Concepts
Application
An application, configured on the CipherTrust Manager, contains the configuration required to describe the REST API endpoint of an application and how to protect data. It also contains the configuration parameters for DPG. The application includes:
Name: friendly label to describe the application to be protected.
Settings: configuration parameters required to initialize and configure the DPG associated with an application.
Settings include:
Network Configuration: allows you to select the appropriate pre-configured NAE interface port.
SSL Configuration: allows you to configure the CA (Certificate Authority).
CSR: allows you to configure parameters required to create or renew client certificates.
Logging: where you can select the appropriate logging level.
Connection Configuration: parameters that allow you to set timeout values and a few other parameters.
Local Encryption: parameters to set key cache expiry.
CSR parameters: required to create or renew client certificates.
NAE port: port number on which NAE communication is to be done.
Policies: define a collection of rules that govern cryptographic operations. Refer to Managing Applications for details.
DPG policy
A DPG policy is a set of rules that determines when and how to protect or reveal sensitive data moving through DPG. DPG can protect or reveal any data that is transferred through a REST API call in JSON format. The sensitive data is specified by its location in the JSON or in URL parameters. DPG lets you configure which data the cryptographic operations are performed on for each REST method (POST, GET, PUT, PATCH, DELETE). Protection of the sensitive data is governed by the Protection Policy associated with the DPG policy. A DPG policy is created at the time of configuring an application.
Protection Policy
A protection policy defines a set of rules that govern cryptographic operations. The protection policy includes entities such as algorithm, key, mode, and character set. Refer to Managing Protection Policy for details.
Access Policy
Access policies contain a set of rules that govern how decrypted data is revealed, based on the user. Each access policy has a default reveal format for any "user" that is not part of any user set. An access policy can act differently for different user sets. Refer to Managing Access Policy for details.
User Set
A user set is a collection of users that you want to grant or deny access to reveal data. User sets are configured in access policies. Policies can be applied to user sets, not to individual users. Refer to Managing User Set for details.
Heartbeat
Heartbeat is a lightweight mechanism that allows DPG to poll the CipherTrust Manager for any change in policies and/or configurations. Refer to Heartbeat Configuration for details.
Key Caching
The key caching feature allows DPG to securely cache a copy of the in-use symmetric key that it received from the CipherTrust Manager using the NAE XML protocol and store it for a limited time to perform cryptographic operations locally. Key caching saves the network round trips for key lookups, which improves performance dramatically. Keys cached on DPG are stored in secured process memory only; they are not stored on disk. Only symmetric keys that are marked exportable can be cached.
To export the keys, the following criteria must be met:
You must be the key owner.
You must be part of a group with permissions on the key and should only perform those operations that are configured for that group.
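The caching rules described above (memory only, limited lifetime, exportable keys only) can be modelled as follows. This is an added example, not DPG code: the `KeyCache` class, the `fetch` callable, the 60-second expiry and the sample key names are all assumptions made for illustration.

```python
import time
from dataclasses import dataclass

@dataclass
class ManagedKey:              # constructed stand-in for a key manager response
    material: bytes
    exportable: bool

# Constructed sample keys; names and bytes are illustrative only.
SAMPLE_KEYS = {
    "pan-key": ManagedKey(bytes(range(32)), exportable=True),
    "hsm-only-key": ManagedKey(bytes(32), exportable=False),
}

class KeyCache:
    """Memory-only cache of exportable symmetric keys with a fixed expiry."""

    def __init__(self, fetch, ttl_seconds, clock=time.monotonic):
        self._fetch = fetch        # hypothetical callable: key name -> ManagedKey
        self._ttl = ttl_seconds
        self._clock = clock        # injectable so expiry can be tested
        self._entries = {}         # key name -> (expires_at, material)
        self.round_trips = 0       # lookups that had to reach the key manager

    def get(self, name):
        entry = self._entries.get(name)
        if entry is not None and self._clock() < entry[0]:
            return entry[1]                      # hit: served locally
        self._entries.pop(name, None)            # expired copies are dropped
        self.round_trips += 1
        key = self._fetch(name)
        if not key.exportable:
            # Never cached: the caller must use remote operations instead.
            raise PermissionError(f"key {name!r} is not exportable")
        self._entries[name] = (self._clock() + self._ttl, key.material)
        return key.material

def demo():
    now = [0.0]                                  # fake clock, in seconds
    cache = KeyCache(SAMPLE_KEYS.__getitem__, ttl_seconds=60, clock=lambda: now[0])
    cache.get("pan-key"); cache.get("pan-key")   # second call is a cache hit
    trips_before_expiry = cache.round_trips
    now[0] = 61.0                                # past the expiry window
    cache.get("pan-key")                         # forces a fresh lookup
    return trips_before_expiry, cache.round_trips

if __name__ == "__main__":
    print(demo())
```

The expiry value is the trade-off to tune: a longer lifetime saves more round trips, while a shorter one limits how long a locally held copy stays usable after the key changes on the key manager.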