Baffle Shield enforces Data Protection Policies, encrypting the data in the databases that have been configured in Baffle Manager, as described in Connect to a Data Store.
This page walks through installing and then configuring Baffle Shield on a virtual machine (VM) or an on-prem system. You have the additional option of adding multiple Baffle Shields to the same endpoint.
IMPORTANT: The user account used to log in to the Baffle Shield host machine must have a home directory on that system.
Step 1: Install Baffle Shield
In this step, you install Baffle Shield on a host machine.
To install Baffle Shield, do the following:
- Log in to your virtual machine (VM) or host system and configure a CentOS 7 instance to run the Baffle Shield.
- Verify that the security group for your Baffle Shield allows inbound connections from Baffle Manager (on port 22) and from your own IP address (on port 8444 by default).
- Ensure that the Baffle Shield instance can communicate with Baffle Manager on ports 443 and 8553.
- Ensure that Java OpenJDK 1.8 is installed on the instance.
Step 2: Configure Baffle Shield
In this step, you connect Baffle Shield to Baffle Manager and configure Baffle Shield.
To configure Baffle Shield, do the following:
- Connect the Baffle Shield to Baffle Manager. Once the instance is running, return to the Baffle Manager admin interface and click the shield icon on the left navigation panel.
A list of any existing Baffle Shields appears.
- Click the +BAFFLE SHIELD button in the upper right corner.
- Enter a Baffle Shield Name and identifying Description in the appropriate text fields.
- Select Automated Deployment for Deployment Model and enter the Host Username to access the Baffle Shield instance. In our example, we entered centos for the Host Username.
NOTE: The user name you enter here must have a home directory on the Baffle Shield host system you are logging into.
- Enter the IP Address of the Baffle Shield you just launched. NOTE: If your Shield runs in the same subnet as your Baffle Manager instance, it is recommended that you use the Private IP address here.
- Enter a port number for Baffle Shield to listen for application connections. The default port is 8444.
- Select one of the following:
– Use SSL if the data store connection uses SSL, and either generate a self-signed certificate or upload a third-party certificate.
– Use SSH Key and upload the key you selected when setting up the Shield instance. IMPORTANT: An SSH PEM key must be used to connect to Baffle Shield.
- Optional: Enter a username and password to access the Baffle Shield.
- Click Add Baffle Shield to complete the process. The new Shield is added to the list of configured Baffle Shields.
TIP: If the Baffle Manager is unable to connect to the shield, verify that your Shield’s security group permits inbound access from Baffle Manager.
Optional – Add Multiple Baffle Shields to the Same Endpoint
Follow these instructions to add multiple Baffle Shields to the same endpoint.
You assign multiple Baffle Shields to a single endpoint through the Baffle Manager admin console. When multiple Baffle Shields are assigned to the same endpoint, each shield must be listening on a different port number. For example, if the first Baffle Shield uses port 8444 (the default), a second Baffle Shield on the same endpoint would need to use port 8445, and so on.
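The host prerequisites from Step 1 (Java OpenJDK 1.8, a home directory for the login user, the inbound and outbound ports) and the rule above that shields sharing an endpoint must listen on distinct ports are the two things most often wrong when Baffle Manager cannot reach a new shield. The following preflight script is an added example, not a Baffle tool; it assumes the placeholder names `MANAGER_HOST` and `SHIELD_USER` are supplied as arguments, uses `nc` (or bash's `/dev/tcp` as a fallback) for the connectivity probes, and reads listening ports from `ss`.

```shell
#!/bin/sh
# Preflight checks for a Baffle Shield host (added example, not Baffle's own tooling).
# Usage: sh preflight.sh MANAGER_HOST SHIELD_USER [SHIELD_PORT ...]
#   MANAGER_HOST  placeholder for the Baffle Manager address (assumption)
#   SHIELD_USER   the Host Username entered in Baffle Manager, e.g. centos
#   SHIELD_PORT   one port per shield on this endpoint; defaults to 8444

# Return 0 if a `java -version` line reports OpenJDK 1.8, the version the guide requires.
java_is_18() {
  case "$1" in
    *'version "1.8.'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if user $1 has a home directory that exists on disk (required by the guide).
user_has_home() {
  dir=$(getent passwd "$1" | cut -d: -f6)
  [ -n "$dir" ] && [ -d "$dir" ]
}

# Return 0 if a TCP connection to host $1 port $2 can be opened within 3 seconds.
tcp_open() {
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
  else
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
  fi
}

# Return 0 if local TCP port $1 is in LISTEN state (a shield already bound to it).
port_listening() {
  ss -ltn 2>/dev/null | awk 'NR > 1 {print $4}' | grep -qE "[:.]$1\$"
}

# Print any port that appears more than once in the space-separated list $1.
# Multiple shields on one endpoint must not share a port, so output here is an error.
duplicate_ports() {
  printf '%s\n' $1 | sort | uniq -d
}

report() { printf '%-52s %s\n' "$1" "$2"; }

run_preflight() {
  manager=$1; user=$2; shift 2
  ports=${*:-8444}

  jline=$(java -version 2>&1 | head -n 1)
  if java_is_18 "$jline"; then report "Java OpenJDK 1.8 present" OK; else report "Java OpenJDK 1.8 present ($jline)" FAIL; fi

  if user_has_home "$user"; then report "home directory for $user" OK; else report "home directory for $user" FAIL; fi

  # Outbound: shield -> manager on 443 and 8553 (Step 1).
  for p in 443 8553; do
    if tcp_open "$manager" "$p"; then report "outbound to $manager:$p" OK; else report "outbound to $manager:$p" FAIL; fi
  done

  # Shield application ports: must be distinct and not already taken.
  dups=$(duplicate_ports "$ports")
  if [ -n "$dups" ]; then report "shield ports distinct (duplicate: $dups)" FAIL; else report "shield ports distinct ($ports)" OK; fi
  for p in $ports; do
    if port_listening "$p"; then report "port $p free for a new shield" "IN USE"; else report "port $p free for a new shield" OK; fi
  done
}

# Only run the live checks when invoked with arguments, so the functions can be sourced.
if [ $# -ge 2 ]; then
  run_preflight "$@"
fi
```

Inbound access (port 22 from Baffle Manager, the shield port from your own address) is governed by the security group and cannot be verified from the shield host itself; confirm it from the Manager side with the same `tcp_open` probe pointed at the shield.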
- Continue to Define a Data Protection Policy and Encrypt Data.