Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Administration

How to Run a Demo

search

Please Note:

printsuggest an edit

How to Run a Demo

A full demo environment is provided to allow you test drive DPG, see how it is installed, and use its features to protect sensitive data using a Helm Chart.

With this demo, we also provide a Sample Application Server to experience end to end DPG functionalities.

Note

This demo is performed on Amazon AWS using Amazon Elastic Kubernetes Service (EKS), however, DPG can be deployed on all cloud and/or K8s providers.

copy link to clipboardSample Application Details

Supported API URL: /api/sample/resource/{id}

copy link to clipboardSupported Methods

  • POST Method: Allows you add any data (irrespective of structure) in JSON format based on {id}. This method returns the same JSON body in response. The JSON body is saved in the internal cache of the APPlication Server.

  • GET Method: Allows you to fetch data for a given {id}.

  • PATCH Method: Allows you to modify the entire JSON body for a given {id}.

  • DELETE Method: Allows you to delete the entry for a given {id}.

copy link to clipboardPrerequisites

copy link to clipboardDPG Image Repository

The ciphertrust-data-protection-gateway repository contains the following images for DPG 1.4.0:

  • DPG (with 1.4.0 tag): thalesciphertrust/ciphertrust-data-protection-gateway:1.4.0

  • DPG (with latest tag): thalesciphertrust/ciphertrust-data-protection-gateway:latest

    The image path with the latest tag always points to the latest release.

  • Sample Application Server (with appserver tag): thalesciphertrust/ciphertrust-data-protection-gateway:appserver

copy link to clipboardDeploy Demo Environment using Helm Charts on AWS

copy link to clipboardDeploy Application Server

  1. Create a namespace for your deployment, for example, myspace.

    kubectl create namespace <myspace>

  2. Configure current-context by updating your local kubeconfig file.

    aws eks --region <aws_region> update-kubeconfig --name <dpg-cluster_name> -n myspace

  3. Download and copy the following files:

    Note

    To download the files, right-click each link and click Save Link As.

  4. Navigate to the <target_directory>.

  5. Install Sample APPlication Server in your namespace. For this demo, we will use dpgdemo as the Helm release name.

    helm install dpgdemo . -n myspace

    The status DEPLOYED indicates the installation is successful.

  6. Verify the deployment with the following command.

    helm list -n myspace

    The output should list the deployed Helm releases, dpgdemo.

    The Sample Application Server is deployed successfully and ready to use.

copy link to clipboardTest Drive Sample Application Server

copy link to clipboardPost Request

copy link to clipboardSyntax

<Method> <Request URL> <Header name> <Header value> <JSON Body>

copy link to clipboardRequest Parameters
ParameterDescription
MethodPOST
Request URLA sample URL is http://<instanceip>:32082/api/sample/resource/{id}.
• To find the value of instanceip, run kubectl get nodes -o wide. You need to use the EXTERNAL-IP of the node on which your instance is deployed.
• If you are using nodeport other than 32082, specify its value in the sample url or you can find the value of nodeport using kubectl get svc -o wide -n myspace command.
In the commands above, myspace is the namespace you created in Deploy using Helm.
Header nameContent-Type
Header valueapplication/json
JSON BodySee the sample request below.
NOTE: The JSON Body contains "key":"value" pairs.
copy link to clipboardSample Request

The value of {id} should be unique.

http://<instanceip>:32082/api/sample/resource/{id}
{
"ssn": "123-45-6789",
"creditAccount": "123456789",
"creditCard":[
  {
    "number": "5252-5252-5252-5252",
    "cvv": "111",
    "expiry": "03/24"
    }
              ]
}
copy link to clipboardSample Response
{
"ssn": "123-45-6789",
"creditAccount": "123456789",
"creditCard":[
  {
    "number": "5252-5252-5252-5252",
    "cvv": "111",
    "expiry": "03/24"
    }
              ]
}

In the above sample, the Sample Application Server returned the original data without modifying it.

copy link to clipboardCreate Policies, Configurations, Registration Token on the CipherTrust Manager

Before deploying DPG, ensure that the following steps are performed from the CipherTrust Manager UI.

  1. Create Character Set

  2. Create User Set

  3. Create Masking Format

  4. Create Access Policy

  5. Create Protection Policy

  6. Create DPG Policy

  7. Define Application

The detailed instructions are available in the Application Data Protection Admin Guide. You can also perform these steps though the CipherTrust Manager's RESTful API. Refer to CipherTrust Manager API Playground for detailed instructions.

copy link to clipboardDeploy DPG

  1. Download and replace the following files:

    Note

    • These files contain the references of both Sample Application Server and DPG.

    • To download the files, right-click each link and click Save Link As.

    • The servercrt and serverkey parameters of the values.yaml file are required only when TLS_ENABLEDis set to true.

  2. Update the values of kms and reg_token fields in the values.yaml file.

    Here,

    • KMS is the IP address of your CipherTrust Manager instance.

    • reg_token is the token generated on the CipherTrust Manager while defining Applications. This token is used to register DPG clients on the CipherTrust Manager.

  3. Navigate to the <target_directory> and run the following command to upgrade the deployment:

    helm upgrade dpgdemo . -n myspace

copy link to clipboardTest Drive DPG

copy link to clipboardPost Request

copy link to clipboardSyntax

<Method> <Request URL> <Header name> <Header value> <JSON Body>

copy link to clipboardRequest Parameters
ParameterDescription
MethodPOST
Request URLA sample URL is http://<instanceip>:32082/api/sample/resource/{id}.
• To find the value of instanceip, run kubectl get nodes -o wide. You need to use the EXTERNAL-IP of the node on which your instance is deployed.
• If you are using nodeport other than 32082, specify its value in the sample url or you can find the value of nodeport using kubectl get svc -o wide -n myspace command.
In the commands above, myspace is the namespace you created in Deploy using Helm.
Header nameContent-Type
Header valueapplication/json
JSON BodySee the sample request below.
NOTE: The JSON Body contains "key":"value" pairs.
copy link to clipboardSample Request
http://<instanceip>:32082/api/sample/resource/{id}
{

"ssn": "123-45-6789",
"creditAccount": "123456789",
"creditCard":[
  {

    "number": "5252-5252-5252-5252",
    "cvv": "111",
    "expiry": "03/24"

    }
              ]
}
copy link to clipboardSample Response
{
"creditAccount": "123456789",
"creditCard": [
  {
"cvv": "1001000163",
"expiry": "03/24",
"number": "5252-5252-5252-5252"
}
],
"ssn": "123-45-6789"
}

In this sample, DPG is protecting the CVV number (111) in the post request and returns ciphertext (1001000163). Here, first seven digits represent the version header bytes.

Note

  • We assume that you have configured CVV number to be protected in the POST request of DPG policy on the CipherTrust Manager.

  • If any sensitive data in REST API is not mapped with DPG policy, it will pass through DPG without performing any action (PROTECT/REVEAL) on the data.

copy link to clipboardGet Request

copy link to clipboardSyntax

<Method> <Request URL>

copy link to clipboardRequest Parameters
ParameterDescription
MethodGET
Request URLA sample URL is http://<instanceip>:32082/api/sample/resource/{id}.
• To find the value of instanceip, run kubectl get nodes -o wide. You need to use the EXTERNAL-IP of the node on which your instance is deployed.
• If you are using nodeport other than 32082, specify its value in the sample url or you can find the value of nodeport using kubectl get svc -o wide -n myspace command.
In the commands above, myspace is the namespace you created in Deploy using Helm.
Request HeadersThis parameter contains the authorization tag and is required when revealing the data.
Following authentication schemes are allowed:
— Basic
— Bearer
A valid user name should be present in the authorization tag. For more information on Authentication, refer to Configure Authentication Scheme.
copy link to clipboardSample Request using Curl

You can use any of the supported authentication methods to send request to DPG. For this demo, we are using Basic authentication scheme.

copy link to clipboardSample Request
curl --user <username>:<password> http://<instanceip>:32082/api/sample/resource/{id}
copy link to clipboardSample Response
{
"creditAccount": "123456789",
"creditCard": [
  {
"cvv": "111",
"expiry": "03/24",
"number": "5252-5252-5252-5252"
}
],
"ssn": "123-45-6789"
}

While revealing the data, DPG takes the following parameters into account:

  • Protection Policy: Determines how to protect and reveal data. It comprises of key, cipher, access policy, and character set needed to protect/reveal data.

  • User: Username in the authorization header.

If the user in the authorization header is not part of any user set or authorization header is not specified, the access policy uses the default format to reveal data.

In this sample, DPG is revealing the data as plaintext, that is 111.

Note

In this sample, we assume that you have configured CVV number to be revealed as plaintext in the access policy for <user> on the CipherTrust Manager. For more information, refer to Creating Policies.

copy link to clipboardProtect samples with prefix

A prefix helps user identify the type of data being protected. The maximum length for prefix is 7 characters and only All Printable ASCII characters are allowed. To add prefix to the data, the prefix field in the protection policy create or update wizard should be configured. During the reveal operation, when reveal format is plaintext, the prefix is truncated and only decrypted value is returned to the user. For other reveal formats, prefix is not truncated from the output.

  • For internal protection policy, the resultant will contain version header bytes + prefix (if enabled) + ciphertext.

  • For disabled version, the resultant will contain prefix (if enabled) + ciphertext.

  • For external protection policy, the resultant will contain prefix (if enabled) + ciphertext. The version header bytes will be stored in external_version field.

copy link to clipboardSample request with disabled versioning
curl --location 'http://<{DPG-IP}>:{DPG-port}/api/sample/resource/34' \--header 'Content-Type: application/json' \--header 'Authorization: Basic Og==' \--data ' { "creditCardNo": "1234567891111" }
copy link to clipboardSample Response
{
    "creditCardNo":"CCN8648383582231701"
}
copy link to clipboardSample request with internal versioning
curl --location 'http://<{DPG-IP}>:{DPG-port}/api/sample/resource/34' \--header 'Content-Type: application/json' \--header 'Authorization: Basic Og==' \--data ' { "creditCardNo": "1234567891111" }
copy link to clipboardSample Response
{
    "creditCardNo":"1001000CCN8648383582231701"
}
copy link to clipboardSample request with external versioning
curl --location 'http://<{DPG-IP}>:{DPG-port}/api/sample/resource/34' \--header 'Content-Type: application/json' \--header 'Authorization: Basic Og==' \--data ' { "creditCardNo": "1234567891111" }
copy link to clipboardSample Response
{
    "creditCardNo":"CCN8648383582231701",
    "CCExternalVersion":"1001000"
}

In the above samples, there is a protection policy which uses FPE/AES/UNICODE and prefix value is configured as CCN. A DPG policy is defined to protect token creditCardNo for API_URL/api/sample/resource/{id}.

On this page