Configuring Policies on the CipherTrust Manager

This section covers the following topics:

• Creating Protection Policy

• Creating Access Policy

• Creating User Sets

• Creating Masking Formats

• Viewing Registration Token

Creating Protection Policy

To create a protection policy:

1. Open Application Data Protection.

2. In the left pane, click Protection Policies.

3. On the Protection Policies screen, click Add Protection Policy.

4. On the Create Protection Policy screen, enter/select the following fields.

   Field	Description
   Name	Unique name for the protection policy. Do not use % in the protection policy name.
   Algorithm	Algorithm to be used in the cryptographic operations. You can view the list of supported algorithms here.
   Key	Key to be used in the cryptographic operations.
   Character Set	Name of the character set. For more details, click here.
   Access Policy	Access policy to be associated with the protection policy. Access policies are set of rules that define how the decrypted data will be revealed to the application users. For more details, click here.
   Masking Format	Masking format to be associated with the protection policy. For more details, click here.
   Tweak Algorithm	Tweak algorithm to be used in the cryptographic operations. It is only applicable for the FPE algorithms. Possible options are: • SHA1 • SHA256 • NONE • NULL For FF3, Tweak Algorithm cannot be NULL. For the remaining FPE algorithms, Tweak Algorithm can be NULL.
   Tweak	Tweak data to be used in the cryptographic operations. This field is mandatory if tweak algorithm is specified. If tweak algorithm is NONE, specify a 16-character HEX encoded string. If tweak algorithm is NULL, this field is not required.
   IV	Initialization vector to be used in the cryptographic operations. This field will appear on the UI if FPE/AES or AES/CBC algorithm is selected. • For FPE/AES, IV is derived based on the character set length. To know how to calculate the required IV, click here. • For AES/CBC modes, a 16-byte IV is required. The value must be a HEX encoded string.
   Disable Versioning	If selected, the protection policy cannot be updated and only the ciphertext is returned in the response.
   Version Header	Determines the location of version bytes. Possible options are: • Internal: version bytes are prepended to the ciphertext. • External: version bytes are stored in a separate field. For more details, click here.

5. Click Create. A message stating Protection policy created successfully is displayed and the newly created policy is listed on the Protection Policies page.

Important Notes

Creating Access Policy

To create an access policy:

1. Open Application Data Protection.

2. In the left pane, click Access Policies.

3. On the Access Policies screen, click Add Access Policy. The Add Access Policy wizard is displayed. Follow the steps below to complete the setup:

   1. Add General Info

   2. Configure User Set Rules

   3. Select Default Reveal Format

   4. Confirmation

Add General Info

1. Specify a unique name for the access policy.

2. Describe the access policy.

3. Click Next to go to the User Set Rules tab.

Configure User Set Rules

1. On the User Set Rules tab, click Add User Set Rule.

2. Under the Select User Set(s) section, select the user set for which you want to define the access policy.

3. From the Select Reveal Format drop-down list, select the reveal format for the user set. You can select any of these reveal formats:

   • Plaintext: Plaintext is revealed to the application users.

   • Ciphertext: Ciphertext is revealed to the application users.

   • Error Replacement Value: Error replacement value is returned to the application users. To return error replacement value, you must configure one of the following settings:

     • Select Return NULL value to specify NULL as the Error Replacement Value.

     • Select Return Custom value and specify custom value as the Error Replacement Value.

     

   • Masked Value: Masked value is returned to the application users. When selecting the Masked Value, select Masking Format. To know more about masking, click here.

4. Click Save.

   To configure another user set rule, click Add User Set Rule and repeat steps 2 to 5 else, click Next to go to the Default Reveal Format tab.

Select Default Reveal Format

1. On the Default Reveal Format tab, select any of the following format from the drop-down list. This selection is configured for the users who are not part of any user set rule.

   • Plaintext: Plaintext is revealed to the application users.

   • Ciphertext: Ciphertext is revealed to the application users.

   • Error Replacement Value: Error replacement value is returned to the application users. To return error replacement value, you must configure one of the following settings:

     • Select Return NULL value to specify NULL as the Error Replacement Value.

     • Select Return Custom value and specify custom value as the Error Replacement Value.

     

   • Masked Value: When selecting the Masked Value, select Masking Format. To know more about masking, click here.

2. Click Next to go to the Confirmation screen.

Confirmation

1. On the Confirmation tab, verify the access policy details. The Confirmation screen displays general info, user set rules, and default reveal format.

2. To modify any detail, click Edit and update the details.

3. Click Save to create an access policy. A message stating Access policy created successfully is displayed. The newly created Access Policy is added to the list of access policies.

Using Access Policy

Once the access policy is created, you must map the access policy to the protection policy for reveal operations. Refer to Creating Protection Policy for details.

Creating User Sets

To create a user set:

1. Open Application Data Protection.

2. In the left pane, click User Sets.

3. Click Add User Set. The Add User Set wizard is displayed. Follow the steps below to complete the setup:

   1. Add General Info

   2. Add Users

   3. Confirmation

Add General Info

1. On the General Info tab, enter/select the following fields.

   1. Enter a unique Name for the user set.

   2. Provide a Description for the user set.

   3. Click Next. The Add User Set screen is displayed.

Add Users

1. On the Add Users tab, enter/select the following details.

   1. Under Users, click Add User.

   2. Under Add User, enter the Username in all uppercase and click Add. Similarly, you can add any number of users.

   3. Click Next. The Confirmation screen is displayed.

Confirmation

1. On the confirmation screen, verify the user set details.

2. If you want to modify any detail, click Edit and update the details.

3. Click Save. A message User Set created successfully is displayed.

Creating Masking Formats

To create a masking format:

1. Open Application Data Protection.

2. In the left pane, click Masking Formats.

3. On the Masking Formats screen, click Create Masking Format.

   You can create:

   • Dynamic Masking Format

   • Static Masking Format

Create Dynamic Masking Format

1. On the Create Masking Format screen:

   1. Enter a unique name for the masking format.

   2. Enter a description for the masking format.

   3. Select Masking Format Type as Dynamic.

   4. Select either Show or Hide.

      Show	Select, if you want to show the starting and ending characters.
      Mask	Select, if you want to mask the starting and ending characters.

   5. In the First Characters field, select the numbers of characters to be shown or masked.

   6. In the Last Characters field, select the numbers of characters to be shown or masked.

   7. Enter the Masking Character. The default masking character is X.

2. Click Create. A message Masking format created successfully is displayed. The newly created masking format is listed on the Masking Format page.

Create Static Masking Format

1. On the Create Masking Format screen:

   1. Enter a unique name for the masking format.

   2. Enter a description for the masking format.

   3. Select Masking Format Type as Static.

   4. In the First Characters field, select the numbers of characters to be preserved.

   5. In the Last Characters field, select the numbers of characters to be preserved.

   The remaining characters will be encrypted based on the selected algorithm.

2. Click Create. A message Masking format created successfully is displayed. The newly created masking format is listed on the Masking Format page.

Viewing Registration Token

To view a registration token:

1. Sign in to the CipherTrust Manager GUI as administrator.

2. Open Application Data Protection.

3. In the left pane, click Applications. The list of applications is displayed on the screen.

4. On the Applications page, under Name, click the application for which you want to view the registration token.

5. Copy the Registration token.