Multi-Site Support
This chapter describes how to configure the multi-site feature in CT-V and covers the following topics:
Overview of Multi-Site Support
Configuring the CT-V for Multi-Site Support
Overview of Multi-Site Support
The multi-site feature controls how CT-V behaves when it is deployed across multiple data centers. For vaults that use the partitioning scheme, CT-V hashes the plaintext to determine the data center database into which it inserts, or from which it retrieves, the data. After completing the initial insert, CT-V propagates the token to the vaults on the other sites. When retrieving a token, CT-V searches the local data center first and, if the token is not found there, the remote sites. When deleting a token, CT-V deletes it from the local data center first and then from the other sites, in the order in which the sites are configured.
Note
The sequencing order of the sites is determined by the IP addresses assigned to them.
The preceding paragraph summarizes the multi-site process flow. The following walkthrough shows how multi-site tokenization works for four data centers DC1, DC2, DC3, and DC4 with SiteIDs 0, 1, 2, and 3 respectively.
In multi-site tokenization, one SiteID is the local site and the others are remote sites. When a token is to be inserted into a token vault, the SiteID that receives the insert (the hash site) is chosen by the Thales default site-selection algorithm, the built-in implementation of the IHashSiteIdGenerator interface. If the hash site is unavailable, the token is inserted into the next SiteID in the sequencing order of the sites.
Note
A custom algorithm can be used instead by setting the CustomSiteIDGeneratorClassName parameter in the MultiSite.properties file.
Suppose the hashing algorithm selects SiteID 2 as the hash site; the token is inserted there first. Whether the token is also inserted into other sites depends on the PropagateToNSites parameter in the MultiSite.properties file. If the value is 0, the token is not inserted into any other site; if it is -1, the token is inserted into all available sites. If the value is 2, CT-V tries to insert the token into the next two sites in sequence after the hash site, that is, SiteID 3 and SiteID 0. If one of those sites is down, say SiteID 3, the token is propagated only to SiteID 0; the unreachable site is not replaced by a further site.
Note
Sites where the token insertion failed initially are brought up to date when the user runs database synchronization externally.
Get() method: When the Get() method runs, CT-V searches for the token in the local SiteID and returns it if it is present there. If the token is not in the local site, CT-V searches the next SiteID, in the order in which the sites are sequenced, and so on. When the token is found on a remote site, get() returns it and, depending on the value of the StoreToDatabaseAfterRemoteGet parameter in the MultiSite.properties file, also inserts it into the local site (LocalOnly), into all sites where the initial insertion failed (AllMissingSites), or nowhere (Disabled).
The following diagram outlines the deployment of CT-V in two data centers, where:
DC-1 = Data Center 1
DC-2 = Data Center 2
GTM = Global Traffic Manager
LST = Local CT-V Client
You can use the hashing scheme to determine how tokens are inserted. The following TokenService methods are used in multi-site:
insert()
get()
delete()
The rest of this chapter explains the steps to configure CT-V for multi-site support. Ensure that all participating CT-V installations are upgraded to version 6.5 or later before configuring multi-site support.
Configuring the CT-V for Multi-Site Support
When CT-V is deployed across multiple data centers, the insert(), get(), and delete() methods determine how tokens are created and propagated, retrieved, and deleted; the parameters described below control their behavior.
To configure CT-V for multi-site support:
Install CT-V on each site. Configure SafeNetToken.properties as normal.
Configure the MultiSite.properties file for each site:
a. Set the SiteID. The SiteID must be unique for each site, as it identifies the location of the database site.
b. Specify the token vaults that will participate in the multi-site operations (MultiSiteVaultsPartitioning).
c. Set the PropagateToNSites value. This determines the number of additional sites to which CT-V propagates the token. The default value is 0, which disables propagation. Set it to -1 to propagate to all sites.
The configuration parameters in the MultiSite.properties file control the multi-site behavior. They are explained below.
Note
Sequential Vault is not supported in multi-site mode operation. Any insert request intended for a sequential vault is routed to the local DB site.
Parameters
CT-V provides default values for the multi-site parameters for each data center/site, so you do not need to set them in order to start using the multi-site feature. You can change the behavior of this process by adjusting the parameters in the MultiSite.properties file.
Use SiteID to identify the local database site. The value must be unique, as it corresponds to one data center/site. SiteIDs must begin at 0 and continue in sequence (1, 2, 3, and so on) with no gaps.
Use MultiSiteVaultsPartitioning to specify the list of token vaults that participate in multi-site operations using the hashing scheme. For example, MultiSiteVaultsPartitioning=TEST_VAULT. If no vault is listed under this parameter, all other properties in this file are ignored.
Note
Multi-site functionality works only when the DB vault name is the same on all sites and is written in uppercase letters.
Use PropagateToNSites to set the number of additional sites to which CT-V propagates a token. The default value is 0, which disables propagation. Set it to -1 to propagate to all sites, or to a positive value to propagate to that many additional sites. For vaults that use the MultiSiteVaultsPartitioning scheme, CT-V hashes the input data to determine the site in which to insert the token first (the hash site) or, if the hash site is down, the next available site in round-robin order. If the value is -1, CT-V inserts the token in all sites, starting with the hash site. If the value is 0, CT-V inserts the token in the hash site only. If the value is greater than 0, CT-V inserts the token in the hash site and then propagates it to as many further sites, in sequence, as PropagateToNSites specifies.
Use ContinuePropagationOnError to determine whether CT-V continues propagating a token after it fails to propagate the token to a site. The valid values are Yes (continue with the remaining sites when CT-V cannot reach a site) and No (stop propagating at the first site CT-V cannot reach). The default value is Yes.
Note
ContinuePropagationOnError=Yes has an effect only when PropagateToNSites=-1 or PropagateToNSites>0.
Use StoreToDatabaseAfterRemoteGet to replicate a token that was found on a remote site to the local site, or to the remote sites where propagation failed earlier. The valid values are AllMissingSites (replicate the token to all missing sites where it failed to propagate earlier), LocalOnly (replicate to the local site regardless of the value of PropagateToNSites), and Disabled (do not replicate the token). The default is LocalOnly.
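The following Java program is an added example and not CT-V code: an in-memory model of the routing described in the DC1 to DC4 walkthrough above and in the PropagateToNSites, ContinuePropagationOnError, and StoreToDatabaseAfterRemoteGet descriptions. Each site's database is replaced by a HashMap, the site-selection hash by a pluggable function (pinned to SiteID 2 in main to reproduce the walkthrough), and the card number and token strings are constructed. The page does not say how CT-V detects that a site is down or exactly which sites AllMissingSites considers missing, so the model treats a site as down only when told so and back-fills every reachable site that lacks the token.

```java
import java.util.*;
import java.util.function.ToIntFunction;

// In-memory model of CT-V multi-site insert/get/delete routing (added example, not CT-V code).
// Each site's "vault" is a HashMap standing in for that data center's database.
public class MultiSiteModel {
    public enum StoreAfterGet { LocalOnly, AllMissingSites, Disabled }
    private final int siteCount;
    private final int localSiteId;
    private final int propagateToNSites;              // 0 = no propagation, -1 = all sites, N = N more sites
    private final boolean continuePropagationOnError; // Yes/No in MultiSite.properties
    private final StoreAfterGet storeToDatabaseAfterRemoteGet;
    private final ToIntFunction<String> siteIdGenerator; // stands in for IHashSiteIdGenerator
    private final Set<Integer> downSites = new HashSet<>();
    private final List<Map<String, String>> vaults = new ArrayList<>(); // token -> plaintext, per site

    public MultiSiteModel(int siteCount, int localSiteId, int propagateToNSites, boolean continuePropagationOnError,
                          StoreAfterGet storeToDatabaseAfterRemoteGet, ToIntFunction<String> siteIdGenerator) {
        this.siteCount = siteCount;
        this.localSiteId = localSiteId;
        this.propagateToNSites = propagateToNSites;
        this.continuePropagationOnError = continuePropagationOnError;
        this.storeToDatabaseAfterRemoteGet = storeToDatabaseAfterRemoteGet;
        this.siteIdGenerator = siteIdGenerator;
        for (int i = 0; i < siteCount; i++) vaults.add(new HashMap<>());
    }

    public void setSiteDown(int siteId, boolean down) { if (down) downSites.add(siteId); else downSites.remove(siteId); }
    private boolean up(int siteId) { return !downSites.contains(siteId); }
    public boolean siteHas(int siteId, String token) { return vaults.get(siteId).containsKey(token); }

    // Inserts the token and returns the SiteIDs that received it, in insert order.
    public List<Integer> insert(String plaintext, String token) {
        int first = siteIdGenerator.applyAsInt(plaintext);
        int tries = 0; // hash site down: fall through to the next available site in sequence (round robin)
        while (!up(first) && tries < siteCount) { first = (first + 1) % siteCount; tries++; }
        if (tries == siteCount) throw new IllegalStateException("no site available for insert");
        List<Integer> stored = new ArrayList<>();
        vaults.get(first).put(token, plaintext);
        stored.add(first);
        // Each unreachable site consumes one of the N propagation attempts, as in the DC1..DC4 walkthrough.
        int attempts = propagateToNSites < 0 ? siteCount - 1 : Math.min(propagateToNSites, siteCount - 1);
        int site = first;
        for (int i = 0; i < attempts; i++) {
            site = (site + 1) % siteCount;
            if (!up(site)) {
                if (!continuePropagationOnError) break; // No: stop at the first failure
                continue;                               // Yes: skip the failed site and keep going
            }
            vaults.get(site).put(token, plaintext);
            stored.add(site);
        }
        return stored;
    }

    // Local site first, then the remaining sites in sequence; back-fills per StoreToDatabaseAfterRemoteGet.
    public Optional<String> get(String token) {
        for (int i = 0; i < siteCount; i++) {
            int site = (localSiteId + i) % siteCount;
            if (!up(site)) continue;
            String plaintext = vaults.get(site).get(token);
            if (plaintext == null) continue;
            if (site != localSiteId) storeAfterRemoteGet(token, plaintext);
            return Optional.of(plaintext);
        }
        return Optional.empty();
    }

    private void storeAfterRemoteGet(String token, String plaintext) {
        if (storeToDatabaseAfterRemoteGet == StoreAfterGet.LocalOnly && up(localSiteId)) {
            vaults.get(localSiteId).put(token, plaintext);
        } else if (storeToDatabaseAfterRemoteGet == StoreAfterGet.AllMissingSites) {
            // modelled as every reachable site that still lacks the token; Disabled stores nothing
            for (int s = 0; s < siteCount; s++) if (up(s)) vaults.get(s).putIfAbsent(token, plaintext);
        }
    }

    // Deletes locally first, then from the other sites in sequence; returns how many copies were removed.
    public int delete(String token) {
        int removed = 0;
        for (int i = 0; i < siteCount; i++) {
            int site = (localSiteId + i) % siteCount;
            if (up(site) && vaults.get(site).remove(token) != null) removed++;
        }
        return removed;
    }

    public static void main(String[] args) {
        // DC1..DC4 = SiteID 0..3 seen from SiteID 0; PropagateToNSites=2, ContinuePropagationOnError=Yes, LocalOnly.
        // The generator is pinned to SiteID 2 to reproduce the walkthrough; the card number and token are constructed.
        MultiSiteModel dc1 = new MultiSiteModel(4, 0, 2, true, StoreAfterGet.LocalOnly, p -> 2);
        dc1.setSiteDown(3, true);
        System.out.println("SiteID 3 down, inserted at " + dc1.insert("4111111111111111", "TOKEN-1"));
        MultiSiteModel stop = new MultiSiteModel(4, 0, 2, false, StoreAfterGet.LocalOnly, p -> 2);
        stop.setSiteDown(3, true);
        System.out.println("ContinuePropagationOnError=No, inserted at " + stop.insert("4111111111111111", "TOKEN-1"));
        // Seen from SiteID 1 with PropagateToNSites=0: the token lives only at SiteID 2 and is copied locally on get.
        MultiSiteModel dc2 = new MultiSiteModel(4, 1, 0, true, StoreAfterGet.LocalOnly, p -> 2);
        dc2.insert("4111111111111111", "TOKEN-1");
        System.out.println("remote get: " + dc2.get("TOKEN-1").orElse("<missing>") + ", copied locally: " + dc2.siteHas(1, "TOKEN-1"));
        System.out.println("copies deleted: " + dc2.delete("TOKEN-1"));
    }
}
```

Run it with java MultiSiteModel.java (JDK 11 or later). With SiteID 3 down, the first insert reaches SiteIDs 2 and 0 only; the ContinuePropagationOnError=No variant stops after the hash site; and the get() issued from SiteID 1 returns the token from SiteID 2 and copies it into SiteID 1 before returning, after which delete() removes both copies. The model makes one operational point visible: with PropagateToNSites=0 a newly inserted token exists on one site only, so an outage of that site makes the token unretrievable from every site until it is back or an external synchronization has run.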
The following database connection pooling parameters can be specified per data center (database site) in the MultiSite.properties file.
c3p0.initialPoolSize
c3p0.maxStatementsPerConnection
c3p0.acquireRetryAttempts
c3p0.checkoutTimeout
c3p0.minPoolSize
c3p0.maxPoolSize
c3p0.maxIdleTime
You can find details of the c3p0 settings at the following link: http://www.mchange.com/projects/c3p0/#configuration_properties
The parameters for the local database settings are specified in the SfntDbp.properties file, whereas for the multi-site feature they are specified in the MultiSite.properties file (as above). All properties in SfntDbp.properties, except c3p0 logging, can also be configured per site through MultiSite.properties.
The pooling parameters can be prefixed with a user-defined site name, for example dc1.c3p0.initialPoolSize, where dc1 is the user-defined site name.
The properties configured in MultiSite.properties override the ones configured in the master configuration file, SfntDbp.properties.
Any property other than the ones listed above is ignored silently, without an error or warning message.
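A worked MultiSite.properties for the site with SiteID 0, added here as an illustration of configuration steps a to c and the parameters above; it is not a file shipped with CT-V. The vault name CARD_VAULT, the site name dc1, the pool sizes, and the commented-out class name com.example.ctv.Sha256SiteIdGenerator are placeholders chosen for the example.

```properties
# MultiSite.properties on the data center with SiteID 0 (added illustration, not a CT-V file).
# The other sites use the same file with only SiteID changed (1, 2, ... in sequence, no gaps).
SiteID=0

# Vault name must be identical on every site and in uppercase; if this line is empty,
# everything else in this file is ignored.
MultiSiteVaultsPartitioning=CARD_VAULT

# -1: insert on the hash site, then copy to every other site. 0 would leave each new
# token on a single site until a remote get() back-fills it.
PropagateToNSites=-1

# Only meaningful with PropagateToNSites=-1 or >0: keep going past an unreachable site.
ContinuePropagationOnError=Yes

# After a remote get(), copy the token to every reachable site that still lacks it.
StoreToDatabaseAfterRemoteGet=AllMissingSites

# Optional: fully qualified name of a custom IHashSiteIdGenerator on the CT-V classpath.
#CustomSiteIDGeneratorClassName=com.example.ctv.Sha256SiteIdGenerator

# Per-site c3p0 pool settings; "dc1" is a user-defined site name. These override SfntDbp.properties.
dc1.c3p0.minPoolSize=5
dc1.c3p0.initialPoolSize=5
dc1.c3p0.maxPoolSize=20
dc1.c3p0.maxIdleTime=300
dc1.c3p0.checkoutTimeout=5000
dc1.c3p0.acquireRetryAttempts=3
dc1.c3p0.maxStatementsPerConnection=50
```

Two of these lines cause most multi-site problems in practice: a vault name that differs in spelling or case between sites silently disables multi-site for that vault, and a misspelled property key is dropped without any message, so a typo in ContinuePropagationOnError leaves the default (Yes) in force rather than failing at startup.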
Multi-site Partitioning
In addition, CT-V lets the user decide which data center is used to insert a token into, or retrieve a token from.
To do so, implement the interface below and set the fully qualified name of the implementing class in the CustomSiteIDGeneratorClassName property in the MultiSite.properties file. If no class name is specified for CustomSiteIDGeneratorClassName, CT-V uses its built-in algorithm to select the data center database.
public interface IHashSiteIdGenerator
{
    /**
     * Provides the custom Site ID algorithm. Implementations must be thread safe,
     * because CT-V may call this method from several threads at once.
     *
     * @return the SiteID, which represents a database when CT-V runs in multi-site mode
     */
    public int hashSiteID() throws TokenException;
}
The class implementing this interface must be on the CT-V classpath.
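An added example of a custom implementation of the interface above; it is not Thales code. Because hashSiteID() takes no argument, the page does not say how the value being tokenized reaches a custom generator, so this example assumes the calling code publishes it in a ThreadLocal before each insert, and it reads the number of sites from a system property (ctv.multisite.siteCount) that is likewise an assumption. The IHashSiteIdGenerator and TokenException stubs at the top let the file compile on its own; for a real build, drop them and compile against the CT-V jar, which supplies the real types (the real TokenException may have a different constructor).

```java
package com.example.ctv;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Stand-ins for the CT-V types so this file compiles alone (assumption: the real TokenException
// may have a different constructor). Remove both and import the real types when building against CT-V.
interface IHashSiteIdGenerator { int hashSiteID() throws TokenException; }
class TokenException extends Exception { TokenException(String message) { super(message); } }

// Custom site selection for CustomSiteIDGeneratorClassName: SHA-256 of the input, reduced to a SiteID.
public class Sha256SiteIdGenerator implements IHashSiteIdGenerator {
    // Number of configured sites (SiteIDs 0..n-1). Read from a system property because the page does
    // not document how CT-V passes the site count to a custom generator (assumption).
    private static final int SITE_COUNT = Integer.getInteger("ctv.multisite.siteCount", 1);

    // hashSiteID() has no parameter, so the value to hash must reach the generator by another route;
    // this example assumes the caller publishes it per thread before calling insert()/get() (assumption).
    private static final ThreadLocal<String> INPUT = new ThreadLocal<>();

    public static void setInput(String plaintext) { INPUT.set(plaintext); }
    public static void clearInput() { INPUT.remove(); }

    @Override
    public int hashSiteID() throws TokenException {
        String input = INPUT.get();
        if (input == null) throw new TokenException("no input published for site selection");
        return siteFor(input, SITE_COUNT);
    }

    // Stateless mapping: equal inputs always map to the same SiteID, so a later get() from any site
    // finds the token at the hash site after at most one remote lookup. There is no shared mutable
    // state, which is what makes hashSiteID() safe to call from many threads at once.
    static int siteFor(String input, int siteCount) throws TokenException {
        if (siteCount < 1) throw new TokenException("siteCount must be at least 1");
        MessageDigest sha256;
        try {
            sha256 = MessageDigest.getInstance("SHA-256"); // new instance per call: MessageDigest is not thread-safe
        } catch (NoSuchAlgorithmException e) {
            throw new TokenException("SHA-256 is unavailable: " + e.getMessage());
        }
        byte[] digest = sha256.digest(input.getBytes(StandardCharsets.UTF_8));
        int h = ((digest[0] & 0xff) << 24) | ((digest[1] & 0xff) << 16) | ((digest[2] & 0xff) << 8) | (digest[3] & 0xff);
        // floorMod, not %: h is a signed int, and a negative remainder would be an invalid SiteID.
        return Math.floorMod(h, siteCount);
    }

    public static void main(String[] args) throws TokenException {
        String[] samples = {"4111111111111111", "5500000000000004", "340000000000009"}; // constructed inputs
        IHashSiteIdGenerator generator = new Sha256SiteIdGenerator();
        for (String sample : samples) {
            setInput(sample);
            try {
                System.out.println(sample + " -> SiteID " + generator.hashSiteID() + " of " + SITE_COUNT);
            } finally {
                clearInput(); // never leave the plaintext behind on a pooled thread
            }
        }
    }
}
```

Run it with java -Dctv.multisite.siteCount=4 Sha256SiteIdGenerator.java to see the three sample inputs spread over SiteIDs 0 to 3. The generator only chooses the starting site: if that site is down, CT-V itself moves on to the next site in sequence as described above, so the implementation does not need to know site availability. Keep the mapping deterministic; a generator that returns different sites for the same input still works, because get() searches the remote sites, but every lookup of such a token then pays for remote round trips.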
Multi-site Partitioning in .Net
To enable multi-site partitioning in .NET, the jar containing the custom IHashSiteIdGenerator implementation must be placed on the classpath. To supply the classpath in .NET, edit the registry entry as follows:
Make a jar containing a custom implementation class say custom.jar.
Place the custom.jar in the desired location say c:\custom\custom.jar
Open regedit tool to edit registry entries in windows.
Find the key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SafeNet\SafeNetTokenization or HKEY_LOCAL_MACHINE\SOFTWARE\SafeNet\SafeNetTokenization, depending on the system configuration.
Edit the ClassPath value following this pattern:
<LOCATIONOFJAR>\;<EXISTING VALUE>
For example, if
ClassPath=C:\Program Files\SafeNet
then change it to
ClassPath=C:\custom\custom.jar\;C:\Program Files\SafeNet
Save and exit regedit.
Now set CustomSiteIDGeneratorClassName in the MultiSite.properties file to the fully qualified name of the custom class and run the .NET TokenService.