Integrating CTE with an EnterpriseDB Postgres Advanced Server
This document describes how to integrate CTE with an EnterpriseDB (EDB) Postgres Advanced Server.
Test Environment
- CTE Agent: 7.2.0.128
- CipherTrust Manager: 2.9.0
- OS: RHEL 7.9
- EDB Postgres Advanced Server: 14.5
- File System: XFS
Steps
To integrate CTE with an EnterpriseDB Postgres Advanced Server:
Install the Prerequisite Packages
Install the prerequisite packages by performing the following steps on the client machine.
- Log on to the SSH client.
- Run this command.
    yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Now you can install the EDB Postgres Advanced Server.
Install and Configure the EDB Postgres Advanced Server
Before starting the installation and configuration, ensure that the client machine is already registered with RHEL. Perform the following steps.
- Log on to the EDB.
- Go to the EDB Profile section and copy the EDB repository credentials.
- On the SSH client, install the repository configuration package.
    yum -y install https://yum.enterprisedb.com/edbrepos/edb-repo-latest.noarch.rpm
- Update the credentials in the /etc/yum.repos.d/edb.repo file with the copied credentials.
    sed -i "s@<username>:<password>@john:Kh0kVuJg7Wg60Gn1@" /etc/yum.repos.d/edb.repo
- Install the EDB Postgres Advanced Server.
    yum -y install edb-as14-server
  Output:
    Installed:
      edb-as14-server.x86_64 0:14.5.0-1.rhel7
    Dependency Installed:
      edb-as14-pgagent.x86_64 0:4.2.2-1.rhel7
      edb-as14-server-client.x86_64 0:14.5.0-1.rhel7
      edb-as14-server-cloneschema.x86_64 0:1.16-1.rhel7
      edb-as14-server-contrib.x86_64 0:14.5.0-1.rhel7
      edb-as14-server-core.x86_64 0:14.5.0-1.rhel7
      edb-as14-server-devel.x86_64 0:14.5.0-1.rhel7
      edb-as14-server-docs.x86_64 0:14.5.0-1.rhel7
      edb-as14-server-indexadvisor.x86_64 0:14.5.0-1.rhel7
      edb-as14-server-libs.x86_64 0:14.5.0-1.rhel7
      edb-as14-server-llvmjit.x86_64 0:14.5.0-1.rhel7
      edb-as14-server-parallel-clone.x86_64 0:1.9-1.rhel7
      edb-as14-server-pldebugger.x86_64 0:1.1-1.rhel7
      edb-as14-server-plperl.x86_64 0:14.5.0-1.rhel7
      edb-as14-server-plpython3.x86_64 0:14.5.0-1.rhel7
      edb-as14-server-pltcl.x86_64 0:14.5.0-1.rhel7
      edb-as14-server-sqlprofiler.x86_64 0:4.0-1.rhel7
      edb-as14-server-sqlprotect.x86_64 0:14.5.0-1.rhel7
      edb-as14-server-sslutils.x86_64 0:1.3-1.rhel7
    Complete!
  An enterprisedb user will be created.
- Initialize the database cluster.
    PGSETUP_INITDB_OPTIONS="-E UTF-8" /usr/edb/as14/bin/edb-as-14-setup initdb
- Start the database server.
    systemctl start edb-as-14
- Connect to the database server.
  - As the enterprisedb user, open a psql session.
      sudo su - enterprisedb
      /usr/edb/as14/bin/psql -d edb -p 5444
    You can now create a database with tables and enter data in the tables, using simple SQL commands.
- Ensure that the database server is running.
    /usr/edb/as14/bin/pg_ctl status -D /var/lib/edb/as14/data
  Output:
    -bash-4.2$ /usr/edb/as14/bin/pg_ctl status -D /var/lib/edb/as14/data
    pg_ctl: server is running (PID: 43002)
    /usr/edb/as14/bin/edb-postgres "-D" "/var/lib/edb/as14/data"
Install and Register the CTE Agent
- Install the CTE Agent on the client machine where the EDB Postgres Advanced Server is installed and configured.
- Register the CTE Agent with the CipherTrust Manager.
  Refer to CTE - Agent Quick Start Guide for details.
Integrate EDB with CTE
On the SSH client, perform the following steps.
- As a super (root) user, stop the EDB server.
    systemctl stop edb-as-14
- Update the edb-as-14.service file.
  - Navigate to /lib/systemd/system/.
  - Open edb-as-14.service in a text editor.
  - Below the Unit section, add the following line.
      Requires=secfs-fs-barrier.service
  - Save the change and close the file.
- Update the secfs-fs-barrier.service file.
  - Navigate to /lib/systemd/system/.
  - Open secfs-fs-barrier.service in a text editor.
  - At the end of the Before section, add the following line.
      edb-as-14.service
  - Save the change and close the file.
- Reboot the system.
- Stop the EDB server.
- Restart the SecFS.
- Start the EDB server again.
The setup is ready. You can now guard the EDB data and log directories.
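The two unit-file edits above work as a pair: Requires= makes the database unit pull in the barrier unit, and the Before= entry in the barrier unit orders it ahead of the database. The script below is an added example, not part of the original guide or the vendors' tooling, that checks both edits are present; the function names and the sample unit-file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: checks the two unit-file edits described above.

# unit_values FILE KEY: print each value of KEY= in the [Unit] section, one
# per line (a key may carry a space-separated list and may be repeated).
unit_values() {
    awk -v key="$2" '
        /^\[/ { in_unit = ($0 == "[Unit]"); next }
        in_unit && index($0, key "=") == 1 {
            n = split(substr($0, length(key) + 2), v, /[ \t]+/)
            for (i = 1; i <= n; i++) if (v[i] != "") print v[i]
        }' "$1"
}

# unit_has FILE KEY VALUE: succeed if VALUE is listed for KEY in [Unit].
unit_has() {
    unit_values "$1" "$2" | grep -Fxq -- "$3"
}

# check_cte_ordering DIR: succeed only if both edits are present in DIR.
check_cte_ordering() {
    cte_rc=0
    unit_has "$1/edb-as-14.service" Requires secfs-fs-barrier.service || {
        echo "edb-as-14.service: Requires=secfs-fs-barrier.service missing" >&2
        cte_rc=1
    }
    unit_has "$1/secfs-fs-barrier.service" Before edb-as-14.service || {
        echo "secfs-fs-barrier.service: edb-as-14.service not in Before=" >&2
        cte_rc=1
    }
    return "$cte_rc"
}

# Constructed sample unit files (not the real ones) to exercise the check.
demo=$(mktemp -d)
printf '[Unit]\nDescription=sample\nRequires=secfs-fs-barrier.service\n\n[Service]\nType=notify\n' \
    > "$demo/edb-as-14.service"
printf '[Unit]\nBefore=local-fs.target edb-as-14.service\n' \
    > "$demo/secfs-fs-barrier.service"
check_cte_ordering "$demo" && echo "sample unit files: ordering OK"
```

On the host, call check_cte_ordering /lib/systemd/system after making the edits. Files under /lib/systemd/system belong to their packages and can be replaced on upgrade, so the check is worth repeating after updating either package.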
Create the GuardPoints
Perform the following steps on the CTE client.
- On the CTE client, stop the EDB server.
- On the CipherTrust Manager, create the GuardPoints. While creating the GuardPoint:
  - Enter the Path of the data and log directories, which are /var/lib/edb/as14/data and /var/log/edb/as14.
  - Select the Policy Type. You can select either Standard or Live Data Transformation (LDT).
  - Create a User Set with users root and enterprisedb, and give them the permission to perform all Actions and Effects.
  Refer to Creating GuardPoints for details.
- Once the policy is enabled, start the EDB server.