Configuring CT-VL through the Command Line
This topic describes how the network administrator uses the CT-VL Command Line Interface (CLI) to configure the CT-VL environment, establish connections between the various components, and other system-level tasks.
Accessing the CLI
The network administrator uses the CT-VL CLI to configure the CT-VL environment as described below:
Access the CLI through a terminal emulator like PuTTY.
On first access, enter the default login and password:
login: cliadmin
Password: cliadmin123
Note
It is recommended to change the password.
On first access, you will be prompted to change the password. Save and store your new password securely.
On first access, you will be prompted to review and sign the License Agreement.
Refer to CT-VL CLI Navigation Summary and Guidelines for a description of the CT-VL CLI commands.
Basic Configuration Steps
Note
The configuration steps in the following sections employ a subset of the CLI commands. See CT-VL CLI Reference for a summary of CLI commands. For complete usage details on any CLI command, run the command with the --help option.
For multi-node installations, the basic configuration steps in this section must be completed on each node before you Configure CT-VL Nodes.
Configure the CT-VL Network Settings
Configure the network settings for VMware and bare metal installations with a static IP implementation.
Note
Network settings are required only for VMware and bare metal installations with a static IP implementation. Do not attempt to set the IP address and gateway of the network interface if you are running CTS on Azure, Amazon, or Google Cloud Platform: cloud providers assign IP addresses to the VM through DHCP.
To configure the CT-VL network settings, complete the following tasks:
Set the IP address for the CT-VL VM.
Configure the CT-VL DNS server or use the /etc/hosts file.
Check Deployment Prerequisites for the IP address, gateway address, and DNS values you will need.
Set the IP Address for the CT-VL VM
1) Using the CT-VL CLI, navigate to the network commands menu.
2) There are two ways to set the IP address for the CT-VL VM: interactive (with the setup command) or non-interactive (with the set command).
Interactive
To set the IP address using the interactive mode, use the setup command followed by the network device name:
network> setup eth0
The setup command prompts you for the IP address, as well as the other information required to set up the specified network device, such as the subnet mask and gateway.
Non-interactive
To set the IP address in non-interactive mode, use the set command with the --ip IPADDR option. In the same set command invocation, you can also configure other network and device parameters with additional options:
main> network set --help
usage: set [-h] [--device DEVICE] [--onboot {yes,no}] [--disable {yes,no}] [--dhcp {yes,no}] [--ip IP [IP ...]] [--netmask NETMASK] [--gateway GATEWAY] [--dns IP [IP ...]] [--search DOMAIN [DOMAIN ...]] [--use_dhcp_dns {yes,no}] [--mtu MTU] [-y]
Options and Arguments to the Non-interactive set Command:
Option | Argument | Description
---|---|---
--help | - | Show this help message and exit
--onboot | yes/no | Enable this device at boot time
--disable | yes/no | Disable the network interface
--device | DEVICE | Network device interface, for example, eth0, eth1, ...
--dhcp | yes/no | Use DHCP
--ip | IPADDR | Set the IPv4 address of this device to IPADDR
--netmask | NETMASK | Set the netmask of this device to NETMASK (for example, 255.255.0.0)
--gateway | GATEWAY | Specify the gateway IP address as GATEWAY
--dns | IP [IP ...] | Set the IP addresses of the DNS nameservers
--mtu | MTU | Set the maximum transmission unit (MTU) value to MTU
--search | DOMAIN [DOMAIN ...] | Set the DNS search domains
--use_dhcp_dns | yes/no | Set to no to override the nameservers received from DHCP
-y | - | Do not prompt for confirmation
3) Verify the IP address configuration using the show command followed by the device name:
network> show eth0
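A pre-flight check for the non-interactive set options above, added here as an example and not part of the CT-VL CLI or its documentation: it validates that the planned --ip, --netmask, --gateway and --dns values are consistent (gateway inside the subnet, at most three nameservers as the DNS section states) before rendering the set line. The device name and addresses are constructed sample values.

```python
import ipaddress

MAX_NAMESERVERS = 3  # the CT-VL CLI accepts at most three DNS nameservers


def validate_static_network(ip, netmask, gateway, dns=()):
    """Return a list of problems with a static-IP plan; [] means it is consistent."""
    try:
        # IPv4Interface accepts a dotted netmask, e.g. "10.3.110.187/255.255.255.0"
        iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    except ValueError as exc:
        return [f"bad address or netmask: {exc}"]
    problems = []
    net = iface.network
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        problems.append(f"bad gateway: {exc}")
        gw = None
    if gw is not None:
        if gw not in net:
            problems.append(f"gateway {gw} is outside {net}")
        elif gw == iface.ip:
            problems.append("gateway equals the device address")
        elif net.prefixlen < 31 and gw in (net.network_address, net.broadcast_address):
            problems.append(f"gateway {gw} is the network or broadcast address")
    if len(dns) > MAX_NAMESERVERS:
        problems.append(f"{len(dns)} nameservers given, maximum is {MAX_NAMESERVERS}")
    for server in dns:
        try:
            ipaddress.IPv4Address(server)
        except ValueError:
            problems.append(f"bad nameserver address: {server}")
    return problems


def build_set_command(device, ip, netmask, gateway, dns=()):
    """Render the non-interactive `network set` line for a plan that passes validation."""
    problems = validate_static_network(ip, netmask, gateway, dns)
    if problems:
        raise ValueError("; ".join(problems))
    cmd = (f"network set --device {device} --dhcp no --onboot yes "
           f"--ip {ip} --netmask {netmask} --gateway {gateway}")
    if dns:
        cmd += " --dns " + " ".join(dns)
    return cmd


if __name__ == "__main__":
    # constructed sample values, not a real deployment
    print(build_set_command("eth0", "10.3.110.187", "255.255.255.0", "10.3.110.1", ["10.3.110.2"]))
```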
Configure the CT-VL DNS Server
If your network environment uses DNS, use the set command to configure the nameservers:
network> set --device <eth0> --dns IP [IP ...]
You can configure a maximum of three nameservers.
Show the network and DNS configuration with the show --config option:
network> show --config
network:
  version: 2
  ethernets:
    eth0:
      addresses:
      - "<network ip>"
      nameservers:
        addresses:
        - <DNS Server ip>
      routes:
      - to: "default"
        via: "<Gateway Address>"
Note
If you are using DHCP, the set command overrides the nameservers provided by DHCP.
The /etc/hosts file
If you have hostnames that do not use DNS, you can use the local /etc/hosts file to resolve IP addresses. To update this file, run the CLI "system hosts" command, which includes options to add or remove IP addresses and to show the hosts file contents.
main> system hosts
usage: hosts [-h] [--show] [--add IP [HOSTNAME ...]] [--remove IP]
Update hosts file
optional arguments:
-h, --help show this help message and exit
--show Show hosts file entries
--add IP [HOSTNAME ...]
Add/update hosts entry
--remove IP Remove hosts entry
For example:
main> system hosts --add 192.168.99.99 rgrimes
192.168.99.99 rgrimes
10.3.110.187 cts-builder2
main> system hosts --show
192.168.99.99 rgrimes
10.3.110.187 cts-builder2
Note
You must do this on each CT-VL node, since entries in the hosts file are not replicated across CipherTrust Vaultless Tokenization Server nodes.
Setting the CT-VL Hostname
Set a hostname for the CT-VL VM. This hostname is used to identify the CT-VL when the CipherTrust Manager (CM) issues a client certificate.
To set the hostname of the CT-VL VM, run the system hostname command with the --set option in the CT-VL CLI:
main> system hostname --set your_cts_hostname
Importing a Server Certificate for TLS
Use the vts server_certificate command in the CT-VL CLI to import a server certificate.
Enter the command without any options to see a detailed help message that explains all arguments to the command (some of which are omitted from the example shown below to save space):
main> vts server_certificate
usage: server_certificate [-h] [--import {certificate,key}]
[--create {csr,selfsigned,key}] [--size SIZE]
[--show {key,certificate}] [-y] [--country C]
[--state ST] [--locality L] [--organization O]
[--organizational_unit OU] [--common_name HOSTNAME]
[--email EMAIL] [--dns [DNS [DNS ...]]] [--days DAYS]
Server Certificate Utility
optional arguments:
-h, --help show this help message and exit
--import {certificate,key}
import a certificate or private key
--create {csr,selfsigned,key}
create a certificate signing request, a self-signed certificate, or a new private key.
a certificate signing request is created using [ . . .]
Certificates in PEM Format
All certificates used in CT-VL must be in PEM format. The following is the outline of a certificate in PEM format:
-----BEGIN CERTIFICATE-----
. . .
-----END CERTIFICATE-----
Option 1: Regenerating a Self-signed Server Certificate
To generate a self-signed certificate, run the vts server_certificate command with the --create selfsigned option:
main> vts server_certificate --create selfsigned
Enter answers to the informational questions, and restart the web server when asked.
Option 2: Importing an Authenticated Third-party Server Certificate (Recommended)
To import an authenticated third-party CA certificate to the CT-VL, follow the steps below:
1) In the CT-VL CLI, go to the vts category and enter server_certificate --create csr to generate a certificate request:
main> vts
vts> server_certificate --create csr
2) Follow the system prompts. A certificate request displays at the command line:
------ BEGIN CERTIFICATE REQUEST ------ . . . ------ END CERTIFICATE REQUEST ------
3) Copy and paste the certificate request, including the "REQUEST" lines, into a third-party certificate request form, such as GoDaddy, Thawte, or Verisign.
4) After receiving the certificate, at the vts command category, run server_certificate --import certificate at the command line:
vts> server_certificate --import certificate
5) When prompted to continue, enter yes. Note that the certificate must be in PEM format. Copy and paste the entire certificate, including the CERTIFICATE lines, as shown in the example below:
-----BEGIN CERTIFICATE-----
MIID1TCCAr2gAwIBAgIJAMf9x1/DhPfPMA0GCSqGSIb3DQEBCwUAMIGAMQswCQYD
VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTERMA8GA1UEBwwIU2FuIEpvc2Ux
. . .
9hZV7uAAnRzqaodIPQYAQBwbj58/eo8hMw4JflfJWTavZuFt/hpnbnxEECynd+s4
cLSgBd7x4aeDKt0vinSvBv2niyZyLOv1eg==
-----END CERTIFICATE-----
6) Enter Ctrl-d to end the input. The CT-VL imports the certificate and checks that the imported certificate matches the private key generated when the certificate request was created.
7) The system prompts you to restart the web server. Type yes. The web server component of the CT-VL is restarted, and the new certificate takes effect. The system is now set up to use the third-party server certificate for TLS connections.
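A sanity check to run on certificate text before pasting it into server_certificate --import certificate, added here as an example and not part of the CT-VL product. It applies the PEM requirement from the Certificates in PEM Format section and catches the common paste faults: a CERTIFICATE REQUEST block pasted instead of a CERTIFICATE, stray non-base64 characters, and a truncated paste, which it detects by comparing the length the outer DER SEQUENCE declares with the bytes actually decoded. The sample PEM block is constructed and is not a real certificate.

```python
import base64
import re

# One PEM block: label, base64 body, label.  \s* tolerates CRLF and blank lines.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END ([A-Z ]+)-----", re.S)


def der_total_length(der):
    """Bytes the outer DER SEQUENCE claims to span (header + content), or None."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 is the SEQUENCE tag
        return None
    first = der[1]
    if first < 0x80:                            # short-form length
        return 2 + first
    n = first & 0x7F                            # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem_certificate(text):
    """Return a list of problems with pasted certificate text; [] means it looks sane."""
    problems = []
    blocks = PEM_RE.findall(text.replace("\r\n", "\n"))
    if not blocks:
        return ["no -----BEGIN ...----- / -----END ...----- block found"]
    if len(blocks) > 1:
        problems.append(f"{len(blocks)} PEM blocks pasted; import one certificate at a time")
    begin, body, end = blocks[0]
    if begin != end:
        problems.append(f"BEGIN label '{begin}' does not match END label '{end}'")
    if begin != "CERTIFICATE":
        problems.append(f"block is a '{begin}', not a CERTIFICATE")
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:
        return problems + ["body is not valid base64 (stray characters or a damaged paste)"]
    expected = der_total_length(der)
    if expected is None:
        problems.append("decoded data is not a DER SEQUENCE, so not an X.509 certificate")
    elif expected != len(der):
        problems.append(f"DER length {expected} != {len(der)} bytes decoded; paste is truncated or padded")
    return problems


# Constructed sample: a 7-byte DER SEQUENCE (INTEGER 1, NULL) stands in for a real
# certificate body, which is far longer.  It exercises the framing only.
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\n"
               + base64.b64encode(bytes.fromhex("30050201010500")).decode()
               + "\n-----END CERTIFICATE-----\n")
SAMPLE_TRUNCATED = SAMPLE_CERT.replace("AA==\n", "\n")   # last base64 group dropped
```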
See Next:
Registering CT-VL with CM
Configuring CT-VL Nodes
Configuring an AD/LDAP Server
Configuring ADFS and LDAP for OAuth
Configuring the settings.ini file for LDAP
Restarting CT-VL server
Restarting CT-VL
After all CLI configuration is completed:
Navigate to the vts commands menu:
main> vts
Restart the web server component of CT-VL:
vts> service --restart