DDC Agents
This document provides procedures for installing and upgrading Agents in the Operating Systems required by your Data Stores. Agents should always be upgraded to be aligned with the latest server version. To upgrade an Agent, simply re-install it. Before reinstalling, you have to uninstall the older version of the Agent.
Note
As of this release, most Agents without the database runtime component will not be supported. If you have any affected Agents installed without the database runtime component, you have to upgrade them to the database runtime version.
Download the DDC Agents ZIP file corresponding to the CipherTrust Manager version from the Thales Customer Support Portal.
Check the Agent Compatibility Matrix to find a matching Agent to the desired Data Stores.
Extract the Agent Installer Package from DDC Agents ZIP and save it on the host machine where you want to install the Agent.
Follow the appropriate procedure for your Operating System.
Tip
Before you begin the installation, make sure that CipherTrust Manager is reachable from the host where you are installing the Agent.
Agent Compatibility Matrix
The following table lists the supported Agent installers for each type of data store, platform and database, to help you select the appropriate installer for your data store requirements.
Data Store Category | Data Store Type | Agent Configuration | Agent Installer Packages |
---|---|---|---|
Local Storage | RHEL, CentOS | Local | All RHEL Agents. |
Local Storage | Debian based distros | Local | Debian Agent. |
Local Storage | Windows | Local | All Windows Agents. |
Database Storage | IBM DB2 11.1 and higher | Proxy | All Windows Agents. |
Database Storage | Microsoft SQL 2005 and higher | Proxy | All Windows Agents. Make sure to install the latest ODBC drivers package from the Microsoft site |
Database Storage | Oracle 9 and higher | Local, Proxy | All Windows Agents, and RHEL Agent with database support. |
Database Storage | PostgreSQL 9.5 and higher | Proxy | All Windows Agents, and RHEL Agent with database support. |
Database Storage | SAP HANA 2.0 | Proxy | All Windows Agents. |
Network Storage | Unix File Share (NFS) | Proxy | All RHEL Agents and Debian Agent. |
Network Storage | Windows Share (SMB, CIFS) | Proxy | All Windows Agents. |
Cloud Storage | AWS S3 (Amazon Web Services) | Proxy | All agents provided in this release. |
Cloud Storage | Microsoft Azure Blobs | Proxy | All agents provided in this release. |
Cloud Storage | Office 365: Sharepoint Online | Proxy | All agents provided in this release. |
Cloud Storage | Office 365: Exchange Online | Proxy | All Windows Agents. Agent host architecture (32-bit or 64-bit) must match the Exchange Server |
Big Data | Hadoop 2.7.3 and higher | Proxy | Debian Agent running in Ubuntu 18 |
DDC supports two types of Agent configurations:
Local: Agent is installed and configured directly on the machine that contains sensitive data.
Proxy: Agent is installed and configured on a proxy machine that is used to scan sensitive data on other machines.
Note
The instructions to install and configure Agents in both types of configurations are the same.
RHEL Agents
Operating System | Agent Installer Package | Upgrades Old Package |
---|---|---|
RHEL 7 64-bit | er2-2.3.0-linux3-rh-x64_database-runtime.rpm | er2-2.0.31-linux26-rh-x64.rpm ¹, er2-2.1.0-linux26-rh-x64.rpm ¹ |
RHEL 6 64-bit, RHEL 5 64-bit | er2-2.3.0-linux26-rh-x64.rpm | er2-2.0.31-linux26-rh-x64.rpm, er2-2.1.0-linux26-rh-x64.rpm |
RHEL 6 32-bit, RHEL 5 32-bit | er2-2.3.0-linux26-x32.rpm | er2-2.0.31-linux26-x32.rpm, er2-2.1.0-linux26-x32.rpm, er2-2.0.31-linux24-x32.rpm, er2-2.1.0-linux24-x32.rpm |
RHEL 4 is no longer supported, so if you are running this Operating System please consider upgrading.
Operating System | Deprecated Packages |
---|---|
RHEL 4 32-bit | er2-2.0.31-linux24-x32.rpm, er2-2.1.0-linux24-x32.rpm |
Installing Agents on RHEL
To install the Linux 3 database runtime Node Agent on RHEL:
Install the epel-release package:
sudo yum install epel-release
Install the required packages:
sudo yum install libxml2 libgsasl openssl libcurl libuuid protobuf krb5-libs libaio
Navigate to the location where the Agent installation package (.rpm) is stored.
Install the Agent by using the following command:
sudo rpm -ivh er2-2.x.x-linux3-rh-x64_database-runtime.rpm
For example:
sudo rpm -ivh er2-2.0.31-linux3-rh-x64_database-runtime.rpm
Connect the Agent to the active CipherTrust Manager node:
er2-config -i <hostname|ip_address>
where <hostname|ip_address> represents the IP address or hostname of the CipherTrust Manager node.
Test the connection settings (on the data store that is using this host):
er2-config -t
If the connection has been correctly configured, you should see the following message:
Testing connection setting... Test SUCCESS. Saving settings Configuration updated, please restart agent service The configuration has been saved. Please restart the agent for the changes to take effect.
Restart the Agent:
Option 1
sudo /etc/init.d/er2-agent restart
Option 2
sudo /etc/init.d/er2-agent stop
sudo /etc/init.d/er2-agent start
Note
The installation script creates an erecon user in the erecon group. Please ensure that this user (or group) is able to read all the files to scan. For security reasons, the account has its password locked to ensure that the user is solely used by the Data Discovery and Classification scanning agent.
Uninstalling Agents from RHEL
To uninstall a DDC Agent:
Stop the DDC Agent.
sudo /etc/init.d/er2-agent stop
Remove the existing packages:
sudo rpm -e er2
Debian Agent
Operating System | Agent Installer Package | Upgrades Old Package |
---|---|---|
Debian 10 64-bit, Ubuntu 18 64-bit | er2-2.3.0-linux3-x64_database-runtime.deb | er2-2.0.31-linux3-x64.deb ¹, er2-2.1.0-linux3-x64.deb ¹, er2-2.0.31-linux3-x64_database-runtime.deb, er2-2.1.0-linux3-x64_database-runtime.deb |
Installing Agents on Debian
Navigate to the location where the Agent installation (.deb) package is stored.
Install the required packages:
sudo apt-get install libaio1 libaio-dev krb5-user libgsasl7 libcurl4 libprotobuf10
Install the Agent by using the following command:
sudo dpkg -i er2_2.x.xx-xxxx_.deb
For example:
sudo dpkg -i er2_2.0.31-linux26-x64.deb
The package name that you use with the command may be different and depends on your system's architecture and Agent type.
Connect the Agent to the active CipherTrust Manager node:
sudo er2-config -i <hostname|ip_address>
where <hostname|ip_address> represents the IP address or hostname of the CipherTrust Manager node.
Test the connection settings (on the data store that is using this host):
sudo er2-config -t
If the connection has been correctly configured, you should see the following message:
Testing connection setting... Test SUCCESS. Saving settings Configuration updated, please restart agent service The configuration has been saved. Please restart the agent for the changes to take effect.
Restart the Agent:
Option 1
sudo /etc/init.d/er2-agent restart
Option 2
sudo /etc/init.d/er2-agent stop
sudo /etc/init.d/er2-agent start
Note
The installation script creates an erecon user in the erecon group. Please ensure that this user (or group) is able to read all the files to scan. For security reasons, the account has its password locked to ensure that the user is solely used by the Data Discovery and Classification scanning agent.
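One way to check both conditions of this Note (and the identical Note in the RHEL section) after installation, as an added example that is not Thales code: it reads the lock state from the shadow entry and computes readability from owner, group and mode bits. It assumes GNU stat and getent, local accounts and no ACLs; the function names and the script itself are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: audit the erecon account created by the Agent installer.
# Assumes GNU stat and getent, local accounts, and no ACLs on the scan tree.

# shadow_is_locked ENTRY: succeed if the password field of a shadow(5) line
# starts with '!' or '*', so no password can match it. Empty means NOT locked.
shadow_is_locked() {
    local field="${1#*:}"  # drop the login name
    field=${field%%:*}     # keep only the password field
    case "$field" in
        '!'*|'*'*) return 0 ;;
        *)         return 1 ;;
    esac
}

# mode_allows_read MODE OWNER GROUP USER "GROUPS": succeed if USER may read.
# Only the first matching class (owner, then group, then other) is consulted.
mode_allows_read() {
    local perms mask
    perms=$(( 0$1 ))       # leading 0 makes stat's %a value octal
    if [ "$4" = "$2" ]; then
        mask=0400
    else
        case " $5 " in
            *" $3 "*) mask=0040 ;;
            *)        mask=0004 ;;
        esac
    fi
    [ $(( perms & $mask )) -ne 0 ]
}

# audit_tree USER DIR: list regular files under DIR that USER cannot read.
# Directory search permission and names containing newlines are not handled.
audit_tree() {
    local uid gids mode owner group path
    uid=$(id -u "$1") && gids=$(id -G "$1") || return 2
    find "$2" -type f -exec stat -c '%a %u %g %n' {} + |
    while read -r mode owner group path; do
        mode_allows_read "$mode" "$owner" "$group" "$uid" "$gids" ||
            printf 'unreadable by %s: %s\n' "$1" "$path"
    done
}

# Run as root with the directory to be scanned as the only argument.
if [ "$#" -gt 0 ]; then
    shadow_is_locked "$(getent shadow erecon)" ||
        echo "erecon: password NOT locked or account missing" >&2
    audit_tree erecon "$1"
fi
```

Any path it prints needs a group or mode change before the scan; a file whose group matches erecon but lacks group read is reported even when "other" has read, because only the first matching class is consulted.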
Uninstalling Agents from Debian
To uninstall a DDC Agent:
Stop the DDC Agent.
sudo /etc/init.d/er2-agent stop
Remove the existing packages:
sudo dpkg --remove er2
Windows Agents
Operating System | Agent Installer Package | Upgrades Old Package |
---|---|---|
Windows 7/8/8.1 32-bit | er2_2.3.0-windows-x32_database-runtime.msi | er2_2.0.31-windows-x32.msi ¹, er2_2.1.0-windows-x32.msi ¹, er2_2.0.31-windows-x32_database-runtime.msi, er2_2.1.0-windows-x32_database-runtime.msi |
Windows 7/8/8.1 64-bit, Windows 10 64-bit, Windows Server 2012/2012 R2 64-bit, Windows Server 2016 64-bit, Windows Server 2019 64-bit | er2_2.3.0-windows-x64_database-runtime.msi | er2_2.0.31-windows-x64.msi ¹, er2_2.1.0-windows-x64.msi ¹, er2_2.0.31-windows-x64_database-runtime.msi, er2_2.1.0-windows-x64_database-runtime.msi |
Installing Agents on Windows
Log in to the host machine where you want to install the Agent as administrator.
Run the Agent installer.
In the Welcome screen of the setup wizard, click Next to continue.
The End-User Licence Agreement (EULA) screen is displayed.
Read the license agreement and select I accept the terms in the Licence Agreement.
Click Next to continue.
In the Choose Setup Type screen, select the Install option for the standard installation and click Next to continue.
The Ready to Install screen is displayed.
Click Install to install the product in the default location.
If the User Access Control dialog box appears, click Yes to confirm.
The installation begins and the progress is shown under the Status progress bar.
During the installation, in a separate Node Configuration window, you are asked for the connection details of the active CipherTrust Manager node.
Master server IP address or host name: specify the IP address or host name of the CipherTrust Manager node.
Master server public key and Target Group: skip this configuration part as it is optional and currently not used.
Click Test Connection to test the connection between the Agent and CipherTrust Manager.
If the connection is properly configured, a confirmation will appear stating "Connectivity test is successful". Click OK to close the prompt.
If the connectivity test fails, click OK to close the prompt, make sure that CipherTrust Manager is reachable from the Agent host, and retry the test.
Click Finish to complete the configuration.
After a successful Agent installation, click the Finish button to exit the wizard and complete the installation.
Note
The installer creates a service called Enterprise Recon 2 Agent that runs under the Local System user account.
For scanning MS SQL DB make sure to install the latest ODBC drivers package from the Microsoft site.
Uninstalling Agents from Windows
To uninstall a DDC Agent, you must be logged on as Administrator to the host where the Agent is running.
Navigate to the Control Panel > Programs and Features.
Locate the Enterprise Recon 2 Agent in the list of installed programs.
Right click the Agent and select Uninstall.
In the dialog box that is displayed, select to automatically close the Enterprise Recon 2 Agent application, and click OK to continue.
Walk through the wizard.
Tip
Alternatively, to uninstall a DDC Agent from CLI, run the following commands as Administrator:
net stop "Enterprise Recon 2 Agent (<ARCH>)"
wmic product where name="Enterprise Recon 2 Agent (<ARCH>)" uninstall