Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

back

Migration

PDB for Teradata to CTP

search

PDB for Teradata to CTP

Prerequisites

  • Minimum supported Teradata database version required by ProtectDB (PDB) for Teradata is installed and configured with a supported KeySecure Classic version.

  • Minimum supported CipherTrust Manager version required by PDB for Teradata is installed.

Supported Versions

Current Setup

ProductVersion
ProtectDB (PDB) for Teradata8.11.0 or higher
KeySecure Classic8.11.0 or higher

Target Setup

ProductVersion
CipherTrust Teradata Protection (CTP)6.5.0 or higher
CipherTrust Manager2.2 or higher

Migration Steps

  1. Back up keys, users, and certificates on the KeySecure Classic UI. Refer to Creating a Backup File for details.

    While taking backup, on the Create Backup screen, select the ProtectDB Manager check box.

  2. Restore the backup on the CipherTrust Manager. Refer to Migrating the Backup File for details.

    The local users migrated from KeySecure Classic become a part of the Key Admin and User Admin groups by default.
    You can manage the access rights for each of these users by adding or removing them from a particular group according to the requirement.
    To perform related database operations on the CipherTrust Manager UI, a local user must be part of the ProtectDB group.
    Refer to System Defined Groups for details.

  3. Decrypt the tables using Decrypt UDFs of CTP.

  4. Uninstall PDB for Teradata using the uninstall.sh script. At this step, all the user mapping and table mapping are deleted. Refer to SafeNet ProtectDB for Teradata User Guide for details.

  5. Install CTP following the instructions mentioned in the CTP Installation Reference Guide.

  6. Encrypt table using CTP UDFs.

Limitations

User Mapping

  • GUI utility to map users with keys and view tables is no longer available.

  • Access to database encryption and decryption operations are defined in the allow_encrypt.conf and allow_decrypt.conf configuration files, based on the key-value pairs.

  • The encryption key is the "key", and a comma-separated list of users who may access that encryption key is the associated "value".

Profile Approach

CTP provides profiles.conf to streamline the invocation of the CBC, FPE, and FF1 UDFs. The following is a sample profiles.conf file that contains two profiles named ccnum and address:

[ccnum]
method = aes_cbc_pad
iv = 000102030405060708090A0B0C0D0E0F
keyname = KEY_1
[address]
method = aes_cbc_pad
iv = 0F0E0D0C0B0A09080706050403020100
keyname = KEY_1

With these profile definitions, the following UDF calls can be made:

encrypt_cbc('1234-9876-5678-6543', 'ccnum')
encrypt_cbc('2860 Junction Avenue, San Jose, CA 95134', 'address')