Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Managing Applications

Defining Applications

search

Please Note:

Defining Applications

To define an application:

  1. Log on to the CipherTrust Manager GUI as administrator.

  2. Open Application Data Protection.

  3. In the left pane, click Applications. The list of applications is displayed on the screen.

  4. On the Applications page, click Add Application. The Add Application wizard is displayed. Follow the steps to complete the setup.

The setup will vary based on the chosen connector type.

Click the desired tab to view the steps.

  1. Add General Info

  2. Configure Parameters

  3. Confirmation

Add General Info

  1. Specify a unique Name for the application.

  2. Select the Connector Type as CRDP from the drop-down list.

  3. Click Next to go to the Settings screen.

Configure Parameters

  1. On the Settings screen, configure the following parameters.

    CA Parameter

    FieldDescriptionMandatoryDefault
    Local CASelect a local CA from the available options. The CA issues digital certificates and signs CSR.OptionalCipherTrust Root CA

    CSR Parameters

    FieldDescriptionMandatoryDefault
    Common NameSelect the user. This is the CRDP user who will interact with CM.OptionalNo default
    CityName of the city.OptionalNo default
    CountryName of the country.OptionalNo default
    StateName of the state.OptionalNo default
    Organization NameOrganization name.OptionalNo default
    Organization UnitOrganization unit.OptionalNo default
    EmailValid email id.OptionalNo default
    Certificate DurationValidity period of a client certificate.Optional730 days
    Certificate Auto RenewalTurn on the Certificate Auto Renewal toggle to automatically renew the client certificate before it expires in the user environment. The process of certificate auto renewal is explained here.OptionalBy default, the toggle is off.

    Client Configuration Parameters

    1. Logging Parameter

      FieldDescriptionMandatoryDefault
      Log LevelThe level of logging to determine verbosity of clients logs.
      Options
      — INFO
      — WARN
      — ERROR
      — DEBUG      		YesWARN

    2. Local Encryption Parameter

      FieldDescriptionMandatoryDefault
      Key Cache ExpiryDetermines the minimum amount of time a key can be cached.Yes43200 seconds

    3. Connection Configuration Parameters

      FieldDescriptionMandatoryDefault
      Connection TimeoutConnection timeout value for clients.Yes10000
      Heartbeat IntervalTime interval (in seconds) after which the client needs to send heartbeat notification to the CipherTrust Manager to get updated policies and configurations.Yes300 seconds
      Heartbeat Timeout CountNumber of missed heartbeats after which the client marks a CipherTrust Manager inactive.Yes-1 (The container will never be marked as unhealthy.)

      Tip

      Heartbeat is a mechanism that notifies a client about any change in policies and configurations. The client sends the heartbeat to the CipherTrust Manager indicating that it is alive. In response, the CipherTrust Manager notifies client about any changes in the configurations and policies. To know more about the heartbeat parameters, refer to Heartbeat Configuration.

    4. JWT Verification Parameters

      Note

      The following parameters are only required to be configured if the Enable JWT Verification toggle is turned on. When this field is enabled, CRDP will verify the JWT. By default, this toggle is off.

      FieldDescriptionMandatoryDefault
      Public KeyVerifies the JWT. Specify the public key in PKCS1 or PKCS8 format.Mandatory when Enable JWT Verification toggle is turned on.No default
      IssuerA string that identifies the principal that issued the JWT.Mandatory when Enable JWT Verification toggle is turned on.No default

  2. Click Next to go to Confirmation page.

Confirmation

  1. On the Confirmation screen, verify the application details. This screen displays general information and settings .

  2. If you want to modify any detail, click Edit and update the details.

  3. Click Save. A message stating Application is successfully created is displayed on the screen. At this step, a Registration Token is returned. The clients will use this token to get registered on the CipherTrust Manager. To view the registration token, click here.

  4. Click Close to exit the wizard. The newly defined application is added to the list of Applications.

  1. Add General Info

  2. Configure Parameters

  3. Create and Associate Policy

  4. Confirmation

Add General Info

  1. Specify a unique Name for the application.

  2. Select Connector Type as DPG from the drop-down list.

  3. Click Next to go to the Settings screen.

Note

Ensure the NAE interface with TLS, verify client cert, user name taken from client cert, auth request is optional mode is created and the Allow unregistered clients check-box is selected on the CipherTrust Manager. Refer to CipherTrust Manager Interfaces for detailed instructions.

Configure Parameters

  1. On the Settings screen, configure the following parameters.

    1. Network Configuration Parameter

      FieldDescriptionMandatoryDefault
      NAE Interface PortSelect interface of the NAE server.
      Only the interfaces with TLS, verify client cert, user name taken from client cert, auth request is optional mode are supported.
      The firewall rules for this interface must allow communication.      		YesNo default

      After selecting the NAE interface, you can choose to ignore the rest of the configurations and instead, use the default values to define your application. To do so, click Next.

    2. CA Parameter

      FieldDescriptionMandatoryDefault
      Local CAAuthenticates the user defined in the Common Name. The CA must be associated with the interface selected in the previous step.YesCipherTrust Root CA

    3. CSR Parameters

      FieldDescriptionMandatoryDefault
      Common NameSelect the user from the drop-down list. This is the DPG user who will interact with CM.
      — For DPG 1.2 and lower versions, NAE-XML interface is used.
      — For DPG 1.3 and higher versions, REST interface is used.
      Note: The selected user must exist in the root domain.      		YesNo default
      CityName of the city.YesNo default
      CountryName of the country.YesNo default
      StateName of the state.YesNo default
      Organization NameOrganization name.YesNo default
      Organization UnitOrganization unit.YesNo default
      EmailValid email id.YesNo default
      Certificate DurationValidity period of a client certificate.Yes730 days
      Certificate auto renewalTurn on the Certificate auto renewal toggle to automatically renew the CA certificate before it expires in the user environment. By default, the toggle is off. The process of certificate auto renewal is explained here.

    4. Authentication Method

      FieldDescriptionMandatoryDefault
      Scheme NameAuthentication method used to validate the identity of the application users.
      Following methods are allowed:
      Basic: In this scheme, username and password are passed into the authorization request header. The username and password are encoded in Base64 format.
      Bearer: In this scheme, a security token (a cryptic string) is granted to the application users. The application user must send this token in the authorization request header when making any reveal request to DPG.      		YesBasic
      Token FieldName of the field that contains the username in authorization token based on which the level of access control over reveal operation will be identified.Required when Bearer is selected as the authentication method.No default

    5. Logging

      FieldDescriptionMandatoryDefault
      Log LevelThe level of logging to determine verbosity of client logs.
      Options
      — INFO
      — WARN
      — ERROR
      — DEBUG      		YesWARN
      Log TypeType of the log. The log type for DPG is Console.YesConsole (not configurable)

    6. Local Encryption Parameters

      FieldDescriptionMandatoryDefault
      Symmetric Key Cache EnabledDetermines whether the symmetric key caching feature is enabled.YesAlways enabled (not configurable)
      Symmetric Key Cache ExpiryDetermines the minimum amount of time a key can be cached.Yes43200

    7. Connection Configuration

      FieldDescriptionMandatoryDefault
      Maximum Idle ConnectionSpecifies the maximum number of idle (keep-alive) connections for all hosts. A value of 0 means no limit.Yes10000
      Maximum Idle Connection Per HostSpecifies the maximum idle (keep-alive) connections to keep for each host.Yes10000
      Dial TimeoutSpecifies the maximum duration (in seconds) the DPG server will wait for a connection with the Application Server to succeed.Yes10
      Dial Keep AliveSpecifies the interval (in seconds) between keep-alive probes for an active network connection.Yes10
      Connection Idle TimeoutSpecifies the duration for which a connection is allowed to be idle in the connection pool before it gets automatically closed.Yes600000
      Connection Retry IntervalSpecifies the time to wait before trying to reconnect to a disabled server.Yes600000
      Connection TimeoutConnection timeout value for clients.Yes60000
      Connection Read TimeoutRead timeout value for clients.Yes7000
      Size of Connection PoolThe maximum number of connections that can persist in a connection pool.Yes300
      Load Balancing AlgorithmDetermines how the client selects a Key Manager from a load balancing group.
      Options
      — round-robin
      — random      		Yesround-robin
      Heartbeat IntervalTime interval (in seconds) after which the client needs to send heartbeat notification to the CipherTrust Manager to get updated policies and configurations.Yes300
      Heartbeat Timeout CountNumber of missed heartbeats after which the client marks a CipherTrust Manager inactive.Yes-1 (The container will never be marked as unhealthy.)

      Tip

      Heartbeat is a mechanism that notifies a client about any change in policies and configurations. The client sends the heartbeat to the CipherTrust Manager indicating that it is alive. In response, the CipherTrust Manager notifies client about any changes in the configurations and policies. To know more about the heartbeat parameters, refer to Heartbeat Configuration.

    8. SSL Configuration

      FieldDescriptionMandatoryDefault
      TLS EnabledDetermines whether to enable TLS. If check-box is selected, DPG will communicate with the upstream server over TLS else, TCP will be used.YesNot selected (not configurable)
      TLS Skip VerifyThis field is always selected; DPG doesn't verify the upstream server certificates.YesAlways selected (not configurable)

  2. Click Next to go to the Policy page.

    Note

    Before moving to next step, we recommend you to read about DPG Policies.

Create and Associate Policy

  1. On the DPG Policy page, click Add Endpoint.

  2. On the Create Endpoint screen, perform the following steps:

    1. Enter the API URL. This is the URL of the application for which the DPG will protect the data.

    2. Select Method from the drop-down list. Supported methods are:

      • POST

      • GET

      • PUT

      • PATCH

      • DELETE

      Note

      You must configure JSON path/URL parameters separately for each method.

    3. Click Add Token to configure JSON path/URL. For same method, you can configure Request and Response simultaneously.

    4. On the Create Token in Request screen, enter/select the following details.

      FieldDescription
      NameSpecify the complete JSON path/URL parameters to be protected/revealed.
      LocationLocation of the data to be protected/revealed.
      Possible options are:
      JSON: If data to be protected is in JSON body.
      URL: If data to be protected is in URL parameters.
      OperationCryptographic operation to be performed.
      Possible options
      — Protect
      — Reveal
      Protection PolicySelect the protection policy form the drop-down list. If protection policy doesn't exist, click Add Protection Policy and click Select. Refer to Managing Protection Polices for details.
      External Version HeaderSpecify the name of the parameter that will store the version header details (type, protection policy version, and key version). This parameter appears on the UI only when the selected protection policy uses external version header.
      Access PolicyThis parameter appears on the UI if operation type is Reveal. Select the access policy from the drop-down list. If access policy doesn't exist, click Add Access Policy and click Select. Refer to Managing Access Policies for details.

      If the JSON body has an array of objects, specify the sensitive tokens in the format shown in the below example:

                      {
                    "Name": "John",
                    "CreditCard":[
                    {
                        "CCNumber": "1234-5678-9012-3456",
                        "CVV": "123",
                        "Expiry": "12/03"
                    }
                    ],
                    "Amount" : "250"
                }

      In this example, CreditCard is the array of objects (CCNumber, CVV, Expiry). To protect/reveal CCNumber, specify the token as CreditCard.[*].CCNumber in the request/response of the DPG policy. Similarly, to protect/reveal CVV, use the following format: CreditCard.[*].CVV.

      Caution

      If a set of data is already protected with a protection policy, ensure to reveal the data with the same protection policy.

    5. Click Create. The newly created policy is listed on the DPG Policy page.

    Now, to configure JSON path/URL parameters for other methods, click Add Endpoint and repeat steps a to g else, click Next to go to the Confirmation screen.

    The below diagrams show that different methods require separate endpoint configurations.

Confirmation

  1. On the Add Application page, verify the application details. The Confirmation screen displays general information, settings, and DPG policy.

  2. If you want to modify any detail, click Edit and update the details.

  3. Click Add. A message stating, Application created successfully is displayed on the screen. At this step, a Registration Token is generated. The clients will use this token to get registered on the CipherTrust Manager. To view the registration token, click here.

  4. Click Close to exit the setup. The newly defined application is added to the list of Applications.

On this page