Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Migrating to CTE or CTE UserSpace

Prerequisites for Migration

search

Please Note:

Prerequisites for Migration

This page lists the prerequisites for migration. Ensure these pre conditions are satisfied before proceeding with migration process.

Prerequisites for Migration for CTE and CTE-U

  1. Users must have the proper licensing for the application to which they are migrating, (CipherTrust Transparent Encryption or CTE-U). For more information on licensing, see CTE UserSpace Licensing Model

  2. User must have Read/Write access to Data Transform.

  3. For Linux installations, the default root access must be read/write. Otherwise, the system can crash.

  4. Ensure that the CTE/CTE-U release supports the OS version on which ProtectFile is installed. CTE Windows supports all of the platforms supported by ProtectFile Windows. CTE-U/CTE Linux supports almost all of the OS versions that ProtectFile supports. The exceptions are listed in Platforms Not Supported by CTE/CTE-U Linux. These ProtectFile instances cannot be migrated to CTE.

  5. Backup the data. The migration process does not preserve state across a power cycle. In the event of a power failure or intentional/ unintentional reboot of a file server when migration is in progress, restore the data from a backup.

  6. Plan downtime. Downtime is required for each protected path on a file server that will be migrated. This means that the other paths can continue to be used with production workloads.

  7. Downtime for an encrypted path means the following:

    1. No application can use that path. In case of NAS shares, the shares must be unmounted from all nodes except the one on which the migration is being performed.

    2. For Linux: In the case of clusters, the migration is carried out on the active node and all of the other nodes must be passive.

    3. For Windows: Storage must be offline. Otherwise, failover can occur.

    4. In case an encrypted path is exported as a NAS share, you must stop the export before beginning the migration.

    5. Migration requires that ProtectFile encrypted paths must have Read/Write access to write, which allows plain text access to applications.

  8. Users who are responsible for migration must be a member of the CTE Admin Group. To add a user to a group, see Assign a User to a Group for more information.

Prerequisites for Migration of CTE only

The following prerequisites must be performed before beginning the migration process. Refer to the CTE documentation for more information on installing and configuring CTE:

  1. For CipherTrust Transparent Encryption Linux installations, ensure that CTE is certified for the kernel version on which ProtectFile is installed. In case the kernel version is not certified, do not proceed with the migration and contact Thales support.

  2. For both ProtectFile Windows and Linux installations, ensure that the file system of the encrypted paths is supported by CTE. CTE Windows supports all of the file systems that are supported by ProtectFile Windows. For CTE Linux, there are some file systems which are not supported. File Systems Not Supported by CTE/CTE-U Linux contains the list of file systems that are not supported by CTE Linux. If the file system is not supported by CTE, the migration is not possible.

  3. For ProtectFile Linux installations that protect data on NFS shares, examine the mount point of the NFS shares on each node. For ProtectFile, the NFS shares can be mounted on a different path on each node. However, in CTE, the NFS shares must be mounted on the same path on all of the nodes. Do not proceed with migration until the shares are mounted on the same path on all of the nodes.

    For example:

    /mnt_1 is a mount point

    ProtectFile

    192.168.10.150:/vol1_woodford/qatree1_reserve /mnt_1 ← host 1 192.168.10.150:/vol1_woodford/qatree1_reserve /mnt_2 ← host 2

    CipherTrust Transparent Encryption

    192.168.10.150:/vol1_woodford/qatree1_reserve /mnt_1 ← host 1 192.168.10.150:/vol1_woodford/qatree1_reserve /mnt_1 ← host 2

  4. CTE contains two drivers: vmfiltr and vmlfs. Data migration, from ProtectFile format to CipherTrust Transparent Encryption format, can only work with the vmfiltr drive. To change to the vmfiltr driver, type:

    voradmin config enable vmfiltr

Limitations

Platforms Not Supported by CTE-U v10.x

This is the list of platforms that ProtectFile supports but CTE-U v10 does not.

  • PowerPC 64 Little Endian (ppc64le)

Platforms Not Supported by CTE

  • Oracle Enterprise Linux - UEK kernels

  • PowerPC 64 Little Endian (ppc64le)

OS Not Supported by CTE-U v10

  • Migration to CTE-U v10 is not supported on Ubuntu 18. It is supported on Ubuntu 20.

File Systems Supported by CTE-U v10

Local File Systems Network File Systems
Btrfs NFSv3
Ext4 NFSv4
XFS

File Systems Not Supported by CTE-U v10

This is the list of file systems that CTE-U v10 for Linux does not support.

Not Supported
Ext3
GFS2
OCFS2
TRFS
VxFS

File systems not supported by CTE Linux

Not Supported
BTRFS
OCFS2
GFS2
VxFS

Special Cases

Migration of a CTE-U v9.x in Linux Pacemaker Cluster to CTE-U v10 is supported in both active-active and active-passive scenarios.

On this page