CipherTrust Manager Administration

Basic Interface Configuration


Interfaces are services the CipherTrust Manager hosts. Most interfaces are listening on a particular port, but may also represent other input channels, like local shell access or serial port access. To view the Interfaces page in the UI, go to Admin Settings > Interfaces.

The CipherTrust Manager currently supports five interfaces:

  • web: The HTTP server on port 80 and 443. This interface serves both the GUI and the REST API.

  • ssh: The SSH server on port 22.

  • nae: The NAE-XML server on port 9000.

  • kmip: The KMIP server on port 5696.

  • SNMP: The SNMP Agent on port 161.

Note

The Web, KMIP, and NAE interfaces have several options to control authentication to those interfaces. The Authentication Settings for NAE, KMIP, and Web interfaces page describes these settings in detail.

Effect of updating interface settings

If you have active NAE, KMIP, or web connections, we recommend that you plan for connection downtime before updating interface settings, especially for updates to the initial default interfaces.

  • When you update the port of the default interface of NAE, KMIP, and WEB, all nodes in the cluster restart. However, if you update any other setting apart from the port, no node in the cluster restarts.

  • If you update any setting on the non-default interfaces of NAE, KMIP, and WEB, no node in the cluster restarts.

There are some interface changes that are applied immediately and trigger an automatic services restart. This restart can disrupt running NAE, KMIP, and web connections and cause an immediate downtime of a few minutes. If your CipherTrust Manager is part of a cluster, the interface settings change can also replicate to other nodes, and disrupt running NAE, KMIP, and web connections to those nodes. Therefore, plan for some downtime before updating interfaces.

Interface settings changes that are known to cause an immediate loss of connection are:

  • Updating the port for NAE, KMIP, or web interface

  • Enabling the Hard Delete option for the KMIP interface

Other interface changes require a manual Services Restart.
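The restart and downtime rules above can be checked before a change is run. The following script is an added example, not part of this documentation or of ksctl: it reads a listing in the shape of `ksctl interfaces list` output (a constructed sample is embedded) and classifies a planned modification. It assumes that the default interfaces are the ones whose name equals their interface type, and it uses a hypothetical `hard_delete` key to stand in for the KMIP Hard Delete option.

```python
import json

# Constructed sample shaped like `ksctl interfaces list` output, trimmed to the
# fields this check reads (not captured from a real CipherTrust Manager).
SAMPLE_LIST = json.loads("""
{"skip": 0, "limit": 10, "total": 4, "resources": [
  {"name": "web",  "interface_type": "web",  "port": 443,  "enabled": true},
  {"name": "nae",  "interface_type": "nae",  "port": 9000, "mode": "no-tls-pw-req", "enabled": true},
  {"name": "kmip", "interface_type": "kmip", "port": 5696, "mode": "tls-cert-pw-opt", "enabled": true},
  {"name": "nae_all_9009", "interface_type": "nae", "port": 9009, "mode": "unauth-tls-pw-opt", "enabled": true}
]}
""")

# Interface types whose port change is known to drop running connections.
DISRUPTIVE_TYPES = {"web", "nae", "kmip"}


def is_default_interface(iface):
    # Assumption: the initial default interfaces are the ones whose name equals
    # their interface_type; interfaces added later get names like "nae_all_9009".
    return iface["name"] == iface["interface_type"]


def change_impact(listing, name, changes):
    """Classify a planned change to interface `name`.

    `changes` maps setting names to new values, e.g. {"port": 8443},
    {"enabled": False} or {"hard_delete": True} (hypothetical key standing in
    for the KMIP Hard Delete option). Returns the three effects the page lists.
    """
    iface = next((i for i in listing["resources"] if i["name"] == name), None)
    if iface is None:
        raise KeyError(f"no interface named {name!r}")
    disruptive = iface["interface_type"] in DISRUPTIVE_TYPES
    port_changed = "port" in changes and changes["port"] != iface["port"]
    hard_delete_on = iface["interface_type"] == "kmip" and changes.get("hard_delete") is True
    # Disabling any interface drops its incoming and existing connections.
    disabling = changes.get("enabled") is False and iface.get("enabled", True)
    immediate = (disruptive and (port_changed or hard_delete_on)) or disabling
    return {
        # every cluster node restarts only for a port change on a default NAE/KMIP/web interface
        "cluster_restart": port_changed and disruptive and is_default_interface(iface),
        # running connections are lost right away (a few minutes of downtime)
        "immediate_downtime": immediate,
        # anything else takes effect only after a manual Services Restart
        "manual_services_restart": not immediate,
    }
```

Run it against the real listing by replacing `SAMPLE_LIST` with `json.load()` of the saved command output.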

View the initial set of interfaces using ksctl


ksctl interfaces list

Response


{
  "skip": 0,
  "limit": 10,
  "total": 4,
  "resources": [
    {
      "id": "ee242373-2555-48c7-923b-86ed3e785504",
      "name": "kmip",
      "mode": "tls-cert-pw-opt",
      "cert_user_field": "CN",
      "auto_gen_ca_id": "kylo:kylo:naboo:localca:9d13d43a-381e-481a-80a1-9463acfff84a",
      "trusted_cas": {
        "local": [
          "kylo:kylo:naboo:localca:9d13d43a-381e-481a-80a1-9463acfff84a"
        ]
      },
      "createdAt": "2020-07-20T12:59:14.776939Z",
      "updatedAt": "2020-07-20T12:59:24.703806Z",
      "default_connection": "local_account",
      "port": 5696,
      "network_interface": "all",
      "interface_type": "kmip",
      "local_auto_gen_attributes": {
        "cn": "kmip.keysecure.local",
        "email_addresses": [
          "support@gemalto.com"
        ],
        "names": [
          {
            "C": "US",
            "ST": "MD",
            "L": "Belcamp",
            "O": "Gemalto",
            "OU": ""
          }
        ],
        "generated": false
      },
      "enabled": true
    },
    {
      "id": "a4db15b4-64fc-40d3-8465-9935866bbe09",
      "name": "nae",
      "mode": "no-tls-pw-req",
      "cert_user_field": "CN",
      "auto_gen_ca_id": "kylo:kylo:naboo:localca:9d13d43a-381e-481a-80a1-9463acfff84a",
      "trusted_cas": {
        "local": [
          "kylo:kylo:naboo:localca:9d13d43a-381e-481a-80a1-9463acfff84a"
        ]
      },
      "createdAt": "2020-07-20T12:59:14.770938Z",
      "updatedAt": "2020-07-20T16:21:43.427252Z",
      "default_connection": "local_account",
      "port": 9000,
      "network_interface": "all",
      "interface_type": "nae",
      "local_auto_gen_attributes": {
        "cn": "nae.keysecure.local",
        "email_addresses": [
          "support@gemalto.com"
        ],
        "names": [
          {
            "C": "US",
            "ST": "MD",
            "L": "Belcamp",
            "O": "Gemalto",
            "OU": ""
          }
        ],
        "generated": false
      },
      "enabled": true
    },
    {
      "id": "c8c6e4c1-30d7-4317-9d37-a9ec217ffb17",
      "name": "ssh",
      "trusted_cas": {},
      "createdAt": "2020-07-20T12:59:14.7787Z",
      "updatedAt": "2020-07-20T12:59:14.7787Z",
      "port": 22,
      "network_interface": "all",
      "interface_type": "ssh",
      "local_auto_gen_attributes": {
        "cn": "ssh.keysecure.local",
        "email_addresses": [
          "support@gemalto.com"
        ],
        "names": [
          {
            "C": "US",
            "ST": "MD",
            "L": "Belcamp",
            "O": "Gemalto",
            "OU": ""
          }
        ],
        "generated": false
      },
      "enabled": true
    },
    {
      "id": "e64d84b0-e952-4fa3-83c9-e1d1bc52a996",
      "name": "web",
      "mode": "tls-cert-opt-pw-opt",
      "cert_user_field": "CN",
      "auto_gen_ca_id": "kylo:kylo:naboo:localca:9d13d43a-381e-481a-80a1-9463acfff84a",
      "trusted_cas": {
        "local": [
          "kylo:kylo:naboo:localca:9d13d43a-381e-481a-80a1-9463acfff84a"
        ]
      },
      "createdAt": "2020-07-20T12:59:14.774618Z",
      "updatedAt": "2020-07-20T12:59:23.37516Z",
      "port": 443,
      "network_interface": "all",
      "interface_type": "web",
      "local_auto_gen_attributes": {
        "cn": "web.keysecure.local",
        "email_addresses": [
          "support@gemalto.com"
        ],
        "names": [
          {
            "C": "US",
            "ST": "MD",
            "L": "Belcamp",
            "O": "Gemalto",
            "OU": ""
          }
        ],
        "generated": false
      },
      "enabled": true
    }
  ]
}

Updating interface ports

You can change ports for the following interfaces:

  • WEB

  • NAE

  • KMIP

Syntax

ksctl interfaces modify --name <interface-name> --port <port-number>

You can find the value for <interface-name> using the command ksctl interfaces list.

Example 1: Changing the default WEB interface port to 8443


ksctl interfaces modify --name web --port 8443

Response


{
    "id": "f1af6f94-43af-4350-84d0-ec6b08639e5b",
    "name": "web",
    "mode": "tls-cert-opt-pw-opt",
    "cert_user_field": "CN",
    "auto_gen_ca_id": "kylo:kylo:naboo:localca:a9319f59-5914-41a2-886e-32b8930d082c",
    "trusted_cas": {
        "local": [
            "kylo:kylo:naboo:localca:a9319f59-5914-41a2-886e-32b8930d082c"
        ]
    },
    "createdAt": "2020-12-09T14:25:14.596482Z",
    "updatedAt": "2020-12-09T14:29:50.246509Z",
    "port": 8443,
    "network_interface": "all",
    "interface_type": "web",
    "local_auto_gen_attributes": {
        "cn": "web.keysecure.local",
        "email_addresses": [
            "support@gemalto.com"
        ],
        "names": [
            {
                "C": "US",
                "ST": "MD",
                "L": "Belcamp",
                "O": "Gemalto",
                "OU": ""
            }
        ],
        "generated": false
    },
    "enabled": true
}

Example 2: Changing the default NAE interface port to 443


ksctl interfaces modify --name nae --port 443

Response


{
    "id": "2228f2aa-f973-4fda-b633-ead376db3e19",
    "name": "nae",
    "mode": "unauth-tls-pw-opt",
    "cert_user_field": "CN",
    "auto_gen_ca_id": "kylo:kylo:naboo:localca:a9319f59-5914-41a2-886e-32b8930d082c",
    "trusted_cas": {
        "local": [
            "kylo:kylo:naboo:localca:a9319f59-5914-41a2-886e-32b8930d082c"
        ]
    },
    "createdAt": "2020-12-09T14:25:14.594319Z",
    "updatedAt": "2020-12-09T14:35:22.75339Z",
    "default_connection": "local_account",
    "port": 443,
    "network_interface": "all",
    "interface_type": "nae",
    "minimum_tls_version": "tls_1_2",
    "local_auto_gen_attributes": {
        "cn": "nae.keysecure.local",
        "email_addresses": [
            "support@gemalto.com"
        ],
        "names": [
            {
                "C": "US",
                "ST": "MD",
                "L": "Belcamp",
                "O": "Gemalto",
                "OU": ""
            }
        ],
        "generated": false
    },
    "enabled": true
}

Enabling/disabling interfaces

You can enable or disable the following interfaces:

  • SSH

  • NAE

  • KMIP

To enable/disable an interface using the GUI, click Action Button > Enable/Disable.

After an interface has been enabled or disabled, it remains in the same state even after the device restarts, and the state is replicated if the device is part of a cluster.

After an interface has been disabled, the CipherTrust Manager drops all incoming and existing connections on that interface.

Enable or disable an interface using ksctl

When using ksctl:

  • To enable an interface: ksctl interfaces enable --name <interface-name>

  • To disable an interface: ksctl interfaces disable --name <interface-name>

    Only the SSH, KMIP, and NAE interfaces can be enabled or disabled. Replace <interface-name> in the above commands with ssh, kmip, or nae for these interfaces.

Example: Disabling the SSH interface


ksctl interfaces disable --name ssh

Response


{
  "id": "2e8d2344-c40b-466c-8202-d05d2cb6738a",
  "name": "ssh",
  "trusted_cas": {},
  "createdAt": "2020-08-13T10:22:32.792266Z",
  "updatedAt": "2020-08-14T11:11:28.564276Z",
  "port": 22,
  "network_interface": "all",
  "interface_type": "ssh",
  "local_auto_gen_attributes": {
    "cn": "ssh.keysecure.local",
    "email_addresses": [
      "support@gemalto.com"
    ],
    "names": [
      {
        "C": "US",
        "ST": "MD",
        "L": "Belcamp",
        "O": "Gemalto",
        "OU": ""
      }
    ],
    "generated": false
  },
  "enabled": false
}

Adding and removing interfaces (NAE, KMIP, and SNMP)

You can add and remove interfaces other than default interfaces (NAE, KMIP, and WEB). Currently, the Create and Delete commands are supported only for the NAE, KMIP, and SNMP interfaces.

Adding the SNMP interface

To configure the SNMP agent, you must first add the SNMP interface.

Adding the SNMP interface in the GUI

  1. Navigate to Admin Settings > Interfaces.

  2. Select + Add Interface.

  3. Select SNMP and click Next.

  4. Provide the following values:

    • A friendly name.

    • A port for the SNMP interface to listen on. 161 is the default recommended port.

    • A network interface.

  5. Select Save.

Adding the SNMP interface using ksctl

The following command adds the SNMP interface:

ksctl interfaces create --type snmp --name <friendly_name_for_the_interface> --port <port_to_listen_on> --network-interface <network_interface_on_host>

The default, recommended port is 161. Valid network interfaces are all or a particular network interface name such as ens32. You can use ksctl network interfaces list to view available network interfaces.

To create a new NAE interface:

Example


ksctl interfaces create -o 9009 -y nae

Response


{
  "id": "456eb374-ec5c-40e8-bc89-4ab485c20c6c",
  "name": "nae_all_9009",
  "mode": "unauth-tls-pw-opt",
  "cert_user_field": "CN",
  "auto_gen_ca_id": "kylo:kylo:naboo:localca:61476734-4778-40ec-a3be-06654d123513",
  "trusted_cas": {
    "local": [
      "kylo:kylo:naboo:localca:61476734-4778-40ec-a3be-06654d123513"
    ],
    "external": []
  },
  "createdAt": "2019-01-21T05:52:57.657447Z",
  "updatedAt": "2019-01-21T05:52:57.657447Z",
  "default_connection": "local_account",
  "custom_uid_size": 0,
  "port": 9009,
  "network_interface": "all",
  "interface_type": "nae"
}

To create a new KMIP interface:

Example


ksctl interfaces create -o 5697 -y kmip

Response


{
  "id": "90b3b131-d6d8-4985-abdd-539162c136c3",
  "name": "kmip_all_5697",
  "mode": "tls-cert-pw-opt",
  "cert_user_field": "CN",
  "auto_gen_ca_id": "kylo:kylo:naboo:localca:c729ffe0-f6ad-49ad-8558-2db435b112c7",
  "trusted_cas": {
    "local": [
      "kylo:kylo:naboo:localca:c729ffe0-f6ad-49ad-8558-2db435b112c7"
    ]
  },
  "createdAt": "2019-08-22T10:10:28.05794Z",
  "updatedAt": "2019-08-22T10:10:28.05794Z",
  "default_connection": "local_account",
  "port": 5697,
  "network_interface": "all",
  "interface_type": "kmip"
}

Deleting an interface

You can delete an NAE, KMIP, or SNMP interface.

Delete all SNMP configuration, including communities, users, and management stations, before deleting the SNMP interface.

Example


ksctl interfaces delete -n nae_all_9009