Baffle Shield enforces Data Protection Policies, encrypting the data in the databases that have been configured in Baffle Manager, as described in Connect to a Data Store.
This page walks through installing and then configuring Baffle Shield on a virtual machine (VM) or an on-prem system. You have the additional option of adding multiple Baffle Shields to the same endpoint.
IMPORTANT: The user account used to log in to the Baffle Shield host machine must have a home directory on that system.
Step 1: Install Baffle Shield
In this step, you install Baffle Shield on a host machine.
To install Baffle Shield, do the following:
- Log in to your virtual machine (VM) or host system and configure a CentOS 7 instance to run the Baffle Shield.
- Verify that the security group for your Baffle Shield allows inbound connections from Baffle Manager (on port 22) and from your own IP address (on port 8444 by default).
- Ensure that the Baffle Shield instance can communicate to Baffle Manager on port 443 and 8553.
- Ensure that Java OpenJDK 1.8 is installed on the instance.
Step 2: Configure Baffle Shield
In this step, you connect Baffle Shield to Baffle Manager and configure Baffle Shield.
NOTE: A Baffle Shield can only be enrolled with one application.
To configure Baffle Shield, do the following:
- Connect the Baffle Shield to Baffle Manager. Once the instance is running, return to the Baffle Manager admin interface and click the shield icon on the left navigation panel.
A list of any existing Baffle Shields.
- Click +BAFFLE SHIELD button in the upper right corner.
- Enter a Baffle Shield Name and identifying Description in the appropriate text fields.
- Enter the Host Username to access the Baffle Shield instance. In our example, we entered centos for the Host Username.
- Enter the IP Address of the Baffle Shield you just launched. NOTE: If your Shield runs in the same subnet as your Baffle Manager instance, it is recommended that you use the Private IP address here.
- Specify a temporary directory for Shield installation. By default, the path is /tmp. This directory will store temporary files during the installation process, and is automatically cleaned up afterwards. NOTE: this directory must have execute permissions in order to install Baffle Shield.
- Enter a port number on which Baffle Shield can listen for application connections. The default port is 8444.
- Check the appropriate box based on your intended deployment configuration:
– Use SSL: Check this box if you require the use of SSL for the connection between the application and the data store. The data store must already be configured for SSL. After selecting, also choose whether to have Baffle Manager generate a self-signed certificate for Baffle Shield or upload your own certificate.
– Use SSH Key: Check this box if you would like Baffle Manager to use a SSH key instead of password credentials to authenticate to the Baffle Shield machine for deployment. Also choose to upload a new key or select a previously uploaded key to use. IMPORTANT! NOTE: The SSH key must be in the .pem format.
- Optional: Enter a username and password to access the Baffle Shield.
- Click Add Baffle Shield to complete the process. The new Shield is added to the list of configured Baffle Shields.
TIP: If the Baffle Manager is unable to connect to the shield, verify that your Shield’s security group permits inbound access from Baffle Manager.
Optional – Add multiple Baffle Shields to the Same Endpoint
Follow these instructions to add multiple Baffle Shields to the same endpoint.
You assign multiple Baffle Shields to a single endpoint through the Baffle Manager admin console. When multiple Baffle Shields are assigned to the same endpoint, each shield must be listening on a different port number. For example, if the first Baffle Shield uses port 8444 (the default), a second Baffle Shield on the same endpoint would need to use port 8445, and so on.
- Continue on to Define a Data Protection Policy and Encrypt Data.