Support and Diagnostics
Contents
- Introduction
- Enabling the Support Accounts on KeyControl / DataControl Virtual Storage appliance
- Full System Access
- VM-Level encryption log files
- Support Event Alerts
- Sending log files to HyTrust through the GUI
Introduction
This chapter describes the support and diagnostic capabilities built into HyTrust KeyControl/DataControl. It covers access to the "Jail", where you can obtain logs and support information, and how to extract the logs through the webGUI and send them to HyTrust support.
Enabling the Support Accounts on the KeyControl server and the DataControl agent
Please note that support login access to a KeyControl server or DataControl agent requires network access to port 22 for full support login and port 6666 for limited support login. These ports are only needed at support time.
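Because ports 22 and 6666 are needed only at support time, a periodic reachability check can confirm they are closed the rest of the time. The following Python script is an added example, not HyTrust code; the helper names `port_open` and `audit`, and the policy that a reachable support port outside a support session counts as a finding, are assumptions.

```python
import socket

# Ports named on this page: 22 = full support login, 6666 = limited (Jail) login.
SUPPORT_PORTS = {22: "full support login", 6666: "limited support login"}


def port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes from this vantage point."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable, DNS failure
        return False


def audit(nodes, support_session_active, ports=SUPPORT_PORTS, timeout=2.0):
    """List (host, port, label) for every support port reachable while no
    support session is in progress. Assumed policy: outside a support
    session these ports should not be reachable from the scanning host."""
    if support_session_active:
        return []  # access is expected during a support session
    findings = []
    for host in nodes:
        for port, label in sorted(ports.items()):
            if port_open(host, port, timeout):
                findings.append((host, port, label))
    return findings


if __name__ == "__main__":
    # 192.168.140.151 is the example node address used on this page;
    # replace it with your own KeyControl / DataControl addresses.
    nodes = ["192.168.140.151"]
    for host, port, label in audit(nodes, support_session_active=False):
        print(f"FINDING {host}:{port} reachable ({label}) with no support session open")
```

Run it from the network segment that support connections would come from, since the result only reflects reachability from where the script executes.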
To enable support for diagnostics and debugging, log on to the console on the KeyControl appliance or DataControl agent in question. Option 4 allows you to select access to the node's jail as well as enable full HyTrust access.

Select the option for Restricted Support Login. You will then be prompted to type a new password for restricted login support.

Once Jail access is enabled, it will be displayed in the support menu as follows:

When enabling full support access, the window in which the access is allowed is then displayed:

Accessing the Jail through the restricted support login
Once access for the restricted support login is enabled, you can log on to the Jail through SSH using the IP address of the KeyControl appliance or DataControl agent as follows:
$ ssh -p 6666 support@192.168.140.151
Warning: Permanently added '[192.168.140.151]:6666' (RSA) to the list of known hosts.
support@192.168.140.151's password:
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
[root@dbgjail ~]#
The Jail provides a limited view of the running appliance but never exposes encryption keys, sensitive data in the clear, or any part of the HyTrust KeyControl/DataControl agent that could result in compromising important data.
The onhost command allows you to obtain diagnostic information:
[root@dbgjail ~]# onhost
usage: onhost <cmd> [params]
<cmd> can be -
ps -> process status
ls -> list
df -> display free disk space
iostat -> report I/O statistics
netstat -> show network status
procstat -> get detailed process information
getdbg -> collect system debug info for support
If information is needed for HyTrust support, run the getdbg command:
# onhost getdbg
Running command: getdbg
Created /support/hcs-dbg-kps1-20110905-040333.tgz
A tarball is created that contains the debugging information needed by HyTrust support. This tarball can be copied out of the Jail using scp. Note that scp initiated from outside the Jail is disabled, so the copy must be started from within the Jail.
Full System Access
Full system access is only available to HyTrust support staff. If full system access is needed, please talk with the HyTrust support team.
VM-Level encryption log files
The DataControl agent writes error records to the following files on Linux and Windows:
- Linux: /var/log/hcl.log
- Windows: \Program Files\hcs\hcl.log
You should not need to view the contents of these files unless you detect an issue and wish to report it to HyTrust support.
Support Event Alerts
If the HyTrust software detects an issue with the runtime environment, you may see the following email alert:
From: admin
Subject: HyTrust Alert
Date: August 7, 2014 10:30:00 AM PDT
To: xxx@yyy.com

A support event has occurred on HyTrust node 192.168.140.151/kps1.hcs.int. Please consult documentation or HyTrust support for suggested procedures.
Your appliance will still be functional, although we suggest that you send log files to HyTrust support. You can do this through the Jail using the onhost command, or use the procedure documented in the next section.
Sending log files to HyTrust through the GUI
In addition to extracting the logs through Jail access, you can extract them from the webGUI and have them emailed to HyTrust support and also to yourself. Note that only Security administrators can access the Support link.
On the top right of the GUI screen, select the Support link as follows:

Click Send to send the logs to HyTrust. You can also send yourself the full audit log by checking the box.

You will then receive one or two emails depending on which options you checked.
