HyTrust KeyControl provides two methods of support access:
Both methods are described in this chapter.
The restricted support login provides a limited SSH accessible shell in which the KeyControl administrator can gather diagnostic information. It is disabled by default.
Enabling the restricted support account can be done as follows:
The Restricted Support login should now be enabled. Its status should be shown as Enabled on the Manage Support Accounts screen in the console.
For information on accessing the restricted support login see the following material
Once enabled, the restricted support login can be accessed using SSH to port 6666 of the KeyControl appliance. The username is support.
$
ssh -p6666 support@keycontrol1
| Command | Description |
| ps | Process status |
| ls | List directory contents |
| df | Display free space |
| iostat | Report I/O statistics |
| netstat | Show network status |
| procstat | Get detailed process information |
| logbundle | Generate support log bundle |
The commands in the table above can be provided as arguments to onhost, for example:
# onhost ps
If necessary, a HyTrust support representative may ask you to run one or more of these commands for diagnostic purposes.
In certain support events it may be necessary for HyTrust support to use the Full Support login. This access is a multi factor authentication between the KeyControl administrator and HyTrust support and cannot be enabled without the KeyControl administrator. Your HyTrust support representative will advise you if this is necessary.
Support logins can be disabled as follows:
In certain circumstances it may be necessary to gather diagnostic information and logs from the KeyControl appliance. These logs can be sent to HyTrust support for further analysis. This section describes creating a support bundle.
Click Create Bundle.
Select any optional information to include in the bundle. Your HyTrust support representative will advise you if any of these options are required.
A passphrase can be provided to encrypt the log bundle for secure transmission. The resulting bundle will be encrypted using an AES 256-bit key.
Click Create to create the bundle.
As an admin with Domain privileges go to the Settings page and click Download Logs.
Once created, a summary of the bundle will be displayed. To download, click Download.
Note: this step assumes you have enabled the Restricted Support Login and have started an SSH session. See Restricted Shell and Support Access.
Log bundles can be created using the logbundle command. This can be invoked from the restricted support session as follows:
#
onhost logbundle
The logbundle utility accepts the following options when creating a bundle. Your HyTrust support representative will advise you if any of these are required.
| Command | Description |
| --objectstorde | Include a copy of the objectstore |
|
--cores |
Include copies of any core files |
|
--no-audit |
Do not include a copy of tdhe audit log |
|
--passphrase=secret |
Encrypt the bundle with an AES 256-bit key using the provided passphrase |
The Policy Agent logs information to the following files on Linux and Windows:
Linux: /var/log/hcl.log
Windows: C:\Program Files\hcs\hcl.log
It is also possible to generate a log bundle containing pertinent system information. To do this you can use the hcsinfo command.