Administration
CipherTrust Manager
- CipherTrust Manager Release Model
- Supported Upgrade Paths
- Authentication
  - Authentication Settings for NAE, KMIP, Web, and Preboot Interfaces
  - Users
  - Certificate Based Authentication for Users
  - Managing Your Own User Account Settings
  - Authentication Tokens
  - Client Management
  - Authenticating to the REST API
- Attribute-based Access Control Permissions for Resources
  - Backup
  - Certificate Authority
  - Client Management
  - Cluster
  - Keys
  - Connection Managers
  - Proxies & Allowed Proxies
  - DNS Hosts
  - Domains
  - Groups & Groupmaps
  - Interfaces
  - Connections
  - Logs
  - Log Forwarders
  - Quorum
  - Records
  - Users
  - Scheduler
  - Servers
  - SNMP
  - Policies
  - Migrations
  - Licensing
  - HSM
  - Miscellaneous
  - Network
  - ProtectApp
  - Secrets
- Password Policy
- Key Policies
- Changing Passwords
- Domain Management
- Groups
- Group Mapping
- Services
- Root of Trust Hardware Security Module
- Clusters and Nodes
- CipherTrust Manager System Monitoring
  - Records
  - Alarms
  - Syslogs
  - Debug Logs
  - Log Forwarding
  - Prometheus Metrics Endpoint
- Policies
- Banners
- Basic Interface Configuration
- Proxy Configuration
- Quorums
- SNMP
- SMTP
- Backups
- Scheduling Backups
- Disk Encryption After Initial Deployment
- Scheduler
- Connection Manager
  - Connections
  - Labels in Connection Manager
  - AWS
  - Google
  - Secure Copy Protocols (SCP/SFTP)
  - Azure
  - Hadoop Knox
  - Loki
  - Salesforce
  - Luna Network HSM
  - Elasticsearch
  - SAP Data Custodian
  - CIFS/SMB
  - Syslog
  - Oracle Cloud Infrastructure
  - DSM Connection
  - OIDC
  - LDAP
  - Attestation Authority Connection
  - CM Connection/External CM
    - Managing CM Connections using GUI
    - Configuring CM Connections using ksctl
  - Akeyless Gateway
- Browsing LDAP Users and Groups
- System Upgrade/Downgrade
- Configuring DNS Hosts
- CLI Toolkit
  - CLI Toolkit Installation
  - Batching Commands with Tokens
  - Example CLI User Set Up
  - Support CLI
- Keys
- Key Rotation
- Crypto Operations
- MKEK Rotation
- Certificate Authority
- System Info
- System Properties
- Network Diagnostics
- Integrating Logging with Splunk App
- Return Material Authorization (RMA) Guidance
- Secrets Management
- Reports
- Key Templates
Application Data Protection
- Interfaces
- Managing DPG Configurations
  - Managing DPG Applications
- Managing CRDP Configurations
  - Managing CRDP Applications
- Managing CDP for Teradata VantageCloud Lake Configurations
  - Managing CDP for Teradata VCL Applications
- Managing CADP for Java Configurations
  - Managing CADP for Java Applications
- Managing BDT Configurations
  - Managing BDT Applications
  - Managing Data Sources
  - Managing Job Configuration
    - Running Job from Application
    - Running Job from Job Configuration
  - Job Status
- Managing Character Sets
  - Creating character set
  - Deleting character set
- Managing User Sets
  - Viewing user sets
  - Creating user sets
  - Deleting user sets
- Managing Masking Formats
  - Viewing masking format
  - Creating masking formats
  - Deleting masking format
  - Modifying masking format
- Managing Access Policy
  - Viewing access policy
  - Creating access policy
  - Modifying access policy
  - Deleting access policy
- Managing Protection Policy
  - Viewing protection policy
  - Creating protection policy
  - Modifying protection policy
  - Deleting protection policy
  - Protection Policy Versioning
  - IV for FPE/AES
  - Key States
  - Tweak algorithm and tweak data compatibility details
- Tasks
  - How to delete stale clients
  - View updated status of clients
  - Auto Renewal of Client Certificates
  - Fetch Latest Data from CipherTrust Manager
- Heartbeat Configuration
- Single Pane of Glass
Batch Data Transformation (BDT)
- Protection Profiles
- BDT Policies
- BDT Containers
CipherTrust Cloud Key Manager (CCKM)
- Overview
- AWS Resources
  - Managing AWS Accounts
  - Managing AWS Keys
  - Scheduling Operations
  - Managing AWS Reports
  - Managing Policies
  - Managing AWS Templates
  - Migrating to IAM Roles Anywhere Connections
  - Downloading AWS Metadata
- AWS CloudHSM Key Store Resources
  - Managing an AWS CloudHSM Key Store from CCKM
- AWS External Key Store Resources
  - Managing External Key Store Resources
  - AWS XKS Performance Summary
- Azure Resources
  - Prerequisites
    - Prerequisites for Azure Cloud
    - Prerequisites for Azure Stack Cloud with Azure AD
    - Prerequisites for Azure Stack Cloud with Azure ADFS
  - Managing Azure Vaults
  - Managing Azure Keys
  - Managing Azure Certificates
  - Managing Azure Secrets
  - Scheduling Operations
  - Managing Azure Reports
  - Viewing Azure Subscriptions
  - Performance Summary
  - Allowing AD Users to Manage Azure Vaults
  - Configuring Connection to Azure Using Private Link
  - Downloading Azure Metadata
- Microsoft Double Key Encryption (DKE) Resources
  - Managing DKE Endpoints
  - Managing DKE Authorized Tenants
- External CipherTrust Resources
  - Managing External CipherTrust Domains
  - Managing External CipherTrust Keys
- DSM Resources
  - Managing DSM Domains
  - Managing DSM Keys
  - Scheduling Operations
- Google Cloud Resources
  - Google Cloud Projects
  - Google Cloud Key Rings
  - Google Cloud Keys
  - Google Cloud Reports
  - Scheduling Operations
  - Downloading Google Metadata
  - Performance Summary
- Google Cloud External Key Manager Resources
  - Managing Google EKM Endpoints
  - Managing Google EKM Endpoint Policies
  - Google EKM Performance Summary
  - Managing Google EKM Cryptospaces
  - Managing Google EKM Cryptospace Endpoints
- Google Workspace CSE Resources
  - Access Policies
  - High Level Architecture
  - Licensing
  - Prerequisites
  - Communication with KACLS
  - CSE Guest Access Support for Google Meet and Google Drive
  - Google CSE support for Google's end-to-end encrypted email
  - Clustering for Google Workspace
  - Encrypting Data Encryption Keys
  - Decrypting Data Encryption Keys
  - Endpoints
  - Identity Providers
  - Viewing Google Workspace CSE Records
  - Performance Summary
    - Google Calendar
    - Google Drive
    - Google Meet
    - Gmail
- Key Material Export and Upload
- Luna HSM Resources
  - Managing Luna HSM Partitions
  - Managing Luna HSM Keys
  - Scheduling Operations
- Oracle Cloud Resources
  - Managing Oracle Vaults
  - Managing Oracle Keys
  - Managing Oracle Tenancies
  - Scheduling Operations
  - Managing Oracle Reports
  - Managing Oracle Compartments
  - Downloading Oracle Metadata
- OCI External Resources
  - Managing Identity Providers
  - Managing External Vaults
  - Managing External Keys
  - OCI EKMS Performance Summary
- SAP Resources
  - Managing SAP Groups
  - Managing SAP Keys
  - Scheduling Operations
  - Managing SAP Reports
  - Viewing Linked SAP Applications
  - Performance Summary
  - Downloading SAP Metadata
- SAP HYOK Resources
  - Licensing
  - SAP HYOK endpoints
  - SAP HYOK keystores
  - Scheduling Operations
  - Performance summary
- Salesforce Resources
  - Managing Salesforce Organizations
  - Managing Salesforce Tenant Secrets
  - Scheduling Operations
  - Managing Salesforce Reports
  - Managing Salesforce Cache-Only Key Endpoints
  - Managing Certificates from Salesforce Organizations
- Migrate from CCKM Appliance
- Migrate DKE source keys from local to external CipherTrust Manager
- Backup and Restore
CipherTrust Data Protection (CDP)
- Interfaces
- Concepts
- Configuring Oracle Databases
- Configuring DB2 Databases
- Configuring SQL Server Databases
- Configuring Teradata Databases
- Tasks
  - View Job History
  - Delete Views and Triggers
  - Create Views and Trigger
  - Delete Old Data
  - Create Domain Index
  - Encrypt a Column
  - Decrypt a Column
  - Configure Migration Server
- SSL Connection Over JDBC
  - SSL Connection Over JDBC for Oracle
  - SSL Connection Over JDBC for DB2
- Troubleshooting
CipherTrust Transparent Encryption UserSpace (CTE UserSpace)
- Overview
- Interfaces
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Collecting Agent Information
  - Fetching Latest Capabilities from Clients
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
- Managing GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
- Sharing Resources Across Domains
- Multifactor Authentication
- Communication with CipherTrust Manager
- Communication Workflow with CipherTrust Manager Behind a Load Balancer
- Configuring Cluster Node Preference
- Backup and Restore
- Integrating CTE Logging with Splunk
- Permissions
- Quorum Control
- Confidential Computing
- Load Balancer
- Operations
- Certificate Renewal
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- API Examples
  - Creating Keys
  - Creating Policy Elements
  - Creating Policies
  - Creating GuardPoints
- API Response Codes
CipherTrust Transparent Encryption (CTE)
- Overview
- Interfaces
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Enabling Live Data Transformation
  - Setting Client Locks
  - Client Settings
  - CTE Linux Authentication and Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Kernel Compatibility Matrix
  - Collecting Agent Information
  - Fetching Latest Capabilities from Clients
- Managing LDT Communication Groups
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
  - Managing FAM Policies and Rules
- Managing GuardPoints
  - Secure Start GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
    - Creating LDT GuardPoints
    - Creating Cloud Object Storage GuardPoints
    - Creating IDT GuardPoints
    - Creating Ransomware Protection GuardPoints
  - Enabling Secure Start for GuardPoints
  - Protecting Teradata Appliances
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Changing Designated Primary Set Connection
  - Changing SMB Connection
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
  - Enabling and Disabling MFA on GuardPoints
- Managing Kubernetes Storage Groups and Clients
  - Managing Kubernetes Storage Groups
  - Managing Kubernetes Clients
  - Protecting Kubernetes Clients
  - Collecting Kubernetes Agent Information
- Sharing Resources Across Domains
- Multifactor Authentication
- Communication with CipherTrust Manager
- Communication Workflow with CipherTrust Manager Behind a Load Balancer
- Configuring Cluster Node Preference
- Backup and Restore
- Integrating CTE Logging with Splunk
- Migrating CTE Configuration from Data Security Manager
- Migration Summary
- Permissions
- Quorum Control
- Confidential Computing
- Ransomware Protection
- File Activity Monitoring (FAM)
- Unique to Client Keys
- Load Balancer
- Operations
- Certificate Renewal
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- API Examples
  - Creating Keys
  - Creating Policy Elements
  - Creating Policies
  - LDT Use Cases
  - Creating GuardPoints
- API Response Codes
Data Discovery and Classification (DDC)
- DDC overview
- Concepts
  - User groups
  - Locations
  - Information types
  - Classification profiles
  - Scans
  - Reports
  - Agents
  - Similarity search
- Discovering sensitive information
  - Local storage
  - Big data
    - Hadoop
    - Teradata
  - Network storage
    - NFS Share
    - SMB/CIFS Share
  - Server
    - Exchange Server
    - Sharepoint Server
  - Clouds
    - AWS S3
    - Azure Blobs
    - Azure Table
    - Google Workspace: GDrive
    - Google Workspace: Gmail
    - Office 365: Exchange Online
    - Office 365: OneDrive for Business
    - Office 365: SharePoint Online
    - Salesforce
  - Databases
    - IBM Db2
    - MongoDB
    - Microsoft SQL
    - MySQL
    - Oracle
    - PostgreSQL
    - SAP HANA
- Logging
- Operations
- Troubleshooting
- Appendix
- Deployment Security
ProtectFile
- Interfaces
- Client Profiles
- Clients
- Access
- Keys
- Rules
- Client-Rule Associations
- Network Shares
- Clusters
- Operations
- Migration from KeySecure Classic to CipherTrust Manager
- Migrating ProtectFile to CipherTrust Transparent Encryption
Secrets Management
- Configure Secrets Management
- Create and Protect Akeyless Secrets
- Configuring Hashicorp Vault Proxy with CSM
- Integrating External Secrets Operator (ESO) K8s plugin with CipherTrust Secrets Manager (Akeyless)
- CSM Integration with Luna Network HSM
- CSM Akeyless Gateway Version Files for CipherTrust Manager
- Managing Akeyless Gateway Versions for CSM
- Troubleshooting

Prometheus Metrics Endpoint

You can use the Prometheus metrics endpoint to connect the Prometheus monitoring system to CipherTrust Manager. You can set Prometheus to scrape the CipherTrust Manager continuously, providing metrics over time to help monitor overall system health, performance, and cryptographic activity.

A sample configuration with Prometheus and Grafana docker images is available on Github. The Grafana data visualization application provides graph visualizations of the Prometheus-collected metrics.

Prerequisites for Sample Configuration

CipherTrust Manager 2.7.0 or later
Docker
Docker Compose (docker-compose)

Sample Configuration Setup

On your CipherTrust Manager, enable Prometheus metrics, either through a POST to the /v1/system/metrics/prometheus/enable endpoint, or with the ksctl metrics prometheus enable CLI command.

A token is returned, which Prometheus needs to scrape CipherTrust Manager.

Note

This token does not expire, but can be manually renewed with ksctl metrics prometheus renew-token or a POST to /v1/system/metrics/prometheus/renew-token.
Get the token which Prometheus needs to scrape CipherTrust Manager, if needed. You can use GET with the /v1/system/metrics/prometheus/status endpoint or ksctl metrics prometheus status.

In the Prometheus Metrics directory, edit the prometheus.yml file.

At minimum, you must provide the CipherTrust Manager hostname/IP in targets and the prometheus API token in bearer token. Prometheus can scrape multiple CipherTrust Managers, which might or might not share the API Token. This is an example configuration file with three CipherTrust Manager nodes, of which two share the same Prometheus API token:

scrape_configs:
  - job_name: "CipherTrust Manager"
    scheme: "https"
    tls_config:
      #ca_file: "/trusted_cas/web-keysecure-local.pem"
      #server_name: "web.keysecure.local"
      insecure_skip_verify: true
    bearer_token: "1zplR4njZsRN5dNeWAFXhkL1x7MU9q4H"
    metrics_path: "/api/v1/system/metrics/prometheus"
    static_configs:
      - targets:
        - "1.1.1.1"
        - "1.1.1.2"
  - job_name: "CipherTrust Manager Staging"
    scheme: "https"
    tls_config:
      #ca_file: "/trusted_cas/web-keysecure-local.pem"
      #server_name: "web.keysecure.local"
      insecure_skip_verify: true
    bearer_token: "TnRHpdL9v8MnWv8DhN9xuAaKgPevMEZs"
    metrics_path: "/api/v1/system/metrics/prometheus"
    static_configs:
      - targets:
        - "1.1.1.3"

Set up TLS authentication. By default, the Prometheus configuration sets insecure_skip_verify: true which is not recommended for production deployments as it skips SSL/TLS certificate validation for the CipherTrust Manager server.
1. On CipherTrust Manager, download the certificate associated with the web interface. Export to a pem format.
```
ksctl interfaces certificate get --name web --icertfile <desired-filename>.pem
```
2. Use openssl to retrieve the Common Name (CN) of the certificate, which will become the server_name value in Prometheus.
```
openssl x509 -noout -subject -in <your-file>.pem
```
  Example response:
```
subject=C = US, ST = MD, L = Belcamp, O = Gemalto, CN = web.keysecure.local
```
  The CN value, web.keysecure.local, is the value needed for Prometheus.
3. Copy the certificate file to the trusted_cas folder in the Prometheus Metrics directory.
4. Edit the prometheus.yaml file to include the ca_file path and server_name of the certificate, and disable the insecure_skip_verify parameter. For example:
```
scrape_configs:
  - job_name: "CipherTrust Manager"
    scheme: "https"
    tls_config:
      ca_file: "/trusted_cas/web-keysecure-local.pem"
      server_name: "web.keysecure.local"
      #insecure_skip_verify: true
    bearer_token: "TnRHpdL9v8MnWv8DhN9xuAaKgPevMEZs"
    metrics_path: "/api/v1/system/metrics/prometheus"
    static_configs:
      - targets:
        - "1.1.1.1"
```
In the Prometheus directory run make up to start the stack.

Note

You can run make down to stop the stack and make clear to stop the stack and all persisted data.
Visit the Prometheus Dashboard in a browser at http://localhost:9090.
1. Navigate to Status > Target to ensure that Prometheus is scraping CipherTrust Manager. The state should display as UP for each node, with no errors.
2. If you detect a problem, verify the metrics endpoint on CipherTrust Manager with ksctl metrics prometheus get --api-token <api-token>, or curl -k 'https://<hostname>/api/v1/system/metrics/prometheus' -H 'Authorization: Bearer <api-token>' --compressed ). You can also use The Docker Compose logs to debug problem, with docker-compose logs -f.
Visit the Grafana Dashboard in a browser at http://localhost:3000.
1. Login with the user admin and the password admin. Set a new password when prompted.
2. Go to Dashboards -> Home to view the included dashboards.

Metrics Prefixes

The following high-level categories of metrics are returned from the endpoint:

Prefixes	Metrics Type	Prometheus Exporter, Package, or Integration
`ciphertrust_`	Metrics for specific CipherTrust resource applications. For example, size of the server audit log or key cache hits.	N/A
`dummy_`	Custom internal metrics that can be disregarded.	N/A
`docker_`	Metrics for the Docker containers that underlie CipherTrust Manager microservices, such as state, lifecycle, and resource usage.	docker_exporter
`go_`	Metrics gathered by the Go runtime. Most useful for debugging purposes with Thales engineers.	go-metrics
`http_`	Metrics about HTTP traffic to and from the CipherTrust Manager REST API endpoints and entities external to CipherTrust Manager. For example, response time and number of requests to an endpoint.	N/A
`httpclient_`	Metrics about HTTP traffic between internal CipherTrust Manager microservices. For example, response time and number of requests.	N/A
`node_`	Metrics for the CipherTrust Manager host, such as CPU and disk details.	Node exporter
`process_`	Metrics for microservices written in Go, including CPU, memory and file descriptor usage as well as the process start time.	Process collector of the go Prometheus package
`promhttp_`	Measures number of times individual microservices are called divided by HTTP code.	promhttp Go package
`sql_`	CipherTrust-specific metrics collected to analyze performance issues. Most useful for debugging purposes with Thales engineers.	N/A

Available Metrics Dashboards

The following dashboards are displayed in Grafana for CipherTrust Manager:

CipherTrust Manager Developer - Metrics relevant to internal CipherTrust Manager developers to debug problems. This includes:
- Average JWT processing time
- Applications and Accounts Totals
- Key Encryption Key (KEK)s Count
- Authorization Policies Cache Hits pr Minute
- Average Prometheus Metrics Scraping Response Time
CipherTrust Manager Host - Metrics about the health of the CipherTrust Manager host, including CPU details, memory details, network details, network connections, and disk details.
CipherTrust Manager HTTP Traffic - Metrics about HTTP traffic to the CipherTrust Manager. This includes:
- Average HTTP Response Time Per Minute
- HTTP Requests in the Last Minute
- Average Network Latency Per Minute
- Average CM HTTP Client Response Time Per Minute
- HTTP 500 Errors in the Last Minute
CipherTrust Manager NAE - Basic metrics about the performance of the NAE-XML cryptographic interface. This includes XML response time and XML processing time.
CipherTrust Manager NAE Developer - More detailed metrics about operations and performance on the NAE-XML interface, intended for debugging. This includes:
- Key Info Cache Misses Time Per Minute
- Key Info Cache Hits Time Per Minute
- XML Total Processing time
- XML Parsing Time
- XML Transmit Time
- XML Receive Time
- XML Execution Time
CipherTrust Manager Resources - Metrics about creation and use of objects on CipherTrust Manager, such as audit records, keys, licenses, backup, and users. This includes:
- Audit Records Created Per Second Over The Last Minute
- Audit Records Created In Last Five Minutes
- Total Number of Audit Records
- Total Number of Keys By Algorithm
- Crypto Operations Per Second Over The Last Minute
- Total Number Of Connector Licenses Deployed
- Number of License Units Consumed
- License Unit Consumption by Percentage
- Total Number Of Group Users in the System
- Total Number Of Key Rotations
- Key Rotations In Last Five Minutes
- Time Taken To Create Backup
- Number of Backups taken
- Total number of Keys by States and Algorithm
CipherTrust Manager Services - Metrics about the performance of individual microservices within CipherTrust Manager, intended for debug purposes. This includes:
- CPU percentage
- Memory usage
- Network I/O (transmitting and receiving)
- Disk I/O (reading and writing)
CipherTrust Manager Node Metrics - Metrics of the nodes in a clustered system showing the node connection information. This includes:
- Write, flush, and replay lags
- Sent, write, flush, and replay lag sizes
- Whether replication is blocked
- Whether node is connected
- Connect time for a node
- Apply rate
- Catchup interval
- Uptime for a connection
CipherTrust Manager CTE Resources - More detailed metrics about operations and performance on the CTE resources, intended for debugging. This includes:
- CTE Clients
- CTE Clients Health Status
- CTE Groups
- CTE Guard Points State
CipherTrust Manager Secrets - Metrics for the various secrets (Akeyless) gateway operations. This includes:
- CPU utilization metrics
- Disk I/O metrics
- CPU load metrics
- Memory utilization metrics
- Network interface I/O metrics & TCP connection metrics
- Current transaction number
- Total transaction by an admin client
- Total transaction limit per hour
- Status of HTTP response
- Total number of requests
For more details, click here.

Suggest A Change

Prometheus Metrics Endpoint

Prerequisites for Sample Configuration

Sample Configuration Setup

Metrics Prefixes

Available Metrics Dashboards

On this page