Specific Prerequisites
Establishing a Starting Point
In many production environments, the RAC nodes have not had their services restarted, or been fully rebooted, for a very long time. As a result, the actual state of the RAC cluster, and whether it can survive a reboot on its own, may be unknown before CTE is installed.
A restart can uncover issues in the RAC environment that are unrelated to CTE. To keep such issues from being mistaken for CTE problems, Thales recommends that you restart each RAC node AFTER CTE is installed and PRIOR to establishing any GuardPoints. This may not be feasible in a single-node configuration. Where it is, the restart happens while CTE is installed but not yet guarding anything, so you can confirm that the platform comes back in a working state before you start.
The Importance of Device Mapping
Consistent device naming and mapping matters in a multi-node RAC configuration. Before applying any GuardPoints, verify the device names on each RAC node to confirm that the same name refers to the same physical disk on every node. Thales recommends that all RAC nodes use the same device names. If they do not match, problems can occur, because a GuardPoint is applied by device path and the same path would then refer to different disks on different nodes.
If the RAC nodes use the same device names, use a Host Group to create GuardPoints. If they do not match, do not use a Host Group to create GuardPoints. Set them up independently on each Host.
Important Note about Raw Devices on UNIX
In general, raw devices are created as either character or block mode devices. I/O performed on a character device is unbuffered, while I/O on a block device is buffered and performed in defined block sizes (for example, 4K bytes).
While the Oracle documentation for using ASM with raw devices indicates that you can use either character or block devices, CTE REQUIRES a block device for guarding.
• Attempting to apply a GuardPoint on a character device that does not have a corresponding block device may result in a GuardPoint that never encrypts data. The status of the GuardPoint never shows as guarded.
• The WebUI does not support browsing for the character devices. You would need to manually paste the name into the WebUI.
Block Device Support
CipherTrust Transparent Encryption Userspace block device support requires that the underlying kernel supports direct I/O mode for loop devices (LOOP_SET_DIRECT_IO) in order to properly flush and retrieve data from a disk. This support was not added to the kernel loop driver until kernel 4.10. A distribution with a lower kernel version may cache data improperly and should therefore not be used in a multi-node setup that shares block devices, because stale data may be returned to the application.