP||Yes||Yes (Continues working in non-compliance mode)||N/A (Continues working in non-compliance mode)|
|CTE Teradata||Yes (uses base CTE)||Yes (uses base CTE)||Yes (uses base CTE)|
|CTE SAP HANA||Yes (uses base CTE)||Yes (uses base CTE)||Yes (uses base CTE)|
CipherTrust Intelligent Protection (CIP) is not a licensed product. However, you need the following licenses to use it:
• CipherTrust Manager: Refer to Virtual CipherTrust Manager Licensing Model for details.
• CipherTrust Data Discovery and Classification: Refer to DDC Licensing Model for details.
• CipherTrust Transparent Encryption: Refer to CTE Licensing Model for details.
Connector licenses are enforced through CipherTrust Manager, so the enforcement behaves the same regardless of client software version.
For details about the license enforcement for a particular product, consult the licensing model page for that product: