Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Installing and Deploying CTP

Deploy CipherTrust Teradata Protection on a Teradata Node

search

Please Note:

Deploy CipherTrust Teradata Protection on a Teradata Node

After installing CipherTrust Teradata Protection on the node, configure and deploy the application.

Note

This procedure must be done for every node.

  1. Sign in as root user on the node.

  2. Optional: Set up CTP whitelists or blacklists.

  3. Create a new profile configuration file based on the provided sample.

    # cd /etc/vormetric
# cp profiles.conf.sample profiles.conf

    Keep profiles.conf.sample as a reference, and use profiles.conf as your working configuration file. Modify this file to serve your purposes.

  4. Create a CipherTrust Local Cryptoserver Daemon configuration file.

    # cd /etc/vormetric
# cp vormetric_local_crypto_server.conf.sample vormetric_local_crypto_server.conf

    Keep vormetric_local_crypto_server.conf.sample as a reference, and use vormetric_local_crypto_server.conf as your working configuration file.

    Modify the following lines in the CipherTrust Local Cryptoserver Daemon configuration file:

    /etc/vormetric/vormetric_local_crypto_server.conf:
Copyright (c) 2018 by <Your_Company>
iv <Initialization_Vector>
loglevel <desired_loglevel>
udfaes <on_or_off>

    where:

    • Your_Company: Name of your company.

    • iv: Initialization vector, a 16-byte 32 hex character number. This must be the same for all nodes. Example: 0149AB83FC68D3C1395ABC4692DF931C.

    • loglevel: Desired log level for logging events. Examples: debug, info, or error.

      • debug: Adds large, detailed debugging logs during crypto operations, with a very large performance overhead. A debug log level is not recommended in a production environment.

      • info: Adds less-informative logs when crypto operations are performed successfully, with reduced performance overhead. An info log level is not recommended in a production environment.

      • error: Adds logs only when an error occurs during product execution. The error log level is recommended in a production environment, because it incurs no performance overhead.

    • udfaes: Specifies the Normal Mode (udfaes off) or Fast Mode (udfaes on).

  5. Invoke the CipherTrust Local Cryptoserver with the -e command line option. Example:

    # /opt/vormetric/DataSecurityExpert/agent/pkcs11/teradata/bin/vormetric_local_crypto_server -e

    You are prompted for the PIN that you created in the last step of Install CipherTrust Teradata Protection on the Teradata Node. This PIN is written in encrypted form to the last line of vormetric_local_crypto_server.conf.

  6. If you are using the Monit process supervision tool, configure the /etc/monitrc file.

    Add these five lines:

    check process vormetric_local_crypto_server with pidfile /var/run/vormetric_local_crypto_server.pid
start program = “/etc/init.d/vormetric_local_crypto_server start"
stop program = “/etc/init.d/vormetric_local_crypto_server stop"
if failed unixsocket /tmp/vormetric then restart
if 5 restarts within 5 cycles then timeout

  7. Start the CipherTrust Local Cryptoserver Daemon:

    # /etc/init.d/vormetric_local_crypto_server start

    Teradata database users now have access to the UDFs and the VAE C API library.

    Note

    Do not start multiple versions of the cryptoserver at the same time.

  8. Test the UDFs. In the following example, replace SOMEPASSWORD with your actual Teradata user password.

    The following example tests one of the UDFs. It is recommend to issue additional SQL requests to test all UDFs.

    [/etc/vormetric]# bteq .logon thales,thales
Teradata BTEQ 14.10.00.10 for LINUX. PID: 11978
Copyright 1984-2014, Teradata Corporation. ALL RIGHTS RESERVED.
Enter your logon or BTEQ command:
.logon thales,SOMEPASSWORD
*** Logon successfully completed.
*** Teradata Database Release is 14.10.03.02
*** Teradata Database Version is 14.10.03.02
*** Transaction Semantics are BTET.
*** Session Character Set Name is 'ASCII'.
*** Total elapsed time was 2 seconds.
BTEQ -- Enter your SQL request or BTEQ command:
select thales.encrypt_string('hello world','KEY1');
select thales.encrypt_string('hello world','KEY1');
*** Query completed. One row found. One column returned.
*** Total elapsed time was 2 seconds.
encrypt_string('hello world','KEY1')
---------------------------------------------------------------------
490C35C33A5E07587ED4A6AFB15A16C9

Configure CTP with CipherTrust Manager

If your node is using the CipherTrust Manager (and you entered the CipherTrust Manager hostname during installation), perform the following additional steps after the initial installation.

  1. Run the vormetric_local_crypto_server daemon located at /opt/vormetric/DataSecurityExpert/agent/pkcs11/teradata/bin location with -e option:

    # cd /opt/vormetric/DataSecurityExpert/agent/pkcs11/teradata/bin
# vormetric_local_crypto_server -e

  2. Enter the following configuration details:

    • IP Address of the CipherTrust Manager.

    • NAE Port - if not specified, defaults to 9000.

    • CipherTrust Manager username.

    • CipherTrust Manager password.

  3. Enter NAE protocol, either tcp or ssl.

    Note

    Using tcp is not secure.

    • If you enter tcp, enter y at the following prompt:

      Running registration will delete any existing CA and client certificates. Do you wish to continue? <y/n>: y

      CTP configuration to the CipherTrust Manager with tcp is complete.

    • If you enter ssl, enter y at the following prompt:

      Running registration will delete any existing CA and client certificates. Do you wish to continue? <y/n>: y

      You are prompted for additional information that is incorporated into your certificate request:

      • Country code (2 letter code, for example, US).

      • State or Province name (for example, California).

      • Locality or city name (for example, San Jose).

      • Organization name (for example, company).

      • Organizational Unit name (for example, section).

      • Common Name (for example, your name or your server's hostname).

        Enter Common Name as the CipherTrust Manager login username when configuring the below NAE interface modes on the CipherTrust Manager:

        • Verify client cert, username taken from client cert, auth request is optional.

        • Verify client cert, password is needed, username in cert must match username in authentication request.

      • Email Address (optional).

      CTP configuration to the CipherTrust Manager with ssl is complete.

Installation over a Teradata Cluster

When installing CTP on a Teradata cluster, repeat the installation steps on each node of the cluster.

On this page