Initialize and Guard the Teradata Database Devices Using the Backup/Restore Method

The Standard Initialization Method encrypts the Teradata database devices using In-place data transformation. Because Teradata Appliance models range in both storage and node sizes within a cluster, the time it takes to encrypt the existing data in-place on these large scale models may exceed the desired time frame.

To address this issue on an existing Teradata database, you can configure CTE on Teradata Appliances using the Backup and Restore method to retain existing data. The total time required to configure your Teradata Appliances with CTE using this method depends on how long your backup/restore application takes to restore the database.

To initialize and guard the devices using the selected initialization method, you must:

1. Backup the entire Teradata database, including all meta files, required for a full restore of that database.

2. Install and configure CTE on the Teradata database devices.

3. Work with Teradata Customer Support to initialize a sysinit on the Teradata Appliance cluster in preparation for a full database restore.

4. Perform a full restore of the Teradata database from the backup to the CTE protected devices. CTE automatically encrypts the data as it is restored to each protected device.

Prerequisites

Before starting this process, complete the following prerequisites:

• Make sure you have met the requirements described in Requirements and Considerations.

• Create or identify the XTS/CBC-CS1 AES 256 key that you will use for the In-Place Data Transformation policy that you will apply to the IDT-Capable GuardPoints.

• Create a Standard policy that will be used to guard the CTE Metadata Directory (/var/opt/teradata/vormetric/vte-metadata-dir).

• Create an In-Place Data Transformation policy that will be used to guard the Teradata Database Devices. This policy must use an XTS/CBC-CS1 AES 256 key.

• Identify all of the devices that need to be guarded as described in Identify the Devices to Be Guarded.

Procedure

1. Using a Teradata certified backup application, backup your entire Teradata database. The backup needs to include the Data Dictionary, the user database, and everything else that is required for a successful restore of your database. Contact your Teradata Customer Support representative for the requirements for a full backup.

2. After confirming that your backup of the Teradata database completed successfully, shutdown the Teradata database, type:

   tpareset -x -f "shutting down for CTE installation"
   

3. Install CTE in /opt/teradata/vormetric on all nodes in the Teradata cluster and register them to a CipherTrust Manager server as described in Install CTE on the Teradata Database Appliance.

   ./vee-fs-7.3.0-135-sles12-x86_64.bin -d /opt/teradata/vormetric
   

4. Create the CTE metadata directory (/var/opt/teradata/vormetric/vte-metadata-dir) on all nodes in the cluster.

   . pcl -shell "mkdir -p /var/opt/teradata/vormetric/vte-metadata-dir"
   

5. If you are using the Teradata Intelibase model, complete the following step. If you are using the Teradata Inteliflex model, proceed to Step 6.

   1. Log on to the CipherTrust Manager, click the Hosts/Clients tab, and set the GuardPoint to the CTE Metadata Directory (/var/opt/teradata/vormetric/vte-metadata-dir) using the Standard policy that was created for the metadata directory on all the nodes in the Teradata cluster.

   2. On each node, identify the list of disks that will be configured and guarded as "new" devices as described in Identify the Devices to Be Guarded.

   3. On each node, configure each disk to be guarded as a new IDT-Capable device using the voradmin idt config external new command.

      voradmin idt config -external new \
      /dev/disk/by-id/tdmp-360080e500043092c0000b46f5c34c018-part3
      

      Note

      Make sure that you configure each device using the new option. This option tells CTE to guard the device without transforming the data.

   4. Log on the CipherTrust Manager, click the Hosts/Clients tab, and select one of the host in the clique to set the GuardPoints for all the devices that have been initialized as new IDT-Capable devices using the In-Place Data Transformation policy that you created.

      Repeat this step for all other hosts until all initialized devices have been guarded with an In-Place Data Transformation policy.

6. If you are using the Teradata Inteliflex model, complete the following step. Otherwise, proceed to Step 7.

   1. Designate one of the nodes in a clique as the node on which you will perform the first-time initialization and guarding procedures for each device. For example, if you have a 4 clique cluster, you must designate a total of 4 nodes, one from each clique.

   2. Log on to the CipherTrust Manager, click the Host/Client Groups tab, and create a host group for each clique. For example, if your Inteliflex cluster has 4 cliques, you would create 4 host groups, one for each clique. For example, cluster-clique-1, cluster-clique-2, cluster-clique-3, and cluster-clique-4.

   3. On the Host/Client Groups tab, click the name of one of the client groups you just created. Click on the Members tab and add the designated node from the clique as a member of this client group.

      Repeat this step until all designated nodes have been added to the client group that matches their clique. In the previous example, you would have one designated node in each of the 4 client groups that you created.

   4. On the Host/Client Groups tab, click the name of one of the host groups that you just created. Click on the GuardPoints tab and add a GuardPoint for the CTE Metadata Directory (/var/opt/teradata/vormetric/vte-metadata-dir) using the Standard policy that was created for the metadata directory on all the nodes in the Teradata cluster.

      Repeat this step for each Host/Client Group you created for your cliques. In the previous example, you would add the metadata directory GuardPoint in each of the 4 host groups that you created.

   5. On the designated node for each clique, identify the list of disks that will be configured and guarded as a “new” IDT device as described in Identify the Devices to Be Guarded.

   6. Configure each disk device on the designated node to be guarded as a new IDT-Capable device, type:

      voradmin idt config -external new \ 
       /dev/disk/by-id/tdmp-360080e500043092c0000b46f5c34c018-part3
      

      Note

      Make sure that you configure each device using the new option. This option tells CTE to guard the device without transforming the data.

   7. For each of the other designated nodes you identified, identify the list of devices to be guarded and configure them using the voradmin idt config external new command.

   8. Repeat this configuration process until all devices on all designated nodes that you want to guard have been configured as new IDT-Capable devices.

   9. On the Host/Client Groups tab, click the name of one of the clientgroups you just created. Click on the GuardPoints tab and add a GuardPoint for each device that you initialized as a new IDT-Capable device using an In-Place Data Transformation policy.

   10. Repeat this step on each one of the host groups you created.

       The guarded devices will immediately be set as guarded on the designated node through the client group. However, as part of Teradata cluster support, each guarded device will have its metadata file replicated across all nodes in a clique as described in Replication of IDT Metadata Files Across Members of a Clique. You must wait for metadata replication to complete for each clique in a cluster before continuing to the next step. This process takes approximately 1 second per disk that was guarded. So if you guarded 10 disks, you need to wait approximately 10 seconds. Verify that the number of metadata files on each clique matches with the designated node using the following command:

       pcl -shell "ls /var/opt/teradata/vormetric/vte-metadata-dir | wc -l"
       

       The number of metadata files on each node in the clique should also match the number of devices in that clique. For example, if you have a clique with 10 devices in it, then the results of the above pcl command should show 10 metadata files on each node in the clique.

   11. After metadata replication is completed on all cliques, log on the Key Manager and click the Hosts/Client Group tab, then click the name of one of the client groups you just created. Click the Members tab and add the rest of the nodes that belong to that clique to the Host Group. After all the nodes have been added, the Key Manager automatically pushes the existing GuardPoints out to the newly added members.

   12. Repeat this step for each one of the Host Groups that you created for your cliques.

7. Verify that all of the nodes in a clique show that all of the devices as guarded.

   pcl -shell "secfsd -status guard"
   

8. Work with Teradata Customer Support to perform a sysinit of the Teradata appliances in preparation for the full database restore.

9. Restore your Teradata database from backup.