Deploy CipherTrust Teradata Protection on a Teradata Node
After installing CipherTrust Teradata Protection on the node, configure and deploy the application.
Note
This procedure must be done for every node.
Sign in as root user on the node.

Optional: Set up CTP whitelists or blacklists.

Create a new profile configuration file based on the provided sample:

    # cd /etc/vormetric
    # cp profiles.conf.sample profiles.conf

Keep profiles.conf.sample as a reference, and use profiles.conf as your working configuration file. Modify this file to serve your purposes.

Create a CipherTrust Local Cryptoserver Daemon configuration file:

    # cd /etc/vormetric
    # cp vormetric_local_crypto_server.conf.sample vormetric_local_crypto_server.conf

Keep vormetric_local_crypto_server.conf.sample as a reference, and use vormetric_local_crypto_server.conf as your working configuration file.

Modify the following lines in the CipherTrust Local Cryptoserver Daemon configuration file (/etc/vormetric/vormetric_local_crypto_server.conf):

    Copyright (c) 2018 by <Your_Company>
    iv <Initialization_Vector>
    loglevel <desired_loglevel>
    udfaes <on_or_off>

where:

Your_Company: Name of your company.

iv: Initialization vector, a 16-byte (32 hex character) number. This must be the same for all nodes. Example: 0149AB83FC68D3C1395ABC4692DF931C.

loglevel: Desired log level for logging events. Examples: debug, info, or error.

debug: Adds large, detailed debugging logs during crypto operations, with a very large performance overhead. A debug log level is not recommended in a production environment.

info: Adds less-informative logs when crypto operations are performed successfully, with reduced performance overhead. An info log level is not recommended in a production environment.

error: Adds logs only when an error occurs during product execution. The error log level is recommended in a production environment, because it incurs no performance overhead.

udfaes: Specifies the Normal Mode (udfaes off) or Fast Mode (udfaes on).
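A malformed iv (wrong length, non-hex characters, or a value that differs between nodes) or a misspelled loglevel is easier to catch before the daemon is started than after the UDFs begin failing. The following POSIX shell check is an added example, not part of CTP: it assumes the plain "key value" line layout shown in the sample file above, and the two configuration files it examines are constructed inline for a self-contained run. The ctp_iv helper prints the iv so the value can be compared across nodes.

```shell
#!/bin/sh
# Added example (not CTP code): sanity-check a vormetric_local_crypto_server.conf
# before starting the daemon. Assumes the "key value" line layout of the sample file.

# Print the iv value of a configuration file (empty if absent).
ctp_iv() {
    awk '$1 == "iv" { print $2 }' "$1"
}

# Return 0 if the iv, loglevel and udfaes settings are well-formed, 1 otherwise.
check_ctp_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    iv=$(ctp_iv "$conf")
    loglevel=$(awk '$1 == "loglevel" { print $2 }' "$conf")
    udfaes=$(awk '$1 == "udfaes" { print $2 }' "$conf")
    rc=0

    # iv must be exactly 32 hexadecimal characters (16 bytes), identical on every node.
    case "$iv" in
        "" | *[!0-9A-Fa-f]*) echo "$conf: iv must be 32 hex characters" >&2; rc=1 ;;
        *) [ "${#iv}" -eq 32 ] || { echo "$conf: iv has ${#iv} characters, expected 32" >&2; rc=1; } ;;
    esac

    # loglevel: error is the production setting; debug and info are accepted with a warning.
    case "$loglevel" in
        error) ;;
        debug | info) echo "$conf: warning, loglevel $loglevel is not recommended in production" >&2 ;;
        *) echo "$conf: loglevel must be debug, info or error" >&2; rc=1 ;;
    esac

    # udfaes selects Normal Mode (off) or Fast Mode (on); nothing else is valid.
    case "$udfaes" in
        on | off) ;;
        *) echo "$conf: udfaes must be on or off" >&2; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample files so the check runs without touching /etc/vormetric.
CTP_TMP=$(mktemp -d)
cat > "$CTP_TMP/good.conf" <<'EOF'
Copyright (c) 2018 by ExampleCorp
iv 0149AB83FC68D3C1395ABC4692DF931C
loglevel error
udfaes on
EOF
cat > "$CTP_TMP/bad.conf" <<'EOF'
Copyright (c) 2018 by ExampleCorp
iv 0149AB83FC68D3C1395ABC4692DF931
loglevel verbose
udfaes yes
EOF

check_ctp_conf "$CTP_TMP/good.conf" && echo "good.conf: OK"
check_ctp_conf "$CTP_TMP/bad.conf" || echo "bad.conf: rejected"
```

On a real node, run check_ctp_conf against /etc/vormetric/vormetric_local_crypto_server.conf on each node and compare the ctp_iv output between nodes before starting the daemon anywhere.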
Invoke the CipherTrust Local Cryptoserver with the -e command line option. Example:

    # /opt/vormetric/DataSecurityExpert/agent/pkcs11/teradata/bin/vormetric_local_crypto_server -e

You are prompted for the PIN that you created in the last step of Install CipherTrust Teradata Protection on the Teradata Node. This PIN is written in encrypted form to the last line of vormetric_local_crypto_server.conf.

If you are using the Monit process supervision tool, configure the /etc/monitrc file. Add these five lines:

    check process vormetric_local_crypto_server with pidfile /var/run/vormetric_local_crypto_server.pid
      start program = "/etc/init.d/vormetric_local_crypto_server start"
      stop program = "/etc/init.d/vormetric_local_crypto_server stop"
      if failed unixsocket /tmp/vormetric then restart
      if 5 restarts within 5 cycles then timeout

Start the CipherTrust Local Cryptoserver Daemon:

    # /etc/init.d/vormetric_local_crypto_server start

Teradata database users now have access to the UDFs and the VAE C API library.

Note
Do not start multiple versions of the cryptoserver at the same time.

Test the UDFs. In the following example, replace SOMEPASSWORD with your actual Teradata user password. The example tests one of the UDFs; it is recommended to issue additional SQL requests to test all UDFs.

    [/etc/vormetric]# bteq .logon thales,thales
    Teradata BTEQ 14.10.00.10 for LINUX. PID: 11978
    Copyright 1984-2014, Teradata Corporation. ALL RIGHTS RESERVED.
    Enter your logon or BTEQ command:
    .logon thales,SOMEPASSWORD
    *** Logon successfully completed.
    *** Teradata Database Release is 14.10.03.02
    *** Teradata Database Version is 14.10.03.02
    *** Transaction Semantics are BTET.
    *** Session Character Set Name is 'ASCII'.
    *** Total elapsed time was 2 seconds.
    BTEQ -- Enter your SQL request or BTEQ command:
    select thales.encrypt_string('hello world','KEY1');
    select thales.encrypt_string('hello world','KEY1');
    *** Query completed. One row found. One column returned.
    *** Total elapsed time was 2 seconds.
    encrypt_string('hello world','KEY1')
    ---------------------------------------------------------------------
    490C35C33A5E07587ED4A6AFB15A16C9
Configure CTP with CipherTrust Manager
If your node is using the CipherTrust Manager (and you entered the CipherTrust Manager hostname during installation), perform the following additional steps after the initial installation.
Run the vormetric_local_crypto_server daemon located at /opt/vormetric/DataSecurityExpert/agent/pkcs11/teradata/bin with the -e option:

    # cd /opt/vormetric/DataSecurityExpert/agent/pkcs11/teradata/bin
    # vormetric_local_crypto_server -e

Enter the following configuration details:

    IP Address of the CipherTrust Manager.
    NAE Port - if not specified, defaults to 9000.
    CipherTrust Manager username.
    CipherTrust Manager password.

Enter NAE protocol, either tcp or ssl.

Note
Using tcp is not secure.

If you enter tcp, enter y at the following prompt:

    Running registration will delete any existing CA and client certificates. Do you wish to continue? <y/n>: y

CTP configuration to the CipherTrust Manager with tcp is complete.

If you enter ssl, enter y at the following prompt:

    Running registration will delete any existing CA and client certificates. Do you wish to continue? <y/n>: y

You are prompted for additional information that is incorporated into your certificate request:

    Country code (2 letter code, for example, US).
    State or Province name (for example, California).
    Locality or city name (for example, San Jose).
    Organization name (for example, company).
    Organizational Unit name (for example, section).
    Common Name (for example, your name or your server's hostname).
        Enter the Common Name as the CipherTrust Manager login username when configuring the following NAE interface modes on the CipherTrust Manager:
            Verify client cert, username taken from client cert, auth request is optional.
            Verify client cert, password is needed, username in cert must match username in authentication request.
    Email Address (optional).

CTP configuration to the CipherTrust Manager with ssl is complete.
Automated Install over a Teradata Cluster
This feature detects a cluster and ensures that the installation is performed on all of the nodes in the cluster. The user does not have to do anything to make the installer look for the cluster. This feature is built in. If the cluster exists, the installer will find it. However, any change made in the configuration file is not propagated automatically on all nodes. It must be done manually on all of the nodes by the administrator.
When trying to install CTP on a node, the installer detects the presence of the cluster and tries to install the same CTP on the other nodes. This requires that the installation is performed in the silent install mode. This means that all requisite input is given in a file and CTP is invoked with the -s option.
Upgrade CTP
The intent of this feature is to detect a cluster and ensure that the upgrade is performed on all of the nodes in the cluster.
Note
Ensure that the crypto server daemon is not running on any single node before the uninstall begins.
When trying to upgrade the CTP on a node, the installer detects the presence of the cluster and tries to upgrade the same CTP on the other nodes. If there is a single node, it upgrades the CTP from that node as well.
You can upgrade CTP from either v5.2.5.xx or from 6.1.3.xx to 6.4.0.xx. The upgrade procedure does not update the existing user modified configuration files. It adds the new configuration files, sample configuration files with new features, and binary files.
After the upgrade, you must follow the manual steps to remove the existing UDFs from the database and perform the new UDF installation. Also, after the upgrade has successfully completed, you must restart the cryptographic server to clear old FF1 license information. Failure to complete the cryptographic server restart will cause the application to fail.
Key Rotation
CTP 6.6.0 supports versioned keys. It stores the key version in the ciphertext during encryption. It reads the key version from the ciphertext, retrieves that version of the key from the CipherTrust Manager, and performs the decryption operations with that key. During encryption, CTP always retrieves the latest version of the key, and performs encryption with that key.
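The behaviour described above (version stored in the ciphertext, decryption fetching exactly that version, encryption always using the newest version) is what lets data encrypted before a rotation remain readable afterwards. The following Python program is an added example and not CTP or CipherTrust Manager code: it uses a toy in-memory key store in place of the CipherTrust Manager, a 4-byte big-endian version header plus nonce of its own design in place of the product's ciphertext format, and an HMAC-SHA256 counter-mode keystream with an HMAC tag in place of the product's AES. The names KeyStore, encrypt, decrypt and rotation_demo are this example's own.

```python
"""Added example, not CTP code: how versioned keys keep pre-rotation
ciphertext decryptable.

A 4-byte key version is stored at the front of the ciphertext; decryption
reads it back and fetches exactly that key version, while encryption always
uses the newest version.  The cipher (HMAC-SHA256 keystream plus HMAC tag)
and the key store are constructed stand-ins for AES and CipherTrust Manager."""
import hashlib
import hmac
import os
import struct

VERSION_LEN, NONCE_LEN, TAG_LEN = 4, 16, 32


class KeyStore:
    """Toy versioned key store (stand-in for the CipherTrust Manager)."""

    def __init__(self):
        self._keys = {}  # key name -> {version: 32-byte key}

    def create(self, name):
        self._keys[name] = {1: os.urandom(32)}

    def rotate(self, name):
        """Add a new version; older versions stay available for decryption."""
        versions = self._keys[name]
        new_version = max(versions) + 1
        versions[new_version] = os.urandom(32)
        return new_version

    def latest(self, name):
        versions = self._keys[name]
        version = max(versions)
        return version, versions[version]

    def get(self, name, version):
        return self._keys[name][version]  # KeyError if that version never existed


def _subkeys(key):
    """Derive separate confidentiality and integrity keys from a stored key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode; a stand-in for a real block cipher mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(store, name, plaintext):
    """Encrypt with the latest key version and record that version in the output."""
    version, key = store.latest(name)
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    header = struct.pack(">I", version) + nonce
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    return header + body + tag


def key_version_of(blob):
    """Read the key version back out of a ciphertext header."""
    return struct.unpack(">I", blob[:VERSION_LEN])[0]


def decrypt(store, name, blob):
    """Fetch the key version named in the ciphertext, verify the tag, then decrypt."""
    if len(blob) < VERSION_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    version = key_version_of(blob)
    nonce = blob[VERSION_LEN:VERSION_LEN + NONCE_LEN]
    body, tag = blob[VERSION_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(store.get(name, version))
    expected = hmac.new(mac_key, blob[:-TAG_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


def rotation_demo():
    """Encrypt, rotate, encrypt again; both ciphertexts still decrypt."""
    store = KeyStore()
    store.create("KEY1")
    before = encrypt(store, "KEY1", b"hello world")
    store.rotate("KEY1")
    after = encrypt(store, "KEY1", b"hello world")
    return (key_version_of(before), key_version_of(after),
            decrypt(store, "KEY1", before), decrypt(store, "KEY1", after))


if __name__ == "__main__":
    print(rotation_demo())
```

The point to take from the demo is operational rather than cryptographic: a rotation never invalidates old ciphertext as long as every key version that was ever used to encrypt stays retrievable from the key manager, so a version must not be deleted or made unavailable until all ciphertext written under it has been re-encrypted.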