Managing Clients

A client is a computer system where the data needs to be protected. A compatible CTE Agent software is installed on the client. The CTE Agent can protect data on the client or devices connected to it. A client can be associated with multiple GuardPoints for encryption of various paths (refer to Managing GuardPoints for details).

The Clients page of the CipherTrust Data Security Platform Service GUI displays all clients protected by encryption Agents.

CDSPaaS supports CTE Agent for Windows 7.6.0-132 and above and CTE Agent for Linux 7.6.0-134 and above. Each CDSPaaS service supports up to 50 clients. We recommend up to 100 guardpoints per client. Contact Thales to set up deployments with more than 50 clients or more than 5000 guardpoints.

Registering Clients

When CTE clients are registered, they are automatically added to the CipherTrust Data Security Platform Service GUI. Refer to the CTE Agent Quick Start Guide specific to your platform for information on installing and configuring CTE Agents.

Adding Clients Manually

Optionally, the CipherTrust Data Security Platform Service administrator can manually add a client to the CipherTrust Data Security Platform Service GUI - even before the CTE Agent is installed on it.

To add the client manually:

1. Log on to the CipherTrust Data Security Platform Service GUI as administrator.

2. Open the Transparent Encryption application. The Clients page is displayed.

3. Click Create Client. The General Info screen of the Create Client wizard is displayed.

General Info

1. Specify a unique Name for the client.

2. Set the Password Generation Method. The options are:

   • Generate: A password is generated automatically by CipherTrust Data Security Platform Service. This is the default method.

   • Manual: Set the password manually.

     1. Select Manual.

     2. Enter the new password in the Password and Confirm Password fields. The password must match in both fields.

     Note

     The password must contain minimum eight characters including at least:

     • One capital letter

     • One number

     • One of these special characters: ! @ # $ % ^ & * ( ) { } [ ]

   Refer to Changing Client Password for details.

3. Provide a Description for the client.

4. Specify the following, as appropriate:

   • UserSpace Client: Ensure that the check box is clear. This check box specifies whether the client will be a CTE UserSpace client.

   • Registration Allowed: Whether to allow client's registration with the CipherTrust Data Security Platform Service. Select to allow, clear to deny registration. By default, the registration is not allowed.

   • Communication Enabled: Whether to enable the client's communication with the CipherTrust Data Security Platform Service. Select to enable, clear to disable communication. By default, the communication is disabled. This can only be enabled when Registration Allowed is enabled.

5. Click Next. The Add GuardPoints screen is displayed.

Add GuardPoints (Optional)

Optionally, you can create GuardPoints on the manually added client. CTE supports creation of all types of GuardPoints on such clients.

1. Click Create GuardPoint.

2. Select a Policy. Refer to Policy Type under Creating Policies > Step 1: Specify General Information for details.

3. Specify the Type of the GuardPoint. Refer to Automatic and Manual GuardPoints for details on types of GuardPoints.

4. Specify the Path (or Cloud Object Storage URL for a COS GuardPoint) to be protected. Refer to Managing GuardPoints for details.

5. Configure Preserve Sparse Region, In-Place Data Transformation, and/or Auto Mount as appropriate. The options vary based on the selected policy, as follows:

   • Preserve Sparse Region pre-selected for an LDT policy.

   • In-Place Data Transformation pre-selected for an IDT policy.

   • Auto Mount for a Standard policy.

   Note

   • The Secure Start option cannot be enabled for GuardPoints on manually added clients.

   • The Multifactor Authentication option is unavailable for GuardPoints on manually added clients.

6. Click Create. The newly created GuardPoint appears in the list.

7. Click Next. The Confirmation screen is displayed.

Confirmation

1. Verify the client details. The Confirmation screen displays general information about the client and details of the GuardPoints added to the client.

   If the details are incorrect or you want to modify them, click Back and update the details.

2. Click Save.

The newly created client appears in the clients list.

Searching Clients

The Clients page on the CipherTrust Data Security Platform Service GUI shows the list of registered clients.

To search for a registered client:

1. Log on to the CipherTrust Data Security Platform Service GUI as administrator.

2. Open the Transparent Encryption application. The Clients page is displayed. This page lists the clients added to this CipherTrust Data Security Platform Service appliance.

3. In the Search box, enter the client name. Search is case-insensitive. You can enter all or part of a client name. A partial client name displays every client with a name that contains the specified string.

   

Viewing Clients

The Clients page shows the total number of clients, clients with errors, clients with warnings, healthy clients, unregistered clients. The Status Bar contains the following tabs:

• Total Clients: Shows the total number of registered and unregistered clients with all types of health status.

• Errors: Shows the number of clients with errors.

• Warnings: Shows the number of clients with warnings.

• Healthy: Shows the number of healthy clients.

• Unregistered: Shows the number of unregistered clients.

• Expunged: Shows the number of expunged clients.

Refer to Client States for details.

Click each tab to filter the clients. The clients list displays names of clients in the CipherTrust Data Security Platform Service database and details about their configuration.

To view the clients added to the CipherTrust Data Security Platform Service:

1. Open the Transparent Encryption application.

2. Click Clients > Clients. The clients list shows the following details:

   

   Column	Description
   Status	Health status of the client: • Healthy • Error • Warning • Unregistered • Expunged The Unregistered and Expunged states are not applicable to the CTE for Kubernetes clients. Refer to Client States for details.
   Client Name	Name link of the client on the CipherTrust Data Security Platform Service.
   Client Type	The type of the client. CipherTrust Data Security Platform Service only supports FS (a CTE client)
   Protection Mode	The protection mode of the client: • CTE (File system protection, unregistered clients) • RWP (Ransomware protection, Windows clients) • CTE RWP (Both file system and Ransomware protection, Windows clients) When you unenroll (unregister) a client, its Protection Mode does not change. For example, if the Protection Mode of a client before unenrolling is CTE RWP, the mode remains CTE RWP after the client is unenrolled.
   OS Type	OS running on the client: • AIX • LINUX • WINDOWS • UNKNOWN • FREEBSD UNKNOWN is displayed for unregistered or manually added clients. FREEBSD is supported by CTE UserSpace.
   Agent Version	Version of the CTE Agent installed on the client. For unregistered or manually added clients, the field is empty.
   Description	Description to identify the client.
   Encryption Modes	Encryption mode(s) used to protect GuardPoints on the client, for example, CBC, CBC_CS1, and XTS.
   LDT Enabled	Whether LDT is enabled on the client.
   Profile	Profile linked to the client.

   The **Encryption Modes**, **LDT Enabled**, and **Profile** columns are hidden by default. To show/hide a column, click the custom view icon (![Custom View icon]({static}/images/cte/cust-view-ico.png)), select/clear the desired column, and click **OK**.
   

Client States

• Healthy: Client is registered with the CipherTrust Data Security Platform Service without any errors, that is, init is received from Agent without any issues.

• Error: Client's communication is broken with the CipherTrust Data Security Platform Service for more than five minutes.

• Warning: Client's communication is broken with the CipherTrust Data Security Platform Service or a GuardPoint is inactive due to any reasons.

• Unregistered: Client is unenrolled from the CipherTrust Data Security Platform Service.

• Expunged: Client's delete operation is triggered, but its confirmation is not yet received from the Agent.

Getting Latest Client Status

By default, the status of a registered client is updated on the CipherTrust Data Security Platform Service when the configuration of the client changes. However, if needed, you can manually fetch the latest status of the client at any time.

To get the latest status of a client:

1. Open the Transparent Encryption application.

2. Click Clients > Clients.

3. Click the overflow icon () corresponding to the desired client.

4. Click Refresh.

The client status on the Clients page is refreshed.

Unenrolling Clients

A registered CTE client can be unenrolled from the CipherTrust Data Security Platform Service. When the client is unenrolled (unregistered), the communication between the CTE Agent and the CipherTrust Data Security Platform Service is removed. The CTE Agent can no longer communicate with the CipherTrust Data Security Platform Service. However, the CipherTrust Data Security Platform Service still maintains the client configuration to allow re-registration.

Important Notes

• A CTE client with Active LDT GuardPoints cannot be unenrolled (unregistered).

• After unenrolling, the client's GuardPoints will still be displayed on the CipherTrust Data Security Platform Service. However, their status will be displayed as Unknown.

• The status of the client capabilities, for example, LDT, will not change on the CipherTrust Data Security Platform Service. They will be displayed the same as they were before unenrolling the client.

• The associated client under the Client-Management section of the API playground is deleted after unenrolling. If the client is not deleted automatically, you can delete it manually.

• The status of the unenrolled client will be displayed as Unregistered on the CipherTrust Data Security Platform Service.

To unenroll a client from the CipherTrust Data Security Platform Service:

1. Open the Transparent Encryption application.

2. Click Clients > Clients.

3. Click the overflow icon () corresponding to the desired client.

4. Click UnEnroll. A dialog box appears prompting to confirm the action.

   An unenrolled client requires re-registration to enroll with the CipherTrust Data Security Platform Service again.

5. Click UnEnroll.

The selected client is unenrolled from the CipherTrust Data Security Platform Service. It status on the CipherTrust Data Security Platform Service becomes Unregistered.

Reregistering Clients

An unenrolled client requires reregistration to enroll with the CipherTrust Data Security Platform Service again.

When you try to reregister a client, you must enable the same set of capabilities that were enabled on the client before reregistration. Also, specify name of at least one client group (if the client was associated with any groups). Refer to Reregistering CTE Clients for details.

Deleting Clients

A CTE client can be deleted when it is no longer required to be associated with the CipherTrust Data Security Platform Service.

Clients with the Healthy, Unregistered, Warning, and Error states can be deleted from the CipherTrust Data Security Platform Service.

After you initiate the client deletion operation, the operation:

1. Waits for confirmation from the CTE Agent before deleting anything from the CipherTrust Data Security Platform Service.

2. Changes the client status to Expunged on the CipherTrust Data Security Platform Service.

3. After receiving confirmation from the Agent:

   • Deletes all entries, capabilities, and GuardPoints associated with the client.

   • Removes the client record from the CipherTrust Data Security Platform Service.

   However, in some cases, due to network issues or any other reasons, the CipherTrust Data Security Platform Service does not receive confirmation from the CTE Agent. In such cases, the client configurations cannot be deleted from the CipherTrust Data Security Platform Service and the client remains stuck at the Expunged state. Such clients need to be deleted manually. Refer to Deleting Expunged Clients Manually for details.

4. Deletes the associated client from the Client-Management section of the API playground.

Before proceeding with client deletion, read and understand the additional information provided on client deletion, Agent uninstallation, clients with System and Agent locks, and deletion indicators in Deleting Clients.

The CipherTrust Data Security Platform Service provides options to delete individual clients or multiple clients in one go. To delete the client from the CipherTrust Data Security Platform Service GUI.

1. Open the Transparent Encryption application.

2. Click Clients > Clients.

3. Click the desired tab to view the instructions.

   Individual Clients

   1. Under Client Name, click the overflow icon () corresponding to the client you want to delete.

   2. Click Delete. A dialog box appears prompting to confirm the action.

   3. Click Delete.

   The selected client is deleted and its entry is removed from the Clients page after the CipherTrust Data Security Platform Service receives confirmation from the CTE Agents.

   Multiple Clients

   A maximum of 200 clients can be deleted at once.

   1. Select the desired clients.

      To select all clients visible on the page, select the top check box to the left of the Status heading.

   2. Click the delete icon (). A dialog box appears prompting to confirm the action.

   3. Click Delete.

   The selected clients are deleted and their entries are removed from the Clients page after the CipherTrust Data Security Platform Service receives confirmation from the CTE Agents.

Refer to Deleting Expunged Clients Manually for details on deleting Expunged clients.

Deleting Expunged Clients Manually

If due to any reasons, the CipherTrust Data Security Platform Service does not receive the deletion confirmation from the CTE Agent, the client remains stuck in the Expunged state. The client cannot be deleted automatically from the CipherTrust Data Security Platform Service.

To manually delete an Expunged client and its configurations from the CipherTrust Data Security Platform Service, run the /v1/transparent-encryption/clients/{id}/delete API with the force delete option ("force_del_client").

When running the API, set "force_del_client": true. Refer to the API playground documentation for details.