How to Run a Demo
A full demo environment is provided to let you test drive DPG: see how it is installed and use its features to protect sensitive data, all deployed with a Helm chart.
With this demo, we also provide a Sample Application Server so that you can exercise DPG functionality end to end.
Note
This demo is performed on AWS using Amazon Elastic Kubernetes Service (EKS); however, DPG can be deployed on any cloud or Kubernetes provider.
Sample Application Details
Supported API URL: /api/sample/resource/{id}
Supported Methods
POST Method: Allows you to add any data (irrespective of structure) in JSON format under the given {id}. This method returns the same JSON body in the response. The JSON body is saved in the internal cache of the Application Server.
GET Method: Allows you to fetch the data stored for a given {id}.
PATCH Method: Allows you to replace the entire JSON body stored for a given {id}.
DELETE Method: Allows you to delete the entry for a given {id}.
Prerequisites
A Kubernetes environment is deployed and working.
Helm is installed. Refer to https://helm.sh/docs/intro/install/ for details.
Your Kubernetes environment and orchestrator have access to the ciphertrust-data-protection-gateway repository. For any repository-related issues, contact dpg.admin@thalesgroup.com.
This repository contains the following images:
DPG (latest tag): thalesgroup/ciphertrust-data-protection-gateway:latest
Sample Application Server (appserver tag): thalesgroup/ciphertrust-data-protection-gateway:appserver
The latest tag is mutable; for anything beyond a throwaway demo, pin the image by digest in your chart so that the DPG container you deploy is the one you reviewed.
CipherTrust Manager is installed. Refer to CipherTrust Manager Deployment for details.
Deploy Demo Environment using Helm Charts
Deploy Application Server
1. Create a namespace for your deployment, for example, myspace:
   kubectl create namespace myspace
2. Configure the current context by updating your local kubeconfig file, then make myspace the default namespace for that context (aws eks update-kubeconfig does not take a namespace option):
   aws eks --region <aws_region> update-kubeconfig --name <dpg-cluster_name>
   kubectl config set-context --current --namespace=myspace
3. Download and copy the following files:
   deployment.yaml to <target_directory>\templates
   values.yaml to <target_directory>
   Chart.yaml to <target_directory>
   Note
   To download the files, right-click each link and click Save Link As.
4. Navigate to <target_directory> and install the Sample Application Server in your namespace. For this demo, we use dpgdemo as the Helm release name:
   helm install dpgdemo . -n myspace
   The status DEPLOYED in the command output indicates that the installation is successful.
5. Verify the deployment with the following command:
   helm list -n myspace
   The output should list the deployed Helm release, dpgdemo.
The Sample Application Server is now deployed and ready to use.
Test Drive Sample Application Server
Post Request
Syntax
<Method> <Request URL> <Header name> <Header value> <JSON Body>
Request Parameters
Parameter | Description |
---|---|
Method | POST |
Request URL | A sample URL is http://<instanceip>:32082/api/sample/resource/{id}. To find instanceip, run kubectl get nodes -o wide and use the EXTERNAL-IP of the node on which your instance is deployed. If you are using a NodePort other than 32082, use that value in the URL; you can find the assigned NodePort with kubectl get svc -o wide -n myspace. Here, myspace is the namespace you created in Deploy Demo Environment using Helm Charts. |
Header name | Content-Type |
Header value | application/json |
JSON Body | See the sample request below. NOTE: The JSON Body contains "key":"value" pairs. |
Sample Request
The value of {id} should be unique. Note that the sample endpoint is plain HTTP on the node's external IP, so send only the test data shown here to it.
http://<instanceip>:32082/api/sample/resource/{id}
{
"ssn": "123-45-6789",
"creditAccount": "123456789",
"creditCard":[
{
"number": "5252-5252-5252-5252",
"cvv": "111",
"expiry": "03/24"
}
]
}
Sample Response
{
"ssn": "123-45-6789",
"creditAccount": "123456789",
"creditCard":[
{
"number": "5252-5252-5252-5252",
"cvv": "111",
"expiry": "03/24"
}
]
}
In the above sample, DPG is not yet deployed, so the Sample Application Server returned the data exactly as it was posted, including the CVV in clear.
Create Policies, Configurations, Registration Token on the CipherTrust Manager
Before deploying DPG, ensure that the following steps are performed on the CipherTrust Manager.
Create character sets
Create protection policies
Create DPG policy
Create application
To do so, use any of these options:
Deploy DPG
1. Download and replace the following files:
   deployment.yaml to <target_directory>\templates
   values.yaml to <target_directory>
   Note
   These files contain the references of both the Sample Application Server and DPG.
   To download the files, right-click each link and click Save Link As.
2. Navigate to <target_directory> and run the following command to upgrade the deployment:
   helm upgrade dpgdemo . -n myspace
Test Drive DPG
Post Request
Syntax
<Method> <Request URL> <Header name> <Header value> <JSON Body>
Request Parameters
Parameter | Description |
---|---|
Method | POST |
Request URL | A sample URL is http://<instanceip>:32082/api/sample/resource/{id}. To find instanceip, run kubectl get nodes -o wide and use the EXTERNAL-IP of the node on which your instance is deployed. If you are using a NodePort other than 32082, use that value in the URL; you can find the assigned NodePort with kubectl get svc -o wide -n myspace. Here, myspace is the namespace you created in Deploy Demo Environment using Helm Charts. |
Header name | Content-Type |
Header value | application/json |
JSON Body | See the sample request below. NOTE: The JSON Body contains "key":"value" pairs. |
Sample Request
http://<instanceip>:32082/api/sample/resource/{id}
{
"ssn": "123-45-6789",
"creditAccount": "123456789",
"creditCard":[
{
"number": "5252-5252-5252-5252",
"cvv": "111",
"expiry": "03/24"
}
]
}
Sample Response
{
"creditAccount": "123456789",
"creditCard": [
{
"cvv": "200010163",
"expiry": "03/24",
"number": "5252-5252-5252-5252"
}
],
"ssn": "123-45-6789"
}
In this sample, DPG protected the CVV (111) in the POST request, and the application stored and returned the ciphertext (200010163) instead. The first six digits (200010) are the policy header; the remaining three digits (163) are the ciphertext of the three-digit CVV, so the field keeps its original length and digits-only format and the application needs no change to store it.
Note
We assume that you have configured the CVV to be protected in the POST request of the DPG policy on the CipherTrust Manager.
Any field in the REST API that is not mapped in the DPG policy passes through DPG unchanged; neither PROTECT nor REVEAL is applied to it. In this sample, ssn and the card number are not mapped, so they reach the application, and its cache, in clear.
Get Request
Syntax
<Method> <Request URL>
Request Parameters
Parameter | Description |
---|---|
Method | GET |
Request URL | A sample URL is http://<instanceip>:32082/api/sample/resource/{id}. To find instanceip, run kubectl get nodes -o wide and use the EXTERNAL-IP of the node on which your instance is deployed. If you are using a NodePort other than 32082, use that value in the URL; you can find the assigned NodePort with kubectl get svc -o wide -n myspace. Here, myspace is the namespace you created in Deploy Demo Environment using Helm Charts. |
Sample Request
Note
The {id} must be the same as the one used in the POST request.
http://<instanceip>:32082/api/sample/resource/{id}
Sample Response
{
"creditAccount": "123456789",
"creditCard": [
{
"cvv": "111",
"expiry": "03/24",
"number": "5252-5252-5252-5252"
}
],
"ssn": "123-45-6789"
}
In this sample, DPG revealed the CVV (111) in the GET response: the application returned the stored ciphertext (200010163), and DPG decrypted it before the response reached the client.
Note
We assume that you have configured the CVV to be revealed in the GET request of the DPG policy on the CipherTrust Manager.
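The following Python client is an added example for the POST and GET test drives above; it is not part of the DPG demo, the Sample Application Server, or Thales' code. It sends the page's sample body, then checks the two properties the demo describes: a field mapped in the DPG policy must come back as a ciphertext of the same length with a six-digit policy header (the page's own statement about the header), and must come back as the original plaintext on GET, while every unmapped field must pass through unchanged and is therefore listed so you can see what is still in clear. The base URL and resource id are supplied by the caller, the selector syntax creditCard[*].cvv is this script's own convention for naming the protected field, and the DELETE at the end is added so card data is not left in the demo cache; none of these come from the page.

```python
"""Check what DPG did to a request, using the demo's Sample Application Server.

Added example, not part of the DPG demo. Assumptions (not from the page):
the base URL and resource id are passed in by the caller; "creditCard[*].cvv"
is this script's own selector syntax for the field the demo policy protects;
HEADER_LEN = 6 is taken from the page's statement that the first six digits
of the ciphertext are the policy header.
"""
import json
import re
import sys
import urllib.request

HEADER_LEN = 6  # page: "first six digits are the policy header"

# Constructed sample request: identical to the POST body used in the demo.
SAMPLE_BODY = {
    "ssn": "123-45-6789",
    "creditAccount": "123456789",
    "creditCard": [
        {"number": "5252-5252-5252-5252", "cvv": "111", "expiry": "03/24"},
    ],
}


def flatten(obj, prefix=""):
    """Map every scalar leaf of a JSON document to a path such as creditCard[0].cvv."""
    out = {}
    if isinstance(obj, dict):
        for key, val in obj.items():
            out.update(flatten(val, f"{prefix}.{key}" if prefix else key))
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            out.update(flatten(val, f"{prefix}[{idx}]"))
    else:
        out[prefix] = obj
    return out


def normalize(path):
    """creditCard[0].cvv -> creditCard[*].cvv, so one selector covers every array element."""
    return re.sub(r"\[\d+\]", "[*]", path)


def split_ciphertext(value, header_len=HEADER_LEN):
    """Split a DPG ciphertext into (policy header, protected body)."""
    return value[:header_len], value[header_len:]


def audit_protect(sent, received, protected):
    """Compare the POST body with the POST response.

    protected: selectors (see normalize) the DPG policy is expected to PROTECT.
    Mapped fields must come back changed and length-preserved; unmapped fields
    must come back unchanged, which also means they crossed DPG in clear.
    """
    sent_leaves, got_leaves = flatten(sent), flatten(received)
    report = {"protected": {}, "passed_through": [], "problems": []}
    for path, plain in sent_leaves.items():
        if path not in got_leaves:
            report["problems"].append(f"{path} missing from response")
            continue
        got = got_leaves[path]
        if normalize(path) in protected:
            if got == plain:
                report["problems"].append(f"{path} returned in clear: {got}")
                continue
            header, body = split_ciphertext(str(got))
            if len(body) != len(str(plain)):
                report["problems"].append(
                    f"{path}: ciphertext body length {len(body)} != plaintext length {len(str(plain))}")
            report["protected"][path] = {"header": header, "body": body}
        elif got != plain:
            report["problems"].append(f"{path} changed although it is not in the policy: {got}")
        else:
            report["passed_through"].append(path)
    return report


def unrevealed(sent, revealed, protected):
    """After the GET, list protected fields that did not come back as the original plaintext."""
    sent_leaves, got_leaves = flatten(sent), flatten(revealed)
    return [p for p, v in sent_leaves.items()
            if normalize(p) in protected and got_leaves.get(p) != v]


def call(base_url, method, rid, body=None):
    """One request to the Sample Application Server (through DPG once it is deployed)."""
    req = urllib.request.Request(
        f"{base_url}/api/sample/resource/{rid}",
        data=None if body is None else json.dumps(body).encode(),
        method=method,
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def run(base_url, rid, protected=frozenset({"creditCard[*].cvv"})):
    """POST, GET, then DELETE the sample resource and return the combined report."""
    report = audit_protect(SAMPLE_BODY, call(base_url, "POST", rid, SAMPLE_BODY), protected)
    report["unrevealed"] = unrevealed(SAMPLE_BODY, call(base_url, "GET", rid), protected)
    call(base_url, "DELETE", rid)  # do not leave card data in the demo cache
    return report


if __name__ == "__main__":
    # usage: python dpg_check.py http://<instanceip>:32082 <id>
    print(json.dumps(run(sys.argv[1], sys.argv[2]), indent=2))
```

Run it once against the Sample Application Server before DPG is deployed and once after the helm upgrade: the first run reports creditCard[0].cvv returned in clear, the second reports an empty problems list, header 200010 and body 163 for the CVV, and ssn, creditAccount, number and expiry under passed_through, which is exactly the set of fields you would still need to map in the DPG policy before this traffic carried anything other than test data.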