Please Note:

Integrating CTE with an Exasol Database

This document describes how to integrate CTE with an Exasol database.

Test Environment

CTE Agent: 7.2.0.128
CipherTrust Manager: 2.8.0
OS: RHEL/CentOS 7.9
Exasol DB: 7.1.12
File System: LVM (raw device)

Steps

To integrate CTE with an Exasol database:

Install and Register the CTE Agent
Configure the Client Settings
Back up the Exasol Database
Delete the Exasol Database
Create a GuardPoint
Update the Secvm Device
Restore the Exasol Database
Validations

Install and Register the CTE Agent

Install the CTE Agent on the client machine where the Exasol database is configured.
Register the CTE Agent with the CipherTrust Manager.

Refer to CTE - Agent Quick Start Guide for details.

Configure the Client Settings

Log on to the CipherTrust Manager.
Open the Transparent Encryption application.
Go to Clients > Client and select the Client. This is the client machine where the Exasol database is configured.
Click Client Settings.

In the Settings field, add the hddident and cos_storage processes as authenticators.

|authenticator|/7.1.12/image/usr/opt/EXASuite-7/EXAClusterOS-7.1.12/sbin/hddident
|authenticator|/7.1.12/image/usr/opt/EXASuite-7/EXAClusterOS-7.1.12/libexec/cos_storage

Click Apply.

Back up the Exasol Database

Now, on the CTE client (like PuTTY or MobaXterm), back up the Exasol database. To do so:

Log on to an SSH client.

Run the following commands:

cd ExasolSetup/        
ssh -i id_rsa -p 2233 localhost
dwad_client storage-backup PROD_A
dwad_client pdd-proc PROD_A
dwad_client stop-wait PROD_A

Delete the Exasol Database

After backing up, delete the Exasol database that includes the EXAStorage volumes and disks, and then stop the Exasol service. On an SSH client, run the following commands:

dwad_client stop-wait PROD_A i.e, dwad_client stop <DB_NAME>
dwad_client del PROD_A
csinfo -v
csvol -d -v 0
csinfo -H
cshdd -r -h /dev/exa1/lvol0 -n 11
logout
systemctl stop exasol

Create a GuardPoint

Create the required GuardPoint on the CTE client from the CipherTrust Manager GUI. While creating the GuardPoint:

Select the Type of the device as Auto Raw or Block Device.
Enter the Path of the logical volume, for example, /dev/exa1/lvol0.
Select the Policy Type as Standard.
Create a User Set named root and grant it the permission to perform all Actions and Effects.

Refer to Creating GuardPointsfor details.

Update the Secvm Device

On the SSH client:

Run the following command:

secfsd -status devmap

The output similar to the following is displayed:

Secvm Device                Native Device
------------                -------------

/dev/secvm/dev/exa1/lvol0   /dev/exa1/lvol0

In the above sample output, /dev/secvm/dev/exa1/lvol0 is the Secvm device.

Copy the Secvm device.
Delete the metadata from the /7.1.12/exa/metadata folder.
```
cd /7.1.12/exa/metadata/
rm -rf *
```
Note

It is recommended to delete the metadata before updating the Secvm device.

Update the Secvm device in the EXAConf file.

Navigate to /7.1.12/exa/etc/.
Open the EXAConf file in a text editor.

Search for Disk, and update the Devices entry with the copied Secvm device.

[Node : 11]
    PrivateNet = 10.164.13.247/24
    PublicNet = 
    Name = n11
    Affinity = 11
    UUID= 159D338FDBOBA36BACF2CC104224C683D33726E8
    DockerVolume = n11
    ExposedPorts = 8563:8574, 2580:2591
    [[Disk disk1]]
        Devices = /dev/secvm/dev/exa1/lvole

Search for Checksum and set the value of Checksum as COMMIT.
Save the changes and close the file.

Start the Exasol service by running systemctl start exasol.
Verify the status of the Exasol service by running systemctl status exasol. The status must be active (running).

Restore the Exasol Database

On the CTE client, restore the Exasol database by running the following commands:

dwad_client pdd-restore PROD_A
dwad_client storage-restore PROD_A
dwad_client pdd-proc PROD_A

Validations

Start a new session on the SSH client.

Encrypt the data on the initial device by running strings /dev/exa1/lvol0|more.

f~N#
pU_t
H9rg,1
UcEa
\>,u
B ~ A
9DQ&
YsE#
kel4X
=:69m
hdHA
k\$<
|HUI|
rpt7
‘YI&?
* 8!
g#,—Bzw
_w_0aV
y7zk
B#+9
--More--

Encrypt the data on the guarded device by running strings /dev/secvm/dev/exa1/lvol0|more for the following:

Policy with all_ops action, and Permit and ApplyKey effects.

ID              =159D338FDBOBA36BACF2CC104224C683D33726E8
NAME            =/dev/secvm/dev/exa1/lvolo
STORAGE         =CSR_4096_7855104_2
FORMATED        =YES
CHECKSUM        =bcc800bd0f72aee46daf4f8cdf8fef4e

persistent (256K)

Policy with all_ops action and Permit effect.

cL]b
uzx=3
-B=IQ_
1vaT#
_"a%
YkFL
3So@
g@Cp
!HtIZ}I
RA3N2V
xC~oP(
f~N#
pU_t
H9rg,1
UcEa
\>,u
B ~ A
9DQ&
YsE#
kel4X
=:69m
hdHA
k\$<
|HUI|
rpt7
‘YI&?
* 8!
g#,—Bzw
_w_0aV
y7zk
B#+9
--More--

Policy with all_ops action and Deny effect.

[root@NOIENC1PFL-IR22 ~]# strings /dev/secvm/dev/exa1/1v010[more
strings: /dev/secvm/dev/exa1/1v010: Permission denied
[r00t@NOIENC1PFL-IR22 ~]# I

Refer to Security Rules for more information on actions and effects.

Encrypt the data on the original hard disk (excluding the disk headers) by running strings /dev/sdc|more.

creation_time = 1661854578 
creation_host = "NOIENC1PFL-IR22" segment_count = 1
segment1 {
start_extent = 0
extent_count = 7680
type="striped"
stripe_count = 1
stripes "pv0", 0
[
# Generated by LVM2 version 2.02.187(2)-RHEL7 (2020-03-24): Tue Aug 30 15:46:18 2022
contents = "Text Format Volume Group"
version = 1
description=""
creation_host = "NOIENC1PFL-IR22"
creation_time = 1661854578
CLJb
uzx=3
-B=10
1wRvT#
^a%
YkFL
3So@
g@cp
;NzH <01
((6k
@x/1g
BaP>'>
tn/q
d)W2
ar1;

Note

LDT is not tested as LDT does not support raw devices.
Initial data transformation is not required as the data is deleted during the Exasol installation.

Suggest A Change

Integrating CTE with an Exasol Database

Test Environment

Steps

Install and Register the CTE Agent

Configure the Client Settings

Back up the Exasol Database

Delete the Exasol Database

Create a GuardPoint

Update the Secvm Device

Restore the Exasol Database

Validations

On this page