Integrating CTE with an Exasol Database
This document describes how to integrate CTE with an Exasol database.
Test Environment
-
CTE Agent: 7.2.0.128
-
CipherTrust Manager: 2.8.0
-
OS: RHEL/CentOS 7.9
-
Exasol DB: 7.1.12
-
File System: LVM (raw device)
Steps
To integrate CTE with an Exasol database:
Install and Register the CTE Agent
-
Install the CTE Agent on the client machine where the Exasol database is configured.
-
Register the CTE Agent with the CipherTrust Manager.
Refer to CTE - Agent Quick Start Guide for details.
Configure the Client Settings
-
Log on to the CipherTrust Manager.
-
Open the Transparent Encryption application.
-
Go to Clients > Client and select the Client. This is the client machine where the Exasol database is configured.
-
Click Client Settings.
-
In the Settings field, add the
hddident
andcos_storage
processes as authenticators.|authenticator|/7.1.12/image/usr/opt/EXASuite-7/EXAClusterOS-7.1.12/sbin/hddident |authenticator|/7.1.12/image/usr/opt/EXASuite-7/EXAClusterOS-7.1.12/libexec/cos_storage
-
Click Apply.
Back up the Exasol Database
Now, on the CTE client (like PuTTY or MobaXterm), back up the Exasol database. To do so:
-
Log on to an SSH client.
-
Run the following commands:
cd ExasolSetup/ ssh -i id_rsa -p 2233 localhost dwad_client storage-backup PROD_A dwad_client pdd-proc PROD_A dwad_client stop-wait PROD_A
Delete the Exasol Database
After backing up, delete the Exasol database that includes the EXAStorage volumes and disks, and then stop the Exasol service. On an SSH client, run the following commands:
dwad_client stop-wait PROD_A i.e, dwad_client stop <DB_NAME>
dwad_client del PROD_A
csinfo -v
csvol -d -v 0
csinfo -H
cshdd -r -h /dev/exa1/lvol0 -n 11
logout
systemctl stop exasol
Create a GuardPoint
Create the required GuardPoint on the CTE client from the CipherTrust Manager GUI. While creating the GuardPoint:
-
Select the Type of the device as Auto Raw or Block Device.
-
Enter the Path of the logical volume, for example,
/dev/exa1/lvol0
. -
Select the Policy Type as Standard.
-
Create a User Set named
root
and grant it the permission to perform all Actions and Effects.
Refer to Creating GuardPoints for details.
Update the Secvm Device
On the SSH client:
-
Run the following command:
secfsd -status devmap
The output similar to the following is displayed:
Secvm Device Native Device ------------ ------------- /dev/secvm/dev/exa1/lvol0 /dev/exa1/lvol0
In the above sample output,
/dev/secvm/dev/exa1/lvol0
is the Secvm device. -
Copy the Secvm device.
-
Delete the metadata from the
/7.1.12/exa/metadata
folder.cd /7.1.12/exa/metadata/ rm -rf *
It is recommended to delete the metadata before updating the Secvm device.
-
Update the Secvm device in the
EXAConf
file.-
Navigate to
/7.1.12/exa/etc/
. -
Open the
EXAConf
file in a text editor. -
Search for
Disk
, and update the Devices entry with the copied Secvm device.[Node : 11] PrivateNet = 10.164.13.247/24 PublicNet = Name = n11 Affinity = 11 UUID= 159D338FDBOBA36BACF2CC104224C683D33726E8 DockerVolume = n11 ExposedPorts = 8563:8574, 2580:2591 [[Disk disk1]] Devices = /dev/secvm/dev/exa1/lvole
-
Search for
Checksum
and set the value of Checksum as COMMIT. -
Save the changes and close the file.
-
-
Start the Exasol service by running
systemctl start exasol
. -
Verify the status of the Exasol service by running
systemctl status exasol
. The status must beactive (running)
.
Restore the Exasol Database
On the CTE client, restore the Exasol database by running the following commands:
dwad_client pdd-restore PROD_A
dwad_client storage-restore PROD_A
dwad_client pdd-proc PROD_A
Validations
-
Start a new session on the SSH client.
-
Encrypt the data on the initial device by running
strings /dev/exa1/lvol0|more
.f~N# pU_t H9rg,1 UcEa \>,u B ~ A 9DQ& YsE# kel4X =:69m hdHA k\$< |HUI| rpt7 ‘YI&? * 8! g#,—Bzw _w_0aV y7zk B#+9 --More--
-
Encrypt the data on the guarded device by running
strings /dev/secvm/dev/exa1/lvol0|more
for the following:-
Policy with
all_ops
action, andPermit
andApplyKey
effects.ID =159D338FDBOBA36BACF2CC104224C683D33726E8 NAME =/dev/secvm/dev/exa1/lvolo STORAGE =CSR_4096_7855104_2 FORMATED =YES CHECKSUM =bcc800bd0f72aee46daf4f8cdf8fef4e persistent (256K)
-
Policy with
all_ops
action andPermit
effect.cL]b uzx=3 -B=IQ_ 1vaT# _"a% YkFL 3So@ g@Cp !HtIZ}I RA3N2V xC~oP( f~N# pU_t H9rg,1 UcEa \>,u B ~ A 9DQ& YsE# kel4X =:69m hdHA k\$< |HUI| rpt7 ‘YI&? * 8! g#,—Bzw _w_0aV y7zk B#+9 --More--
-
Policy with
all_ops
action andDeny
effect.[root@NOIENC1PFL-IR22 ~]# strings /dev/secvm/dev/exa1/1v010[more strings: /dev/secvm/dev/exa1/1v010: Permission denied [r00t@NOIENC1PFL-IR22 ~]# I
Refer to Security Rules for more information on actions and effects.
-
-
Encrypt the data on the original hard disk (excluding the disk headers) by running
strings /dev/sdc|more
.creation_time = 1661854578 creation_host = "NOIENC1PFL-IR22" segment_count = 1 segment1 { start_extent = 0 extent_count = 7680 type="striped" stripe_count = 1 stripes "pv0", 0 [ # Generated by LVM2 version 2.02.187(2)-RHEL7 (2020-03-24): Tue Aug 30 15:46:18 2022 contents = "Text Format Volume Group" version = 1 description="" creation_host = "NOIENC1PFL-IR22" creation_time = 1661854578 CLJb uzx=3 -B=10 1wRvT# ^a% YkFL 3So@ g@cp ;NzH <01 ((6k @x/1g BaP>'> tn/q d)W2 ar1;
• LDT is not tested as LDT does not support raw devices.
• Initial data transformation is not required as the data is deleted during the Exasol installation.