Support and Diagnostics
Introduction
This chapter describes the various support and diagnostic capabilities that are built into HyTrust KeyControl/DataControl. We describe access to the "Jail" where you can get logs and support information as well as how to extract the logs through the webGUI and send them to HyTrust support.
Enabling the Support Accounts on KeyControl
Please note that support login access to a KeyControl node or HyTrust DataControl Policy Agent (Policy Agent) requires network access to port 22 for full support and to port 6666 for the restricted (limited) support login. These ports are only needed while a support session is in progress.
To enable support access for diagnostics and debugging, log on to the console of the KeyControl node or Policy Agent in question. Option 4 in the console menu lets you enable access to the node's Jail as well as full HyTrust access.

Select the option for Restricted Support Login. You will then be prompted to type a new password for restricted login support.

Once Jail access is enabled, it will be displayed in the support menu as follows:

When enabling full support access, the window in which the access is allowed is then displayed:

Accessing the Jail through the restricted support login
Once the restricted support login is enabled, you can log on to the Jail over SSH using the IP address of the KeyControl node or Policy Agent, as follows:
$ ssh -p 6666 support@192.168.140.151
Warning: Permanently added '[192.168.140.151]:6666' (RSA) to the list of known hosts.
support@192.168.140.151's password:
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California. All rights reserved.
[root@dbgjail ~]#
The Jail provides a limited view on the running node but never exposes encryption keys, sensitive data in the clear or any part of the HyTrust KeyControl node / Policy Agent that could result in compromising important data.
The onhost command allows you to obtain diagnostic information:
[root@dbgjail ~]# onhost
usage: onhost <cmd> [params]
<cmd> can be -
    ps       -> process status
    ls       -> list
    df       -> display free disk space
    iostat   -> report I/O statistics
    netstat  -> show network status
    procstat -> get detailed process information
    getdbg   -> collect system debug info for support
If information is needed for HyTrust support, run the getdbg command:
# onhost getdbg
Running command: getdbg
Created /support/hcs-dbg-kps1-20110905-040333.tgz
A tarball is created that contains the debugging information needed by HyTrust support. Copy the tarball out of the Jail using scp run from inside the Jail; scp initiated from outside the Jail is disabled.
Full System Access
Full system access is only available to HyTrust support staff. If full system access is needed, please talk with the HyTrust support team.
VM-Level encryption log files
The Policy Agent writes error records to the following files on Linux and Windows:
- Linux: /var/log/hcl.log
- Windows: \Program Files\hcs\hcl.log
You should not need to view the contents of these files unless you detect an issue and wish to report it to HyTrust support.
Support Event Alerts
If the HyTrust software detects an issue with the run-time environment, you may receive the following email alert:
From: admin <rootATkps1.hcs.int>
Subject: HyTrust Alert
Date: August 7, 2014 10:30:00 AM PDT
To: "xxx@yyy.com"

A support event has occurred on HyTrust node 192.168.140.151/kps1.hcs.int. Please consult documentation or HyTrust support for suggested procedures.
Your node will remain functional, but we suggest that you send the log files to HyTrust support. You can do this through the Jail using the onhost command, or use the procedure documented in the next section.
Sending log files to HyTrust through the GUI
As an alternative to logging on to the Jail and extracting the logs from there, you can extract them from the webGUI and have them emailed to HyTrust support and, optionally, to yourself. Note that only Security Administrators can access Support.
To send log files to HyTrust, click the Settings icon and then click Send Logs. You can also send yourself the full audit log by checking the corresponding box.

You will then also receive the emails yourself if you checked "Send a copy of the logs to my e-mail address".
