This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Configuring the Protector

1 - Working with the config.ini file

This page discusses about the config.ini file for the Teradata Data Warehouse Protector.

By default, this file is located in the /opt/protegrity/databaseprotector/teradata/data/ directory.

1.1 - Accessing the config.ini File

  1. Log in to the server as the user with the required permissions.

  2. Navigate to the directory where you have downloaded the installation package.
    For example, /opt/protegrity/databaseprotector/teradata/data/

  3. To view the contents within the directory, run the following command:

    /opt/protegrity/databaseprotector/teradata/data #  ls -ltr

  4. Press ENTER.
    The list of available configurable files appears.

    total 4
-rw-r----- 1 tdatuser tdtrusted 1058 Oct 14 01:27 config.ini

  5. To open the config.ini file, run the following command:

    /opt/protegrity/databaseprotector/teradata/data # vim config.ini

  6. Press ENTER.
    The vim utility starts and the contents of the config.ini file appears.

    ###############################################################################
# Log Provider Config
###############################################################################
[log]

# In case that connection to fluent-bit is lost, set how audits/logs are handled
# 
# drop  : (default) Protector throws logs away if connection to the fluentbit is lost
# error : Protector returns error without protecting/unprotecting 
#         data if connection to the fluentbit is lost
mode = drop

# Host/IP to fluent-bit where audits/logs will be forwarded from the protector
#
# Default localhost
host = localhost

###############################################################################
# Protector Config
###############################################################################
[protector]

# cadence is used to decide whether deployment is dynamic or immutable.
#
# '0' is used for immutable deployment.
# Non-negative values other than '0' is used as policy sync interval for dynamic deployment.
# default cadence value is '60'.
cadence = 60

    For more information about parameters in the config.ini file, refer to Parameters in the config.ini file.

  7. To close the config.ini file, run the following command:

    # :q

    Important: To reflect any changes made to the config.ini file, you must restart the Teradata Database.

  8. To restart the Teradata Database, run the following command:

    # tpareset -f <reason for restart>

  9. Press ENTER.
    A prompt to continue with restarting the database appears.

    You are about to restart the database
  on the system
     'localhost'
Do you wish to continue (default: n) [y,n]

  10. To continue with restarting the database, type y.
    The Teradata Database restarts successfully.

1.2 - Understanding the Parameters in the config.ini File

The following table consists of the config.ini parameters along with the descriptions:

Configuration ComponentParameterDescription
LogmodeSpecifies how the protector logs are handled by the Log Forwarder. If the connection to the Log Forwarder host is lost, you can set the connection mode to one of the following types:
- drop: Specifies the logs that the protector fails to record when the connection to the Log Forwarder is lost. By default, the Log Forwarder is configured to operate in the drop mode.
- error: Stops all the data security operations and throws an error when the connection to the Log Forwarder is lost.
Syntax: Parameter = Value
Example: mode = error
hostSpecifies the Log Forwarder hostname or the IP address where the logs are forwarded from the protector. The default host for the Log Forwarder is localhost.
Syntax: Parameter = Value
Example: host = <Hostname or IP Address>
ProtectorcadenceSpecifies the time interval at which the protector synchronizes with the shared memory for fetching the policy package. The default value for the cadence parameter is 60 seconds. The minimum and maximum values that can be set for the cadence parameter are 0 seconds and 86400 seconds (24 hours) respectively.
Important: If the cadence parameter value is set to 0 seconds, then the policy is fetched only once at the time of initialization. After initialization, the protector does not fetch for the new policy changes as a result of immutable deployment.
Syntax: Parameter = Value
Example: cadence = <time interval in seconds>

2 - Updating the Output Buffer for the Unicode UDFs

This page discusses the process to update the output buffer length for the Varchar Unicode UDFs.

By default, the value of the output buffer length is 500 characters. This value can be modified during the installation of the Teradata objects.

After completing the installation process, you may need to manually update the output buffer length values if necessary. For instance, if you need to protect strings longer than 500 bytes, adjust the buffer length to accommodate the largest string size. Be aware that a big buffer size slows the overall performance. Additionally, each protection method has a size limitations. For example, tokenization has a maximum size limit of 4096 bytes. The output buffer sizes for all the UDFs are stored in both, the dbpuserconf.ini and createvarcharunicode.sql files.

The process to update the output buffer length for the Varchar Unicode UDFs involves the following steps:

  1. To update the output buffer length in the dbpuserconf.ini file, refer to Updating the dbpuserconf.ini file.
  2. To update the output buffer length in the createvarcharunicode.sql file, refer to Updating the createvarcharunicode.sql file.
  3. To uninstall the Varchar Unicode UDFs using the dropvarcharunicode.sql file, refer to Uninstalling the UDFs.
  4. To re-create the Varchar Unicode UDFs using the createvarcharunicode.sql file, refer to Creating the UDFs.

2.1 - Updating the dbpuserconf.ini file

  1. Log in to the server as the user with the required permissions.

  2. Navigate to the directory where you have downloaded the dbpuserconf.ini file.
    For example, /etc/protegrity/

  3. To view the contents within the directory, run the following command:

    /etc/protegrity/ #  ls -ltr

  4. Press ENTER.
    The list of available configurable files appears.

    total 4
-rw-r----- 1 tdatuser tdtrusted 1058 Jan 28 01:27 dbpuserconf.ini

  5. To open the dbpuserconf.ini file, run the following command:

    /etc/protegrity/ # vim dbpuserconf.ini

  6. Press ENTER.
    The vim utility starts and the contents of the dbpuserconf.ini file appears.

    ###############################################################################
# Config ini
###############################################################################
[config_ini]
# path points to database protector installation directory
path = /opt/protegrity/databaseprotector/teradata/data/config.ini

###############################################################################
# Protector Varchar Sizes (set by user during installation)
###############################################################################
[varchar_sizes]
UDF_VARCHAR_MAX = 500
UDF_VARCHAR_OVERHEADMAX = 500
VARCHAR_MAX_IN_BUF_LEN_TOKEN_LATIN = 500
VARCHAR_MAX_OUT_BUF_LEN_TOKEN_LATIN = 676
VARCHAR_MAX_IN_BUF_LEN_ENC_LATIN = 500
VARCHAR_MAX_OUT_BUF_LEN_ENC_BYTES = 538
VARCHAR_MAX_IN_BUF_LEN_TOKEN_UNICODE = 500
VARCHAR_MAX_OUT_BUF_LEN_TOKEN_UNICODE = 1356
VARCHAR_MAX_IN_BUF_LEN_ENC_UNICODE = 500
VARCHAR_UNICODE_MAX_OUT_BUF_LEN_ENC_BYTES = 1038
TdvmDev2:/etc/protegrity/ #

    Important: You must update the VARCHAR_MAX_OUT_BUF_LEN_TOKEN_UNICODE parameter with the required output buffer length.

  7. To save the changes to the dbpuserconf.ini file, run the following command:

    # :wq

2.2 - Updating the createvarcharunicode.sql file

  1. Log in to the server as the user with the required permissions.

  2. Navigate to the /opt/protegrity/databaseprotector/teradata/sqlscripts/ directory.

  3. To update the output buffer length in the createvarcharunicode.sql file, run the following command:

    vim createvarcharunicode.sql

  4. Press ENTER.
    The vim utility starts and the contents of the createvarcharunicode.sql file appears.

    Ensure to update the value of the output buffer length for the PTY_VARCHARUNICODEINS, PTY_VARCHARUNICODESEL, and PTY_VARCHARUNICODESELEX UDFs as per your requirements.

  5. To save changes to the createvarcharunicode.sql file, run the following command:

    # :wq

    Important: To reflect any changes made to the createvarcharunicode file, you must restart the Teradata Database.

  6. To restart the Teradata Database, run the following command:

    # tpareset -f <reason for restart>

    Important: Updating the createvarcharunicode.sql file does not require a tpareset.

  7. Press ENTER.
    A prompt to continue with restarting the database appears.

    You are about to restart the database
  on the system
     'localhost'
Do you wish to continue (default: n) [y,n]

  8. To continue with restarting the database, type y.
    The Teradata Database restarts successfully.