Installing and Configuring Vormetric Transparent Encryption for Pivotal Platform (Beta)

This topic describes how to install and configure the Vormetric Transparent Encryption (VTE) for Pivotal Cloud Foundry (Pivotal Platform) tile. Users of the tile are assumed to be familiar with Vormetric security concepts and with configuring the Vormetric Data Security Manager (DSM).

Before Installing and Configuring the VTE Tile

The following steps are a high-level workflow for enabling the VTE tile:

  1. Choose a mapping strategy to support multi-tenancy and get familiar with the naming conventions used in the tile. Review both the Mapping Pivotal Platform Organizations and Spaces to Vormetric Domains and the Configuring Vormetric DSM sections.

  2. Configure the VTE tile so that it conforms to the mapping strategy in the previous step.

  3. For each tenant:

    • Map the Pivotal organization and space to a Vormetric domain. Decide on the host group name and the shared secret for the host group.
    • Create the domain chosen in the previous step. Log in to the domain and create the host group and the shared secret decided in the previous step. Configure a security policy for the domain, and the host settings and guard path for the host group, as described in Configuring Vormetric DSM.
    • Create the organization and space in Apps Manager. Create a service instance, such as an On-demand MySQL instance, in the organization and space.
    • When the previous step completes, the VTE instance protecting the service instance should be registered with the DSM and show a successful guard status.

Install and Configure the VTE Tile

To install and configure the VTE tile, do the following:

  1. Download the product file from Pivotal Network.

  2. Navigate to the Ops Manager Installation Dashboard and click Import a Product to upload the product file.

  3. Under the Import a Product button, click + next to the version number of the product. This adds the tile to your staging area.

  4. Click the newly added Vormetric Transparent Encryption for Pivotal Platform tile.

  5. From the Settings tab, select Registration Service Config. The configuration parameters for the Registration Service, which maps Pivotal organizations and spaces to Vormetric domains, are displayed as in the image below.

Registration Service Config

  6. For Data Security Manager (DSM) host name, enter the fully qualified domain name (FQDN) of the DSM with which the VTE instances register.

  7. For DSM Domain Mapping, select how Pivotal organizations and spaces map to Vormetric domains. See the Mapping Pivotal Platform Organizations and Spaces to Vormetric Domains section for details on the mapping options.

  8. For Shared Secret for VTE registration with DSM, enter the shared secret of the host group to which the VTE instances belong.

    Note: This shared secret must be the same for all host groups configured to work with Pivotal Platform. Treat it as a credential: it is what allows a VTE instance to register with those host groups, and changing it means updating the tile configuration as well as every host group that uses it.

  9. Click Save. This completes the configuration for the Registration Service.

  10. From the Settings tab, select Default Registration Config. The default registration parameters, which allow VTE instances to register with a DSM even when the Registration Service is unavailable, are displayed as in the image below.

Default Registration Config

  11. For Default Data Security Manager (DSM) host name, enter the FQDN of the DSM.

  12. For Default Domain, enter the name of the default domain to which the VTE instances belong.

  13. For Default Host Group, enter the host group in the default domain to which the VTE instances belong.

  14. For Shared Secret for VTE registration with DSM, enter the shared secret for the default host group.

  15. Click Save. This completes the configuration for the default registration.

  16. Return to the Ops Manager Installation Dashboard and click Apply Changes to complete the installation of the VTE tile.

Mapping Pivotal Platform Organizations and Spaces to Vormetric Domains

The following table explains the mapping options that support multi-tenancy. Follow the naming convention below when provisioning DSM domains.

Mapping | DSM Domain Name Format | Description | Example
Organization | Pivotal Platform.<organization> | The sanitized organization name* prefixed with "Pivotal Platform.". | Organization "Thales" maps to the domain "Pivotal Platform.Thales".
Organization Space | Pivotal Platform.<organization>.<space> | The sanitized organization name* (limited to 60 characters) followed by the sanitized space name* (limited to 20 characters), prefixed with "Pivotal Platform.". | Organization "Thales" and space "Dev" map to the domain "Pivotal Platform.Thales.Dev".
Single Fixed Domain | n/a | The preconfigured domain name for the VTE instances that protect all application instances. | n/a

*The domain name is limited to 64 characters in total. It must start with an alphabetic character; the remaining characters must be alphanumeric or one of the dot ( . ), the underscore ( _ ), and the dash ( - ).

The naming convention for a host group is Pivotal Platform_<UPPER-CASE-OF-DEPLOYMENT-APP-NAME>. For example, the MySQL deployment uses the host group Pivotal Platform_MYSQL. Host descriptions are generated automatically in the format /<organization>/<space>/<service_instance_name>.

Configuring Vormetric DSM

This section summarizes the necessary configuration in DSM to work with the VTE tile. Each step includes the recommended DSM administrator role for performing the task. See the matching version of the DSM Administrator Guide for descriptions of each configuration, information about the administrator roles and responsibilities, and the separation of administrative duties.

To configure the DSM, do the following:

  1. (System Security administrator) Create a domain that maps to the configured Pivotal organization and space in which the service instances will reside (for example, MySQL service instances). See the Mapping Pivotal Platform Organizations and Spaces to Vormetric Domains section for the naming convention for the domain name.

  2. (System administrator) Create a Domain administrator for the domain created in the previous step.

  3. (Domain administrator) Create a Domain Security administrator with all privileges.

  4. (Domain Security administrator) Configure the following:

    • Agent Key — Create a versioned symmetric encryption key using a strong key algorithm, such as AES256.
    • Policy — Create a security policy of the Live Data Transformation (LDT) type. Refer to the matching version of the Vormetric Transparent Encryption (VTE), Live Data Transformation Guide for more information.

A policy consists of two parts: the Security Rules and the Key Selection Rules. Complete Security Rules must be configured as shown in Figure 3. The configuration of each subcomponent of the rules is illustrated in the figures that follow.

Security Rules of an LDT Security Policy

Detailed view of the Security Rules

User Set configurations in the Security Rules

Detailed view of the User Set configurations

Process Set configurations in the Security Rules

Detailed view of Process Set configurations

The Key Selection Rules for an LDT policy must use a versioned symmetric key as the Transformation Key. Create a key rule using the symmetric key created at the beginning of this step.

Key Selection Rules of an LDT Security Policy

Detailed view of the Key Selection Rules

    • Host Group — Create a host group following the naming convention described in the Mapping Pivotal Platform Organizations and Spaces to Vormetric Domains section. Make sure the Enable FS Agent Communication option for the host group is selected.

    • Host Settings — Configure the host settings for the host group with the following rules:

    |authenticator|/usr/sbin/sshd
    |authenticator|/bin/login
    |authenticator|/var/vcap/bosh/bin/bosh-agent
    |authenticator|/var/vcap/bosh/bin/monit
    |su_root_no_auth|/usr/bin/sudo
    |trust+arg=-p /var/vcap/store/mysql/|/bin/mkdir
    |trust+arg=/var/vcap/store/mysql/data|/bin/mkdir
    |trust+arg=vcap:vcap /var/vcap/store/mysql|/bin/chown
    |trust+arg=vcap:vcap /var/vcap/store/mysql/data|/bin/chown
    |authenticator_euid|/var/vcap/packages/percona-server/bin/mysqld
    

Host Settings for the Host Group

    • Shared Secret — Create the same shared secret for ALL host groups configured to work with Pivotal Platform.

Shared Secret for the Host Group

    • GuardPoint — Create a GuardPoint of the Directory (Auto Guard) type for the host group. Use the LDT policy created previously. Enter /var/vcap/store as the guard path.

GuardPoint for the Host Group