Configure CipherTrust Teradata Protection
Following are the steps to configure CTP and get the system up and running:
Note
This procedure must be done only once regardless of the number of nodes.
Choose between the Normal Mode and Fast Mode.
Before configuring CipherTrust Teradata Protection, you must first determine whether you will run in the Normal Mode or Fast Mode. This decision will affect the configuration settings.
The following table outlines the attributes of each mode and how each one is enabled:
Normal Mode (udfaes off)
• Supported by 5.2.2 and later releases.
• Encryption/decryption done on cryptoserver.

Fast Mode (udfaes on)
• Supported by 5.2.3 and later releases.
• Encryption/decryption done locally inside the respective UDF.

Teradata Protected Mode (comment out the alter function lines in install_udfs.bteq)
• Not generally used.

Teradata Unprotected Mode (Default)
• Recommended for maximum performance.
• Encryption/decryption done locally inside the respective UDF.

Specify the Teradata Protected or Unprotected Mode in the BTEQ file. Specify the udfaes parameter (Fast Mode or Normal Mode) in the CipherTrust Local Cryptoserver Daemon configuration file.

Create a Basic Teradata Query (BTEQ) script from the provided sample to install the UDFs.
Change directories:
# cd /opt/vormetric/DataSecurityExpert/agent/pkcs11/teradata/udfs/

Copy the UDF sample script install_udfs.bteq.sample to a file named install_udfs.bteq in the same directory. Keep install_udfs.bteq.sample as a reference, and use install_udfs.bteq as your working BTEQ script.

Edit install_udfs.bteq as per the embedded instructions. Replace the words in capital letters with real values. For example, change USERNAME and PASSWORD to a real username and password.

bteq << $EOF
* Replace Teradata USERNAME and PASSWORD with a site-specific username and password.
.logon USERNAME,PASSWORD;
* Replace DBC with the database from which you want to derive the thales user.
* Note that the USER who installs the UDFs into the system must be set to the latin
* char set. After the UDFs are installed, the character set for this particular
* user MAY be changed to something else, for instance UNICODE. But during the UDF
* installation, the user's character set MUST be latin.
create user thales from DBC as perm=10000000 password=SOMEPASSWORD default character set latin;
grant create function on thales to thales;
grant alter function on thales to thales;
grant drop function on thales to thales;
grant execute function on thales to public;
.logoff
.logon thales,SOMEPASSWORD;
replace function encrypt_string (inputString varchar(16384), inputKeyname varchar(256)) returns varbyte(16000)
  specific encrypt_string language c no sql not deterministic parameter style sql called on null input
  external name 'co:udf_encrypt_string:./udf_encrypt_string.o';
replace function decrypt_data (inputString varbyte(16000), inputKeyname varchar(256)) returns varchar(16384)
  specific decrypt_data language c no sql not deterministic parameter style sql called on null input
  external name 'co:udf_decrypt_data:./udf_decrypt_data.o';
replace function encrypt_byteint (inputdata byteint, inputKeyname varchar(256)) returns varbyte(16000)
  specific encrypt_byteint language c no sql not deterministic parameter style sql called on null input
  external name 'F:encrypt_byteint';
replace function decrypt_byteint (inputString varbyte(16000), inputKeyname varchar(256)) returns byteint
  specific decrypt_byteint language c no sql not deterministic parameter style sql called on null input
  external name 'F:decrypt_byteint';
replace function encrypt_smallint (inputdata smallint, inputKeyname varchar(256)) returns varbyte(16000)
  specific encrypt_smallint language c no sql not deterministic parameter style sql called on null input
  external name 'F:encrypt_smallint';
replace function decrypt_smallint (inputString varbyte(16000), inputKeyname varchar(256)) returns smallint
  specific decrypt_smallint language c no sql not deterministic parameter style sql called on null input
  external name 'F:decrypt_smallint';
replace function encrypt_int (inputString integer, inputKeyname varchar(256)) returns varbyte(16000)
  specific encrypt_int language c no sql not deterministic parameter style sql called on null input
  external name 'F:encrypt_int';
replace function decrypt_int (inputString varbyte(16000), inputKeyname varchar(256)) returns integer
  specific decrypt_int language c no sql not deterministic parameter style sql called on null input
  external name 'F:decrypt_int';
replace function decrypt_ff1_smallint (inputString varchar(8192) CHARACTER SET LATIN, inputKeyname varchar(256)) returns smallint
  specific decrypt_ff1_smallint language c no sql not deterministic parameter style sql called on null input
  external name 'F:decrypt_ff1_smallint';
replace function decrypt_ff1_int (inputString varchar(8192) CHARACTER SET LATIN, inputKeyname varchar(256)) returns integer
  specific decrypt_ff1_int language c no sql not deterministic parameter style sql called on null input
  external name 'F:decrypt_ff1_int';
replace function encrypt_time (inputdata time, inputKeyname varchar(256)) returns varbyte(16000)
  specific encrypt_time language c no sql not deterministic parameter style sql called on null input
  external name 'F:encrypt_time';
replace function decrypt_time (inputString varbyte(16000), inputKeyname varchar(256)) returns time
  specific decrypt_time language c no sql not deterministic parameter style sql called on null input
  external name 'F:decrypt_time';
replace function encrypt_date (inputdata date, inputKeyname varchar(256)) returns varbyte(16000)
  specific encrypt_date language c no sql not deterministic parameter style sql called on null input
  external name 'F:encrypt_date';
replace function decrypt_date (inputString varbyte(16000), inputKeyname varchar(256)) returns date
  specific decrypt_date language c no sql not deterministic parameter style sql called on null input
  external name 'F:decrypt_date';
replace function encrypt_timestamp (inputdata timestamp, inputKeyname varchar(256)) returns varbyte(16000)
  specific encrypt_timestamp language c no sql not deterministic parameter style sql called on null input
  external name 'F:encrypt_timestamp';
replace function decrypt_timestamp (inputString varbyte(16000), inputKeyname varchar(256)) returns timestamp
  specific decrypt_timestamp language c no sql not deterministic parameter style sql called on null input
  external name 'F:decrypt_timestamp';
replace function encrypt_char (inputString varchar(16384), inputKeyname varchar(256), inputCharcolumnsize INTEGER) returns varbyte(16000)
  specific encrypt_char language c no sql not deterministic parameter style sql called on null input
  external name 'co:udf_encrypt_char:./udf_encrypt_char.o';
replace function decrypt_char (inputString varbyte(16000), inputKeyname varchar(256), inputCharcolumnsize INTEGER) returns varchar(16384)
  specific decrypt_char language c no sql not deterministic parameter style sql called on null input
  external name 'co:udf_decrypt_char:./udf_decrypt_char.o';
replace function encrypt_cbc (inputString varchar(8192) CHARACTER SET UNICODE, inputKeyname varchar(256)) returns varbyte(16000)
  specific encrypt_cbc language c no sql not deterministic parameter style sql called on null input
  external name 'co:udf_encrypt_cbc:./udf_encrypt_cbc.o';
replace function decrypt_cbc (inputString varbyte(16000), inputKeyname varchar(256)) returns varchar(8192) CHARACTER SET UNICODE
  specific decrypt_cbc language c no sql not deterministic parameter style sql called on null input
  external name 'co:udf_decrypt_cbc:./udf_decrypt_cbc.o';
replace function encrypt_fpe (inputString varchar(8192) CHARACTER SET UNICODE, inputKeyname varchar(256)) returns varchar(8192) CHARACTER SET UNICODE
  specific encrypt_fpe language c no sql not deterministic parameter style sql called on null input
  external name 'co:udf_encrypt_fpe:./udf_encrypt_fpe.o';
replace function decrypt_fpe (inputString varchar(8192) CHARACTER SET UNICODE, inputKeyname varchar(256)) returns varchar(8192) CHARACTER SET UNICODE
  specific decrypt_fpe language c no sql not deterministic parameter style sql called on null input
  external name 'co:udf_decrypt_fpe:./udf_decrypt_fpe.o';
replace function encrypt_fpe_byteint (inputString byteint, inputKeyname varchar(256)) returns varchar(8192) CHARACTER SET LATIN
  specific encrypt_fpe_byteint language c no sql not deterministic parameter style sql called on null input
  external name 'F:encrypt_fpe_byteint';
replace function encrypt_fpe_smallint (inputString smallint, inputKeyname varchar(256)) returns varchar(8192) CHARACTER SET LATIN
  specific encrypt_fpe_smallint language c no sql not deterministic parameter style sql called on null input
  external name 'F:encrypt_fpe_smallint';
replace function encrypt_fpe_int (inputString integer, inputKeyname varchar(256)) returns varchar(8192) CHARACTER SET LATIN
  specific encrypt_fpe_int language c no sql not deterministic parameter style sql called on null input
  external name 'F:encrypt_fpe_int';
replace function decrypt_fpe_byteint (inputString varchar(8192) CHARACTER SET LATIN, inputKeyname varchar(256)) returns byteint
  specific decrypt_fpe_byteint language c no sql not deterministic parameter style sql called on null input
  external name 'F:decrypt_fpe_byteint';
replace function decrypt_fpe_smallint (inputString varchar(8192) CHARACTER SET LATIN, inputKeyname varchar(256)) returns smallint
  specific decrypt_fpe_smallint language c no sql not deterministic parameter style sql called on null input
  external name 'F:decrypt_fpe_smallint';
replace function decrypt_fpe_int (inputString varchar(8192) CHARACTER SET LATIN, inputKeyname varchar(256)) returns integer
  specific decrypt_fpe_int language c no sql not deterministic parameter style sql called on null input
  external name 'F:decrypt_fpe_int';
replace function encrypt_ff1 (inputString varchar(8192) CHARACTER SET UNICODE, inputKeyname varchar(256)) returns varchar(8192) CHARACTER SET UNICODE
  specific encrypt_ff1 language c no sql not deterministic parameter style sql called on null input
  external name 'co:udf_encrypt_ff1:./udf_encrypt_ff1.o';
replace function decrypt_ff1 (inputString varchar(8192) CHARACTER SET UNICODE, inputKeyname varchar(256)) returns varchar(8192) CHARACTER SET UNICODE
  specific decrypt_ff1 language c no sql not deterministic parameter style sql called on null input
  external name 'co:udf_decrypt_ff1:./udf_decrypt_ff1.o';
replace function encrypt_ff1_byteint (inputString byteint, inputKeyname varchar(256)) returns varchar(8192) CHARACTER SET LATIN
  specific encrypt_ff1_byteint language c no sql not deterministic parameter style sql called on null input
  external name 'F:encrypt_ff1_byteint';
replace function encrypt_ff1_smallint (inputString smallint, inputKeyname varchar(256)) returns varchar(8192) CHARACTER SET LATIN
  specific encrypt_ff1_smallint language c no sql not deterministic parameter style sql called on null input
  external name 'F:encrypt_ff1_smallint';
replace function encrypt_ff1_int (inputString integer, inputKeyname varchar(256)) returns varchar(8192) CHARACTER SET LATIN
  specific encrypt_ff1_int language c no sql not deterministic parameter style sql called on null input
  external name 'F:encrypt_ff1_int';
replace function decrypt_ff1_byteint (inputString varchar(8192) CHARACTER SET LATIN, inputKeyname varchar(256)) returns byteint
  specific decrypt_ff1_byteint language c no sql not deterministic parameter style sql called on null input
  external name 'F:decrypt_ff1_byteint';
replace function decrypt_ff1_smallint (inputString varchar(8192) CHARACTER SET LATIN, inputKeyname varchar(256)) returns smallint
  specific decrypt_ff1_smallint language c no sql not deterministic parameter style sql called on null input
  external name 'F:decrypt_ff1_smallint';
replace function decrypt_ff1_int (inputString varchar(8192) CHARACTER SET LATIN, inputKeyname varchar(256)) returns integer
  specific decrypt_ff1_int language c no sql not deterministic parameter style sql called on null input
  external name 'F:decrypt_ff1_int';
* Comment out the following ten lines in order to run the ten UDFs in a separate process.
* By default, UDFs run in a separate process ("protected mode"), which incurs a performance
* penalty of up to 20x or 25x or 30x
alter function encrypt_string execute not protected;
alter function decrypt_data execute not protected;
alter function encrypt_char execute not protected;
alter function decrypt_char execute not protected;
alter function encrypt_cbc execute not protected;
alter function decrypt_cbc execute not protected;
alter function encrypt_fpe execute not protected;
alter function decrypt_fpe execute not protected;
alter function encrypt_ff1 execute not protected;
alter function decrypt_ff1 execute not protected;
alter function encrypt_byteint execute not protected;
alter function decrypt_byteint execute not protected;
alter function encrypt_smallint execute not protected;
alter function decrypt_smallint execute not protected;
alter function encrypt_int execute not protected;
alter function decrypt_int execute not protected;
alter function encrypt_time execute not protected;
alter function decrypt_time execute not protected;
alter function encrypt_date execute not protected;
alter function decrypt_date execute not protected;
alter function encrypt_fpe_byteint execute not protected;
alter function decrypt_fpe_byteint execute not protected;
alter function encrypt_fpe_smallint execute not protected;
alter function decrypt_fpe_smallint execute not protected;
alter function encrypt_fpe_int execute not protected;
alter function decrypt_fpe_int execute not protected;
alter function encrypt_ff1_byteint execute not protected;
alter function decrypt_ff1_byteint execute not protected;
alter function encrypt_ff1_smallint execute not protected;
alter function decrypt_ff1_smallint execute not protected;
alter function encrypt_ff1_int execute not protected;
alter function decrypt_ff1_int execute not protected;
.logoff
.quit
$EOF
If you want to run in the Teradata Protected Mode, comment out the alter function lines. Leave them as is to run in the Teradata Unprotected Mode.

By default, the BTEQ script installs the UDFs in the newly created database called thales. You may change the installation script to install them in the location of your choice.

Run the BTEQ script. For example:
[/opt/vormetric/DataSecurityExpert/agent/pkcs11/teradata/udfs]# ./install_udfs.bteq

After this script has successfully run, the UDFs are installed in the newly created database with the default name thales.
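The copy-edit-run steps above are easy to get subtly wrong by hand: a placeholder left behind, PASSWORD substituted inside SOMEPASSWORD, or the alter function lines commented out only partially, which leaves the UDFs in a mix of protected and unprotected mode. The script below is an added example, not code from this page or from Thales: it derives a working install_udfs.bteq from install_udfs.bteq.sample, fills in USERNAME, PASSWORD, SOMEPASSWORD and the DBC parent database, comments out every alter function line when Teradata Protected Mode is wanted, verifies that no placeholder survives, and writes the file owner-only because it carries credentials. SAMPLE is a constructed miniature of the sample's shape; the function names and the parent_db and protected_mode parameters are my own, not vendor options.

```python
"""Added example: build install_udfs.bteq from the vendor sample (not Thales code)."""
import os
import re

# Constructed miniature of install_udfs.bteq.sample for illustration; the real
# sample defines many more UDFs and alter function lines in the same shape.
SAMPLE = """bteq << $EOF
* Replace Teradata USERNAME and PASSWORD with a site-specific username and password.
.logon USERNAME,PASSWORD;
* Replace DBC with the database from which you want to derive the thales user.
create user thales from DBC as perm=10000000 password=SOMEPASSWORD default character set latin;
grant execute function on thales to public;
.logoff
.logon thales,SOMEPASSWORD;
replace function encrypt_string (inputString varchar(16384), inputKeyname varchar(256)) returns varbyte(16000)
  specific encrypt_string language c no sql not deterministic parameter style sql called on null input
  external name 'co:udf_encrypt_string:./udf_encrypt_string.o';
* By default, UDFs run in a separate process ("protected mode").
alter function encrypt_string execute not protected;
alter function decrypt_data execute not protected;
.logoff
.quit
$EOF
"""

PLACEHOLDERS = ("SOMEPASSWORD", "USERNAME", "PASSWORD")  # longest first
ALTER_LINE = re.compile(r"^\s*alter function \w+ execute not protected;\s*$", re.I)


def _is_comment(line):
    # BTEQ treats a line whose first character is '*' as a comment.
    return line.startswith("*")


def prepare_install_script(sample, username, password, thales_password,
                           parent_db="DBC", protected_mode=False):
    """Return the working BTEQ text; raise ValueError on unusable input."""
    for value in (username, password, thales_password, parent_db):
        if not value or re.search(r"[\s;,]", value):
            raise ValueError("values must be non-empty and free of whitespace, ';' and ','")
    # SOMEPASSWORD is replaced before PASSWORD; \b also keeps PASSWORD from
    # matching inside SOMEPASSWORD, so the order is belt and braces.
    subs = [("SOMEPASSWORD", thales_password), ("USERNAME", username),
            ("PASSWORD", password), ("DBC", parent_db)]
    out = []
    for line in sample.splitlines():
        if _is_comment(line):
            out.append(line)  # guidance comments stay verbatim, no secrets in them
            continue
        for token, value in subs:
            line = re.sub(rf"\b{token}\b", lambda _m, v=value: v, line)
        if protected_mode and ALTER_LINE.match(line):
            line = "* " + line  # commented out: this UDF keeps running in protected mode
        out.append(line)
    text = "\n".join(out) + "\n"
    left = leftover_placeholders(text)
    if left:
        raise ValueError(f"placeholders still present: {sorted(left)}")
    return text


def leftover_placeholders(text):
    """Placeholders still present on non-comment lines (should be empty)."""
    found = set()
    for line in text.splitlines():
        if not _is_comment(line):
            found.update(re.findall(r"\b(?:%s)\b" % "|".join(PLACEHOLDERS), line))
    return found


def count_unprotected(text):
    """Number of active alter function lines, i.e. UDFs switched to unprotected mode."""
    return sum(1 for l in text.splitlines() if not _is_comment(l) and ALTER_LINE.match(l))


def write_script(path, text):
    """Write the script owner-only and owner-executable (the page runs it as ./install_udfs.bteq)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o700)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o700)  # enforce the mode even if the file already existed


if __name__ == "__main__":
    # Example run with constructed credentials; in practice read them from a vault or prompt.
    script = prepare_install_script(SAMPLE, "tdadmin", "Secret1", "ThalesPw1", protected_mode=True)
    print(script)
    print("UDFs left unprotected:", count_unprotected(script))
```

A practitioner's check after generating the file: count_unprotected should equal the number of alter function lines in the sample for Unprotected Mode and zero for Protected Mode; anything in between means a partially edited script. The credentials are passed in as arguments rather than typed into the sample so that install_udfs.bteq.sample stays a clean reference, as the page recommends.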