Your suggested change has been received. Thank you.

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

Getting Started
Administration
Reference
Release Notes

All

All

Administration

Application Data Protection Administration

Please Note:

Administration
CipherTrust Manager Administration
- Password Policy
- Users
- Key Policies
- Certificate Based Authentication
- Changing Passwords
- Domain Management
- Groups
- LDAP Group Mapping
- Services
- Root of Trust Hardware Security Module
- Clusters and Nodes
- CipherTrust Manager System Monitoring
  - Records
  - Alarms
  - Syslogs
  - Debug Logs
  - Log Forwarding
  - Prometheus Metrics Endpoint
- Policies
- Tokens
- Banners
- Interfaces
- Proxy Configuration
- Quorums
- SNMP
- SMTP
- Backups
- Scheduling Backups
- Disk Encryption After Initial Deployment
- Scheduler
- Connection Manager
  - Connections
  - Amazon Web Services (AWS)
  - Google Cloud Platform (GCP)
  - Secure Copy Protocol (SCP)
  - Microsoft Azure
  - Hadoop Knox
  - Loki
  - Salesforce
  - Luna Network HSM
  - Elasticsearch
  - SAP Data Custodian
  - CIFS/SMB
  - Syslog
  - Oracle Cloud Infrastructure (OCI)
  - DSM Connection
  - OIDC
  - LDAP
- Browsing LDAP Users and Groups
- System Upgrade/Downgrade
- Client Management
- Configuring DNS Hosts
- CLI Toolkit
  - CLI Toolkit Installation
  - Batching Commands with Tokens
  - Example CLI User Set Up
  - Support CLI
- Keys
- Key Rotation
- Crypto Operations
- MKEK Rotation
- Certificate Authority
- Data Protection
  - Protection Profiles
  - BDT Policies
  - BDT Containers
- REST API
- System Properties
- Integrating Logging with Splunk App
- Return Material Authorization (RMA) Guidance
Application Data Protection Administration
- Overview
- Interfaces
- Managing Applications
  - Defining Applications
  - Modifying Applications
  - Deleting Applications
  - Viewing Application Details
  - Viewing Registration Token
  - DPG Policies
- Managing Character Sets
  - Creating Character Sets
  - Modifying Character Sets
  - Deleting Character Sets
- Managing Protection Policy
  - Viewing protection policy
  - Creating protection policy
  - Modifying protection policy
  - Deleting protection policy
- Managing Access Policy
  - Viewing access policy
  - Creating access policy
  - Modifying access policy
  - Deleting access policy
- Managing User Set
  - Viewing user set
  - Creating user set
  - Deleting user set
- Managing Masking Formats
  - Viewing masking format
  - Creating masking formats
  - Modifying masking format
  - Deleting masking format
- Single Pane of Glass
- Heartbeat Configuration
- Frequently Asked Questions
CCKM Administration
- Overview
- Interfaces
- AWS Resources
  - Managing AWS Accounts
  - Managing AWS Keys
  - Scheduling Operations
  - Managing AWS Reports
  - Managing Policies
- Azure Resources
  - Prerequisites
    - Prerequisites for Azure Cloud
    - Prerequisites for Azure Stack Cloud with Azure AD
    - Prerequisites for Azure Stack Cloud with Azure ADFS
  - Managing Azure Vaults
  - Managing Azure Keys
  - Managing Azure Certificates
  - Managing Azure Secrets
  - Scheduling Operations
  - Managing Azure Reports
  - Viewing Azure Subscriptions
  - Performance Summary
- AWS External Key Store Resources
  - Managing External Key Store Resources
  - AWS XKS Performance Summary
- AWS CloudHSM Key Store Resources
  - Managing an AWS CloudHSM Key Store from CCKM
- Luna HSM Resources
  - Managing Luna HSM Partitions
  - Managing Luna HSM Keys
  - Scheduling Operations
- DSM Resources
  - Managing DSM Domains
  - Managing DSM Keys
  - Scheduling Operations
- Google Cloud Resources
  - Google Cloud Projects
  - Google Cloud Key Rings
  - Google Cloud Keys
  - Google Cloud Reports
  - Scheduling Operations
  - Performance Summary
- Google Cloud External Key Manager Resources
  - Managing Google EKM Endpoints
  - Managing Google EKM Endpoint Policies
  - Google EKM Performance Summary
- Google Workspace CSE Resources
  - Access Policies
  - High Level Architecture
  - Licensing
  - Prerequisites
  - Communication with KACLS
  - Clustering for Google Workspace
  - Encrypting Data Encryption Keys
  - Decrypting Data Encryption Keys
  - Endpoints
  - Identity Providers
  - Viewing Google Workspace CSE Records
  - Performance Summary
    - Google Calendar
    - Google Drive
    - Google Meet
- Salesforce Resources
  - Managing Salesforce Organizations
  - Managing Salesforce Tenant Secrets
  - Scheduling Operations
  - Managing Salesforce Reports
  - Managing Salesforce Cache-Only Key Endpoints
  - Managing Certificates from Salesforce Organizations
- SAP Resources
  - Managing SAP Groups
  - Managing SAP Keys
  - Scheduling Operations
  - Managing SAP Reports
  - Viewing Linked SAP Applications
  - Performance Summary
- Oracle Cloud Resources
  - Managing Oracle Vaults
  - Managing Oracle Keys
  - Scheduling Operations
  - Managing Oracle Reports
  - Managing Oracle Compartments
- Migrate from CCKM Appliance
  - Migrate Cloud Keys Only
  - Migrate DSM Source Keys
- Migrate from CCKM Appliance with CipherTrust Manager as Key Source
- Migration from CCKM Appliance to Child Domain
- Backup and Restore
- Key Material Export and Upload
CDP Administration
- Interfaces
- Concepts
- Configuring Oracle Databases
- Configuring DB2 Databases
- Configuring SQL Server Databases
- Configuring Teradata Databases
- Tasks
  - View Job History
  - Delete Views and Triggers
  - Create Views and Trigger
  - Delete Old Data
  - Create Domain Index
  - Encrypt a Column
  - Decrypt a Column
  - Configure Migration Server
- SSL Connection Over JDBC
  - SSL Connection Over JDBC for Oracle
  - SSL Connection Over JDBC for DB2
- Troubleshooting
CipherTrust Intelligent Protection
- Overview
- Configuration
- Concepts
- Scans
- Reports
- CTE Policies
- File Operations with CIP
- Backup and Restore
- Troubleshooting
CTE UserSpace Administration
- Overview
- Interfaces
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Collecting Agent Information
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
- Managing GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
- Sharing Resources Across Domains
- Communication with CipherTrust Manager
- Configuring Cluster Node Preference
- Backup and Restore
- Integrating CTE Logging with Splunk
- Permissions
- Quorum Control
- Operations
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- API Examples
  - Creating Keys
  - Creating Policy Elements
  - Creating Policies
  - Creating GuardPoints
- API Response Codes
CTE Administration
- Overview
- Interfaces
- Concepts
- Data Transformation
- Managing Profiles
- Managing Clients
  - Enabling Live Data Transformation
  - Setting Client Locks
  - Client Settings
  - CTE Linux Authentication and Client Settings
  - Changing Client Password
  - Managing Membership
  - Deleting Clients
  - Kernel Compatibility Matrix
  - Collecting Agent Information
- Managing LDT Communication Groups
- Managing Client Groups
- Managing Signature Sets
- Managing Policies
  - Creating Policy Elements
  - Viewing Policy Elements
  - Creating Policies
  - Modifying Policies and Rules
- Managing GuardPoints
  - Secure Start GuardPoints
  - Considerations Before Creating GuardPoints
  - Creating GuardPoints
    - Creating Standard GuardPoints
    - Creating LDT GuardPoints
    - Creating Cloud Object Storage GuardPoints
    - Creating IDT GuardPoints
    - Creating GuardPoints for Efficient Storage Devices
  - Enabling Secure Start for GuardPoints
  - Protecting Teradata Appliances
  - Automatic and Manual GuardPoints
  - Viewing GuardPoints
  - Viewing GuardPoint Status
  - Changing SMB Connection
  - Removing GuardPoints
  - Disabling GuardPoints
  - Enabling GuardPoints
  - Enabling and Disabling MFA on GuardPoints
- Managing Kubernetes Storage Groups and Clients
  - Managing Kubernetes Storage Groups
  - Managing Kubernetes Clients
  - Protecting Kubernetes Clients
- Sharing Resources Across Domains
- Multifactor Authentication
- Communication with CipherTrust Manager
- Configuring Cluster Node Preference
- Backup and Restore
- Integrating CTE Logging with Splunk
- Migrating CTE Configuration from Data Security Manager
- Migration Summary
- Permissions
- Quorum Control
- Operations
- Common Scenarios
- Reports
  - Clients Health Report
  - Clients Keys Report
  - Clients Profiles Report
  - Clients Policies Report
  - Policies Keys Report
  - GuardPoints Report
  - Clients GuardPoint Status Report
- Troubleshooting
- API Examples
  - Creating Keys
  - Creating Policy Elements
  - Creating Policies
  - LDT Use Cases
  - Creating GuardPoints
- API Response Codes
DDC Administration
- Solution Architecture
- Interfaces
- Concepts
- User Groups
- Managing Branch Locations
- Managing Information Types
- Managing Classification Profiles
- Managing Data Stores
- Local Data Stores
- Network Storage Data Stores
- Database Data Stores
- Big Data Data Stores
- Cloud Data Stores
- Server Data Stores
- Office365: Exchange Online
- Managing Scans
- Managing Reports
- Managing Agents
- Logging
- Operations
- Troubleshooting
- Appendix
- Deployment Security
ProtectFile Administration
- Interfaces
- Client Profiles
- Clients
- Access
- Keys
- Rules
- Client-Rule Associations
- Network Shares
- Clusters
- Operations
- Migration from KeySecure Classic to CipherTrust Manager
- Migrating ProtectFile to CipherTrust Transparent Encryption

CipherTrust Manager
Administration
Application Data Protection Administration

Application Data Protection Administration

The Application Data Protection tile in CipherTrust Manager Products list provides centralized configuration and policy management as well as a unified display for all the application configurations with their associated data protection connector on the CipherTrust Manager. Currently, the Application Data Protection tile provides central management only for CipherTrust Data Protection Gateway (DPG).

The Application Data Protection tile consists of:

Central management: a single place to configure data protection for applications and databases.
Single pane of glass: a dashboard that quickly shows the current status of all the applications or databases under protection. It also displays the status of each connector in use.

Central Management

Application Data Protection tile in CipherTrust Manager Products stores the configurations and policies for all the applications and databases under protection. These configurations and policies are created and managed by the Application Data Protection Administrator. They are shared with the associated clients when a new connector is registered or a running connector is notified of change through the heartbeat mechanism. To use centralized management, the connectors must be registered on CipherTrust Manager.

Let's consider a scenario where the user's environment has 10 instances of application protected by CipherTrust Data Protection Gateway (DPG). Now, the admin wants to update the symmetric cache expiry interval for all these nodes. In the past, the admin would have to manually change every configuration file, which is a tedious task, but with central management in picture, the symmetric cache expiry interval is updated in the configuration and, upon save, is updated in all running instances of the connector mapped to that configuration. Central management minimizes manual intervention.

The main objectives of central management are:

Defining application or database to be protected
Generating a registration token
Registering connector on the CipherTrust Manager using the registration token
Retrieving configurations and policies for the the connector the from CipherTrust Manager and using them for any cryptographic operations
Updating configuration and policies as needed

How it works

The following diagram shows the basic flow of Application Data Protection solution:

Application Data Protection Workflow

The Application Data Protection Administrator defines an application and how to protect data associated to that application.
The Administrator receives a registration token when configuration is done.
The Application Data Protection Administrator gives the registration token to the DevOps team to insert it into their orchestrator configuration for application deployment.
The orchestrator deploys application with its associated connector (in this case, DPG). The connector uses the registration token to register with CipherTrust Manager.
The connector fetches the configuration and policies associated to the application.

Single pane of glass

The Application Data Protection tile in CipherTrust Manager Products provides a unified view for all the applications that are defined on the CipherTrust Manager. With all the associated connectors (protecting applications) at one place, it becomes easy for the Application Data Protection Administrator to manage and keep track of them. To know more about this topic, refer to Single Pane of Glass.

User Roles

The Application Data Protection tile has the following users/groups with different responsibilities in administering and using the system.

Application Data Protection Admins

There is a group named Application Data Protection Admins. Users within this group are Application Data Protection Administrators.

The Application Data Protection Administrator is responsible for creating and managing the following resources:

Defining application which includes:
- configuring connector settings
- configuring protection policy
- creating user sets
- configuring access policies
- creating character set

Application Data Protection clients

There is a group named Application Data Protection Connectors. Users who are part of this group only have read access to the Application Data Protection pages.

What's Next

In the following sections, you will learn about:

Interfaces: Provides an overview of the CipherTrust Manager interfaces - REST Application Programming Interface (REST API) and Graphical User Interface (GUI).
Managing Applications: Describes what Application is and how to create, modify, and delete an Application on the CipherTrust Manager. This section also describes about DPG Policy and how to retrieve Registration token.
Managing Character Sets: Describes how to create, modify, and delete character sets.
Managing Protection Polices: Describes what protection policy is and how to create, modify, and delete these policies.
Managing Access Polices: Describes what access policy is and how to create, modify, and delete these policies.
Managing User Set: Describes how to create and delete user set.
Managing Masking Formats: Describes how to use the predefined maksing formats and how to create your own masking format.
Single Pane of Glass: How to manage all the application and its associated connectors on the CipherTrust Manager.
Heartbeat Configuration: Describes the concept of heartbeat.

On this page

CipherTrust Manager

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
Legal

© Copyright 2019-2024, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com