Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

CTE with Teradata Database Appliances

Requirements and Considerations

search

Please Note:

Requirements and Considerations

Location of the CTE Private Region

The CTE Private Region contains the metadata CTE requires in order to support initial transformation of data on the device and subsequent data transformation to other encryption keys. By default, CTE creates the CTE Private Region at the beginning of the guarded device. If data already exists on the device, CTE requires that the device be expanded by 63 MB to make room for the CTE Private Region. The existing data in the first 63MB of the device is then migrated into the expanded space and the beginning of the device is reserved for the CTE metadata. This data relocation is completely transparent to applications and users.

With a Teradata Database Appliance, however, CTE cannot create the CTE Private Region at the beginning of the Teradata pdisk devices because the disks in the Appliance cannot be expanded. Therefore, for Teradata Databases, CTE stores the metadata in a special directory called the CTE Metadata Directory located at: /var/opt/teradata/vormetric/vte-metadata-dir. This directory contains all of the metadata for every Teradata Database device that is protected by CTE.

While this does not affect the functionality of CTE, it does affect the way administrators need to back up the Teradata Database because both the Teradata Database and the metadata directory must be backed up together. You will not be able to restore a Teradata Database without access to the associated metadata in the CTE metadata directory.

Metadata File Access and Teradata Clusters

A Teradata cluster can contain multiple hosts. The members of a cluster that share access to pdisk devices belong to a clique. When you create an IDT-Capable GuardPoint on a pdisk, the metadata for that GuardPoint must be available to all members of the clique. CTE automatically replicates the metadata files across the members of a clique when the metadata is created or changed. For details, see Replication of IDT Metadata Files Across Members of a Clique.

Additional Requirements and Considerations

  • The Teradata kernel must be at minimum version 4.4.140-96.54.TDC-default on every node of the Teradata Database Appliance on which you plan to install CTE. Refer to the release notes document for CTE releases for compatibility requirements between the kernel releases from Teradata, and the CTE releases.

    • Be sure the version of the Teradata Database is fully compatible with CTE.
    • The Parallel Upgrade Tool (PUT) component of Teradata Database has been enhanced to discover CTE protected devices. The Parallel Upgrade Tool (PUT) component of Teradata (TDput) must be version TDput-03.09.06.09 or higher. This PUT component must be available in your Teradata Database.
    • The Parallel Database Extensions (PDE) component of Teradata (ppde) must be version ppde-16.20.53.07 or higher. This PDE component must be available in your Teradata Database.
    • The Teradata I/O Scheduler (tdsched) component must be version 01.04.02.02-1 or higher. This I/O Scheduler component must be available in your Teradata Database.
    • Contact your Teradata Customer Support Representative if you are unsure of the availability of this functionality in your Teradata cluster.

  • The CTE Agent must be installed in /opt/teradata/vormetric on every node in the Teradata cluster. In order to specify this location, use the -d option when installing CTE. For example:

     ./vee-fs-7.3.0-135-sles12-x86_64.bin -d /opt/teradata/vormetric

    The CTE Agent can be installed without stopping the Teradata Database service.

  • The CTE metadata directory /var/opt/teradata/vormetric/vte-metadata-dir must be guarded by the DSM/CM Administrator to prevent accidental modification or deletion of the CTE metadata files. If the CTE metadata directory is not guarded, any attempt to configure or enable an IDT-Capable GuardPoint on the Teradata appliance will be rejected.

    The standard CTE policy associated with the metadata directory must:

    • Deny all users (including the root user) the ability to modify or remove any files in the metadata directory.

    • Specify the key clear_key in the key rule so that the metadata is stored in clear text.

    • The following table displays how to set up your policy for guarding the CTE metadata directory:
      Security Rules
      Action Effect
      Read Permit, Audit
      all_ops Deny, Audit
      Key Selection Rules
      Key
      clear_key

  • Stop the Teradata Database service when upgrading an existing CTE Agent installation, type:

     tpareset -x Stopping Database

  • Stop the Teradata Database service so that CTE can rekey any guarded devices. The service must remain stopped until CTE has finished rekeying all of the guarded devices on the appliance.

On this page