Administration
CipherTrust Manager Administration
- Authentication
  - Users
  - Authentication Tokens
  - Client Management
  - Authenticating to the REST API
- Key Policies
- Changing Passwords
- Groups
- Quorums
- Scheduler
- Connection Manager
  - Connections
  - Amazon Web Services (AWS)
  - Google Cloud Platform (GCP)
  - Microsoft Azure
  - Salesforce
  - SAP Data Custodian
  - CIFS/SMB
  - Oracle Cloud Infrastructure (OCI)
  - OIDC
- CLI Toolkit
  - CLI Toolkit Installation
  - Batching Commands with Tokens
  - Example CLI User Set Up
  - Support CLI
- Keys
- Key Rotation
- Crypto Operations
CCKM Administration
- Overview
- AWS Resources
  - Managing AWS Accounts
  - Managing AWS Keys
  - Scheduling Operations
  - Managing AWS Reports
  - Managing Policies
  - Managing AWS Templates
  - Migrating to IAM Roles Anywhere Connections
  - Downloading AWS Metadata
- Azure Resources
  - Prerequisites
    - Prerequisites for Azure Cloud
    - Prerequisites for Azure Stack Cloud with Azure AD
    - Prerequisites for Azure Stack Cloud with Azure ADFS
  - Managing Azure Vaults
  - Managing Azure Keys
  - Managing Azure Certificates
  - Managing Azure Secrets
  - Scheduling Operations
  - Managing Azure Reports
  - Viewing Azure Subscriptions
  - Downloading Azure Metadata
- AWS External Key Store Resources
  - Managing External Key Store Resources
- AWS CloudHSM Key Store Resources
  - Managing an AWS CloudHSM Key Store from CCKM
- Google Cloud Resources
  - Google Cloud Projects
  - Google Cloud Key Rings
  - Google Cloud Keys
  - Google Cloud Reports
  - Scheduling Operations
  - Downloading Google Metadata
- Google Cloud External Key Manager Resources
  - Managing Google EKM Endpoints
  - Managing Google EKM Endpoint Policies
- Google Workspace CSE Resources
  - Access Policies
  - High Level Architecture
  - Prerequisites
  - Communication with KACLS
  - Encrypting Data Encryption Keys
  - Decrypting Data Encryption Keys
  - Endpoints
  - Identity Providers
- Microsoft Double Key Encryption (DKE) Resources
  - Managing DKE Endpoints
  - Managing DKE Authorized Tenants
- Salesforce Resources
  - Managing Salesforce Organizations
  - Managing Salesforce Tenant Secrets
  - Scheduling Operations
  - Managing Salesforce Reports
  - Managing Salesforce Cache-Only Key Endpoints
  - Managing Certificates from Salesforce Organizations
- SAP Resources
  - Managing SAP Groups
  - Managing SAP Keys
  - Scheduling Operations
  - Managing SAP Reports
  - Viewing Linked SAP Applications
  - Downloading SAP Metadata
- Oracle Cloud Resources
  - Managing Oracle Vaults
  - Managing Oracle Keys
  - Managing Oracle Tenancies
  - Scheduling Operations
  - Managing Oracle Reports
  - Managing Oracle Compartments
  - Downloading Oracle Metadata
- OCI External Resources
  - Managing Identity Providers
  - Managing External Vaults
  - Managing External Keys
- Key Material Export and Upload
CTE Administration
- Overview
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Enabling Live Data Transformation
  - Setting Client Locks
  - Client Settings
  - CTE Linux Authentication and Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Kernel Compatibility Matrix
  - Fetching Latest Capabilities from Clients
- Managing LDT Communication Groups
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
- Managing GuardPoints
  - Secure Start GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
    - Creating LDT GuardPoints
    - Creating Cloud Object Storage GuardPoints
    - Creating IDT GuardPoints
    - Creating Ransomware Protection GuardPoints
  - Enabling Secure Start for GuardPoints
  - Protecting Teradata Appliances
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Changing SMB Connection
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
  - Enabling and Disabling MFA on GuardPoints
- Multifactor Authentication
- Integrating CTE Logging with Splunk
- Permissions
- Quorum Control
- Ransomware Protection
- Unique to Client Keys
- Operations
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- API Examples
  - Creating Keys
  - Creating Policy Elements
  - Creating Policies
  - LDT Use Cases
  - Creating GuardPoints
- API Response Codes

Troubleshooting

This section describes how to handle the issues that you might face when using CTE with the CipherTrust Data Security Platform Service.

Connection Issues

Symptoms	Possible Cause and Remediation
• Client status is Error • Configuration changes are not pushed to the client • Requests like Browse file system are failing	Analyze the CTE logs, identify connection failure reasons, and rectify them: 1. Look for the issues in the `/var/log/vormetric/server_comms.log` file on the CTE agent. This file contains information about the CipherTrust Data Security Platform Service's communication with the client. 2. Identify the cause of the issue. 3. Restart `vmd` to get the latest `init`.

Registration Issues

Symptoms Possible Cause and Remediation

Registration fails with conflict errors Conflict errors occur when a client with the given name already exists on the CipherTrust Data Security Platform Service. To fix these issues:
• Delete the existing client entry from the CipherTrust Data Security Platform Service.
• Unenroll the existing client if you want to register it with another CipherTrust Data Security Platform Service.
NOTE: A conflict error might occur even if no CTE client with the given name exists on the CipherTrust Data Security Platform Service. This happens because the client's entry, which was added during registration, is no longer associated with the CTE client due to any failure in enrollment. To resolve this issue:
1. Run the API /v1/transparent-encryption/clients/delete with the flag delete_stale_clients set to true. DON'T specify any other parameters when running the API. Alternatively, run the command ksctl cte clients bulk-delete --delete-stale-clients true on the CLI. This cleans up the stale client entries.
2. Retry registration with the same name.

Reregistration fails with capabilities related errors Capabilities cannot be disabled during reregistration with the CipherTrust Data Security Platform Service. To disable the CTE Agent capabilities, delete the client from the CipherTrust Data Security Platform Service and register again with these capabilities disabled.

Symptoms	Possible Cause and Remediation
Registration fails with conflict errors	Conflict errors occur when a client with the given name already exists on the CipherTrust Data Security Platform Service. To fix these issues: • Delete the existing client entry from the CipherTrust Data Security Platform Service. • Unenroll the existing client if you want to register it with another CipherTrust Data Security Platform Service. NOTE: A conflict error might occur even if no CTE client with the given name exists on the CipherTrust Data Security Platform Service. This happens because the client's entry, which was added during registration, is no longer associated with the CTE client due to any failure in enrollment. To resolve this issue: 1. Run the API `/v1/transparent-encryption/clients/delete` with the flag `delete_stale_clients` set to `true`. DON'T specify any other parameters when running the API. Alternatively, run the command `ksctl cte clients bulk-delete --delete-stale-clients true` on the CLI. This cleans up the stale client entries. 2. Retry registration with the same name.
Reregistration fails with capabilities related errors	Capabilities cannot be disabled during reregistration with the CipherTrust Data Security Platform Service. To disable the CTE Agent capabilities, delete the client from the CipherTrust Data Security Platform Service and register again with these capabilities disabled.

Configuration Issues

Symptoms	Possible Cause and Remediation
Mismatched log levels between the CipherTrust Data Security Platform Service configuration and client logs	Try these: • Check the configuration in the linked profile on the CipherTrust Data Security Platform Service. • Validate the vmd configuration on the CTE client by running: `vmsec vmdconfig`

Suggest A Change

Troubleshooting

Connection Issues

Registration Issues

Configuration Issues

On this page