Configure Baffle Shield – VM or On-Prem

Baffle Shield enforces Data Protection Policies, encrypting the data in the databases that have been configured in Baffle Manager, as described in Connect to a Data Store.

This page walks through installing and then configuring Baffle Shield on a virtual machine (VM) or an on-prem system. You have the additional option of adding multiple Baffle Shields to the same endpoint.

IMPORTANT: The user account used to log in to the Baffle Shield host machine must have a home directory on that system.

Step 1: Install Baffle Shield

In this step, you install Baffle Shield on a host machine. 

To install Baffle Shield, do the following:

  1. Log in to your virtual machine (VM) or host system and configure a CentOS 7 instance to run the Baffle Shield.
  2. Verify that the security group for your Baffle Shield allows inbound connections from Baffle Manager (on port 22) and from your own IP address (on port 8444 by default).
  3. Ensure that the Baffle Shield instance can communicate with Baffle Manager on ports 443 and 8553.
  4. Ensure that Java OpenJDK 1.8 is installed on the instance.
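
The prerequisites above, together with the home-directory requirement, can be checked from the Shield host before it is added in Baffle Manager. This script is an added example, not Baffle tooling: MANAGER_HOST, SHIELD_USER, SHIELD_PORT and every function name are hypothetical, and it assumes a local account listed in /etc/passwd and a host with bash and timeout available.

```shell
#!/bin/sh
# Added example: preflight checks for a Baffle Shield host (not Baffle tooling).
# MANAGER_HOST, SHIELD_USER, SHIELD_PORT and all function names are hypothetical.

# True if `java -version` output (passed as $1) reports a 1.8.x runtime.
java_is_1_8() {
  printf '%s\n' "$1" | grep -Eq 'version "1\.8\.[^"]*"'
}
java_ok() { java_is_1_8 "$(java -version 2>&1)"; }

# Print the home directory recorded for user $1 in passwd file $2.
home_of() {
  awk -F: -v u="$1" '$1 == u { print $6 }' "${2:-/etc/passwd}"
}

# True if user $1 has a home directory entry that exists on disk.
has_home_dir() {
  h=$(home_of "$1" "${2:-/etc/passwd}")
  [ -n "$h" ] && [ -d "$h" ]
}

# True if a TCP connection to host $1, port $2 succeeds within 3 seconds.
can_reach() {
  timeout 3 bash -c ': </dev/tcp/"$0"/"$1"' "$1" "$2" 2>/dev/null
}
port_unused() { ! can_reach 127.0.0.1 "$1"; }

# Run command "$2..." and print PASS/FAIL with description $1.
check() {
  desc=$1; shift
  if "$@"; then echo "PASS $desc"; else echo "FAIL $desc"; fails=$((fails + 1)); fi
}

# Run every check from Step 1; the return value is the number of failures.
preflight() {
  fails=0
  check "home directory exists for $SHIELD_USER" has_home_dir "$SHIELD_USER"
  check "Java 1.8 runtime on PATH" java_ok
  check "outbound to Baffle Manager on 443" can_reach "$MANAGER_HOST" 443
  check "outbound to Baffle Manager on 8553" can_reach "$MANAGER_HOST" 8553
  check "sshd answering on port 22" can_reach 127.0.0.1 22
  check "port $SHIELD_PORT not already in use" port_unused "$SHIELD_PORT"
  return "$fails"
}

# Runs only when a Manager address is supplied in the environment.
if [ -n "${MANAGER_HOST:-}" ]; then
  SHIELD_USER=${SHIELD_USER:-$(id -un)}
  SHIELD_PORT=${SHIELD_PORT:-8444}
  preflight
fi
```

These checks run on the Shield host itself, so they cannot confirm that the security group admits Baffle Manager on port 22 or your own IP address on port 8444; confirm those rules in the security group.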

Step 2: Configure Baffle Shield

In this step, you connect Baffle Shield to Baffle Manager and configure Baffle Shield.

To configure Baffle Shield, do the following:

  1. Connect the Baffle Shield to Baffle Manager. Once the instance is running, return to the Baffle Manager admin interface and click the shield icon on the left navigation panel.
    A list of any existing Baffle Shields appears.
  2. Click the +BAFFLE SHIELD button in the upper right corner.
  3. Enter a Baffle Shield Name and identifying Description in the appropriate text fields.
  4. Select Automated Deployment for Deployment Model and enter the Host Username to access the Baffle Shield instance. In our example, we entered centos for the Host Username.
    NOTE: The user name you enter here must have a home directory on the Baffle Shield host system you are logging into.


  5. Enter the IP Address of the Baffle Shield you just launched. NOTE: If your Shield runs in the same subnet as your Baffle Manager instance, it is recommended that you use the Private IP address here.
  6. Enter a port number for Baffle Shield to listen for application connections. The default port is 8444.
  7. Select one of the following:
    Use SSL, if the data store connection uses SSL, and generate a self-signed certificate or upload a third-party certificate.
    Use SSH Key and upload the key you selected when setting up the Shield instance. IMPORTANT: An SSH PEM key must be used to connect to Baffle Shield.
  8. Optional: Enter a username and password to access the Baffle Shield.
  9. Click Add Baffle Shield to complete the process. The new Shield is added to the list of configured Baffle Shields.

    TIP: If the Baffle Manager is unable to connect to the shield, verify that your Shield’s security group permits inbound access from Baffle Manager.

Optional – Add multiple Baffle Shields to the Same Endpoint

Follow these instructions to add multiple Baffle Shields to the same endpoint.

You assign multiple Baffle Shields to a single endpoint through the Baffle Manager admin console. When multiple Baffle Shields are assigned to the same endpoint, each shield must be listening on a different port number. For example, if the first Baffle Shield uses port 8444 (the default), a second Baffle Shield on the same endpoint would need to use port 8445, and so on.
