Please Note:

User Guides
CTE Agent Linux and Windows Quick Start Guide
- Installation Prerequisites
- Installing and Registering CTE
  - Installation and Registration on Linux
  - Installation on Windows
  - Registration with Windows
- Guarding a Device with CipherTrust Manager
  - Access the CipherTrust Manager Domain
  - Create an Encryption Key
  - Create a Standard Policy
  - Create a GuardPoint
- Using and Renewing Certificates
- Protecting Data with CTE
- Ransomware Protection
CTE Agent Linux Advanced Configuration Guide
- Overview of CTE
- Getting Started with CTE for Linux
  - Additional Considerations
  - CTE Agent Installation with UEFI Secure Boot
  - Linux Package Installation for Linux Distributions
    - Linux Package Installation for RHEL
    - Linux Package Installation for SLES
    - Linux Package Installation for Ubuntu
  - Verifying Kernel Compatibility
  - Installing CTE with No Key Manager Registration
  - Configuring CTE for Linux with CipherTrust Manager
    - Installation Prerequisites
    - Interactive Installation on Linux
    - Silent Installation for CTE or CTE-U on Linux
    - Validating CM and CTE with a Local CA Certificate
    - Using external certificates for communication between CTE Agent and CipherTrust Manager
    - Installation and Registration Options
    - Guarding a Device with CipherTrust Manager
  - Ransomware Protection
    - Ransomware Protection Overview
    - Creating GuardPoints for Ransomware Protection
  - Multifactor Authentication for CTE GuardPoints
    - Introduction to Multifactor Authentication
    - Using Keycloak for Multifactor Authentication for CTE GuardPoints
    - Exempting some users from authentication with a Whitelist
    - Setting up Multifactor Authentication with a One-Time-Password
    - Setting up Multifactor Authentication with a Time Out
    - Administrator Tasks for Multifactor Authentication
    - Troubleshooting Multifactor Authentication
- Special Cases for CTE Policies
  - Re-Enabling Automatic Signing for Host Settings
  - Restricting Access Overrides from Unauthorized Identities
  - Blocking ptrace system calls to prevent process injection attacks
- Logging
  - Setting CTE Agent Logging Preferences
  - Audit Logs
  - Concise Logging
- Enhanced Encryption Mode
  - Compatibility
  - Disk Space
  - Encryption Migration
  - File Systems Compatibility
  - Container Compatibility
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - Exceptions and Caveats
  - Best Practices for AES-CBC-CS1 Keys and Host Groups
- CTE and systemd
  - Overview of CTE and systemd
  - CTE Agent Control Changes on systemd
  - CTE Configuration Changes Required on systemd
    - About systemd Dependency Changes for Unit Configuration Files
    - Location of Application Unit Configuration Files
    - Adding Dependencies to systemd Unit Configuration Files
    - Adding Applications to the secfs-fs-barrier.service File
    - Drop-in Files for systemd
    - Adding Dependencies to the `saslauthd.service` File
  - SystemD Protection
  - Manually Stopping Application or Service
- Utilities for CTE Management
  - Agent Health Utility
  - agentinfo Utility (Java version)
  - Backup Utility
  - check_host Utility
  - Displaying Information for Nested File Systems with the DF tool
  - fsfreeze and xfs_freeze
  - Protecting Files with Client Settings
  - Restricting Access Overrides with Client Settings
  - register_host Utility
  - secfsd Utility
    - secfsd Examples
    - Secfsd Raw and Block Devices
  - Using Advanced Encryption Set New Instructions (AES-NI)
  - User Cache Lookup Improvements
  - vmutil
  - vmd utility
  - vmsec Utility
- CipherTrust in-Place Data Transformation for Linux
  - Introduction to in-Place Data Transformation (IDT)
  - Requirements for IDT-Capable GuardPoints
  - The CTE Private Region and IDT Device Header
  - IDT-Capable GuardPoint Encryption Keys
  - Guarding an IDT-Capable Device on Linux
    - Initializing an IDT-Capable Device
    - Guard the Linux Device with an IDT-Capable GuardPoint
    - Example of Creating an IDT-Capable GuardPoint on an Existing Linux Device
  - Changing the Encryption Key on Linux IDT-Capable Devices
  - Guarding an IDT-Capable Device with Multiple IO Paths on Linux
  - Linux System and IDT-Capable GuardPoint Administration
  - Resizing Guarded IDT Devices
    - Resizing Guarded IDT Devices
  - Alerts and Errors on Linux
- Upgrading CTE on Linux
- Uninstalling CTE from Linux
- Migrating Agents from CTE-U to CTE
CTE Agent Windows Advanced Configuration Guide
- Overview of CTE
- Getting Started with CTE for Windows
  - Installation Workflow
  - Installing CTE with No Key Manager Registration
  - Configuring CTE for Windows with CipherTrust Manager
    - Interactive Installation on Windows
    - Silent Installation on Windows
    - Validating CM and CTE with a Local CA Certificate
    - Using external certificates for communication between CTE Agent and CipherTrust Manager
    - Registering CTE After Installation is Complete
    - Setting the CM log for Ransomware Protection
    - Guarding a Device with CipherTrust Manager
    - Installation Prerequisites
  - Multifactor Authentication for CTE GuardPoints
    - Introduction to Multifactor Authentication
    - Compatible MFA Providers
    - Use Cases for MFA on CTE
    - Exempting some users or processes from authentication with a Whitelist
    - Remote Authentication for Multifactor Authentication
    - Administrator Tasks for Multifactor Authentication
    - Troubleshooting Multifactor Authentication
  - Choosing a Login Name Type
  - Ransomware Protection
    - Ransomware Protection Overview
    - Creating GuardPoints for Ransomware Protection
  - Guarding Data on CIFS Servers and Clients
- Special Cases for CTE Policies
- Enhanced Encryption Mode
  - Compatibility
  - Disk Space
  - Encryption Migration
  - File Systems Compatibility
  - FileTable Support on Windows
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - Exceptions and Caveats
  - Best Practices for AES-CBC-CS1 Keys and Host Groups
- Utilities for CTE Management
  - Agent Health Return Codes
  - agentinfo Utility
  - Backup Utility
  - voradmin secfs Commands
  - vmsec Utility
  - vmutil
- Upgrading CTE on Windows
  - Silent Upgrade
  - CTE Scheduled Upgrade
  - Workaround for MSI CTE Typical, Silent, and Scheduled Upgrades
- Uninstalling CTE from Windows
- Troubleshooting and Best Practices
CTE Agent AIX User and Configuration Guide
- Overview
- Getting Started with CTE for AIX
  - Installation Workflow
  - AIX Package Installation
  - Installing CTE with No Key Manager Registration
  - Configuring CTE for AIX with CipherTrust Manager
    - Installation and Registration Options
    - Installation Prerequisites
    - Interactive Installation on AIX
    - Validating CM and CTE with a Local CA Certificate
    - Using external certificates for communication between CTE Agent and CipherTrust Manager
    - Silent Installation on AIX
    - Guarding a Device with CTE and CipherTrust Manager
- Special Cases for CTE Policies
  - Re-Enabling Automatic Signing for Host Settings
  - Restricting Access Overrides from Unauthorized Identities
  - Backing up DB2 Databases after Encryption
  - Blocking ptrace system calls to prevent process injection attacks
- Logs
  - Setting CTE Agent Logging Preferences
  - Audit Logs
  - Analyzing Audit log entries
  - File System Audit Log Effects Codes
  - Concise Logging
- Enhanced Encryption Mode
  - Compatibility
  - Disk Space
  - Encryption Migration
  - File Systems Compatibility
  - Using the AES-CBC-CS1 Encryption Mode in CM
  - Exceptions and Caveats
- Utilities for CTE Management
  - Agent Health Utility
  - agentinfo Utility (Java version)
  - Backup Utility
  - check_host Utility
  - Displaying Information for Nested File Systems with the DF tool
  - Protecting Files with Client Settings
  - Restricting Access Overrides with Client Settings
  - register_host Utility
  - secfsd Utility
    - secfsd Examples
    - secfsd and Raw Devices
  - Using Client Settings with Shell Scripts
  - vmsec Utility
    - vmsec Examples
    - Configuring Dynamic Host Settings for AIX
  - vmutil
  - vmd utility
- Upgrading CTE on AIX
- Uninstalling CTE from AIX
CTE Agent Data Transformation
- Data Transformation Overview
  - The Data Transformation Process
  - CTE Terminology
  - CTE Components
  - CTE Policies
  - Considerations with Bulk Data Transformation
  - Data Transformation Techniques
    - Copy and Restore Transformation Method
    - The CTE dataxform Utility Transformation Method
  - CTE Protection Policies
  - Overview of the dataxform Utility
    - Multithreading in the dataxform Utility
    - dataxform Space Requirements
    - dataxform Execution Time
    - dataxform and Sparse Files
    - dataxform and Linked Files
  - Automatic Data Transformation
  - Best Practices When Using dataxform
  - Summary
- Initial Data Encryption
  - Data Encryption Overview
  - Using the Copy or Restore Encryption Method on File Systems
  - Using the Copy or Restore Encryption Method on Block Devices
  - Using dataxform to Encrypt Your Data with CipherTrust Manager
- Rekeying
  - Rekeying Overview
  - Rekeying with dataxform
  - Rekeying Using the Manual Copy Method
- Appendix A: DataXform Reference
  - Common Dataxform Examples
    - Verifying that a Guarded Directory Can be Rekeyed with Data Transformation
    - Estimating the Data Transformation Runtime Period
    - Manually Running Data Transformation on Specific Files
    - Running Automatic Data Transformation
  - Cleaning Up a Previous dataxform Session
  - Checking for Hard-Link Files Inside the GuardPoint with dataxform
  - Monitoring Data Transformation
    - Data Transformation Logs
    - Using the Message Log Window
    - Using vordxf Files
    - Using dataxform_status Files
    - Using dataxform_auto_config
    - Using dataxform_auto_lock
  - Recovering a Failed or Incomplete dataxform Session
  - Automatic and Manual GuardPoints
  - Data Transformation Examples and Full Command Syntax
    - Data Transformation Command Syntax Examples
    - Data Transformation Command Parameters
  - Unencrypting Data
CTE Agent Live Data Transformation
- Introduction to LDT
  - Overview of LDT
  - Keys in LDT (Versioned Keys)
  - LDT Policies
  - LDT Runtime Flow
  - LDT Administrator Roles
  - Resiliency
- Getting Started
  - Using LDT
  - Backup/Restore
  - Restrictions
- Installing LDT
  - System Requirements
  - Installing the LDT License
  - Installing and Registering the CTE Agent Software on Linux
  - Installing and Registering the CTE Agent Software on Windows
  - Setting the Linux Kernel Time Zone
  - Enabling LDT on a Protected Host
- Using LDT
  - Creating and Viewing Versioned Keys
  - Creating LDT Policies
  - Quality of Service
    - How to Set QoS
    - QoS Best Practices
  - Creating an LDT GuardPoint
  - Rotating Encryption Keys (Rekey)
    - Manual Key Rotation
    - Creating a Key Rotation Schedule
    - Checking the Rekey Status
    - Obtaining Information About Keys Applied to Files
    - Showing GuardPoints During Rekey (Linux)
    - Suspending and Resuming Rekey and/or Scan Phase
    - Automatic Suspend and Resume of LDT Operations Due to Insufficient Disk Space
    - Rotating Encryption Keys While a Rekey is in Progress (Relaunch)
  - File System Operations
    - Renaming Files and Directories
    - Deleting a File
    - File Handling (Windows Only)
    - Enabling GuardPoints in Read-Only mounted file systems (Linux)
    - Copying Files Into a GuardPoint
    - Behavior of Hard Links Inside and Outside of GuardPoints (Windows)
  - Excluding Files or Directories from Rekey
    - About the Exclusion Attribute for Files Matching an Exclusion Key Rule
    - Requirements for Exclusion Key Rules
    - Usage Notes and Limitations for Configuring Exclusion Key Rules
    - Examples of Exclusion Key Rules
    - Listing All Files Included in an Exclusion Key Rule (Linux)
    - Listing All Files Included in an Exclusion Key Rule (Windows)
    - Dynamic Resource Sets
  - Using LDT with SAP HANA Fibre Channel Systems (Linux Only)
- LDT Administration
  - LDT Metadata in Extended Attributes
    - Listing Extended Attributes
    - MDS File (Linux)
    - Planning for LDT Attribute Storage
    - Using voradmin To Estimate Disk Space Required for LDT
    - Displaying Metadata
    - Verifying Metadata (Windows only)
  - DFS(R) and Replication (Windows)
  - Backing Up and Restoring LDT GuardPoints
    - Clear Text Backup and Restore
    - Encrypted Backup and Restore
    - LDT Policy for Encrypted Backup and Restore
    - Backup/Restore of Metadata Store File in GuardPoints Undergoing Rekey
    - Restore an Encrypted Backup
    - Restoring Non-LDT Backup Data to an LDT GuardPoint
    - Using fsfreeze (Linux only)
    - LDT Backups Using a File System or Storage-Level Snapshot Tool
    - Windows Backup and Snapshots
    - LDT Backup and Restore Troubleshooting
  - LDT Command-Line Administration: voradmin command
  - Migrating a GuardPoint to a Different LDT Policy
  - Removing LDT and Security Encryption
    - Migrating a GuardPoint Out of LDT
    - Deleting LDT Metadata (Linux)
    - Deleting LDT Metadata (Windows)
    - Removing LDT from a Host
  - Uninstalling the Agent while LDT is Rekeying GuardPoints
  - Detecting Loss of NAS connection to an LDT GuardPoint Group
- Using LDT with CIFS/NFS shares
  - Introduction to LDT over CIFS
  - LDT over CIFS/NFS High-Level Overview
  - LDT Communication Groups and LDT GuardPoint Groups
    - Designation of Primary role and Primary Set in an LDT GuardPoint Group
    - Responsibilities of the Primary host
    - Failover for the LDT Communication Group Master and the LDT GuardPoint Group
    - LDT GuardPoint Group Commands
  - Sharing LDT NFS/CIFS GuardPoints between Linux and Windows
  - Limitations
  - Prerequisites
    - Supported Versions
  - Administrating LDT over CIFS/NFS with CipherTrust Manager
    - Adding a CIFS Connector for CipherTrust Manager
    - LDT AccessOnly nodes
    - Policy and GuardPoint Management
    - Key Rotation Commitment
    - LDT Metadata Management Over NFS/CIFS Shares
    - Backup and Restore LDT on NFS GuardPoints
  - Upgrading CTE agent in an LDT Communication Group
    - Upgrading the LDT Agents in an LDT Communication Group from 7.2.0 to 7.3.0
    - New Terminology
    - Upgrading CTE agents in an LDT Communication Group from 7.4.0 to 7.5.0 and post 7.5.0
  - Quality of Service
  - Alerts
  - Troubleshooting
- Troubleshooting LDT
  - Monitoring and Statistics
    - Obtaining Statistics with GuardPoint Status
    - Obtaining LDT Statistics at the Command Line
    - Obtaining a Rekey Report
    - Monitoring Ongoing LDT Operations at the Command Line (Windows only)
  - Protecting LDT GuardPoints against Failure in Underlying File Systems (Linux)
    - Recovery Alerts
  - Alerts Playbook
    - Failure to Enable GuardPoints
    - Failure to Suspend or Resume LDT Operation
    - Insufficient Resources
    - Failed to Update LDT Attribute
    - Rekey Stopped
    - Incomplete Key Rotation
    - Skipped Key Rotation
    - Failed to Update LDT Metadata During Scan Phase
    - File system inconsistencies after system crash
  - Error Messages
  - Warning and Info Messages
  - Recommendations and Considerations
    - All Platform Recommendations and Considerations
    - Windows Recommendations and Considerations
CTE Terminology

Detecting Loss of NAS connection to an LDT GuardPoint Group

This section describes the LDT over NFS mechanism for detection of loss of a NAS (Network attached storage) connection to an LDT over NFS GuardPoint on all members of the LDT GuardPoint Group. LDT over NFS monitors LDT operations on NAS servers for detection of loss of NFS connection and implements steps to recover from loss of NAS access. This section describes the procedures and considerations for recovering an LDT over NFS GuardPoint from loss of NAS connection on a member of LDT GuardPoint Group.

Brief Overview of LDT Rekey Operations

Rekey operations within LDT GuardPoint Groups are executed on the primary host in coordination with other members of the LDT GuardPoint Group. Coordination includes interlocking access to files by applications and rekey operations. It also includes the primary host updating persistent LDT metadata on behalf of the application file or IO operations on any member of the LDT GuardPoint Group. Such active coordination is critical to the correct operations of LDT over NFS. Loss of NAS connection on any of the members in LDT GuardPoint Group disrupts the coordination between primary and other members. LDT manages loss of the NAS access on all members of the LDT GuardPoint Group to ensure data and metadata correctness with minimal impact to production workloads.

This section describes the LDT over NFS mechanism for detection of loss of NAS connection to an LDT over NFS GuardPoint on a member (primary/secondary) host of the group and also describes the procedures and considerations for recovering an LDT over NFS GuardPoint from the loss of NAS connection on a member host of the group.

Effects of loss of NAS connection on a GuardPoint

Loss of NAS connection on any member of an LDT GuardPoint Group, including primary hosts, will have negative effects on active LDT operations on the target NAS, and across the entire LDT GuardPoint Group and applications accessing files inside the affected GuardPoints. Regardless of the LDT status (active or suspended), connection loss of one member ripples through all of the LDT GuardPoint Group members. The following scenarios can occur during loss of NAS access while LDT operations are in active or suspended state:

Application file operations (read/write, truncate, rename, etc.) on files undergoing rekey can be blocked and consequently affect subsequent LDT operations on the same files. Rekey operations will be delayed, or even not started, as the result of pending file IO operations by applications.
Pending LDT rekey IO operations will not complete and consequently, block or prevent, subsequent rekey operations from starting as well as block applications attempting to access such files.
Rotation of a key will block launching rekey on the affected GuardPoints.

LDT over NFS I/O monitoring system to detect loss of NAS connection

To avoid the ripple effect of loss of NAS connection across entire LDT GuardPoint Groups, LDT monitors LDT level operations that access LDT metadata, such as MDS and LDT rekey attributes, and reads/modifies cipher-text data inside files undergoing rekey. LDT monitors progress on LDT operations in-progress. If an operation fails to complete within 30 seconds, LDT declares the pending operation incomplete and takes action to recover from the operation.

LDT over NFS Monitoring Control Thread

LDT starts a special control thread on every CTE host to monitor LDT operations for potential timeouts due to NAS connection loss. The monitoring begins when the first LDT over NFS protected GuardPoint is enabled. This thread monitors LDT operations on all LDT protected GuardPoints on the CTE host.

The LDT over NFS IO monitoring system monitors only LDT level operations. The control thread does not monitor application file operations on the files in the same GuardPoints that LDT over NFS monitoring thread is monitoring. If an application file operation hangs due to loss of NAS connection, the LDT over NFS monitoring control thread will detect it when the LDT operation starts and then timeouts on the same file.

Managing loss of NAS connection to a GuardPoint on the PRIMARY host

LDT takes action to recover from the loss of the NAS connection for LDT GuardPoint Group with multiple CTE clients as members of those groups. The action depends on whether the loss of the connection is detected on the primary host, or other members of the LDT GuardPoint Group. LDT takes no action to recover the LDT GuardPoint Group consisting of one member, a single node. The member of such a group is the LDT primary host for the GuardPoint, and LDT operations are blocked in the event of loss of a NAS connection with those operations resuming after the NAS connection is restored. The recovery action for Groups multiple clients depends on the type of loss.

Managing Primary host losing NAS connection to a GuardPoint - Primary Demotion

As soon as the monitoring thread detects the loss of the NAS connection to a GuardPoint on the primary host, the control thread initiates Primary Self-Demotion to demote the primary host from the primary role and responsibility for the GuardPoint. In this scenario, LDT on the primary host will start the demotion process for the affected GuardPoint in order to elect another member of LDT GuardPoint Group for the primary role. Election of another member triggers the failover process of LDT operations from the demoted primary host to the newly elected primary host. The election and the failover process is transparent and enables LDT to continue rekey operations using the newly elected primary host for all healthy members of the LDT GuardPoint Group.

The detection and recovery action resumes LDT operations and is fully transparent. It does not involve administrator intervention except when finishing rekey operations that were in progress on the demoted primary host when the loss of the NAS connection was detected. From the perspective of the newly promoted primary host, those files are in LDT INCOMPLETE status and resuming rekey on LDT INCOMPLETE files requires administrator intervention.

When the failover from primary role occurs, the newly elected primary host identifies the files undergoing rekey and marks those files as LDT INCOMPLETE status. At this stage, the self-demoted primary host remains in the LDT GuardPoint Group as an active member but without access to the NAS server. Due to the loss of the NAS access, LDT on the self-demoted primary host blocks all new user attempts to access files in the GuardPoint. It then continues to participate in the transformation of the remaining files in the GuardPoint with the newly elected primary host.

Rekey Completion on GuardPoint with INCOMPLETE Files

Although the newly-elected primary host resumes rekey and transforms the remaining files in the GuardPoint, it does not resume transformation on INCOMPLETE files until the self-demoted primary host has been recovered through the manual administrator intervention. Files in INCOMPLETE rekey status are the last files in the GuardPoint after administrator intervention.

Recovering self-demoted primary host

The self-demoted primary host can be recovered manually by shutting down the host with the host membership removed from the LDT GuardPoint Group. A successful shutdown process that halts the host automatically removes the host membership from the LDT GuardPoint Group. Therefore, it is critical for the self-demoted primary host to reach the halt state at the completion of the shutdown. However, the shutdown process may not reach the halt state due to pending IO operations as the result of the loss of NAS connection.

Shutdown failure on self-demoted primary host

If you are using LDT over NFS with GuardPoints across multiple NAS shares, and a primary node loses the connection with a NAS server but does not reach the halt state, then the other GuardPoints from the other NAS shares, that are also guarded on that self-demoted primary node, must be manually removed from the LDT GuardPoint Group for recovery.

When you must manually force the host to halt, this is referred to as an ungraceful failure. Remedy this issue from the newly promoted primary server:

Remove the self-demoted primary host from the GuardPoint. Type:
```
voradmin ldt group remove <hostname_of_self-demoted primary> <guardpoint_path>
```
Note
- When you run the voradmin ldt group remove command for other GuardPoints, from other NAS servers present on that node, and if the node is the primary for any of those GuardPoints, then primary failover is triggered.
Repeat the command on any other GuardPoints on other NAS servers that are guarded by the self-demoted primary host.
Run the recover command for the GuardPoints that were on the node that lost connection to the NAS server. Type:
```
# voradmin ldt demotion recover <guardpoint_pathname>
```

For more information, see the following two sections:

Self-demoted primary host reaches HALT state

If the shutdown process on the self-demoted primary does reach the halt state, then the self-demoted primary host has already been removed from LDT GuardPoint Group. Your next step in the recovery process depends on the status of NAS connection of the host.

If a loss of NAS connection persists, disable the GuardPoints on NAS servers that cannot be accessed on the self-demoted primary host:

Change the guard status of the GuardPoints configured for Auto Guard to remain disabled on the self-demoted primary host
Do not enable GuardPoints configured for Manual Guard if the self-demoted primary host has rebooted

You can then proceed with the following voradmin command to resume rekey operations on the files in INCOMPLETE status. This command must be executed on the newly elected primary host.

# voradmin ldt demotion recover <guardpoint_pathname>

If the loss of NAS connection has been resolved by the time the self-demoted primary host reboots, you can allow CTE start-up services to enable the GuardPoints configured for Auto-Guard on the host, or you can manually enable a GuardPoint configured for Manual Guard. After enabling the GuardPoints, you can perform the following command on the newly-elected primary host to resume rekey on files currently in INCOMPLETE status: use # voradmin ldt demotion recover

Upon completion of the recovery steps, the remaining files in INCOMPLETE status will be rekeyed and the GuardPoint itself will transition to rekeyed state.

Note

Self-demoted primary hosts must be rebooted after the promotion of a member to primary host.

Handling loss of the NAS connection to a GuardPoint on a non-PRIMARY host

In the event of a non-primary host losing NAS connection, the LDT over NFS IO monitoring thread on the non-primary host will detect the loss of the NAS connection and trigger self-isolation from LDT GuardPoint Group.

The outcome of self-isolation is that LDT on the non-primary host blocks all users’ access to the affected GuardPoint and begins acknowledging all LDT requests from the primary host. Effectively, it does not perform subsequent operations requested by the primary host, but it sends positive responses to the primary host so that the primary host can continue rekey operations.

Recovery steps for recovery from a self-isolated secondary host are the same as those for the recovery of a self-demoted primary host.

LDT sends the following alarms to CipherTrust Manager during primary host self-demotion, election of a new primary host after demotion, recovery of the self-demoted primary host, and recovery and transformation of the INCOMPLETE files on the new primary host:

[CGS3347i] LDT over NFS-ALERT: Primary host of GuardPoint [GuardPoint] demoting

LDT on the primary host sends this alarm to notify of the loss of the NAS connection on the primary host, for the specified GuardPoint, and the initiation of the self-demotion process.

[CGS3348i] LDT over NFS-ALERT: Primary host of GuardPoint [GuardPoint] demoted

LDT on the self-demoted primary host sends this alarm for the specified GuardPoint when the self-demotion process completes.

[CGS3349e] LDT over NFS-ALERT: Demotion of Primary host of GuardPoint [GuardPoint] failed, error [ErrorNumber]

LDT on the primary host sends this alarm if the self-demotion attempt fails for the specified GuardPoint. The error code included in the alarm indicates the reason for failure. Notify Thales Support in the event of this alarm.

[CGS3355i] LDT over NFS-ALERT: INCOMPLETE file. After DEMOTION, Admin intervention is required for full recovery, GuardPoint [GuardPoint] objID [InodeNumber] error [ErrorNumber]

LDT on the newly-elected primary host sends this alarm for each file detected in INCOMPLETE status.

[CGS3357i] LDT over NFS-ALERT: Manual recovery invoked to recover the DEMOTED GuardPoint[GuardPoint]

LDT sends this alarm from the newly-elected primary host when the administrator executes the voradmin command to begin the recovery process.

[CGS3358e] LDT over NFS-ALERT: DEMOTED GuardPoint recovered on the newly-elected primary host while the old primary host is still alive, objID [InodeNumber]

LDT sends this alarm from the self-demoted primary host before the recovery steps, if the self-demoted host receives a request for an LDT operation on a file in INCOMPLETE status from the newly-promoted host. This alarm indicates that the newly promoted host has begun recovery of files in INCOMPLETE status without first recovering the self-demoted primary host.

[CGS3354e] LDT over NFS-ALERT: Manual recovery failed on DEMOTED GuardPoint [GuardPoint] objID [InodeNumber] error [ErrorNumber]

LDT sends this alarm from the newly elected primary host, during recovery of an INCOMPLETE file, when it encounters any errors during LDT rekey related to the recovery of the file or during the resumption of rekey on the file.

[CGS3359I] LDT-NFS-ALERT: Secondary host DEMOTED due to loss of NAS connection, GuardPoint [GuardPoint]

LDT on a self-demoted secondary host sends this alarm for the specified GuardPoint when the self-demotion process completes on the self-demoted secondary.

Detecting Loss of NAS connection to an LDT GuardPoint Group

Brief Overview of LDT Rekey Operations

Effects of loss of NAS connection on a GuardPoint

LDT over NFS I/O monitoring system to detect loss of NAS connection

LDT over NFS Monitoring Control Thread

Managing loss of NAS connection to a GuardPoint on the PRIMARY host

Managing Primary host losing NAS connection to a GuardPoint - Primary Demotion

Rekey Completion on GuardPoint with INCOMPLETE Files

Recovering self-demoted primary host

Shutdown failure on self-demoted primary host

Self-demoted primary host reaches HALT state

Handling loss of the NAS connection to a GuardPoint on a non-PRIMARY host

[CGS3347i] LDT over NFS-ALERT: Primary host of GuardPoint [GuardPoint] demoting

[CGS3348i] LDT over NFS-ALERT: Primary host of GuardPoint [GuardPoint] demoted

[CGS3349e] LDT over NFS-ALERT: Demotion of Primary host of GuardPoint [GuardPoint] failed, error [ErrorNumber]

[CGS3355i] LDT over NFS-ALERT: INCOMPLETE file. After DEMOTION, Admin intervention is required for full recovery, GuardPoint [GuardPoint] objID [InodeNumber] error [ErrorNumber]

[CGS3357i] LDT over NFS-ALERT: Manual recovery invoked to recover the DEMOTED GuardPoint[GuardPoint]

[CGS3358e] LDT over NFS-ALERT: DEMOTED GuardPoint recovered on the newly-elected primary host while the old primary host is still alive, objID [InodeNumber]

[CGS3354e] LDT over NFS-ALERT: Manual recovery failed on DEMOTED GuardPoint [GuardPoint] objID [InodeNumber] error [ErrorNumber]

[CGS3359I] LDT-NFS-ALERT: Secondary host DEMOTED due to loss of NAS connection, GuardPoint [GuardPoint]

On this page

Suggest A Change

Detecting Loss of NAS connection to an LDT GuardPoint Group

Brief Overview of LDT Rekey Operations

Effects of loss of NAS connection on a GuardPoint

LDT over NFS I/O monitoring system to detect loss of NAS connection

LDT over NFS Monitoring Control Thread

Managing loss of NAS connection to a GuardPoint on the PRIMARY host

Managing Primary host losing NAS connection to a GuardPoint - Primary Demotion

Rekey Completion on GuardPoint with INCOMPLETE Files

Recovering self-demoted primary host

Shutdown failure on self-demoted primary host

Self-demoted primary host reaches HALT state

Handling loss of the NAS connection to a GuardPoint on a non-PRIMARY host

LDT over NFS demotion-related Alarms to CipherTrust Manager

[CGS3347i] LDT over NFS-ALERT: Primary host of GuardPoint [GuardPoint] demoting

[CGS3348i] LDT over NFS-ALERT: Primary host of GuardPoint [GuardPoint] demoted

[CGS3349e] LDT over NFS-ALERT: Demotion of Primary host of GuardPoint [GuardPoint] failed, error [ErrorNumber]

[CGS3355i] LDT over NFS-ALERT: INCOMPLETE file. After DEMOTION, Admin intervention is required for full recovery, GuardPoint [GuardPoint] objID [InodeNumber] error [ErrorNumber]

[CGS3357i] LDT over NFS-ALERT: Manual recovery invoked to recover the DEMOTED GuardPoint[GuardPoint]

[CGS3358e] LDT over NFS-ALERT: DEMOTED GuardPoint recovered on the newly-elected primary host while the old primary host is still alive, objID [InodeNumber]

[CGS3354e] LDT over NFS-ALERT: Manual recovery failed on DEMOTED GuardPoint [GuardPoint] objID [InodeNumber] error [ErrorNumber]

[CGS3359I] LDT-NFS-ALERT: Secondary host DEMOTED due to loss of NAS connection, GuardPoint [GuardPoint]

On this page