Configuring CT-VL through the Command Line

This topic describes how the network administrator uses the CT-VL Command Line Interface (CLI) to configure the CT-VL environment, establish connections between the various components, and other system-level tasks.

Accessing the CLI

The network administrator uses the CT-VL CLI to configure the CT-VL environment as described below:

1. Access the CLI through a terminal emulator like PuTTY.

2. On first access, enter the default login and password:

   login: cliadmin
   Password: cliadmin123

   

   Note

   It is recommended to change the password.

3. On first access, you will be prompted to change the password. Save and store your new password securely.

4. On first access, you will be prompted to review and sign the License Agreement.

Refer to CT-VL CLI Navigation Summary and Guidelines for description about CT-VL CLI commands.

Basic Configuration Steps

Note

• The configuration steps in the following sections employ a subset of the CLI commands. See CT-VL CLI Reference for a summary of CLI commands. For complete usage details on any CLI command, run the command with the --help option.

• For multi-node installations, the basic configuration steps in this section must be completed on each node before you Configure CT-VL Nodes.

Configure the CT-VL Network Settings

Configure the network settings for VMware and bare metal installations with a static IP implementation.

Note

Network settings are required only for VMware and bare metal installations, with a static IP implementation. Do not attempt to set the IP address and gateway of the network interface if you are using CTS in an Azure, Amazon, or Google Cloud Platform. Cloud providers assign the IP addresses to the VM through DHCP.

To configure the CT-VL network settings, complete the following tasks:

• Set the IP address for the CT-VL VM.

• Configure the CT-VL DNS server or use the /etc/hosts file.

Check Deployment Prerequisites for the IP address, gateway address, and DNS values you will need.

Set the IP Address for the CT-VL VM

1. Using the CT-VL CLI, navigate to the network commands menu.

2. There are two ways to set the IP address for the CT-VL VM: Interactive (with the setup command) or Non-interactive (with the set command).

Interactive

To set the IP address using the interactive mode, use the setup command followed by the network device name:

network> setup eth0

Using the setup command prompts you for the IP address, as well as other information required to set up the specified network device, such as subnet mask, gateway, and so on.

Non-interactive

To set up the IP address with the non-interactive mode, use the set command with the --ipaddr IPADDR option and argument value. With the same set command invocation, you can also configure other network and device parameters with additional options:

main> network set --help
usage: set [-h] [--device DEVICE] [--onboot {yes,no}] [--disable {yes,no}] [--dhcp {yes,no}] [--ip IP [IP ...]] [--netmask NETMASK] [--gateway GATEWAY] [--dns IP [IP ...] [--search DOMAIN [DOMAIN ...]] [--use_dhcp_dns {yes,no}] [--mtu MTU] [-y]

Options and Arguments to the Non-interactive set Command:

3) Verify the IP address configuration using the show command followed by the device name:

network> show eth0

Configure the CT-VL DNS Server

If your network environment uses DNS, use the set command to configure the nameservers:

network> set --device <eth0> --dns IP [IP ...]

You can configure a maximum of three nameservers.

Show the network/dns configuration with the show --config option:

network> show --config
network:
version: 2
ethernets:
eth0:
  addresses:
  - "<network ip>"
  nameservers:
    addresses:
    - <DNS Server ip>
  routes:
  - to: "default"
    via: "<Gateway Address"

Note

If you are using DHCP, using the set command overrides the nameservers provided by the DHCP.

The /etc/hosts file

If you have hostnames that do not use DNS, you can use the local /etc/hosts file to resolve IP addresses. To update this file, run the CLI "system hosts" command, which includes options to add or remove IP addresses, and to show the hosts file contents.

main> system hosts
usage: hosts [-h] [--show] [--add IP [HOSTNAME ...]] [--remove IP]
Update hosts file
optional arguments:
-h, --help show this help message and exit
--show Show hosts file entries
--add IP [HOSTNAME ...]
Add/update hosts entry
--remove IP Remove hosts entry

For example:

main> system hosts --add 192.168.99.99 rgrimes
192.168.99.99 rgrimes
10.3.110.187 cts-builder2
main> system hosts --show
192.168.99.99 rgrimes
10.3.110.187 cts-builder2

Note

You must do this on each CT-VL, since entries in the hosts file are not replicated across CipherTrust Vaultless Tokenization Server.

Setting the CT-VL Hostname

Set a hostname for the CT-VL VM. This hostname will be used to identify the CT-VL when the CipherTrust Manager (CM) issues a client-certificate.

To set the hostname of the CT-VL VM, run the system hostname command with the --set option in the CT-VL CLI:

main> system hostname --set your_cts_hostname

Importing a Server Certificate for TLS

Use the vts server_certificate command in the CT-VL CLI to import a server certificate.

Enter the command without any options to see a detailed help message that explains all arguments to the command (some of which are deleted from the example shown below to save space):

main> vts server_certificate
usage: server_certificate [-h] [--import {certificate,key}]
[--create {csr,selfsigned,key}] [--size SIZE]
[--show {key,certificate}] [-y] [--country C]
[--state ST] [--locality L] [--organization O]
[--organizational_unit OU] [--common_name HOSTNAME]
[--email EMAIL] [--dns [DNS [DNS ...]]] [--days DAYS]
Server Certificate Utility
optional arguments:
-h, --help show this help message and exit
--import {certificate,key}
import a certificate or private key
--create {csr,selfsigned,key}
create a certificate signing request, a self-signed certificate, or a new private key.
a certificate signing request is created using [ . . .]

Certificates in PEM Format

All certificates used in CT-VL must be in PEM format. The following is an example of a certificate in PEM format:

-----BEGIN CERTIFICATE-----
MIIDrTCCAxagAwIBAgIBADANBgkqhkiG9w0BAQQFADCBnDEbMBkGA1UEChMSVGhl
IFNhbXBsZSBDb21wYW55MRQwEgYDVQQLEwtDQSBEaXZpc2lvbjEcMBoGCSqGSIb3
DQEJARYNY2FAc2FtcGxlLmNvbTETMBEGA1UEBxMKTWV0cm9wb2xpczERMA8GA1UE
CBMITmV3IFlvcmsxCzAJBgNVBAYTAlVTMRQwEgYDVQQDEwtUU0MgUm9vdCBDQTAe
Fw0wMTEyMDgwNDI3MDVaFw0wMjEyMDgwNDI3MDVaMIGcMRswGQYDVQQKExJUaGUg
U2FtcGxlIENvbXBhbnkxFDASBgNVBAsTC0NBIERpdmlzaW9uMRwwGgYJKoZIhvcN
AQkBFg1jYUBzYW1wbGUuY29tMRMwEQYDVQQHEwpNZXRyb3BvbGlzMREwDwYDVQQI
EwhOZXcgWW9yazELMAkGA1UEBhMCVVMxFDASBgNVBAMTC1RTQyBSb290IENBMIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDaiAwfKB6ZBtnTRTIo6ddomt0S9ec0
NcuvtJogt0s9dXpHowh98FCDjnLtCi8du6LDTZluhlOtTFARPlV/LVnpsbyMCXMs
G2qpdjJop+XIBdvoCz2HpGXjUmym8WLqt+coWwJqUSwiEba74JG93v7TU+Xcvc00
5MWnxmKZzD/R3QIDAQABo4H8MIH5MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFG/v
yytrBtEquMX2dreysix/MlPMMIHJBgNVHSMEgcEwgb6AFG/vyytrBtEquMX2drey
six/MlPMoYGipIGfMIGcMRswGQYDVQQKExJUaGUgU2FtcGxlIENvbXBhbnkxFDAS
BgNVBAsTC0NBIERpdmlzaW9uMRwwGgYJKoZIhvcNAQkBFg1jYUBzYW1wbGUuY29t
MRMwEQYDVQQHEwpNZXRyb3BvbGlzMREwDwYDVQQIEwhOZXcgWW9yazELMAkGA1UE
BhMCVVMxFDASBgNVBAMTC1RTQyBSb290IENBggEAMA0GCSqGSIb3DQEBBAUAA4GB
ABclymJfsPOUazNQO8aIaxwVbXWS+8AFEkMMRx6O68ICAMubQBvs8Buz3ALXhqYe
FS5G13pW2ZnAlSdTkSTKkE5wGZ1RYSfyiEKXb+uOKhDN9LnajDzaMPkNDU2NDXDz
SqHk9ZiE1boQaMzjNLu+KabTLpmL9uXvFA/i+gdenFHv
-----END CERTIFICATE-----

Option 1: Regenerating a Self-signed Server Certificate

To generate a self-signed certificate, run the vts server_certificate command with the --create selfsigned option:

main> vts server_certificate --create selfsigned

Enter answers to the informational questions, and restart the web server when asked.

Option 2: Importing an Authenticated Third-party Server Certificate (Recommended)

To import an authenticated third-party CA certificate to the CT-VL, follow the steps below:

1. In the CT-VL CLI, go to the vts category, and enter server_certificate --create csr to generate a certificate request:

   main> vts
   vts> server_certificate --create csr

   Copy

2. Follow the system prompts. A certificate request displays at the command line:

   ------ BEGIN CERTIFICATE REQUEST ------
   . . .
   ------ END CERTIFICATE REQUEST ------

   Copy

3. Copy and paste the certificate request including the "REQUEST" lines onto a third-party certificate request form, such as GoDaddy, Thawte, or Verisign.

4. After receiving the certificate, at the vts command category, run server_certificate --import certificate at the command line:

   vts> server_certificate --import certificate

   Copy

5. When prompted to continue, enter yes.

6. Note that the certificate must be in PEM format. Copy and paste the entire certificate including the CERTIFICATE lines, as shown in the example below:

   -----BEGIN CERTIFICATE-----
   MIID1TCCAr2gAwIBAgIJAMf9x1/DhPfPMA0GCSqGSIb3DQEBCwUAMIGAMQswCQYD
   VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTERMA8GA1UEBwwIU2FuIEpvc2Ux
   . . .
   9hZV7uAAnRzqaodIPQYAQBwbj58/eo8hMw4JflfJWTavZuFt/hpnbnxEECynd+s4
   cLSgBd7x4aeDKt0vinSvBv2niyZyLOv1eg==
   -----END CERTIFICATE-----

   Copy

7. Enter Ctrl-d to end the input.

8. The CT-VL imports the certificate and tries to verify that the imported certificate matches the private key generated at the time the certificate was generated.

9. The system prompts you to restart the web server. Type yes.

10. The web server component of the CT-VL is restarted, and the new certificate takes effect. The system is set up using the third-party server certificate for TLS connections.

Restarting CT-VL

After all CLI configuration is completed:

1. Navigate to the vts commands menu:

   main > **vts**
   vts

   Copy

2. Restart the web server component of CT-VL:

   vts> service --restart

   Copy