Integrating Cloud Protect with PPC (Protegrity Provisioned Cluster)
Key Differences: PPC vs ESA
| Feature | ESA 10.2 | PPC (this guide) |
|---|---|---|
| Datastore Key Fingerprint | Optional/Recommended | Required |
| CA Certificate on Agent | Optional/Recommended | Optional/Recommended |
| CA Certificate on Log Forwarder | Optional/Recommended | Not supported |
| Client Certificate Authentication from Log Forwarder | Optional/Recommended | Not supported |
| IP Address | ESA IP address | PPC address |
Prerequisites
- Access to PPC and the required credentials.
- Tools: curl and kubectl installed.
Policy Agent Setup with PPC
Important
When connecting to PPC, the Policy Agent requires a datastore key fingerprint. When connecting to ESA 10.2 with the Cloud Protect Policy Agent, the fingerprint is optional but recommended. See Policy Agent Installation for the general setup steps. Follow the instructions below as a guide to the inputs that are specific to a Policy Agent integrating with PPC:
Obtain the Datastore Key Fingerprint
To retrieve the fingerprint for your Policy Agent:
Retrieve the public key from the cloud provider's key management service for the policy encryption key created during pre-configuration:
AWS:
- Navigate to the Key Management Service in the AWS console and open Customer Managed Keys
- Select the desired key
- Select the Public Key tab
- Select Download
Azure:
- Navigate to the Key Vault in the Azure console and open Objects > Keys
- Select the desired key
- Select the key indicated as CURRENT VERSION
- Select Download public key
GCP:
- Navigate to Key Management in the GCP console
- Select the desired key and open the Versions tab
- Select Get public key from the Actions column menu
- Select Download
Escape the newline characters in the downloaded public key for use in the next step, for example:
```shell
awk 'NF {printf "%s\\n",$0}' "<public_key_file>" > "new-line-escaped-public-key.pem"
cat new-line-escaped-public-key.pem
```
Export the key fingerprint using the PPC API, as in the curl example below:
```shell
curl -k -H "Authorization: Bearer ${TOKEN}" -X POST https://${HOST}/pty/v2/pim/datastores/1/export/keys -H "Content-Type: application/json" --data '{ "algorithm": "RSA-OAEP-256", "description": "example-key-from-key-management", "pem": "<value of new-line-escaped-public-key>" }'
```
Sample Output:
```json
{"uid":"1","algorithm":"RSA-OAEP-256","fingerprint":"4c:46:d8:05:35:2e:eb:39:4d:39:8e:6f:28:c3:ab:d3:bc:9e:7a:cb:95:cb:b1:8e:b5:90:21:0f:d3:2c:0b:27","description":"example-key-from-kms"}
```
Note
Alternatively, set the key using the PPC CLI utility. See the export key example in Create Datastores Key.
Record the value of fingerprint and configure the Policy Agent:
- Set the environment variable PTY_DATASTORE_KEY in the Policy Agent Lambda function to the fingerprint value.
- Set the environment variable PTY_DATASTORE_KEY in the Policy Agent Function App to the fingerprint value.
- Set the variable pty_datastore_key in the Policy Agent main.tf to the fingerprint value and apply the changes.
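The escape, export and record steps above as one checked script. This is an added example, not Protegrity's tooling: it assumes HOST and TOKEN are set by the caller, that CA.pem is the file written by the kubectl step on this page, and that every fingerprint has the 32-byte shape of the sample output.

```shell
#!/bin/sh
# Added example, not Protegrity's own tooling: wraps this page's awk/curl
# steps in checked functions. HOST and TOKEN are assumed set by the caller;
# CA.pem is assumed to be the file written by the kubectl step on this page.
# Escape newlines exactly as the page's awk one-liner does: drop blank
# lines and join the rest with a literal backslash-n, as the API expects.
escape_pem() {
  awk 'NF {printf "%s\\n",$0}' "$1"
}
# Build the JSON body for POST /pty/v2/pim/datastores/1/export/keys.
# $1 = escaped PEM, $2 = description shown in the PPC key list.
build_payload() {
  printf '{"algorithm":"RSA-OAEP-256","description":"%s","pem":"%s"}' "$2" "$1"
}
# Pull "fingerprint" out of the single-line JSON the API returns.
parse_fingerprint() {
  printf '%s\n' "$1" | sed -n 's/.*"fingerprint":"\([^"]*\)".*/\1/p'
}
# The sample output on this page is 32 colon-separated hex bytes; assume
# that shape and refuse anything else, so an error page or a truncated
# response never ends up in PTY_DATASTORE_KEY.
is_valid_fingerprint() {
  printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){31}[0-9a-f]{2}$'
}
# End to end: $1 = downloaded public key file, $2 = description.
# Uses --cacert with the PPC CA instead of the page's -k, so the key is
# only ever posted to an endpoint whose certificate was verified.
export_key_fingerprint() {
  body=$(build_payload "$(escape_pem "$1")" "$2")
  resp=$(curl -sS --cacert CA.pem -H "Authorization: Bearer ${TOKEN}" \
    -X POST "https://${HOST}/pty/v2/pim/datastores/1/export/keys" \
    -H "Content-Type: application/json" --data "$body")
  fp=$(parse_fingerprint "$resp")
  is_valid_fingerprint "$fp" || { echo "unexpected response: $resp" >&2; return 1; }
  printf 'PTY_DATASTORE_KEY=%s\n' "$fp"
}
# Constructed sample (not a real key) so the functions can be tried offline;
# the blank line shows the NF filter at work.
write_sample_pem() {
  cat > "$1" <<'EOF'
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA

AQAB
-----END PUBLIC KEY-----
EOF
}
```

Run `export_key_fingerprint "<public_key_file>" "<description>"` and paste the printed PTY_DATASTORE_KEY line into the Lambda, Function App or main.tf configuration.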
Retrieve the PPC CA Certificate
To obtain the CA certificate from PPC:
```shell
kubectl -n api-gateway get secret ingress-certificate-secret -o jsonpath='{.data.ca\.crt}' | base64 -d > CA.pem
```
Use the ProtegrityCA.pem that was returned, as described in Policy Agent Installation.
Configure the PPC Address
Use the PPC address in place of the ESA IP address wherever required in your configuration.
Note
Use the FQDN, as described in the PPC REST API documentation.
Log Forwarder Setup with PPC
Note
When using PPC, certificate authentication and CA validation are not supported for the Log Forwarder. The configuration steps related to certificates in Log Forwarder Installation do not apply to PPC. If you attempt to use certificates provided by PPC, the Log Forwarder will not function correctly.
- The Log Forwarder will proceed without certificates and will print a warning if PTY_ESA_CA_SERVER_CERT is not provided.
- No additional certificate or CA configuration is needed for PPC.