Network Configuration Tutorial

You can configure multiple network interfaces after installing and initializing a CipherTrust Manager physical appliance or private cloud Virtual CipherTrust Manager.

Network interface configuration on public clouds should be done using the cloud provider's tools.

This configuration is performed using GNOME NetworkManager and its nmcli tool.

This tutorial provides an example of typical network configuration steps. These steps show how to view network devices, view network connections, set DHCP with IPv4 for a connection, and then modify the connection to use a static IP instead of DHCP.

Planning is required for network interface bonding, configuring static routes, or configuring VLAN.

Basic Network Configuration Tasks with nmcli

  1. Connect as the ksadmin user to the CipherTrust Manager appliance through its serial connection, or the Virtual CipherTrust Manager through its console.

    Modifying a remote network interface over SSH is risky. The remote connection will stop responding if the IP address settings are incorrectly configured, resulting in the remote machine being unreachable.

  2. Use nmcli to list the available network devices (also called network interfaces or NICs). The devices listed in this example are truncated for brevity.

    nmcli device
    
    DEVICE       TYPE      STATE         CONNECTION
    kylo0        bridge    connected     kylo0
    ens3         ethernet  connected     Wired connection 1
    ens4         ethernet  disconnected  --
    veth05d02c4  ethernet  unmanaged     --
    ...
    

    The output of this command might show over 30 devices. However, only a few require explanation:

    • kylo0 is used for internal communication by CipherTrust Manager services. It should never be altered in any way.

    • ens3 is an active device with a NetworkManager connection profile named Wired connection 1.

    • ens4 is an inactive device with no NetworkManager connection profile defined.

    • veth05d02c4 is an unmanaged device and should be ignored because NetworkManager cannot be used to control or configure the device.

    As a general rule, device names starting with eth or en are devices an administrator can configure.

  3. Use nmcli to see an active device's live values. In this example the only active device so far is ens3.

    nmcli device show ens3
    
    GENERAL.DEVICE:            ens3
    GENERAL.TYPE:              ethernet
    GENERAL.HWADDR:            00:50:56:99:3F:54
    GENERAL.MTU:               1500
    GENERAL.STATE:             100 (connected)
    GENERAL.CONNECTION:        Wired connection 1
    GENERAL.CON-PATH:          /org/freedesktop/NetworkManager/ActiveConnection/8
    WIRED-PROPERTIES.CARRIER:  on
    IP4.ADDRESS[1]:            10.121.105.97/22
    IP4.GATEWAY:               10.121.104.1
    IP4.DNS[1]:                10.121.8.7
    IP4.DNS[2]:                172.16.2.13
    IP4.DNS[3]:                172.16.2.12
    IP6.ADDRESS[1]:            fe80::bd7e:b93f:7e66:4b92/64
    IP6.GATEWAY:
    

    The output shows that IPv4 has an address and accompanying values and that IPv6 only has a link-local address.

  4. Use nmcli conn to see the configured network devices that NetworkManager calls connections. Notice that the connections listed in this example do not include device ens4 because it is not yet configured.

    nmcli conn
    
    NAME                 UUID                                  TYPE            DEVICE
    Wired connection 1   9d86421b-7032-48eb-ac5a-3c84d285d01e  802-3-ethernet  ens3
    
  5. Use nmcli to create a connection configuration for the device ens4 using DHCP for IPv4 and no IPv6 configuration. When ipv4.method or ipv6.method is not explicitly provided, NetworkManager uses auto by default.

    There is a known issue in CipherTrust Manager instances upgraded from 2.4 and earlier, where the network interface name may be associated with a different MAC address after a reboot. Because of this issue, it is highly recommended to bind the connection to the device's MAC address instead of the network interface name when creating the connection profile.

    1. View details for ens4. Retain the MAC address, shown as the GENERAL.HWADDR value, for creating a connection later.

      nmcli device show ens4
      
      GENERAL.DEVICE:            ens4
      GENERAL.TYPE:              ethernet
      GENERAL.HWADDR:            00:50:56:99:3F:55
      ...
      
    2. Create the connection, binding it to the MAC address. Provide a meaningful connection name based on the context of use. For example, if ens3 is responsible for web traffic and ens4 is responsible for database traffic, then naming the connections web and db provides better context for how they are used.

      nmcli conn add type ethernet con-name <connection_name> ifname '' -- ethernet.mac-address 00:50:56:99:3F:55 ipv4.method auto ipv6.method ignore
      
  6. Use nmcli to confirm the connection is created with the correct configuration for device ens4. The configuration and active values in this example are truncated for brevity.

    nmcli conn show <connection_name>
    
    connection.id:                          <connection_name>
    connection.uuid:                        d797d28c-fe8a-49ab-8181-271870d6cfc6
    connection.interface-name:              ens4
    connection.type:                        802-3-ethernet
    ...
    ipv4.method:                            auto
    ...
    ipv6.method:                            ignore
    ...
    IP4.ADDRESS[1]:                         10.121.105.113/22
    IP4.GATEWAY:                            10.121.104.1
    IP4.DNS[1]:                             10.121.8.7
    IP4.DNS[2]:                             172.16.2.13
    IP4.DNS[3]:                             172.16.2.12
    ...
    

    The output format uses lowercase key names to indicate configuration values (e.g. ipv4.method) and uppercase key names to indicate live values (e.g. IP4.ADDRESS[1]). From this output we can see the newly configured device's IP address obtained via DHCP is 10.121.105.113.

  7. Try connecting to the connection's IP address from a browser and confirm that CipherTrust Manager UI loads. If the UI does not load, try pinging the address to confirm the IP address can be reached or use other network tools such as netcat to verify connectivity.

  8. You can use the modify sub-command to change the connection configuration. Use nmcli to modify device ens4's connection to use a static IP address instead of DHCP. You must provide a gateway and DNS server(s).

    nmcli conn modify <connection_name> ipv4.method manual ipv4.addresses 10.121.105.18/22 ipv4.gateway 10.121.104.1 ipv4.dns 8.8.8.8,8.8.4.4
    
    nmcli conn show <connection_name> | grep IP4.ADDRESS
    
    IP4.ADDRESS[1]:                         10.121.105.113/22
    
  9. To ensure that DHCP-provided DNS servers are ignored, run the command:

    nmcli conn modify <connection_name> ipv4.ignore-auto-dns yes
    
  10. Notice that the IP4.ADDRESS[1] field returned by the second command in step 8 still shows the original IP address obtained via DHCP. To activate the modification, the connection must be restarted using the up sub-command:

    nmcli conn up <connection_name>
    
    Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/15)
    
    nmcli conn show <connection_name> | grep IP4.ADDRESS
    
    IP4.ADDRESS[1]:                         10.121.105.18/22
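
The check from steps 8 to 10, as an added example that is not part of the original documentation: a POSIX shell helper that reads saved `nmcli conn show <connection_name>` text, reports whether a static address is still pending activation (the lowercase saved value differs from the uppercase live value), and confirms the gateway lies inside the address's subnet before `nmcli conn up` is run. The sample text, the connection name db, and all function names are constructed for illustration, and one IPv4 address per profile is assumed.

```shell
#!/bin/sh
# Added example: inspects saved `nmcli conn show <connection_name>` text only.

# Constructed sample: static settings saved (step 8) but not yet activated.
SAMPLE='connection.id:                          db
ipv4.method:                            manual
ipv4.addresses:                         10.121.105.18/22
ipv4.gateway:                           10.121.104.1
IP4.ADDRESS[1]:                         10.121.105.113/22
IP4.GATEWAY:                            10.121.104.1'

# field KEY: print the value of the "KEY: value" line read from stdin.
field() { awk -v k="$1:" '$1 == k { print $2; exit }'; }

# ip_to_int A.B.C.D: print the address as a 32-bit integer.
ip_to_int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# gateway_in_subnet ADDR/PREFIX GATEWAY: succeed if the gateway is on-link.
gateway_in_subnet() (
  prefix=${1#*/}
  mask=$(( (0xFFFFFFFF << (32 - $prefix)) & 0xFFFFFFFF ))
  addr=$(ip_to_int "${1%/*}")
  gw=$(ip_to_int "$2")
  [ $(( $addr & $mask )) -eq $(( $gw & $mask )) ]
)

# activation_state: read `nmcli conn show` text on stdin and print
#   not-static  profile does not use ipv4.method manual
#   pending     saved address differs from the live one (run `nmcli conn up`)
#   active      live address matches the saved configuration
activation_state() (
  out=$(cat)
  method=$(printf '%s\n' "$out" | field ipv4.method)
  saved=$(printf '%s\n' "$out" | field ipv4.addresses)
  live=$(printf '%s\n' "$out" | field 'IP4.ADDRESS[1]')
  if [ "$method" != manual ]; then echo not-static
  elif [ "$saved" = "$live" ]; then echo active
  else echo pending
  fi
)

echo "state: $(printf '%s\n' "$SAMPLE" | activation_state)"
if gateway_in_subnet 10.121.105.18/22 10.121.104.1; then echo "gateway on-link"; fi
```

Running the gateway check before activation is most useful when the change is made over SSH, where step 1 warns that a wrong address setting leaves the machine unreachable.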