Using Encrypted File Systems with Caché 5.0




Version 5.0.17
30 June 2005
InterSystems Corporation, 1 Memorial Drive, Cambridge MA 02142
www.intersystems.com

Copyright 2005 InterSystems Corporation. All rights reserved.

This book was assembled and formatted in Adobe Page Description Format (PDF) using tools and information from the following sources: Sun Microsystems, RenderX, Inc., Adobe Systems, and the World Wide Web Consortium at www.w3c.org. The primary document development tools were special-purpose XML-processing applications built by InterSystems using Caché and Java.

The Caché product and its logos are trademarks of InterSystems Corporation. The Ensemble product and its logos are trademarks of InterSystems Corporation. The InterSystems name and logo are trademarks of InterSystems Corporation.

This document contains trade secret and confidential information which is the property of InterSystems Corporation, One Memorial Drive, Cambridge, MA 02142, or its affiliates, and is furnished for the sole purpose of the operation and maintenance of the products of InterSystems Corporation. No part of this publication is to be used for any other purpose, and this publication is not to be reproduced, copied, disclosed, transmitted, stored in a retrieval system or translated into any human or computer language, in any form, by any means, in whole or in part, without the express prior written consent of InterSystems Corporation.

The copying, use and disposition of this document and the software programs described herein is prohibited except to the limited extent set forth in the standard software license agreement(s) of InterSystems Corporation covering such programs and related documentation. InterSystems Corporation makes no representations and warranties concerning such software programs other than those set forth in such standard software license agreement(s). In addition, the liability of InterSystems Corporation for any losses or damages relating to or arising out of the use of such software programs is limited in the manner set forth in such standard software license agreement(s).

THE FOREGOING IS A GENERAL SUMMARY OF THE RESTRICTIONS AND LIMITATIONS IMPOSED BY INTERSYSTEMS CORPORATION ON THE USE OF, AND LIABILITY ARISING FROM, ITS COMPUTER SOFTWARE. FOR COMPLETE INFORMATION REFERENCE SHOULD BE MADE TO THE STANDARD SOFTWARE LICENSE AGREEMENT(S) OF INTERSYSTEMS CORPORATION, COPIES OF WHICH WILL BE MADE AVAILABLE UPON REQUEST.

InterSystems Corporation disclaims responsibility for errors which may appear in this document, and it reserves the right, in its sole discretion and without notice, to make substitutions and modifications in the products and practices described in this document.

Caché, InterSystems Caché, Caché SQL, Caché ObjectScript, Caché Object, Ensemble, InterSystems Ensemble, Ensemble Object, and Ensemble Production are trademarks of InterSystems Corporation. All other brand or product names used herein are trademarks or registered trademarks of their respective companies or organizations.

For Support questions about any InterSystems products, contact:
InterSystems Worldwide Customer Support
Tel: +1 617 621-0700
Fax: +1 617 374-9391
Email: support@intersystems.com

Table of Contents

Using Encrypted File Systems with Caché 5.0
1 Encrypting Caché Files on Microsoft Windows
    1.1 Requirements and Recommendations
    1.2 Encryption Procedures
    1.3 Additional Resources
2 Encrypting Caché Files on Red Hat Linux
    2.1 Requirements and Recommendations
    2.2 Encryption Procedure
    2.3 Additional Resources

Using Encrypted File Systems with Caché 5.0

InterSystems has tested the encryption of Caché database files in Caché 5.0. The following topics describe the requirements, recommendations, and procedures developed on each of the tested operating systems:

- Encrypting Caché Files on Microsoft Windows
- Encrypting Caché Files on Red Hat Linux

1 Encrypting Caché Files on Microsoft Windows

This topic describes the basic steps for encrypting Caché files on Microsoft Windows platforms. It contains the following sections:

- Requirements and Recommendations
- Encryption Procedure
- Additional Resources

1.1 Requirements and Recommendations

Requirements:

- Run Caché on a supported version of Microsoft Windows 2000, XP, or Server 2003.
- Use the NTFS file system.
- Set up the encryption after you install Caché.
- Encrypt the files using the same account that runs Caché.
- Do not encrypt the CacheSys\Bin directory and the CacheSys\Mgr directory. (CacheSys is the default Caché installation directory; your actual installation directory name may be different.)

Important: The encryption of these directories can lead to a race condition on Windows 2000 Pro involving the Caché Controller Service and Windows Encrypted File System (EFS) services that can cause an intermittent Caché startup delay of up to 30 minutes, during which time many other applications may also be subject to the same delay.

Recommendations:

- Encrypt directories containing your database files instead of individually encrypting the database files themselves. All files that are created in or moved to encrypted directories automatically obtain the encrypted attribute.
- The account that encrypts the files and runs Caché should be a part of the Administrators group. See your operating system documentation for details on the relationships of users and permissions.

1.2 Encryption Procedures

To encrypt the appropriate Caché database (cache.dat) files on Microsoft Windows, perform the following steps:

1. Install Caché 5.0. See the Caché Installation Guide for Windows for specific instructions.
2. Define your databases, isolating them from files in the Bin and Mgr directories of your Caché installation. See Configuring Databases in the Configuring Caché chapter of the Caché System Administration Guide for more information.
3. Shut down Caché.
4. Exit the Caché Cube and shut down the IIS Web server and any other processes that might cause sharing violations.
5. Update the Caché Controller Service.
6. Encrypt Caché database files.
7. Start the Web server.
8. Start Caché.

If you do not set up the file encryption properly, an error occurs immediately when starting Caché; the ccontrol start command fails. View the console.log for error information.

1.2.1 Update the Caché Controller Service

Edit the Caché Controller Service for proper Caché startup.

1. From the Windows Control Panel click Services from the Administrative Tools submenu.
2. For each instance of Caché on the machine, there is a service named Caché Controller for <configname> (Caché Controller for CACHE, for example). Right-click this name and click Properties from the shortcut menu.
3. Click the Log On tab, change the Log on as property to be the same as the account that installed Caché. Click OK.

1.2.2 Encrypt Caché Database Files

From Windows Explorer, perform the following on each folder you choose to encrypt:

1. Right-click the appropriate folder and click Properties from the shortcut menu.
2. From the General tab, click Advanced to display the Advanced Attributes dialog box.

3. Select the Encrypt contents to secure data check box and click OK. Encryption and compression are mutually exclusive.
4. Repeat this process for each folder that contains files you would like to encrypt.

File encryption is transparent to Caché. To undo the encryption, follow this same process and clear the encryption check box.

1.3 Additional Resources

For additional information about the Windows Encrypting File System (EFS) and related topics, see the following Microsoft documents, which you can find on the Microsoft Web site, www.microsoft.com:

- For a general understanding of encryption on Windows: File Encryption Overview (found also in the Windows Help facility)
- For a list of Microsoft recommendations: Best practices for the Encrypting File System
- For specifics on the Windows 2000 platform: Step-by-Step Guide to Encrypting File System (EFS)
- For specifics on the Windows XP and Server 2003 platforms: Encrypting File System in Windows XP and Windows Server 2003

2 Encrypting Caché Files on Red Hat Linux

This topic describes the basic steps for encrypting Caché files on the Red Hat Linux platform using loopback devices. It contains the following sections:

- Requirements and Recommendations
- Encryption Procedure
- Additional Resources

2.1 Requirements and Recommendations

Requirements:

- Define your file system on a separate physical disk partition to hold your database files.
- Complete the loopback setup before you put the files on the loopback device.

Recommendations:

- You may put all, some, or none of the Caché files in the encrypted file system.
- If you encrypt the journal and WIJ files, put them on separate physical disks with virtual loopback devices.
- It is safe to keep the key file on removable media and also acceptably safe to keep it on a hard drive.
- If you do keep the key file on removable media, test the use of the key from the removable media, and keep it separate.
- If you lose the key file, you lose everything on the file system.

2.2 Encryption Procedure

The Loop-AES facility is a special device that provides a fast and transparent file system and swap encryption package for Linux. The following sections describe the procedures InterSystems recommends for setting up this type of encryption:

- Modify User-space Tools
- Set Up Key Files

2.2.1 Modify User-space Tools

The Loop-AES facility requires modified user-space tools for the mount and losetup commands, as well as the latest Linux patch file.

1. Obtain the loop-aes-latest package from http://loop-aes.sourceforge.net/.
   Note: This example uses loop-aes-latest.tar.gz.
2. Extract the util-linux-*.diff patch file; note the version number.
   Note: This example uses util-linux version 2.12a.
3. Obtain the util-linux package that matches the patch file version above from ftp://ftp.kernel.org/pub/linux/utils/util-linux/.
   Note: This example uses util-linux-2.12a.tar.gz.
4. Extract the util-linux package.
5. Apply the util-linux-*.diff patch.
6. Read the INSTALL file for build and install notes.
7. Configure and make, but do not install, the package.
8. Copy the new losetup and mount programs to a directory. This example uses /usr/local/bin.

   CAUTION: Do not overwrite /bin/mount or /sbin/losetup, or you may render the system unbootable.

   The following is an example set of commands to perform steps 4-8:

    tar zxvf util-linux-2.12a.tar.gz
    cd util-linux-2.12a
    patch -p1 <../loop-aes-v2.1c/util-linux-2.12a.diff
    more INSTALL
    ./configure
    make
    cd mount
    cp -a losetup /usr/local/bin
    cp -a mount /usr/local/bin

9. Test the updated tools. For example:

    /usr/local/bin/losetup -e aes /dev/loop0 /dev/sdb1
    (enter password)
    mke2fs -j /dev/loop0
    mount /dev/loop0 /mnt
    umount /mnt
    losetup -d /dev/loop0

To undo the encryption, move the files out of the partition. The encryption is transparent to Caché. Once the file system is mounted, it is readable for anyone who has permissions.

2.2.2 Set Up Key Files

This section outlines a procedure for setting up key files and uses the following sample file names:

- a disk partition, /dev/sdb2
- using a loopback device, /dev/loop0
- with encryption keys stored in /keyfile.gpg
- mounted on /encrypted

As root:

1. Create 64 random encryption keys and encrypt them to keyfile using the GNU Privacy Guard (gpg) encryption and digital signature tool:

    head -c 2880 /dev/random | uuencode -m - | head -n 65 | tail -n 64 \
        | gpg -c -a > /keyfile.gpg

   Enter a passphrase at the prompt.

2. Add the following (single) line to /etc/fstab:

    /dev/sdb2 /encrypted ext3 defaults,noauto,loop=/dev/loop0,encryption=aes128,gpgkey=/keyfile.gpg 0 0

   Important: Due to formatting limitations in some documentation output media, the previous commands may display on two lines; in practice, enter them as a single line.

3. Construct a file system on the loopback device:

    losetup -F /dev/loop0
    mkfs -t ext3 /dev/loop0
    losetup -d /dev/loop0

   At the prompt, enter the passphrase from step 1.

4. Create a mount point:

    mkdir /encrypted

5. Mount the file system:

    mount /encrypted

   At the prompt, enter the passphrase from step 1.

The file system encryption key contains the user key. You are prompted for the user key at mount time for encrypted files.

2.3 Additional Resources

For additional information about encrypting files and related topics, see the following documents:

- For a description of loop devices and general information about using them: http://loop-aes.sourceforge.net/loop-aes.readme.
- For the most recent Linux patch file: ftp://ftp.kernel.org/pub/linux/utils/util-linux/
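
Added example (not part of the InterSystems document or of loop-AES): a shell check for the two artifacts produced in section 2.2.2, the /etc/fstab entry from step 2 (including the case where the entry was entered on two lines) and the plain key material from step 1. The function names are hypothetical, and the 60-character line length assumes that uuencode -m encodes 45 bytes per output line.

```shell
#!/bin/sh
# Added example; check_loopaes_fstab and check_key_lines are hypothetical names.

# check_loopaes_fstab FSTAB_FILE MOUNT_POINT
# Prints one line per problem. Returns 0 if the entry is complete,
# 1 if it is malformed, 2 if there is no entry for MOUNT_POINT.
check_loopaes_fstab() {
    awk -v mnt="$2" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        $2 == mnt {
            found = 1
            # An entry entered as two lines no longer has six fields.
            if (NF != 6) { print "entry has " NF " fields, expected 6"; bad = 1 }
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] == "noauto")                have["noauto"] = 1
                if (opt[i] ~ "^loop=/dev/loop[0-9]+$") have["loop"] = 1
                if (opt[i] ~ "^encryption=.")          have["encryption"] = 1
                if (opt[i] ~ "^gpgkey=/")              have["gpgkey"] = 1
            }
            m = split("noauto loop encryption gpgkey", need, " ")
            for (i = 1; i <= m; i++)
                if (!(need[i] in have)) { print "missing option: " need[i]; bad = 1 }
        }
        END {
            if (!found) { print "no entry for " mnt; exit 2 }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# check_key_lines: reads plain key material on stdin, for example
#   gpg -d /keyfile.gpg | check_key_lines
# In step 1, head -n 65 keeps the uuencode header plus 64 data lines and
# tail -n 64 drops the header; 2880 bytes / 45 bytes per line = 64 lines
# of 60 base64 characters each (assumption stated in the lead-in).
check_key_lines() {
    awk 'length($0) != 60 || $0 !~ "^[A-Za-z0-9+/]+$" { bad = 1 }
         END { exit ((NR == 64 && !bad) ? 0 : 1) }'
}

# Constructed sample: the entry from step 2, written to a scratch file.
demo=$(mktemp)
printf '%s\n' '/dev/sdb2 /encrypted ext3 defaults,noauto,loop=/dev/loop0,encryption=aes128,gpgkey=/keyfile.gpg 0 0' > "$demo"
check_loopaes_fstab "$demo" /encrypted && echo "fstab entry for /encrypted looks complete"
rm -f "$demo"
```

Run check_loopaes_fstab against /etc/fstab before the first mount; a non-zero status with "missing option" lines usually means the entry was split across two lines.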