Complete first-time logon to Web UI and replace SSH key

After deploying CipherTrust Manager, you must immediately sign in to the CipherTrust Manager Web Interface to initialize the system. For physical appliances and private clouds (VMware and Hyper-V), this includes a mandatory, one-time replacement of the default SSH key. For all deployments, you are prompted to change the default admin password. Finally, as a best practice, confirm SSH access using the new key.

About the keys

  • The key must be a 2048-bit RSA key pair (public and private), OpenSSH-compatible, in PEM format.

  • If you have a Virtual CipherTrust Manager on a public cloud (AWS, Google Cloud, Microsoft Azure), the SSH key provided at launch does not need to be replaced.

    Back up credentials and SSH certificates immediately

    When setting up the Thales CipherTrust Key Management System (KMS), it is critical that you securely save the following:

    • Administrator credentials

    • SSH private key/certificate

    Failure to do so may result in permanent loss of access to the CipherTrust system and all encrypted data it protects.

    • Neither Thales nor Verint can recover this information if it is lost.

    • There is no password reset or recovery mechanism without the SSH key.

    • Loss of these credentials may lead to irreversible data loss.

    We strongly recommend:

    • Storing credentials in a secure, access-controlled vault.

    • Backing up the SSH key in multiple secure locations.

    • Verifying access to the backup before completing installation.

Procedure 

  1. Generate a 2048-bit RSA key pair in OpenSSH-compatible PEM format:

    • On Linux or Windows (Git Bash or WSL):

      1. Open a terminal, and run: ssh-keygen -t rsa -b 2048

      2. When prompted, press Enter to skip the passphrase or set one if you prefer.

    • In PuTTYgen:

      1. Generate the SSH key pair.

      2. Export the public and private keys in PEM format.

  2. Confirm that two files were created:

    • A private key (keep this secure)

    • A public key (upload it to the Web UI in the next step)

  3. Replace the SSH key using the Web UI:

    1. Open a web browser and go to https://<ciphertrust-ip-address>.

    2. When prompted, paste the new SSH public key into the provided field.

    3. Click Add.

    The Log In screen appears, confirming that the key was successfully replaced.

    The system finishes initializing and is now fully operational.

  4. Log in and change the default password:

    1. Log in using the default credentials (user name: admin, password: admin).

    2. When prompted, change the password.

      Passwords must be 8–30 characters long and include at least one uppercase letter, one lowercase letter, one digit, and one special character.

    3. Log in again using the new password.

    After you successfully log in, the CipherTrust Manager dashboard appears.

  5. Confirm that your SSH client utility can connect to CipherTrust Manager using the new SSH key.

    Open the SSH client (for example, PuTTY), select an SSH session, and enter the IP address of the CipherTrust Manager instance (this is the same IP address used to browse to the Web UI).

    If you are using PuTTY, make sure that your SSH keys are in PPK format.
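
The checks behind step 2 and the backup recommendation above can be scripted before the public key is pasted into the Web UI. The following is an added example, not part of the vendor procedure; the function names and the key file paths passed to them are assumptions.

```shell
#!/bin/sh
# Added example: pre-upload and backup checks for the new SSH key pair.
# Function names and file paths are assumptions, not CipherTrust tooling.

# key_info FILE: print "<bits> <type>" for a key file, e.g. "2048 RSA".
# ssh-keygen -l prints "<bits> <fingerprint> <comment> (<TYPE>)".
key_info() {
    ssh-keygen -l -f "$1" | awk '{ gsub(/[()]/, "", $NF); print $1, $NF }'
}

# derived_pub PRIVATE: print the public key (type and base64 blob, no comment)
# recomputed from the private key. Prompts if the key has a passphrase.
derived_pub() {
    ssh-keygen -y -f "$1" | awk '{ print $1, $2 }'
}

# check_keypair PRIVATE PUBLIC: succeed only if PUBLIC is a 2048-bit RSA key
# and is the public half of PRIVATE.
check_keypair() {
    [ "$(key_info "$2")" = "2048 RSA" ] || {
        echo "not a 2048-bit RSA key: $2" >&2; return 1; }
    [ "$(derived_pub "$1")" = "$(awk '{ print $1, $2 }' "$2")" ] || {
        echo "public key does not belong to private key: $1" >&2; return 1; }
}

# verify_backup PRIVATE BACKUP: succeed only if the backup copy can be read
# and yields the same public key as the original private key.
verify_backup() {
    orig_pub=$(derived_pub "$1")
    backup_pub=$(derived_pub "$2")
    [ -n "$orig_pub" ] && [ "$orig_pub" = "$backup_pub" ] || {
        echo "backup is unreadable or differs from original: $2" >&2; return 1; }
}

# Example use (paths are assumptions):
#   check_keypair ~/.ssh/ciphertrust ~/.ssh/ciphertrust.pub
#   verify_backup ~/.ssh/ciphertrust /mnt/vault/ciphertrust
```

ssh-keygen refuses to read a private key file that is readable by group or others, so verify_backup also fails on a backup copy stored with loose permissions.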

What to do next 

Complete first-time logon to Console

Workflow: Configure CipherTrust Manager