Thales CipherTrust Manager k160 User manual
CipherTrust Manager k160
Quick Start Guide
007-500223-001, Rev. A
07/28/2022 Thales Trusted Cyber Technologies, Proprietary 1
CipherTrust Manager k160
Quick Start Guide
This document details quick instructions for starting up and configuring a Thales Trusted Cyber Technologies (TCT) CipherTrust Manager
k160 appliance. Full documentation is located here: https://www.thalesdocs.com/ctp/cm/latest/get_started/deployment/index.html.
Equipment
•Power supply and cable
•Serial-to-USB adapter cable
•Null Modem cable
•(2) Mounting brackets with screws
•CipherTrust k160 Appliance
•(2) Token HSMs
•Ethernet cable (not included)
Front of Unit
Item
Name
Description
A Power
On/Off Powers the appliance on or off.
B Round
Button 1 Reserved for future use.
C Round
Button 2 Reserved for future use.
D USB HSM
Token (High Assurance token shown).
Back of Unit
Item
Name
Description
E (COM)
Console Port Connect a terminal to this port using
the included DB9 to USB cable.
F DC 12V Power Adaptor connection.
G VGA Connect a standard VGA monitor.
H USB ports Disabled/Not used.
I LAN CAT5 Networking Port.
Physical Installation
1. Install the CipherTrust k160 in an appropriate mounting rack
that provides sufficient space front, side, and back for cabling,
airflow, and maintenance.
2. Connect the provided Null Modem cable to the COM port (E).
If your computer does nothave a serialport,use the provided
Serial-to-USB adapter cable.
NOTE: If the adapter is not recognized by yourcomputer, you
may need to install a USB driver. Contact TCT Technical
Support for assistance.
3. Insert an Ethernet cable into the LAN port (I) and connect the
other end to the network.
4. The token is connected to the interface located on the front
panel (D). Install the token and ensure that it is pushed firmly
into the connection.
5. Insert the power cable into the DC 12V (F) and then plug to
an AC power source. The CipherTrust k160 will power up
automatically.
6. Press the power button (A) to turn off.
CipherTrust Manager k160
Quick Start Guide
007-500223-001, Rev. A
07/28/2022 Thales Trusted Cyber Technologies, Proprietary 2
Establish a Connection and Change Default Passwords
After you have rack-mounted the appliance, you must log in to the console to create a secure password for the ksadmin user, and then log
in to the GUI to changethedefault SSHkey and admin user password. Changing these defaults ensures the security of CipherTrust Manager
and is required before beginning to create keys or engage any other cryptographic process.
Open a Serial Connection
A serial connection is initially required to set administrative
credentials and perform any necessary network configurations.
1. Connect the Null Modem cable to the COM port on the back
panel of the k160. If your computer does not have a serial
port, connect the Serial-to-USB adapter cable between the
Null Modem cable and a USB port on your computer.
NOTE: You may need to install a USB driver if the supplied
adapter is not recognized by your computer, contact TCT
Technical Support for assistance.
2. Use a terminal emulation package, such as PuTTY, to open
a serial connection to the k160. Set the serial connection
parameters as follows:
VT100/ANSI
Baud rate: 19200
Data bits: 8
Parity: None
Flow Control: None
Stop bits: 1
NOTE: You may need to press ENTER several times to
initiate the session.
3. When the connection is made, a DHCP-assigned IP address
appears together with the appliance login prompt:
ciphertrust login:
4. As the System Administrator, enter "ksadmin" to log in and
follow the prompts to create a secure password.
The system services start to launch at this point, which can
take several minutes.
5. [Optional] To set a static IP, use NMCLI:
nmcli conn modify “Wired connection 1” ipv4.method
manual ipv4.addresses <CIDR format> ipv4.gateway
<Gateway IP> ipv4.dns <comma separated IPs>
nmcli conn up “Wired connection 1”
NOTE: See also, “CipherTrust Manager > Getting Started >
CipherTrust Manager Deployment > Network Configuration
Tutorial” in the full product documentation.
6. [Optional] Close the serial connection.
Connecting to the GUI for the first time
1. In a web browser, navigate to the IP address displayed or set
via the serial connection. The error displayed is normal.
2. Paste into the field your SSH Public Keyand then select Add.
NOTE: The SSH Public Key must be a 'PEM-formatted RSA
key'. You can generate this key using 'PuTTYgen' or similar
utility. Be sure to store and securely protect the associated
private SSH key, as this key will be required to SSH to the
appliance.
3. Log in using the initial default credentials:
Username: admin
Password: admin
4. Enter a new password using this default Password Policy:
Length: 8-30 characters
At least 1 each:uppercase, lowercase, digit, and other
Log in again using this new password. The CipherTrust
Manager Web Page appears.
CipherTrust Manager k160
Quick Start Guide
007-500223-001, Rev. A
07/28/2022 Thales Trusted Cyber Technologies, Proprietary 3
HSM Root of Trust Configuration
The CipherTrust k160 utilizes a token HSM as its root of trust. After registering the first token HSM, additional tokens may be added.
NOTE: Verify that the tokens are firmly inserted into their USB interfaces and, if applicable, the High Assurance token is not illuminated red.
Download the CLI Toolkit
1. In the web GUI, click the “API” button at the far right of the top
title bar to open the API Playground.
2. On the top left, click into the CLI Guide.
3. Download the ksctl_images.zip package using the blue
download button on the top left of the window.
This package contains the CLI tools andsample configuration
file to initialize the HSM tokens to the k160.
4. Unpackage the ZIP archive on your client workstation.
5. Navigate to the ksctl_images directory, copy the
config_example.yaml under a new name (e.g. “k160.yaml”),
and modify these two lines within:
KSCTL_URL: <IP address of CTM>
KSCTL_TIMEOUT: 180
Perform the HSM Setup
1. From the CLI toolkit (ksctl_images) directory, execute the
following command, aligned to the model of k160:
ksctl --configfile <k160>.yaml hsm setup k160
--reset [--ha | --std]
“--ha”for High Assurance |“--std”for Standard
The HSM configuration validates and the system will reset.
NOTE: If you attempt tolog inon the GUI, you will see various
messages about services starting up and it will take over 10
minutes to complete the start-up process.
2. Log back into the GUI with the original login credentials
(admin/admin) and reestablish a new admin password.
3. [Optional] Verify the HSM token has been set up by visiting
the HSM settings page at “Admin Settings HSM.”
Register an Additional Token HSM
1. Keeping the first token inserted into the k160, insert another
token into an open USB slot on the back of the k160 device.
2. From the CLI toolkit (ksctl_images) directory, execute the
following command:
ksctl –-configfile <k160>.yaml hsm tokens reg
3. Once the command completes, remove the additional token
from the back of the k160.
NOTE:Removing the token from the front of the k160 will
cause a system restart.
Removing a Token During Operation
Removing the token HSM triggers the system services to shut down within 1 minute, shutting off all access to cryptographic materials and
rendering keys, stored objects, etc. encrypted and unusable.
•The system services enter into a restart loop, checking for the reintroduction of a registered token HSM.
•Once a registered token HSM is provided, the system will start back up and resume operations.
•Stored objects can only be recovered by reintroducing a registered token HSM or by performing a system reset and restoring from a
backup.
Table of contents
Other Thales Network Hardware manuals
Thales
Thales payShield 10K PS10-F User manual
Thales
Thales Cryptel-IP CE 621 User manual
Thales
Thales Z-Max.Net User manual
Thales
Thales SafeNet KeySecure k470 User manual
Thales
Thales ProtectToolkit 5.9.1 Operator's manual
Thales
Thales VesseLINK Certus 350 User manual
Thales
Thales CipherTrust Manager k160 User manual
Thales
Thales Cinterion DGL61-W User manual
Thales
Thales payShield 10K PS10-D User manual
Popular Network Hardware manuals by other brands
Cabletron Systems
Cabletron Systems Expansion module DELHE-UA user guide
GSA
GSA Bolide BN-NVR/NX user manual
ProCurve
ProCurve J8456A quick start guide
Lindsay Broadband
Lindsay Broadband LBON320AC Series Installation and operation manual
Panasonic
Panasonic WJ-PB85C16 instructions
KT&C
KT&C Omni IP KNR-p4Px4 Quick installation guide
