
CipherTrust Manager Professional Certification Course

HANDS-ON: CIPHERTRUST DATABASE PROTECTION


(CDP)

CPL Technical Training


Revision History

Revision Date Reason

B 9 February 2023 Initial release

Trademarks, Copyrights, and Third-Party Software


Copyright © 2023 Thales Group. All rights reserved. Thales and the Thales logo are trademarks and
service marks of Thales and/or its subsidiaries and affiliates and are registered in certain countries. All
other trademarks and service marks, whether registered or not in specific countries, are the properties
of their respective owners.
CPL Technical Training Documentation
The information contained in this document is intended solely for your personal reference and for
learning purposes and is provided AS IS and with no warranties. Such information is subject to
change without notice, its accuracy is not guaranteed, and it may not contain all material/information
concerning Thales (the ‘Company’). The Company makes no representation regarding, and assumes
no responsibility or liability for, the accuracy or completeness of, or any errors or omissions in, any
information contained herein. The Company may update or supplement the information at any time.
In addition, the information contains projections and forward-looking statements that may reflect the
Company’s current views with respect to future events. These views are based on current
assumptions which are subject to various risks and which may change over time.
Disclaimer
All information herein is either public information or is the property of and owned solely by Thales DIS
France S.A. and/or its subsidiaries or affiliates who shall have and keep the sole right to file patent
applications or any other kind of intellectual property protection in connection with such information.
Nothing herein shall be construed as implying or granting to you any rights, by license, grant or
otherwise, under any intellectual and/or industrial property rights of or concerning any of Thales DIS
France S.A. and any of its subsidiaries and affiliates (collectively referred to herein after as “Thales”)
information.
This document to be solely used for informational, non-commercial, internal and personal use only
provided that: (a) The copyright notice below, the confidentiality and proprietary legend and this full
warning notice appear in all copies; (b) document shall not be posted on any network computer or
broadcast in any media and no modification of any part of this document shall be made; and (c) is not
relied upon for any other reason other than use described above. Use for any other purpose is
expressly prohibited and may result in severe civil and criminal liabilities.
Thales hereby disclaims all warranties and conditions with regard to the information contained herein,
including all implied warranties of merchantability, fitness for a particular purpose, title and non-
infringement. In no event shall Thales be liable, whether in contract, tort or otherwise, for any indirect,
special or consequential damages or any damages whatsoever including but not limited to damages
resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with
the use or performance of information contained in this document.

CPL Technical Training Documentation


CipherTrust Manager Professional Certification Course - Hands-On: CipherTrust Database Protection (CDP) Rev. B 2
Copyright © 2023 Thales Group. All rights reserved.
Contents

Part 1: Overview .................................................................................................................... 4


Prerequisites ...................................................................................................................................................... 4
Duration .............................................................................................................................................................. 4
Objectives .......................................................................................................................................................... 4

Part 2: Configuring MSSQL Database ................................................................................... 5


Section 1: Creating a Test Database ................................................................................................................. 5
Section 2: Creating the Customer Table and Importing Data ............................................................................ 8

Part 3: Installing CipherTrust Database Protection (CDP) Client ......................................... 10


Section 1: Installing CipherTrust Database Protection Client .......................................................................... 10

Part 4: Configuring CipherTrust Manager ............................................................................ 12


Section 1: Adding the Database to CipherTrust Manager ............................................................................... 12
Section 2: Viewing Metadata Tables ................................................................................................................ 14
Section 3: Creating Local CipherTrust Manager Users ................................................................................... 15
Section 4: Creating CipherTrust Keys to Encrypt the Data .............................................................................. 16
Section 5: Mapping Users and Tables on CipherTrust Web UI ....................................................................... 17

Part 5: Using the pdbctl Utility.............................................................................................. 20


Section 1: Extracting and Running the pdbctl Utility ........................................................................................ 20
Section 2: Setting pdbctl Tool Environment Variables ..................................................................................... 21
Section 3: Viewing Command Lists ................................................................................................................. 22
Section 4: Connecting pdbctl to the Database ................................................................................................. 22
Section 5: Viewing the Data as an Unauthorized User .................................................................................... 24


Part 1: Overview

Prerequisites
For this exercise, you will need:
• Access to the training platform

Duration
This training course will take approximately 2.0 hours.

Objectives
In this exercise, you will:
• Install and configure CipherTrust Database Protection (CDP)
• Encrypt data in the database


Part 2: Configuring MSSQL Database

In this part, you will create a new MSSQL database and prepare the tables and users that will be used in the
encryption process.

Section 1: Creating a Test Database


1. Log in to Windows Server.
2. Open the MS SQL Management Console; the shortcut is on the Taskbar.
3. Click the Authentication drop-down list and select SQL Server Authentication.
4. Enter the following:

User sa

Password Thales123!

5. Create a new empty database.


6. Right-click Databases and select New Database.
7. Type the name demo and click OK.
8. Create a new empty database for holding the CipherTrust metadata.
9. Right-click Databases and select New Database.


10. Type the name demo_meta for the new database, and then click OK.
11. Right-click Security, select New Login, and then configure the following:

Login name demo

SQL Server Authentication Select this option

Password Thales123! Enter the password twice

Enforce Password policy Clear this check box

Enforce Password expiration Clear this check box

User Must change password at next login Clear this check box


12. On the left pane, select User Mapping:


Select the following:

User mapped to this login: demo_meta

Database Role Membership for: db_owner, public

And then select the following:

User mapped to this login: demo

Database Role Membership for: public

13. Click OK.


Section 2: Creating the Customer Table and Importing Data


1. Return to the SQL Server Management Studio console’s main page.
2. Expand the demo database node. Notice how no tables have been created.
3. Right-click on the Tables tab, and from the drop-down menu, select New > Table.

4. Enter the following columns, and then close the table:

[S.No] nvarchar(50)

Email nvarchar(50)

SSN nvarchar(50)

5. In the window that opens, type the table name: customer and click OK (the table is saved with the
name customer).
6. Right-click the customer table and select Edit top 200 Rows to add some test data to this table.


7. Enter test data as defined below.


This can be any data. (You will encrypt the SSN column).

8. Right-click your customer table under the demo database, and then select Select top 1000 rows – this
will allow you to see your data.
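The Part 2 steps above, scripted as T-SQL run through sqlcmd from PowerShell; this is an added example, not part of the Thales lab. It assumes sqlcmd.exe is on the PATH and that the default local instance is used; the two customer rows are constructed sample data.

```powershell
# Added example (not part of the Thales lab): Part 2 as a T-SQL script run
# through sqlcmd. Assumes sqlcmd.exe is on PATH and the default local instance.
$ErrorActionPreference = 'Stop'

$server     = 'localhost'    # default instance on the lab Windows Server
$saPassword = 'Thales123!'   # sa password from the lab

# Single-quoted here-string: nothing inside is interpolated by PowerShell.
# The two customer rows are constructed sample data ("This can be any data").
$setup = @'
-- Section 1, steps 5-10: the data database and the metadata database.
IF DB_ID('demo') IS NULL CREATE DATABASE demo;
IF DB_ID('demo_meta') IS NULL CREATE DATABASE demo_meta;
GO
-- Step 11: SQL login "demo" with password policy, expiration and
-- must-change all cleared (no MUST_CHANGE; both CHECK_* options OFF).
IF SUSER_ID('demo') IS NULL
    CREATE LOGIN demo WITH PASSWORD = 'Thales123!',
        CHECK_POLICY = OFF, CHECK_EXPIRATION = OFF;
GO
-- Step 12: map the login into demo_meta as db_owner ...
USE demo_meta;
IF DATABASE_PRINCIPAL_ID('demo') IS NULL CREATE USER demo FOR LOGIN demo;
ALTER ROLE db_owner ADD MEMBER demo;
GO
-- ... and into demo with only the implicit public role.
USE demo;
IF DATABASE_PRINCIPAL_ID('demo') IS NULL CREATE USER demo FOR LOGIN demo;
GO
-- Section 2: the customer table with the three nvarchar(50) columns.
IF OBJECT_ID('dbo.customer') IS NULL
    CREATE TABLE dbo.customer (
        [S.No] nvarchar(50),
        Email  nvarchar(50),
        SSN    nvarchar(50)
    );
INSERT INTO dbo.customer ([S.No], Email, SSN) VALUES
    ('1', 'alice@example.com', '111-22-3333'),
    ('2', 'bob@example.com',   '444-55-6666');
GO
-- Step 8 equivalent: show the rows before any column is encrypted.
SELECT TOP (1000) * FROM dbo.customer;
'@

$scriptFile = Join-Path $env:TEMP 'cdp_part2_setup.sql'
Set-Content -Path $scriptFile -Value $setup -Encoding ASCII

# -b makes sqlcmd exit non-zero on a T-SQL error, so a failed step is visible.
& sqlcmd.exe -S $server -U sa -P $saPassword -b -i $scriptFile
if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
```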


Part 3: Installing CipherTrust Database Protection (CDP) Client

In part three, you will install the CDP Client on the MSSQL Server.

Section 1: Installing CipherTrust Database Protection Client


1. On the Windows Server desktop, open the Training folder, and then open the CipherTrust Database
Protection Client folder.
2. Right-click the setup.exe file and then click Run As Administrator.
3. Click Next, accept the license terms and then click Next.
4. Select the Complete Install – Includes DB and Files check box, and then click Next.
5. Click Next again.
6. In the Instance ID window click Next, DO NOT CHANGE THE INSTANCE ID.
7. In the Database connection window enter the following:

Server host name or IP local (default)

Instance name MSSQLSERVER (default)

SQL Server Authentication Select this option

Database User Name sa

Database Password Thales123!

Confirm Database Password Thales123!


8. Click Next.
The Select Database window opens.

9. From the Database Name drop-down list, select demo_meta.


This is where the CDP metadata and stored procedures are installed.
Click Next.
The NAE Server Configuration window opens.
10. Specify the IP Address of NAE Server(s) by entering the following:

CipherTrust Appliance IP address 10.160.10.10

NAE Server Port 9000

Connection Protocol TCP/IP

11. Click Next.


The Provider Configuration window opens.

12. Leave all default values, and click Next.


13. Click Install to continue with the CDP installation, and then restart the SQL Server when prompted.
The CDP Client is now installed.


Part 4: Configuring CipherTrust Manager

In part four, you will learn how to configure the CipherTrust connection to the database using the CM Web
UI as well as the CLI Tool.

Section 1: Adding the Database to CipherTrust Manager


In this section, you will configure the CM Database Protection Manager. This involves adding a new
database to the system, creating a local user and key, and mapping the users and roles required for CDP
functionality.
1. Log in to the CipherTrust Web UI:

User admin

Password Thales123!

2. Click the CDP application tile.

3. On the left pane, select the Databases tab, and then in the right pane, click +Database > SQLServer.

4. On the Connection Information page enter the following:

Name (Alias) Enter any name

Host 10.160.10.5 (SQL Server’s IP address)

Connect with Port Number

Port Number/Instance Name 1433 Do not change this.

Database User Name sa

Database User Password Thales123!


MetaDatabase User Name demo

MetaDatabase User Password Thales123!

Database Name demo

Meta-Database Name demo_meta

Schema Name dbo


5. Click Save.
When the configuration is complete, the status changes to Success.

Section 2: Viewing Metadata Tables


In this section, you will learn how to view metadata tables in SQL Management Studio.
1. Return to the SQL Server Management Studio console.
2. Expand the demo_meta database node.
The new tables are created.


Section 3: Creating Local CipherTrust Manager Users


In order to manage the database, a local user must be created in CipherTrust Manager. Existing users can
be used, as long as permissions are granted to them as described in this section.
1. Log in to the CM Web UI.
2. On the left pane, select Access Management.
3. Click Users and then select Add user.
4. Enter the following:

User name db_user

Password dbThales123!

Ensure all other options are cleared and click Add.


5. Click on the user created above, and then click Groups.
6. Add the following groups:
• Key Admins
• Key Users
• ProtectDB Users


Section 4: Creating CipherTrust Keys to Encrypt the Data


1. On the left pane, click Keys.
2. Click Add Key.
3. Type db_key as the key name.
Don’t change the Algorithm.
4. Click Add Key.
5. In the Key Owner field select db_user.

6. Enable the Exportable option.

7. Expand the Access Key option.

8. Enable Show All Groups.

9. Under Group, add the ProtectDB Users group and select all the permission options.
10. Check the All box.

11. Click Update.


Section 5: Mapping Users and Tables on CipherTrust Web UI


1. Go back to your database connection located under the CDP tile application tab and click Manage
User Mapping on the CDP connection that was created in the step above.

2. Click Map User and enter the following:

Database User sa

Local User db_user

Local Password dbThales123!

Database User demo

Local User db_user

Local Password dbThales123!


3. Go back to the CDP tile, click the 3 dots on the right, and then select Manage Tables.

4. Click Add Table.


Your database tables are listed automatically in the drop-down; select the customer table.

5. Click Save.
The list of columns from the database appears.


6. Click SSN.

7. Select the following algorithm and keys to be used for encryption:

Encryption Type Standard

Algorithm AES-256

Key db_key

Leave all other settings as default.


8. Click Save.


Part 5: Using the pdbctl Utility

The pdbctl tool is an external utility that is used to encrypt the data in the database.
For additional information regarding the pdbctl tool, refer to the User Guide included in the tool package.

Section 1: Extracting and Running the pdbctl Utility


1. To use the pdbctl tool, JDK must be installed on the machine (JDK is installed on the lab server).
2. Log in to Windows Server and then open the Training folder on the desktop.
3. Open the pdbctl folder and copy the pdbctl.exe tool to the classes folder under:
C:\Users\administrator\Desktop\Training\pdbctl\classes
4. Set the parameters in the IngrianNAE.properties file for the pdbctl utility. The file location:
C:\Users\administrator\Desktop\Training\pdbctl\classes\IngrianNAE.properties
5. Edit the following:

NAE_IP CipherTrust IP address

NAE_Port CipherTrust Port Number


Section 2: Setting pdbctl Tool Environment Variables


In this section, you will set the Environment Variables to the pdbctl location.
1. On Windows Server, click Start and then Search.

2. Type env and select Edit the system environment variables.


The System Properties window opens.
3. Click Environment Variables.
4. Click New under User Variables for Administrator.
5. Enter the following:

Variable name PDB_MUTIL_PATH

Variable value C:\Users\Administrator\Desktop\Training\pdbctl

6. Click OK.
7. Click New under System Variables.
8. Enter the following:

Variable name PDB_MUTIL_PATH

Variable value C:\Users\Administrator\Desktop\Training\pdbctl

9. Click OK.


Section 3: Viewing Command Lists


Run the pdbctl command to view the available pdbctl utility commands.
Enter the following:
• cd Desktop\Training\pdbctl
• pdbctl.exe (used to inspect the available commands)

Section 4: Connecting pdbctl to the Database


1. Run the adddb command to initialize the database connection and provide the required parameters:
pdbctl adddb -a <demoalias> -u <database_user> -d <database_name> -p <database_password> -t <db_type> -i <DB IP Address (Windows Server IP address)> -m <meta_user_password> -o <port> -b <naeuser> -c <naepassword> -l <meta_database user> -n <metadatabase_name>

demoalias Any parameter, in our lab - call it mssqldemo

database_user MSSQL user name – sa

database_name MSSQL Server Database name - demo

database_password User sa password – Thales123!

db_type Type of the database – SQLServer

DB IP Address Windows Server IP – 10.160.10.5

meta_user_password Meta user password from the database – Thales123!

Port 1433

Naeuser CipherTrust username - db_user

Naepassword CipherTrust user password – dbThales123!

meta_database user Meta database user - demo

metadatabase_name Meta database name – demo_meta


pdbctl adddb -a mssqldemo -u sa -d demo -p Thales123! -t SQLServer -i 10.160.10.5 -m Thales123! -o 1433 -b db_user -c dbThales123! -n demo_meta -l demo

2. To view the newly added database, or to check if the database was added successfully or not, run the
following command: pdbctl listdb

3. List User Map. This allows us to see which users are mapped on the database and the CM:
pdbctl listusermap -a mssqldemo

4. To view the tables in a database associated with a database alias, run the following command:
pdbctl listtables -a <database_user_alias>

5. To view the columns in a table associated with a database alias, run the following command:
pdbctl listcolumns -a <database_user_alias> -t <table_name>
The following sample command lists the columns of the customer table associated with the alias mssqldemo:
pdbctl listcolumns -a mssqldemo -t customer


6. Run the following command to migrate the data into encrypted format:
pdbctl migrate -a <database_alias> -t <table_name>
pdbctl migrate -a mssqldemo -t customer

7. Verify encryption status:


pdbctl listcolumns -a mssqldemo -t customer
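Sections 1 through 4 of this part as one PowerShell script; this is an added example, not part of the Thales lab or the pdbctl package. It assumes the IngrianNAE.properties file uses key=value lines, that pdbctl.exe returns a non-zero exit code on failure, and that the session runs as Administrator (needed for the system-scope variable).

```powershell
# Added example (not part of the Thales lab): Part 5, Sections 1-4 scripted.
# Assumptions: key=value lines in IngrianNAE.properties, a non-zero pdbctl
# exit code on failure, and an elevated (Administrator) session.
$ErrorActionPreference = 'Stop'

$pdbRoot  = 'C:\Users\Administrator\Desktop\Training\pdbctl'
$propFile = Join-Path $pdbRoot 'classes\IngrianNAE.properties'
$naeIp    = '10.160.10.10'   # CipherTrust Manager address (lab value)
$naePort  = '9000'           # NAE server port (lab value)

# Replace an existing "Key=..." line, or append it when the key is missing,
# so other settings in the properties file are left untouched.
function Set-PropertyLine {
    param([string[]]$Lines, [string]$Key, [string]$Value)
    $pattern = "^$Key="
    if ($Lines -match $pattern) {
        return $Lines -replace "$pattern.*", "$Key=$Value"
    }
    return $Lines + "$Key=$Value"
}

# Section 1, step 5: point the pdbctl utility at CipherTrust Manager.
$lines = @(Get-Content $propFile)
$lines = Set-PropertyLine -Lines $lines -Key 'NAE_IP'   -Value $naeIp
$lines = Set-PropertyLine -Lines $lines -Key 'NAE_Port' -Value $naePort
Set-Content -Path $propFile -Value $lines -Encoding ASCII

# Section 2: PDB_MUTIL_PATH for the current user and system-wide (steps 5
# and 8), plus the running session so the rest of this script sees it.
foreach ($scope in 'User', 'Machine') {
    [Environment]::SetEnvironmentVariable('PDB_MUTIL_PATH', $pdbRoot, $scope)
}
$env:PDB_MUTIL_PATH = $pdbRoot

# Run one pdbctl command and stop at the first failure instead of carrying
# on to migrate against a half-configured alias.
function Invoke-Pdbctl {
    param([Parameter(Mandatory)][string[]]$Arguments)
    & (Join-Path $pdbRoot 'pdbctl.exe') @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "pdbctl $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

Set-Location $pdbRoot   # Section 3: cd Desktop\Training\pdbctl

# Section 4, step 1: register the database with the lab's values.
Invoke-Pdbctl @('adddb', '-a', 'mssqldemo', '-u', 'sa', '-d', 'demo',
    '-p', 'Thales123!', '-t', 'SQLServer', '-i', '10.160.10.5',
    '-m', 'Thales123!', '-o', '1433', '-b', 'db_user', '-c', 'dbThales123!',
    '-n', 'demo_meta', '-l', 'demo')

# Steps 2-5: confirm the alias, user map, tables and columns before migrating.
Invoke-Pdbctl @('listdb')
Invoke-Pdbctl @('listusermap', '-a', 'mssqldemo')
Invoke-Pdbctl @('listtables', '-a', 'mssqldemo')
Invoke-Pdbctl @('listcolumns', '-a', 'mssqldemo', '-t', 'customer')

# Step 6: encrypt the mapped column; step 7: re-list to see the status.
Invoke-Pdbctl @('migrate', '-a', 'mssqldemo', '-t', 'customer')
Invoke-Pdbctl @('listcolumns', '-a', 'mssqldemo', '-t', 'customer')
```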

Section 5: Viewing the Data as an Unauthorized User


1. On Windows Server, open the MSSQL management tool.
2. Log in as follows:

User sa

Password Thales123!

3. On the left pane, select Databases > demo > Tables.


4. Right-click customer table.


5. Click Select top 1000 Rows.


The new SSN column is encrypted.

Note: The pdbctl tool creates a new column that holds the encrypted data.
