Thales CipherTrust Manager k160 User manual
CipherTrust Manager k160
Quick Start Guide
007-500223-001, Rev. E
04/30/2023 Thales Trusted Cyber Technologies, Proprietary 1
CipherTrust Manager k160
Quick Start Guide
This document details quick instructions for starting up and configuring a Thales Trusted Cyber Technologies (TCT) CipherTrust Manager
k160 appliance. Full documentation is located here: https://www.thalesdocs.com/ctp/cm/latest/get_started/deployment/index.html.
Required Equipment
•Power supply and cable
•Serial-to-USB adapter cable
•Null Modem cable
•(2) Mounting brackets with screws
•KeySecure k160 Appliance
•(2) USB Tokens (Standard or High Assurance)
•USB Extender Cable (High Assurance)
•Ethernet cable (not included)
WARNING: To avoid inadvertently locking the token HSM, wait to insert the first USB token HSM until ready to proceed with the “Perform
the HSM Setup” instructions below.
Front of Unit
Item Name Description
A Power
On/Off Powers the appliance on or off.
B Round
Button 1 Reserved for future use.
C Round
Button 2 Reserved for future use.
D USB Token
HSM Standard or High Assurance.
(High Assurance token shown.)
Back of Unit
Item Name Description
E (COM)
Console Port Connect a terminal to this port using
the included DB9 to USB cable.
F DC 12V Power Adaptor connection.
G VGA Connect a standard VGA monitor.
H USB ports Used to register additional tokens.
I LAN CAT5 Networking Port.
Physical Installation
1. Install the CipherTrust k160 in an appropriate mounting rack
that provides sufficient space front, side, and back for cabling,
airflow, and maintenance.
2. Connect the provided Null Modem cable to the COM port (E).
If your computer does not havea serial port,use the provided
Serial-to-USB adapter cable.
NOTE: If the adapter is not recognized by your computer, you
may need to install a USB driver. Contact TCT Technical
Support for assistance.
3. Insert an Ethernet cable into the LAN port (I) and connect the
other end to the network.
4. Insert the power cable into the DC 12V (F) and then plug to
an AC power source. The CipherTrust k160 will power up
automatically.
5. Press the power button (A) to turn off.
CipherTrust Manager k160
Quick Start Guide
007-500223-001, Rev. E
04/30/2023 Thales Trusted Cyber Technologies, Proprietary 2
Establish a Connection and Change Default Passwords
Open a Serial Connection
A serial connection is initially required to set administrative
credentials and perform any necessary network configurations.
1. Connect the Null Modem cable to the COM port on the back
panel of the k160. If your computer does not have a serial
port, connect the Serial-to-USB adapter cable between the
Null Modem cable and a USB port on your computer.
NOTE: If your system does not automatically install the USB
driver, contact TCT Technical Support for assistance.
2. Use a terminal emulation package, such as PuTTY, to open
a serial connection to the k160. Set the serial connection
parameters as follows:
VT100/ANSI
Baud rate: 19200
Data bits: 8
Parity: None
Flow Control: None
Stop bits: 1
NOTE: You may need to press ENTER several times to start
the session.
3. When the connection is made, a DHCP-assigned IP address
appears together with the appliance login prompt:
ciphertrust login:
4. As the System Administrator, enter "ksadmin" to log in and
follow the prompts to create a secure password.
The system services start to launch at this point, which can
take several minutes.
5. To set a static IP address, use NMCLI:
nmcli conn modify “Wired connection 1”
ipv4.method manual ipv4.addr <k160 IP/netmask
(CIDR)> ipv4.gateway <Gateway IP> ipv4.dns
<comma separated IPs>
nmcli general hostname <hostname.domain>
nmcli conn up “Wired connection 1”
nmcli conn show “Wired connection 1”
NOTE: See, “CipherTrust Manager > Getting Started >
CipherTrust Manager Deployment > Network Configuration
Tutorial” in the full product documentation.
6. [Optional] Close the serial connection.
Connecting to the GUI for the first time
1. In a web browser, navigate to the IP address displayed or set
via the serial connection. The error displayed is normal.
2. Paste into the field your SSH Public Key and then select Add.
NOTE: The SSH Public Key must be a 'PEM-formatted RSA
key'. You can generate this key using 'PuTTYgen' or similar
utility.
WARNING: Be sure to store and securely protect the
associated private SSH key, as this key will be required to
SSH to the appliance.
3. Log in using the initial default credentials:
Username: admin
Password: admin
4. Enter a new password using this default Password Policy:
Length: 8-30 characters
At least 1 each:uppercase, lowercase, digit, and other
Log in again using this new password. The CipherTrust
Manager Web Page appears.
CipherTrust Manager k160
Quick Start Guide
007-500223-001, Rev. E
04/30/2023 Thales Trusted Cyber Technologies, Proprietary 3
HSM Root of Trust Configuration
The CipherTrust k160 utilizes a token HSM as its root of trust. After registering the first token HSM, additional tokens may be added.
Download the CLI Toolkit
1. In the web GUI, click the “API” button at the far right of the top
title bar to open the API Playground.
2. On the top left, click into the CLI Guide.
3. Download the ksctl_images.zip package using the blue
download button on the top right of the window.
This package contains the CLI tools and sample configuration
file to initialize the HSM tokens to the k160.
NOTE: Previous versions of KSCTL may not be fully
compatible. Use the CLI package as downloaded from the
k160 being deployed.
4. Unpackage the ZIP archive on your client workstation.
5. Navigate to the ksctl_images directory, copy the
config_example.yaml under a new name (e.g. “k160.yaml”),
and modify these lines within:
KSCTL_URL: <k160 IP>:443
KSCTL_PASSWORD: <password set in GUI above>
KSCTL_TIMEOUT: 360
Perform the HSM Setup
1. Insert the first token HSM into the front slot of the k160.
NOTE: Verify that the tokens are firmly inserted into their
USB interfaces and, if applicable, the High Assurance token
is not illuminated red.
2. From the CLI toolkit (ksctl_images) directory, execute the
following command, aligned to the model of k160:
ksctl.exe --configfile "<path>\<k160>.yaml"
hsm setup k160 --reset [--ha | --std]
“--ha”for High Assurance |“--std”for Standard
The HSM configuration validates and the system will reset.
NOTE: If you attempt to log inon the GUI, you will see various
messages about services starting up and it will take over 10
minutes to complete the start-up process.
3. Log back into the GUI with the original login credentials
(admin/admin) and reestablish a new admin password.
4. Verify the HSM token has been set up by visiting the HSM
settings page at “Admin Settings HSM.”
Register an Additional Token HSM
1. Keeping the first token inserted into the k160, insert
another token into a USB slot on the back of the k160.For
HA models, use the provided USB extender cable.
2. From the CLI toolkit (ksctl_images) directory, execute the
following command:
ksctl –-configfile "<path>\<k160>.yaml" hsm
tokens reg
3. Once the command completes, remove the additional
token from the back of the k160.
WARNING:Removing the token from the front of the k160
will cause a system restart.
Removing a Token During Operation
Removing the token HSM triggers the system services to shut down within 1 minute, shutting off all access to cryptographic materials and
rendering keys, stored objects, etc. encrypted and unusable.
•The system services enter into a restart loop, checking for the reintroduction of a registered token HSM.
•Once a registered token HSM is provided, the system will start back up and resume operations.
•Stored objects can only be recovered by reintroducing a registered token HSM or by performing a system reset and restoring from a
backup.
CipherTrust Manager k160
Quick Start Guide
007-500223-001, Rev. E
04/30/2023 Thales Trusted Cyber Technologies, Proprietary 4
Troubleshooting
Issue
Resolution
HA Token HSM lights up red after being inserted
for a period of time
The HA Token HSM has locked itself and needs to be power cycled. Remove
the token HSM from the appliance, wait ~10 seconds, and then reinsert into the
USB slot.
If performing initial configuration, wait to insert the HA Token HSM until ready to
proceed with the “Perform the HSM Setup."
HA Token HSM lights up red immediately after
being inserted.
Contact Thales TCT Technical Support.
Table of contents
Other Thales Network Hardware manuals
Thales
Thales payShield 10K PS10-F User manual
Thales
Thales payShield 10K PS10-D User manual
Thales
Thales VesseLINK Certus 350 User manual
Thales
Thales SafeNet KeySecure k470 User manual
Thales
Thales Cryptel-IP CE 621 User manual
Thales
Thales ProtectToolkit 5.9.1 Operator's manual
Thales
Thales Z-Max.Net User manual
Thales
Thales CipherTrust Manager k160 User manual
Thales
Thales Cinterion DGL61-W User manual
Popular Network Hardware manuals by other brands
Cabletron Systems
Cabletron Systems Expansion module DELHE-UA user guide
GSA
GSA Bolide BN-NVR/NX user manual
ProCurve
ProCurve J8456A quick start guide
Lindsay Broadband
Lindsay Broadband LBON320AC Series Installation and operation manual
Panasonic
Panasonic WJ-PB85C16 instructions
KT&C
KT&C Omni IP KNR-p4Px4 Quick installation guide
