Installation Workflow
In order to install and configure CTE, you need to perform the following high-level tasks:
- If you want to include the CTE Agent software with the AIX distribution files, see AIX Package Installation.
- If you want to install the CTE Agent without registering with a key manager, see Installing CTE with No Key Manager Registration. However, you cannot protect any data on the host until it has been registered; see Configuring CTE for AIX with CipherTrust Manager.
- Create your policies, encryption keys, and GuardPoints using the selected key manager. For details, see Guarding a Device with CipherTrust Manager.
Additional Considerations
The following sections describe some of the things to keep in mind when configuring CTE.
Port Selection
The following port information applies to both Windows and Linux systems.
Communication through a Firewall
If a protected client must communicate with CipherTrust Manager through a firewall, see the CipherTrust Manager documentation to determine which of the ports must be opened through the firewall.
Communication with CipherTrust Manager
The default port for communication between the CTE Agent and CipherTrust Manager is 443 (HTTPS, that is, TLS). If this port is already in use, you can set a different port number during the CTE Agent installation.
Communication for LDT over CIFS/NFS
All nodes that intend to use an LDT over CIFS/NFS GuardPoint must have the following ports open:
- 7024
- 7025
Note
When you register a CipherTrust Transparent Encryption client with CipherTrust Manager, you can include a destination port number (default: 443) by using the syntax <hostname or IP address>:<port number>. If you specify a port, CipherTrust Transparent Encryption does not perform a port scan; it uses the port you provided and verifies the target server type with a TLS operation. If you do not specify a port, CipherTrust Transparent Encryption scans to find which ports are listening, including port 443.
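As an added example (not part of this page and not Thales code), the following Python script runs the reachability checks a client should pass before registration: it parses the <hostname or IP address>:<port number> target with the 443 default, confirms that the CipherTrust Manager port answers and speaks TLS (the same kind of check CTE makes when a port is given explicitly), and confirms ports 7024 and 7025 on each node that shares an LDT over CIFS/NFS GuardPoint. The function names, the placeholder hostnames, and the assumption that the LDT ports are probed node-to-node are the example's own.

```python
import socket
import ssl
from typing import Dict, Optional, Tuple

# Port facts are taken from the page; everything else here is an added example.
DEFAULT_CM_PORT = 443                 # default CTE Agent <-> CipherTrust Manager port
LDT_CIFS_NFS_PORTS = (7024, 7025)     # required on every node using LDT over CIFS/NFS


def parse_target(target: str, default_port: int = DEFAULT_CM_PORT) -> Tuple[str, int]:
    """Split a registration target given as '<hostname or IP address>:<port number>'.

    A bare hostname or IPv4 address gets the default port, mirroring the
    registration behaviour described above. IPv6 literals are not handled.
    """
    target = target.strip()
    host, sep, port = target.rpartition(":")
    if not sep:
        if not target:
            raise ValueError("empty registration target")
        return target, default_port
    if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid registration target: {target!r}")
    return host, int(port)


def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_probe(host: str, port: int, timeout: float = 3.0) -> Optional[str]:
    """Complete a TLS handshake and return the negotiated protocol version, or None.

    Verification is switched off on purpose: like the check CTE makes when a port is
    given explicitly, this only confirms that the listener speaks TLS. It does not
    authenticate the server; trust in CipherTrust Manager is established at registration.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (OSError, ssl.SSLError):
        return None


def preflight(cm_target: str, ldt_peers: Tuple[str, ...] = (), timeout: float = 3.0) -> Dict[str, bool]:
    """Check every port this page says a client needs before registering.

    ldt_peers: other nodes sharing an LDT over CIFS/NFS GuardPoint (assumption: the
    7024/7025 ports are reached node-to-node, so each peer is probed).
    """
    host, port = parse_target(cm_target)
    results = {f"cm {host}:{port}/tcp reachable": port_open(host, port, timeout)}
    results[f"cm {host}:{port} speaks TLS"] = tls_probe(host, port, timeout) is not None
    for peer in ldt_peers:
        for p in LDT_CIFS_NFS_PORTS:
            results[f"ldt peer {peer}:{p}/tcp reachable"] = port_open(peer, p, timeout)
    return results


if __name__ == "__main__":
    import sys
    # Usage: python cte_preflight.py cm.example.com[:port] [ldt-peer ...]  (hostnames are placeholders)
    target, peers = sys.argv[1], tuple(sys.argv[2:])
    outcome = preflight(target, peers)
    for check, ok in outcome.items():
        print(f"{'OK  ' if ok else 'FAIL'} {check}")
    sys.exit(0 if all(outcome.values()) else 1)
```

The TLS probe deliberately skips certificate verification, so treat a passing result as "the firewall path is open and something TLS-capable is listening", not as proof that you reached the right CipherTrust Manager; that assurance comes from the registration step itself.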
Tracking and Preventing Local User Creation
CTE audits any attempt to change the user authentication files. It can also prevent changes to those files through the host setting protect. This covers, but is not limited to, user creation, modification, and deletion, and the denial of users.
- The audit setting is on by default. It logs access to the system credential files but does not prevent account modifications.
- The protect setting both audits and prevents local user account modifications. You must enable protect manually to track and prevent local user account creation.
The protect tag prevents changes to the files listed below. Without the protect tag in the host/client settings, operations on these files are permitted. When a log entry is generated, it is tagged with an [audit] tag.
- /etc/passwd
- /etc/group
- /etc/ssh/sshd_config
- /etc/ssh/sshrc
The first time you use the protect host setting, you must restart CTE. Files tagged with the protect setting after that do not require a restart.
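Because the default audit setting only logs access and does not block it, a practitioner will want an independent way to see what actually changed in the four files above. The following Python script is an added example, not Thales code: it takes a baseline of each file (SHA-256, owner, mode, mtime) and, for the passwd file, the account names, and on a later run reports which files changed and which accounts were added or removed. File paths come from the page; the function names, the baseline file name and the sample passwd lines used in testing are constructed for this example.

```python
import hashlib
import json
import os
import stat
from typing import Dict, Iterable, Set

# The four files the page lists under the protect host setting.
PROTECTED_FILES = ("/etc/passwd", "/etc/group", "/etc/ssh/sshd_config", "/etc/ssh/sshrc")


def accounts_in_passwd(text: str) -> Set[str]:
    """Return the account names (first colon-separated field) from passwd-format text."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            names.add(line.split(":", 1)[0])
    return names


def snapshot(paths: Iterable[str]) -> Dict[str, dict]:
    """Record content hash, owner, mode and mtime for each path; absent files are noted too.

    For a file named passwd the account names are kept as well, so a later diff can name
    the accounts that were added or removed rather than only reporting a changed hash.
    """
    snap = {}
    for path in paths:
        try:
            st = os.stat(path)
            with open(path, "rb") as fh:
                data = fh.read()
        except FileNotFoundError:
            snap[path] = {"present": False}
            continue
        entry = {
            "present": True,
            "sha256": hashlib.sha256(data).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
            "gid": st.st_gid,
            "mtime_ns": st.st_mtime_ns,
        }
        if os.path.basename(path) == "passwd":
            entry["accounts"] = sorted(accounts_in_passwd(data.decode("utf-8", "replace")))
        snap[path] = entry
    return snap


def diff_snapshots(before: Dict[str, dict], after: Dict[str, dict]) -> Dict[str, dict]:
    """Return, per changed path, the attribute names that differ plus any added/removed accounts."""
    changes = {}
    for path in sorted(before.keys() | after.keys()):
        b = before.get(path, {"present": False})
        a = after.get(path, {"present": False})
        fields = sorted(k for k in b.keys() | a.keys() if b.get(k) != a.get(k))
        if not fields:
            continue
        entry = {"changed": fields}
        if "accounts" in fields:
            old, new = set(b.get("accounts", [])), set(a.get("accounts", []))
            entry["added_accounts"] = sorted(new - old)
            entry["removed_accounts"] = sorted(old - new)
        changes[path] = entry
    return changes


if __name__ == "__main__":
    import sys
    # First run writes the baseline; later runs print what changed since then.
    baseline = sys.argv[1] if len(sys.argv) > 1 else "cte-credential-baseline.json"
    current = snapshot(PROTECTED_FILES)
    if os.path.exists(baseline):
        with open(baseline) as fh:
            previous = json.load(fh)
        print(json.dumps(diff_snapshots(previous, current), indent=2))
    else:
        with open(baseline, "w") as fh:
            json.dump(current, fh, indent=2)
        print(f"baseline written to {baseline}")
```

Keep the baseline file somewhere the host's local users cannot write, otherwise an attacker who can add an account can also rewrite the record you compare against; with the protect setting enabled, a later run should report no changes at all, which is a quick way to confirm the setting took effect after the required restart.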
Restricted Mode
You can install CTE in restricted mode. This mode prevents any user other than root from accessing the following directories:
- /var/log/vormetric
- /opt/vormetric/DataSecurityExpert
If you install or upgrade in restricted mode, you cannot revert to unrestricted mode without uninstalling CTE.
Restricted Mode also prevents non-root users from running the following utilities:
- agenthealth
- agentinfo
- check_host
- register_host
- secfsd
- vmd
- vmsec
- voradmin
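After a restricted-mode installation it is worth confirming that the restriction is actually in place rather than assuming it from the installer flag. The following Python script is an added example, not Thales code: it checks that the two directories above are owned by root and carry no group or other permission bits, then searches the DataSecurityExpert tree for the listed utilities and applies the same test to each. The directory and utility names come from the page; the search-by-name approach (the page gives no utility paths), the strict reading that any group bit counts as exposure, and the expected_uid parameter (which lets the check run against a test copy of the tree) are the example's own assumptions.

```python
import os
import stat
from typing import Dict, Iterable, List, Optional

# Directories and utilities the page says restricted mode closes to non-root users.
RESTRICTED_DIRS = ("/var/log/vormetric", "/opt/vormetric/DataSecurityExpert")
RESTRICTED_UTILITIES = ("agenthealth", "agentinfo", "check_host", "register_host",
                        "secfsd", "vmd", "vmsec", "voradmin")


def reachable_by_non_root(st: os.stat_result, expected_uid: int = 0) -> bool:
    """True if the object is not owned by expected_uid or grants any group/other permission.

    This is a strict reading of 'any user other than root': a group bit would let members
    of that group in, so it counts as exposure too.
    """
    return st.st_uid != expected_uid or bool(stat.S_IMODE(st.st_mode) & 0o077)


def find_utilities(search_root: str, names: Iterable[str]) -> Dict[str, List[str]]:
    """Locate utilities by file name under search_root (the page gives no paths, so we search)."""
    hits = {n: [] for n in names}
    for dirpath, _dirs, files in os.walk(search_root):
        for f in files:
            if f in hits:
                hits[f].append(os.path.join(dirpath, f))
    return hits


def check_restricted(dirs=RESTRICTED_DIRS, utilities=RESTRICTED_UTILITIES,
                     search_root: Optional[str] = None, expected_uid: int = 0) -> Dict[str, List[str]]:
    """Report objects a non-root user could reach ('exposed') and names not found ('missing').

    search_root defaults to the last directory in dirs (assumption: the utilities live under
    the DataSecurityExpert tree). expected_uid exists so the check can be run against a copy
    of the tree owned by a test user; on a real host leave it at 0 (root).
    """
    exposed, missing = [], []
    for d in dirs:
        try:
            st = os.stat(d)
        except FileNotFoundError:
            missing.append(d)
            continue
        if reachable_by_non_root(st, expected_uid):
            exposed.append(f"{d}: mode {oct(stat.S_IMODE(st.st_mode))} uid {st.st_uid}")
    root = search_root or dirs[-1]
    for name, paths in find_utilities(root, utilities).items():
        if not paths:
            missing.append(name)
        for p in paths:
            st = os.stat(p)
            if reachable_by_non_root(st, expected_uid):
                exposed.append(f"{p}: mode {oct(stat.S_IMODE(st.st_mode))} uid {st.st_uid}")
    return {"exposed": exposed, "missing": missing}


if __name__ == "__main__":
    import sys
    report = check_restricted()
    for line in report["exposed"]:
        print("EXPOSED", line)
    for name in report["missing"]:
        print("MISSING", name)
    sys.exit(1 if report["exposed"] else 0)
```

Run it as root: the walk has to read the restricted tree, and a non-root run would silently skip directories it cannot enter and report the utilities as missing. A utility listed as missing is not by itself a problem (it may live outside the searched tree); an exposed entry is.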
Key Agents and Restricted Mode
- On systems where CTE is installed in restricted mode, you cannot install a key agent (pkcs11) or CipherTrust TDE Key Management.
- On systems where a key agent (pkcs11) or CipherTrust TDE is already installed, you cannot install CTE in restricted mode.
Restricted Mode Installation
To install in restricted mode, run the installer with the -r option:
./vee-fs-<release>-<build>-<system>.bin -r
For example:
./vee-fs-7.2.0-56-aix71.bin -r
Upgrade in Restricted Mode
An upgrade runs in the same mode as the existing installation: a restricted-mode installation is upgraded in restricted mode. You cannot return to unrestricted mode without uninstalling CTE.