This guide describes how to configure the Protegrity Policy Agent and Log Forwarder to connect to a Protegrity Provisioned Cluster (PPC), highlighting the differences from connecting to ESA.
Key Differences: PPC vs ESA
| Feature | ESA 10.2 | PPC (this guide) |
|---|---|---|
| Datastore Key Fingerprint | Optional/Recommended | Required |
| CA Certificate on Agent | Optional/Recommended | Optional/Recommended |
| CA Certificate on Log Forwarder | Optional/Recommended | Not supported |
| Client Certificate Authentication from Log Forwarder | Optional/Recommended | Not supported |
| IP Address | ESA IP address | PPC address |
Prerequisites
- Access to PPC and required credentials.
- Tools: curl and kubectl installed.
Policy Agent Setup with PPC
Important
When connecting to PPC, the Policy Agent requires the PTY_DATASTORE_KEY fingerprint. For ESA 10.2, the fingerprint is optional but recommended. See Policy Agent Installation for general setup steps. Follow these instructions as a guide to the PPC-specific inputs for a Policy Agent integrating with PPC:
Obtain the Datastore Key Fingerprint
To retrieve the fingerprint for your Policy Agent, submit the public key of the Policy Agent's KMS key pair to the datastore export-keys endpoint:

```bash
curl -k -H "Authorization: Bearer ${TOKEN}" -X POST https://${HOST}/pty/v2/pim/datastores/1/export/keys \
  -H "Content-Type: application/json" \
  --data '{ "algorithm": "RSA-OAEP-256", "description": "example-key-from-kms", "pem": "-----BEGIN PUBLIC KEY-----\nABC123... ...890XYZ\n-----END PUBLIC KEY-----" }'
```

Note that `-k` disables TLS verification of the PPC endpoint; once you have retrieved the PPC CA certificate (next step), prefer `--cacert CA.pem` over `-k`.

Sample Output:

```json
{"uid":"1","algorithm":"RSA-OAEP-256","fingerprint":"4c:46:d8:05:35:2e:eb:39:4d:39:8e:6f:28:c3:ab:d3:bc:9e:7a:cb:95:cb:b1:8e:b5:90:21:0f:d3:2c:0b:27","description":"example-key-from-kms"}
```

Record the fingerprint value and configure it as the PTY_DATASTORE_KEY for the Policy Agent.
Retrieve the PPC CA Certificate
To obtain the CA certificate from PPC:

```bash
kubectl -n api-gateway get secret ingress-certificate-secret -o jsonpath='{.data.ca\.crt}' | base64 -d > CA.pem
```

Use the CA.pem that was returned as described in Policy Agent Installation.
Configure the PPC Address
Use the PPC address in place of the ESA IP address wherever required in your configuration.
Log Forwarder Setup with PPC
Note
When using PPC, certificate authentication and CA validation are not supported for the Log Forwarder. Configuration steps related to certificates in Log Forwarder Installation do not apply to PPC. If you attempt to use certificates provided by PPC, the Log Forwarder will not function correctly.
- The Log Forwarder will proceed without certificates and will print a warning if PtyEsaCaServerCert and PtyEsaClientCertificatesSecretId are not provided.
- No additional certificate or CA configuration is needed for PPC.
Troubleshooting
Protector Lambda fails with “AWS KMS Decrypt failed”
Symptom:
After a successful Policy Agent run and layer update, the Protector Lambda returns:

```json
{
"body": "{\"error_msg\":\"Failed to open decoder: rpdecode decrypt failure: dek callback failed: AWS KMS Decrypt failed: \",\"success\":false}",
"isBase64Encoded": false,
"statusCode": 400
}
```

The Protector Lambda logs show:

```text
[SEVERE] [utils.cpp:185] AWS KMS Decrypt failed:
```
Cause:
The public key configured in the PPC/ESA datastore does not match the KMS key pair used by the Policy Agent. The policy package is encrypted with the public key stored in the datastore. If that key does not correspond to the KMS key pair whose private key is used for decryption, the Protector Lambda will fail to decrypt the policy.
Resolution:
- Identify the KMS key pair used by the Policy Agent (the key ARN configured during pre-configuration).
- Export the public key from that KMS key pair.
- In PPC/ESA, ensure the datastore’s export key is configured with the public key from that same KMS key pair. See Obtain the Datastore Key Fingerprint above.
- Re-run the Policy Agent to generate a new policy package encrypted with the correct key.
- Test the Protector Lambda again.
Important
Always verify that the public key registered in the PPC/ESA datastore belongs to the same KMS key pair referenced by the Policy Agent. A mismatch between these keys is a common cause of "AWS KMS Decrypt failed" errors.
The KMS key must be an asymmetric key with the "Encrypt and decrypt" key usage type. Symmetric keys, or asymmetric keys configured for signing, will not work.
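The following is an added pre-flight check for the resolution steps above; it is not Protegrity's own code. It takes the response dict of boto3's `kms.get_public_key(KeyId=<key ARN>)` (constructed inline here, no AWS call is made), rejects keys that are not asymmetric RSA encrypt/decrypt keys supporting the datastore's RSA-OAEP-256 algorithm, builds the request body for the export-keys call shown earlier from the DER public key KMS returns, and compares a colon-separated SHA-256 of that DER key with the recorded PTY_DATASTORE_KEY. That the PPC fingerprint is SHA-256 over the DER key is an assumption inferred from its 32-byte length; confirm it once against a real export result before relying on `fingerprint_matches`.

```python
import base64
import hashlib
import json
import textwrap

# KMS names for what the page requires: an asymmetric RSA key whose usage is
# encrypt/decrypt and which supports the datastore's RSA-OAEP-256 algorithm.
REQUIRED_KEY_USAGE = "ENCRYPT_DECRYPT"
REQUIRED_ENCRYPTION_ALGORITHM = "RSAES_OAEP_SHA_256"


def check_kms_key(meta):
    """Return reasons this KMS key cannot serve the Policy Agent; empty list means usable.

    `meta` is the response dict of boto3's kms.get_public_key(KeyId=<key ARN>).
    """
    problems = []
    if meta.get("KeyUsage") != REQUIRED_KEY_USAGE:
        problems.append(f"KeyUsage is {meta.get('KeyUsage')!r}, need {REQUIRED_KEY_USAGE}")
    if not str(meta.get("KeySpec", "")).startswith("RSA_"):
        problems.append(f"KeySpec is {meta.get('KeySpec')!r}, need an asymmetric RSA key")
    if REQUIRED_ENCRYPTION_ALGORITHM not in meta.get("EncryptionAlgorithms", []):
        problems.append(f"key does not support {REQUIRED_ENCRYPTION_ALGORITHM}")
    return problems


def der_to_pem(der):
    """Wrap the DER SubjectPublicKeyInfo that KMS returns in a PEM PUBLIC KEY block."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----"


def export_key_request(der, description):
    """JSON body for POST /pty/v2/pim/datastores/<id>/export/keys (the page's curl call)."""
    return json.dumps({"algorithm": "RSA-OAEP-256", "description": description,
                       "pem": der_to_pem(der)})


def fingerprint(der):
    """Colon-separated SHA-256 of the DER key. Assumption: PPC's fingerprint is derived
    this way; verify once against the fingerprint a real export call returns."""
    return ":".join(f"{b:02x}" for b in hashlib.sha256(der).digest())


def fingerprint_matches(der, recorded):
    """True when the key exported from KMS hashes to the configured PTY_DATASTORE_KEY."""
    return fingerprint(der) == recorded.strip().lower()


if __name__ == "__main__":
    # Constructed stand-in for a get_public_key() response: a signing key, which must be rejected.
    meta = {"KeyUsage": "SIGN_VERIFY", "KeySpec": "RSA_2048",
            "SigningAlgorithms": ["RSASSA_PSS_SHA_256"], "PublicKey": b"constructed-der"}
    for problem in check_kms_key(meta):
        print("unusable key:", problem)
```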
Additional Notes
- For troubleshooting, consult the Protegrity Documentation.