Concepts
Application
An application, configured on the CipherTrust Manager, contains the settings required to protect and reveal data. Refer to Managing Application for details.
Protection policy
A protection policy defines a set of rules that govern the cryptographic operations. The protection policy includes entities such as the algorithm, key, IV, access policy name, and character set. Refer to Protection Policy Functionalities for details.
Access policy
Access policies contain a set of rules that govern how the protected data is revealed based on the username. Each access policy has a default reveal format for any username that is not part of any user set. For CRDP, the CipherTrust Manager administrator can configure the access policy to obtain the username from the message body of the reveal request or from a JWT token.
Refer to Managing Access Policy and Configure User for Access Policy for details.
Dynamic masking
Dynamic masking creates a masking format for the reveal operation. The dynamic masking format determines how the output of the reveal operation is displayed to the application users. Refer to Masking Format for details.
User set
A user set is a collection of users to which you want to grant or deny access to reveal data. User sets are configured in access policies. Refer to Managing User Set for details.
Note
Policies can be applied to user sets, not to individual users.
Heartbeat
Heartbeat is a lightweight mechanism that allows CRDP to poll the CipherTrust Manager for any change in configuration. Refer to Heartbeat Configuration for details.
Note
The time on both the client and server machines must be synchronized. To achieve this, NTP (Network Time Protocol) should be configured. Follow the instructions to set up NTP.
Behavior of CRDP when the heartbeat threshold has been crossed
If the count of consecutive skipped heartbeats becomes equal to the value of the Heartbeat Timeout Count parameter, the CRDP client enters a revoked state after a maximum of 5 minutes. At this point, its liveness and health probes return false, and CRDP does not process data. This safeguard ensures that cryptographic operations are not performed when the container's state is unhealthy and unrecoverable.
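The threshold behavior above, as an added illustration written for this page (not CRDP's own code): a model that counts consecutive skipped heartbeats, resets the count on a successful poll, and enters an unrecoverable revoked state once the Heartbeat Timeout Count is reached, after which the probes return false and protect requests are refused. The class and method names are assumptions, and the up-to-5-minute delay before revocation is not modelled.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass
class HeartbeatMonitor:
    """Illustrative model (not CRDP's code) of the skipped-heartbeat safeguard."""
    timeout_count: int          # the Heartbeat Timeout Count parameter
    skipped: int = 0            # consecutive skipped heartbeats so far
    revoked: bool = False       # set once the threshold is reached; never cleared

    def record_heartbeat(self, manager_reached: bool) -> None:
        """Record one poll attempt; a successful poll resets the run of skips."""
        if self.revoked:
            return                          # revoked state is unrecoverable
        if manager_reached:
            self.skipped = 0
            return
        self.skipped += 1
        if self.skipped >= self.timeout_count:
            self.revoked = True             # the real client does this within 5 minutes

    def liveness_probe(self) -> bool:
        return not self.revoked

    def health_probe(self) -> bool:
        return not self.revoked

    def protect(self, plaintext: str) -> str:
        """Stand-in for a protect request; refuses to run once revoked (fail closed)."""
        if self.revoked:
            raise RuntimeError("CRDP is revoked: cryptographic operations are refused")
        return f"protected({plaintext})"   # placeholder, not a real protection policy


def simulate(timeout_count: int, polls: Iterable[bool]) -> HeartbeatMonitor:
    """Feed a constructed sequence of poll results (True = Manager reached)."""
    monitor = HeartbeatMonitor(timeout_count)
    for reached in polls:
        monitor.record_heartbeat(reached)
    return monitor


if __name__ == "__main__":
    # constructed sample: two skips, one success, then three skips, threshold 3
    m = simulate(3, [False, False, True, False, False, False])
    print("liveness:", m.liveness_probe(), "health:", m.health_probe())
```

The success in the middle of the sample resets the count, so only the final three consecutive skips trigger revocation.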
Key Caching
The key caching feature allows CRDP to securely cache a copy of the in-use key that it receives from the CipherTrust Manager over the REST protocol, so that cryptographic operations can be performed locally. The lifetime of the cached key is limited to the value of the Key Cache Expiry parameter set while creating the application.