Please Note:

Integrations Guides
CTE Agent AIX Integration Guides
- Using CTE with Oracle
  - CTE on Oracle ACFS Overview
  - Creating an Oracle ASM Disk Group for Guarding
  - Oracle RAC ASM
    - Important ASM Commands and Concepts
    - Determining the Best Method for Encrypting Disks
    - General Prerequisites
    - Specific Prerequisites
  - About Oracle RAC ASM Raw Devices
  - Oracle RAC ASM Multi-Disk Online Method
  - Oracle RAC ASM Multi-Disk Offline Method (Backup/Restore)
  - Surviving the Reboot and Failover Testing
  - Basic Troubleshooting Techniques
- Using CTE with PowerTech Antivirus
CTE Agent Linux Integration Guides
- Installing CTE on Hadoop
  - Overview
  - Implementing CTE on HDFS
    - Create an Encryption Zone in HDFS Name Space for AWS EMR
    - Using the Original Information from HDFS
    - Create an HDFS Host Group and GuardPoint in CipherTrust Manager
    - Adding a New DataNode to a CTE-protected HDFS
    - Configure NameNodes
    - Take a DataNode Offline and Perform Data Transformation
    - Implementing CTE on HDFS on a Single Host
  - Deploy Cloudera Hadoop on CTE
  - HDFS Upgrade with CTE
    - Configure the Hadoop Cluster for CTE
    - Create a CipherTrust Configuration Group
    - Update the Hadoop-env Template with CTE Settings
    - Modify the HDFS IOCTL
    - Change the HDFS File Rename Check
    - User Information Push
    - Uninstalling CTE for the Hadoop Cluster
  - CTE Installation and Configuration
    - Configuring Hadoop to Use CTE
  - Deleting Metadata in HDFS when Migrating Out of LDT
- Integrating File Activity Monitoring (FAM) with CTE Linux
- Using CTE with Oracle
  - Basic Troubleshooting Techniques
    - Verifying Database Encryption
  - Using CTE LDT with Oracle
  - Oracle RAC ASM and ASMLib
    - Important ASM Commands and Concepts
    - Determining Best Method for Encrypting Disks
    - General Prerequisites
    - Specific Prerequisites
  - Oracle RAC ASMLib Multi-Disk Online Method
  - About Oracle RAC ASM Raw Devices
  - Oracle RAC ASM Multi-Disk Online Method
  - Oracle RAC ASM Multi-Disk Offline Method (Backup/Restore)
  - Surviving the Reboot and Failover Testing
  - Using CTE with Oracle ASM Filter Driver
    - Audience
    - Enable Oracle ASMFD for CTE
    - Configure CTE and create a guarded Oracle ASMFD
    - Convert a baseline ASMFD disk group to a CTE guarded ASMFD disk group using the Offline method
    - Convert a baseline ASMFD disk group to a CTE guarded ASMFD disk group using the Online method
    - Uninstall/ Upgrade CTE with active ASMFD Setup
  - Using Oracle with CTE-U
- Integrating and Configuring EDB
- Integration with Pacemaker
  - Performing CTE maintenance with an LDT GuardPoint in a Pacemaker Setup
  - Using CTE with Pacemaker
- Using CTE with SQL Server on Linux on Red Hat 8
- Configuring Support for SAP HANA
- Using CTE with GlusterFS
- NetApp Snapshot Directory
- Using CTE with Quantum StorNext
  - Overview of using CTE with Quantum StorNext
  - CTE and Quantum StorNext Compatibility
  - Setting up CTE and Quantum StorNext Integration
  - Stop secfs Before Upgrading StorNext LAN Clients
- Using CTE with McAfee Endpoint Security for Linux Threat Prevention
- Using CTE and Database Activity Monitoring (DAM) Simultaneously
- Using CTE with Trend Micro Deep Security Software
- CTE for Cloud Object Storage
  - COS Overview and Requirements
  - CTE COS S3 Installation Overview
  - Configure the AWS CLI to use the COS Root CA Certificate
  - Guard an AWS Bucket
  - Using a COS Proxy Root CA Certificate Information
  - Protecting Python Programs with CTE
  - Enable COS on an Agent with no COS Service
  - Creating a COS Policy
- CTE with Teradata Database Appliances
  - IDT-Capable GuardPoints and Teradata Database Appliances
  - Requirements and Considerations
  - Guarding a Teradata Database Device
    - Install CTE on the Teradata Database Appliance
    - Identify Devices to be Guarded with IDT-Capable GuardPoints
    - Select the Initial Configuration Method
    - Initialize and Guard the Database Devices Using the Standard Initialization Method
    - Automating and Reducing the Duration of Initial Data Transformation
    - Automating and Reducing the Duration of the Subsequent Data Transformations
    - Initialize and Guard the Teradata Database Devices Using the Backup/Restore Method
  - Changing the Encryption Key on Teradata Devices
  - Access Rules to Apply on the Teradata Database Appliance
  - Replication of IDT Metadata Files Across Members of a Clique
  - Best Practices
  - Uninstalling CTE from the Teradata Cluster
  - Alerts and Errors
  - Generating IDT-capable Metadata for Teradata Storage Expansion
- Confidential Computing: Integrating Intel® Tiber™ Trust Services and Intel TDX, with Microsoft Azure or Google Cloud Platform
- Integrating with Intel® Tiber™ Trust Services and Intel TDX for Confidential Computing
CTE Agent Windows Integration Guides
- Using CTE with Microsoft SQL AlwaysOn and SQL File Tables
  - Boot Order for MSSQL with CTE for Windows
  - Using CTE with Microsoft SQL
    - Using CTE with SQL
    - Using CTE with SQL FileTables
    - Installing CTE on Microsoft SQL AlwaysOn
    - Data Transformation (Encryption in place)
    - Copy/Restore
    - SQL Server Policy Tuning
  - Using LDT with Microsoft SQL
    - Using LDT with SQL AlwaysOn
    - Using LDT with SQL FILESTREAM
    - Guarding SQL Server FileTable databases with LDT
- Integrating Imperva File Activity Monitoring (FAM) with CTE Windows
- CTE with Microsoft DFSR
  - Overview
  - Terminology and Topology
  - Configure DFS(R)
  - CTE Configuration Workflow
  - Creating Required DFS(R) Policy Components
  - Using the Standard Encryption Method
    - Creating Standard Policies for DFS(R)
    - Creating Standard GuardPoints with the DFS(R) Hub and Spoke Topology
    - Creating Standard GuardPoints with the DFS(R) Full Mesh Topology
  - Using the LDT Encryption Method
    - Creating an LDT Policy for DFS(R)
    - Creating a LDT GuardPoint for DFS(R)
    - CTE QoS Throttling and Rekey Scheduling
  - Troubleshooting
  - CTE Client Groups
- Encrypt Active Directory Database with Secure Start
  - Secure Start Overview
  - Prerequisites
  - Encrypt by Moving the AD Service into a Guarded Directory
  - Encrypt Data in Place with Offline Transformation
  - Encrypt with an LDT Transformation Policy
  - Configure the Time Out Failure
  - Recover a Server After it Loses Connection to the Key Manager
  - Other Use Cases
  - Best Practices for Encrypting and Protecting the AD Service
- Exchange DAG
  - Exchange DAG Overview
  - CTE Policies for Exchange DAG
    - Creating a Policy for LDT Encryption with CipherTrust Manager
    - Creating Policies for Standard Encryption with CipherTrust Manager
  - Encrypting with LDT in an Exchange DAG Environment
  - Encrypting with a Standard CTE Policy in the Exchange DAG Environment
  - Decrypting with LDT in an Exchange DAG Environment
- Storage Spaces Direct
- Using CTE with Quantum StorNext
  - Overview of using CTE with Quantum StorNext
  - CTE and Quantum StorNext Compatibility
  - Setting up CTE and Quantum StorNext Integration
- Setting up Microsoft DPM with CTE

Performing CTE maintenance with an LDT GuardPoint in a Pacemaker Setup

Unguard the LDT GuardPoint with Pacemaker setup

Stop the SQL server, type:
```
    sudo systemctl stop mssql-server
```

Delete the existing resource constraints from LDT and the colocation from the Pacemaker setup.

Example

A. If it exists, get the ID of the PCS constraint co-location. In the example below the, ID is: co-location_set_msmsmt

    sudo pcs constraint show --full
    .
    .
    .
    Resource Sets:
    set mssql_fs mssql_gpfs mssql_gpldt sequential=false (id:co-location_set_msmsmt_set) setoptions score=INFINITY (id:co-location_set_msmsmt)

B. Remove the PCS constraint co-location and PCS resource, type:

    sudo pcs constraint remove co-location_set_msmsmt
    sudo pcs resource delete mssql-ldtmgp

Expected Result: Current LDT GuardPoint status should be now be: unguarded.

Example

secfsd -status guard

Response

GuardPoint          Policy                          Type    ConfigState  Status       Reason
----------          ------                          ----    -----------  ------       ------
/var/opt/mssql/LDT  LDT_clear_to_CS1_aes256_onhost  manual  unguarded    not guarded  Inactive

Unguard the LDT GuardPoint from the Cluster Host Group in CipherTrust Manager.

Expected Result: The LDT GuardPoint should no longer be displayed when secfsd -status guard is executed.

Perform CTE maintenance

Now you can perform CipherTrust Transparent Encryption maintenance tasks that require stopping secfs such as:

Stop CipherTrust Transparent Encryption
Upgrade CipherTrust Transparent Encryption
Uninstall CipherTrust Transparent Encryption
Create a new baseline database for LDT on the same LDT &{gp}

See CTE Agent for Linux Advanced Configuration for more information.

Note

Before creating a new baseline database for LDT: Ensure that your target LDT GuardPoint path does not have an ldt xattr value on it so that the directory can trigger the initial rekey at the start of guarding. If it does have an ldt xattr value from a previous setup, then use the command voradmin ldt xattr delete <LDT GuardPoint> to remove the old xattr value.

Re-Enable LDT GuardPoint with Pacemaker Setup

Re-enable the LDT GuardPoint from the Cluster Host Group in CipherTrust Manager. Wait until the GuardPoint is visible again and in the unguarded state before moving to the next step below.

Example

# secfsd -status guard

Response

GuardPoint          Policy                          Type    ConfigState  Status       Reason
----------          ------                          ----    -----------  ------       ------
/var/opt/mssql/LDT  LDT_clear_to_CS1_aes256_onhost  manual  unguarded    not guarded  Inactive

Add the resource mssql-ldtmgp back into the Pacemaker setting and verify that it has started:

Example

sudo pcs resource create mssql-ldtmgp ocf:heartbeat:mgp mgpdir=/var/opt/mssql/LDT --group Apache_Grp-fs

The LDT GuardPoint should now be automatically active again in Pacemaker.

# secfsd -status guard

Response

GuardPoint          Policy                          Type    ConfigState  Status   Reason
----------          ------                          ----    -----------  ------   ------
/var/opt/mssql/LDT  LDT_clear_to_CS1_aes256_onhost  manual  guarded      guarded  N/A

Start SQL server, type:
```
sudo systemctl start mssql-server
```

Add the LDT resource constraints and co-location back into the Pacemaker setting.

Example

A. Add failover resource constraints back:

sudo pcs constraint order start mssql_gpldt then start mssql-ldtmgp

sudo pcs constraint order stop mssql-ldtmgp then stop mssql_gpldt

B. If constraint co-location was used, add it back:

sudo pcs constraint co-location set mssql_fs mssql_gpfs mssql_gpldt sequential=false

Restart Pacemaker so that it can pick up the newly created resource configurations.

A. Stop SQL server, type:
```
sudo systemctl stop mssql-server
```
B. Reboot Pacemaker, type:
```
sudo systemctl restart pacemaker
```
C. Re-start SQL server, type:
```
sudo systemctl start mssql-server
```

Suggest A Change

Performing CTE maintenance with an LDT GuardPoint in a Pacemaker Setup

Unguard the LDT GuardPoint with Pacemaker setup

Perform CTE maintenance

Re-Enable LDT GuardPoint with Pacemaker Setup

On this page