BDT Config File
The BDT Config file contains the following attributes:
| See Also |
|---|
| Sample BDT Config File |
Global Config File Attributes
The configuration of the BDT utility is stored in JSON format in the file bdt.config. At the top of the file are several global configuration settings, followed by settings that configure the main underlying tools used by BDT:
| Attribute | Default Value | Mandatory/Optional | Description |
|---|---|---|---|
| inputDirectory | No default | Mandatory | The path to the directory in which the input file or DB is placed. |
| outputDirectory | No default | Mandatory | The path to the directory in which the output file or DB needs to be placed. |
| threadCount | No default | Mandatory | The maximum number of running threads required to transform a file. |
| batchSize | No default | Mandatory | The total number of records in the batch. |
| crypto{} | - | Mandatory (for encryption and decryption) | Contains settings for the cryptographic provider used in this BDT configuration. Either go with the default jce (CADP-JCE) or configure it for vae (Vormetric Application Encryption). Refer to the Cryptographic Provider Attributes section for details.<br>Note: The crypto{} object replaces the previously-used vae{} object, which is now deprecated. |
| dataProtectionConfig{} | No default | Mandatory (if policy is fetched from Key Manager) | Contains credential information that is used to fetch the centralized policy. Refer to the Data Protection Attributes section for details. |
| vts{} | No default | Mandatory (for tokenization and detokenization) | Contains settings to customize the behavior of CipherTrust Vaultless Tokenization (CT-VL). Refer to the CT-VL Attributes section for details. |
| characterSets{} | No default | Mandatory | Contains a configurable list of charset names and their ranges. |
Cryptographic Provider Attributes
BDT has a separate section to configure 'Cryptographic Provider'. The crypto{} object contains the following settings:
| Attribute | Default Value | Mandatory/Optional | Description |
|---|---|---|---|
| @type | jce | Optional | BDT provides two types of cryptographic providers: the default jce (CADP-JCE) and vae. |
| userName | No default | Mandatory | (Used only with the default crypto provider.) Key owner user name. |
| password | No default | Mandatory | (Used only with the default crypto provider.) Key owner user password. |
| pin | No default | Mandatory | (Used only when the crypto provider is vae.) Key Manager passphrase. |
| libPath | No default | Mandatory | (Used only when the crypto provider is vae.) Path to the vae library. |
Data Protection Attributes
BDT has a separate section for the 'Data Protection Profile' that holds its user information.
The dataProtectionConfig{} object contains the following settings:
| Attribute | Default Value | Mandatory/Optional | Description |
|---|---|---|---|
| @type | No default | Mandatory | For the dataProtectionConfig, BDT supports two login methods:<br>password - The user logs in using a password.<br>user_certificate - The user logs in using a user certificate. |
| userName | No default | Mandatory | (Used only when the @type value is user name.) User name having access to batch data transformation on the key manager. |
| password | No default | Mandatory | (Used only when the @type value is password.) Password of the user having access to batch data transformation on the key manager. Run the bdt -e option to set the password. |
| hostName | No default | Mandatory | (Used only when the @type value is user_certificate.) Hostname of the machine where the tokenization server is running. |
| serverConfig | No default | Mandatory | (Used only when the @type value is user_certificate.)<br>truststore: Truststore file path; the truststore should contain the server certificate.<br>password: Truststore file password.<br>verifyHostname: Set to true to enable hostname verification for SSL communication, and false to disable hostname verification. |
| clientConfig | No default | Mandatory | (Used only when the @type value is user_certificate.)<br>keystore: Keystore file path of the client.<br>storePassword: Keystore file password of the client.<br>keyPassword: Key file password, usually the same as the keystore password. |
CT-VL Attributes
BDT has a separate section for the 'CT-VL Attributes'. The vts{} object contains the following settings:
| Attribute | Default Value | Mandatory/Optional | Description |
|---|---|---|---|
| hostName | No default | Mandatory | Hostname of the machine where the tokenization server is running. |
| userName | No default | Mandatory | The CT-VL username. |
| password | No default | Mandatory | The CT-VL password. Use the bdt -e option to enter an encrypted value here. Do not use plaintext. |
| tokenUrl | No default | Mandatory | The CT-VL tokenize REST URL. |
| detokenUrl | No default | Mandatory | The CT-VL detokenize REST URL. |
| sslConfig | No default | Mandatory | Contains the server and client authentication configuration attributes. |
Server Authentication Attributes
You must set up SSL for secure communication between the BDT utility and the CT-VL. In the vts{} section of bdt.config, the server{} object contains the following settings related to SSL authentication:
| Attribute | Default Value | Mandatory/Optional | Description |
|---|---|---|---|
| sslmode | DEFAULT | Optional | One of the following values:<br>DEFAULT - Trust only a standard valid certificate issued by a Certificate Authority (CA). If the certificate is expired, self-signed, or invalid, communication with the VTS server fails.<br>SPECIFY_SSL_CERT - Trust standard certificates and certificates stored in the provided trust store (specified in the truststore setting). Use this to accept self-signed and expired certificates.<br>ALLOW_ALL - Trust all certificates; no trust policy is defined. Any kind of SSL certificate is acceptable, including valid, expired, self-signed, or any other. The truststore setting is not required. |
| verifyHostname | false | Optional | Set to true to enable hostname verification for SSL communication, and false to disable hostname verification. |
| truststore | No default | Mandatory | (Used only when sslmode is SPECIFY_SSL_CERT.) Truststore file path. To set up the truststore:<br>1. Get the server's public certificate. If it is not available, open the VTS URL in a browser and export it from the Security option.<br>2. Import the certificate and create the truststore using the following command. It will output the truststore password.<br>keytool -import -alias "vts host certificate" -file server.crt -keystore server.truststore<br>Important: Note this password. You need to provide it in the password parameter. |
| password | No default | Mandatory | (Used only when sslmode is SPECIFY_SSL_CERT.) Truststore file password, obtained when importing the CT-VL certificate and creating the truststore. |
Client Authentication Attributes
In the vts{} section of bdt.config, the client{} object contains the following settings related to SSL authentication:
| Attribute | Default Value | Mandatory/Optional | Description |
|---|---|---|---|
| sslmode | DEFAULT | Optional | One of the following values:<br>DEFAULT - Client authentication is disabled. No need to send client identity.<br>ALLOW_ALL - Client authentication is disabled. No need to send client identity.<br>SPECIFY_SSL_CERT - Client authentication is enabled. Create a keystore with the client certificate and key, and set the keystore path in the keystore parameter. Communication succeeds if the CT-VL server finds a valid certificate in the keystore. |
| keystore | No default | Mandatory | Client's keystore file path. This assumes a keystore has already been created, for example using keytool. |
| storepassword | No default | Mandatory | Client's keystore file password. |
| keypassword | No default | Mandatory | Client's key password. |
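As an added example (not part of the product documentation or of BDT itself), the following Python audit reads a bdt.config and flags the server and client sslConfig settings that the two tables above describe as weak or incomplete: ALLOW_ALL on the server side, verifyHostname left at its default of false, and mandatory truststore/keystore attributes missing for SPECIFY_SSL_CERT. The vts.sslConfig.server / vts.sslConfig.client nesting, the sample hostnames and the placeholder values are assumptions.

```python
import json

# Constructed sample fragments of bdt.config (not from the product docs). The
# vts.sslConfig.server / vts.sslConfig.client nesting is assumed from the
# attribute tables; hostnames and password values are placeholders.
WEAK_CONFIG = """{
  "vts": {
    "hostName": "vts.example.internal",
    "password": "<value produced by bdt -e>",
    "sslConfig": {
      "server": {"sslmode": "ALLOW_ALL", "verifyHostname": false},
      "client": {"sslmode": "SPECIFY_SSL_CERT", "keystore": "client.jks"}
    }
  }
}"""

HARDENED_CONFIG = """{
  "vts": {
    "sslConfig": {
      "server": {"sslmode": "SPECIFY_SSL_CERT", "verifyHostname": true,
                 "truststore": "server.truststore", "password": "<value produced by bdt -e>"},
      "client": {"sslmode": "SPECIFY_SSL_CERT", "keystore": "client.jks",
                 "storepassword": "<value produced by bdt -e>", "keypassword": "<value produced by bdt -e>"}
    }
  }
}"""


def audit_vts_ssl(config_text: str) -> list:
    """Return human-readable findings for weak or incomplete CT-VL TLS settings."""
    ssl = json.loads(config_text).get("vts", {}).get("sslConfig", {})
    server, client = ssl.get("server", {}), ssl.get("client", {})
    findings = []
    mode = server.get("sslmode", "DEFAULT")  # the table gives DEFAULT as the default
    if mode == "ALLOW_ALL":
        findings.append("server.sslmode=ALLOW_ALL trusts any certificate; the CT-VL identity is never checked")
    elif mode == "SPECIFY_SSL_CERT":
        for key in ("truststore", "password"):
            if not server.get(key):
                findings.append(f"server.{key} is mandatory when sslmode is SPECIFY_SSL_CERT")
    if server.get("verifyHostname") is not True:  # default is false per the table
        findings.append("server.verifyHostname is not true; a certificate for another host is accepted")
    if client.get("sslmode", "DEFAULT") == "SPECIFY_SSL_CERT":
        for key in ("keystore", "storepassword", "keypassword"):
            if not client.get(key):
                findings.append(f"client.{key} is mandatory when sslmode is SPECIFY_SSL_CERT")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_vts_ssl(text) or ["no findings"])
```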