Deploy BDT as a Standalone Container
This article covers the steps involved in deploying BDT as a standalone container in Docker. Refer to Alternative Deployment Methods for other methods of deploying BDT.
Prerequisites
Docker Container Runtime Environment (CRE) is ready.
Docker version 24.0.1 or higher is installed.
CipherTrust Manager 2.19 or higher is up and running. Refer to CipherTrust Manager Deployment for details.
BDT image repository, thalesciphertrust/ciphertrust-batch-data-transformation, is accessible. This repository contains images of BDT. The image path with the latest tag always points to the latest release.
Note
The user is responsible for maintaining the security of their production environment.
Steps to Deploy BDT as Standalone Container
Create an BDT application on CipherTrust Manager. Click the desired tab to view the instructions.
To create an application from CipherTrust Manager's UI, follow this link.
The application is created on the CipherTrust Manager and a registration token is returned in response. This token is passed in the deployment scripts to register BDT client on the CipherTrust Manager as shown in the below steps.
API:
/v1/data-protection/client-profilesRequest
{ "name": "client_profile_bdt", "app_connector_type": "BDT", "heartbeat_threshold": 5, "configurations": { "log_level": "INFO", "heartbeat_interval": 30, "heartbeat_timeout_count":3, "thread_count": 2, "batch_size": 10 } }Response
{ "id": "9f3edcb1-38e8-4bc7-8c41-99e897560328", "uri": "kylo:kylo:adp-management:client-profiles:client-profile-bdt-9f3edcb1-38e8-4bc7-8c41-99e897560328", "account": "kylo:kylo:admin:accounts:kylo", "createdAt": "2025-03-24T03:26:15.949341161Z", "updatedAt": "2025-03-24T03:26:15.949341161Z", "name": "client_profile_bdt", "app_connector_type": "BDT", "configurations": { "thread_count": 2, "batch_size": 10, "enable_performance_metrics": true, "tls_to_appserver": { "tls_skip_verify": true, "tls_enabled": false }, "auth_method_used": { "scheme_name": "Basic" }, "symmetric_key_cache_enabled": true, "symmetric_key_cache_expiry": 43200, "size_of_connection_pool": 300, "load_balancing_algorithm": "round-robin", "connection_timeout": 30000, "connection_read_timeout": 7000, "connection_idle_timeout": 600000, "connection_retry_interval": 600000, "maximum_idle_connection": 10000, "maximum_idle_connection_per_host": 10000, "dial_timeout": 10, "dial_keep_alive": 60, "log_level": "INFO", "log_rotation": "Daily", "log_size_limit": "100K", "log_max_backup_index": -1, "log_type": "Console", "log_gmt": false, "heartbeat_interval": 30, "heartbeat_timeout_count": 3 }, "csr_parameters": { "csr_cn": "Application Data Protection" }, "ca_id": "04d7f146-684b-47a2-a2c2-e8690be50e18", "enable_client_autorenewal": false, "client_management_profile_id": "0a3b495c-26c2-4a1a-a722-f46bec47e689", "registration_token_id": "0850f54a-dc42-4f3e-a2d3-0b49e19c5ece", "meta": { "has_active_clients": false, "status": "Healthy" } }In response, a registration token is returned. The registration token is passed in the deployment script to register BDT client on the CipherTrust Manager as shown in the below steps.
Pull the BDT image to the container environment as shown below:
docker pull thalesciphertrust/ciphertrust-batch-data-transformation:latestCreate a docker-compose.yml file by copying the following content. You can modify the parameters as needed:
services: bdt: container_name: bdt volumes: - <host_location_for_input>:/opt/app/tmp/<subdirectory_for_input> - <host_location_for_output>:/opt/app/tmp/<subdirectory_for_output> image: <bdt_image_name> ports: - "<host_port>:8080" environment: KMS_HOST: "<kms_host>" KMS_PORT: "443" REG_TOKEN: "<registration_token>"Note
The BDT container listens for
healthzandlivenessprobes on port 8080.You can also download the docker-compose.yml file modify according to your needs.
Here,
<host_port>: Any available port on the host machine.<kms_host>: The IP address or host name of the key manager.<bdt_image_name>: Name of the BDT image pulled.<registration_token>: Registration token generated here.<host_location_for_input>: Location of the directory on the host machine where input file exists.<host_location_for_output>: Location of the directory on the host machine where output file exists.Note
Similarly, you can also map the location of the directory for unprocessed record file.
<input_directory>: Location of directory to be used for input files inside/opt/app/tmp/. Use the same location in File Path field with input file name when creating data source<output_directory>: Location of directory to be used for output file inside/opt/app/tmp/. Use the same location in File Path field with output file name when creating data source
To run database-related transformations, you will need to configure different environment variables in your deployment files, click here for details.
Caution
Volume mounting is mandatory in the following cases during deployment to allow BDT to read or create a file.
When using file as source/destination
When configuring unprocessed record file path
When loading the JDBC driver from the host machine
Use
/opt/app/tmp/to map the external volume with container. Ensure the BDT container has permission to read, write, and execute on the mounted volume else, the deployment will fail.Run the below command from the location where you have downloaded the docker-compose.yml file to bring the BDT container up and running.
docker compose upRun the following command to stop the BDT container.
docker compose down
Verify your deployment
Run the following command to verify your deployment:
curl <BDT instanceip>:<host_port>/healthz
Replace <BDT instanceip> and <host_port> with the actual values from your BDT deployment.
BDT is now deployed successfully and is ready to protect, reveal, and reprotect data. Refer to Tasks for details.
