CT-VL Deployment Prerequisites
All Prerequisites
CipherTrust Manager server 2.0 or higher.
VMware vSphere ESXi Server 6.0 or higher, Hyper-V, or KVM as the hypervisor; or the AWS, Azure, or Google cloud platforms.
An Intel x86_64 physical machine (bare metal) can be used in place of a virtual machine. Wherever this document refers to virtual machines, the statement also applies to physical machines.
CT-VL ISO, OVA, or cloud image, version 2.6.0 or higher. For physical machines, the disk must be at least 85 GB.
For optimal performance, the recommended sizing for a CT-VL VM is 4 CPUs and 16 GB of memory.
Active Directory/LDAP Server Requirements
An optional AD/LDAP server can serve as the source of user accounts and authenticate their credentials when they request services.
See Understanding CT-VL Authentication and Authorization for a conceptual basis on how AD/LDAP is used.
Requirements:
Access to the AD/LDAP server containing users and groups that will have CT-VL privileges.
For LDAPS, the LDAP server's CA certificate must be imported into the Tokenization Server so that CT-VL can validate the server's certificate chain.
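Before importing the CA certificate, it is worth confirming that the file really is a CA certificate (not the server's leaf certificate) and that the LDAP server's chain validates against it; an unvalidated chain is the usual cause of an LDAPS bind that works with `ldapsearch` but fails from the appliance. The following is an added example written for this page, not CT-VL's own code; the hostname, file paths, and the 30-day expiry margin are assumptions.

```shell
#!/bin/sh
# Added example, not part of the CT-VL documentation: sanity-check the CA
# certificate before importing it as the LDAPS trust anchor, then confirm
# that the LDAP server's chain actually validates against it.
# Assumptions: openssl is installed; host and paths below are placeholders.

# Return 0 if FILE parses as a PEM X.509 certificate, is a CA
# (basicConstraints CA:TRUE) and does not expire within 30 days.
# Importing a leaf or nearly expired certificate as the trust anchor is a
# common cause of LDAPS handshake failures.
is_ca_cert() {
    f="$1"
    openssl x509 -in "$f" -noout >/dev/null 2>&1 || return 1
    openssl x509 -in "$f" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 1
    openssl x509 -in "$f" -noout -checkend $((30 * 86400)) >/dev/null 2>&1
}

# Read "openssl s_client" output on stdin; succeed only when chain
# verification passed. Anything else (self-signed, unknown issuer, hostname
# mismatch, expired) would also fail once CT-VL tries to bind over LDAPS.
chain_verified() {
    grep -q 'Verify return code: 0 (ok)'
}

# Connect to HOST:636 and validate the server chain using CAFILE only,
# exactly the trust the appliance will have after the import.
verify_ldaps() {
    host="$1"; cafile="$2"
    openssl s_client -connect "$host:636" -servername "$host" \
        -CAfile "$cafile" -verify_hostname "$host" </dev/null 2>/dev/null | chain_verified
}

# Usage: sh ldaps-precheck.sh --run /path/to/ad-root-ca.pem dc01.corp.example
if [ "${1:-}" = "--run" ]; then
    CA_FILE="${2:-/tmp/ad-root-ca.pem}"      # assumption: exported AD/LDAP CA cert
    LDAP_HOST="${3:-dc01.corp.example}"      # assumption: your directory server
    is_ca_cert "$CA_FILE" || { echo "$CA_FILE is not a usable CA certificate" >&2; exit 1; }
    if verify_ldaps "$LDAP_HOST" "$CA_FILE"; then
        echo "LDAPS chain for $LDAP_HOST verifies against $CA_FILE"
    else
        echo "chain verification failed; do not enable LDAPS yet" >&2
        exit 1
    fi
fi
```

The check is deliberately done with only `-CAfile` and no system trust store, so a chain that happens to validate against the workstation's bundle but not against the single certificate you are about to import is caught here rather than after the cutover.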
Load Balancer Requirements
A cluster of CT-VL nodes can be installed and run as one coherent CT-VL system behind a load balancer. The load balancer is the single entry point for tokenization and cryptographic services and distributes requests across all nodes in the cluster, giving the system scalability and resilience to the loss of a node.
CT-VL supports the following methods of load balancing:
Round-robin: Requests are distributed to the nodes in turn.
Least-connected: Each new request goes to the node with the fewest active connections, so nodes that are already busy receive less new work.
IP-hash: A hash of the client IP address selects the node, so a given client is consistently routed to the same node. Use this when clients need session persistence (sticky sessions).
The load balancer must support TLS 1.1 or higher. TLS 1.0 and 1.1 are deprecated (RFC 8996), so configure the load balancer to offer only TLS 1.2 or later wherever clients permit it.
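As an added example (not CT-VL's own tooling or a configuration shipped with the product), the script below emits an nginx front end for a CT-VL cluster with the balancing method selected by the names used above, offers only TLS 1.2 and 1.3 to clients, and validates the nodes' certificates on the back-end hop. Node addresses, certificate paths and the hostnames are assumptions.

```shell
#!/bin/sh
# Added example, not from the CT-VL documentation or product: generate an
# nginx reverse-proxy configuration for a CT-VL cluster. The three method
# names map onto nginx directives; node addresses and paths are assumptions.

# Print an nginx "upstream" block for METHOD over the node addresses that
# follow. An unknown method is an error rather than a silent fallback to
# round-robin, so a typo cannot change the routing policy unnoticed.
lb_upstream() {
    method="$1"; shift
    case "$method" in
        round-robin)     directive="" ;;                 # nginx default
        least-connected) directive="    least_conn;" ;;
        ip-hash)         directive="    ip_hash;" ;;     # sticky by client IP
        *) echo "unknown balancing method: $method" >&2; return 1 ;;
    esac
    [ "$#" -ge 1 ] || { echo "at least one CT-VL node address is required" >&2; return 1; }
    echo "upstream ctvl_nodes {"
    [ -n "$directive" ] && echo "$directive"
    for node in "$@"; do
        # a node that fails 3 times in 30 s is taken out of rotation
        echo "    server $node:443 max_fails=3 fail_timeout=30s;"
    done
    echo "}"
}

# Print the listening server block. $1 is the public name clients use,
# $2 the name present in every node's certificate (assumption: the nodes
# share one cluster certificate or SAN).
lb_server() {
    public_name="$1"; node_name="$2"
    cat <<EOF
server {
    listen 443 ssl;
    server_name $public_name;
    ssl_certificate     /etc/nginx/tls/ctvl-lb.crt;   # assumption: LB cert path
    ssl_certificate_key /etc/nginx/tls/ctvl-lb.key;
    # CT-VL needs TLS 1.1 or higher; 1.0 and 1.1 are deprecated (RFC 8996),
    # so only 1.2 and 1.3 are offered to clients.
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass https://ctvl_nodes;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        # the hop to the nodes is TLS as well: verify their certificates
        # instead of blindly trusting whatever answers on port 443
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/ctvl-nodes-ca.pem;
        proxy_ssl_server_name on;
        proxy_ssl_name $node_name;
    }
}
EOF
}

# Usage: sh ctvl-lb.sh --print least-connected > /etc/nginx/conf.d/ctvl.conf
if [ "${1:-}" = "--print" ]; then
    lb_upstream "${2:-round-robin}" 10.0.0.11 10.0.0.12 10.0.0.13   # assumed node IPs
    lb_server tokens.corp.example ctvl-node.corp.example            # assumed names
fi
```

`proxy_ssl_verify` is off by default in nginx, which is why the example sets it explicitly: without it the load balancer would accept any certificate from the back end, and the TLS requirement on the client side would give a false sense of end-to-end protection.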
Port Configuration
If CT-VL must communicate with other components through a firewall, open the ports listed in the following tables.
The first table lists the ports that must be open for incoming communication to CT-VL:
Port No. | Protocol | Communication | Description |
---|---|---|---|
22 | TCP | Management Console → CT-VL | Administration CLI SSH access. |
443 | TCP | Browser, Requester, or CLI → CT-VL | HTTPS access for the Administration GUI and the REST/JSON API. |
5432 | TCP | CT-VL ↔ CT-VL | Required only when the cluster has more than one node. Used exclusively for communication between the CT-VL nodes in a cluster, so restrict it to the addresses of the other cluster nodes rather than opening it to any source. |
The second table lists the ports that must be open for outgoing communication from CT-VL:
Port No. | Protocol | Communication | Description |
---|---|---|---|
User-defined | TCP | CT-VL → Log Server | Remote logging on the port configured for the log server. |
123 | UDP | CT-VL ↔ NTP Server | Optional network time synchronization. |
389 | TCP | CT-VL → LDAP Server | Optional LDAP connection. This is unencrypted, so a simple bind sends the user's credentials in the clear; prefer LDAPS on port 636 and open 389 only if plain LDAP is genuinely required. |
636 | TCP | CT-VL → LDAPS Server | Optional LDAPS (LDAP over TLS) connection. |