Additional Topics on

Memory Usage of the AP Java

Mon, 01 Jan 0001 00:00:00 +0000

The memory used for the different policy sizes using a sample HelloWorld java application is described in this section. This is a sample memory usage. You can use this as a reference for memory usage in the AP Java for different policy sizes.

Sample application

Before running the following program, update the HelloWorld.java file with the policy username and data element name.

Compile and Run the Sample Application

Compile the sample application using the following command.

DevOps Approach for Application Protector Java

Mon, 01 Jan 0001 00:00:00 +0000

The DevOps approach enables immutable package deployment. It uses a REST API call to download packages from the ESA in an encrypted format.

Note: The RP Agent should not be installed for immutable package deployments using DevOps.

For more information about package deployment approaches, refer to Resilient Package Deployment.

A REST API call is used to download the package on your local machine. Configure the package path in the config.ini file within the DevOps section and the decryptor class.

Application Protector API Return Codes

Mon, 01 Jan 0001 00:00:00 +0000

When an application is developed using the APIs of the Protegrity Application Protector Suite, you may encounter the Application Protector API Return Codes. For more information about log return codes, refer to Log return codes.

Sample Log for AP Return Codes

The following is a sample log generated in Discover on the Audit Store Dashboards in the ESA.

Protection audit logs are stored in the Audit Store. Select the pty_insight_*audit* index to view the protection logs.

Config.ini file for Application Protector

Mon, 01 Jan 0001 00:00:00 +0000

The Application Protector can be configured using the config.ini file. By default, this file is located in the <installation directory>/sdk/<protector>/data/ directory.

The various configurations required for setting up the Application Protector are described in this section.

Sample config.ini file

The following represents a sample config.ini file.

# -----------------------------
# Protector configuration
# ----------------------------- 
[protector]

# Cadence determines how often the protector connects with shared memory to fetch the policy updates in background.
# Default is 60 seconds. So by default, every 60 seconds protector tries to fetch the policy updates.
#
# Default 60.
cadence = 60

# The time during which an session object is valid. Default = 15 minutes.
session.sessiontimeout = 15

###############################################################################
# Log Provider Config
###############################################################################
[log]

# In case that connection to fluent-bit is lost, set how audits/logs are handled
# 
# drop : (default) Protector throws logs away if connection to the fluentbit is lost
# error : Protector returns error without protecting/unprotecting 
# data if connection to the fluentbit is lost
mode = drop

# Host/IP to fluent-bit where audits/logs will be forwarded from the protector
#
# Default localhost
host = localhost

Different configurations for Application Protector

The following are the various configurations:

Multi-node Application Protector Architecture

Mon, 01 Jan 0001 00:00:00 +0000

The multi-node Application Protector (AP) architecture, its individual components, and how logs are collected using the Log Forwarder are described in this section.

The following figure describes the multi-node AP architecture.

For example, some AP nodes are connected to an ESA, which includes the Audit Store component. Each AP node contains a Log Forwarder, RP Agent, and AP instance for sending logs to the ESA.

Protector: The AP can be configured using the config.ini file.
For more information about the configurations, refer to Config.ini file for Application Protector.

Installation Directory Structure Overview

Mon, 01 Jan 0001 00:00:00 +0000

The installation directory is organized into clearly defined subdirectories. This directory structure applies specifically to the /opt/protegrity/upgrade directory. Each directory has a specific role during installation, upgrade, rollback, and runtime operations.

`bin/` Directory

The bin directory contains the executable component required to perform upgrade and rollback operations. This directory includes:

The sdkupgrd binary, which is the primary executable used for upgrade and rollback workflows.
The 10.0.gpg file must be manually added to this directory from ESA and is required for verification purposes.

SDK Upgrader Agent Configuration File

Mon, 01 Jan 0001 00:00:00 +0000

Note: All configuration file parameters must be reviewed and updated as needed prior to upgrade or rollback, except for new-logforwarder-path.

# ==============================================================================
# SDK Upgrader Agent Configuration File
# ==============================================================================
# This file contains all configuration parameters for the SDK Upgrader Agent.
# The agent reads values from this file instead of command-line arguments.
#
# Format: key = value
# Lines starting with '#' are comments and ignored.
# Empty lines are ignored.
# Leading/trailing whitespace around keys and values is trimmed.
# ==============================================================================

# ------------------------------------------------------------------------------
# Build Location (REQUIRED)
# URL or local path to the build file
# Examples:
# location-of-build = https://example.com/build/sdk-10.1.0.tgz
# location-of-build = /tmp/sdk-10.1.0.tgz
# ------------------------------------------------------------------------------
location-of-build =

# ------------------------------------------------------------------------------
# Upgrade Mode
# Set to "yes" to enable offline upgrade mode (default: no)
# ------------------------------------------------------------------------------
offline = no

# ------------------------------------------------------------------------------
# RPAgent Configuration
# Path to RPAgent installation directory
# Default: /opt/protegrity/rpagent
# ------------------------------------------------------------------------------
rpagent-path = /opt/protegrity/rpagent

# ------------------------------------------------------------------------------
# LogForwarder Configuration
# Path to LogForwarder installation directory
# Default: /opt/protegrity/logforwarder
# ------------------------------------------------------------------------------
logforwarder-path = /opt/protegrity/logforwarder

# ------------------------------------------------------------------------------
# LogForwarder Endpoints
# Comma-separated list of LogForwarder endpoints (host[:port])
# Default port is 9200 if not specified
# Example: endpoints = eshost1:9200,eshost2:9200
# ------------------------------------------------------------------------------
endpoints =

# ------------------------------------------------------------------------------
# ESA (Enterprise Security Administrator) Configuration
# Note: ESA username and password are NOT stored in this file for security.
# They will be prompted interactively (password hidden) or can be passed
# via --esa-user and --esa-password command-line arguments.
# ------------------------------------------------------------------------------
esa-host =
esa-port = 25400

# ------------------------------------------------------------------------------
# DevOps Mode
# When enabled, skips RPAgent installation
# Values: yes | no (default: no)
# ------------------------------------------------------------------------------
devops = no

# ------------------------------------------------------------------------------
# LogForwarder Upgrade
# Enable or disable LogForwarder upgrade
# Values: yes | no (default: yes)
# ------------------------------------------------------------------------------
isFluentBit = yes

# ------------------------------------------------------------------------------
# Insecure Mode
# RPAgent with insecure mode
# Values: yes | no (default: no)
# ------------------------------------------------------------------------------
insecure = no

# ------------------------------------------------------------------------------
# Protector Paths
# Comma-separated list of protector installation paths
# Example: protector-paths = /opt/protegrity/sdk/java,/opt/protegrity/sdk/python
# Default: /opt/protegrity/sdk/java
# ------------------------------------------------------------------------------
protector-paths = /opt/protegrity/sdk/java

# ------------------------------------------------------------------------------
# New LogForwarder Path (Error Mode)
# Path to install new logforwarder for error mode parallel upgrade.
# The {version} placeholder will be replaced with the actual build version at runtime.
# Default is derived from logforwarder-path by stripping the trailing directory
# name and appending logforwarder_{version}. For example:
# logforwarder-path = /opt/protegrity/logforwarder
# → new-logforwarder-path = /opt/protegrity/logforwarder_{version}
# logforwarder-path = /root/abcc/logforwarder
# → new-logforwarder-path = /root/abcc/logforwarder_{version}
# ------------------------------------------------------------------------------
new-logforwarder-path =

# ------------------------------------------------------------------------------
# Logging Options
# ------------------------------------------------------------------------------
# Print logs to console (yes | no, default: no)
stdout = no

# Enable debug logging (yes | no, default: no)
debug = no

Troubleshooting for AP Java Upgrade

Mon, 01 Jan 0001 00:00:00 +0000

This section describes common issues that may occur during AP Java upgrades and how to resolve them.

Issue	Symptom	Resolution
Offline upgrade fails due to a running process error	The offline upgrade fails with an error indicating that a process is still running, even though no AP Java process is active.	1. Navigate to the `<INSTALL_DIR>/upgrader/active_processes` directory. 2. Check for any stale PID files. 3. Remove the stale PID files. 4. Retry the offline upgrade.
Upgrade fails during build extraction when using a local build file	The upgrade fails during the build extraction phase when a local build file path `.tgz` is provided to the Agent. This happens if an extracted build directory or an inner `.tgz` file is passed instead of the original build archive.	Ensure that: - You pass only the unextracted build file (`.tgz`) to the Agent. - The path does not point to any inner or manually extracted `.tgz` file. Retry the upgrade after correcting the build file path.
Upgrade or auto-rollback fails	The upgrade or the automatic rollback operation does not complete successfully.	- Perform an offline rollback to recover the system state. - After the offline rollback completes, verify system stability before retrying the upgrade.
“Upgrade is still in progress” error when starting AP Java	AP Java fails to start and reports that an upgrade is still in progress.	1. Open the `<INSTALL_DIR>/upgrader/data/metadata.ini` file. 2. Verify that the `IsUpgradeInProgress` parameter value is set to `false`. 3. If the value is set to `true`, update it to `false`. 4. Save the file. 5. Restart the AP Java application.

Uninstalling the Application Protector

Mon, 01 Jan 0001 00:00:00 +0000

Uninstalling Application Protector (AP) Java from Linux

This section outlines the steps to uninstall the various components of AP Java from a Linux platform.

Uninstalling the Log Forwarder from Linux

Note: To preserve all the configurations while upgrading the Log Forwarder, ensure all the files present under the /opt/protegrity/logforwarder/data/config.d directory are backed up.

To uninstall the Log Forwarder from a Linux platform:

Navigate to the /opt/protegrity/logforwarder/bin directory.
Stop the Log Forwarder using the following command.

Additional Topics on

Memory Usage of the AP Java

Sample application

Compile and Run the Sample Application

DevOps Approach for Application Protector Java

Application Protector API Return Codes

Sample Log for AP Return Codes

Config.ini file for Application Protector

Sample config.ini file

Different configurations for Application Protector

Multi-node Application Protector Architecture

Installation Directory Structure Overview

bin/ Directory

SDK Upgrader Agent Configuration File

Troubleshooting for AP Java Upgrade

Uninstalling the Application Protector

Uninstalling Application Protector (AP) Java from Linux

Uninstalling the Log Forwarder from Linux

`bin/` Directory