Setting up Key Management for a CTERA Portal

After adding the security license, you add a key management server to the portal.

To display the key management option in the CTERA Portal user interface, you need to run an activation CLI.

Setting up key management involves the following steps:

  1. Generating Keys for the Key Management Service
  2. Setting Up the CTERA Portal Key Management Service
  3. Managing Key Management Servers in CTERA Portal

Generating Keys for the Key Management Service

The server (CA) certificate and the client key and certificate are generated in Thales CipherTrust Manager. The procedures described below use a local certificate authority. If you want to use an external certificate authority, replace Local with External in the procedures.

To add the server certificate to Thales CipherTrust Manager:

  1. Access the Thales CipherTrust Manager as an administrator.

  2. Click CA > Local in the navigation pane.
    The Local Certificate Authorities page is displayed.

  3. Click Add Local CA.
    The Add Local CA window is displayed.

    Note

    If using an external certificate, paste the certificate into the window that is displayed and click Save.

  4. Enter the information for the certificate and click Create Local CA.
    The Local Certificate Authorities page is redisplayed, showing the new local CA.

  5. Click the ellipsis (...) to the right of the certificate and then click Download. The downloaded CA certificate is the server certificate that you later upload to CTERA Portal.

To generate the client private key and certificate:

  1. Access the Thales CipherTrust Manager as an administrator.
  2. Click the KMIP product.
    The Registered Clients page is displayed.
  3. Click Client Profile in the navigation pane.
    The Client Profiles page is displayed.
  4. Click Add Profile.
    The Add Profile window is displayed.
  5. Enter a Profile Name and click Save.
  6. Click Registration Token in the navigation pane.
    The Registration Token page is displayed.
  7. Click New Registration Token.
    The Create New Registration Token window is displayed.
  8. Click Begin.
  9. Provide a Name prefix for the token and click Select CA.
  10. Choose Local CA and select the CA from the drop-down list. This is the CA added to Thales CipherTrust Manager in the previous procedure.
  11. Click Select Profile.
  12. Choose the client profile created in step 5 from the drop-down list and click Create Token.
  13. Copy the token and click Done.
    The Registration Token page is redisplayed, showing the token that was created.
  14. Click Registered Clients in the navigation pane.
    The Registered Clients page is displayed.
  15. Click Add Client.
    The Add Client window is displayed.
  16. Enter a Name and the Registration Token copied in step 13 and, if required, the client certificate, and click Save.
    The Add Client window is displayed with buttons to download the client private key and certificate and a CSR.
  17. Click Save Private Key and Save Certificate to download the private key and client certificate.

    Warning

    If you do not download the private key now, you cannot retrieve it later and will not be able to set up key management in CTERA Portal with this key and certificate. Store the key securely: anyone holding it together with the certificate can authenticate to the KMIP service as this client.

    Note

    You can download the certificate later.

Setting Up the CTERA Portal Key Management Service

You can specify key management server settings and authentication specifications.

To set up key management:

  1. In the global administration view, select Services > Key Management in the navigation pane.
    The KEY MANAGEMENT page is displayed.
    The Status bar at the top of the page shows the current status:
    Active/RUNNING OK – The key management service is running on at least one key management server.
    Disabled/NOT RUNNING – The CTERA Portal is not licensed for key management.
    Error/ALL KEY MANAGEMENT SERVERS ARE OFFLINE – None of the defined key management servers can be reached.
    Failed/INTERNAL ERROR – There is an error with the key management service.
    No Servers/NOT RUNNING – A key management server has not been defined.
    Warning – There is a problem with the key management service. The status message is one of the following:

    • REMOVING THE SERVICE...
    • FAILED TO REMOVE SERVICE
    • SOME KEY MANAGEMENT SERVERS ARE OFFLINE
    • KEY MANAGEMENT SERVICE IS IN WARNING STATE

  2. Click Settings in the Status bar at the top of the page to configure the key management settings.

  3. Click Advanced Settings.
    The Key Management Settings window is displayed.
    Key Server Type – The type of key management server. Currently, only Thales CipherTrust is supported.
    Timeout – The amount of time to wait for a reply from the key management server before the operation times out.
    Key expiration – The amount of time before the key encryption keys become invalid.

    Note

    Keys are automatically rotated before they expire.

    Port – The port used by the key management server.

  4. Click Client Certificate to upload the client certificate.

  5. Click Select File and select the KMS client certificate (.pem file) downloaded in Generating Keys for the Key Management Service.

    Note

    Only .pem files are allowed.

  6. Click Select File and select the client private key downloaded in Generating Keys for the Key Management Service. The private key must match the KMS client certificate.

  7. Click KMS Server Certificate to upload the server certificate.

  8. Click Select File and select the KMS server certificate (.pem file), that is, the CA certificate downloaded in Generating Keys for the Key Management Service.

    Note

    Only .pem files are allowed. The server certificate must be the certificate of the CA that issued the client certificate.

  9. Click SAVE.

If there is a problem with the certificates, for example the client and server certificates do not match, an error is displayed, with additional information written to the log.
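The two procedures above produce three PEM files (client private key, client certificate and the CA certificate that serves as the KMS server certificate), and the portal rejects the upload if they are inconsistent. The following shell script is added here as an example and is not part of the CTERA or Thales documentation; it checks the files with the openssl CLI before you upload them: PEM format, that the private key belongs to the client certificate, that the client certificate chains to the CA and is within its validity period, and optionally that a mutually authenticated TLS session to the KMIP port succeeds. The file names (client.pem, client-key.pem, ca.pem) and the default port 5696 (the IANA-registered KMIP port) are assumptions; use whatever your downloads are named and the value configured under Port. Run with no arguments, it generates constructed throwaway certificates and exercises the checks against them.

```shell
#!/bin/sh
# Pre-flight check for the PEM files exported from Thales CipherTrust Manager
# before they are uploaded under Services > Key Management in CTERA Portal.
# Added example, not CTERA or Thales code. Requires the openssl CLI.
# File names and the port 5696 default are assumptions for illustration.

# kms_preflight CLIENT_CERT CLIENT_KEY CA_CERT [KMS_HOST [KMS_PORT]]
# Returns 0 when the three files are consistent, 1 with a reason on stderr.
kms_preflight() {
    kp_cert="$1"; kp_key="$2"; kp_ca="$3"; kp_host="$4"; kp_port="${5:-5696}"

    # 1. Every file must be PEM; the portal accepts nothing else.
    for kp_f in "$kp_cert" "$kp_key" "$kp_ca"; do
        grep -q -- '-----BEGIN ' "$kp_f" 2>/dev/null \
            || { echo "not a PEM file: $kp_f" >&2; return 1; }
    done
    openssl x509 -in "$kp_cert" -noout 2>/dev/null \
        || { echo "client certificate does not parse: $kp_cert" >&2; return 1; }
    openssl pkey -in "$kp_key" -noout 2>/dev/null \
        || { echo "private key does not parse (encrypted?): $kp_key" >&2; return 1; }

    # 2. The private key must belong to the client certificate: compare the
    #    public key derived from each side (works for RSA and EC keys).
    kp_pub_cert=$(openssl x509 -in "$kp_cert" -noout -pubkey 2>/dev/null || true)
    kp_pub_key=$(openssl pkey -in "$kp_key" -pubout 2>/dev/null || true)
    [ -n "$kp_pub_cert" ] && [ "$kp_pub_cert" = "$kp_pub_key" ] \
        || { echo "private key does not match client certificate" >&2; return 1; }

    # 3. The client certificate must chain to the CA whose certificate was
    #    downloaded from CipherTrust Manager, and must be within its validity.
    openssl verify -CAfile "$kp_ca" "$kp_cert" >/dev/null 2>&1 \
        || { echo "client certificate was not issued by the CA in $kp_ca" >&2; return 1; }

    # 4. Optional: open a mutually authenticated TLS session to the KMIP port
    #    using the same three files the portal will use.
    if [ -n "$kp_host" ]; then
        openssl s_client -connect "$kp_host:$kp_port" -CAfile "$kp_ca" \
            -cert "$kp_cert" -key "$kp_key" </dev/null 2>/dev/null \
            | grep -q 'Verify return code: 0 (ok)' \
            || { echo "TLS handshake with $kp_host:$kp_port failed" >&2; return 1; }
    fi
    echo "preflight OK: $(openssl x509 -in "$kp_cert" -noout -subject -enddate | tr '\n' ' ')"
}

# make_constructed_material DIR: generate a throwaway CA, a client certificate
# signed by it, an unrelated CA and an unrelated key so the checks can be
# exercised offline. Constructed test files, not real KMS material.
make_constructed_material() {
    mc_dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Constructed KMS CA' \
        -keyout "$mc_dir/ca-key.pem" -out "$mc_dir/ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Unrelated CA' \
        -keyout "$mc_dir/other-ca-key.pem" -out "$mc_dir/other-ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=ctera-portal' \
        -keyout "$mc_dir/client-key.pem" -out "$mc_dir/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$mc_dir/client.csr" -CA "$mc_dir/ca.pem" \
        -CAkey "$mc_dir/ca-key.pem" -CAcreateserial -out "$mc_dir/client.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$mc_dir/wrong-key.pem" 2>/dev/null
}

if [ "$#" -ge 3 ]; then
    kms_preflight "$@"        # files downloaded from CipherTrust Manager
else
    demo_dir=$(mktemp -d)
    make_constructed_material "$demo_dir"
    kms_preflight "$demo_dir/client.pem" "$demo_dir/client-key.pem" "$demo_dir/ca.pem" || true
    # The next two are deliberately broken inputs: wrong key, wrong CA.
    kms_preflight "$demo_dir/client.pem" "$demo_dir/wrong-key.pem" "$demo_dir/ca.pem" || true
    kms_preflight "$demo_dir/client.pem" "$demo_dir/client-key.pem" "$demo_dir/other-ca.pem" || true
    rm -rf "$demo_dir"
fi
```

Invoke it as `sh kms_preflight.sh client.pem client-key.pem ca.pem kms.example.internal 5696` against the real downloads; the TLS step is the closest offline approximation of what the portal does when you click SAVE, and a failure there with the file checks passing usually points at the Port value or at a KMIP interface that is bound to a different CA than the one you downloaded.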

Managing Key Management Servers in CTERA Portal

You can use more than one key management server. CTERA recommends using more than one key management server for high availability. All the key management servers are expected to be members of a synchronized cluster. All the key management servers share one client certificate, private key and server certificate; there is no separate set per server.

To add or edit a key management server:

  1. In the global administration view, select Services > Key Management in the navigation pane.
    The KEY MANAGEMENT page is displayed.
  2. To add a new key management server, click Add a Server.
    The New Key Server window is displayed.
    Or,
    To edit an existing key management server, click the server’s name.
    The key server window is displayed with the server as the window title.
  3. Specify the details:
    Host – The IP address or DNS name of the server.
    Name – A display name for the server.
  4. Click SAVE.

The server is added to the list of key management servers.
Any new folder group uses managed keys to access the folder group content. All existing folder groups are transitioned to use managed keys by a task that runs in the background.

Each folder group has a key in the key management server. After a file in the folder group is accessed for the first time, the key is saved in a cache in the CTERA Portal. As long as the key is in the cache, access to the files in the folder group is quicker, and access remains possible even if the key management server is not running.

