Configuring
Note
We refer to the EDB Postgres Advanced Server version 15.2 and later and EDB Postgres Extended Server version 15.2 and later products as the EDB Postgres distribution. The specific distribution type depends on your needs and preferences.
Implementing Thales CipherTrust Manager with EDB Postgres Advanced Server 15.2 and later or EDB Postgres Extended 15.2 and later requires the following components:
- EDB Postgres distribution (15.2 or later)
- Thales CipherTrust Manager
- PyKMIP
- Python
Prerequisites
- A running EDB Postgres distribution
- Thales CipherTrust Manager installed and deployed per your environment
Check/install Python on server
Many Unix-compatible operating systems, such as macOS and some Linux distributions, have Python installed by default, as it's included in a base installation.
To check whether Python is installed, and which version, enter python3 --version, which prints the version. You can also enter ps -ef | grep python to list any Python processes that are already running.
If you run a check and find that your system doesn't have Python installed, you can download it from Python.org. Select your specific OS, and download and install on your system.
Install PyKMIP
After the EDB repository is configured on your server, you can install the PyKMIP package from it.
As the root user, install the python3-pykmip package with the OS package manager. This example uses a RHEL 8 server, so the command is dnf install python3-pykmip.
To confirm that the module is importable, run python3 -c "import kmip" as the operating system user that will run the KMIP client; it should exit silently, without an ImportError.
Configure Thales CipherTrust Manager for your EDB Postgres distribution
After Thales CipherTrust Manager is up and running, create the required certificates.
Log in to Thales CipherTrust Manager and create user
Before you can create keys on Thales CipherTrust Manager from an EDB Postgres distribution, you need a user that the KMIP client authenticates as. CipherTrust Manager verifies that username and password against its internal user database.
Log in to Thales CipherTrust Manager.
Navigate to the Access Management section, and select Users.
Select Add Users, and provide the required information:
- Username
- Password
Select Add User.
From the ellipsis menu next to the user you created, select View/Edit.
Select Expand All, and select or add the following groups for the user:
- Key Admins
- Key Users
- All Clients
The user that you created now has the appropriate settings and permissions to create and download certificates in Thales. Keep this account dedicated to the Postgres integration: its password will be stored in the client configuration on the database server, so it should not be a personal or shared administrative login.
Create and download certificates on Thales CipherTrust Manager
You need to generate ca.pem, key.pem, and cert.pem certificates in Thales CipherTrust Manager for your KMIP server and pykmip.conf file.
Download the CA certificate
The local CA certificate is provided by default. To access and download the certificate for your pykmip.conf file:
On the left-hand side of Thales CipherTrust Manager, navigate to CA and select Local, which brings you to the Local Certificate Authorities page.
From the ellipsis menu on the far-right side, select Download.
For your download, change the name from Certificate.pem to ca.pem. Keep track of where you downloaded your certificate, as you will need it later.
Create and download the key.pem and cert.pem certificates
These are the other two certificates you need for your KMIP server and pykmip.conf file.
Navigate to the Thales CipherTrust Manager main page.
Under Products, select KMIP.
Select Client Profile > Add Profile.
Give the profile a name, and select Save. This example uses the name newtestprofile.
Select Registration Token > New Registration Token.
Select Begin, and then configure your token:
- Give the token a name. In this example, it's edbnewtoken2.
- Select local CA.
- Select the client profile you created earlier. In this example, it's newtestprofile.
- Select Create Token.
- Copy the token you created.
- Select Done.
Navigate to Registered Clients, and select Add Client.
Give the client a name.
Paste the token that you copied into the Registration Token box, and then select Save, which generates the final two certificates.
To download the final two certificates, select Save Private Key (save it as key.pem), and then select Save Certificate (save it as cert.pem). Make sure to note their downloaded location for later. Treat key.pem as a secret: it identifies this client to CipherTrust Manager, so copy it to the database server over a secure channel and restrict its file permissions to the user that runs the KMIP client.
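Before the three files and the CipherTrust user credentials are handed to the KMIP client, it is worth checking the resulting pykmip.conf once. The script below is an added example, not code from the EDB or Thales documentation. It assumes the standard PyKMIP [client] section keys (host, port, certfile, keyfile, ca_certs, cert_reqs, username, password) and the file names ca.pem, key.pem and cert.pem chosen above; the host name, directory, user name and password in the sample config are placeholders, and the PEM files it writes for the demonstration are constructed stand-ins for the real ones downloaded from CipherTrust Manager.

```python
"""Pre-flight check for the pykmip.conf that the EDB Postgres TDE key wrapper
uses to reach Thales CipherTrust Manager over KMIP.

Added example (not EDB or Thales code). Assumes the standard PyKMIP [client]
keys; host, paths and credentials below are placeholders.
"""
import configparser
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample pykmip.conf (placeholder host, paths and credentials).
SAMPLE_CONF = """\
[client]
host=ciphertrust.example.internal
port=5696
certfile=/etc/edb/kmip/cert.pem
keyfile=/etc/edb/kmip/key.pem
ca_certs=/etc/edb/kmip/ca.pem
cert_reqs=CERT_REQUIRED
username=edbkmipuser
password=ChangeMe
"""

REQUIRED_KEYS = ("host", "port", "certfile", "keyfile",
                 "ca_certs", "cert_reqs", "username", "password")


def load_client_section(conf_path):
    """Parse pykmip.conf and return its [client] section."""
    parser = configparser.ConfigParser()
    with open(conf_path) as fh:
        parser.read_file(fh)
    if "client" not in parser:
        raise ValueError(f"{conf_path}: no [client] section")
    return parser["client"]


def _group_or_world_readable(path):
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


def _looks_like_pem(path):
    with open(path, "rb") as fh:
        return fh.read(11) == b"-----BEGIN "


def check_pykmip_conf(conf_path):
    """Return a list of findings; an empty list means the file passed."""
    findings = []
    client = load_client_section(conf_path)
    for key in REQUIRED_KEYS:
        if not client.get(key):
            findings.append(f"missing or empty key: {key}")
    # The file carries the CipherTrust user's password: nobody else should read it.
    if _group_or_world_readable(conf_path):
        findings.append(f"{conf_path} is group- or world-readable but holds the KMIP password")
    # Without CERT_REQUIRED the client does not verify the server against ca.pem.
    if client.get("cert_reqs", "").upper() != "CERT_REQUIRED":
        findings.append("cert_reqs must be CERT_REQUIRED so the server is checked against ca.pem")
    for key in ("certfile", "keyfile", "ca_certs"):
        value = client.get(key)
        if not value:
            continue
        path = Path(value)
        if not path.is_file():
            findings.append(f"{key} points at a missing file: {value}")
            continue
        if not _looks_like_pem(path):
            findings.append(f"{key} file {value} does not start with a PEM header")
        if key == "keyfile" and _group_or_world_readable(path):
            findings.append(f"private key {value} is group- or world-readable")
    port = client.get("port", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(f"port {port!r} is not a valid TCP port")
    return findings


def build_demo(base_dir):
    """Write the sample config and constructed placeholder PEM files under base_dir.

    key.pem is deliberately left world-readable so the check has something to flag.
    """
    base = Path(base_dir)
    for name in ("ca.pem", "cert.pem", "key.pem"):
        label = "PRIVATE KEY" if name == "key.pem" else "CERTIFICATE"
        (base / name).write_text(f"-----BEGIN {label}-----\nplaceholder\n-----END {label}-----\n")
        os.chmod(base / name, 0o644)
    conf = base / "pykmip.conf"
    conf.write_text(SAMPLE_CONF.replace("/etc/edb/kmip", str(base)))
    os.chmod(conf, 0o600)
    return conf


def demo():
    """Run the check before and after tightening key.pem to 0600."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = build_demo(tmp)
        before = check_pykmip_conf(conf)
        os.chmod(Path(tmp) / "key.pem", 0o600)
        after = check_pykmip_conf(conf)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Run it as the operating system user that will own pykmip.conf (typically the database service account), pointing check_pykmip_conf at the real file once the three PEM files are in place. The demo only exercises the permission case; on a real deployment the missing-file and cert_reqs checks are the ones most often tripped, because a config copied from a workstation keeps the workstation's download paths.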
You are now ready to use Thales CipherTrust Manager and your EDB Postgres distribution with TDE for key management.