How to Run a Demo
A full demo environment is provided to allow you test drive DPG, see how it is installed, and use its features to protect sensitive data using a Helm Chart.
With this demo, we also provide a Sample Application Server to experience end to end DPG functionalities.
Note
This demo is performed on Amazon AWS using Amazon Elastic Kubernetes Service (EKS), however, DPG can be deployed on all cloud and/or K8s providers.
Sample Application Details
Supported API URL: /api/sample/resource/{id}
Supported Methods
POST Method: Allows you add any data (irrespective of structure) in JSON format based on {id}. This method returns the same JSON body in response. The JSON body is saved in the internal cache of the APPlication Server.
GET Method: Allows you to fetch data for a given {id}.
PATCH Method: Allows you to modify the entire JSON body for a given {id}.
DELETE Method: Allows you to delete the entry for a given {id}.
Prerequisites
A Kubernetes environment is deployed and working.
Helm is installed. Refer to https://helm.sh/docs/intro/install/ for details.
CipherTrust Manager is up and running. Refer to CipherTrust Manager Deployment for details.
DPG Image Repository
The ciphertrust-data-protection-gateway repository contains the following images for DPG 1.3.0:
DPG (with 1.3.0 tag): thalesciphertrust/ciphertrust-data-protection-gateway:1.3.0
DPG (with latest tag): thalesciphertrust/ciphertrust-data-protection-gateway:latest
The image path with the latest tag always points to the latest release.
Sample Application Server (with appserver tag): thalesciphertrust/ciphertrust-data-protection-gateway:appserver
Deploy Demo Environment using Helm Charts on AWS
Deploy Application Server
Create a namespace for your deployment, for example,
myspace.kubectl create namespace <myspace>Configure current-context by updating your local
kubeconfigfile.aws eks --region <aws_region> update-kubeconfig --name <dpg-cluster_name> -n myspaceDownload and copy the following files:
deployment.yaml to
<target_directory>/templates.values.yaml to
<target_directory>.Chart.yaml to
<target_directory>.
Note
To download the files, right-click each link and click Save Link As.
Navigate to the
<target_directory>.Install Sample APPlication Server in your namespace. For this demo, we will use
dpgdemoas the Helm release name.helm install dpgdemo . -n myspaceThe status
DEPLOYEDindicates the installation is successful.Verify the deployment with the following command.
helm list -n myspaceThe output should list the deployed Helm releases,
dpgdemo.The Sample Application Server is deployed successfully and ready to use.
Test Drive Sample Application Server
Post Request
Syntax
<Method> <Request URL> <Header name> <Header value> <JSON Body>
Request Parameters
| Parameter | Description |
|---|---|
| Method | POST |
| Request URL | A sample URL is http://<instanceip>:32082/api/sample/resource/{id}.• To find the value of instanceip, run kubectl get nodes -o wide. You need to use the EXTERNAL-IP of the node on which your instance is deployed. • If you are using nodeport other than 32082, specify its value in the sample url or you can find the value of nodeport using kubectl get svc -o wide -n myspace command. In the commands above, myspace is the namespace you created in Deploy using Helm. |
| Header name | Content-Type |
| Header value | application/json |
| JSON Body | See the sample request below. NOTE: The JSON Body contains "key":"value" pairs. |
Sample Request
The value of {id} should be unique.
http://<instanceip>:32082/api/sample/resource/{id}
{
"ssn": "123-45-6789",
"creditAccount": "123456789",
"creditCard":[
{
"number": "5252-5252-5252-5252",
"cvv": "111",
"expiry": "03/24"
}
]
}
Sample Response
{
"ssn": "123-45-6789",
"creditAccount": "123456789",
"creditCard":[
{
"number": "5252-5252-5252-5252",
"cvv": "111",
"expiry": "03/24"
}
]
}
In the above sample, the Sample Application Server returned the original data without modifying it.
Create Policies, Configurations, Registration Token on the CipherTrust Manager
Before deploying DPG, ensure that the following steps are performed from the CipherTrust Manager UI.
Create Character Set
Create User Set
Create Masking Format
Create Access Policy
Create Protection Policy
Create DPG Policy
Define Application
The detailed instructions are available in the Application Data Protection Admin Guide. You can also perform these steps though the CipherTrust Manager's RESTful API. Refer to CipherTrust Manager API Playground for detailed instructions.
Deploy DPG
Download and replace the following files:
deployment.yaml to
<target_directory>/templatesvalues.yaml to
<target_directory>
Note
These files contain the references of both Sample Application Server and DPG.
To download the files, right-click each link and click Save Link As.
The
servercrtandserverkeyparameters of thevalues.yamlfile are required only whenTLS_ENABLEDis set to true.
Update the values of
kmsandreg_tokenfields in thevalues.yamlfile.Here,
KMSis the IP address of your CipherTrust Manager instance.reg_tokenis the token generated on the CipherTrust Manager while defining Applications. This token is used to register DPG clients on the CipherTrust Manager.
Navigate to the
<target_directory>and run the following command to upgrade the deployment:helm upgrade dpgdemo . -n myspace
Test Drive DPG
Post Request
Syntax
<Method> <Request URL> <Header name> <Header value> <JSON Body>
Request Parameters
| Parameter | Description |
|---|---|
| Method | POST |
| Request URL | A sample URL is http://<instanceip>:32082/api/sample/resource/{id}.• To find the value of instanceip, run kubectl get nodes -o wide. You need to use the EXTERNAL-IP of the node on which your instance is deployed. • If you are using nodeport other than 32082, specify its value in the sample url or you can find the value of nodeport using kubectl get svc -o wide -n myspace command. In the commands above, myspace is the namespace you created in Deploy using Helm. |
| Header name | Content-Type |
| Header value | application/json |
| JSON Body | See the sample request below. NOTE: The JSON Body contains "key":"value" pairs. |
Sample Request
http://<instanceip>:32082/api/sample/resource/{id}
{
"ssn": "123-45-6789",
"creditAccount": "123456789",
"creditCard":[
{
"number": "5252-5252-5252-5252",
"cvv": "111",
"expiry": "03/24"
}
]
}
Sample Response
{
"creditAccount": "123456789",
"creditCard": [
{
"cvv": "1001000163",
"expiry": "03/24",
"number": "5252-5252-5252-5252"
}
],
"ssn": "123-45-6789"
}
In this sample, DPG is protecting the CVV number (111) in the post request and returns ciphertext (1001000163). Here, first seven digits represent the version header bytes.
Note
We assume that you have configured CVV number to be protected in the POST request of DPG policy on the CipherTrust Manager.
If any sensitive data in REST API is not mapped with DPG policy, it will pass through DPG without performing any action (PROTECT/REVEAL) on the data.
Get Request
Syntax
<Method> <Request URL>
Request Parameters
| Parameter | Description |
|---|---|
| Method | GET |
| Request URL | A sample URL is http://<instanceip>:32082/api/sample/resource/{id}.• To find the value of instanceip, run kubectl get nodes -o wide. You need to use the EXTERNAL-IP of the node on which your instance is deployed. • If you are using nodeport other than 32082, specify its value in the sample url or you can find the value of nodeport using kubectl get svc -o wide -n myspace command. In the commands above, myspace is the namespace you created in Deploy using Helm. |
| Request Headers | This parameter contains the authorization tag and is required when revealing the data. Following authentication schemes are allowed: — Basic — Bearer A valid user name should be present in the authorization tag. For more information on Authentication, refer to Configure Authentication Scheme. |
Sample Request using Curl
You can use any of the supported authentication methods to send request to DPG. For this demo, we are using Basic authentication scheme.
Sample Request
curl --user <username>:<password> http://<instanceip>:32082/api/sample/resource/{id}
Sample Response
{
"creditAccount": "123456789",
"creditCard": [
{
"cvv": "111",
"expiry": "03/24",
"number": "5252-5252-5252-5252"
}
],
"ssn": "123-45-6789"
}
DPG takes the following parameters into account while revealing the data:
Protection Policy: Determines how to protect and reveal data. It comprises of key, cipher, access policy, and character set needed to protect/reveal data.
User: Username in the authorization header.
If the user in the authorization header is not part of any user set or authorization header is not specified, the access policy uses the default format to reveal data.
In this sample, DPG is revealing the data as plaintext, that is 111.
Note
In this sample, we assume that you have configured CVV number to be revealed as plaintext in the access policy for <user> on the CipherTrust Manager. For more information, refer to Creating Policies.
