Please Note:

You are not viewing the most recent version of this page. 7.7.0 is the latest version available.

Integrations and Solutions
CTE Agent for AIX Integration Guide
- Using CTE with Oracle
  - CTE on Oracle ACFS Overview
  - Creating an Oracle ASM Disk Group for Guarding
  - Oracle RAC ASM
    - Important ASM Commands and Concepts
    - Determining Best Method for Encrypting Disks
    - General Prerequisites
    - Specific Prerequisites
  - About Oracle RAC ASM Raw Devices
  - Oracle RAC ASM Multi-Disk Online Method
  - Oracle RAC ASM Multi-Disk Offline Method (Backup/Restore)
  - Surviving the Reboot and Failover Testing
  - Basic Troubleshooting Techniques
- Using CTE with PowerTech Antivirus
CTE Agent for Linux Integration Guides
- Installing CTE on Hadoop
  - Overview
  - Implementing CTE on HDFS
    - Create an Encryption Zone in HDFS Name Space for AWS EMR
    - Using the Original Information from HDFS
    - Create an HDFS Host Group and GuardPoint in CipherTrust Manager
    - Adding a New DataNode to a CTE-protected HDFS
    - Configure NameNodes
    - Take a DataNode Offline and Perform Data Transformation
    - Implementing CTE on HDFS on a Single Host
  - Deploy Cloudera Hadoop on CTE
  - HDFS Upgrade with CTE
    - Configure the Hadoop Cluster for CTE
    - Create a CipherTrust Configuration Group
    - Update the Hadoop-env Template with CTE Settings
    - Modify the HDFS IOCTL
    - Change the HDFS File Rename Check
    - User Information Push
    - Uninstalling CTE for the Hadoop Cluster
  - CTE Installation and Configuration
    - Configuring Hadoop to Use CTE
  - Deleting Metadata in HDFS when Migrating Out of LDT
- Using CTE with Oracle
  - Basic Troubleshooting Techniques
    - Verifying Database Encryption
  - Using CTE LDT with Oracle
  - Oracle RAC ASM and ASMLib
    - Important ASM Commands and Concepts
    - Determining Best Method for Encrypting Disks
    - General Prerequisites
    - Specific Prerequisites
  - Oracle RAC ASMLib Multi-Disk Online Method
  - About Oracle RAC ASM Raw Devices
  - Oracle RAC ASM Multi-Disk Online Method
  - Oracle RAC ASM Multi-Disk Offline Method (Backup/Restore)
  - Surviving the Reboot and Failover Testing
  - Using CTE with Oracle ASM Filter Driver
    - Audience
    - Enable Oracle ASMFD for CTE
    - Configure CTE and create a guarded Oracle ASMFD
    - Convert a baseline ASMFD disk group to a CTE guarded ASMFD disk group using the Offline method
    - Convert a baseline ASMFD disk group to a CTE guarded ASMFD disk group using the Online method
    - Uninstall/ Upgrade CTE with active ASMFD Setup
  - Using Oracle with CTE-U
- Integrating and Configuring EDB
- Integration with Pacemaker
  - Performing CTE maintenance with an LDT GuardPoint in a Pacemaker Setup
  - Using CTE with Pacemaker
- Using CTE with SQL Server on Linux on Red Hat 8
- Configuring Support for SAP HANA
- Using CTE with GlusterFS
- NetApp Snapshot Directory
- Using CTE with Quantum StorNext
  - Overview of using CTE with Quantum StorNext
  - CTE and Quantum StorNext Compatibility
  - Setting up CTE and Quantum StorNext Integration
  - Stop secfs Before Upgrading StorNext LAN Clients
- Using CTE with McAfee Endpoint Security for Linux Threat Prevention
- Using CTE with Trend Micro Deep Security Software
- CTE for Cloud Object Storage
  - Overview
  - System and Software Requirements
  - Client Software Requirements
  - CTE COS S3 Installation Overview
  - Install Required Linux Packages
  - Install CTE with COS Service
  - Configure the AWS CLI to use the COS Root CA Certificate
  - Configure the AWS CLI Network Proxy
  - Configure CTE COS S3
  - Configure a CTE COS S3 Role for Guarded Buckets
    - Secure an S3 Bucket with the CTE COS S3 Role
    - Disable the CTE COS S3 Role for an S3 Bucket
  - Guard an AWS Bucket
  - Additional COS Proxy Root CA Certificate Information
  - Protecting Python Programs with CTE
  - Enable COS on an Agent with no COS Service
  - Creating a COS Policy
  - Uninstall COS from an Agent
- CTE-Efficient Storage for Linux
  - Introduction to CTE-Efficient Storage
    - CTE-Efficient Storage Enhanced Storage Arrays
    - Efficient Storage Device Header and CTE Private Region
    - Device Size
    - ES GuardPoint Encryption Keys
    - Policy Requirements for ES GuardPoints
  - Guarding an Efficient Storage Device on Linux
    - Requirements for Efficient Storage GuardPoints on Linux
    - Initialize Linux Efficient Storage Devices
    - Guard the Linux Device with an ES GuardPoint
    - Example of Creating an ES GuardPoint on an Existing Linux Device
  - Guarding a CTE-Efficient Storage Device with Multiple IO Paths on Linux
  - Linux System and ES GuardPoint Administration
    - voradmin ESG Commands on Linux
    - Viewing Device Status and the ES Header on Linux
    - File System Mount Points on Linux
    - Linux System Utilities for Signing
  - Changing the Encryption Key on Linux ESG Devices
  - Resizing Guarded Efficient Storage Devices
    - Example: Resizing a Linux Device
  - Use Cases involving Efficient Storage GuardPoints
    - Use Case 1: Single Encryption Key
    - Use Case 2: Device-Level GuardPoints
    - Use Case 3: Directory-Level GuardPoints
    - Best Practices for the Migration of a legacy Raw Device Guardpoint to an Efficient Storage Guardpoint
    - Migration Prerequisites
    - Migration
    - Use Case 4: Using CTE-Efficient Storage with LVM
  - Alerts and Errors on Linux
- CTE with Teradata Database Appliances
  - IDT-Capable GuardPoints and Teradata Database Appliances
  - Requirements and Considerations
  - Guarding a Teradata Database Device
    - Install CTE on the Teradata Database Appliance
    - Identify the Devices to Be Guarded
    - Select the Initial Configuration Method
    - Initialize and Guard the Database Devices Using the Standard Initialization Method
    - Initialize and Guard the Teradata Database Devices Using the Backup/Restore Method
  - Changing the Encryption Key on Teradata Devices
  - Access Rules to Apply on the Teradata Database Appliance
  - Replication of IDT Metadata Files Across Members of a Clique
  - Best Practices
  - Uninstalling CTE from the Teradata Cluster
  - Alerts and Errors
  - Generating IDT-capable Metadata for Teradata Storage Expansion
- Integrating CTE with an Exasol Database
- Integrating CTE with a Couchbase Database
- Integrating CTE with an EnterpriseDB Postgres Advanced Server
- Integrating CTE with a MongoDB database
- Integrating CTE with an Apache Cassandra database
- Integrating CTE with a Neo4j Database
CTE Agent for Windows Integration Guides
- Using CTE with Microsoft SQL AlwaysOn and SQL File Tables
  - Using CTE with Microsoft SQL
    - Using CTE with SQL
    - Using CTE with SQL FileTables
    - Installing CTE on Microsoft SQL AlwaysOn
    - Data Transformation (Encryption in place)
    - Copy/Restore
    - SQL Server Policy Tuning
  - Using LDT with Microsoft SQL
    - Using LDT with SQL AlwaysOn
    - Using LDT with SQL FILESTREAM
- CTE with DFSR
  - Overview
  - Creating Required DFSR Policy Components
  - Using the Standard Encryption Method
    - Creating Standard Policies for DFSR
    - Creating Standard GuardPoints with the DFSR Hub and Spoke Topology
    - Creating Standard GuardPoints with the DFSR Full Mesh Topology
  - Using the CTE-LDT Encryption Method
    - Creating a CTE-LDT Policy for DFSR
    - Creating a CTE-LDT GuardPoint for DFSR
- Secure Start
  - Secure Start Overview
  - Prerequisites
  - Encrypt by Moving the AD Service into a Guarded Directory
  - Encrypt Data in Place with Offline Transformation
  - Encrypt with an LDT Transformation Policy
  - Configure the Time Out Failure
  - Recover a Server After it Loses Connection to the Key Manager
  - Other Use Cases
  - Best Practices for Encrypting and Protecting the AD Service
- Exchange DAG
  - Exchange DAG Overview
  - CTE Policies for Exchange DAG
    - Creating a Policy for CTE-LDT Encryption with CipherTrust Manager
    - Creating Policies for Standard Encryption with CipherTrust Manager
  - Encrypting with CTE-LDT in an Exchange DAG Environment
  - Encrypting with a Standard CTE Policy in the Exchange DAG Environment
  - Decrypting with CTE-LDT in an Exchange DAG Environment
- Storage Spaces Direct
- Using CTE with Quantum StorNext
  - Overview of using CTE with Quantum StorNext
  - CTE and Quantum StorNext Compatibility
  - Setting up CTE and Quantum StorNext Integration
- CTE-Efficient Storage for Windows
  - Introduction to CTE-Efficient Storage
    - CTE-Efficient Storage Enhanced Storage Arrays
    - Efficient Storage Device Header and CTE Private Region
    - Device Size
    - ES GuardPoint Encryption Keys
    - Policy Requirements for ES GuardPoints
  - Guarding an Efficient Storage Device on Windows
    - Requirements for Efficient Storage GuardPoints on Linux
    - Limitations for ES GuardPoints on Windows
    - Initialize Windows CTE-Efficient Storage Devices
    - Guard the Windows Device with an ES GuardPoint
  - Windows System and ES GuardPoint Administration
  - Changing the Encryption Key for a Windows ES GuardPoint
  - Resizing Guarded Efficient Storage Devices
  - Use Cases involving Efficient Storage GuardPoints
    - Use Case 1: Single Encryption Key
    - Use Case 2: Device-Level GuardPoints
    - Use Case 3: Directory-Level GuardPoints
    - Use Case 4: Full Device Protection
  - Alerts and Errors on Windows
- Encrypt Microsoft OneDrive files with CTE

Basic Troubleshooting Techniques

The following are some of the most common configuration issues that prevent the Oracle ASM configuration from working properly.

If you encountering errors similar to:

ORA-15075: disk(s) are not visible cluster-wide
ORA-15032: not all alterations performed

This could be the result of improper settings for the I/O layer, meaning that your disks are not properly configured.

Perform the following tasks to verify that the settings are correct:

On the CipherTrust Manager, in the Host Group that was created for the RAC cluster, verify that the host group for this configuration does NOT have the Cluster Group option set ( this option is only for GPFS, which is not supported with CTE).
Ensure that the GuardPoints for the block devices are set at the Host Group level. This ensures that each node receives identical GuardPoints.
Verify that the GuardPoints are active on all nodes. When the GuardPoints are set, go to each node and verify that they are set and guarded, using the WebUI or the secfsd –status guard command. If they do not guard correctly, make sure the device names are the same across all nodes.
From ASM, make sure that the asm_diskstring parameter is modified to include the CTE devices and that the proper pathname is used, see Altering ASM_DISKSTRING on ASM.

Verifying Database Encryption

Option 1

The best way to verify the state of the data, without impacting anything in the existing environment, is to use the Oracle kfed command. You can run this command against the native path of the existing GuardPoints and make sure it returns with valid header information. If it returns valid information with the GuardPoint in place, then this confirms that the data is properly encrypted. If it returns with invalid header information, then that indicates that the data is either clear, double encrypted, or not in the expected encrypted state. The syntax for running this command would look similar to the following but will vary based on your environment.

/app/oracle/grid/product/19.0.0/grid/bin/kfed read /dev/<diskName>

If the location is properly encrypted, following is an example of the viewable output:

/app/oracle/grid/product/19.0.0/grid/bin/kfed read /dev/<diskName>

System Response:

kfbh.endian:                          1 ; 0x000: 0x01
kfbh.hard:                          242 ; 0x001: 0xf2
kfbh.type:                          124 ; 0x002: *** Unknown Enum ***
kfbh.datfmt:                         66 ; 0x003: 0x42
kfbh.block.blk:              1088904227 ; 0x004: blk=1088904227
kfbh.block.obj:              1558192170 ; 0x008: file=8234
kfbh.check:                  3321251423 ; 0x00c: 0xc5f6465f
kfbh.fcn.base:                932956641 ; 0x010: 0x379bc9e1
kfbh.fcn.wrap:               3040493590 ; 0x014: 0xb53a4016
kfbh.spare1:                 3806015223 ; 0x018: 0xe2db2ef7
kfbh.spare2:                 3794962182 ; 0x01c: 0xe2328706
60000000000D8000 01F27C42 40E75C23 5CE0202A C5F6465F
[..|B@.\#\. *..F_]
60000000000D8010 379BC9E1 B53A4016 E2DB2EF7 E2328706  [7....:@......2..]
60000000000D8020 CA2F30AD 522B4D21 99292639 004EBB34  [./0.R+M!.)&9.N.4]
60000000000D8030 A3896BE8 BD839D23 2204E19E 946C575C  [..k....#"....lW\]
60000000000D8040 4CE2218F 35E1B101 AF751A70 780E6D6E  [L.!.5....u.px.mn]
60000000000D8050 5E7E6A38 C600ED5F 929047C4 DF372A8E  [^~j8..._..G..7*.]
60000000000D8060 E103152D BA87CC03 11A7D963 9D72FCE1
[...-.......c.r..]
60000000000D8070 1EC6B48B 03EE869F 61D651F9 E7614957  [........a.Q..aIW]
60000000000D8080 810E0353 9C461F49 69569733 501D19EF  [...S.F.IiV.3P...]
60000000000D8090 B268002B 4F9457B6 BDB04AC5 D3D07446  [.h.+O.W...J...tF]
60000000000D80A0 FD9EE5E0 9B46CB66 30D10B22 F63AB77E  [.....F.f0..".:.~]
60000000000D80B0 6FF79075 4BBD1FAD 8F226188 7774300D  [o..uK...."a.wt0.]
60000000000D80C0 A809B6FB E1F1C80B B5760E68 9747D97D  [.........v.h.G.}]
KFED-00322: Invalid content encountered during block traversal: [kfbtTraverseBlock][Invalid OSM block type][][124]

Option 2

The second option to verify the state of the data is to use the dd command. This requires you to specify some blocks and write it out to a file. After this completes, read the file using the strings command. You can do this while the device is in use. In the example below some sectors are skipped and it only dumps 10000 counts.

For example:

dd if=/dev/asm_data2p1 of=/tmp/dd2.out skip=1047 count=10000

Option 3

The third option to verify the state of the data without impacting the existing environment is to use the strings command.

Note

The strings command cannot read a busy or large device.

You can run this command against the native path (/dev/<deviceName>) of the existing GuardPoints (/dev/secvm/dev/<deviceName>). By executing the strings command against the native path strings /dev/devicename | more, this does not go through the SecVM device and therefore is not be decrypted. If it is encrypted the output should contain illegible text.

Basic Troubleshooting Techniques

Verifying Database Encryption

Option 1

Option 2

Option 3

On this page

Suggest A Change