Configuring Provider and EKM Logs
This section describes the following topics:
Configuring CAKM for Microsoft SQL Server EKM Provider in Microsoft SQL Server
Configuring CAKM for Microsoft SQL Server EKM Provider in SQL Cluster
Note
If no operation is required to be performed by sa user then the other user must have at least the following privileges to perform the CAKM TDE operations:
Alter any credential
Alter any database
Connect SQL
Control server
Create any database
Create login
db owner
Configuring CAKM for Microsoft SQL Server EKM Provider in Microsoft SQL Server
To configure the CAKM for Microsoft SQL Server EKM Provider in the Microsoft SQL Server database:
Enabling EKM in Your Microsoft SQL Server Database
Perform the following steps to enable EKM in your Microsoft SQL Server Database:
Execute the below query on the Microsoft SQL Server.
sp_configure 'show advanced options', 1; RECONFIGURE;Now, run the query mentioned below.
sp_configure 'EKM provider enabled', 1; RECONFIGURE;
Note
Only the sa users with the sysadmin or serveradmin privileges can execute the sp_configure query to change the server configuration. Whereas, the other users can run this command only to view the server configuration.
Loading the DLL
Note
Before loading the DLL, ensure that
NAE_IPandLog_Fileparameters are configured. You can also configure the other parameters as per your requirement. For more details, refer Configuring Properties FileOnly the users with the sysadmin privileges can load the DLL.
To load the DLL, execute the following query. This will create a new cryptographic provider named <provider_name>. Provider name is visible under Security\Cryptographic Providers in Microsoft SQL Server Management Studio.
CREATE CRYPTOGRAPHIC PROVIDER <provider_name>
FROM FILE = '<Installation_Directory>\CipherTrust\CAKM For SQLServerEKM\cakm_mssql_ekm.dll'
Note
Alter the file location if you did not accept the default installation directory.
Creating Credentials with Microsoft SQL Server
To create a SQL credential, execute the following query. This will create a new credential named <credential_name>. The credential is visible under Security\Credentials in Microsoft SQL Server Management Studio.
CREATE CREDENTIAL <credential_name> WITH IDENTITY='<cipherTrust_manager_user>',
SECRET='<cipherTrust_manager_user_password>'
FOR CRYPTOGRAPHIC PROVIDER <provider_name>
You must use a user/password combination that exists on the CipherTrust Manager and that user must have at least Key Admins privileges.
To map this new credential to an existing login on the Microsoft SQL Server, execute the following query:
ALTER LOGIN <Sql_server_login> ADD CREDENTIAL <credential_name>
Configuring CAKM for Microsoft SQL Server EKM Provider in SQL Cluster
CAKM for Microsoft SQL Server EKM Provider can be used in SQL cluster. Install and configure the provider in the cluster environment.
Install the CAKM for Microsoft SQL Server EKM Provider on all the nodes. For more details, refer Installing CAKM for Microsoft SQL Server EKM Provider
On all nodes, modify the required properties in the cakm_mssql_ekm.properties file.
Configure SQL EKM only on one database node, using the following steps:
Create the key (if needed) only on one node. For more details, refer Creating Keys.
Configuring EKM Logs
EKM logs are generated at the file location mentioned in the MS_Sql_Ekm_Log property in the cakm_mssql_ekm.properties file
The default path of log file is where the CAKM For MSSQL EKM is installed.
For example, if CAKM for SQL EKM is installed on the path C:\Program Files\CAKM For SQL EKM, then EKM logs will be created at C:\Program Files\CAKM For SQL EKM\logs\cakm_sql_ekm_wrapper.log. Moreover, you can also change the path by updating the MS_Sql_Ekm_Log parameter in cakm_mssql_ekm.properties file.
You can update the file location where you want EKM logs to be generated. For example:
MS_Sql_Ekm_Log = <log_file_path>
You can configure separate log files for different database instances.
