DDC Agents
This document provides procedures for installing and upgrading Agents in the Operating Systems required by your Data Stores. Agents should always be upgraded to be aligned with the latest server version. To upgrade an Agent, simply re-install it. Before reinstalling, you have to uninstall the older version of the Agent.
As of this release, most Agents without the database runtime component will not be supported. If you have any affected Agents installed without the database runtime component, you have to upgrade them to the database runtime version.
Download the DDC Agents ZIP file corresponding to the CipherTrust Manager version from the Thales Customer Support Portal.
Check the Agent Compatibility Matrix to find a matching Agent to the desired Data Stores.
Extract the Agent Installer Package from DDC Agents ZIP and save it on the host machine where you want to install the Agent.
Follow the appropriate procedure for your Operating System.
Before you begin the installation, make sure that CipherTrust Manager is reachable from the host where you are installing the Agent.
Agent Compatibility Matrix
The following table lists supported Agent installers for different types of data stores for different platforms and databases to help you select an appropriate installer depending on your data store requirements.
| Data Store Category | Data Store Type | Agent Configuration | Debian | RHEL | Windows |
|---|---|---|---|---|---|
| Local Storage | RHEL, CentOS | Local |  |  | |
| Local Storage | Debian based distros | Local | | | |
| Local Storage | Windows | Local | | | |
| Database Storage | IBM DB2 11.1 and higher | Proxy | | | |
| Database Storage | Microsoft SQL 2005 and higher | Proxy | | | 1 |
| Database Storage | Oracle 9 and higher | Proxy | | 2 | |
| Database Storage | PostgreSQL 9.5 and higher | Proxy | 3 | 3 | 3 |
| Database Storage | SAP HANA 2.0 | Proxy | | | 4 |
| Database Storage | MySQL | Proxy | 5 | 5 | 5 |
| Database Storage | MongoDB | Proxy | | | |
| Network Storage | Unix File Share (NFS) | Proxy | | | |
| Network Storage | Windows Share (SMB, CIFS) | Proxy | | | |
| Cloud Storage | AWS S3 (Amazon Web Services) | Proxy | | | |
| Cloud Storage | Office 365: Sharepoint Online | Proxy | | | |
| Cloud Storage | Office 365: Exchange Online | Proxy | | | 6 |
| Cloud Storage | Office 365: OneDrive for Business | Proxy | | | |
| Cloud Storage | Azure Blobs | Proxy | | | |
| Cloud Storage | Azure Tables | Proxy | | | |
| Cloud Storage | G-Suite (G-Mail and G-Drive) | Proxy | | | |
| Big Data | Hadoop 2.7.3 and higher | Proxy | 78 | 9 | |
| Big Data | Teradata 14.0 and 15.0 | Proxy | | | 10 |
| Server | SharePoint Server | Proxy | | | |
| Server | Exchange Server | Proxy | | | |
DDC supports two types of Agent configurations:
Local: Agent is installed and configured directly on the machine that contains sensitive data. Agent completes the scan accessing the files directly from the file system.
Proxy: Agent is installed and configured on a proxy machine that is used to scan sensitive data on other machines. Agent completes the scan accessing the information stored in the data store using the configured port and protocol. Please note that a proxy Agent can be installed on the same host as an in-house data store.
⚫ The instructions to install and configure Agents in both types of configurations are the same.
⚫ To connect to databases you require an Agent with DB runtime. If you have any Agents without DB runtime, please upgrade them to the ones that are included in this release.
RHEL Agents
The table below lists all RedHat Linux Agent installer packages included in this release.
| Operating System | Agent Installer Package | Upgrades Old Package |
|---|---|---|
| RHEL 8 64-bit | er2-2.6.0-linux4-rh-x64_database-runtime.rpm | |
| RHEL 7 64-bit | er2-2.6.0-linux3-rh-x64_database-runtime.rpm | er2-2.5.0-linux3-rh-x64_database-runtime.rpm |
| RHEL 6 64-bit RHEL 5 64-bit | er2-2.6.0-linux26-rh-x64.rpm | er2-2.5.0-linux26-rh-x64.rpm |
| RHEL 6 32-bit RHEL 5 32-bit | er2-2.6.0-linux26-x32.rpm | er2-2.5.0-linux26-x32.rpm |
RHEL 4 is no longer supported, so if you are running this Operating System please consider upgrading.
| Operating System | Deprecated Packages |
|---|---|
| RHEL 4 32-bit | er2-2.0.31-linux24-x32.rpmer2-2.1.0-linux24-x32.rpm |
Installing Agents on RHEL
To install the Linux 3 database runtime Node Agent on RHEL:
Install the epel-release package:
sudo yum install epel-releaseInstall the required packages:
sudo yum install libxml2 libgsasl openssl \ libcurl libuuid protobuf krb5-libs libaioNavigate to the location where the Agent installation package (.rpm) is stored.
Install the Agent by using the following command:
sudo rpm -ivh er2-2.x.x-linux3-rh-x64_database-runtime.rpmFor example:
rpm -ivh er2-2.6.0-linux3-rh-x64_database-runtime.rpmConnect the Agent to the active CipherTrust Manager node:
er2-config -i <hostname|ip_address>where,
<hostname|ip_address>represents the IP address or hostname of the CipherTrust Manager node.Test the connection settings (on the data store that is using this host).
er2-config -tIf the connection has been correctly configured, you should see the following message:
Testing connection setting... Test SUCCESS. Saving settings Configuration updated, please restart agent service The configuration has been saved. Please restart the agent for the changes to take effect.To be able to scan Oracle DB Data Stores, make sure that the agent can resolve its own hostname. If it cannot, add it to its hosts file. For example, if its hostname is 'agent123', add this line:
127.0.0.1 localhost agent123Restart the Agent:
Option 1
sudo /etc/init.d/er2-agent restartOption 2
sudo /etc/init.d/er2-agent stop sudo /etc/init.d/er2-agent start
The installation script creates an erecon user in the erecon group. Please ensure that this user (or group) is able to read all the files to scan. For security reasons, the account has its password locked to ensure that the user is solely used by the Data Discovery and Classification scanning agent.
Uninstalling Agents from RHEL
To uninstall a DDC Agent:
Stop the DDC Agent.
sudo /etc/init.d/er2-agent stopRemove the existing packages:
sudo rpm -e er2
Debian Agents
The table below lists all Debian Linux Agent installer packages included in this release.
| Operating System | Agent Installer Package | Upgrades Old Package |
|---|---|---|
| Debian 10 64-bit Ubuntu 18 64-bit | er2-2.6.0-linux3-x64_database-runtime.deb | er2-2.5.0-linux3-x64_database-runtime.deb |
Installing Agents on Debian
Navigate to the location where the Agent installation (.deb) package is stored.
Install the required packages:
sudo apt-get install libaio1 libaio-dev krb5-user \ libgsasl7 libcurl4 libprotobuf10Install the Agent by using the following command:
sudo dpkg -i er2_2.x.xx-xxxx_xxxx.debFor example:
sudo dpkg -i er2_2.6.0-linux3-x64_database-runtime.debThe package name that you use with the command may be different and depends on your system's architecture and Agent type.
Connect the Agent to the active CipherTrust Manager node:
sudo er2-config -i <hostname|ip_address>where
<hostname|ip_address>represents the IP address or hostname of the CipherTrust Manager node.Test the connection settings (on the data store that is using this host).
sudo er2-config -tIf the connection has been correctly configured, you should see the following message:
Testing connection setting... Test SUCCESS. Saving settings Configuration updated, please restart agent service The configuration has been saved. Please restart the agent for the changes to take effect.Restart the Agent:
Option 1
sudo /etc/init.d/er2-agent restartOption 2
sudo /etc/init.d/er2-agent stop sudo /etc/init.d/er2-agent start
The installation script creates an erecon user in the erecon group. Please ensure that this user (or group) is able to read all the files to scan. For security reasons, the account has its password locked to ensure that the user is solely used by the Data Discovery and Classification scanning agent.
Uninstalling Agents from Debian
To uninstall a DDC Agent:
Stop the DDC Agent.
sudo /etc/init.d/er2-agent -stopRemove the existing packages:
sudo dpkg --remove er2
Windows Agents
The table below lists all Windows Agent installer packages included in this release.
| Operating System | Agent Installer Package | Upgrades Old Package |
|---|---|---|
| Windows 7/8/8.1 32-bit | er2_2.6.0-windows-x32_database-runtime.msi | er2_2.5.0-windows-x32_database-runtime.msi |
| Windows 7/8/8.1 64-bit Windows 10 64-bit Windows Server 2012/2012 R2 64-bit Windows Server 2016 64-bit Windows Server 2019 64-bit | er2_2.6.0-windows-x64_database-runtime.msi | er2_2.5.0-windows-x64_database-runtime.msi |
Installing Agents on Windows
Log in to the host machine where you want to install the Agent as administrator.
Run the Agent installer.
In the Welcome screen of the setup wizard, click Next to continue.
The End-User Licence Agreement (EULA) screen is displayed.
Read the license agreement and select I accept the terms in the Licence Agreement.
Click Next to continue.
In the Choose Setup Type screen, select the Install option for the standard installation and click Next to continue.
The Ready to Install screen is displayed.
Click Install to install the product in the default location.
If the User Access Control dialog box appears, click Yes to confirm.
The installation begins and the progress is shown under the Status progress bar.
During the installation, in a separate Node Configuration window, you are asked for the connection details of the active CipherTrust Manager node.
Master server IP address or host name: specify the IP address or host name of the CipherTrust Manager node.
Master server public key and Target Group: skip this configuration part as it is optional and currently not used.
Click Test Connection to test the connection between the Agent and CipherTrust Manager.
If the connection is properly configured, a confirmation will appear stating "Connectivity test is successful". Click OK to close the prompt.
If the connectivity test fails, click OK to close the prompt, make sure that CipherTrust Manager is reachable from the Agent host, and retry the test.
Click Finish to complete the configuration.
After a successful Agent installation, click the Finish button to exit the wizard and complete the installation.
The installer creates a service called Enterprise Recon 2 Agent that runs under the Local System user account.
For scanning MS SQL DB make sure to install the latest ODBC drivers package from the Microsoft site.
Uninstalling Agents from Windows
To uninstall a DDC Agent, you must be logged on as Administrator to the host where the Agent is running.
Navigate to the Control Panel > Programs and Features.
Locate the Enterprise Recon 2 Agent in the list of installed programs.
Right click the Agent and select Uninstall.
In the dialog box that is displayed, select to automatically close the Enterprise Recon 2 Agent application, and click OK to continue.
Walk through the wizard.
Alternatively, to uninstall a DDC Agent from CLI, run the following commands as Administrator:net stop "Enterprise Recon 2 Agent (<ARCH>)"wmic product where name="Enterprise Recon 2 Agent (<ARCH>)" uninstall
Make sure to install the latest ODBC drivers package from the Microsoft site. Windows agents uses the ODBC drivers installed on the agent host. ODBC Drivers version 17 required to support TLS 1.2 connections. ↩
Make sure that the agent can resolve its own hostname. If not, add it to its hosts file. ↩
Agents include a built-in PostgreSQL driver. This driver does not support password authentication with 'scram-sha-256' method. ↩↩↩
Agent includes built-in drivers. If the Agent host has SAP HANA ODBC drivers installed, the Agent will use those drivers instead of its built-in drivers. ↩
Agents include a built-in MySQL driver. This driver does not support password authentication with 'caching_sha2_password' method. ↩↩↩
Agent host architecture (32-bit or 64-bit) must match the Exchange Server. ↩
Running in Ubuntu 18. ↩
Requires installing some additional packages, included in the Installing Agents on Debian section. ↩
Requires installing some additional packages, included in the Installing Agents on RHEL section. ↩
Agents do not include drivers to connect to Teradata so they require Teradata Tools and Utilities. Install the Teradata Tools and Utilities 16.10.xx on the Agent host. Check Teradata instructions on how to complete the installation. You may need to restart the Agent host after installing Teradata Tools and Utilities. ↩