Network Configuration Parameters
CAPI
The following table lists the network configuration parameters for CAPI.
Parameter | Default | Description |
---|---|---|
NAE_IP | No default | IP address/hostname of the CipherTrust Manager. For details, refer to Setting NAE_IP. |
NAE_Port | 9000 | Port of the CipherTrust Manager. Note: Clients and servers must use the same port. For details, refer to Setting NAE_Port. |
KMIP_IP | | IP address/hostname of the KMIP compliant server(s). You can configure both IPv4 and IPv6 addresses. Specify the IPv6 address within curly braces {.....}. Example: {fe80:0:0:0:200:f8ff:fe21:67cf}. Use multiple IP addresses/hostnames separated by colons (:) when load balancing is used. Example for IPv4: 192.168.1.100:192.168.1.101:192.168.1.102. Example for IPv6: {fe80:0:0:0:200:f8ff:fe21:67cf}:{fe80:234f:0:0:200:f8ff:fe21:832d}. Example for a combination of IPv4 and IPv6: 192.168.1.10:{fe80:0:0:0:200:f8ff:fe21:67cf}. These servers must have the same value for the KMIP_Port parameter. |
KMIP_Port | | Port of the KMIP compliant server. |
Protocol | tcp | Protocol used for communication between the client and server. Valid values: • tcp • ssl Clients and servers must use the same protocol. It can be either tcp or ssl. The ssl option uses TLSv1.2. By default, TLSv1.2 is enabled on all CipherTrust Manager(s). Recommended value is "ssl". The ssl option is mandatory for communication with KMIP compliant servers. For example, while communicating with KMIP compliant servers, you must set Protocol=ssl. Note: • If your servers are listening to SSL requests, and your clients aren’t sending SSL requests, there will be no communication between the client and the server. • It is recommended that you gradually increase security after confirming connectivity between the client and CipherTrust Manager. Once you have established a TCP connection between the client and server, it is safe to move on to SSL. Initially, configuring a client under the most stringent security constraints can complicate troubleshooting. |
Syslog_Server_IP | | IP address/hostname of the Syslog server where the logs will be redirected/stored. You can configure both IPv4 and IPv6 addresses. Specify the IPv6 address within curly braces {.....}. Example: {fe80:234f:0:0:200:f8ff:fe21:832d}. |
Syslog_Server_Port | 514 | Port of the Syslog server where the logs will be redirected/stored. |
Syslog_Server_Protocol | tcp_ok | Protocol used for communication between the client and the server. Valid values: • udp • tcp_ok - Enables the tcp protocol • ssl - Enables the SSL/TLS protocol • no |
Syslog_no_of_retries | 3 times | Determines the maximum number of times the connection to the server is retried. This is valid when Syslog_Server_Protocol is set to tcp_ok or SSL. Valid value: Any positive integer. |
Syslog_Retry_Interval | 1 sec | Determines the time in seconds, after which the connection is retried since the last try. This is valid when Syslog_Server_Protocol is set to tcp_ok or SSL. Valid value: Any positive integer. |
Syslog_Retry_Limit | 2 times | Determines the maximum number of attempts a user can make for one particular connection. This is valid when Syslog_Server_Protocol is set to tcp_ok or SSL. Valid value: Any positive integer. For example, if the value of Syslog_retry_limit = 2 and Syslog_no_of_retries = 3, the maximum number of times a connection can be retried is 3x2=6 times, with the time gap between tries set by Syslog_Retry_Interval. Note: Some amount of data loss is expected in UDP. |
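
The following is an added example, not part of the product or its documentation: a small Python pre-deployment check that parses a KMIP_IP value in the colon-separated, curly-brace IPv6 format described above, flags settings that conflict with the Protocol rules in the table, and computes the syslog retry ceiling. The function names are hypothetical, and the parameters are assumed to have already been loaded into a dict keyed by the names in the table.

```python
import ipaddress
import re

# One KMIP_IP entry: an IPv6 literal in {braces}, or a host/IPv4 with no colon.
_ENTRY = re.compile(r"\{([^{}]*)\}|([^:{}\s]+)")

def parse_kmip_ip(value):
    """Split a KMIP_IP value into its hosts, validating braced IPv6 entries."""
    value = value.strip()
    try:
        ipaddress.IPv6Address(value)
    except ValueError:
        pass
    else:
        # Unbraced, every colon would be read as a host separator.
        raise ValueError("IPv6 address must be written inside {...}")
    hosts, pos = [], 0
    while True:
        m = _ENTRY.match(value, pos)
        if not m:
            raise ValueError(f"bad KMIP_IP entry at offset {pos}")
        if m.group(1) is not None:
            ipaddress.IPv6Address(m.group(1))  # raises ValueError if malformed
        hosts.append(m.group(1) or m.group(2))
        pos = m.end()
        if pos == len(value):
            return hosts
        if value[pos] != ":":
            raise ValueError(f"expected ':' at offset {pos}")
        pos += 1

def lint(cfg):
    """Check a dict of CAPI network parameters against the table's rules."""
    findings = []
    protocol = cfg.get("Protocol", "tcp")  # table default
    if cfg.get("KMIP_IP"):
        parse_kmip_ip(cfg["KMIP_IP"])
        if protocol != "ssl":
            findings.append("KMIP_IP is set, so Protocol must be ssl")
    elif protocol != "ssl":
        findings.append("Protocol is not ssl (the recommended value)")
    if cfg.get("Syslog_Server_IP") and cfg.get("Syslog_Server_Protocol", "tcp_ok") != "ssl":
        findings.append("Syslog_Server_Protocol is not ssl")
    return findings

def max_syslog_attempts(cfg):
    """Syslog_Retry_Limit x Syslog_no_of_retries, using the table defaults."""
    return int(cfg.get("Syslog_Retry_Limit", 2)) * int(cfg.get("Syslog_no_of_retries", 3))
```

The unbraced-IPv6 check only catches a value that is a single IPv6 address; a mixed list with an unbraced IPv6 entry is still split at every colon, which is why the braces are required.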
PKCS#11
The following table lists the network configuration parameters for PKCS#11.
Parameter | Default | Description |
---|---|---|
NAE_IP | No default | IP address/hostname of the CipherTrust Manager. For details, refer to Setting NAE_IP. |
NAE_Port | 9000 | Port of the CipherTrust Manager. Note: Clients and servers must use the same port. For details, refer to Setting NAE_Port. |
Protocol | tcp | Protocol used for communication between the client and server. Valid values: • tcp • ssl Clients and servers must use the same protocol. It can be either tcp or ssl. The ssl option uses TLSv1.2. By default, TLSv1.2 is enabled on all CipherTrust Manager(s). Recommended value is "ssl". The ssl option is mandatory for communication with KMIP compliant servers. For example, while communicating with KMIP compliant servers, you must set Protocol=ssl. Note: • If your servers are listening to SSL requests, and your clients aren’t sending SSL requests, there will be no communication between the client and the server. • It is recommended that you gradually increase security after confirming connectivity between the client and CipherTrust Manager. Once you have established a TCP connection between the client and server, it is safe to move on to SSL. Initially, configuring a client under the most stringent security constraints can complicate troubleshooting. |