Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Installing and Deploying CTP

Install CipherTrust Teradata Protection on the Teradata Node

search

Please Note:

Install CipherTrust Teradata Protection on the Teradata Node

Install CipherTrust Teradata Protection

  1. Sign in with root access to the host where you will install CipherTrust Teradata Protection.

  2. Copy or mount the installation file to the host system.

  3. Start the installation. Type:

    # bash ./install ctp-16.10-6.6.0-10-sles12sp3-x86_64.bin

    For example:

    ctp16.10-6.6.0-10-sles12sp3-x86_64.bin

  4. The text of the License Agreement appears. Page through the agreement, then type y and press Enter to accept. The installation proceeds.

  5. At the agent registration prompt, type y or press Enter to proceed with registration, or type n if you plan to register later.

    Do you want to continue with agent registration? (Y/N) [Y]:

  6. Continue to follow the prompts:

    1. Enter the fully qualified host name of the key manager and press Enter.

    2. Verify the host name and press Enter.

  7. Enter the password for the Key Agent library and confirm your entry. Password minimum length for PIN is 8 characters and maximum length is 63 characters.

    Please enter a password for the Key Agent library.
Accesses to this library will be protected by this password.
NOTE: If using Oracle RAC, passwords must be the same on all nodes.
Please enter password:
Enter again to confirm:
Successfully registered the CipherTrust Key Agent with the primary CipherTrust Manager
on <your_servername>.com.
Note: Do not forget this password. You will need it later during CipherTrust Teradata Protection
deployment. To change the password, you must re-register the agent.

    Note

    Do not forget this password. You will need it later during CipherTrust Teradata Protection deployment. To change the password, you must re-register the agent.

Configuring Access Control

Access control parameters are defined in the vormetric_local_cryptoserver.conf file. Set identityacl to on tocindicate identity-based access control is enforced.

When identityacl is set to off, or not configured, coarse-level access control is enforced by default. Identity-based access control uses the same files (allow_encrypt.conf and allow_decrypt.conf) to contain the access control definitions.

Note

  • The formats of coarse-level and identity-based access are different in the whitelist (allow_encrypt.conf and allow_decrypt.conf) files. However, the format of the blacklist (deny_encrypt.conf and deny_decrypt.conf) files are the same for both modes of access control.

  • Do not remove copyright information from blacklist and whitelist files, even if you are not using any one of the files. These files cannot be empty, otherwise CTP fails with an error message about being unable to "retrieve the white and black access lists from crypto server."

Use the identity-based access control to control access at the database column level. Keys can be assigned to encrypt/decrypt one or more database columns, which provides column-level access control based on identity.

Access to database encryption and decryption operations are defined in the allow_encrypt.conf and allow_decrypt.conf configuration files, based on key-value pairs. The encryption key is the key, and a comma-separated list of users who may access that encryption key is the associated value.

Modified Whitelist for Decryption

The modified allow_decrypt.conf file has the following format:

[<denied behavior>]
<key name>:<comma separated list of allowed users>

Where denied behavior is one of the following:

  • deny: Access is denied. This is the default behavior.

  • blank: Blank value will be returned.

  • ciphertext: Encrypted column value will be returned.

  • zero: Zero (0) will be returned.

  • custom text: An administrator-defined custom string specified under double quotes, for example: Access Denied.

    Note

    The blank and custom text denied behaviors are not supported in UDFs that have an integral return type.

A sample allow_decrypt.conf file:

[ciphertext]
Name_Address_key:User1,User3

[“Access Denied”]
Phone_key:User2,User3

[zero]
SSN_key:User3

Note

Multiple denied behaviors for the same key is not allowed in identity-based access control. Do not specify the same key under multiple denied behavior entries, otherwise an error occurs at the BTEQ prompt.

More Configuration Notes

  • Multiple key-user mappings can share the same denied behavior.

  • The wildcard asterisk (*) denotes all users. When * is used, the denied behavior field is ignored.

Modified Whitelist for Encryption

The modified allow_encrypt.conf has the following format:

<key name> : <comma separated list of allowed users>

Consider the following example of a allow_encrypt.conf configuration:

Name_Address_key:User1,User3
Phone_key:User2,User3
SSN_key:User3

Note

Unlike decryption, encryption does not support any custom deny behavior. When a user attempts to encrypt a column using a key that the user does not have access to, the operation is denied.

Coarse-Level Access Control (Default)

With coarse-level access control, users listed in the whitelist can access all database tables.

Note

Identity-based access control goes one step further, by specifying which key can be used by which user.

To configure coarse-level control, decide whether you are blacklist-centric - you have a list of users to block access to a command and all others are unblocked, or whitelist-centric - you have a list of users to allow access to a command and all others are blocked. Choose which orientation makes the most sense for your situation, then create the following four files in /etc/vormetric with 600 permissions (read/write by root only):

  • allow_encrypt.conf

  • allow_decrypt.conf

  • deny_encrypt.conf

  • deny_decrypt.conf

Add the logins of users, one line per user, to either deny (blacklist) or allow (whitelist) access to do encrypting or decrypting. User names must be entirely capitalized. The wildcard character (*) indicates "all users" and it is allowed in the whitelist, but not the blacklist. No other regular expressions are permitted. Make your configuration blacklist-centric by putting just a * in the whitelist and adding user names in the blacklist. Make it whitelist-centric by leaving your blacklist empty and putting user names in the whitelist.

If you are whitelist-centric, only users in allow_decrypt.conf will be able to decrypt data, and only users in allow_encrypt.conf will be able to encrypt data. If you are blacklist-centric, only users in deny_decrypt.conf will not be able to decrypt data, and only users in deny_encrypt.conf will not be able to encrypt data.

Whitelisting approved users of the middleware (the business logic) is recommended. This will block all others, including the Teradata database administrators from accessing sensitive data.

The Linux system administrator must replicate these files to all other Teradata nodes.

Verify the Installation

  1. Run the following commands on the Teradata node to confirm that all components of CTP were entered into the rpm database, which means that CTP was installed successfully.

    rpm -qa | grep vae-td
rpm -qa | grep vee-key

  2. Verify that Registration Allowed and Communication Enabled are selected for the Key Agent.

Silent Mode Install with CipherTrust Manager

  1. Create a config file containing the following fields:

    SERVER_HOSTNAME=<hostname>

  2. Obtain CTP and copy it to the directory that contains the config file that you just created.

  3. Enter:

    # ./ctp<product-version-build-system>.bin -s <config file path>

    Example:

    ./ctp16.10-6.6.0-10-sles12sp3-x86_64.bin -s <config file path>

    Following field is mandatory for the config file:

    NameFunctionRequired
    SERVER_HOSTNAMEHost name of the CipherTrust Manager key managerYes

On this page