This is the multi-page printable view of this section. Click here to print.
Appendices
- 1: Integrating Cloud Protect with PPC (Protegrity Provisioned Cluster)
- 2: Configuring Regular Expression to Extract Policy Username
- 3: Getting JWT for Service Account in Azure Active Directory
- 4: Protection Methods
- 5: ARM Template Installation - Required Permissions
- 6: Associating ESA Data Store With Cloud Protect Agent
1 - Integrating Cloud Protect with PPC (Protegrity Provisioned Cluster)
This guide describes how to configure the Protegrity Policy Agent and Log Forwarder to connect to a Protegrity Provisioned Cluster (PPC), highlighting the differences from connecting to ESA.
Key Differences: PPC vs ESA
| Feature | ESA 10.2 | PPC (this guide) |
|---|---|---|
| Datastore Key Fingerprint | Optional/Recommended | Required |
| CA Certificate on Agent | Optional/Recommended | Optional/Recommended |
| CA Certificate on Log Forwarder | Optional/Recommended | Not supported |
| Client Certificate Authentication from Log Forwarder | Optional/Recommended | Not supported |
| IP Address | ESA IP address | PPC address |
Prerequisites
- Access to PPC and required credentials.
- Tools:
curl,kubectlinstalled.
Policy Agent Setup with PPC
Important
When connecting to PPC, the Policy Agent requires thePTY_DATASTORE_KEY fingerprint. For ESA 10.2, the fingerprint is optional but recommended. See Policy Agent Installation for general setup steps.Follow these instructions as a guide for understanding specific inputs for Policy Agent integrating with PPC:
Obtain the Datastore Key Fingerprint
To retrieve the fingerprint for your Policy Agent:
curl -k -H "Authorization: Bearer ${TOKEN}" -X POST https://${HOST}/pty/v2/pim/datastores/1/export/keys -H "Content-Type: application/json" --data '{ "algorithm": "RSA-OAEP-256", "description": "example-key-from-kms", "pem": "-----BEGIN PUBLIC KEY-----\nABC123... ...890XYZ\n-----END PUBLIC KEY-----" }'Sample Output:
{"uid":"1","algorithm":"RSA-OAEP-256","fingerprint":"4c:46:d8:05:35:2e:eb:39:4d:39:8e:6f:28:c3:ab:d3:bc:9e:7a:cb:95:cb:b1:8e:b5:90:21:0f:d3:2c:0b:27","description":"example-key-from-kms"}Record the
fingerprintand configure it as the value forPTY_DATASTORE_KEYin the Policy Agent function environment variable.Retrieve the PPC CA Certificate
To obtain the CA certificate from PPC:
kubectl -n api-gateway get secret ingress-certificate-secret -o jsonpath='{.data.ca\.crt}' | base64 -d > CA.pemUse the
CA.pemthat was returned as described in Policy Agent Installation.Configure the PPC Address
Use the PPC fqdn in place of the ESA IP address wherever required in your configuration.
Log Forwarder Setup with PPC
Note
When using PPC, certificate authentication and CA validation are not supported for the Log Forwarder. Configuration steps related to certificates in Log Forwarder Installation do not apply to PPC. If you attempt to use certificates provided by PPC, the Log Forwarder will not function correctly.- The Log Forwarder will proceed without certificates and will print a warning if
PTY_ESA_CA_SERVER_CERTis not provided. - No additional certificate or CA configuration is needed for PPC.
2 - Configuring Regular Expression to Extract Policy Username
Configuring Regular Expression to Extract Policy Username
Cloud Protect Function exposes USERNAME_REGEX configuration to allow extraction of policy username from user in the request.
USERNAME_REGEX Function Environment configuration
The USERNAME_REGEX environment variable can be set to contain regular expression with one capturing group. This group is used to extract the username. Examples below show different regular expression values and the resulting policy user.
USERNAME_REGEX | User in the request | Effective Policy User |
|---|---|---|
Not Set | ||
juliet.snow/ad_postfix | juliet.snow/ad_postfix | |
| juliet.snow | |
juliet.snow/ad_postfix | juliet.snow |
3 - Getting JWT for Service Account in Azure Active Directory
Getting JWT for Service Account in Azure Active Directory
Protect Function App can use Microsoft identity platform endpoint for identity-as-a-service, available in Azure Active Directory, to implement OpenID Connect and OAuth 2.0 authorization. This section describes how to get JWT using OAuth 2.0 client credentials grant flow in Azure Active Directory and authorize the Client ID in Protegrity Policy.
Note
Protect Function App and Azure Active Directory support more authorization methods, and the correct procedure should be chosen based on the use case.Suggested reading: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
High-level design:
- Active Directory Admin creates App registration for the service account.
- Active Directory Admin gives consent for the Service Account App ID.
- Daemon uses the Service Account App ID and the Service Account App ID Secret or Certificate, Protect Function App ID as the scope, and gets back the Access Token (JWT).
- Daemon sends the request to the Protect Function App, including the access token in the Authorization Bearer header.
Configure the Protect Function App:
From the Azure console, navigate to Function App service and select protect function app.
Navigate to Settings > Environment variables and click OPENID_ENABLED. Make sure it is set to true.
Click on OPENID_AUDIENCES, make sure it is set to the App ID recorded in EntraIDApplicationID.
Click or Add the authorization environment variable. Make sure it is set to jwt.
Click or Add on jwt_user_claim environment variable, make sure it is set to [“azp”, “appid”]. For more information on claims on AAD access token, refer:
https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens
To register a Service Account:
In the Azure portal navigate to Azure Active Directory.
Under Manage, select App registrations > New registration.
Enter a Name and select Accounts in any organizational directory.
Redirect URI is set to http://localhost.
Select Register.
After registration is complete record Application ID and Directory (tenant) ID displayed in the overview window:
Service Account App ID: ___________________
Directory (tenant) ID: ___________________
In the Azure portal, in App registrations, select your application.
Select Certificates & secrets > New client secret.
Add a description for your client secret.
Select a duration.
Click Add.
Record the secret’s value for use in your client application code. This secret value is never displayed again after you leave this page.
Service Account App Secret: ___________________
For more information on app registration, see Azure documentation Quickstart Registering App
Admin Consent the Service Account:
https://login.microsoftonline.com/{tenant}/adminconsent?
client_id={Service Account App ID}
&state=12345
&redirect_uri=http://localhost
Replace the tenant and the Service Account App ID with the values recorded in the previous step. At this point, Azure AD enforces that only a tenant administrator can sign into complete the request. The administrator will be asked to approve all the direct application permissions that were requested for the app in the app registration portal.
Get the access token
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id={Service Account App ID}&scope={EntraIDApplicationID }%2F.default&client_secret={Service Account App Secret}&grant_type=client_credentials' 'https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token'
Replace Service Account App ID, EntraIDApplicationID, Service Account App Secret, and tenant with values recorded in previous steps.
Example for successful response:
{
"token_type": "Bearer",
"expires_in": 3599,
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1uQ19WWmNBVGZNNXBP..."
}
\
Record the access_token from the response. access_token: ___________________
Tip
The access token content can be reviewed at https://jwt.ms.Note
Ensure that the claims azp or appid are included in the JWT and that the value exists in the policy as user with protect permissions.Use the token
curl -X POST "https://<Protect hostname>/api/v1/protect" -k \
-H 'x-functions-key: <Protect Function app key>' \
-H 'Authorization: Bearer <access_token>' \
-H 'Content-Type: application/json' \
-d '{
"data": ["hello world!"],
"data_element": "alpha"
}'
Replace the {Protect hostname}, {Protect Function app key} and {access_token} with the.
Troubleshooting:
- Service Account App ID redirect URL matches the redirect URL in the request for admin consent.
- Active Directory administrator does admin consent.
- JWT aud claim is the same as OPENID_AUDIENCES.
- JWT iss claim is the same as OPENID_ISSUERS.
- Protect Function configuration authorization=JWT
- At least one of thejwt_user_claim exists in the JWT
- The user claim in the token has permissions to make protect request.
- The data element exists in the Protect Function App current policy.
- JWT is not expired
4 - Protection Methods
Protection Methods
For more information about the protection methods supported by Protegrity, refer to the Protection Methods Reference.
Tokenization Type | Supported Input Data Types | Notes |
|---|---|---|
Numeric Credit Card Alpha Upper-case Alpha Alpha-Numeric Upper Alpha-Numeric Lower ASCII Printable Decimal Unicode Unicode Base64 Unicode Gen2 | STRING NULL | |
Integer | NUMBER NULL | |
Date Datetime | STRING NULL | For information about supported formats, refer to the Protection Methods Reference. |
Binary | STRING NULL | Must be |
Protection Method | Supported Input Data Types | Notes |
|---|---|---|
No Encryption | STRING NUMBER NULL |
Encryption Algorithm | Supported Input Data Types | Notes |
|---|---|---|
3DES AES-128 AES-256 CUSP 3DES CUSP AES-128 CUSP AES-256 | STRING | Must be |
5 - ARM Template Installation - Required Permissions
ARM Template Installation - Required Permissions
Permissions below are required to install Protegrity service using ARM template.
All permissions in the table must be granted with the Resource group scope.
Permissions | Description | Built-In Azure Role |
|---|---|---|
| Read access to monitoring data and settings | Monitoring Reader |
| Write and manage access to monitoring data and settings | Monitoring Contributor |
| Write and manage access to web apps | Website Contributor |
| Manage and assign managed identities NoteThese permissions are only required when user assigned identity is used. | Managed Identity Operator |
| Manage and validate deployments | Deployment Contributor |
Log Forwarder service ARM deployment requires additional permissions below:
Permissions | Description | Built-In Azure Role |
|---|---|---|
| Allow for the creation, update, and deletion of Event Hub namespaces, event hubs within those namespaces, and their network rule sets, enabling full management of Event Hub resources. Note: These permissions are only required when deploying new event Hub. | Event Hubs Contributor |
| Read monitoring data and metrics, including Event Hub namespace data. | Monitoring Reader |
The additional permissions listed below are required when API management is part of the deployment.
Permissions | Description | Built-In Azure Role |
|---|---|---|
| Create or update API Management service instances, APIs, diagnostics, API operations, operation policies, backends, loggers, tenant policies, and API diagnostics. | API Management Service Contributor |
| Read metadata for API Management service instances and get the status of long-running operations. | API Management Service Reader |
6 - Associating ESA Data Store With Cloud Protect Agent
Associating ESA Data Store With Cloud Protect Agent
ESA controls which policy is deployed to protector using concept of data store. A data store may contain a list of IP addresses identifying servers allowed to pull the policy associated with that specific data store. Data store may also be defined as default data store, which allows any server to pull the policy, provided it does not belong to any other data stores. Node registration occurs when the policy server (in this case the policy agent) makes a policy request to ESA, where the agent’s IP address is identified by ESA.
Note
For more information about ESA data store refer to Policy Management Section which is part of Protegrity ESA documentation.Policy agent function source IP address used for node registration on ESA depends on ESA hubcontroller configuration ASSIGN_DATASTORE_USING_NODE_IP and the PTY_ADDIPADDRESSHEADER configuration exposed by the agent function.
The function service uses multiple network interfaces, internal network interface with ephemeral IP range of 169.254.x.x and external network interface with IP range described in Function app outbound IP addresses section under function configuration. By default, when agent function is contacting ESA to register node for policy download, ESA uses agent function outbound IP address. This default behavior is caused by the default ESA hubcontroller configuration ASSIGN_DATASTORE_USING_NODE_IP=false and agent default configuration PTY_ADDIPADDRESSHEADER=yes.
In some cases, when there is a proxy server between the ESA and agent function, the desirable ESA configuration is ASSIGN_DATASTORE_USING_NODE_IP=true. and PTY_ADDIPADDRESSHEADER=no which will cause the ESA to use proxy server IP address.
The table below shows how the hubcontroller and agent settings will affect node IP registration on ESA.
| Agent source IP | Agent Function Outbound IP | Proxy IP | ESA config - ASSIGN_DATASTORE_USING_NODE_IP | Agent function config - PTY_ADDIPADDRESSHEADER | Agent node registration IP |
|---|---|---|---|---|---|
| 169.254.144.81 | 20.75.43.207 | No Proxy | true | yes | 169.254.144.81 |
| true | no | 20.75.43.207 | |||
| false | yes | 20.75.43.207 | |||
| false | no | 20.75.43.207 | |||
| 169.254.144.81 | 20.75.43.207 | 34.230.42.110 | true | yes | 169.254.144.81 |
| true | no | 34.230.42.110 | |||
| false | yes | 34.230.42.110 | |||
| false | no | 34.230.42.110 |