Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Advanced Topics

BDT Config File

search

Please Note:

printsuggest an edit

BDT Config File

Refer to the Sample BDT Config File for details.

copy link to clipboardGlobal Config File Attributes

The configuration of the BDT utility is stored in JSON format in the file bdt.config. At the top of the file are several global configuration settings, followed by settings that configure the main underlying tools used by BDT:

AttributeDefault ValueMandatory/OptionalDescription
inputDirectoryNo defaultMandatoryThe path to the directory in which the input file or DB is placed.
outputDirectoryNo defaultMandatoryThe path to the directory in which the output file or DB needs to be placed.
threadCountNo defaultMandatoryThe maximum number of running threads required to transform a file.
batchSizeNo defaultMandatoryThe total number of records in the batch.
dataProtectionConfigNo defaultMandatory (if policy is fetched from Key Manager)Contains credential information which will be used to get centralized policy.
characterSetsNo defaultMandatoryContains configurable list of charset names and their range.

Users can also define their own characterSets in the bdt.config file as shown below:

"characterSets" : [
{
"Name of CharacterSets" : [ "Range of CharacterSets" ]
}
]
vtsNo defaultMandatory (for tokenization and detokenization)Contains settings to customize the behavior of the CipherTrust Vaultless Tokenization (CT-VL).
cryptoNo defaultMandatory (for encryption and decryption)Contains settings for the cryptographic provider used in this BDT configuration i.e jce (CADP-JCE).

copy link to clipboardData Protection Attributes

BDT has a separate section for 'Data Protection Profile' to add its user information.
The dataProtectionConfig object contains the following settings:

AttributeDefault ValueMandatory/OptionalDescription
@typeNo defaultMandatoryFor the dataProtectionConfig, BDT supports two login methods:

password - The user logs in using password.

user_certificate - The user logs in using a user certificate.
userNameNo defaultOptional(Used only when @type value is password). User name having access to batch data transformation on key manager.
passwordNo defaultOptional(Used only when @type value is password). User password having access to batch data transformation on key manager. Run bdt -e option to set password.
hostNameNo defaultOptional(Used only when @type value is user_certificate). Hostname of the machine where tokenization server is running.
serverConfigNo defaultOptional(Used only when @type value is user_certificate).
clientConfigNo defaultOptional(Used only when @type value is user_certificate).

Below is the sample for @type is set to password:

"dataProtectionConfig":
{
    "@type": "password",
    "username": "test_user",
    "password": ""
}

Below is the sample for @type is set to user_certificate:

"dataProtectionConfig":
{
    "@type": "user_certificate",
    "hostName": "",
    "serverConfig":
    {
        "truststore": "",
        "password": "",
        "verifyHostname": "true"
    },
    "clientConfig":
    {
        "keystore": "",
        "storePassword": "",
        "keyPassword": ""
    },
}

Refer to Sample BDT Config File for details.

copy link to clipboardServer Configuration Attributes

AttributeDefault ValueMandatory/OptionalDescription
truststoreNo defaultMandatoryTruststore file path, truststore should have server certificate.
passwordNo defaultMandatoryTruststore file password.
verifyHostnamefalseOptionalSet to true to enable hostname verification for SSL communication, and false to disable hostname verification.

copy link to clipboardClient Configuration Attributes

AttributeDefault ValueMandatory/OptionalDescription
keystoreNo defaultMandatoryKeystore file path of the client.
storePasswordNo defaultMandatoryKeystore file password of the client.
keyPasswordNo defaultMandatoryKey file password, usually same as keystore password.

copy link to clipboardTransformation Specific Attributes

copy link to clipboardCT-VL Attributes

BDT has a separate section for the 'CT-VL Attributes'. The vts object contains the following settings:

AttributeDefault ValueMandatory/OptionalDescription
hostNameNo defaultMandatoryHostname of the machine where tokenization server is running.
userNameNo defaultMandatoryThe CT-VL username.
passwordNo defaultMandatoryThe CT-VL password. Use the bdt -e option to enter encrypted value here. Do not use plaintext.
tokenUrlNo defaultMandatoryThe CT-VL tokenize REST URL.
detokenUrlNo defaultMandatoryThe CT-VL detokenize REST URL.
sslConfigNo defaultMandatoryContains the server and client authentication configuration attributes.

copy link to clipboardServer Authentication Attributes

You must set up SSL for secure communication between the BDT utility and the CT-VL. In the vts section of bdt.config, the server object contains the following settings related to SSL authentication:

AttributeDefault ValueMandatory/OptionalDescription
sslmodeDEFAULTOptionalOne of the following values:

DEFAULT - Trust only a standard valid certificate issued by a Certificate Authority (CA). If the certificate is expired, self-signed, or invalid, communication with the VTS server fails.

SPECIFY_SSL_CERT - Trust standard certificates and certificates stored in the provided trust store (specified in the truststore setting). Use to accept self-signed and expired certificates.

ALLOW_ALL - Trust all certificates; no trust policy is defined. Any kind of SSL certificate is acceptable, including valid, expired, self-signed, or any other. The truststore setting is not required.
verifyHostnamefalseOptionalSet to true to enable hostname verification for SSL communication, and false to disable hostname verification.
truststoreNo defaultOptional(Used only when sslmode is SPECIFY_SSL_CERT). Truststore file path. To set up the truststore:

1. Get the server's public certificate. If not available, open the VTS URL in a browser and export it from the Security option.

2. Import the certificate and create the truststore. Use the following command. It will output the truststore password.

keytool -import -alias "vts host certificate" -file server.crt -keystore server.truststore

Important: Note this password. You need to provide it in the password parameter.
passwordNo defaultOptional(Used only when sslmode is SPECIFY_SSL_CERT). Truststore file password is obtained on importing the CT-VL certificate and creating the truststore.

copy link to clipboardClient Authentication Attributes

In the vts section of bdt.config, the client object contains the following settings related to SSL authentication:

AttributeDefault ValueMandatory/OptionalDescription
sslmodeDEFAULTOptionalOne of the following values:

DEFAULT - Client authentication is disabled. No need to send client identity.

ALLOW_ALL - Client authentication is disabled. No need to send client identity.

SPECIFY_SSL_CERT - Client authentication is enabled. Create keystore with client certificate and key. Set keystore path in the keystore parameter. Communication succeeds if the CT-VL server finds a valid certificate set in the keystore.
keystoreNo defaultOptional(Used only when sslmode is SPECIFY_SSL_CERT). Client's keystore file path. This assumes a keystore has already been created; for example, using keytool.
storepasswordNo defaultOptional(Used only when sslmode is SPECIFY_SSL_CERT). Client's keystore file password.
keypasswordNo defaultOptional(Used only when sslmode is SPECIFY_SSL_CERT). Client's key password.

copy link to clipboardCryptographic Provider Attributes

BDT has a separate section to configure 'Cryptographic Provider'. The crypto object contains the following settings:

AttributeDefault ValueMandatory/OptionalDescription
@typejceOptionalBDT supports the cryptographic provider jce. If any value is not specified, BDT will use jce, which is a default crypto provider.
userNameNo defaultOptional(Used only when using default crypto provider). Key owner user name.
passwordNo defaultOptional(Used only when using default crypto provider). Key owner user password.

On this page