Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Troubleshooting CTE-LDT

Protecting CTE-LDT GuardPoints against Failure in Underlying File Systems (Linux)

search

Please Note:

Protecting CTE-LDT GuardPoints against Failure in Underlying File Systems (Linux)

CTE-LDT Recovery Challenges

The main challenge with CTE-LDT recovery is a failure to access files or specific blocks in files inside a GuardPoint. Before CTE-LDT runs the recovery process on a GuardPoint, the underlying file system was recovered before file system was mounted. File system recovery may create orphan files in the lost+found directory inside the mount point. If an orphan file belongs to the GuardPoint, CTE-LDT cannot recover the file as the file is no longer in the same directory as it was prior to the crash while it was undergoing rekey.

CTE-LDT Recovery Enhancement

CTE-LDT has been improved for handling inconsistencies in the underlying file system during execution of CTE-LDT recovery. When enabling a GuardPoint after a system crash, CTE-LDT performs consistency checks on the files undergoing rekey at the time of crash before enabling GuardPoint. If the CTE-LDT recovery process is unable to recover any of the affected files, the GuardPoint will not be enabled and CTE-LDT will send the following alert to the CipherTrust Manager:

[CGS3266E] LDT-ALERT: Cannot enable guard point [GuardPoint] due to inconsistencies in underlying file system encountered during LDT recovery.

You can check the status of a GuardPoint and the reason for failing to enable a GuardPoint using the secfsd -status guard command. For example, the GuardPoint/mnt/gp failed to guard because Guard point needs LDT recovery as reported in the Reason column for the following example GuardPoint.

GuardPoint Policy Type   ConfigState Status      Reason
---------- ------ ----   ----------- ------      ------
/mnt/gp    LDT220 manual guarded     not guarded Guard point needs LDT recovery

Details on the specific issues encountered, including any files that could not be recovered, are reported to a log file in the /var/log/vormetric directory. The log file name is in the format:

ldt_recovery_log:<guardpoint_name>:<timestamp>.txt

The log file name starts with ldt_recovery_log, followed by the GuardPoint pathname and the date and time of the recovery attempt. The GuardPoint pathname and date and time are separated with “:”. For example:

/var/log/vormetric/ldt_recovery_log:_mnt_gp:2018-12-08-14:6:12.txt

Refer to the issues listed in the log file, and resolve those issues before enabling the GuardPoint again. A GuardPoint cannot be enabled in subsequent guard attempts until those issues are resolved. Each attempt generates a new log file. Check the CTE-LDT log file for missing files whose inode numbers match inode numbers of orphan files in lost+found. If there is a match, restore the file from lost+found to the pathname specified in the CTE-LDT recovery log file. Be sure to run the mv command to restore the file to the original location, do not run the cp command. After resolving all or some of the reported issues, you must run the command voradmin ldt recover <GuardPoint> to repeat the recovery process.

voradmin ldt recover <GuardPoint>

Running this command resolves the problems that can be corrected and clears the failed recovery status on the GuardPoint, allowing the GuardPoint to enable automatically within 30 seconds. If the GuardPoint does not enable, you can enable it using secfsd –guard command, if manual guard, or enable it on the CipherTrust Manager, if auto-guard. Note that if you are unable to resolve all of the reported issues, you accept the loss of some data or files, as reported in the latest recovery log file for the GuardPoint, when you run the command voradmin ldt recover <GuardPoint>.

On this page