PDB to CDP

Prerequisites

  • KeySecure Classic is up and running at a supported version. Refer to the KeySecure Classic documentation for details.

  • A supported PDB version is configured with that KeySecure Classic. Refer to the PDB documentation for details.

  • CipherTrust Manager is up and running at a supported version. Refer to CipherTrust Manager Deployment for details.

If you are running an unsupported version, upgrade your environment to a supported version before proceeding. Refer to the corresponding product documentation for upgrade instructions.

Supported Versions

Current Setup

Product               Version
PDB for Oracle        8.8.0 or higher
PDB for SQL Server    8.9.0 or higher
PDB for DB2           8.7.0 or higher
KeySecure Classic     8.12.2 or higher

Target Setup

Product               Version
CDP for Oracle        8.12.0 or higher
CDP for SQL Server    8.12.0 or higher
CDP for DB2           8.12.0 or higher
CipherTrust Manager   2.2.0 or higher

Migration Steps

  1. Back up keys, users, and certificates on the KeySecure Classic UI. Refer to Creating a Backup File for details.

    While taking a backup, on the Create Backup screen, select the ProtectDB Manager check box.

  2. Restore the backup on the CipherTrust Manager. Refer to Migrating the Backup File for details.

    The local users migrated from KeySecure Classic become a part of the Key Admin and User Admin groups by default.
    You can manage the access rights for each of these users by adding or removing them from a particular group according to the requirement.
    To perform CipherTrust Database Protection related operations on the CipherTrust Manager UI, a local user must be part of the ProtectDB group.
    Refer to System Defined Groups for details.

  3. Replicate database connections on CipherTrust Manager. This step will migrate the database connections created on KeySecure Classic to the CipherTrust Manager. The database connections must be recreated on the CipherTrust Manager with the same connection details.

    1. Viewing database connection information on KeySecure Classic

      1. Log on to KeySecure Classic as an administrator.

      2. Navigate to the Database List section (Security > Databases).

      3. Select the database connection and click Edit Connection to view the connection information.

    2. Replicating database connection on CipherTrust Manager

      1. Log on to the CipherTrust Manager GUI as administrator.

      2. Click CDP to open the application.

        The Databases screen displays the list of existing database connections, if any.

      3. Enter the Connection Information details in the respective fields. These details must have the same values as those viewed on KeySecure Classic in step 1. For more information about the fields, refer to the Managing Database Connection section of the CDP Server Admin Guide.

      4. Click Save.

        The newly added database appears on the Databases screen. The Status column reflects the status of the connection.

      5. Click the refresh icon on the screen if the status is not updated.

  4. Update the properties file. After the server configuration is done, update the ProtectDB.properties file with the NAE_IP and NAE_Port of the CipherTrust Manager. For the changes in the properties file to take effect, perform the following steps. These steps vary for each CDP client.

    Oracle

    1. Update the ProtectDB.properties file.

      • For Linux, the properties file is copied to the /lib/safenet/ directory.

      • For Windows, the properties file is copied to the \bin\ directory.

    2. Execute the loadProperties.sh (UNIX/Linux) or loadProperties.bat (Windows) script.

      • Depending on the platform, these files are placed at the following location:

        • Unix/Linux: /lib/safenet/

        • Windows: \bin\

    SQL Server

    1. Update the ProtectDB.properties file. The properties file is copied to the C:\Program Files\SafeNet\MsSqlProvider\MSSQLSERVER directory.

    2. Restart the database server.

    DB2

    1. Update the ProtectDB.properties file. The properties file is copied to the JAVA_HOME/lib/ext directory.

    2. Restart the database.

  5. Configure error replacement values on CipherTrust Manager. Unlike all other column encryption properties, the Error Replacement property is not saved in the metadata. To use this option, it must therefore be set for each column that is encrypted or is to be encrypted.

    To set Error Replacement:

    1. Log on to the CipherTrust Manager GUI.

    2. Click CDP to open the application. The Databases screen displays the list of existing database connections, if any.

    3. Click the overflow icon corresponding to the desired database connection.

    4. Click on Manage Tables. The list of tables is displayed on the screen.

    5. Set the Error Replacement option in the encryption properties of the columns of the listed tables. Refer to the Managing Tables section of the CDP Server Admin Guide for details.

  6. Upgrade the CipherTrust Database Protection clients, if required. Refer to the CipherTrust Database Protection documentation for details.
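A post-change check for step 4, as an added example (not Thales code): it parses the contents of ProtectDB.properties and reports entries that would leave the client pointed at KeySecure Classic instead of the CipherTrust Manager. The key names NAE_IP and NAE_Port are taken as this page writes them; the prefix matching, the sample addresses, and the port value are assumptions.

```python
import re

ADDRESS_KEY = "NAE_IP"    # key names as the migration step gives them
PORT_KEY = "NAE_Port"


def parse_properties(text):
    """Return {key: value} from key=value or key:value lines, skipping comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def check_migrated(text, new_host, new_port, old_host):
    """List problems that leave the client pointed at the old key server."""
    props = parse_properties(text)
    findings = []
    # Prefix match so an indexed variant of the key (an assumption) is covered.
    address_keys = [k for k in props if k.startswith(ADDRESS_KEY)]
    if not address_keys:
        findings.append(f"no {ADDRESS_KEY} entry found")
    for key in address_keys:
        # Assumes IPv4 addresses or hostnames; a value may list several.
        hosts = [h for h in re.split(r"[:,;\s]+", props[key]) if h]
        if old_host in hosts:
            findings.append(f"{key} still lists KeySecure Classic host {old_host}")
        if new_host not in hosts:
            findings.append(f"{key} does not list CipherTrust Manager host {new_host}")
    port = props.get(PORT_KEY)
    if port != str(new_port):
        findings.append(f"{PORT_KEY} is {port!r}, expected {new_port}")
    return findings


# Constructed sample file contents (documentation-range addresses, made-up port).
STALE = "# ProtectDB.properties\nNAE_IP=192.0.2.10\nNAE_Port=9000\n"
UPDATED = "# ProtectDB.properties\nNAE_IP = 198.51.100.20\nNAE_Port = 9000\n"

if __name__ == "__main__":
    for name, text in (("stale", STALE), ("updated", UPDATED)):
        print(name, check_migrated(text, "198.51.100.20", 9000, "192.0.2.10"))
```

Run it against the file contents on each CDP client after the update and before reloading the properties or restarting the database; an empty list means no entry refers to the old host.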

After the CipherTrust Database Protection clients are ready to be used with the CipherTrust Manager, the following operations can be performed through the CipherTrust Manager UI:

  • Managing Database Connections

  • Managing User Mappings

  • Managing Tables

Refer to the CDP Admin Guide for details.

Limitations

The following operations cannot be performed through the CipherTrust Manager UI. You need the pdbctl utility to perform these operations:

  • Encryption

  • Decryption

  • Rotation

  • Creation and deletion of views and triggers

  • Deletion of old data

Refer to the pdbctl Utility User Guide for details.