Please Note:

Integrations and Solutions
CTE Agent for AIX Integration Guide
- Using CTE with Oracle
  - CTE on Oracle ACFS Overview
  - Creating an Oracle ASM Disk Group for Guarding
  - Oracle RAC ASM
    - Important ASM Commands and Concepts
    - Determining Best Method for Encrypting Disks
    - General Prerequisites
    - Specific Prerequisites
  - About Oracle RAC ASM Raw Devices
  - Oracle RAC ASM Multi-Disk Online Method
  - Oracle RAC ASM Multi-Disk Offline Method (Backup/Restore)
  - Surviving the Reboot and Failover Testing
  - Basic Troubleshooting Techniques
- Using CTE with PowerTech Antivirus
CTE Agent for Linux Integration Guides
- Installing CTE on Hadoop
  - Overview
  - Implementing CTE on HDFS
    - Create an Encryption Zone in HDFS Name Space for AWS EMR
    - Using the Original Information from HDFS
    - Create an HDFS Host Group and GuardPoint in CipherTrust Manager
    - Adding a New DataNode to a CTE-protected HDFS
    - Configure NameNodes
    - Take a DataNode Offline and Perform Data Transformation
    - Implementing CTE on HDFS on a Single Host
  - Deploy Cloudera Hadoop on CTE
  - HDFS Upgrade with CTE
    - Configure the Hadoop Cluster for CTE
    - Create a CipherTrust Configuration Group
    - Update the Hadoop-env Template with CTE Settings
    - Modify the HDFS IOCTL
    - Change the HDFS File Rename Check
    - User Information Push
    - Uninstalling CTE for the Hadoop Cluster
  - CTE Installation and Configuration
    - Configuring Hadoop to Use CTE
  - Deleting Metadata in HDFS when Migrating Out of LDT
- Using CTE with Oracle
  - Basic Troubleshooting Techniques
    - Verifying Database Encryption
  - Using CTE LDT with Oracle
  - Oracle RAC ASM and ASMLib
    - Important ASM Commands and Concepts
    - Determining Best Method for Encrypting Disks
    - General Prerequisites
    - Specific Prerequisites
  - Oracle RAC ASMLib Multi-Disk Online Method
  - About Oracle RAC ASM Raw Devices
  - Oracle RAC ASM Multi-Disk Online Method
  - Oracle RAC ASM Multi-Disk Offline Method (Backup/Restore)
  - Surviving the Reboot and Failover Testing
  - Using CTE with Oracle ASM Filter Driver
    - Audience
    - Enable Oracle ASMFD for CTE
    - Configure CTE and create a guarded Oracle ASMFD
    - Convert a baseline ASMFD disk group to a CTE guarded ASMFD disk group using the Offline method
    - Convert a baseline ASMFD disk group to a CTE guarded ASMFD disk group using the Online method
    - Uninstall/ Upgrade CTE with active ASMFD Setup
  - Using Oracle with CTE-U
- Integrating and Configuring EDB
- Integration with Pacemaker
  - Performing CTE maintenance with an LDT GuardPoint in a Pacemaker Setup
  - Using CTE with Pacemaker
- Using CTE with SQL Server on Linux on Red Hat 8
- Configuring Support for SAP HANA
- Using CTE with GlusterFS
- NetApp Snapshot Directory
- Using CTE with Quantum StorNext
  - Overview of using CTE with Quantum StorNext
  - CTE and Quantum StorNext Compatibility
  - Setting up CTE and Quantum StorNext Integration
  - Stop secfs Before Upgrading StorNext LAN Clients
- Using CTE with McAfee Endpoint Security for Linux Threat Prevention
- Using CTE with Trend Micro Deep Security Software
- CTE for Cloud Object Storage
  - Overview
  - System and Software Requirements
  - Client Software Requirements
  - CTE COS S3 Installation Overview
  - Install Required Linux Packages
  - Install CTE with COS Service
  - Configure the AWS CLI to use the COS Root CA Certificate
  - Configure the AWS CLI Network Proxy
  - Configure CTE COS S3
  - Configure a CTE COS S3 Role for Guarded Buckets
    - Secure an S3 Bucket with the CTE COS S3 Role
    - Disable the CTE COS S3 Role for an S3 Bucket
  - Guard an AWS Bucket
  - Additional COS Proxy Root CA Certificate Information
  - Protecting Python Programs with CTE
  - Enable COS on an Agent with no COS Service
  - Creating a COS Policy
  - Uninstall COS from an Agent
- CTE-Efficient Storage for Linux
  - Introduction to CTE-Efficient Storage
    - CTE-Efficient Storage Enhanced Storage Arrays
    - Efficient Storage Device Header and CTE Private Region
    - Device Size
    - ES GuardPoint Encryption Keys
    - Policy Requirements for ES GuardPoints
  - Guarding an Efficient Storage Device on Linux
    - Requirements for Efficient Storage GuardPoints on Linux
    - Initialize Linux Efficient Storage Devices
    - Guard the Linux Device with an ES GuardPoint
      - Data Relocation on Existing Linux Devices
      - Data Transformation on Existing Linux Devices
    - Example of Creating an ES GuardPoint on an Existing Linux Device
  - Guarding a CTE-Efficient Storage Device with Multiple IO Paths on Linux
  - Linux System and ES GuardPoint Administration
    - voradmin ESG Commands on Linux
    - Viewing Device Status and the ES Header on Linux
    - File System Mount Points on Linux
    - Linux System Utilities for Signing
  - Changing the Encryption Key on Linux ESG Devices
  - Resizing Guarded Efficient Storage Devices
    - Example: Resizing a Linux Device
  - Use Cases involving Efficient Storage GuardPoints
    - Use Case 1: Single Encryption Key
    - Use Case 2: Device-Level GuardPoints
    - Use Case 3: Directory-Level GuardPoints
      - Challenges with Root Access on Linux
    - Best Practices for the Migration of a legacy Raw Device Guardpoint to an Efficient Storage Guardpoint
    - Migration Prerequisites
    - Migration
    - Use Case 4: Using CTE-Efficient Storage with LVM
  - Alerts and Errors on Linux
- CTE with Teradata Database Appliances
  - IDT-Capable GuardPoints and Teradata Database Appliances
  - Requirements and Considerations
  - Guarding a Teradata Database Device
    - Install CTE on the Teradata Database Appliance
    - Identify the Devices to Be Guarded
    - Select the Initial Configuration Method
    - Initialize and Guard the Database Devices Using the Standard Initialization Method
    - Initialize and Guard the Teradata Database Devices Using the Backup/Restore Method
  - Changing the Encryption Key on Teradata Devices
  - Access Rules to Apply on the Teradata Database Appliance
  - Replication of IDT Metadata Files Across Members of a Clique
  - Best Practices
  - Uninstalling CTE from the Teradata Cluster
  - Alerts and Errors
  - Generating IDT-capable Metadata for Teradata Storage Expansion
- Integrating CTE with an Exasol Database
- Integrating CTE with a Couchbase Database
- Integrating CTE with an EnterpriseDB Postgres Advanced Server
- Integrating CTE with a MongoDB database
- Integrating CTE with an Apache Cassandra database
- Integrating CTE with a Neo4j Database
CTE Agent for Windows Integration Guides
- Using CTE with Microsoft SQL AlwaysOn and SQL File Tables
  - Using CTE with Microsoft SQL
    - Using CTE with SQL
    - Using CTE with SQL FileTables
      - Supported FileTables Use Cases
      - Unsupported FileTables Use Cases
    - Installing CTE on Microsoft SQL AlwaysOn
    - Data Transformation (Encryption in place)
    - Copy/Restore
    - SQL Server Policy Tuning
  - Using LDT with Microsoft SQL
    - Using LDT with SQL AlwaysOn
    - Using LDT with SQL FILESTREAM
- CTE with DFSR
  - Overview
  - Creating Required DFSR Policy Components
  - Using the Standard Encryption Method
    - Creating Standard Policies for DFSR
    - Creating Standard GuardPoints with the DFSR Hub and Spoke Topology
    - Creating Standard GuardPoints with the DFSR Full Mesh Topology
  - Using the CTE-LDT Encryption Method
    - Creating a CTE-LDT Policy for DFSR
    - Creating a CTE-LDT GuardPoint for DFSR
- Secure Start
  - Secure Start Overview
  - Prerequisites
  - Encrypt by Moving the AD Service into a Guarded Directory
  - Encrypt Data in Place with Offline Transformation
  - Encrypt with an LDT Transformation Policy
  - Configure the Time Out Failure
  - Recover a Server After it Loses Connection to the Key Manager
  - Other Use Cases
  - Best Practices for Encrypting and Protecting the AD Service
- Exchange DAG
  - Exchange DAG Overview
  - CTE Policies for Exchange DAG
    - Creating a Policy for CTE-LDT Encryption with CipherTrust Manager
    - Creating Policies for Standard Encryption with CipherTrust Manager
  - Encrypting with CTE-LDT in an Exchange DAG Environment
  - Encrypting with a Standard CTE Policy in the Exchange DAG Environment
  - Decrypting with CTE-LDT in an Exchange DAG Environment
- Storage Spaces Direct
- Using CTE with Quantum StorNext
  - Overview of using CTE with Quantum StorNext
  - CTE and Quantum StorNext Compatibility
  - Setting up CTE and Quantum StorNext Integration
- CTE-Efficient Storage for Windows
  - Introduction to CTE-Efficient Storage
    - CTE-Efficient Storage Enhanced Storage Arrays
    - Efficient Storage Device Header and CTE Private Region
    - Device Size
    - ES GuardPoint Encryption Keys
    - Policy Requirements for ES GuardPoints
  - Guarding an Efficient Storage Device on Windows
    - Requirements for Efficient Storage GuardPoints on Linux
    - Limitations for ES GuardPoints on Windows
    - Initialize Windows CTE-Efficient Storage Devices
    - Guard the Windows Device with an ES GuardPoint
  - Windows System and ES GuardPoint Administration
  - Changing the Encryption Key for a Windows ES GuardPoint
  - Resizing Guarded Efficient Storage Devices
  - Use Cases involving Efficient Storage GuardPoints
    - Use Case 1: Single Encryption Key
    - Use Case 2: Device-Level GuardPoints
    - Use Case 3: Directory-Level GuardPoints
    - Use Case 4: Full Device Protection
  - Alerts and Errors on Windows
- Encrypt Microsoft OneDrive files with CTE

Integrating CTE with a Couchbase Database

This document describes how to integrate CTE with a Couchbase database.

Test Environment

CTE Agent: 7.2.0.128
CipherTrust Manager: 2.8.0
OS: RHEL/CentOS 8.2
Couchbase: 7.1
File System: XFS

System Requirement Specifications

RAM: 16 GB
Storage: 32 GB
CPU: 3 GHz

Steps

To integrate CTE with a Couchbase database:

Create a Couchbase Cluster
Install and Register the CTE Agent
Create the GuardPoints
Create a Bucket and Run N1QL Query

Create a Couchbase Cluster

Create a Couchbase cluster of one or more nodes. You will install Couchbase Server and CTE Agent on these nodes.

Perform the following steps on all the nodes:

Log on to the SSH client.

Install the Couchbase Server.

dnf install -y https://packages.couchbase.com/releases/couchbase-release/couchbase-release-1.0-x86_64.rpm
dnf install -y couchbase-server

Output:

[root@NOIENC1PFL—IR30 ~]# rpm -qa | grep couch
couchbase-server-7.1.1-3175.x86_64
couchbase-release-1.0-11.x86_64

Ensure that the couchbase-server service is running.

service couchbase-server status

Output:

[root@NOIENC1PFL—IR3O ~]# service couchbase—server status
Redirecting to [bin/systemctl status couchbase-server.service
o couchbase—server.service — Couchbase Server
Loaded: loaded (/usr/lib/systemd/system/couchbase—server.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2022-07-28 10:28:39 IST; 1 months 15 days ago
Docs: httgs:[zdocs.couchbase.com
Main PID: 2577 (beam.smp)
Tasks: 424 (limit: 23815)
Memory: 1.36
CGroup: /system.slice/couchbase—server.service
        |-2577 /opt/couchbase/lib/erlang/erts—12.1.5/bin/beam.smp -A 16 -sbwt none -- -root /opt/couchbase/lib/erlan
        |-2600 /opt/couchbase/lib/erlang/erts-12.1.5/bin/epmd -daemon
        |-2681 erl_chi1d_setup 200000
        |-2701 /opt/couchbase/bin/gosecrets
        |-2705 /opt/couchbase/lib/erlang/erts-12.1.5/bin/beam.smp -A 16 -sbt u -P 327680 -K true -swt low -sbwt none
        |-2727 er1_chi1d_setup 200000
        |-2746 sh -s disksup
        |-2748 /opt/couchbase/lib/erlang/lib/os_mon—2.7.1/priv/bin/memsup
        |-2749 /opt/couchbase/lib/erlang/lib/os_mon—2.7.1/priv/bin/cpu_sup
        |-2750 portsigar for ns_1@cb.local 2577

Initialize the node.

/opt/couchbase/bin/couchbase-cli node-init -c <Node_IP> -u <USERNAME> -p <PASSWORD> --node-init-data-path /opt/couchbase/var/lib/couchbase/data --node-init-index-path /opt/couchbase/var/lib/couchbase/data --node-init-eventing-path /opt/couchbase/var/lib/couchbase/data --node-init-analytics-path /opt/couchbase/var/lib/couchbase/data --ipv4

Output:

[root@NOIENC1PFL-IR30 ~]# /opt/couchbase/bin/couchbase-cli node-init -c 10.164.11.191 -u placeholdername -p placeholderpwd --node-init-data-path /opt/couchbase/var/lib/couchbase/data --node-init-index-path /opt/couchbase/var/Iib/couchbase/data --node-init-eventing-path /opt/couchbase/var/lib/couchbase/data --node-init-analytics-path /opt/couchbase/var/lib/couchbase/data --ipv4
SUCCESS: Node initialized
[root@NOIENC1PFL-IR30 ~]#

After initializing all the nodes to be part of the cluster:

Create the cluster on one of the nodes.

/opt/couchbase/bin/couchbase-cli cluster-init -c 10.164.11.191 --cluster-username <CLUSTER_USERNAME> --cluster-password <CLUSTER_PASSWORD> --services data,index,query --cluster-ramsize 512 --cluster-index-ramsize 256

Output:

[root@NOIENC1PFL-IR30 ~]# /opt/couchbase/bin/couchbase-cli cluster-init -c 10.164.11.191 --cluster-username admin --cluster-password pvlinux --services data,index,query --cluster-ramsize 512 --cluster-index-ramsize 256
SUCCESS: Cluster initialized
[root@NOIENC1PFL-IR30 ~]#

Note

The ramsize of the data, index, and other files can be changed according to the system availability.

Add the remaining nodes to the cluster.

/opt/couchbase/bin/couchbase-cli server-add -c 10.164.11.191:8091 --username <CLUSTER_USERNAME> --password <CLUSTER_PASSWORD> --server-add 10.164.14.158 --server-add-username someName --server-add-password somePassword --services data

Note

Disable and stop the firewall on all the nodes.

Output:

[root@NOIENC1PFL-IR30 ~]# /opt/couchbase/bin/couchbase-cli server-add -c 10.164.11.191:8091 --username admin --password pvlinux --server-add 10.164.14.158 --server-add-username someName --server-add-password somePassword --services data
SUCCESS: Server added
[root@NOIENC1PFL-IR30 ~]#

Rebalance all the nodes from any node.

/opt/couchbase/bin/couchbase-cli rebalance -c 10.164.11.191:8091 --username <CLUSTER_USERNAME> --password <CLUSTER_PASSWORD>

Output:

[root@NOIENC1PFL-IR30 ~]# /opt/couchbase/bin/couchbase-cli rebalance -c 10.164.11.191:8091 --username admin --password pvlinux
SUCCESS: Rebalance complete
[root@NOIENC1PFL-IR30 ~]#

Note

Couchbase recommends to rebalance the nodes when they are added or removed, and on failover.

Ensure that all the nodes are in a healthy state.

/opt/couchbase/bin/couchbase-cli server-list -c localhost:8091 --username <CLUSTER_USERNAME> --password <CLUSTER_PASSWORD>

Output:

[root@NOIENC1PFL-IR30 ~]# /opt/couchbase/bin/couchbase-cli server-list -c localhost:8091 --username admin --password pvlinux
ns_1@10.164.11.191 10.164.11.191:8091 healthy active
ns_1@10.164.11.203 10.164.11.203:8091 healthy active
ns_1@10.164.14.158 10.164.14.158:8091 healthy active
[root@NOIENC1PFL-IR30 ~]#

The sample output above shows that all the nodes are healthy.

Install and Register the CTE Agent

Install the CTE Agent on all nodes of the Couchbase cluster.
Register the CTE Agent with the CipherTrust Manager.

Refer to CTE - Agent Quick Start Guide for details.

Create the GuardPoints

Perform the following steps on all the cluster nodes.

On the CTE client, stop the Couchbase service.
```
service couchbase-server stop
```
On the CipherTrust Manager, create the GuardPoint. While creating the GuardPoint:
- Enter the Path of the important Couchbase database, for example, /opt/couchbase/var/lib/couchbase/data/.
- Select the Policy Type as Standard.
  
  Note
  • If the Couchbase buckets are already created, Dataxform needs to be performed.
  • You can also create LDT policy.
- Create a User Set with users root and couchbase, and give them the permission to perform all Actions and Effects.
Refer to Creating GuardPoints for details.

Ensure that the GuardPoint status is guarded on the CTE client.

secfsd -status guard

Output:

[root@N01ENC1PFL-IR30 data]# secfsd -status guard

GuardPoint                                  Policy                  Type        ConfigState     Status      Reason
----------                                  ------                  ----        -----------     ------      ------
/opt/couchbase/var/liblcouchbase/data       production_policy       local       guarded         guarded     N/A
[root@N01ENC1PFL-IR30 data]#

Create a Bucket and Run N1QL Query

Log on to the Couchbase Web Console.
Create a new bucket. Refer to the Couchbase documentation for details.

Alternatively, you can use an existing sample bucket.

On any CTE client, check for the newly created bucket in the bucket list.

/opt/couchbase/bin/couchbase-cli bucket-list -c localhost:8091 --username admin --password pvlinux

Output:

[root@NOIENC1PFL-IR30 ~]# /opt/couchbase/bin/couchbase-cli bucket-list -c localhost:8091 --username admin --password pvlinux
travel-sample
bucketType: membase
numReplicas: 1
ramQuota: 629145600
ramUsed: 55536304
[root@NOIENC1PFL-IR30 ~]#

Perform an operation on the bucket by running an N1QL query.

/opt/couchbase/bin/cbq -u=admin
select name from `travel-sample` WHERE type="airline" LIMIT 1;

Output:

[root@NOIENC1PFL-IR30 ~]# /opt/couchbase/bin/cbq -u=admin
 Enter Password:
 Connected to : http://localhost:8091/. Type Ctrl-D or \QUIT to exit.

 Path to history file for the shell : /root/.cbq_history
cbq> select name from `travel-sample` WHERE type="airline"  LIMIT 1;
{
    "requestID": "54f7edb8-4511-49f2-bead-8393e62d60d3",
    "signature": {
        "name": llj0.sonll
    },
    "results": [
    {
        "name": "40-Mile Air"
    }
    ],
    "status": "success",
    "metrics": {
    "elapsedTime": "27.916695ms",
    "executionTime": "27.827434ms",
    "resultCount": 1,
    "resultSize": 37,
    "serviceLoad": 12
    }
}
cbq>

Integrating CTE with a Couchbase Database

Test Environment

System Requirement Specifications

Steps

Create a Couchbase Cluster

Install and Register the CTE Agent

Create the GuardPoints

Create a Bucket and Run N1QL Query

On this page

Suggest A Change