Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

CTE Use Cases

Using CTE with an Exasol Database

search

Please Note:

printsuggest an editpdf paneldownload

Using CTE with an Exasol Database

This document describes how to integrate CTE with an Exasol database.

copy link to clipboardTest Environment

  • CTE Agent: 7.2.0.128

  • CipherTrust Manager: 2.8.0

  • OS: RHEL/CentOS 7.9

  • Exasol DB: 7.1.12

  • File System: LVM (raw device)

copy link to clipboardSteps

To integrate CTE with an Exasol database:

  1. Install and Register the CTE Agent

  2. Configure the Client Settings

  3. Back up the Exasol Database

  4. Delete the Exasol Database

  5. Create a GuardPoint

  6. Update the Secvm Device

  7. Restore the Exasol Database

  8. Validations

copy link to clipboardInstall and Register the CTE Agent

  1. Install the CTE Agent on the client machine where the Exasol database is configured.

  2. Register the CTE Agent with the CipherTrust Manager.

Refer to CTE - Agent Quick Start Guide for details.

copy link to clipboardConfigure the Client Settings

  1. Log on to the CipherTrust Manager.

  2. Open the Transparent Encryption application.

  3. Go to Clients > Client and select the Client. This is the client machine where the Exasol database is configured.

  4. Click Client Settings.

  5. In the Settings field, add the hddident and cos_storage processes as authenticators.

    |authenticator|/7.1.12/image/usr/opt/EXASuite-7/EXAClusterOS-7.1.12/sbin/hddident
|authenticator|/7.1.12/image/usr/opt/EXASuite-7/EXAClusterOS-7.1.12/libexec/cos_storage

  6. Click Apply.

copy link to clipboardBack up the Exasol Database

Now, on the CTE client (like PuTTY or MobaXterm), back up the Exasol database. To do so:

  1. Log on to an SSH client.

  2. Run the following commands:

    cd ExasolSetup/
ssh -i id_rsa -p 2233 localhost
dwad_client storage-backup PROD_A
dwad_client pdd-proc PROD_A
dwad_client stop-wait PROD_A

copy link to clipboardDelete the Exasol Database

After backing up, delete the Exasol database that includes the EXAStorage volumes and disks, and then stop the Exasol service. On an SSH client, run the following commands:

dwad_client stop-wait PROD_A i.e, dwad_client stop <DB_NAME>
dwad_client del PROD_A
csinfo -v
csvol -d -v 0
csinfo -H
cshdd -r -h /dev/exa1/lvol0 -n 11
logout
systemctl stop exasol

copy link to clipboardCreate a GuardPoint

Create the required GuardPoint on the CTE client from the CipherTrust Manager GUI. While creating the GuardPoint:

  • Select the Type of the device as Auto Raw or Block Device.

  • Enter the Path of the logical volume, for example, /dev/exa1/lvol0.

  • Select the Policy Type as Standard.

  • Create a User Set named root and grant it the permission to perform all Actions and Effects.

Refer to Creating GuardPointsfor details.

copy link to clipboardUpdate the Secvm Device

On the SSH client:

  1. Run the following command:

    secfsd -status devmap

    The output similar to the following is displayed:

    Secvm Device                Native Device
------------                -------------

/dev/secvm/dev/exa1/lvol0   /dev/exa1/lvol0

    In the above sample output, /dev/secvm/dev/exa1/lvol0 is the Secvm device.

  2. Copy the Secvm device.

  3. Delete the metadata from the /7.1.12/exa/metadata folder.

    cd /7.1.12/exa/metadata/
rm -rf *

    Note

    It is recommended to delete the metadata before updating the Secvm device.

  4. Update the Secvm device in the EXAConf file.

    1. Navigate to /7.1.12/exa/etc/.

    2. Open the EXAConf file in a text editor.

    3. Search for Disk, and update the Devices entry with the copied Secvm device.

      [Node : 11]
    PrivateNet = 10.164.13.247/24
    PublicNet =
    Name = n11
    Affinity = 11
    UUID= 159D338FDBOBA36BACF2CC104224C683D33726E8
    DockerVolume = n11
    ExposedPorts = 8563:8574, 2580:2591
    [[Disk disk1]]
        Devices = /dev/secvm/dev/exa1/lvole

    4. Search for Checksum and set the value of Checksum as COMMIT.

    5. Save the changes and close the file.

  5. Start the Exasol service by running systemctl start exasol.

  6. Verify the status of the Exasol service by running systemctl status exasol. The status must be active (running).

copy link to clipboardRestore the Exasol Database

On the CTE client, restore the Exasol database by running the following commands:

dwad_client pdd-restore PROD_A
dwad_client storage-restore PROD_A
dwad_client pdd-proc PROD_A

copy link to clipboardValidations

  1. Start a new session on the SSH client.

  2. Encrypt the data on the initial device by running strings /dev/exa1/lvol0|more.

    f~N#
pU_t
H9rg,1
UcEa
\>,u
B ~ A
9DQ&
YsE#
kel4X
=:69m
hdHA
k\$<
|HUI|
rpt7
‘YI&?
* 8!
g#,—Bzw
_w_0aV
y7zk
B#+9
--More--

  3. Encrypt the data on the guarded device by running strings /dev/secvm/dev/exa1/lvol0|more for the following:

    • Policy with all_ops action, and Permit and ApplyKey effects.

      ID              =159D338FDBOBA36BACF2CC104224C683D33726E8
NAME            =/dev/secvm/dev/exa1/lvolo
STORAGE         =CSR_4096_7855104_2
FORMATED        =YES
CHECKSUM        =bcc800bd0f72aee46daf4f8cdf8fef4e

persistent (256K)

    • Policy with all_ops action and Permit effect.

      cL]b
uzx=3
-B=IQ_
1vaT#
_"a%
YkFL
3So@
g@Cp
!HtIZ}I
RA3N2V
xC~oP(
f~N#
pU_t
H9rg,1
UcEa
\>,u
B ~ A
9DQ&
YsE#
kel4X
=:69m
hdHA
k\$<
|HUI|
rpt7
‘YI&?
* 8!
g#,—Bzw
_w_0aV
y7zk
B#+9
--More--

    • Policy with all_ops action and Deny effect.

      [root@123]# strings /dev/secvm/dev/exa1/1v010[more
strings: /dev/secvm/dev/exa1/1v010: Permission denied
[r00t@123]# I

    Refer to Security Rules for more information on actions and effects.

  4. Encrypt the data on the original hard disk (excluding the disk headers) by running strings /dev/sdc|more.

    creation_time = 1661854578
creation_host = "NOIENC1PFL-IR22" segment_count = 1
segment1 {
start_extent = 0
extent_count = 7680
type="striped"
stripe_count = 1
stripes "pv0", 0
[
# Generated by LVM2 version 2.02.187(2)-RHEL9 (2020-03-24): Tue Aug 30 15:46:18 2022
contents = "Text Format Volume Group"
version = 1
description=""
creation_host = "NOIENC1PFL-IR22"
creation_time = 1661854578
CLJb
uzx=3
-B=10
1wRvT#
^a%
YkFL
3So@
g@cp
;NzH <01
((6k
@x/1g
BaP>'>
tn/q
d)W2
ar1;

Note

  • LDT is not tested as LDT does not support raw devices.

  • Initial data transformation is not required as the data is deleted during the Exasol installation.

On this page