Install IBM InfoSphere Guardium Data Encryption on the IBM PureApplication System

This article focuses on deploying the IBM® InfoSphere® Guardium® data encryption software to provide data encryption for Red Hat Linux® V6.2 IBM DB2® hosts. This software provides encryption for both regular files and DB2 files. InfoSphere Guardium also provides a DB2 agent for DB2 encrypted backup and restore operations.


Alex Irazabal (irazabal@us.ibm.com), Senior Managing Consultant, IBM

Alex Irazabal is a member of IBM Software Services for WebSphere (ISSW). He has worked extensively with IBM customers in realizing SOA architectures and integrating with IBM Enterprise Service Bus products. This work has been done through proof of concepts, pilots, consulting projects, and architecture design workshops. Currently his focus is on the cloud, specializing in Platform as a Service (PaaS). He helps customers deploy patterns on IBM PureApplication Systems and IBM SmartCloud.



16 January 2013

Also available in Chinese

IBM InfoSphere Guardium is a software data protection and encryption system. It provides policy-specified restricted access and encryption for files and file systems as well as IBM DB2 files. Figure 1 shows the InfoSphere Guardium architecture.

Figure 1. InfoSphere Guardium architecture

The InfoSphere Guardium security server, the Data Security Manager (DSM), is packaged either as an appliance or as an independent software offering (ISO). In either case, the base operating system of the currently supported DSM software version is not compatible with the IBM PureApplication™ system base operating system (Red Hat Linux 6.2).

Because of this restriction, the best option is to install the DSM server outside the PureApplication system. The File System (FS) agent is compatible with Red Hat Linux 6.2 (currently in beta) and can be installed as part of a virtual application pattern inside the PureApplication system. Figure 2 summarizes the recommendations.

Figure 2. InfoSphere Guardium agent deployment on the PureApplication system

The DSM server stores both the keys and the policies for the agent. The agent registers with the DSM and obtains its configuration from the DSM. A guard point (GP) is the directory at which a policy starts to apply. The agent intercepts every access attempt within the GP. The agent sits between the file system and the database management system (DBMS), as shown in Figure 3.

Figure 3. Encryption agent within the system architecture

Creating a virtual system pattern to deploy the file system agent

To demonstrate the automation of installing the agent, let's use a simple pattern with two virtual machines (VMs): one with a stand-alone web application server instance and the other one with DB2. The web application server VM is required to test the database. Let's use DayTrader to exercise the DBMS. The FS agent is on the DB2 VM, as shown in Figure 4.

Figure 4. Virtual system pattern for the FS agent

The Install Vormetric VMSSC script installs the Vormetric Security Server command-line interface (VMSSC), the client for the Vormetric Representational State Transfer (REST) application programming interface. This interface enables remote configuration of the DSM before the agent is installed.

To install the agent, the requirements in Table 1 must be met.

Table 1. Server/agent installation steps

Server (DSM) steps:
  1. Install the security server software (DSM)
  2. Configure the DSM network
  3. Log on to the DSM console by using the web interface
  4. Change the admin password
  5. Create admin accounts
  6. Create security keys
  7. Create encryption key groups (if multiple keys are required)
  8. Create policies

Agent steps:
  1. Install VMSSC
  2. Add a GP by using VMSSC
  3. Install the agent and register it in the DSM

To keep the installation and configuration of the DSM FS agent simple, assume that the server (DSM) is already installed, with keys and policies in place. If required, create keys and policies using VMSSC commands.


Creating the VMSSC installation script

This script performs a silent installation of the agent. This script must be created before adding a pattern, because the pattern uses the script.

The script follows the guidelines for adding a script into the PureApplication system:

  1. Expose the variables the script needs in the file cbscript.json.
  2. Have the actual shell script and any dependencies, like .zip files.
  3. Package the .json file, the shell scripts and the .zip files into a single archive named vormetric-install.zip. Figure 5 shows the contents of this .zip file.
    Figure 5. Contents of the vormetric-install.zip file

Notice that two additional files are included in the .zip file:

  • vee-fs-5.1.0-20-rh6-x86_64.bin (FS agent installation file)
  • vmssc_rh6_64_5.1.0-24.gz (the VMSSC command-line interface installation file)

To upload the vormetric-install.zip to the PureApplication system catalog:

  1. Click Catalog > Script Packages.
  2. Click the plus sign (+) to add a new script.
  3. Enter a name, and then click OK.
  4. Under Script Package File, click Browse.
  5. Select the .zip file that contains the installation script—in this case, vormetric-install.zip—and then click Upload.

The system parses the cbscript.json file and displays the variables as you defined them. Figure 6 shows the output.

Figure 6. Environment variables from cbscript.json

You can add more variables, if you want. Notice that /tmp/VMSSC is the working directory, and installAgent.sh is the executable file. This information comes from the cbscript.json file, as shown in Listing 1.

Listing 1. The cbscript.json header
"version": "1.0.0",
"description": "This script package installs and Configures a Vormetric File Agent in RH6.2",
"command": "/tmp/VMSSC/installAgent.sh",
"log": "${WAS_PROFILE_ROOT}/logs/",
"location": "/tmp/VMSSC",

The script named Install Vormetric VMSSC is created. The script is also listed in Appendix A for your reference.


Creating patterns

The first thing to do when creating a virtual pattern is to add the initial topology to the pattern by adding parts.

  1. Click the plus sign at the top of the virtual pattern page, then enter a name and description.
  2. Click Edit from the palette at the top-right of the window.
  3. In the Pattern Editor window, select a base server from the parts list, shown in Figure 7.
    Figure 7. Stand-alone server part
  4. Drag the base server to the canvas on the right, then select a DB2 server (Figure 8).
    Figure 8. Web application server and DB2 selected
  5. Add the scripts:
    1. To add the DB2 drivers on the web application server side, click Select Scripts from the list on the left side. Search for Install DB2, select Install DB2 Drivers, and drop it on the web application server (Figure 9).
      Figure 9. Web application server with DB2 drivers
    2. To add the Vormetric installation script to the DB2 VM, search for Vormetric or VMSSC to narrow the list of available scripts. When you find it, drag it to the DB2 server (Figure 10).
      Figure 10. Completed pattern
  6. When the pattern is complete, test it by selecting Deploy from the window at the top. Wait for the deployment to finish, and then review the deployment history under Instances > Virtual Systems (see Table 2).
Table 2. History for DB2 instance deployment
Message | Date
The virtual System has been deployed | Nov 20, 2012 10:30:11 PM
Executing script package Must Gather Logs on virtual machine pure-231-Standalone-DSM_DEPLOY11-2953 | Nov 20, 2012 10:29:53 PM
Executing script package Must Gather Logs on virtual machine pure-198-DB2_ESE-DSM_DEPLOY11-2952 | Nov 20, 2012 10:29:40 PM
Executing script package maestro on virtual machine pure-231-Standalone-DSM_DEPLOY11-2953 | Nov 20, 2012 10:29:14 PM
Executing script package maestro on virtual machine pure-198-DB2_ESE-DSM_DEPLOY11-2952 | Nov 20, 2012 10:28:48 PM
Executing script package Install DB2 Drivers on virtual machine pure-231-Standalone-DSM_DEPLOY11-2953 | Nov 20, 2012 10:28:14 PM
Executing script package Install Vormetric VMSSC on virtual machine pure-198-DB2_ESE-DSM_DEPLOY11-2952 | Nov 20, 2012 10:27:11 PM
Executing script packages | Nov 20, 2012 10:26:43 PM
Starting virtual machine pure-231-Standalone-DSM_DEPLOY11-2953 | Nov 20, 2012 10:21:12 PM
Starting virtual machine pure-198-DB2_ESE-DSM_DEPLOY11-2952 | Nov 20, 2012 10:16:13 PM
Starting virtual machines in virtual System DSM_DEPLOY11 | Nov 20, 2012 10:16:13 PM
Registering virtual System DSM_DEPLOY11 | Nov 20, 2012 10:10:22 PM
Transferring virtual images to hypervisors | Nov 20, 2012 10:10:17 PM
Generating model for topology and network | Nov 20, 2012 10:09:25 PM
Reserving cloud resources | Nov 20, 2012 10:09:20 PM
Deployment has been queued |
  7. If you notice any errors and troubleshooting is required, review the log files under the DB2 VM (Figure 11).
    Figure 11. Remote logs for the DB2 instance
  8. Log on to the DSM, and ensure that everything is working correctly (Figure 12).
    Figure 12. DSM console showing the GP enabled

When the Guard Point (GP) is in place, all the data written to the GP is encrypted. All data read from the GP is decrypted and passed back as the original unencrypted data.


Appendix A: Install Vormetric VMSSC script contents

The script in Listing 2 shows the contents of the Vormetric VMSSC script.

Listing 2. installAgent.sh
#!/bin/sh
# Abort on the first failing step instead of continuing with a half-configured agent.
set -e

# The agent registers with the DSM under its eth1 IPv4 address (Red Hat 6 ifconfig output format).
export AGENT_HOST=`ifconfig eth1 | grep "inet addr" | awk '{ print $2 }' | awk 'BEGIN { FS=":" } { print $2 }'`
echo AGENT_HOST=$AGENT_HOST
# DSM_HOST_IP, DSM_HOST_NAME, DSM_LOGIN_NAME, DSM_LOGIN_PASSWD and DSM_DOMAIN are the
# variables exposed through cbscript.json; the password is deliberately not echoed.
echo DSM_HOST_IP=$DSM_HOST_IP
echo DSM_HOST_NAME=$DSM_HOST_NAME

#unzip agent CLI
mkdir vmssc
cd vmssc
tar -xzf ../vmssc_rh6_64_5.1.0-24.gz
chmod +x vmssc
#login to the DSM (the password is passed as an argument, so it is visible in the
#process list while vmssc runs)
./vmssc -s $DSM_HOST_IP -u $DSM_LOGIN_NAME -p $DSM_LOGIN_PASSWD -d $DSM_DOMAIN server login

./vmssc server show -h vormetric.dsm > vormetric.log
#Add Agent to the list of Hosts on the DSM
./vmssc host add -G $AGENT_HOST
./vmssc server show -h vormetric.dsm >> vormetric.log
#add policy and keys (the key and policy already exist on the DSM, so the add
#commands stay commented out; the show commands record them in the log)
#./vmssc key add -a -h 239-key
./vmssc key show AgentKey-256 >>vormetric.log
#./vmssc policy add 
./vmssc policy show -f policy.xml default_wide_open_policy >>vormetric.log
#set gp: create the directory that becomes the guard point
mkdir ../encrypt
#Add Guard Point
./vmssc host addgp -p default_wide_open_policy -d /tmp/VMSSC/encrypt $AGENT_HOST
#Install the agent and register
cd ..
#create the silent install response file
export SERVER_HOSTNAME=$DSM_HOST_NAME
echo SERVER_HOSTNAME=$SERVER_HOSTNAME > agentSilentInstall.txt
export AGENT_HOST_NAME=$AGENT_HOST
echo AGENT_HOST_NAME=$AGENT_HOST >> agentSilentInstall.txt
#make sure the DSM is in the hosts file (add it only once, so re-running the
#script does not pile up duplicate entries)
grep -q "[[:space:]]$DSM_HOST_NAME\$" /etc/hosts || echo $DSM_HOST_IP $DSM_HOST_NAME >> /etc/hosts
#finally install and register the agent
chmod +x vee-fs-5.1.0-20-rh6-x86_64.bin
./vee-fs-5.1.0-20-rh6-x86_64.bin -s agentSilentInstall.txt
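installAgent.sh derives AGENT_HOST from ifconfig output and takes for granted that both installer files and all DSM variables are present when it runs. The helpers below are an added example, not part of the article's script or of the Vormetric tooling: they check those assumptions before the installation starts, and the function names, the sample ifconfig text and the addresses in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the article's installAgent.sh: pre-flight checks for
# the steps that script takes for granted. Function names and sample data are
# constructed for illustration.

# Print the first IPv4 address in ifconfig output read from stdin.
# Accepts the Red Hat 6 form ("inet addr:10.0.0.5  Bcast:...") that the
# article's grep/awk pipeline expects and the newer form ("inet 10.0.0.5 ...").
# Prints nothing and returns 1 when the interface has no IPv4 address, which the
# original pipeline would silently turn into an empty AGENT_HOST.
agent_ipv4() {
    addr=$(awk '$1 == "inet" {
                  a = $2; sub(/^addr:/, "", a)
                  if (a ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print a; exit }
                }')
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# Check that the script package directory holds both installers and that every
# DSM variable exposed through cbscript.json is set. Each problem is reported
# on stderr; the return value is the number of problems, so 0 means go ahead.
check_agent_prereqs() {
    dir=$1; problems=0
    for f in vee-fs-5.1.0-20-rh6-x86_64.bin vmssc_rh6_64_5.1.0-24.gz; do
        [ -f "$dir/$f" ] || { echo "missing installer: $dir/$f" >&2; problems=$((problems + 1)); }
    done
    for v in DSM_HOST_IP DSM_HOST_NAME DSM_LOGIN_NAME DSM_LOGIN_PASSWD DSM_DOMAIN; do
        eval "val=\${$v}"
        [ -n "$val" ] || { echo "variable not set: $v" >&2; problems=$((problems + 1)); }
    done
    return $problems
}

# Constructed Red Hat 6 ifconfig output, so agent_ipv4 can be tried without the VM.
SAMPLE_IFCONFIG='eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::211:22ff:fe33:4455/64 Scope:Link'
printf '%s\n' "$SAMPLE_IFCONFIG" | agent_ipv4
```

Running `check_agent_prereqs /tmp/VMSSC` at the top of the script, and aborting when it returns non-zero, turns a silent mid-run failure into a clear message in the deployment log.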

Resources

Learn

  • Learn how InfoSphere Guardium Data Encryption can help your organization ensure that private and confidential data is strongly protected.
  • Find resources for PureApplication System on developerWorks. PureApplication System integrates servers, storage, networking, virtualization and management with application, middleware and database software.
  • In the developerWorks cloud developer resources, discover and share knowledge and experience of application and services developers building their projects for cloud deployment.
  • Follow developerWorks on Twitter.
  • Watch developerWorks on-demand demos ranging from product installation and setup demos for beginners to advanced functionality for experienced developers.

Get products and technologies

  • Evaluate IBM products in the way that suits you best: Download a product trial, try a product online, use a product in a cloud environment, or spend a few hours in the SOA Sandbox learning how to implement service-oriented architecture efficiently.
