Defining applications
To define an application:
Log on to the CipherTrust Manager GUI as administrator.
Open Application Data Protection.
In the left pane, click Applications. The list of applications is displayed on the screen.
On the Applications page, click Add Application. The Add Application wizard is displayed. Follow the steps to complete the setup.
The setup will vary based on the chosen connector type.
Click the desired tab to view the steps.
Add General Info
Specify a unique Name for the application.
Select the Connector Type as CRDP from the drop-down list.
Click Next to go to the Settings screen.
Configure Parameters
On the Settings screen, configure the following parameters.
Server Configuration
These parameters are required to configure server settings such as CA, CSR, and Connection configurations.
CA Parameter
Field | Description | Mandatory | Default
--- | --- | --- | ---
Local CA | Select a local CA from the available options. The CA issues digital certificates and signs the CSR. | Optional | CipherTrust Root CA

Note
Local CA should be added in the Local Trusted CAs of the Web interface on the CipherTrust Manager.
CSR Parameters
Field | Description | Mandatory | Default
--- | --- | --- | ---
Common Name | Select the user. This is the CRDP user who will interact with CM. | Optional | No default
City | Name of the city. | Optional | No default
Country | Name of the country. | Optional | No default
State | Name of the state. | Optional | No default
Organization Name | Organization name. | Optional | No default
Organization Unit | Organization unit. | Optional | No default
Email | Valid email ID. | Optional | No default
Certificate Duration | Validity period of a client certificate. | Optional | 730 days
Certificate Auto Renewal | Turn on the Certificate Auto Renewal toggle to automatically renew the client certificate before it expires in the user environment. The process of certificate auto renewal is explained here. | Optional | By default, the toggle is off.

Connection Configuration
Field | Description | Mandatory | Default
--- | --- | --- | ---
Server Heartbeat Threshold | Maximum limit of the missed heartbeat count. After this limit, the client's state on the CipherTrust Manager changes from warning to error. | Yes | No default

Click Next to go to the Client Configuration screen.
Client Configuration
These parameters are required to initialize CRDP clients.
Logging
Field | Description | Mandatory | Default
--- | --- | --- | ---
Log Level | The level of logging that determines the verbosity of client logs. Options: INFO, WARN, ERROR, DEBUG. | Yes | WARN

Local Encryption
Field | Description | Mandatory | Default
--- | --- | --- | ---
Key Cache Expiry | Determines the minimum amount of time a key can be cached. | Yes | 43200 seconds

Connection Configuration
Field | Description | Mandatory | Default
--- | --- | --- | ---
Connection Timeout | Connection timeout value for clients. | Yes | 10000
Heartbeat Interval | Time interval (in seconds) after which the client sends a heartbeat notification to the CipherTrust Manager to get updated policies and configurations. | Yes | 300 seconds
Heartbeat Timeout Count | Number of missed heartbeats after which the client assumes a CipherTrust Manager instance is inactive. | Yes | -1 (The container will never be marked as unhealthy.)

Tip
Heartbeat is a mechanism that notifies a client about any change in policies and configurations. The client sends the heartbeat to the CipherTrust Manager indicating that it is alive. In response, the CipherTrust Manager notifies client about any changes in the configurations and policies. To know more about the heartbeat parameters, refer to Heartbeat Configuration.
Field | Description | Mandatory | Default
--- | --- | --- | ---
Public Key | Verifies the JWT. Specify the public key in PKCS1 or PKCS8 format. | Mandatory when the Enable JWT Verification toggle is turned on. | No default
Issuer | A string that identifies the principal that issued the JWT. | Mandatory when the Enable JWT Verification toggle is turned on. | No default

Note
These parameters need to be configured only if the Enable JWT Verification toggle is turned on. When the toggle is on, CRDP verifies the JWT. By default, the toggle is off.
Field | Description | Mandatory | Default
--- | --- | --- | ---
Enable JWT Username | Reveal the username for the particular user from the JWT. | No | By default, the toggle is turned off.
JWT Username Field | Specify the JWT field that carries the username. | Mandatory when Enable JWT Username is turned on. | No default
JWKs URL | Specify the JWKs URL from which the JWKs can be fetched and used for validation of the JWT. | Mandatory when Enable JWT Username is turned on. | By default, the toggle is turned off.

Performance Metrics
Field | Description | Mandatory | Default
--- | --- | --- | ---
Enable Performance Metrics | When the Enable Performance Metrics toggle is turned on, administrators can generate metrics logs for CRDP. | No | By default, the toggle is on.
Click Next to go to the Confirmation page.
Confirmation
On the Confirmation screen, verify the application details. This screen displays general information and settings.
If you want to modify any detail, click Edit and update the details.
Click Save. A message stating Application is successfully created is displayed on the screen. At this step, a Registration Token is returned. The clients will use this token to get registered on the CipherTrust Manager. To view the registration token, click here.
Click Close to exit the wizard. The newly defined application is added to the list of Applications.
Add General Info
Specify a unique Name for the application.
Select Connector Type as DPG from the drop-down list.
Click Next to go to the Settings screen.
Note
Ensure that an NAE interface in the "TLS, verify client cert, user name taken from client cert, auth request is optional" mode is created and that the Allow unregistered clients check box is selected on the CipherTrust Manager. Refer to CipherTrust Manager Interfaces for detailed instructions.
Configure Parameters
On the Settings screen, configure the following parameters.
Network Configuration
Note
This step is only required for DPG 1.2 and lower versions. For DPG 1.3 and higher versions, skip this step.
Field | Description | Mandatory | Default
--- | --- | --- | ---
NAE Interface Port | Select the interface of the NAE server. Only interfaces in the "TLS, verify client cert, user name taken from client cert, auth request is optional" mode are supported. The firewall rules for this interface must allow communication. | Yes | No default

After selecting the NAE interface, you can choose to ignore the rest of the configuration and instead use the default values to define your application. To do so, click Next.
Server Configuration
These parameters are required to configure server settings such as CA, CSR, and Connection configurations.
CA Parameter
Field | Description | Mandatory | Default
--- | --- | --- | ---
Local CA | Local trusted Certificate Authority on the CipherTrust Manager that issues and signs the certificates for SSL. | Yes | CipherTrust Root CA

Note
Local CA should be added in the Local Trusted CAs of the Web interface on the CipherTrust Manager.
CSR Parameters
Field | Description | Mandatory | Default
--- | --- | --- | ---
Common Name | This is the DPG user who will interact with CM. For DPG 1.2 and lower versions, the NAE-XML interface is used. For DPG 1.3 and higher versions, the REST interface is used. Note: The selected user must exist in the root domain. | Yes | No default
City | Name of the city. | Yes | No default
Country | Name of the country. | Yes | No default
State | Name of the state. | Yes | No default
Organization Name | Organization name. | Yes | No default
Organization Unit | Organization unit. | Yes | No default
Email | Valid email ID. | Yes | No default
Certificate Duration | Validity period of a client certificate. | Yes | 730 days
Certificate auto renewal | Turn on the Certificate auto renewal toggle to automatically renew the CA certificate before it expires in the user environment. The process of certificate auto renewal is explained here. | | By default, the toggle is off.

Connection Configuration
Field | Description | Mandatory | Default
--- | --- | --- | ---
Server Heartbeat Threshold | Maximum limit of the missed heartbeat count. After this limit, the client's state on the CipherTrust Manager changes from warning to error. | Yes | No default

Click Next to go to the Client Configuration screen.
Client Configuration
These parameters are required to initialize DPG clients.
Authentication Method
Field | Description | Mandatory | Default
--- | --- | --- | ---
Scheme Name | Authentication method used to validate the identity of the application users. The following methods are allowed. Basic: the username and password are passed in the Authorization request header, encoded in Base64. Bearer: a security token (an opaque string) is granted to the application users; the application user must send this token in the Authorization request header when making any reveal request to DPG. | Yes | Basic
Token Field | Name of the field in the authorization token that contains the username, based on which the level of access control over the reveal operation is determined. | Required when Bearer is selected as the authentication method. | No default

Logging
Field | Description | Mandatory | Default
--- | --- | --- | ---
Log Level | The level of logging that determines the verbosity of client logs. Options: INFO, WARN, ERROR, DEBUG. | Yes | WARN

Local Encryption
Field | Description | Mandatory | Default
--- | --- | --- | ---
Key Cache Expiry | Determines the minimum amount of time a key can be cached. | Yes | 43200 seconds

Connection Configuration
Note
If you are using DPG 1.2 and lower versions, configure the following parameters on the CipherTrust Manager UI.
Field | Description | Mandatory | Default
--- | --- | --- | ---
Maximum Idle Connection | Specifies the maximum number of idle (keep-alive) connections across all hosts. A value of 0 means no limit. | Yes | 10000
Maximum Idle Connection Per Host | Specifies the maximum number of idle (keep-alive) connections to keep for each host. | Yes | 10000
Dial Timeout | Specifies the maximum duration (in seconds) the DPG server will wait for a connection with the Application Server to succeed. | Yes | 10
Dial Keep Alive | Specifies the interval (in seconds) between keep-alive probes for an active network connection. | Yes | 10
Connection Idle Timeout | Specifies the duration for which a connection is allowed to be idle in the connection pool before it is automatically closed. | Yes | 600000
Connection Retry Interval | Specifies the time to wait before trying to reconnect to a disabled server. | Yes | 600000
Connection Timeout | Connection timeout value for clients. | Yes | 60000
Connection Read Timeout | Read timeout value for clients. | Yes | 7000
Size of Connection Pool | The maximum number of connections that can persist in a connection pool. | Yes | 300
Load Balancing Algorithm | Determines how the client selects a Key Manager from a load balancing group. Options: round-robin, random. | Yes | round-robin
Heartbeat Interval | Time interval (in seconds) after which the client sends a heartbeat notification to the CipherTrust Manager to get updated policies and configurations. | Yes | 300
Heartbeat Timeout Count | Number of missed heartbeats after which the client assumes a CipherTrust Manager instance is inactive. | Yes | -1 (The container will never be marked as unhealthy.)

Note
For DPG 1.3 and higher versions, the following parameters should be configured on the CipherTrust Manager UI.
Field | Description | Mandatory | Default
--- | --- | --- | ---
Connection Timeout | Connection timeout value for clients. | Yes | 60000
Heartbeat Interval | Time interval (in seconds) after which the client sends a heartbeat notification to the CipherTrust Manager to get updated policies and configurations. | Yes | 300
Heartbeat Timeout Count | Number of missed heartbeats after which the client assumes a CipherTrust Manager instance is inactive. | Yes | -1 (The container will never be marked as unhealthy.)

Tip
Heartbeat is a mechanism that notifies a client about any change in policies and configurations. The client sends the heartbeat to the CipherTrust Manager indicating that it is alive. In response, the CipherTrust Manager notifies client about any changes in the configurations and policies. To know more about the heartbeat parameters, refer to Heartbeat Configuration.
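The heartbeat parameters above (Heartbeat Interval, Heartbeat Timeout Count and, on the server side, Server Heartbeat Threshold) appear in both the CRDP and the DPG client configuration. The following Go program is an added illustration of how those three numbers interact; it is not Thales code and does not show how CRDP, DPG or the CipherTrust Manager implement the mechanism internally. It assumes that a client which has missed at least one heartbeat is in the warning state and moves to error once the threshold is exceeded (the page states only the warning-to-error transition), and it uses a threshold of 3 because the page gives that field no default. The -1 default for Heartbeat Timeout Count is the case worth noticing: the client keeps treating an unreachable manager as active indefinitely, so nothing on the client side ever reports the container unhealthy.

```go
package main

import "fmt"

// ClientHeartbeat models the client side of the exchange. Every IntervalSeconds
// the client sends a heartbeat; TimeoutCount is the Heartbeat Timeout Count.
// After that many consecutive misses the client treats the CipherTrust Manager
// instance as inactive; -1 means it never does (the page's default).
type ClientHeartbeat struct {
	IntervalSeconds int
	TimeoutCount    int
	missed          int
}

// Beat records one heartbeat attempt; acked means the manager answered.
func (c *ClientHeartbeat) Beat(acked bool) {
	if acked {
		c.missed = 0
		return
	}
	c.missed++
}

// ManagerActive reports whether the client still considers the manager reachable.
func (c *ClientHeartbeat) ManagerActive() bool {
	if c.TimeoutCount < 0 { // -1: the container is never marked unhealthy
		return true
	}
	return c.missed < c.TimeoutCount
}

// SecondsUntilInactive is how long a silent manager goes unnoticed before the
// client gives up on it; -1 signals "never".
func (c *ClientHeartbeat) SecondsUntilInactive() int {
	if c.TimeoutCount < 0 {
		return -1
	}
	return c.IntervalSeconds * c.TimeoutCount
}

// ServerView models the manager's view of one registered client. Threshold is
// the Server Heartbeat Threshold (assumption: 1..Threshold misses is a warning,
// more than Threshold is an error).
type ServerView struct {
	Threshold int
	missed    int
}

// Expect is called once per heartbeat interval with whether a heartbeat arrived.
func (s *ServerView) Expect(received bool) {
	if received {
		s.missed = 0
		return
	}
	s.missed++
}

// State is "healthy", "warning" or "error".
func (s *ServerView) State() string {
	switch {
	case s.missed == 0:
		return "healthy"
	case s.missed <= s.Threshold:
		return "warning"
	default:
		return "error"
	}
}

// Simulate runs both sides over a constructed sequence of delivered/missed
// heartbeats and returns one status line per interval.
func Simulate(client *ClientHeartbeat, server *ServerView, delivered []bool) []string {
	var out []string
	for i, ok := range delivered {
		client.Beat(ok)
		server.Expect(ok)
		out = append(out, fmt.Sprintf("t=%ds client_sees_manager_active=%v server_state=%s",
			(i+1)*client.IntervalSeconds, client.ManagerActive(), server.State()))
	}
	return out
}

func main() {
	// Page defaults: 300 s interval, timeout count -1; threshold 3 is assumed.
	c := &ClientHeartbeat{IntervalSeconds: 300, TimeoutCount: -1}
	s := &ServerView{Threshold: 3}
	for _, line := range Simulate(c, s, []bool{true, false, false, false, false, true}) {
		fmt.Println(line)
	}
}
```

Running it shows the manager moving the client from warning to error at the fourth miss while the client, with the -1 default, still reports the manager as active throughout; setting TimeoutCount to 2 instead makes the client declare the manager inactive after 600 seconds of silence.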
SSL Configuration
Field | Description | Mandatory | Default
--- | --- | --- | ---
TLS Enabled | Determines whether to enable TLS. If the check box is selected, DPG communicates with the upstream server over TLS; otherwise, TCP is used. | Yes | Not selected (not configurable)
TLS Skip Verify | This field is always selected; DPG does not verify the upstream server certificates. | Yes | Always selected (not configurable)

Click Next to go to the Policy page.
Note
Before moving to the next step, we recommend that you read about DPG Policies.
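Two settings on this page turn on checks against a client-supplied credential: the CRDP JWT Verification fields (Public Key in PKCS1 or PKCS8 form, Issuer, JWT Username Field) and the DPG Bearer scheme with its Token Field, alongside the Basic scheme. The Go program below is an added example of what those checks amount to; it is not Thales code and does not reproduce how CRDP or DPG implement them. It parses a public key in either PEM encoding, verifies an RS256 signature, pins the algorithm so that a token claiming "none" or an HMAC algorithm is rejected outright, compares the "iss" claim with the configured issuer, then reads the configured username claim; for the Basic scheme it decodes the Base64 user:password pair. The key pair, issuer "https://idp.example" and claim name "preferred_username" are constructed for the demonstration; in a deployment only the identity provider's public key is pasted into the Public Key field.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// ParsePublicKey accepts the two encodings the Public Key field allows: a
// PKCS1 "RSA PUBLIC KEY" block or a PKCS8/SubjectPublicKeyInfo "PUBLIC KEY" block.
func ParsePublicKey(pemText string) (*rsa.PublicKey, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	switch block.Type {
	case "RSA PUBLIC KEY":
		return x509.ParsePKCS1PublicKey(block.Bytes)
	case "PUBLIC KEY":
		pub, err := x509.ParsePKIXPublicKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		if rsaPub, ok := pub.(*rsa.PublicKey); ok {
			return rsaPub, nil
		}
		return nil, errors.New("public key is not RSA")
	}
	return nil, fmt.Errorf("unsupported PEM type %q", block.Type)
}

// VerifyJWT checks signature, algorithm and issuer, then returns the claim
// named by usernameField (the JWT Username Field / Bearer Token Field).
func VerifyJWT(token, issuer, usernameField string, pub *rsa.PublicKey) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// Pin the algorithm: never let the token choose how it is verified.
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return "", errors.New("unexpected or missing alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", errors.New("signature verification failed")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", err
	}
	if iss, _ := claims["iss"].(string); iss != issuer {
		return "", fmt.Errorf("issuer %q does not match the configured issuer", iss)
	}
	user, _ := claims[usernameField].(string)
	if user == "" {
		return "", fmt.Errorf("username field %q absent from claims", usernameField)
	}
	return user, nil
}

// BasicUsername extracts the username from a Basic scheme Authorization
// header: "user:password" encoded in Base64, as the DPG Basic scheme describes.
func BasicUsername(header string) (string, error) {
	const prefix = "Basic "
	if !strings.HasPrefix(header, prefix) {
		return "", errors.New("not a Basic credential")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(header, prefix))
	if err != nil {
		return "", err
	}
	pair := strings.SplitN(string(raw), ":", 2)
	if len(pair) != 2 || pair[0] == "" {
		return "", errors.New("credential is not user:password")
	}
	return pair[0], nil
}

// DemoVectors builds a throwaway key pair (constructed for this example) and
// signs a sample token with it, returning both PEM encodings of the public key.
func DemoVectors() (pemPKCS1, pemPKCS8, token string, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", "", "", err
	}
	pemPKCS1 = string(pem.EncodeToMemory(&pem.Block{Type: "RSA PUBLIC KEY", Bytes: x509.MarshalPKCS1PublicKey(&priv.PublicKey)}))
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return "", "", "", err
	}
	pemPKCS8 = string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body, _ := json.Marshal(map[string]string{"iss": "https://idp.example", "preferred_username": "alice"})
	pl := base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(hdr + "." + pl))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", "", "", err
	}
	return pemPKCS1, pemPKCS8, hdr + "." + pl + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

func main() {
	p1, _, tok, _ := DemoVectors()
	pub, _ := ParsePublicKey(p1)
	user, err := VerifyJWT(tok, "https://idp.example", "preferred_username", pub)
	fmt.Println(user, err)
}
```

The order of checks matters: the signature is verified before any claim is read, so an issuer or username value is never trusted from a token whose signature has not been confirmed, and a token with a mismatched issuer is rejected even when its signature is valid.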
Create and Associate Policy
On the DPG Policy page, click Add Endpoint.
On the Create Endpoint screen, perform the following steps:
Enter the API URL. This is the URL of the application for which the DPG will protect the data.
Select Method from the drop-down list. Supported methods are:
POST
GET
PUT
PATCH
DELETE
Note
You must configure JSON path/URL parameters separately for each method.
Click Add Token to configure the JSON path/URL parameters. For the same method, you can configure Request and Response simultaneously.
On the Create Token in Request screen, enter/select the following details.
Field | Description
--- | ---
Name | Specify the complete JSON path/URL parameters to be protected/revealed.
Location | Location of the data to be protected/revealed. Possible options are JSON (the data to be protected is in the JSON body) and URL (the data to be protected is in the URL parameters).
Operation | Cryptographic operation to be performed. Possible options are Protect and Reveal.
Protection Policy | Select the protection policy from the drop-down list. If the protection policy doesn't exist, click Add Protection Policy and then click Select. Refer to Managing Protection Policies for details.
External Version Header | Specify the name of the parameter that will store the version header details (type, protection policy version, and key version). This parameter appears on the UI only when the selected protection policy uses an external version header.
Access Policy | This parameter appears on the UI only if the operation type is Reveal. Select the access policy from the drop-down list. If the access policy doesn't exist, click Add Access Policy and then click Select. Refer to Managing Access Policies for details.

If the JSON body has an array of objects, specify the sensitive tokens in the format shown in the example below:

```json
{
  "Name": "John",
  "CreditCard": [
    {
      "CCNumber": "1234-5678-9012-3456",
      "CVV": "123",
      "Expiry": "12/03"
    }
  ],
  "Amount": "250"
}
```

In this example, CreditCard is an array of objects (each with CCNumber, CVV, and Expiry). To protect/reveal CCNumber, specify the token as CreditCard.[*].CCNumber in the request/response of the DPG policy. Similarly, to protect/reveal CVV, use CreditCard.[*].CVV.

Note
If a set of data is already protected with a protection policy, ensure to reveal the data with the same protection policy.
Click Create. The newly created policy is listed on the DPG Policy page.
Now, to configure JSON path/URL parameters for other methods, click Add Endpoint and repeat steps a to g; otherwise, click Next to go to the Confirmation screen.
The below diagrams show that different methods require separate endpoint configurations.
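To make the token format concrete, the following Go program is an added example (not Thales code, and not DPG's own path engine) that resolves tokens such as CreditCard.[*].CCNumber against a JSON body: a "[*]" segment fans out over every element of an array, any other segment selects an object key, and a missing field simply matches nothing. The sample body is the page's example; the second input in the test and the "<protected>" marker are constructed, the marker standing in for the protect operation that a real protection policy would perform. It generalises the page's example slightly by also handling a trailing "[*]" on an array of plain strings and nested arrays.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// SampleRequest is the page's example body (constructed input for this example).
const SampleRequest = `{
  "Name": "John",
  "CreditCard": [
    {"CCNumber": "1234-5678-9012-3456", "CVV": "123", "Expiry": "12/03"}
  ],
  "Amount": "250"
}`

// Apply follows a DPG-style token path such as "CreditCard.[*].CCNumber"
// through doc and replaces each matching string leaf with op(leaf).
// It returns the number of leaves rewritten.
func Apply(doc interface{}, path string, op func(string) string) int {
	return walk(doc, strings.Split(path, "."), op)
}

func walk(node interface{}, segs []string, op func(string) string) int {
	seg, rest := segs[0], segs[1:]
	if seg == "[*]" {
		arr, ok := node.([]interface{})
		if !ok {
			return 0 // the path expects an array here but the body has something else
		}
		n := 0
		for i := range arr {
			if len(rest) == 0 {
				if s, ok := arr[i].(string); ok { // e.g. "Tags.[*]": array of scalars
					arr[i] = op(s)
					n++
				}
				continue
			}
			n += walk(arr[i], rest, op)
		}
		return n
	}
	obj, ok := node.(map[string]interface{})
	if !ok {
		return 0
	}
	child, present := obj[seg]
	if !present {
		return 0 // field absent from this body: nothing to protect
	}
	if len(rest) == 0 {
		if s, ok := child.(string); ok {
			obj[seg] = op(s)
			return 1
		}
		return 0
	}
	return walk(child, rest, op)
}

// ProtectDoc parses body, applies op to every leaf matched by any of paths
// and returns the rewritten document plus the total number of leaves touched.
func ProtectDoc(body []byte, paths []string, op func(string) string) (map[string]interface{}, int, error) {
	var doc map[string]interface{}
	if err := json.Unmarshal(body, &doc); err != nil {
		return nil, 0, err
	}
	total := 0
	for _, p := range paths {
		total += Apply(doc, p, op)
	}
	return doc, total, nil
}

func main() {
	// Stand-in for the protection policy: a fixed marker instead of a real protect call.
	marker := func(string) string { return "<protected>" }
	doc, n, err := ProtectDoc([]byte(SampleRequest), []string{"CreditCard.[*].CCNumber", "CreditCard.[*].CVV"}, marker)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(doc, "", "  ")
	fmt.Printf("%d field(s) protected:\n%s\n", n, out)
}
```

With the two tokens from the page, CCNumber and CVV inside the CreditCard array are rewritten while Name, Amount and Expiry pass through unchanged, which is the behaviour to expect when checking an endpoint definition against a sample request.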
Confirmation
On the Add Application page, verify the application details. The Confirmation screen displays general information, settings, and DPG policy.
If you want to modify any detail, click Edit and update the details.
Click Add. A message stating Application created successfully is displayed on the screen. At this step, a Registration Token is generated. The clients will use this token to get registered on the CipherTrust Manager. To view the registration token, click here.
Click Close to exit the setup. The newly defined application is added to the list of Applications.