DDC Admin Guide

Thales CipherTrust Data Discovery and Classification
ADMINISTRATOR GUIDE
Document Information
Product Version: 2.0.0
Release Date: 08 December 2020
Trademarks
Thales CipherTrust Data Discovery and Classification is powered by Groundlabs.
All intellectual property is protected by copyright. All trademarks and product names used or referred to are the
copyright of their respective owners. No part of this document may be reproduced, stored in a retrieval system
or transmitted in any form or by any means, electronic, mechanical, chemical, photocopy, recording or
otherwise without the prior written permission of Thales.
Disclaimer
Thales makes no representations or warranties with respect to the contents of this document and specifically
disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, Thales
reserves the right to revise this publication and to make changes from time to time in the content hereof without
the obligation upon Thales to notify any person or organization of any such revisions or changes.
We have attempted to make these documents complete, accurate, and useful, but we cannot guarantee them
to be perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to
correct them in succeeding releases of the product.
You are responsible for ensuring your own compliance with various laws and regulations, including but not
limited to any data privacy or data protection regulation. You are solely responsible for obtaining advice from
competent legal counsel to assist you in the identification and interpretation of any relevant laws and
regulations that may affect your business and the implementation of any actions you may need to take to
ensure you meet your compliance obligations with respect to such laws and regulations.
The software, the products, services, and any other capabilities described or provided herein are not suitable
for all situations and may have restricted availability or applicability. Thales does not provide legal, accounting,
or auditing advice, nor does it represent or warrant that its software, services, or products will ensure that you
are in compliance with any law or regulation.
Thales invites constructive comments on the contents of this document. Send your comments, together with
your personal and/or company details to the address below.
Contact Method: Contact Information
Address: Thales, 4690 Millennium Drive, Belcamp, Maryland 21017, USA
Thales CipherTrust Data Discovery and Classification 2.0.0 : Administrator Guide
08 December 2020, Copyright © 2020 Thales Group. All rights reserved.
Phone: 1-800-545-6608 (US), 1-410-931-7520 (International)
Email: technical.support.DIS@thalesgroup.com
Technical Support Customer Portal: https://supportportal.thalesgroup.com
Existing customers with a Technical Support Customer Portal account can log in to manage
incidents, get the latest software upgrades, and access the Thales Knowledge Base.
CONTENTS
Document Information
Preface: About this Document
Audience
What's in This Guide
Organization
Document Conventions
Hyperlinks
Notifications
Command Syntax and Typeface Conventions
Related Documents
Solution Overview
Sensitivity Levels
Information Types
Creating Custom Infotypes
Character Type Rules Explained
Examples of Custom Infotypes
Licensing
Trial License
Full License Options
Viewing the License Status
What If My License Stopped Working?
Encryption Keys Used by DDC
DDC User Groups
System Predefined Groups
User Defined Groups
Accessing and Interacting With DDC
Accessing DDC in the Console
Managing Branch Locations
Viewing Branch Locations
Adding Branch Locations
Managing Classification Profiles
Viewing Classification Profiles
Classification Profile Templates
Adding Classification Profiles
Select Profile Template
General Info
Select Infotypes
Apply Tags
Viewing Details of Classification Profiles
Editing Classification Profiles
Duplicating Classification Profiles
Managing Data Stores
Viewing Data Stores
Adding Local Stores
Select Store Type
Configure Connection
General Info
Add Tags & Access Control
Adding Network Stores
Prerequisites for Network Storage Data Stores
Creating a Data Store
Creating a Windows Data Store
Creating a Linux Data Store
Configuring a Data Store - General Information
Configuring a Data Store – Tags and Access Control
Adding Database Stores
Select Store Type
Configure Connection
General Info
Add Tags & Access Control
Allowing Remote Connections to PostgreSQL Server
Adding Big Data Stores
Select Store Type
Configure Connection
General Info
Add Tags & Access Control
Editing Data Stores
Automatic Agent Selection
Managing Scans
Viewing Scans
Adding Scans
General Info
Select Data Stores
Add Targets
Select Profiles
Schedule Scan
Running Scans
Scan Statuses
Potential Problems When Running Scans
Removing Scans
Managing Reports
Viewing Reports
Report Types
Creating Reports
General Info
Configure Content
Generating Reports
Report Details
Logging
Default Logging Level
Identifying DDC Log Messages
Security Audit Log Messages
Enabling Syslog Logging
APPENDICES
Error Messages
Error Log Messages
Reconfiguring Agents
Reconfiguring DDC Agents on Windows
Reconfiguring DDC Agents on Debian
Reconfiguring DDC Agents on RHEL
Restarting DDC Agents
Restarting Agents on Windows
Restarting Agents on Debian
Restarting Agents on RHEL
Mounting an NFS Share
REST API
Acquiring an Authorization Token
Using the Token
Making an API Call
CLI
Information Types
Supported Formats
Files
Office files
Databases
Big Data
Security Audit Log Event Messages
PREFACE: About this Document
This introductory section identifies the audience, provides a brief summary of the contents of this guide, and
discusses the documentation conventions used. It contains the following sections:
> "Audience" below
> "What's in This Guide" below
> "Organization" below
> "Document Conventions" on the next page
Audience
This document is intended for Thales CipherTrust Data Discovery and Classification (DDC) users responsible
for classification of data discovered on data stores. It is assumed that the users of this document are proficient
with security and data discovery concepts.
All products manufactured and distributed by Thales are designed to be installed, operated, and maintained by
personnel who have the knowledge, training, and qualifications required to safely perform the tasks assigned
to them. The information, processes, and procedures contained in this document are intended for use by
trained and qualified personnel only.
Thales designs data security products for use by file server administrators, network administrators, security
engineers, database administrators, application developers, and other technology professionals responsible
for daily operations in support of data security.
What's in This Guide
This guide explains data discovery concepts such as data stores, branch locations, classification profiles, and
data discovery scans. The document also explains how to generate scan-based reports on the discovered
data. Finally, the document describes how to read generated reports.
Organization
The Thales CipherTrust Data Discovery and Classification Administrator Guide contains the following
chapters:
1. "Solution Overview" on page 11
Describes data discovery concepts such as branch locations, classification profiles, sensitivity levels, tags,
data stores, data discovery scans, and user roles and permissions.
2. "Licensing" on page 18
Describes different types of DDC licenses.
3. "DDC User Groups" on page 22
Describes all predefined groups of DDC users with their rights to use various product features.
4. "Accessing and Interacting With DDC" on page 24
This section introduces the primary channel to interact with DDC, the console.
5. "Managing Branch Locations" on page 25
Describes how to add and view branch locations.
6. "Managing Classification Profiles" on page 27
Describes how to add, view, and duplicate classification profiles.
7. "Managing Data Stores" on page 32
Describes how to add and edit different types of data stores. The types of data stores are local, network,
database, and big data.
8. "Managing Scans" on page 45
Describes how to add, run, and view scans.
9. "Managing Reports" on page 52
Describes how to configure and run aggregated reports on the discovered data.
10. "APPENDICES" on page 59
Additional useful information and tools related to system administration, such as system error messages,
handy commands, and additional interfaces for interacting with the product.
Document Conventions
This section describes the formatting conventions used in this user guide to indicate hyperlinks, special notes,
important information, tips, and warnings.
Hyperlinks
Hyperlinked text will, by default, appear in the shade of purple.
For example: All technical document templates can be found on the Technical Writing Community page.
Notifications
This user guide uses notes, tips, and warnings to alert you to important information that may help you to
complete your task, or prevent personal injury, damage to the equipment, or data loss.
Notes
Notes are used to alert you to important or helpful information. These elements use the following format:
NOTE Take note. Notes contain important or helpful information that you want to make
stand out to the user.
Cautions
Cautions are used to alert you to important information that may help prevent unexpected results or data loss.
These elements use the following format:
CAUTION! Exercise caution. Caution alerts contain important information that may help
prevent unexpected results or data loss.
Warnings
Warnings are used to alert you to the potential for catastrophic data loss or personal injury. These elements
use the following format:
**WARNING** Be extremely careful and obey all safety and security measures. In
this situation you might do something that could result in catastrophic data loss or
personal injury.
Command Syntax and Typeface Conventions
Convention: Description
bold: The bold attribute is used to indicate the following:
> Button names (Click Save As.)
> Check box and radio button names (Select the Print Duplex check box.)
> Dialog box titles (On the Protect Document dialog box, click Yes.)
> Field names (User Name: Enter the name of the user.)
> Menu names (On the File menu, click Save.) (Click Menu > Go To > Folders.)
> User input (In the Date box, type April 1.)
italic: The italic attribute is used for emphasis or to indicate a related document. (See the
Thales CipherTrust Data Discovery and Classification Customer Release Notes for
more information.)
Double quote marks: Double quote marks enclose references to other sections within the document.
For example: Refer to "Disclaimer" on page 2.
<variable>: In command descriptions, angle brackets represent variables. You must substitute a
value for command line arguments that are enclosed in angle brackets.
[ optional ], [ <optional> ]: Square brackets enclose optional keywords or <variables> in a command line
description. Optionally enter the keyword or <variable> that is enclosed in square
brackets, if it is necessary or desirable to complete the task.
[ a | b | c ], [<a> | <b> | <c>]: Square brackets enclose optional alternate keywords or variables in a command line
description. Choose one command line argument enclosed within the braces, if
desired. Choices are separated by vertical (OR) bars.
{ a | b | c }, { <a> | <b> | <c> }: Braces enclose required alternate keywords or <variables> in a command line
description. You must choose one command line argument enclosed within the
braces. Choices are separated by vertical (OR) bars.
Related Documents
The following documents contain related or additional information:
> Thales CipherTrust Data Discovery and Classification Deployment Guide
> Thales Data Platform Installation Guide
> Thales CipherTrust Data Discovery and Classification Customer Release Notes
You can view or download the latest version of the CRN for this release at this location:
https://supportportal.thalesgroup.com
Solution Overview
This section describes the main components of the Thales CipherTrust Data Discovery and Classification
(DDC) solution. The concepts used in this diagram are briefly discussed in this section and explained at length
in the later sections of this document.
> KeySecure, DDC Server
At the heart of the DDC solution is CipherTrust Manager on which runs the DDC Server. It is from here that
users interact with the DDC GUI or use the DDC APIs to create classification profiles, add data stores,
launch scans and generate reports.
> REST APIs, GUI
Various types of interfaces used to interact with DDC.
> Hadoop, PQS, HDFS
DDC uses Hadoop to generate reports from scans and to store their results (report data). DDC can directly
query HDFS but it requires Phoenix Query Server (PQS) to interface with Hadoop's HBase.
> DDC Agent, Proxy Agent, Local Agent
DDC Agents perform the actual scanning jobs and report the results back to the DDC Server for analysis
and processing. DDC supports two types of Agent configurations: Local Agents are installed and
configured directly on the machine that contains sensitive data; Proxy Agents are installed and configured
on a proxy machine that is used to scan sensitive data on other machines.
> Data Store
A data store is where the data actually resides. It can be a file server, a database, or a Hadoop cluster. For
more information see "Managing Data Stores" on page 32.
> Local storage
A type of a data store, a file system (Windows or Linux) that is localized to the same machine where the
Agent scanning it is installed.
> NFS, CIFS
A type of data store, a network share (Windows or Linux) that resides on a different machine than that
where the Agent scanning it is installed.
> Branch Locations
A branch location specifies a site where the file servers, databases, and data centers that contain data to
scan are located. Branch locations are used to indicate where different data stores are physically located.
For more information see "Managing Branch Locations" on page 25.
> Sensitivity Levels
A sensitivity level defines how sensitive the data is. Sensitivity levels are required in creating classification
profiles and data stores. For more information see "Sensitivity Levels" on the next page.
> Information Types
An information type (or infotype) categorizes data to look for during a scan. A large number of predefined
information types are available to better categorize the data. For more information see "Information
Types" on the next page.
> Tags
A tag helps group data together. Tags are used to filter data for generating reports. They can be specified
when creating data stores and classification profiles.
DDC includes a number of predefined tags. The predefined tags are APA, APPI, CCPA, FINANCIAL, GDPR,
HEALTH, HIPAA, KVKK, LEGAL, PCI, PERSONAL, PHI, PII, and SHIELD.
DDC also provides the ability to create custom tags when creating data stores and classification profiles.
> Classification Profiles
A classification profile defines what kind of sensitive information to search for during a scan. It includes
information such as a sensitivity level, information types, and tags. Classification profiles can be created
based on predefined templates or custom templates. For more information see "Managing Classification
Profiles" on page 27.
> Data Objects
A file or a database table stored in a data store is called a Data Object.
> Sensitive Data Objects
A data object that contains any data match is called a Sensitive Data Object.
> Data Matches
A concrete instance of any of the infotypes is called a Data Match.
> Risks
A risk is the presence of a sensitive data object in an unprotected data store.
> Scans
A scan is an entity that helps in scanning data stores. Each scan specifies the location to scan and what to
look for during scanning. Findings of scans can be used to generate reports for different purposes. Scans
can be either run manually (any time) or scheduled to run and stop at a specified time. For more information
see "Managing Scans" on page 45.
Sensitivity Levels
A sensitivity level defines how sensitive the data is. Sensitivity levels are required in creating classification
profiles and data stores. Prebuilt sensitivity levels are:
> None: The sensitivity level for such data has not yet been specified.
> Public: Specifies the least sensitive data with no specific need for data security. Such data can be shared
with anybody.
> Internal: Specifies the data with low sensitivity. Exposure of such data may not affect an organization, but is
not meant for public disclosure.
> Private: Specifies that the data is personal. Such data should be protected from public viewing.
> Restricted: Specifies highly sensitive data, for example, customer's personal data and trade secrets.
This type of data requires the best possible data security. Disclosure of such data can lead to severe
financial and legal consequences for an organization. Businesses must prioritize remediation efforts related
to this type of data.
Information Types
An information type (infotype) categorizes data to look for during a scan. A large number of prebuilt information
types are available to better categorize the data.
Different regions and countries can have different regulatory requirements, so these information types are
categorized based on geographical regions. These regions are Global, Africa, Americas, Asia, Europe, and
Oceania. The information types can be further categorized into:
> Financial: Financial data such as credit card numbers and bank account details.
> Personal Data: Personal data such as age, gender, race, and religion.
> Medical: Medical data such as history of medical problems and disabilities.
> National ID: National identity documents such as Social Security Number (SSN).
For a list of all available predefined information types, refer to the appendix "Information Types" on page 81.
DDC also allows you to create custom information types. For more information, see "Creating Custom
Infotypes" below.
Creating Custom Infotypes
You can create a custom information type, if you require one. This can be achieved from the Infotypes screen.
To access it, click Settings and then Infotypes in the sidebar on the left.
1. Click the +Add Infotype button in the top right corner of the Infotypes screen. The Add Infotype wizard
is displayed.
a. In the General Info step of the wizard, provide the following information for your new infotype:
– Name: Choose a name for your infotype.
– Category: Select a category to which your infotype belongs (Financial, Personal Data, Medical, or
National ID).
– Family: Select a family for your infotype. A family is a subcategory inside the Category and the
choice of options depends on what you selected in the Category menu. The following families are
available inside their corresponding categories:
Financial: Credit/Debit Cards; Bank Account Info
Medical: Patient Health Data
National ID: Personal Identification
Personal Data: Email addresses; Login credentials; Card Number; Ethnicity; License Number; Roll
Number; Passport Number; Date Of Birth; MAC Address; Mailing Address; Telephone Number;
Gender; Religion; IP Address; Phone Number; Name
– Region: Select the region for your infotype (Global, Africa, Americas, Asia, Europe, and Oceania).
Click Next to go to the next step of the wizard.
b. In the Infotype Definition step of the wizard, you configure the rules for your new information type. You
configure the rules in the Simple View tab, and then you can view these rules as translated into an
expression of the internal language of the DDC engine in the Expert View tab (the expression in the
Expert View is read-only).
To configure the rules for your new information type, click to expand the Add Rules menu in the Simple
View tab and select one of the following types:
– Character: Search for one or more specific characters as specified in the Select Rule menu. If the
character is found, the location will be returned as a match. For a list of available character type rules,
refer to "Character Type Rules Explained" on the next page.
Use the From and To controls to set the number of consecutive occurrences of the selected
character.
– Phrase: Search for a specific pattern as defined in the Phrase textbox (in layman's terms, it is used to
look for specific words). Searching for phrases is case insensitive.
– Built-In: Pre-defined infotypes can be used in combination with other types (Character or Phrase).
The complete list of built-in information types is available in the appendix "Information Types" on
page 81.
Use the Apply button to complete your selection. The selection is displayed in the list of defined infotype
rules. You can remove it from the list of rules by clicking the Remove link on its right.
You can use each of these types on their own, or combine them to form a more complex rule, involving
multiple types in various configurations. See "Examples of Custom Infotypes" on page 16 for some
examples.
NOTE
> Due to a known limitation, it is currently not possible to have two built-in infotypes, one after
the other. They must be separated by something, such as another type of infotype, or even a
plain space. For example:
"american express" " " "english name"
> Due to a known limitation, when adding a range of characters, all the possible
combinations inside the range will appear as matches. For example, for a range of
numbers from 1 to 4, when in a document you have a sequence "1234", the search will
yield the following matches:
"1", "12","123" and "1234"
> When you introduce spaces at the beginning or the end of the phrase, the spaces are
removed. Also, when you introduce more than one space between words, only one space
is considered.
2. Click Save to save your new infotype. Your new information type has been added and is now listed in the
Infotypes screen, and marked 'Custom' in the Type column.
Character Type Rules Explained
Specific predefined characters are used to create custom infotypes using character based rules. They are
explained below:
Rule (Expert View Keyword): Match
Space (SPACE): Any white-space character.
Horizontal space (HSPACE): Tab characters and all Unicode "space separator" characters.
Vertical space (VSPACE): All Unicode "line break" characters.
Any (BYTE): Wildcard character that will match any character.
Alphanumeric (ALNUM): ASCII numerical characters and letters.
Alphabet (LETTER): ASCII alphabet characters.
Digit (DIGIT): ASCII numerical characters.
Printable (PRINTABLE): Any printable character.
Printable ASCII only (PRINTABLEASCII): Any printable ASCII character, including horizontal and vertical white-space characters.
Printable non-alphabet (PRINTABLENONALPHA): Printable ASCII characters, excluding alphabet characters and including horizontal and vertical white-space characters.
Printable non-alphanumeric (PRINTABLENONALNUM): Printable ASCII characters, excluding alphanumeric characters and including horizontal and vertical white-space characters.
Graphic (GRAPHIC): Any ASCII character that is not white-space or control character.
Same line (SAMELINE): Any printable ASCII character, including horizontal white-space characters but excluding vertical white-space characters.
Non-alphanumeric (NONALNUM): Symbols that are neither a number nor a letter; e.g. apostrophes ‘, parentheses (), brackets [], hyphens -, periods ., and commas ,.
Non-alphabet (NONALPHA): Any non-alphabet characters; e.g. ~ ` ! @ # $ % ^&*()_-+={}|[]:;"' <>?/,.123….
Non-digit (NONDIGIT): Any non-numerical character.
Examples of Custom Infotypes
Example 1. You want to search for a "Driver License Number" from Illinois, whose format is "M532-4218-1341". You would then create the following rule:
Character Alphabet From 1 to 1 Times
Character Digit From 3 to 3 Times
Phrase -
Character Digit From 4 to 4 Times
Phrase -
Character Digit From 4 to 4 Times
The above example will have the following syntax in the Expert View:
RANGE LETTER TIMES 1-1
THEN RANGE DIGIT TIMES 3-3
THEN WORD NOCASE '-'
THEN RANGE DIGIT TIMES 4-4
THEN WORD NOCASE '-'
THEN RANGE DIGIT TIMES 4-4
In this rule, the expression "Character Alphabet From 1 to 1 Times" means that you only expect one
alphabetic character, the expression "Character Digit From 3 to 3 Times" means that you expect exactly
three digits, and the expression "Phrase -" means that you expect to find a hyphen (-) in the sequence.
Example 2. You want to search for a name and last name separated by a number of spaces between 1 and 3.
To that end you would create the following rule:
Phrase John
Character Space From 1 to 3
Phrase Gordon
The above example will have the following syntax in the Expert View:
WORD NOCASE 'John'
THEN RANGE SPACE TIMES 1-3
THEN WORD NOCASE 'Gordon'
This rule will allow you to search for a combination of "John" and "Gordon" with one through three spaces
between them. By comparison, using the rule Phrase John Gordon will only allow you to search for a
combination "John Gordon", with only one space. Any additional spaces in the phrase will be truncated.
Example 3. You want to search for the Spanish NIE (foreigners identity number) preceded by the phrase
"NIE:" and a number of spaces between 0 and 5. For example, "NIE: X8691474Q".
Phrase NIE
Character Space From 0 to 5
Built-in Spanish NIE
The above example will have the following syntax in the Expert View:
INCLUDE 'DEFINE_NID'
WORD NOCASE 'NIE'
THEN RANGE SPACE TIMES 0-5
THEN REFER 'NID_SPAIN_NIE'
This rule will find both "NIE: X8691474Q" and "nie: x8691474q" since searching (regardless of the type Character, Phrase, or Built-in) is case insensitive.
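The Expert View expressions in the examples above can be dry-run against sample text before an infotype is saved. The Python sketch below is an added example, not Thales or Ground Labs code: the function names compile_expert_view and find_matches are hypothetical, the keyword-to-regex mapping is an approximation of the character rules table, and only RANGE, WORD NOCASE and THEN are handled (INCLUDE and REFER depend on built-in definitions internal to DDC and are rejected).

```python
import re

# Approximate regex equivalents for a few Expert View keywords from the
# character rules table. This mapping is an assumption of this example,
# not the DDC engine's own definition.
CHAR_CLASSES = {
    "SPACE": r"\s",
    "DIGIT": r"[0-9]",
    "LETTER": r"[A-Za-z]",
    "ALNUM": r"[A-Za-z0-9]",
    "NONDIGIT": r"[^0-9]",
}

RANGE_RE = re.compile(r"RANGE\s+([A-Z]+)\s+TIMES\s+(\d+)-(\d+)")
WORD_RE = re.compile(r"WORD\s+NOCASE\s+'(.*)'")


def compile_expert_view(expr: str) -> re.Pattern:
    """Translate the Expert View subset shown in the guide into a regex."""
    parts = []
    for raw in expr.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.upper().startswith("THEN "):
            line = line[5:].strip()  # THEN only chains rules in sequence
        m = RANGE_RE.fullmatch(line)
        if m:
            keyword, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
            if keyword not in CHAR_CLASSES:
                raise ValueError(f"keyword not mapped in this example: {keyword}")
            if lo > hi:
                raise ValueError(f"invalid range {lo}-{hi}")
            parts.append(f"{CHAR_CLASSES[keyword]}{{{lo},{hi}}}")
            continue
        m = WORD_RE.fullmatch(line)
        if m:
            # The guide notes that leading/trailing spaces in a phrase are
            # removed and repeated spaces count as a single space.
            phrase = " ".join(m.group(1).split())
            parts.append(re.escape(phrase))
            continue
        # INCLUDE / REFER cannot be reproduced outside DDC.
        raise ValueError(f"unsupported rule line: {line!r}")
    # Searching is case insensitive for every rule type.
    return re.compile("".join(parts), re.IGNORECASE)


def find_matches(expr: str, text: str) -> list:
    """Return every non-overlapping match of the rule in the text."""
    return [m.group(0) for m in compile_expert_view(expr).finditer(text)]


# Expert View text copied from Examples 1 to 3.
ILLINOIS_DL = """RANGE LETTER TIMES 1-1
THEN RANGE DIGIT TIMES 3-3
THEN WORD NOCASE '-'
THEN RANGE DIGIT TIMES 4-4
THEN WORD NOCASE '-'
THEN RANGE DIGIT TIMES 4-4"""

NAME_RULE = """WORD NOCASE 'John'
THEN RANGE SPACE TIMES 1-3
THEN WORD NOCASE 'Gordon'"""

SPANISH_NIE = """INCLUDE 'DEFINE_NID'
WORD NOCASE 'NIE'
THEN RANGE SPACE TIMES 0-5
THEN REFER 'NID_SPAIN_NIE'"""

# Constructed sample inputs (not real identifiers).
SAMPLE_LICENSES = "K417-2290-5583, k417-2290-5583, A123-45678901"
SAMPLE_NAMES = ("John Gordon | john" + " " * 3 + "gordon | John"
                + " " * 4 + "Gordon")  # 1, 3 and 4 spaces

if __name__ == "__main__":
    print(find_matches(ILLINOIS_DL, SAMPLE_LICENSES))
    print(find_matches(NAME_RULE, SAMPLE_NAMES))
    # A plain phrase is normalized to a single space between the words.
    print(find_matches("WORD NOCASE ' John   Gordon '", SAMPLE_NAMES))
    try:
        compile_expert_view(SPANISH_NIE)
    except ValueError as exc:
        print("cannot dry-run built-in references:", exc)
```

A rule without surrounding delimiters also matches inside longer strings, so test it against near-miss inputs as well as valid ones to estimate false positives before running a scan.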
Licensing
Trial License
Thales CipherTrust Data Discovery and Classification (DDC) is deployed with a trial license already installed
and activated "out of the box". This allows you to enjoy a fully-functional product for 90 days and up to 1 TB
of data allowance.
After the trial license expires, the DDC configuration in CipherTrust Manager becomes read-only. While you
still have access to your old reports you are not able to generate new ones, add new targets, or create new
scans. You have to contact Thales Group to request a full license and install it in CipherTrust Manager. For
more information on obtaining and installing licenses, refer to the "Licensing" section in the "Thales
CipherTrust Manager Administrator Guide".
CAUTION! Data allowances of the trial license and full license do not add up! After installing
a new full license your data allowance will be that of the new license only (for example, if your
trial license has 1 TB data allowance and your full license 50 TB, after installing the full license
your data allowance will be 50 TB not 51 TB).
Full License Options
Under the full license you get a fully-functional product with a specified data allowance and for a specific period
of time. The license model offers you enough flexibility to choose an option that best suits your needs in terms
of the license duration and prospective data allowance. You can choose from among these values:
> Expiration period
• 1 year
• 2 years
• 3 years
> Data allowance
• 15 TB
• 50 TB
• 100 TB
• 150 TB
• 250 TB
• 500 TB
• 1 PB
• 1.5 PB
• 3 PB
• Unlimited
Viewing the License Status
To view the status of your DDC license:
1. Log in to CipherTrust Manager and navigate to the licenses screen (Admin Settings > Licensing).
2. Search for DDC_Data_Allowance in the list of installed features.
TIP Use the Search box if the list is too long and you cannot quickly find the DDC_Data_Allowance
entry.
3. Having found the DDC license, you have a few options available:
• You can quickly check its status by looking at the State column in the DDC_Data_Allowance entry. It can
be either Active or Expired.
• You can check the license expiration date, in the Expiration column.
• If the license is still active, you can view additional details about it. To do that, click the black arrow on the
left of DDC_Data_Allowance to expand the whole entry. This displays the Client Usage card, with the
information about the total data allowance that you have (Total), the amount of data allowance that you
have already used up (Used), and the amount of data allowance that you still have available
(Available).
NOTE If the Available figure has a negative value, it means that you have used up and
exceeded your available data allowance. However, you can still run scans and the data from
the scans is stored by DDC. The amount of this extra data stored is reflected by the negative
value. You can access this data after you install a new license.
NOTE After installing or removing a license you have to wait some time for that action to be
reflected in the licenses screen (usually, about one minute).
What If My License Stopped Working?
A license - trial or full - can stop working in one of the following cases:
> A trial license expires: you cannot run new scans. However, the data collected so far is not deleted, so
you can still generate reports based on it, and you can access it again when you install a new license.
> The data allowance of a trial license is used up: you can continue scanning but you cannot generate
reports. However, the data from scans is stored so after you install a new license you are able to access the
data and generate reports.
> A license is deleted: DDC stops working but the data is not deleted so you just have to reinstall the license
or install a new one.
> You overwrite a trial license with a full one: the new license takes over the data stored under the trial
license.
> A full license expires: it is the same case as the expired trial license above.
> The data allowance of a full license is used up: it is the same case as the trial license with data
allowance used up above.
Encryption Keys Used by DDC
DDC uses AES256 encryption to protect sensitive data. For that purpose, DDC creates a number of encryption
keys that are stored in CipherTrust Manager. You can find these DDC keys in the Keys & Access
Management application in CipherTrust Manager:
> Four encryption keys to protect the Hadoop configuration before storing it inside the DDC Database. Each
key is used to protect one configuration parameter (PQS Server, PQS credentials, HDFS Server, and HDFS
credentials). These keys have the following format: citrus-<UUID> (for example, citrus-6e0cb668-3a3d-4f2c-8687-17092b83b41b).
> As many encryption keys as there are data stores, and each key is used to encrypt the data store
credentials before storing them inside the DDC Database, and to encrypt the results of the scans completed
in that data store, before storing them in HDFS. These keys have the following format: d<UUID> (for
example, d8b2d8404-c9ae-4a34-800a-01258dfaa383).
> As many encryption keys as there are scans, and each key is used to encrypt the scan data before storing it
in HDFS. These keys have the following format: s<UUID> (for example, s14912791-bed5-4e73-b733-6a36ecfe338f).
**WARNING** These keys must never be deleted, or DDC will not be able to
process the related scans or data stores properly.
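The naming formats above can serve as a guard in key clean-up jobs. The following Python example is added here and is not part of the Thales documentation or product: it classifies key names by the three DDC formats, holds them back from a deletion list, and reports when fewer than the four Hadoop configuration keys are present. The sample key names are constructed, and the way you obtain the list of key names from CipherTrust Manager is assumed to be handled elsewhere.

```python
import re

# Canonical 8-4-4-4-12 hexadecimal UUID, as in the examples in this guide.
UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

# The three key-name formats described above, matched case-insensitively so
# that the guard errs on the side of protecting a key.
DDC_KEY_ROLES = (
    ("hadoop-config", re.compile(rf"citrus-{UUID}", re.IGNORECASE)),
    ("data-store", re.compile(rf"d{UUID}", re.IGNORECASE)),
    ("scan", re.compile(rf"s{UUID}", re.IGNORECASE)),
)

# The guide states that four keys protect the Hadoop configuration.
EXPECTED_HADOOP_KEYS = 4


def classify_key_name(name):
    """Return the DDC role of a key name, or None if it is not a DDC key."""
    candidate = name.strip()
    for role, pattern in DDC_KEY_ROLES:
        if pattern.fullmatch(candidate):
            return role
    return None


def review_deletion_list(candidates):
    """Split a proposed deletion list into (allowed, blocked).

    blocked maps each DDC-owned key name to its role so the operator can see
    which scans or data stores would stop working.
    """
    allowed, blocked = [], {}
    for name in candidates:
        role = classify_key_name(name)
        if role is None:
            allowed.append(name)
        else:
            blocked[name] = role
    return allowed, blocked


def inventory_report(all_key_names):
    """Count DDC keys per role and report missing Hadoop configuration keys."""
    counts = {role: 0 for role, _ in DDC_KEY_ROLES}
    for name in all_key_names:
        role = classify_key_name(name)
        if role is not None:
            counts[role] += 1
    missing = max(0, EXPECTED_HADOOP_KEYS - counts["hadoop-config"])
    return counts, missing


# Constructed sample inventory (not real keys). Only three citrus- keys are
# present, which the report flags as one missing Hadoop configuration key.
SAMPLE_KEYS = [
    "citrus-0a1b2c3d-1111-4222-8333-444455556601",
    "citrus-0a1b2c3d-1111-4222-8333-444455556602",
    "citrus-0a1b2c3d-1111-4222-8333-444455556603",
    "d0a1b2c3d-1111-4222-8333-4444555566aa",
    "s0a1b2c3d-1111-4222-8333-4444555566bb",
    "s3-backup-key",      # starts with "s" but is not s<UUID>
    "dev-signing-key",    # starts with "d" but is not d<UUID>
    "tde-master-2019",
]

if __name__ == "__main__":
    allowed, blocked = review_deletion_list(SAMPLE_KEYS)
    print("safe to consider for deletion:", allowed)
    for name, role in blocked.items():
        print(f"BLOCKED ({role} key used by DDC): {name}")
    counts, missing = inventory_report(SAMPLE_KEYS)
    print("DDC key counts:", counts)
    if missing:
        print(f"WARNING: {missing} Hadoop configuration key(s) appear to be missing")
```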
DDC User Groups
System Predefined Groups
DDC has different kinds of users with different responsibilities in administering and using the system. A number
of predefined groups are included to ensure that users are granted minimal permissions needed to perform
their tasks while ensuring flexibility to meet security requirements across industries.
The table below lists all DDC predefined groups with their rights to use various DDC features. R/W in a cell
means that the user has view and edit rights to this aspect of the product. R means that the user has only view
rights.
1. Admins can see their own and other users' reports. Admins can also decrypt scan packages from the Hadoop database.
2. DDC Admins can only see their own reports.
3. DDC Report Admins can only see their own reports.
4. DDC Full Report Admins can only see their own reports.
5. The difference between Report Admins and Full Report Admins is that Full Report Admins do not need access to specific
user defined groups to be able to view or generate reports that use data stores restricted to user defined groups. For more
information, see "User Defined Groups" below.
6. Scan Viewers are allowed to run scans.
7. DDC Store Viewers, DDC Store Admins, and DDC L3 Support do not have access to custom infotypes.
The users belonging to the "L3 Support" group are DDC Support Administrators. These users can help identify
and troubleshoot issues you may encounter when using DDC. They can also decrypt scan packages
from the Hadoop database.
User Defined Groups
Apart from system predefined groups, DDC also allows you to create user defined groups. User defined
groups are used to prevent certain users from viewing sensitive information in reports. These groups are
defined by the CipherTrust Manager Admin in Keys & Access Management -> Groups in CipherTrust Manager.
In DDC, they are applicable when creating a Data Store, in the Data Store creation wizard when you are
granting access to selected groups. See "Managing Data Stores" on page 32 for details (the ACCESS:
Selected group/s setting in "Configuring a Data Store – Tags and Access").
In other words, a data store that is restricted to a specific user defined group is visible to all the groups with
permissions to see data stores; the same goes for scans. However, a user without a permission to see a data
store which is restricted to a group, but with a permission to create and generate reports, will not be able to
generate reports for those data stores. For this user, the scan executions will not be visible in the New Report
wizard.
NOTE The only users that do not have to belong to a specific user defined group to be able
to see reports for all the data stores are Full Report Admins and Admins.
For example, if a user created a report that has Data Store "DS1" but the data store is restricted to a specific
group, that user will see the report template, but when he tries to access the report he will get an "insufficient
permissions" error.
Accessing and Interacting With DDC
The primary channel to interact with Thales CipherTrust Data Discovery and Classification (DDC) is through
the CipherTrust Manager's GUI, also called the console. The console allows you to perform the management
operations, such as managing data stores and scans.
You can also interact with DDC by using the CLI tool or REST API.
> CLI tool - The CipherTrust Manager includes a CLI tool, named ksctl, that can be downloaded and run
locally to control a remote CipherTrust Manager appliance. For more information, refer to "CLI" on page 80.
> REST API - You can use the REST interface from the API playground, or via any REST client such as curl.
For more information, refer to "REST API" on page 79.
In this guide we provide instructions to perform all management functions such as creating branch locations
and data stores only through the CipherTrust Manager console (GUI).
Accessing DDC in the Console
Use this procedure to get access to the DDC features in the GUI.
1. Open the CipherTrust Manager URL in a browser. The log in page is displayed.
2. Enter Username and Password.
3. Click Log In. The GUI of the CipherTrust Manager is displayed.
By default, the Applications page is displayed with links to various applications.
4. Click the Data Discovery link to open the Data Discovery application.
Managing Branch Locations
You manage branch locations through the Branch Locations page, which is accessed by clicking the
Settings > Branch Locations link in the Data Discovery sidebar on the left.
From the Branch Locations page you can:
> View all currently available branch locations. See "Viewing Branch Locations" below.
> Create a new branch location. See "Adding Branch Locations" below.
Viewing Branch Locations
The Branch Locations page lists available branch locations. This view also shows the total number of
existing branch locations. The Branch Locations page shows the following details:
| Item | Description |
|---|---|
| Site Name | Name of the branch location. |
| Country | Name of the country. |
| State/Province | Name of the state/province. This field is applicable to the United States. For other countries, the field is unavailable, indicated by N/A. |
| City | Name of the city. |
TIP Use the Search text box to filter branch locations. Search results display branch
locations that contain the specified text in their names.
Adding Branch Locations
Adding a branch location requires specifying the country and city where the branch is located. To add a branch
location:
1. Click + Add Location on the right of the Branch Locations page.
2. In the Add Branch Location dialog box, enter the following details:
| Item | Description |
|---|---|
| Site Name | Specify a unique name for the branch location. The name must be longer than two characters and up to 64 characters. This field is mandatory. |
| Country | Select the country from the drop-down list. This field is mandatory. |
| State/Province | Select the state/province from the drop-down list. This field is applicable to the United States. For other countries, the field is unavailable. |
| City | Specify name of the city. This field is mandatory. |
| Description | Describe the branch location (up to 250 characters). |
3. Click Save.
The newly created location appears on the Branch Locations page. By default, branch locations are displayed
in alphabetic order by name. Depending on the number of entries per page, you might need to navigate to
other pages to view the newly created branch location.
Managing Classification Profiles
You manage classification profiles through the Classification Profiles page, which is accessed by clicking
the Classification Profiles link in the Data Discovery sidebar on the left.
From the Classification Profiles page you can:
> View all the available classification profiles. See "Viewing Classification Profiles" below.
> Create a new classification profile. See "Adding Classification Profiles" on the next page.
> View details of a selected classification profile. See "Viewing Details of Classification Profiles" on page 30.
> Modify an existing classification profile. See "Editing Classification Profiles" on page 30.
> Create a new classification profile from an existing one. See "Duplicating Classification Profiles" on
page 31.
Viewing Classification Profiles
The Classification Profiles page lists available classification profiles. Initially, the page shows prebuilt
classification profile templates only. Newly created and duplicate classification profiles are also shown on this
page. Duplicating classification profiles is the process of creating copies of existing profiles with identical
properties. Additionally, the page shows the total number of available profiles.
The list view of the Classification Profiles page shows the following details:
| Item | Description |
|---|---|
| Name | Name of the classification profile. |
| Infotypes | Number of infotypes linked with the profile. |
| Sens. Level | Sensitivity level applied to the profile. |
| Modified | Time when the profile is modified. |
| Tags | Number of applied tags. |
TIP
> Use the Search text box to filter classification profiles. Search results display classification
profiles that contain specified text in their names.
> By default, classification profiles are listed in ascending alphabetic order of their names.
Classification profiles can be sorted by their names and percentage of sensitivity levels.
> Classification profiles can be filtered using the Sens. Level filter.
Classification Profile Templates
Classification profiles can be created based on predefined templates or custom templates. You can use the
following predefined templates:
> Blank: Provides the ability to specify custom sensitivity level, information types, and tags for the profile. The
Blank template does not contain preselected infotypes.
> CCPA (California Consumer Privacy Act): Affects organizations that process the personal data of a
California resident, regardless of where the organization is headquartered.
> GDPR (General Data Protection Regulation): Affects organizations that process the personal data of
EU citizens, regardless of where the organization is headquartered.
> HIPAA (Health Insurance Portability and Accountability Act): Covers the healthcare information in
the US. HIPAA relates to protection, encryption, and key management.
> PCI (Payment Card Industry): Affects organizations that play a role in processing credit and debit card
payments. These organizations must comply with the strict PCI DSS (Data Security Standard) compliance
requirements for the processing, storage, and transmission of data.
> Privacy Shield: Regulates transatlantic exchanges of personal data for commercial purposes between the
European Union and United States.
Adding Classification Profiles
Use the Add Classification Profile wizard to add a classification profile. Adding a classification profile involves
the following steps:
Select Profile Template
1. In the Classification Profiles page, click the + Add Profile button on the right. The Add Classification
Profile wizard is displayed.
2. In the Select Profile Template step, select the required profile template from these options:
• Blank
• CCPA
• GDPR
• HIPAA
• PCI
• Privacy Shield
See "Classification Profile Templates" above for more information about these classification profile
templates.
3. Click Next to go on to the Name and Describe screen.
General Info
1. Specify a Profile Name. The name must be longer than two characters and up to 64 characters.
2. Provide a Description for the profile (up to 250 characters).
3. Select a Sensitivity Level from the drop-down list. A sensitivity level suggests to DDC what level of sensitivity
is OK to find in this data store. For details, see "Sensitivity Levels" on page 13.
4. Click Next to go on to the Select Infotypes screen.
Select Infotypes
1. The Select Infotypes screen is displayed. The screen shows the list of available information types. The
screen shows details such as Infotype Name, Category, and Region.
NOTE Based on the selected profile template, certain information types may already be
applied/selected. The applied information types can be viewed by turning on the Selected
only toggle switch.
2. Search for the required infotypes. You can use the following options:
• Search text box: Enter text to filter information types. Search results display information types that
contain specified text in their names.
• Category filter: Click the filter icon, select or clear categories, and click OK.
• Region filter: Click the filter icon, select or clear categories, and click OK.
3. Click Next to go on to the Apply Tags screen.
Apply Tags
1. The Apply Tags screen is displayed.
NOTE Based on the selected profile template, certain tags may appear already applied. You
can select existing tags, enter new tags, and remove existing tags, as appropriate.
2. Select a tag from the Add Tags (optional) drop-down list. The prebuilt tags are APA, APPI, CCPA,
FINANCIAL, GDPR, HEALTH, HIPAA, KVKK, LEGAL, PCI, PERSONAL, PHI, PII, and SHIELD.
TIP
> New tags can also be added. Start typing a new tag, and click the New: <new_tag> link
that appears below the drop-down list.
> Add as many tags as needed.
> To remove a tag, click the close icon in the tag name.
3. Click Save.
The newly created classification profile appears on the Classification Profiles page. By default, profiles are
displayed in alphabetic order by name. Depending on the number of entries per page, you might need to
navigate to other pages to view the newly created profile.
Viewing Details of Classification Profiles
The default view of the Classification Profiles page lists prebuilt profile templates, created profiles, and
duplicate profiles. Names of profiles and their modification times are also shown. Additionally, the view shows
infotypes, sensitivity levels, and tags applied to available classification profiles.
The edit view of the page shows additional details of each classification profile. The details include the number
of linked scans, profile name, profile description, applied sensitivity level, list of linked infotypes, and applied
tags.
To view details of a classification profile:
1. In the left pane of the Data Discovery application, click Classification Profiles. The Classification
Profiles page is displayed. This page lists available classification profiles.
2. Click the overflow icon corresponding to the desired profile. A shortcut menu appears.
3. Click View. The Classification Profiles page shows additional details of the profile.
NOTE
> For new and duplicate classification profiles, the button name is View/Edit. Clicking this
button shows the edit view of the Classification Profiles page. The details can be viewed
and edited on this page. Refer to "Editing Classification Profiles" below for details.
> Only the users with appropriate rights can see the View/Edit button. For all other users,
only the View button is visible.
Editing Classification Profiles
Newly created and duplicate classification profiles can be modified to suit your requirements. Use the edit view
of the page to modify individual classification profiles. You can edit the profile name, profile description, applied
sensitivity level, linked infotypes, and applied tags.
NOTE Prebuilt classification profiles cannot be edited. However, you can duplicate them and
edit the copy to suit your requirements.
To edit a new or a duplicate classification profile:
1. In the left pane of the Data Discovery application, click Classification Profiles. The Classification
Profiles page is displayed. This page lists available classification profiles.
2. Click the overflow icon corresponding to the desired profile. A shortcut menu appears.
3. Click View/Edit. The edit view of the Classification Profiles page appears.
NOTE
> For new and duplicate classification profiles, the button name is View/Edit. Clicking this
button shows the edit view of the Classification Profiles page. The details can be viewed
and edited on this page.
> Only the users with appropriate rights can see the View/Edit button. For all other users,
only the View button is visible.
4. Expand GENERAL. General details are displayed.
5. Modify the required details.
6. Expand INFOTYPES. The list of infotypes is displayed.
7. Select or clear infotypes, as required.
8. Expand TAGS. The applied tags, if any, are displayed.
9. Add new tags or modify existing tags, as required.
10. Click Save Changes.
The list view of the Classification Profiles page shows updated information.
Duplicating Classification Profiles
Duplicating classification profiles is the process of creating copies of existing profiles with identical properties.
This process simplifies the creation of new profiles. Duplicate profiles can be modified later to suit your
requirements, if needed.
To duplicate a classification profile:
1. In the left pane of the Data Discovery application, click Classification Profiles. The Classification
Profiles page is displayed. This page lists available classification profiles.
2. Click the overflow icon corresponding to the desired profile. A shortcut menu appears.
3. Click Duplicate.
A message appears stating that the profile has been duplicated successfully. The duplicate profile with the
name <original_profile_name> - Copy appears on the Classification Profiles page. For example, if the
profile APA - Australia Privacy Amendment is duplicated, a profile named APA - Australia Privacy
Amendment - Copy is created.
Managing Data Stores
You manage data stores through the Data Stores page, which is accessed by clicking the Data Stores link in
the Data Discovery sidebar on the left.
From the Data Stores page you can:
> View all the available data stores. See "Viewing Data Stores" below.
> Create a new local type data store. See "Adding Local Stores" on the next page.
> Create a new network type data store. See "Adding Network Stores" on page 35.
> Create a new database type data store. See "Adding Database Stores" on page 37.
> Create a new Big Data type data store. See "Adding Big Data Stores" on page 40.
> Edit an existing data store. See "Editing Data Stores" on page 42.
> Select an Agent for a data store. See "Automatic Agent Selection" on page 43.
Viewing Data Stores
The list view of the Data Stores page shows the number of:
> Existing data stores with the number of scanned and unscanned data stores.
> Supported data types with the number of configured data stores of each type.
> Scanned data stores with the number of data stores containing sensitive and nonsensitive data.
Click the refresh button to refresh the displayed information.
The list view of the Data Stores page shows the following details:
| Item | Description |
|---|---|
| Name | Name of the data store. |
| Type | Type of the data store. |
| Sens Level | Sensitivity level applied to the data store. |
| Location | Location of the data store. |
| Tags | Number of applied tags. |
| %Sens. Info | Percentage of data objects in the data store that are considered as sensitive data objects. A hyphen "-" indicates that a data store is not yet scanned. |
| Status | Status of the data store - enabled or disabled. During a scan, DDC searches for agents in enabled data stores. Click the toggle switch to change the status. The status of a data store could be disabled while it waits for an Agent or if it fails to select an Agent. Disabled data stores are skipped during the scan. |
TIP
> Use the Search text box to filter data stores. Search results display data stores that
contain specified text in their names.
> By default, data stores are listed in ascending alphabetic order of their names.
> Data stores can be sorted by their names, types, sensitivity levels, locations, and
percentage of sensitive information.
Adding Local Stores
Use the Add Data Store wizard to add a local data store. Adding a data store involves the following steps:
Select Store Type
1. In the left pane of the Data Discovery application, click Data Stores. The Data Stores page is displayed.
This page lists available data stores.
2. On the right, click + Add Data Store. The Add Data Store wizard is displayed.
The Select Data Store screen displays options to filter data store types:
• Filter by Data Store category: Shows categories of data stores. Click a category to filter available
options under the Select Type drop-down list.
• Select Type: Shows types of data storage. By default, the drop-down list shows all types of data stores.
When a category is selected under Filter by Data Store category, the label Select Type is changed
to reflect the selection. For example, for Local Storage, the label becomes Select Local Storage
Type.
NOTE This document uses Filter by Data Store category to filter data stores.
3. Under Filter by Data Store category, click Local Storage.
4. From the Select Local Storage Type drop-down list, select Local Storage.
5. Click Next to go on to the Configure Connection screen.
Configure Connection
1. The Configure Connection screen is displayed.
2. Specify Hostname/IP of the machine where the local data store resides. Specify a valid hostname, IP
address, or Uniform Resource Identifier (URI). The hostname must be longer than two characters. This is a
mandatory field.
NOTE Local data stores need a DDC Agent installed on the same host.
3. Click Next to go to the General Info screen.
General Info
1. The General Info screen is displayed.
2. Specify a unique Name for the data store. The name must be longer than two characters and up to 64
characters.
3. Provide a Description for the data store (up to 250 characters).
4. Select a Branch Location from the drop-down list.
5. Select a Sensitivity Level from the drop-down list. A sensitivity level suggests to DDC what level of
sensitivity is OK to find in this data store. For details, see "Sensitivity Levels" on page 13.
NOTE The Enable Data Store check box is selected by default. This means that this data
store is available for scans. If the check box is cleared, the data store is disabled (not
available) for scans.
6. Click Next to go on to the Add Tags & Access Control screen.
Add Tags & Access Control
1. The Add Tags & Access Control screen is displayed.
2. Under ACCESS, select user groups that can access the data store. Access to a data store provides ability
to see reports that include scans of that data store.
The available options are:
• All groups: All groups of users can access the data store through reports. This is the default setting.
• Selected group/s: Specified user defined groups can access the data store through reports. When this
option is selected, select a group from the drop-down list. This list shows existing user defined groups.
The user defined groups must already exist on CipherTrust Manager. If no user defined groups exist,
ask the administrator to create a group.
If needed, you can select multiple groups. Start typing the name of the desired group and select from the
suggested groups.
3. Under TAGS, select a tag from the Add Tag drop-down list. The prebuilt tags are APA, APPI, CCPA,
FINANCIAL, GDPR, HEALTH, HIPAA, KVKK, LEGAL, PCI, PERSONAL, PHI, PII, and SHIELD.
TIP
> New tags can also be added. Start typing a new tag, and click the New: <new_tag> link
that appears below the drop-down list.
> Add as many tags as needed.
> To remove a tag, click the close icon in the tag name.
4. Click Save.
The newly created data store appears on the Data Stores page. By default, data stores are displayed in
alphabetic order by name. Depending on the number of entries per page, you might need to navigate to other
pages to view the newly created data store.
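The ACCESS setting above, together with the rule from "User Defined Groups" that only Full Report Admins and Admins see reports for restricted data stores without group membership, can be modelled as a small access check and used to review a data store inventory. This Python example is added here and is not Thales code: the data classes, the sample stores and users, and the choice of which tags count as sensitive are constructed, the group labels are taken from the wording of this guide, and each user's right to generate reports is assumed to come from the predefined group rights table.

```python
from dataclasses import dataclass

ALL_GROUPS = "All groups"          # default ACCESS setting in the wizard
SELECTED = "Selected group/s"      # restricted to user defined groups

# Groups that, per the NOTE in "User Defined Groups", need no membership.
BYPASS_GROUPS = frozenset({"Admins", "DDC Full Report Admins"})

# Reviewer's choice (assumption): prebuilt tags treated as sensitive here.
SENSITIVE_TAGS = frozenset({"PCI", "PHI", "PII", "HEALTH", "FINANCIAL"})


@dataclass
class DataStore:
    name: str
    access: str = ALL_GROUPS
    groups: frozenset = frozenset()   # user defined groups when SELECTED
    tags: frozenset = frozenset()


@dataclass
class User:
    name: str
    groups: frozenset
    can_generate_reports: bool = True  # from the predefined group rights


def can_report_on(user, store):
    """True if the user can generate or open reports that use this store."""
    if not user.can_generate_reports:
        return False
    if store.access == ALL_GROUPS:
        return True
    if user.groups & BYPASS_GROUPS:
        return True
    return bool(user.groups & store.groups)


def audit(stores, users):
    """Return (store name, finding) pairs worth a reviewer's attention."""
    findings = []
    for store in stores:
        if store.access == ALL_GROUPS and store.tags & SENSITIVE_TAGS:
            findings.append((store.name, "sensitive tags with default 'All groups' access"))
        elif store.access == SELECTED:
            readers = [u.name for u in users
                       if can_report_on(u, store) and not u.groups & BYPASS_GROUPS]
            if not readers:
                findings.append((store.name, "restricted, but no non-admin user is in a selected group"))
    return findings


# Constructed sample inventory and users.
HR = DataStore("hr-share", SELECTED, frozenset({"hr-privacy"}), frozenset({"PII"}))
WEB = DataStore("web-logs")
CARD = DataStore("cardholder-db", tags=frozenset({"PCI"}))
LEGACY = DataStore("legacy-nfs", SELECTED, frozenset({"decommissioned-team"}), frozenset({"LEGAL"}))
STORES = [HR, WEB, CARD, LEGACY]

ALICE = User("alice", frozenset({"DDC Report Admins", "hr-privacy"}))
BOB = User("bob", frozenset({"DDC Report Admins"}))
CAROL = User("carol", frozenset({"DDC Full Report Admins"}))
DAVE = User("dave", frozenset({"DDC Store Viewers"}), can_generate_reports=False)
USERS = [ALICE, BOB, CAROL, DAVE]

if __name__ == "__main__":
    for user in USERS:
        visible = [s.name for s in STORES if can_report_on(user, s)]
        print(f"{user.name}: reports allowed on {visible}")
    for name, finding in audit(STORES, USERS):
        print(f"REVIEW {name}: {finding}")
```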
Adding Network Stores
DDC supports two types of Network Storage types as data stores: Linux Network File Share (NFS) and
Windows share (SMB/CIFS).
NOTE SMB/CIFS is supported for Windows only. Currently, the SMB implementation on
Linux (Samba) is not supported. Also, we cannot guarantee that NFS type data stores on
MAC will work properly.
Prerequisites for Network Storage Data Stores
To create a Windows Network Storage data store:
> Use a Windows Proxy Agent.
> Ensure that the target storage is accessible from the Proxy agent host.
To create a Linux Network Storage data store:
> Use a Linux Proxy Agent.
> The target storage path must be mounted on the Proxy agent host.
For both types of these data stores, the credentials to access the target storage must have the minimum
permissions required to scan it. Bear in mind that data discovery or scanning of data requires read access.
Creating a Data Store
To create a new data store, navigate to the Data Stores screen (Data Discovery > Data Stores). Click the
+Add Data Store button to open the Add Data Store wizard.
In the wizard, you have to go over four configuration steps for each data store that you create:
1. Select Store Type - Select a data store type that you want to create. Refer to individual procedures for
each data store type for details.
2. Configure Connection - provide the connection details for the data store that you selected in the previous
step. This step is different for every data store type. Refer to individual procedures for each data store type
for configuration details.
3. General Info - specify the name, description, branch location, and sensitivity level for your data store.
These settings are shared by all data store types. See "Configuring a Data Store - General Information" on
page 37 for details.
4. Add Tags & Access Control - grant access rights to your data store and add tags. These settings are
shared by all data store types. See "Configuring a Data Store – Tags and Access Control" on page 37 for
details.
Creating a Windows Data Store
1. To create a Windows Data Store, click Network Storage > SMB/CIFS Share in the Select Store Type
screen in the Add Data Store wizard. For details, refer to "Configuring a Data Store – Tags and Access
Control" on page 37.
2. In the Configure Connection screen of the wizard, provide the following configuration details for your
data store:
> Hostname/IP - a valid hostname, IP address, or URI of the data store.
> Share Name - a valid Windows share name. These characters are not allowed in the Share Name:
= * ? , < > | ; : + [ ] " / \
CAUTION! Do not confuse the Share Name with the Network Path. In Windows, the
Share Name is typically set in the Advanced Sharing settings in the folder sharing
properties.
> Credentials - provide a valid username and password. Use the appropriate user name format for the
target Windows hosts credentials:
• <domain\username> - target host resides in the same Active Directory domain as the Windows proxy
agent.
• <target_hostname\username> - target host does not reside in the same Active Directory domain as the
Windows proxy agent.
3. In the General Info screen of the wizard, specify the name, description, branch location, and sensitivity
level for your data store. See "Configuring a Data Store - General Information" on the next page for details.
4. In the Add Tags & Access Control screen of the wizard, grant access rights to your data store and add
metadata. See "Configuring a Data Store – Tags and Access Control" on the next page for details.
5. Click Save to create the data store. At any time during the configuration you can click Back to go to any of
the previous wizard screens to update the configuration.
Creating a Linux Data Store
1. To create a Linux Data Store, click Network Storage > NFS Share in the Select Store Type screen in
the Add Data Store wizard. For details, refer to "Configuring a Data Store – Tags and Access Control" on
the next page.
2. In the Configure Connection screen of the wizard, provide the following configuration details for your
data store:
> Hostname/IP - a valid hostname, IP address, or URI of the data store.
> Share Path - a valid NFS path; it must begin with a slash ("/"). The path must be set to the mount path on
the Proxy host.
> Agent Hostname/IP - a valid hostname, IP address, or URI of the host where the DDC agent resides.
> Mount Point (On Proxy Agent) - the mount path on the Proxy host (for the Share Path above). See also
"Mounting an NFS Share" on page 78.
3. In the General Info screen of the wizard, specify the name, description, branch location, and sensitivity
level for your data store. See "Configuring a Data Store - General Information" on the next page for details.
4. In the Add Tags & Access Control screen of the wizard, grant access rights to your data store and add
metadata. See "Configuring a Data Store – Tags and Access Control" on the next page for details.
5. Click Save to create the data store. At any time during the configuration you can click Back to go to any of
the previous wizard screens to update the configuration.
Configuring a Data Store - General Information
The General Info screen in the Add Data Store wizard allows you to specify the name, description, branch
location, and sensitivity level of your data store. More details below:
> Name - the name of your data store. The name must be longer than two characters and up to 64
characters.
> Description - the description for the data store (up to 250 characters).
> Branch Location - select a branch location from the drop-down list. If no branch location is available, you
have to create it. See "Managing Branch Locations" on page 25 for details.
> Sensitivity Level - select a sensitivity level from the drop-down list. A sensitivity level suggests to DDC
what level of sensitivity is acceptable to find in this data store. For details, see "Sensitivity Levels" on
page 13.
> Enable Data Store - when selected it means that this data store is available for scans. The Enable Data
Store check box is selected by default. If the check box is cleared, the data store is disabled (not available)
for scans.
Configuring a Data Store – Tags and Access Control
The Add Tags & Access Control screen in the Add Data Store wizard allows you to grant access rights to
your data store and add tags. More details below:
> ACCESS - select user groups that can access the data store. Access to a data store provides the ability to see
reports that include scans of that data store. The available options are:
• All groups: All groups of users can access the data store through reports. This is the default setting.
• Selected group/s: Specified user defined groups can access the data store through reports. When this
option is selected, select a group from the drop-down list. This list shows existing user defined groups.
The user defined groups must already exist on CipherTrust Manager. If no user defined groups exist,
ask the administrator to create a group. If needed, you can select multiple groups. Start typing the name
of the desired group and select from the suggested groups.
> TAGS - select a tag from the Add Tag drop-down list. The predefined tags are: APA, APPI, CCPA,
FINANCIAL, GDPR, HEALTH, HIPAA, KVKK, LEGAL, PCI, PERSONAL, PHI, PII, and SHIELD.
TIP New tags can also be added. Start typing a new tag, and click the New: <new_tag> link
that appears below the drop-down list. Add as many tags as needed. To remove a tag, click
the close icon in the tag name.
Adding Database Stores
Use the Add Data Store wizard to add a database type data store. Adding a data store involves the following
steps:
Select Store Type
1. In the left pane of the Data Discovery application, click Data Stores. The Data Stores page is displayed.
This page lists available data stores.
2. On the right, click + Add Data Store. The Add Data Store wizard is displayed.
The Select Data Store screen displays the following options to filter data store types:
• Filter by Data Store category: Shows categories of data stores. Click a category to filter available
options under the Select Type drop-down list.
• Select Type: Shows types of data storage. By default, the drop-down list shows all types of data stores.
The label Select Type changes to reflect the category selected under Filter by Data Store category.
For example, for Database, the label becomes Select Database Type.
NOTE This document uses Filter by Data Store category to filter data stores.
3. Under Filter by Data Store category, click Database.
4. From the Select Database Type drop-down list, select a database. The available options are:
• IBM DB2: Select to add an IBM DB2 database.
• Oracle: Select to add an Oracle database.
• Microsoft SQL: Select to add a Microsoft SQL database.
• PostgreSQL: Select to add a PostgreSQL database.
NOTE PostgreSQL by default blocks remote connections to the PostgreSQL server. For
instructions to configure the PostgreSQL to allow remote connections, see "Allowing Remote
Connections to PostgreSQL Server" on page 40.
5. Click Next to go on to the Configure Connection screen.
Configure Connection
1. The Configure Connection screen is displayed.
2. Specify Hostname/IP of the database server. Specify a valid hostname, IP address, or Uniform Resource
Identifier (URI). The hostname must be longer than two characters. This is a mandatory field.
3. Specify Port of the database server. The port must be a number between 1 and 65535. The default ports
are 50000 for IBM DB2, 1521 for Oracle, 1433 for Microsoft SQL, and 5432 for PostgreSQL. This is a
mandatory field.
4. Specify name of the Database service. This is a mandatory field. For an Oracle database, specify
Database or SID.
NOTE If you are using Oracle 12x, or if the Oracle database displays a “TNS: protocol
adapter error”, you must specify a SERVICE_NAME in the Database or SID field. For
example: HR(SERVICE_NAME=XE)
5. Select an authentication method to connect to the database. The available options are:
• Credentials: Select for password-based authentication. This is the default setting. Specify valid user
credentials (User and Password) to access the network storage. For password-based authentication,
valid user credentials are mandatory.
• Certificate: Select for certificate-based authentication. Click Choose File to upload a valid certificate
file. For certificate-based authentication, uploading a valid certificate is mandatory.
NOTE
> The certificate must be in either PEM or .p12 format.
> The certificate size must be less than 30 KB.
6. Click Next to go on to the General Info screen.
General Info
1. The General Info screen is displayed.
2. Specify a unique Name for the data store. The name must be longer than two characters and up to 64
characters.
3. Provide a Description for the data store (up to 250 characters).
4. Select a Branch Location from the drop-down list.
5. Select a Sensitivity Level from the drop-down list. A sensitivity level suggests to DDC what level of
sensitivity is OK to find in this data store. For details, see "Sensitivity Levels" on page 13.
6. Click Next to go on to the Add Tags & Access Control screen.
Add Tags & Access Control
1. The Add Tags & Access Control screen is displayed.
2. Under ACCESS, select user groups that can access the data store. Access to a data store provides the ability
to see reports that include scans of that data store.
The available options are:
• All groups: All groups of users can access the data store through reports. This is the default setting.
• Selected group/s: Specified user defined groups can access the data store through reports. When this
option is selected, select a group from the drop-down list. This list shows existing user defined groups.
The user defined groups must already exist on CipherTrust Manager. If no user defined groups exist,
ask the administrator to create a group.
If needed, you can select multiple groups. Start typing the name of the desired group and select from the
suggested groups.
3. Under TAGS, select a tag from the Add Tag drop-down list. The prebuilt tags are APA, APPI, CCPA,
FINANCIAL, GDPR, HEALTH, HIPAA, KVKK, LEGAL, PCI, PERSONAL, PHI, PII, and SHIELD.
TIP
> New tags can also be added. Start typing a new tag, and click the New: <new_tag> link
that appears below the drop-down list.
> Add as many tags as needed.
> To remove a tag, click the close icon in the tag name.
4. Click Save.
The newly created data store appears on the Data Stores page. By default, data stores are displayed in
alphabetic order by name. Depending on the number of entries per page, you might need to navigate to other
pages to view the newly created data store.
Allowing Remote Connections to PostgreSQL Server
PostgreSQL by default blocks all connections that are not from the PostgreSQL database server itself. This
means that to scan a PostgreSQL database, the Agent must either be installed on the PostgreSQL database
server itself (not recommended), or the PostgreSQL server must be configured to allow remote connections.
To configure a PostgreSQL server to allow remote connections:
1. On the PostgreSQL database server, locate the pg_hba.conf configuration file. On a Unix-based server,
the file is usually found in the /var/lib/postgresql/data directory.
2. Open pg_hba.conf in a text editor, as root.
3. Add the following to the end of the file:
# Syntax:
# host <database_name> <postgresql_user_name> <agent_host_address> <auth-method>
host all all all md5
NOTE The above configuration allows any remote client to connect to the PostgreSQL
server if a correct user name and password is provided. For a more secure configuration, use
configuration statements that are specific to a database, user or IP address. For example:
host database_A scan_user 172.17.0.0/24 md5
4. Save the file and restart the PostgreSQL service.
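An added example, not taken from the Thales guide: a Python check that reads pg_hba.conf text and reports remote rules that leave the database, user, or address field open, as the permissive statement above does. The sample file contents, the function names, and the 256-address threshold are assumptions made for this example.

```python
import ipaddress

# Constructed sample: the guide's permissive rule, its scoped example,
# and one more rule that is scoped by database and user but not by address.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE    USER       ADDRESS         METHOD
local   all         postgres                   peer
host    all         all        all             md5
host    database_A  scan_user  172.17.0.0/24   md5
host    database_A  scan_user  0.0.0.0/0       md5
"""

# Record types that accept TCP/IP (remote) connections.
REMOTE_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
# Assumption for this example: a range wider than a /24 is reported as broad.
MAX_ADDRESSES = 256


def _is_ip(token):
    """Return True if token is a bare IPv4/IPv6 address (used to spot a netmask field)."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_remote_rules(text):
    """Return (line_no, database, user, address) for each remote rule.

    Fields are split on whitespace; quoted names containing spaces are not handled.
    """
    rules = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in REMOTE_TYPES:
            continue  # comments, blank lines and local-socket rules
        database, user, address = fields[1], fields[2], fields[3]
        # "IP-address IP-mask" form: the netmask occupies its own field.
        if len(fields) >= 6 and _is_ip(fields[4]):
            address = f"{fields[3]}/{fields[4]}"
        rules.append((line_no, database, user, address))
    return rules


def address_findings(address):
    """Report an address field that admits any client or a wide range."""
    if address == "all":
        return ["address 'all' matches any client"]
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        return []  # hostname, samehost, samenet, or a mask form ipaddress cannot parse
    if net.prefixlen == 0:
        return [f"address {address} matches any client"]
    if net.num_addresses > MAX_ADDRESSES:
        return [f"address {address} covers {net.num_addresses} addresses"]
    return []


def audit(text):
    """Return [(line_no, [findings])] for remote rules that are not fully scoped."""
    report = []
    for line_no, database, user, address in parse_remote_rules(text):
        findings = []
        if "all" in database.split(","):
            findings.append("database 'all' exposes every database")
        if "all" in user.split(","):
            findings.append("user 'all' accepts any role")
        findings.extend(address_findings(address))
        if findings:
            report.append((line_no, findings))
    return report


if __name__ == "__main__":
    for line_no, findings in audit(SAMPLE_PG_HBA):
        for finding in findings:
            print(f"pg_hba.conf line {line_no}: {finding}")
```

Run it against a copy of the server's pg_hba.conf by passing the file contents to audit(); a rule scoped like the guide's database_A / scan_user / 172.17.0.0/24 example produces no findings.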
Adding Big Data Stores
Use the Add Data Store wizard to add a big data type data store. Adding a data store involves the following
steps:
NOTE In a Hadoop cluster:
> Nodes where data blocks distributed by HDFS are stored are called DataNodes.
DataNodes are treated as “slaves” in a Hadoop cluster.
> A node that maintains the index of directories and files and manages data blocks stored on
DataNodes is called a NameNode. A NameNode is treated as “master” in a Hadoop
cluster.
Select Store Type
1. In the left pane of the Data Discovery application, click Data Stores. The Data Stores page is displayed.
This page lists available data stores.
2. On the right, click + Add Data Store. The Select Data Store screen of the Add Data Store wizard is
displayed.
The Select Data Store screen displays the following options to filter data store types:
• Filter by Data Store category: Shows categories of data stores. Click a category to filter available
options under the Select Type drop-down list.
• Select Type: Shows types of data storage. By default, the drop-down list shows all types of data stores.
The label Select Type changes to reflect the category selected under Filter by Data Store category.
For example, for Big Data, the label becomes Select Big Data Type.
NOTE This document uses Filter by Data Store category to filter data stores.
3. Under Filter by Data Store category, click Big Data.
4. From the Select Big Data Type drop-down list, select Hadoop Cluster.
5. Click Next to go on to the Configure Connection screen.
Configure Connection
1. The Configure Connection screen is displayed.
2. Specify Hostname/IP of the Hadoop cluster's active NameNode. Specify a valid hostname, IP address, or
Uniform Resource Identifier (URI). The hostname must be longer than two characters. This is a mandatory
field.
3. Click Next to go on to the General Info screen.
General Info
1. The General Info screen is displayed.
2. Specify a unique Name for the data store. The name must be longer than two characters and up to 64
characters.
3. Provide a Description for the data store (up to 250 characters).
4. Select a Branch Location from the drop-down list.
5. Select a Sensitivity Level from the drop-down list. A sensitivity level suggests to DDC what level of
sensitivity is OK to find in this data store. For details, see "Sensitivity Levels" on page 13.
6. Click Next to go on to the Add Tags & Access Control screen.
Add Tags & Access Control
1. The Add Tags & Access Control screen is displayed.
2. Under ACCESS, select user groups that can access the data store. Access to a data store provides the ability
to see reports that include scans of that data store.
The available options are:
• All groups: All groups of users can access the data store through reports. This is the default setting.
• Selected group/s: Specified user defined groups can access the data store through reports. When this
option is selected, select a group from the drop-down list. This list shows existing user defined groups.
The user defined groups must already exist on CipherTrust Manager. If no user defined groups exist,
ask the administrator to create a group.
If needed, you can select multiple groups. Start typing the name of the desired group and select from the
suggested groups.
3. Under TAGS, select a tag from the Add Tag drop-down list. The prebuilt tags are APA, APPI, CCPA,
FINANCIAL, GDPR, HEALTH, HIPAA, KVKK, LEGAL, PCI, PERSONAL, PHI, PII, and SHIELD.
TIP
> New tags can also be added. Start typing a new tag, and click the New: <new_tag> link
that appears below the drop-down list.
> Add as many tags as needed.
> To remove a tag, click the close icon in the tag name.
4. Click Save.
The newly created data store appears on the Data Stores page. By default, data stores are displayed in
alphabetic order by name. Depending on the number of entries per page, you might need to navigate to other
pages to view the newly created data store.
Editing Data Stores
Existing data stores can be modified to suit your requirements. Use the edit view of the page to modify
properties of data stores. You can edit the data store name, description, linked branch location, and applied
sensitivity level. Additionally, connection settings, access rights, and tags can be modified.
To edit a data store:
1. In the left pane of the Data Discovery application, click Data Stores. The Data Stores page is displayed.
This page lists available data stores.
2. Click the overflow icon corresponding to the desired data store. A shortcut menu appears.
TIP Alternatively, to open the edit view of a data store, click the Name link of the desired data
store. Only the users with appropriate rights can edit data store settings. All other users
can only view the settings.
3. Click View/Edit. The edit view of the Data Stores page appears.
NOTE Only the users with appropriate rights can see the View/Edit button. For all other
users, only the View button is visible.
4. Expand GENERAL. General details are displayed.
5. Modify the required information.
NOTE The current data store type, which is displayed under Select Type, cannot be
changed.
6. Expand CONNECTION. Connection settings are displayed. Based on the storage type, the displayed fields
can be different.
7. Modify the required information.
NOTE When using the Authentication method, specify valid credentials in User and
Password. To change the existing password, unlock the Password field by clicking the lock
icon and enter the new password.
8. Click Test Connection to test the modified connection settings. If any error occurs, correct the connection
settings and retry.
NOTE The Test Connection button is available only if a compatible Agent is found.
9. Expand ACCESS. The granted access rights are displayed.
10. Modify access rights under Grant Access to, if required.
11. Expand TAGS. The applied tags, if any, are displayed.
12. Add new tags or modify existing tags, as required.
13. Click Save Changes.
The list view of the Data Stores page shows updated information.
Automatic Agent Selection
Data stores that do not have a DDC Agent installed on the same host require using a DDC Agent as a proxy to
get from the CipherTrust Manager appliance to the data store endpoint. To achieve this, data stores select
agents automatically.
When a data store is added, the following situations can occur:
> DDC searches for a compatible agent: When DDC searches for a compatible Agent, a rotating spinner
next to the data store's name is displayed. If you hover the mouse over the spinner, "Waiting for Agent" is
shown.
> DDC finds a compatible agent: When a compatible agent is found, no spinner is seen next to the name.
You can now test its connectivity with the Agent by clicking the "Test Connection" button inside the data
store's settings. Refer to "Editing Data Stores" on the previous page for details.
> DDC does not find a compatible agent: DDC retries the agent selection for seven days. If it cannot find a
compatible agent in seven days, an error icon is displayed. If you hover the mouse over the icon, it states
"Agent not available". The "Find Agent" button to relaunch the Agent selection is visible on clicking the
overflow icon next to the data store.
To relaunch automatic agent selection for a data store:
1. In the Data Discovery application, click the overflow icon corresponding to the desired data store. A
shortcut menu appears.
2. Click Find Agent.
NOTE
> Instructions to install and configure DDC Agents can be found in the Thales CipherTrust
Data Discovery and Classification Deployment Guide.
> Port 11117 on the CipherTrust Manager appliance must be accessible from DDC Agent
hosts.
> Data store endpoint needs to be accessible from DDC Agent hosts.
> To proxy requests to database stores, a Windows-based DDC Agent is required.
> To proxy requests to Hadoop data stores, a Linux-based DDC Agent is required.
> When the DDC Agent is properly identified, the data store status changes to ready. At this
point, it is now possible to run scans against this data store.
Managing Scans
You manage scans through the Scans page, which is accessed by clicking the Scans link in the Data
Discovery sidebar on the left.
From the Scans page you can:
> View all currently available scans. See "Viewing Scans" below.
> Create a new scan. See "Adding Scans" on the next page.
> Execute a scan. See "Running Scans" on page 49.
> Delete a scan. See "Removing Scans" on page 50.
Viewing Scans
The list view of the Scans page shows the number of:
> Scans with the number of executed and unexecuted scans.
> Executed scans with the number of scans containing sensitive and non-sensitive data.
> Scanned data objects with the number of sensitive and other data objects.
Click the refresh button to refresh the displayed information.
The list view of the Scans page shows the following details:
Item | Description
--- | ---
Name | Name of the scan.
Profile | Number of classification profiles.
Schedule | Schedule of the scan.
Last Scan | Time when the scan last ran.
Duration | Time taken to complete the run.
Status | Status of the scan. The status could be Completed, Processing, Failed, Stopped, Unscanned, Validating, or Pending.
TIP
> Use the Search text box to filter scans. Search results display scans that contain specified
text in their names.
> By default, scans are listed in ascending alphabetic order of their names.
> Scans can be sorted by their name, last scan time, duration, and status.
Adding Scans
To add a scan, navigate to the Scans screen (Data Discovery > Scans). Click the +Add Scan button to
open the Add Scan wizard.
In the wizard, you have to go over these configuration steps for each scan that you add:
1. "General Info" below - Name the scan and give a short description.
2. "Select Data Stores" below - Select which data stores will be scanned.
3. "Add Targets" on the next page - Narrow down the scan scope by selecting specific scan targets.
4. "Select Profiles" on the next page - Choose which Classification Profile you want to scan for.
5. "Schedule Scan" on page 48 - Configure when you want your scan to run.
General Info
1. In the General Info screen, the wizard asks you to specify a unique name for the scan and to give it a short
description:
• Name - The name must be longer than two characters and up to 64 characters.
• Description - optional description of up to 250 characters.
2. Click Next to move on to the Select Data Stores screen.
Select Data Stores
The Select Data Stores screen lists all data stores in tabular form. By default, no data stores are selected.
The table has three columns:
• Data Store Name: Lists available data stores (with their number).
• Type: The type of the data store, such as Local Storage, Network Share, etc.
• Agent: Displays the Agent that is connected to that data store. In this column, you can also see if the
Agent is ready (that is, if the data store is ready).
To select a data store to scan:
1. Search for the desired data stores by specifying the search criteria in the Search box. The search results
will be displayed in the table under it.
2. Select a data store for the scan by selecting the corresponding check box. Similarly, select multiple data
stores, if needed.
TIP Use the Selected only toggle switch to display only the selected data stores or all data
stores (if the switch is 'off' all data sources are displayed).
3. Click Next to move on to the Add Targets screen.
Add Targets
In the Add Targets screen you can review a list of the data stores that you selected for the scan. By default,
the scan will scan the entire data store, and this wizard step allows you to narrow down the scan scope by
selecting specific targets for your selected data stores. The Add Targets screen is divided into three columns:
• Data Store: The list of selected data stores.
• Targets: Any selected specific target for the listed data store. "Full DS" indicates that no specific target
has been selected, that is, the entire data store will be scanned. If you have added a scan target for the
data store, it will be listed after you expand the data store row (by clicking the arrow button next to the
data store name, on the left).
• Add Target Path: In this field you can type in a specific target and add it to the scan parameters.
Scanning of this data store will be limited to the added target only.
NOTE
Any scan target that you add must be valid, otherwise the scan will fail. What is a valid scan
target depends on the data store type, but here are a few tips to have in mind:
> When adding scan targets for database data sources (IBM DB, Oracle, and MS-SQL):
• Note that table names are case sensitive but schema names are not case sensitive.
• Oracle data stores accept only tables as scan targets.
• IBM DB and MS-SQL data stores accept schemas or tables as scan targets.
> For Hadoop type data stores, you can configure a scan to use a specific Hadoop file as a
scan target.
> To add a scan target for a selected data store:
a. Type your scan target in the Add Target Path field.
b. Click the Apply button on the right to add the target.
Repeat this to add more scan targets for that data store, if needed.
> To remove a scan target for a selected data store:
a. Click the arrow button next to the data store name for which you want to remove a scan target.
b. Click the Remove link on the right of the scan target to remove it.
> Use the Enable Remediation toggle switch to enable remediation for the selected target. For more
information refer to the "CipherTrust Auto-Remediation User Guide".
> To move on to the Select Profiles screen, click Next.
TIP Make sure that you do not have nested target paths in a scan for the same data store.
This can affect the performance of the scan and you can get duplicated data in the reports.
Select Profiles
The Select Profiles screen lists all classification profiles in tabular form. By default, no profiles are selected.
The table has three columns:
• Classification Profile Name: Lists available profiles. Items marked with a letter "T" are predefined
classification profile templates. For more information about these templates, see "Classification Profile
Templates" on page 28. The other items are custom classification profiles.
• Infotypes: Displays the number of information types associated with the profile.
• Sensitivity: Displays the sensitivity level assigned to this classification profile. See "Sensitivity
Levels" on page 13 for more information.
To select a classification profile for the scan:
1. Search for the desired profiles by specifying the search criteria in the search box. The search results are
displayed in the table under it.
2. Select profiles for the scan by selecting the check boxes corresponding to desired profiles.
TIP Use the Selected only toggle switch to display only the selected classification profiles or
all classification profiles (if the switch is 'off' all classification profiles are displayed).
3. Click Next to move on to the Schedule screen.
Schedule Scan
1. In the Schedule screen select the frequency with which you want the scan to run. The options are:
• Manual: Select to run the scan manually. This is the default setting. In this case the scan will be run
whenever you manually launch it from the Scans screen. For more information about running a scan
manually, see "Running Scans" on the next page.
NOTE If you select Run Now, the scan will be run just once after the scan is added
successfully.
• Scheduled: Select to specify a schedule for the run. The scan will be run automatically on the specified
schedule. When Scheduled is selected, the following fields appear on the screen:
– Increment: Select the increment pattern of the run. This is a mandatory field. The options are Daily,
Weekly, and Monthly. By default, Daily is selected.
– Every: Specify when the run should repeat. This is a mandatory field.
For example, if Daily is selected as Increment, enter 2 to run the scan once every two days. If Weekly
is selected as Increment, enter 2 to run the scan once every two weeks. Similarly, if Monthly is
selected as Increment, enter 2 to run the scan once every two months.
– Time: Specify the time when the run should start. This is a mandatory field. Specify the time in 12-hour format.
– Time Zone: Select a time zone from the drop-down list.
– Starting: Specify the day when the schedule should start. This is a mandatory field. By default,
Today is selected. To specify a particular start date, select On this date, click the calendar icon, and
select the date.
– Ending: Specify the day when the schedule should end. This is a mandatory field. By default, No
End is selected. To specify a particular end date, select On this date, click the calendar icon, and
select the date.
NOTE A scan cannot run unless there is an identified Agent for every data store included in
the scan. If it fails to run, check the status of different data stores included in the scan.
2. Click Save to complete adding the scan.
As a result, the newly created scan appears on the Scans page. By default, scans are displayed in alphabetic
order by name. Depending on the number of entries per page, you might need to navigate to other pages to
view the newly created scan. By default, the Status of a newly created scan is Unscanned.
NOTE If your CipherTrust Manager system clock does not match the Agent's system clock,
your scans will not run as scheduled, so it is highly recommended to set up an NTP server to
synchronize the clocks. This can be achieved in CipherTrust Manager through the Admin
Settings -> System -> NTP. For details, refer to the "Thales CipherTrust Manager
Administrator Guide".
Running Scans
To run a scan, navigate to the Scans screen (Data Discovery > Scans). Scans can be run either manually or
automatically at a scheduled time.
> To run a scan manually:
a. Search for the scan to run.
TIP
> Use the Search text box to filter scans. Search results display scans that contain specified
text in their names.
> By default, scans are listed in ascending alphabetic order of their names.
> Scans can be sorted by their name, last scan time, duration, and status.
b. Move the mouse pointer to the row that contains the scan. The Run Now button appears. This button
disappears as soon as the mouse pointer is moved out of the row.
c. Click Run Now.
As soon as the scan is initiated, its status becomes Pending.
> To configure a scan to run automatically, refer to the information in "Schedule Scan" on the previous page.
Scan Statuses
The status of the scan changes in the sequence: Unscanned > Validating > Pending > Running now / Paused /
Stopped > Processing > Completed / Failed.
Status | Description
--- | ---
Validating | Checking if all the data stores are ready.
Pending | Scan is pending and the linked data stores are being contacted. Depending on factors such as the network connectivity, this stage may: • Complete in a flash. You may not see it on the Scans page. • Remain for some time in this state.
Running now / Paused / Stopped | Scan is running, or is paused or stopped.
Processing | Scan is processing the collected data.
Completed / Failed | Scan run is successful or has failed.
Potential Problems When Running Scans
> Ready/Not Ready data store: A scan cannot run unless there is an identified Agent for every data store
included in the scan. Such a data store has the status Ready. A scan that has at least one data store that is
Not Ready will fail to run, and display an error. If more than one data store associated with a scan is Not
Ready, the system will fail on the first scanned data store that is Not Ready and will not check the remaining
data stores.
> Disabled/Enabled data store: You can manually deactivate a data store. Such a data store has a status
Disabled and it will not be scanned. A scan that has several data stores associated will still run (without an
error) even if one or more data stores are Disabled as long as at least one data store is enabled, but it will
only scan the enabled data stores. A scan with all data stores Disabled will not run at all.
> Hadoop file access rights: You get a "data store path not accessible" error when scanning a Hadoop
data store that has a Hadoop file configured as its scan target, if you do not have access rights to that file.
> IBM, Oracle and MS-SQL - empty table or schema: You get a "table or schema not accessible"
error when scanning an empty table or schema.
> IBM, Oracle and MS-SQL - case sensitive table name: In these data stores, database schema names are
not case sensitive, but table names are case sensitive.
Removing Scans
1. In the Scans screen, use the Search text box to filter scans and search for the scan that you want to
remove.
2. Click the overflow icon corresponding to the desired scan. An overflow menu is displayed, with the
View/Edit and Remove options available.
NOTE The Remove option is available in the menu only if the scan is Failed,
Completed, Stopped, or Disabled.
3. Click Remove in the menu. As a result, a warning message "Remove Scan? Are you sure you want to
remove this scan?" is displayed.
4. Click the Remove button in the warning message window to confirm the removal of the selected scan.
Thales CipherTrust Data Discovery and Classification 2.0.0 : Administrator Guide
08 December 2020, Copyright © 2020 Thales Group. All rights reserved.
51
Managing Reports
You manage reports through the Reports page, which is accessed by clicking the Reports link in the Data
Discovery sidebar on the left.
From the Reports page you can:
> View all existing reports. See "Viewing Reports" below.
> Create a new report. See "Creating Reports" on the next page.
> Generate a report. See "Generating Reports" on page 55.
> View details of a selected report. See "Report Details" on page 55.
Viewing Reports
The Reports page lists the available reports. Initially, the page shows no reports. Newly configured
reports are shown on this page. Additionally, the page shows the total number of available reports.
By default, reports are listed in ascending alphabetic order of their names. The list view of the Reports page
shows the following details:
Item - Description
• Name - Name of reports.
• Type - Type of reports.
• Analysis - Analysis type is Aggregated.
• Last Run - Time when the report was run.
• Schedule - Schedule of the report run is Manual.
• Status - Status of the report. The status could be Pending, Running now, Stopped,
Processing, Completed, or Failed.
> Use the Search text box to filter reports. Search results display reports that contain specified text in their
names.
> Reports can be sorted by their name, type (Scans), analysis (Aggregated), the last time that the scan was
run, schedule, and status.
> Click the link embedded in the report name to display the details of that report. For more information, see
"Report Details" on page 55.
Report Types
There are two different types of reports:
• Static report: This report is based on a scan run on a specific date.
– The report is 'frozen' with the last successful scan that has been executed up to now.
– In the case of multiple executions of the scan for the selected day, the report will include the
information for the latest execution on that day.
• Dynamic report: This report always shows the information found in the latest scan execution, so
the results will change if the underlying data in the Data Store or the Classification Profile is modified. In
other words, such a report is dynamic; it will be regularly updated whenever:
– There are changes in the machine, such as a change in the quantity of data (increase or
decrease).
– There are changes in any aspect of the DDC configuration, such as when the classification
profiles have been modified.
NOTE
> For one report, it is possible to select scans in a dynamic and static manner. This would
result in one report that is 'frozen' and another that is not 'frozen'.
> In order to see an updated report you must run the scan since the report reflects the scan
information.
Creating Reports
To create a report you aggregate data from multiple sources. When a report is generated it contains the results
of executed scans.
To create a report use the New Report wizard described in the following sections. To launch the wizard, click
the + Add Report button in the Reports page on the right.
General Info
Provide the following information in the General Info screen of the New Report wizard:
> A unique Name for the report. The name must be longer than two characters and up to 64 characters. This
field is mandatory.
> An optional Description for the report (up to 250 characters).
Click Next to go on to the Configure Content step of the wizard.
Configure Content
The Configure Content screen shows the available scans with their number and the number of selected scans.
1. Use the Search text box to filter available scans. Search results display scans that contain specified text in
their names.
2. Select the Scan Name check boxes corresponding to desired scans.
3. You can create two different types of reports:
– A static report is based on a scan run on a specific date. For a static report, click "Latest Execution"
and select the date of the scan that you wish to use.
– A dynamic report can change if the underlying data store or protection profile is modified and a
scan is run again. For a dynamic report leave "Scan Execution" as "Latest Execution".
See "Report Types" on page 52 for more information on these reports.
4. Click Save and a message will appear stating that the report has been created successfully.
The content identified in this step will be merged in a single report. This is called an aggregated report.
To create a report use the New Report wizard described in the following sections.
Name and Describe
1. In the Reports page on the right, click New Report. The Name and Describe screen of the New Report
wizard is displayed.
2. Specify a unique Name for the report. The name must be longer than two characters and up to 64
characters. This field is mandatory.
3. Provide a Description for the report (up to 250 characters).
Configure Content
NOTE Content identified in this step will be merged in a single report. This is called an
aggregated report.
1. Click Next. The Configure Content screen is displayed. This screen shows available scans with their
number and the number of selected scans.
2. Use the Search text box to filter available scans. Search results display scans that contain specified text in
their names.
3. Select the Scan Name check boxes corresponding to desired scans.
4. Create a static report or dynamic report:
• For a static report - click Latest Execution and select the date of the scan that you wish to use.
• For a dynamic report - leave Scan Execution as Latest Execution.
For information on these report types, see "Report Types" on page 52.
5. Click Save and a message will appear stating that the report has been created successfully.
As soon as a new scan-based report is created, it is automatically run and results are visible. For
information on the details of the report, see "Report Details" on the next page.
NOTE
> Scan-based reports are for personal use only. Users can only access the scan-based
reports that they create. No user can access the scan-based reports created by others.
> Selecting a scan forces DDC to retrieve the results discovered during the last execution of
the given scan. As different scans may be taken into account, different runs of the same
scan-based report may provide different results.
Generating Reports
After you have configured a report, it can be generated at any time. Configured reports can be generated any
number of times.
To generate a report:
1. In the Reports page, search for the report that you want to generate.
TIP
> Use the Search text box to filter reports. Search results display reports that contain
specified text in their names.
> By default, reports are listed in ascending alphabetic order of their names.
> Reports can be sorted by their name, type (Scans), analysis (Aggregated), last run time,
schedule, and status.
2. Click the overflow icon corresponding to the desired report. A shortcut menu appears.
3. Click Run report.
As soon as the report starts to run, its status becomes Pending. The status of the report changes in the
sequence: Pending > Running now / Stopped > Processing > Completed / Failed.
NOTE Permissions to access the data stores accessed by the scans included in a scan-based
report are checked every time the report is run. If the current user no longer has the
correct permission for any of them, an error is displayed.
Report Details
The report details page displays such information about the report as the report name, the number of scans,
data stores, and data objects. The page also shows the total data objects scanned, sensitive data objects
found, sensitive data matches, and selected infotypes found.
NOTE There may be a mismatch between the number of objects scanned as shown in the
Total Data Objects Scanned info card, top left of the Data Objects page, and the number
of objects listed in the table at the bottom ("Showing _ of _"). This is because the table also
lists all so-called "inaccessible" items that have been found in the scan.
Inaccessible items are data objects that could not be scanned because the Agent could not
access their contents. The main reasons for this are a lack of permissions at the OS level (that
is, the Agent is not able to read the file) and/or issues encountered when extracting the text
data, such as file contents protected with a password, corrupted files, and the like.
The table in the report details lists the following findings distributed among these columns:
• Object Name - The name of the data object scanned and listed in the report details.
• Risk - The number of risks found by the report in the given scanned data object. A risk is the presence
of a sensitive item of data.
• Type - The type of the scanned data object listed in the report details, such as "File" or "Folder".
• Path - The path to the object that is listed in the report details.
• Store - The name of the data store where the object listed in the report details was found.
• Owner - The owner of the listed object.
• Modified - The date of the last modification of the scanned and reported data object.
• Infotypes - The number of information types found in the data object that is listed in the report.
NOTE Due to a known limitation of the processing engine, the information on the Owner and
Modified is usually not listed in the report details.
> To print the report, click the Print Preview button in the top right corner of the screen and then Print. The
report will be saved in PDF format to the location that you selected. To return to the report, click the < Exit
Print View link in the top left corner of the screen.
NOTE For the best experience of exporting reports to PDF use Chrome or Firefox.
> To return to the Reports page, click All Reports at the top of the report details page.
Logging
DDC prints out its log messages to the CipherTrust Manager logs. CipherTrust Manager logs are located in the
/opt/keysecure/logs directory. The CipherTrust Manager System Administrator (ksadmin) can log in using
ssh to retrieve CipherTrust Manager logs. Also the DDC Application Administrators have access to the logs.
For more details on collecting DDC logs, see "Troubleshooting Issues in Conjunction with Customer Support"
in the “Thales CipherTrust Manager Administrator Guide”.
Default Logging Level
By default, the log level for DDC is INFO. With this log level set, DDC prints out the INFO and ERROR level
messages to the log. Among the various messages that DDC prints to the logs, the error messages and
security audit messages are the most useful for troubleshooting DDC issues and securing the deployment.
Identifying DDC Log Messages
The microservices behind DDC are Oleander and Sundew and the messages coming to the CipherTrust
Manager log from DDC can be identified by those names.
Additionally, Oleander has these three modules:
> Clustering
> Agent_Selection
> Scan_watcher
Each of these modules will generate its own error messages, each in its separate log.[ ] log file.
The logging service responsible for collecting and processing these messages is FLUENTD. It is capable of
displaying those messages to the terminal through the log command. Here's an example of such a command:
> log | grep oleander | grep "clustering"
This command would display all messages coming from Oleander's Clustering module.
For a complete list of error messages that DDC sends to the CipherTrust Manager log, see the appendix "Error
Log Messages" on page 67.
Security Audit Log Messages
The DDC security audit messages can be identified by the Oleander | INFO [security] bit that they contain.
The full format of such a log message (or log line) is:
<date> | Oleander | INFO [security] <event> <error (if any)> <details (if any)>
For example:
2020-06-29 | Oleander | INFO | [security] DDCScanClientUnexpectedErrorProbe “error: error
probing scan client” “details: [scan_id:5432-5432-543254-2-5432]”
Usually, only the event type is printed out to the log (in the example above, it would be
DDCScanClientUnexpectedErrorProbe). You can find the full list of events with explanations in the appendix
"Security Audit Log Event Messages" on page 94.
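The following Python example is added here and is not part of the Thales product or guide. It parses lines in the security audit format described under "Security Audit Log Messages", accepting both the layout of the format line and the layout of the printed example (with or without a pipe after INFO), and ignores ordinary Oleander log lines. The sample lines and the event name ConstructedExampleEvent are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: two audit-line layouts (pipe after INFO or not, curly or
# straight quotes) plus one ordinary Oleander error line that is not an audit
# event. "ConstructedExampleEvent" is a made-up name, not one from the appendix.
SAMPLE_LOG = """\
2020-06-29 | Oleander | INFO | [security] DDCScanClientUnexpectedErrorProbe “error: error probing scan client” “details: [scan_id:5432-5432-543254-2-5432]”
2020-06-29 | Oleander | INFO [security] ConstructedExampleEvent
2020-02-20 19:53:08 | oleander | Error connecting to the scan service
2020-06-30 | Oleander | INFO | [security] DDCScanClientUnexpectedErrorProbe "error: error probing scan client"
"""

AUDIT_RE = re.compile(
    r"""^(?P<date>\S+(?:\s+\d{2}:\d{2}:\d{2})?)\s*\|\s*   # date, optional time
        oleander\s*\|\s*                                   # microservice name
        INFO\s*\|?\s*\[security\]\s*                       # audit marker, pipe optional
        (?P<event>\S+)                                     # event type
        (?P<rest>.*)$                                      # optional error / details
    """,
    re.IGNORECASE | re.VERBOSE,
)
# Quoted "error: ..." and "details: ..." fields, with straight or curly quotes.
FIELD_RE = re.compile(r'["“](error|details):\s*(.*?)["”]', re.IGNORECASE)
SCAN_ID_RE = re.compile(r"scan_id:([0-9A-Za-z-]+)")


def parse_audit_line(line):
    """Return a dict for a security audit line, or None for any other line."""
    match = AUDIT_RE.match(line.strip())
    if not match:
        return None
    record = {
        "date": match.group("date"),
        "event": match.group("event"),
        "error": None,
        "details": None,
    }
    for key, value in FIELD_RE.findall(match.group("rest")):
        record[key.lower()] = value.strip()
    return record


def audit_events(lines):
    """Yield parsed records for the audit lines found in an iterable of log lines."""
    for line in lines:
        record = parse_audit_line(line)
        if record is not None:
            yield record


def summarize(lines):
    """Count events by type and group events that carry an error by scan id.

    Events with an error but no scan id in their details are grouped under "-".
    """
    counts = Counter()
    errors_by_scan = defaultdict(list)
    for record in audit_events(lines):
        counts[record["event"]] += 1
        if record["error"] is None:
            continue
        scan = SCAN_ID_RE.search(record["details"] or "")
        errors_by_scan[scan.group(1) if scan else "-"].append(record["event"])
    return counts, dict(errors_by_scan)


if __name__ == "__main__":
    event_counts, scan_errors = summarize(SAMPLE_LOG.splitlines())
    for event, count in event_counts.most_common():
        print(f"{count:3d}  {event}")
    for scan_id, events in scan_errors.items():
        print(f"scan {scan_id}: {', '.join(events)}")
```
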
Enabling Syslog Logging
Audit records are logged to a local database by default. This is suitable for production systems and clusters
with a limited load. However, for clusters that support a large number of transactions, it is recommended to
configure the CipherTrust Manager to disable logging to a local database and enable logging using a
remote Syslog server. This significantly reduces cluster traffic and disk usage. For more information, refer to
the following sections in the “Thales CipherTrust Manager Administrator Guide”:
> “Disabling local database audit logging”
> “Configuring remote Syslog server”
> “Configuring Connection to a Syslog Server”
APPENDICES
Error Messages
This section lists the various error messages that the system can display, with explanations and solutions (if
available).
Error Message
Explanation
Branch Locations
"Branch Location name already exists"
(message on toast)
You tried to create a branch location with a name that is already taken
by another branch location.
SOLUTION: Choose another name.
Data Stores
"Data Store name already exists"
(message on toast)
You tried to create a data store with a name that is already taken by
another data store.
SOLUTION: Choose another name.
"A valid agent could not be found"
(Agent selection - on mouse-over on the data
store)
There is no active agent for this data store that the automatic agent
selection process has been able to detect.
SOLUTION: This requires additional research, such as checking if
the agent is installed on the data store, if it has the right type
(local/proxy), if it is of the right OS “flavor” (Linux, Windows), or of the
right type (e.g. database). Refer to the "Deployment Guide" for more
information on troubleshooting this issue.
Scans
"Scan name already exists"
(message on toast)
You tried to create a scan with a name that is already taken by
another scan.
SOLUTION: Choose another name.
"All Data Stores are disabled"
(message on toast)
You attempted to run a scan that has all data stores disabled.
SOLUTION: Enable at least one data store for the scan. Refer to the
"Managing Scans" on page 45 chapter for instructions.
"The following Data Stores are not accessible: <xyz>"
(message on toast)
You tried to scan a data store that is not accessible. The scan is
marked as Failed, and includes a warning icon with the message
"The data store <xyz> included in the scan is not accessible" on
mouse-over.
SOLUTION: Verify the connectivity from the agent to the data store.
Verify the data store configuration.
"One or more Data Stores are not accessible."
(on mouse-over on the scan fail icon)
The scan failed because the data store that is configured is
inaccessible. The data store failed after the scan was launched.
SOLUTION: There may be a number of reasons for this. To
troubleshoot a failed data store refer to "Managing Data Stores" on
page 32.
"The following Data Stores have no
agent available: <xyz>"
(on mouse-over on the scan fail icon)
You tried to scan a data store that had no agent available when the
scan was executed. There is a problem with the agent. The data
stores that failed are listed.
SOLUTION: This requires additional research, such as checking if
the agent is installed on the data store, if it has the right type
(local/proxy), if it is of the right OS “flavor” (Linux, Windows), or of the
right type (e.g. database). Refer to the "Deployment Guide" for more
information on troubleshooting this issue.
"Data Store has incorrect credentials"
(on mouse-over on the scan fail icon)
Data store credentials provided are incorrect so the scan cannot be
executed. These data stores are listed.
SOLUTION: Update the server credentials for the data store.
"One or more Data Stores have incorrect
credentials"
(message on toast)
The credentials for one or more data stores are no longer valid
(credentials modified, user deleted, and so on) preventing the scan
from completing.
SOLUTION: Reconfigure the data store and re-launch the scan.
"The scanner service is not available"
(message on toast)
You tried to run a scan with the scan engine unavailable.
SOLUTION: Check the status of the scan engine (the KeySecure
server).
"The following Data Stores have missing agents: <xyz>"
(message on toast)
This happens when an agent was assigned to the listed data store(s)
and then when a scan was launched, for some reason the assigned
agent could not be found on the server.
SOLUTION: Try to re-assign the agent in the data stores screen. If
this does not work, check the agent assigned to the <xyz> data
store.
"The following Data Stores have agent
errors: <xyz>"
(message on toast)
This happens when a management request for an agent fails (for
example, at verification or when setting it as a proxy) during the scan
execution.
SOLUTION: It is usually a transient issue. Wait a few minutes and
run the scan again. If it still fails, check the agent status.
"Error processing scan"
(message on toast)
This happens when the scan fails in the processing stage, that is
when the scan results are being processed by DDC.
SOLUTION: Run the scan again. If the error persists, contact Thales
support.
"Error connecting to HDFS"
(message on toast)
This happens when the scan fails because there is no HDFS
connectivity.
SOLUTION: Check the HDFS configuration in DDC (Hadoop
Services). Refer to the "Deployment Guide" for information on
configuring the DDC-HDFS connection.
"Error connecting to PQS"
(message on toast)
This happens when the scan fails because there is no PQS
connectivity.
SOLUTION: Check the HDFS configuration in DDC (Hadoop
Services) or PQS/Hadoop configuration in your Hadoop deployment.
Refer to the "Deployment Guide" for information on configuring the
DDC-PQS connection.
"Error checking the data allowance"
(message on toast)
This happens when DDC is not licensed. DDC sends a request for
data allowance to the license server and the server responds that
there is no license.
SOLUTION: Obtain and install a valid DDC license.
"One target path is missing"
(on mouse-over on the scan fail icon)
A scan failed because one or more target paths are missing.
SOLUTION: Open the scan for editing, by following the Edit link
embedded in the error message, and check which target path is
missing (it will be indicated by a yellow exclamation mark in the
Targets section).
"One database target has incorrect schema"
(on mouse-over on the scan fail icon)
A scan failed because one or more database targets have an
incorrect schema.
SOLUTION: Open the scan for editing, by following the Edit link
embedded in the error message, and check which target has an
incorrect schema (it will be indicated by a yellow exclamation mark in
the Targets section).
"One database target has incorrect table"
(on mouse-over on the scan fail icon)
A scan failed because one or more database targets have an
incorrect table.
SOLUTION: Open the scan for editing, by following the Edit link
embedded in the error message, and check which target has an
incorrect table (it will be indicated by a yellow exclamation mark in
the Targets section).
"One target has incorrect file extension"
(on mouse-over on the scan fail icon)
A scan failed because one or more targets have an incorrect file
extension.
SOLUTION: Open the scan for editing, by following the Edit link
embedded in the error message, and check which target has an
incorrect file extension (it will be indicated by a yellow exclamation
mark in the Targets section).
"One target has nested paths"
(on mouse-over on the scan fail icon)
A scan failed because one or more targets have nested paths.
SOLUTION: Open the scan for editing, by following the Edit link
embedded in the error message, and check which target has a nested
path (it will be indicated by a yellow exclamation mark in the Targets
section).
"The target <PATH> for Data Store <DATASTORENAME> is a file"
(on mouse-over on the scan fail icon)
A file cannot be a target of a data store.
SOLUTION: Open the scan for editing, by following the Edit link
embedded in the error message, and put a directory as the target path
(the failing target path will be indicated by a yellow exclamation mark
in the Targets section).
"The target <PATH> for Data Store <DATASTORENAME> is not a valid directory"
(on mouse-over on the scan fail icon)
The specified directory used as the target path is invalid.
SOLUTION: Open the scan for editing, by following the Edit link
embedded in the error message, and check the directory. The invalid
directory will be indicated by a yellow exclamation mark in the
Targets section.
"The target <PATH> for Data Store <DATASTORENAME> cannot be accessed"
(on mouse-over on the scan fail icon)
The specified path used as the target path is inaccessible.
SOLUTION: Open the scan for editing, by following the Edit link
embedded in the error message, and check the path. The
inaccessible path will be indicated by a yellow exclamation mark in
the Targets section.
Reports
"Report name already exists"
(message on toast)
You tried to create a report with a name that is already used in
another report.
SOLUTION: Choose another name.
"The version of the scan that was used
to generate the report can no longer be
found."
(message on toast)
Backup restore error. You tried to create a report using a scan that
cannot be found after restoring the system from backup. This
happens for older reports created before the backup when some data
is lost after restoring the system from backup. This error indicates
that some data was lost after restoring the system and as a result
there are some inconsistencies in the environment. In this case, the
scan version has been deleted in PostgreSQL or it cannot be found.
SOLUTION: None.
"The report template is configured with a
scan execution that can no longer be
found."
(message on toast)
Backup restore error. You tried to create a report based on a scan
execution that cannot be found after restoring the system from
backup. This happens for older reports created before the backup
when some data is lost after restoring the system from backup. This
error indicates that some data was lost after restoring the system and
as a result there are some inconsistencies in the environment. In this
case, the scan execution id cannot be found in PQS.
SOLUTION: None.
Classification Profiles
"Classification Profile name already exists"
(message on toast)
You tried to create a classification profile with a name that is already
taken by another classification profile.
SOLUTION: Choose another name.
Licensing
"DDC License not found - try again in a few minutes if you recently inserted one"
(message on toast)
Any action performed in the UI results in this message, because
there is no valid DDC license installed.
SOLUTION: Obtain and install a valid license.
"DDC License expired"
(message on toast)
Any action performed in the UI results in this message, because your
DDC license has expired.
SOLUTION: Obtain and install a valid license.
Hadoop Configuration
"Hadoop is not active. Please go to DDC Settings --> Hadoop"
(message on toast)
Problem communicating with Hadoop or DDC has not been
configured with Hadoop.
SOLUTION: Assuming that you have Hadoop deployed in your
environment, configure DDC to use it (DDC Settings --> Hadoop in
the KeySecure UI). For a detailed procedure, refer to the
"Deployment Guide".
"Error connecting to the PQS database"
(message on toast)
Problem communicating with the Phoenix Query Server database
(i.e. HBase).
SOLUTION: Check the PQS configuration in DDC (Hadoop
Services) or PQS/Hadoop configuration in your Hadoop deployment.
Refer to the "Deployment Guide" for information on configuring the
DDC-PQS connection.
"Error creating the PQS database schema"
(message on toast)
Problem communicating with the Phoenix Query Server database.
SOLUTION: Check the PQS configuration in DDC (Hadoop
Services) or PQS/Hadoop configuration in your Hadoop deployment.
Refer to the "Deployment Guide" for information on configuring the
DDC-PQS connection.
"Error using the PQS database schema"
(message on toast)
Problem communicating with the Phoenix Query Server database.
SOLUTION: Check the PQS configuration in DDC (Hadoop
Services) or PQS/Hadoop configuration in your Hadoop deployment.
Refer to the "Deployment Guide" for information on configuring the
DDC-PQS connection.
"Error connecting to HDFS"
(message on toast)
SOLUTION: Check the HDFS configuration in DDC (Hadoop
Services). Refer to the "Deployment Guide" for information on
configuring the DDC-HDFS connection.
"Invalid HDFS directory path: Not a directory"
(message on toast)
SOLUTION: Check the HDFS configuration in DDC (Hadoop
Services). Refer to the "Deployment Guide" for information on
configuring the DDC-HDFS connection.
"Incorrect credentials in the HDFS connection"
(message on toast)
SOLUTION:
1. Check the HDFS configuration in DDC (Hadoop Services). Refer
to the "Deployment Guide" for information on configuring the
DDC-HDFS connection.
2. Check that the authentication service is up and running.
"Incorrect HDFS URI"
(message on toast)
SOLUTION: Check the HDFS configuration in DDC (Hadoop
Services). Refer to the "Deployment Guide" for information on
configuring the DDC-HDFS connection.
"Invalid HDFS folder: the path to the folder does not exist"
(message on toast)
SOLUTION: Check the HDFS configuration in DDC (Hadoop
Services). Refer to the "Deployment Guide" for information on
configuring the DDC-HDFS connection.
"Invalid server certificate in the HDFS request"
(message on toast)
SOLUTION: Check the HDFS configuration in DDC (Hadoop
Services). Refer to the "Deployment Guide" for information on
configuring the DDC-HDFS connection.
"Incorrect credentials in the PQS connection"
(message on toast)
SOLUTION:
1. Check the PQS configuration in DDC (Hadoop Services) or
PQS/Hadoop configuration in your Hadoop deployment. Refer to
the "Deployment Guide" for information on configuring the
DDC-PQS connection.
2. Check that the authentication service is up and running.
"Invalid server certificate in the PQS request"
(message on toast)
SOLUTION: Check the PQS configuration in DDC (Hadoop
Services) or PQS/Hadoop configuration in your Hadoop deployment.
Refer to the "Deployment Guide" for information on configuring the
DDC-PQS connection.
"Your system does not meet the 16GB RAM minimum"
(message displayed across the bottom of all DDC screens)
DDC requires at least 16GB of RAM to be able to run properly.
SOLUTION: Increase the installed RAM to at least the
required minimum of 16GB.
Error Log Messages
This section lists the various error messages that DDC sends to the KeySecure log.
Error Message
Comment/Explanation
OLEANDER ERRORS
2020-02-20 19:53:08 | oleander | Error connecting to
the scan service
This error indicates a connectivity issue between Oleander
and Sundew/ER2.
2020-02-13 08:50:17 | oleander | DDC Error creating
the database schema.: error executing http request.
Code: 500 - Body:<html>
A schema is created to check the connectivity with the external
Hadoop database, so this error means that there is no
connectivity with Hadoop. It is possibly also related to "Error
creating the PQS database schema" in the UI.
"CLIENT_CREDENTIAL_PARTITION is not set"
CLIENT_CREDENTIAL_PARTITION variable is not set in
the config object.
"[Background-Processes] Error retrieving license
from DMV", "error", err
Oleander GetLicenses request against DMV has failed. This
error could have been caused by DMV being down.
"[Background-Processes] Error killing all agents
selections"
When the oleander instance loses its license or the current
license expires, all ongoing agent selections will stop. This
error is caused by an internal Oleander issue while these agent
selections are being shut down.
"[Background-Processes] Error killing all scan
watchers"
When the oleander instance loses its license or the current
license expires, all ongoing scan tracking will stop. This error
is caused by an internal Oleander issue during this scan
tracking shutdown.
"[Background-Processes] Error removing all scan
schedules due to DDC not licensed"
When the oleander instance loses its license or the current
license expires, all scheduled scans will be stopped. This
error is caused by an internal Oleander issue while these
scheduled scans are being stopped.
"[Background-Processes] Error starting agent
selection for datastores"
The listed Data Stores have no agent available.
"[Background-Processes] Error starting scans
watchers"
When the oleander instance receives a valid license from
DMV, all stopped agent selections must be resumed. This
error is caused by an internal Oleander issue during this agent
selections resuming.
"[Background-Processes] Error starting cron schedules"
    When the Oleander instance receives a valid license from DMV, all stopped scheduled scans must be resumed. This error is caused by an internal Oleander issue while these scheduled scans are being resumed.
"[Background-Processes] Error trying to migrate the PQS database"
    During the PQS configuration, an error occurred while trying to apply the changesets that update the database, create the tables, and so on.
"[Background-Processes] Error creating cron", "error", err
    The background_processes service constantly creates crons for checking the license status against DMV. This error is caused by an internal Oleander issue during the creation of one of these crons.
"[Background-Processes] Error with unmarshal."
    Any "unmarshal/unmarshalling" error is caused by an internal Oleander issue converting a golang object to JSON format or vice versa.
"[Background-Processes] Error while trying to update status to FAILED for datastore.", "name", ds.Name, "error", err
    When the background_processes service gets an invalid or expired license from DMV, all running scans must be stopped and set as FAILED. This message indicates an internal Oleander error changing the scan status for some scan.
"[Background-Processes] Error while trying to retrieve scans from background processes table"
    When the Oleander instance receives a valid license from DMV, all stopped normal scans must be resumed. This error is caused by an internal Oleander issue accessing the background processes table, which contains all the information needed to resume the scans.
"[Background-Processes] Watcher has failed updating scan status for scan", "name", sc.Scan.Name, "error", err
    The background_processes service is responsible for tracking the running scans and updating their Oleander status. This error message indicates an internal Oleander issue updating the scan_process table.
"Cannot retrieve the HDFS settings", "error", err
    Connectivity or internal Oleander error trying to retrieve HDFS settings from Citrus.
"Cannot retrieve the PQS settings", "error", err
    Connectivity or internal Oleander error trying to retrieve PQS settings from Citrus.
"Cannot find the country", "error", err
    Occurs when a user creates a BranchLocation and sets a country that is not registered in our DB.
"Cannot find the state", "error", err
    Occurs when a user creates a BranchLocation and sets a state ID that is not registered in our DB.
"Trying to verify if the country has states", "error", err
    Occurs when a user creates a BranchLocation and sets a state "Name" that is not registered in our DB.
"Missing tag %s for the default classification profiles", r
    When inserting default classification profiles, there is no tag that matches the correct Regulation.
"[Datastores] Error encrypting connection for datastore: ", "Name", d.Name
    Error when calling Scrim Helper to encrypt the Connection field for a datastore.
"[Datastores] Error while trying to create background process resource for datastore: ", "Name", d.Name
    When a datastore is created, a new row is inserted into the Background Processes table for further tracking. This error message indicates an internal Oleander issue inserting that row.
"[Datastores] Error selecting agent for datastore ", "Name", dsAAS.Name, "error", err
    No suitable agent has been found for this datastore.
"[Datastores] Error while trying to retrieve datastore for background process, agent selection might fail: ", "error", err
    Error retrieving a datastore from the DB for background processes purposes in a datastore.update operation.
"[Datastores] Error running automatic agent selection", "error", errAgentUpdate
    An internal Oleander error has occurred while trying to update the status of a datastore during the automatic agent selection.
"[Datastores] Error while trying to unmarshal datastore from background processes"
    An internal Oleander error has occurred while trying to translate a JSON object to a golang object while recovering the automatic agent selections.
"Error closing the json file", "error", err
    Oleander failed trying to close a JSON file.
"Error trying to close the families json file"
    Oleander reads a families JSON file for startup DB population. This error message indicates an internal Oleander error while closing this file.
"Error initializing the account", "error", *errPtr
    Oleander failed trying to set the initialization status to the accounts map.
"Error closing oleander", "error", err
    The Oleander service could not be closed.
"Error starting background processes", "error", err
    An error has occurred while trying to execute all background processes.
"Error connecting to HDFS", "error", err
    This happens when the scan fails because there is no HDFS connectivity.
"Error trying to close the info types json file"
    Oleander reads an infotypes JSON file for startup DB population. This error message indicates an internal Oleander error while closing this file.
"Error connecting to PQS", "error", err
    This happens when the scan fails because there is no PQS connectivity.
"Error closing the temporary file", "FileName", f.Name(), "error", err
    Oleander failed closing the temporary file used for decrypting the raw data file.
"Error deleting the temporary file", "FileName", f.Name(), "error", err
    Oleander failed deleting the temporary file used for decrypting the raw data file.
"Error trying to close the zip file", "error", merry.Wrap(err).WithHTTPCode(http.StatusBadRequest)
    Oleander failed closing the zip file used for decrypting the raw data file.
"Error changing the scan status", "error", err
    Internal Oleander error while trying to update the scan status in the Scan Process table.
"[Scan-Launcher] Error while trying to create background process resource for datastore", "name", rsc.Name
    Oleander inserts a row in the Background Processes table for further scan tracking. This message indicates an internal Oleander error while performing this insert.
"[Scan-Launcher] The scan watcher returned an error", "error", err
    Generic error message for any issue during the scan watcher process.
"[Scan-Launcher] Agent not found for datastore", "DS name", s.ScanDatastores[i].Datastore.Name, "error", err
    The listed Data Stores have no agent available.
"[Scan-Launcher] Error getting absolute paths", "DS name", s.ScanDatastores[i].Datastore.Name, "error", err
    Oleander was unable to retrieve the absolute paths of the mentioned datastore for further scan execution.
"[Scan-Launcher] Error getting connection path", "DS name", s.ScanDatastores[i].Datastore.Name, "error", err
    Oleander was unable to retrieve the connection paths of the mentioned datastore for further scan execution.
"[Scan-Launcher] Error retrieving the oleander context"
    Error while generating the Oleander service user. (This is the context for executing actions on behalf of the service itself, instead of a specific user.)
"[Scan-Launcher] Error while validating the scan"
    This is a generic error: one of the steps of the validation has failed (for example, some datastores are not ready or a probe has failed).
"[Scan-Launcher] Error while retrieving extensions"
    The extensions necessary for the scan execution could not be retrieved from the DB.
"[Scan-Launcher] Unable to initialize background process"
    The background process object could not be initialized, so the scan watcher cannot start.
"[Scan-Actions] Error found while trying to delete background process resource"
    When Oleander has finished tracking a scan, it removes the corresponding row from the background processes table. This error message indicates an internal Oleander issue removing that row.
"[Scan-Actions] Error trying to execute the Scan scheduled run", "error", err
    Oleander failed trying to add a scan schedule for a scan.
"Error changing the scan status", "error", err
    Generic error message for an issue during the update of the scan status.
"[Scan-Watchers] Watcher has failed getting scan status from scanned service", "scan", sc.Scan.Name, "error", err
    This indicates an underlying connectivity issue with Sundew.
"[Scan-Watchers] Watcher has failed updating scan status", "scan", sc.Scan.Name, "error", err
    Error updating the scan status in the scan process table.
"[Scan-Watchers] Error processing the report: ", "error", err
    The Oleander scan collector has failed trying to create the scan collector background process for the mentioned scan.
"[Scan-Watchers] Scan aborted, maximum wait for scan results exceeded", "MaxTimeInterruptedState (minutes)", o.Config.Er2MaxInterruptedTime/60, "scan", sc.Scan.Name, "current status", sc.Scan.ScanProcess.Status, "scan service status", er2MappedStatus
    The scan has been in the INTERRUPTED er2 state for too long. When it exceeds the timeout, the status is changed to FAILED in DDC.
"Error trying to parse er2 polling frequency from env"
    Oleander failed trying to read the ER2 POLLING FREQUENCY env variable from the config object.
"Error while trying to retrieve scans from background processes table", "error", err
    Oleander tried to retrieve all SCAN rows in the background processes table but it failed.
"Error trying to recover the scan watchers", "error", err
    One of the scan watchers instantiated by the recovery system has returned an error and stopped working.
"Wrong datastore credentials"
    Oleander was unable to reach a datastore due to credentials failure.
"Wrong target path defined"
    A scan has failed because the target path defined was not valid.
"Wrong db schema in target path"
    A scan has failed because the db schema defined was not valid.
"Wrong db table in target path"
    A scan has failed because the DB defined was not valid.
"Wrong defined file extension in target path"
    A scan has failed because a file was specified without an extension.
"Error connecting to the scan service"
    Oleander is unable to connect with ER2.
"Error processing the scan reports"
    Generic error while trying to process a scan report.
"No Data Allowance Licensing detected"
    Oleander does not have a Data Allowance record.
"Error reading the scan report"
    Generic error while trying to read a scan report.
"Probing path can be launched only on folders. Files are not supported"
    Scan failed because a file was specified as target instead of a folder.
"Probing a File or Directory that does not exist"
    Scan failed because the specified directory does not exist.

OLEANDER INFO

"[Background-Processes] This node was NOT selected as active node. Turning off background processes"
    Related to clustering, self-explanatory error.
"[Background-Processes] This node was selected as active node. Turning on background processes"
    Related to clustering, self-explanatory error.
"[Background-Processes] Recovering collectors"
    Oleander has received a valid license and recovers the collector processes that were stopped.
"[Background-Processes] Updating license from DMV"
    Oleander is requesting from DMV the licenses available for DDC.
"[Background-Processes] Global license status set to nil"
    Oleander is unlicensed.
"[Background-Processes] Global license status set to ", "newLicenseStatus", *newLicenseStatus
    Oleander license status is whatever newLicenseStatus is.
"[Background-Processes] Checking HDFS connectivity"
    Oleander is sending a ping to HDFS to check the connectivity.
"[Background-Processes] Cannot connect with HDFS", "error", err
    Oleander's ping against HDFS has failed. Oleander has no connectivity with HDFS.
"[Background-Processes] HDFS connectivity successful"
    Oleander has successfully performed a ping against HDFS. Oleander has connectivity with HDFS.
"[Background-Processes] Checking PQS connectivity"
    Oleander is sending a ping to PQS to check the connectivity.
"[Background-Processes] Cannot connect with PQS", "error", err
    Oleander's ping against PQS has failed. Oleander has no connectivity with PQS.
"[Background-Processes] PQS connectivity successful"
    Oleander has successfully performed a ping against PQS. Oleander has connectivity with PQS.
"[Background-Processes] License status has changed"
    Oleander license status has changed since the last license cron execution.
"[Background-Processes] Initializing fast cron: Oleander unlicensed","UnlicensedCronFrequency", o.Config.UnlicensedCronFrequency
    Oleander is unlicensed, so the license cron (which asks DMV for a DDC license) increments its frequency. The frequency is defined in the docker-compose file.
"[Background-Processes] Initializing fast cron: waiting for Hadoop connectivity","HadoopConnectivityCronFrequency", o.Config.HadoopConnectivityCronFrequency
    Oleander has a valid license but does not have connectivity with Hadoop.
"[Background-Processes] Initializing slow cron: Oleander licensed and Hadoop connectivity successful", "RunningCronFrequency", o.Config.RunningCronFrequency
    Oleander has a valid license and has connectivity with Hadoop, so the license cron decrements its frequency. The frequency is defined in the docker-compose file.
"[Background-Processes] About to run NO LICENSE scenario"
    Oleander has no valid license, so it will stop all running scan watchers, automatic agent selections and scan schedules.
"[Background-Processes] About to run VALID LICENSE scenario"
    Oleander didn't have a valid license but now has one, so all scan watchers, automatic agent selections and scan schedules that were stopped are being resumed.
"[Background-Processes] Recovering automatic agent selection"
    Part of the VALID LICENSE scenario above.
"[Background-Processes] Starting automatic agent selection for pending datastores", "pending datastores", strings.Join(ds, ", ")
    Part of the VALID LICENSE scenario above.
"[Background-Processes] Recovering watchers"
    Part of the VALID LICENSE scenario above.
"[Background-Processes] Starting watchers for ongoing scans", "ongoing scans", strings.Join(ss, ", ")
    Part of the VALID LICENSE scenario above.
"[Background-Processes] Recovering scan schedules"
    Part of the VALID LICENSE scenario above.
"[Background-Processes] Migrating PQS database"
    Self-explanatory message.
"[Background-Processes] Deleting background process for scan", "name", sc.Scan.Name
    Oleander has no valid license, so all scans are being stopped as well as their corresponding background processes.
"[Background-Processes] Updating status to FAILED for scan", "name", sc.Scan.Name
    Oleander has no valid license, so all scans are being stopped (with status FAILED).
"Cannot connect to HDFS", "settings", hdfsSettings, "error", err
    Oleander's ping against HDFS has failed. Oleander has no connectivity with HDFS.
"Cannot connect to PQS", "Settings", pqsSettings, "error", err
    Oleander's ping against PQS has failed. Oleander has no connectivity with PQS.
"[Datastores] Agent selected: ", "Name", a.Name
    Oleander has found and assigned a suitable agent for the mentioned datastore.
"Unable to connect with datastore", "datastore name", d.Name, "error", err
    A probe against the mentioned datastore has failed during a test connectivity check.
"Instantiating new scrim helper"
    Oleander is instantiating a new ScrimHelper object, which is used for communication with Scrim, Minerva, Sallyport and DMV.
"Instantiating new hdfs scan collector"
    Oleander is instantiating a new HDFSCollector object, which is used for communication and processing with HDFS.
"Instantiating scheduler cron"
    Oleander is instantiating a new SchedulerCron and starting the background processes.
"[WARNING] PQS connector can not be closed in GetSummaryReport service"
    Oleander was unable to close the PQS connector while executing a GetSummaryReport operation.
"[WARNING] PQS connector can not be closed in GetDatastoresDetailsReport service"
    Oleander was unable to close the PQS connector while executing a GetDatastoresDetailsReport operation.
"[WARNING] PQS connector can not be closed in GetReportTemplate service"
    Oleander was unable to close the PQS connector while executing a GetReportTemplate operation.
"[Scan-Actions] [WARNING] PQS connector can not be closed in GetScanExecutions service"
    Oleander was unable to close the PQS connector while executing a GetScanExecutions operation.
"[Scan-Watchers] Stop watcher signal received", "scan", sc.Scan.Name
    A running scan watcher has received a STOP signal and the current execution is cancelled.
"[Scan-Watchers] Watcher has failed stopping scan from scanned service"
    The scan has been in an INTERRUPTED status for too long, so Oleander has tried to stop the scan in ER2, but the request was unsuccessful.
"[Scan-Watchers] Watcher has detected different status", "scan", sc.Scan.Name, "current status", sc.Scan.ScanProcess.Status, "scan service status", er2MappedStatus
    The scan watcher has detected a change in the scan status. The scan status will be updated in DDC.
"[Scan-Watchers] Interrupted status received", "MaxTimeInterruptedState", o.Config.Er2MaxInterruptedTime, "scan", sc.Scan.Name, "current status", sc.Scan.ScanProcess.Status, "scan service Mapped status", er2MappedStatus, "scan service status", er2Status, "InterruptedTimestamp", sc.InterruptedTimestamp
    The scan watcher has received an INTERRUPTED status for the scan. The scan watcher will continue asking until the status changes or the timeout is exceeded.
"[Scan-Watchers] Scan has finished... collector starting", "scan", sc.Scan.Name
    The scan watcher has received a COMPLETED status for the scan. The scan status is set to PROCESSING in DDC and the scan collector starts.

SUNDEW INFO

"Asking for license status"
    Sundew is requesting from Oleander the DDC license status.
"Active license information received", "http ret code", c
    Sundew has received a valid license status from Oleander.
"Starting scan service..."
    Sundew is launching ER2.
"Connectivity test successful, scan service is up"
    Sundew confirms that ER2 is up and running.
"Generating scan service license...", "ID", s.er2Status.lastIssuedLicenseID
    Sundew is generating a license for ER2.
"Injecting license into scan service"
    Sundew is injecting the generated license into ER2.
"License won't be generated/refreshed in this iteration", "ID", s.er2Status.lastIssuedLicenseID, "checks (intervals)", s.Config.GeneratingLicenseItervals.er2Status.lastIssuedLicense
    No action is required from Sundew for this iteration regarding licensing.
"Not active license or product not licensed response received", "http ret code", c
    Sundew has received an invalid license status from Oleander.
"Scan service stopped"
    Sundew is stopping ER2.
"Unexpected error code in response for /license/status", "http ret code", c
    Sundew asked Oleander for the license status but got an unexpected response.

SUNDEW ERROR

"CLIENT_CREDENTIAL_PARTITION is not set."
    The CLIENT_CREDENTIAL_PARTITION variable is not set in the config object.
"Error trying to ask for license status", "error", err
    Sundew failed trying to request DDC status from Oleander.
"Error trying to start the scan service", "error", err
    Sundew failed trying to start ER2.
"Connectivity test to the scan service failed", "error", conErr
    Sundew failed trying to ping ER2. ER2 is down.
"Error during validation of received license", "error", err
    Sundew failed trying to validate the DDC license retrieved from Oleander.
"Error parsing the license ID", "error", err
    Sundew failed trying to parse the DDC license ID received from Oleander.
"Error while injecting license inside scan service", "error", err
    Sundew failed trying to inject the generated license into ER2.
"Error stopping scan service", "error", err
    Sundew failed trying to stop ER2.
"Error closing the response body", "error", err
    Sundew failed trying to close the HTTP response body from a request.
"Error closing sundew", "error", err
    Error when trying to close the Sundew service.
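The following triage script is an added example, not part of the Thales guide or the DDC code base: it groups log messages by the dependency that the table's explanations point at, folds a multi-line HTTP 500 body into its parent line, and reports the periods between the NO LICENSE and VALID LICENSE scenarios. The `timestamp | service | message` layout is assumed from the two complete sample lines in the table; the `sundew` service label and every line in `SAMPLE_LOG` are constructed.

```python
"""Triage DDC messages from the KeySecure log by the dependency they implicate."""
import re
from datetime import datetime

# Layout assumed from the two complete sample lines in the table:
#   <YYYY-MM-DD HH:MM:SS> | <service> | <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| (?P<service>\w+) \| (?P<msg>.*)$")
TAG_RE = re.compile(r"^\[(?P<tag>[\w-]+)\]\s*")

# Message fragments copied from the table, mapped to the dependency its
# explanation points at. Fragments are used because the guide does not show
# how the trailing key/value arguments are rendered in the log.
RULES = [
    (re.compile(r"Error connecting to the scan service|Connectivity test to the "
                r"scan service failed|scan status from scanned service"), "Sundew/ER2"),
    (re.compile(r"Error creating the database schema"), "Hadoop"),
    (re.compile(r"(Cannot connect (with|to)|Error connecting to) HDFS"), "HDFS"),
    (re.compile(r"(Cannot connect (with|to)|Error connecting to) PQS"), "PQS"),
    (re.compile(r"Error retrieving license from DMV"), "DMV"),
    (re.compile(r"Wrong (datastore credentials|.*target path)"), "scan target definition"),
]
NO_LICENSE = "About to run NO LICENSE scenario"
VALID_LICENSE = "About to run VALID LICENSE scenario"


def parse(text):
    """Return one event per log line; unmatched lines extend the previous event."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m is None:
            # For example, the HTML body that follows "Code: 500 - Body:<html>".
            if events and raw.strip():
                events[-1]["extra"].append(raw)
            continue
        msg = m["msg"]
        tag = TAG_RE.match(msg)
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "service": m["service"],
            "tag": tag["tag"] if tag else None,
            "msg": msg[tag.end():] if tag else msg,
            "extra": [],
        })
    return events


def classify(event):
    """Return the implicated dependency, or None for messages the rules skip."""
    for pattern, dependency in RULES:
        if pattern.search(event["msg"]):
            return dependency
    return None


def summarize(events):
    """Group matching events by dependency: count, first and last occurrence."""
    summary = {}
    for ev in events:
        dep = classify(ev)
        if dep is None:
            continue
        entry = summary.setdefault(dep, {"count": 0, "first": ev["ts"], "last": ev["ts"]})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ev["ts"])
        entry["last"] = max(entry["last"], ev["ts"])
    return summary


def unlicensed_windows(events):
    """Return (start, end) pairs; end is None if the log ends while unlicensed."""
    windows, start = [], None
    for ev in events:
        if NO_LICENSE in ev["msg"] and start is None:
            start = ev["ts"]
        elif VALID_LICENSE in ev["msg"] and start is not None:
            windows.append((start, ev["ts"]))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows


# Constructed sample input (message texts taken from the table, times invented).
SAMPLE_LOG = """\
2020-02-13 08:50:17 | oleander | DDC Error creating the database schema.: error executing http request. Code: 500 - Body:<html>
<head><title>Error 500</title></head>
</html>
2020-02-13 08:50:20 | oleander | [Background-Processes] Cannot connect with HDFS
2020-02-13 08:51:20 | oleander | [Background-Processes] Cannot connect with HDFS
2020-02-13 08:52:20 | oleander | [Background-Processes] HDFS connectivity successful
2020-02-13 09:00:00 | oleander | [Background-Processes] About to run NO LICENSE scenario
2020-02-13 09:00:01 | oleander | [Background-Processes] Updating status to FAILED for scan
2020-02-13 09:05:00 | sundew | Connectivity test to the scan service failed
2020-02-13 09:10:00 | oleander | [Background-Processes] About to run VALID LICENSE scenario
2020-02-13 09:12:00 | oleander | [Scan-Watchers] Watcher has failed getting scan status from scanned service
"""

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for dep, s in summarize(evs).items():
        print(f"{dep}: {s['count']} message(s), first {s['first']}, last {s['last']}")
    for start, end in unlicensed_windows(evs):
        print(f"unlicensed from {start} until {end or 'end of log'}")
```

Scans set to FAILED inside an unlicensed window are a licensing symptom according to the table, so check DMV before investigating the scan targets themselves.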
Reconfiguring Agents
In some situations, for example, if the hostname or IP address of the CipherTrust Manager appliance changes,
Agents' connection with DDC must be reconfigured with the new hostname or IP address.
Reconfiguring DDC Agents on Windows
To reconfigure a DDC Agent:
1. Log on to the host machine as administrator.
2. Open Enterprise Recon Configuration Tool (er2_config_cmd.exe).
By default, the tool is available at C:\Program Files (x86)\Ground Labs\Enterprise Recon 2\.
3. In the Master server IP address or host name field, specify the new hostname or IP address of the
CipherTrust Manager.
4. Click Test Connection. A message stating "Connectivity test is successful" confirms successful
reconfiguration.
5. Click Finish.
Reconfiguring DDC Agents on Debian
To reconfigure a DDC Agent:
1. Log on to the host machine as a user with root privileges.
2. Reconfigure connection with DDC on the CipherTrust Manager appliance.
sudo er2-config -i <hostname|ip_address>
Here, <hostname|ip_address> represents the new IP address or hostname of the CipherTrust
Manager appliance.
3. Restart the Agent service. Configuration settings will be effective after the Agent restarts.
sudo /etc/init.d/er2-agent restart
Reconfiguring DDC Agents on RHEL
To reconfigure a DDC Agent:
1. Log on to the host machine as a user with root privileges.
2. Reconfigure connection with DDC on the CipherTrust Manager appliance.
er2-config -i <hostname|ip_address>
Here, <hostname|ip_address> represents the new IP address or hostname of the CipherTrust
Manager appliance.
3. Restart the Agent service. Configuration settings will be effective after the Agent restarts.
/etc/init.d/er2-agent restart
Restarting DDC Agents
Restarting Agents on Windows
To restart a DDC Agent, run the following commands:
net stop "Enterprise Recon 2 Agent (<ARCH>)"
net start "Enterprise Recon 2 Agent (<ARCH>)"
Here, <ARCH> represents the Windows architecture - x32 or x64.
Restarting Agents on Debian
To restart a DDC Agent, run: sudo /etc/init.d/er2-agent restart
TIP: Alternatively, restart the Agent service by stopping it and then starting it again manually. Run
the following commands:
sudo /etc/init.d/er2-agent stop
sudo /etc/init.d/er2-agent start
Restarting Agents on RHEL
To restart a DDC Agent, run: # /etc/init.d/er2-agent restart
TIP: Alternatively, restart the Agent service by stopping it and then starting it again manually. Run
the following commands:
# /etc/init.d/er2-agent stop
# /etc/init.d/er2-agent start
Mounting an NFS Share
To mount an NFS share on a Proxy agent, run this command as root:
# mount <nfs-server-hostname|nfs-server-ipaddress>:</target/directory/share-name>
REST API
You can use the REST interface from the API playground, or via any REST client such as curl. To use the
REST interface from the API playground, acquire an authorization token and use it when making API calls.
Acquiring an Authorization Token
To acquire a token:
1. Open the CipherTrust Manager URL in a browser. The login page is displayed.
2. Click the API & CLI Documentation link. The API playground is displayed.
3. At the top right, click Authenticate.
4. Enter username and password.
5. Click POST.
NOTE: This acquires an API token and prefills it in the playground examples. The token
expires in 300 seconds (5 minutes). When it expires, repeat this process to acquire a new
token.
On successful token generation, the remaining token expiry time in seconds is displayed. Two new buttons,
Clear Credentials and Re Authenticate, are also displayed at the top right.
Using the Token
The authorization token acquired above is used in examples in the API playground. The token expires in 5
minutes; if expired, generate a new token, as described in "Acquiring an Authorization Token" above.
Making an API Call
To make an API call, find the API in the left pane and click it. In the right pane, specify the values of the required
parameters, and click the appropriate button in the playground (for example, POST, GET, DELETE, or Curl).
For example, to create a branch location on the CipherTrust Manager:
1. In the left pane of the API playground, click DDC.
2. Under ddc/system-settings/branch-locations, click Create. The Create section of the API playground
is displayed in the right pane.
3. In the body field, specify the parameters with their values, as shown below.
{
"name": "mybranch",
"city": "Paris",
"countryId": "18faaf74-c511-4086-a5fb-8062ecf2d8f4",
"stateId": ""
}
Expand schema under the body field for the names and types of fields. Mouse over each field to view its
description. The parameter names and casing in the body field must match those shown in the
schema. Also, ensure that parameters and their values are specified in double quotes.
4. Click POST.
Alternatively, to get an equivalent curl command, click the Curl button. The curl equivalent will be
shown in the text field below. Use the curl tool to run the command to make the REST API call.
Similarly, all API calls can be made by referring to the schema shown in the playground.
CLI
The CipherTrust Manager includes a CLI tool, named ksctl, that can be downloaded and run locally to control
a remote CipherTrust Manager appliance. ksctl exclusively uses the REST API to communicate with the
CipherTrust Manager, so anything that you can do with the tool, you can also do directly with the REST API.
Conversely, ksctl exposes most of the functionality of the REST API. It can perform management functions,
such as managing registration tokens and clients. ksctl is designed to be run from a remote system, not on
CipherTrust Manager itself.
To use the CLI:
1. Open the CipherTrust Manager URL in a browser.
2. Click the API & CLI Documentation link. The API playground is displayed.
3. At the top left, click CLI Guide. The CLI documentation is displayed.
4. At the top right, click the CLI download button. This downloads the ksctl_images.zip file.
5. Unzip the ksctl_images.zip file.
6. Set up the ksctl-os file for your system.
7. Run ksctl ddc to run Thales CipherTrust Data Discovery and Classification specific commands.
Refer to the CipherTrust Manager documentation for details. For details on commands related to Thales
CipherTrust Data Discovery and Classification, refer to the online documentation of ksctl ddc.
Information Types
Infotype Name | Category | Region
American Express | Financial | Global
Australian Bank Account Number | Financial | Oceania
Australian Business Number | Financial | Oceania
Australian Company Number | Financial | Oceania
Australian Driver License Number | Personal Data | Oceania
Australian Healthcare Identifier - Organisation | Medical | Oceania
Australian Individual Healthcare Identifier | Medical | Oceania
Australian Mailing Address | Personal Data | Oceania
Australian Medicare Card | Medical | Oceania
Australian Medicare Provider | Medical | Oceania
Australian Passport Number | Personal Data | Oceania
Australian Tax File Number | National ID | Oceania
Australian Telephone Number | Personal Data | Oceania
Austrian Driver License Number | Personal Data | Europe
Austrian Mailing Address | Personal Data | Europe
Austrian Passport Number | Personal Data | Europe
Austrian Personalausweis | National ID | Europe
Austrian SSN | National ID | Europe
Austrian Telephone Number | Personal Data | Europe
Belgian Driver License Number | Personal Data | Europe
Belgian eID | National ID | Europe
Belgian National Number | National ID | Europe
Belgian Passport Number | Personal Data | Europe
Belgian Telephone Number | Personal Data | Europe
Brazilian CPF | National ID | Americas
Brazilian Registro Geral | National ID | Americas
Bulgarian EGN | National ID | Europe
Canadian Bank Account Number | Financial | Americas
Canadian Health Service Number | Medical | Americas
Canadian Mailing Address | Personal Data | Americas
Canadian Passport Number | Personal Data | Americas
Canadian Personal Health Identification Number (PHIN) | Medical | Americas
Canadian Social Insurance Number | National ID | Americas
Canadian Telephone Number | Personal Data | Americas
Chilean RUN | National ID | Americas
China Union Pay | Financial | Global
Credentials username | Personal Details | Global
Credentials password | Personal Details | Global
Croatian OIB | National ID | Europe
Cypriot Passport Number | Personal Data | Europe
Czech Republic RC | National ID | Europe
Danish CPR | National ID | Europe
Danish Driver License Number | Personal Data | Europe
Danish Passport Number | Personal Data | Europe
Date Of Birth | Personal Data | Global
Date Of Birth (under 18) | Personal Data | Global
Diners Club | Financial | Global
Discover | Financial | Global
Drug Enforcement Agency Number | Medical | Americas
Dutch Burgerservicenummer | National ID | Europe
Dutch Driver License Number | Personal Data | Europe
Dutch NIK | National ID | Europe
Dutch Passport Number | Personal Data | Europe
Dutch Telephone Number | Personal Data | Europe
Email addresses | Personal Data | Global
Ethnicity (English) | Personal Data | Global
European EHIC | Medical | Europe
Finnish HETU | National ID | Europe
French Carte Vitale | National ID | Europe
French CNI | National ID | Europe
French Driver License Number | Personal Data | Europe
French INSEE | National ID | Europe
French Mailing Address | Personal Data | Europe
French Passport Number | Personal Data | Europe
French Telephone Number | Personal Data | Europe
Gambian National Identification Number | National ID | Africa
Gender (English) | Personal Data | Global
Generic Bank Account Number | Financial | Global
German Driver License Number | Personal Data | Europe
German Mailing Address | Personal Data | Europe
German Passport Number | Personal Data | Europe
German Personalausweis | National ID | Europe
German Telephone Number | Personal Data | Europe
Greek AFM | National ID | Europe
Greek AMKA | National ID | Europe
Greek Passport Number | Personal Details | Europe
Hong Kong ID | National ID | Asia
Hungarian Personal ID | National ID | Europe
Icelandish Kennitala | National ID | Europe
International Bank Account Number (IBAN) | Financial | Global
IP Address | Personal Data | Global
Iranian National Identification Number | National ID | Asia
Irish Driver License Number | Personal Data | Europe
Irish Passport Card Number | Personal Data | Europe
Irish Passport Number | Personal Data | Europe
Irish Personal Public Service Number | National ID | Europe
Irish Telephone Number | Personal Data | Europe
ISO8583 message with PAN | Financial | Global
Israeli Bank Account Number | Financial | Asia
Israeli Identity Number | National ID | Asia
Italian CARTA D'IDENTITÀ | National ID | Europe
Italian Codice Fiscale | National ID | Europe
Italian Driver License Number | Personal Data | Europe
Italian Mailing Address | Personal Data | Europe
Italian Passport | Personal Data | Europe
Italian Telephone Number | Personal Data | Europe
Japanese Bank Account Number | Financial | Asia
Japanese Driver License Number | Personal Data | Asia
Japanese Passport Number | Personal Data | Asia
Japanese Resident Registration Number | National ID | Asia
Japanese Social Insurance Number (SIN) | National ID | Asia
JCB | Financial | Global
Laser | Financial | Global
Latvian Personas Kods | National ID | Europe
License Number | Personal Data | Global
Login credentials | Personal Data | Global
Luxembourg Driver License Number | Personal Data | Europe
Luxembourg ID | National ID | Europe
Luxembourg Passport Number | Personal Data | Europe
Luxembourg Phone Number | Personal Data | Europe
MAC Address | Personal Data | Global
Macedonian UMCN | National ID | Europe
Maestro | Financial | Global
Malaysian NRIC | National ID | Asia
Maltese eID | National ID | Europe
Mastercard | Financial | Global
Medicare Beneficiary Identifier (MBI) | Patient Health Data | North America
Mexican CURP | National ID | Americas
New Zealand Inland Revenue Number | National ID | Oceania
New Zealand Mailing Address | Personal Data | Oceania
New Zealand Passport Number | Personal Details | Oceania
New Zealand Telephone Number | Personal Data | Oceania
Norwegian Birth Number | National ID | Europe
Norwegian Driver License Number | Personal Data | Europe
Norwegian Passport Number | Personal Data | Europe
Passport Number | Personal Data | Global
Peoples Republic of China ID | National ID | Asia
Personal Names (Austrian) | Personal Data | Europe
Personal Names (Belgian) | Personal Data | Europe
Personal Names (English) | Personal Data | Global
Personal Names (French) | Personal Data | Europe
Personal Names (German) | Personal Data | Europe
Personal Names (Italian) | Personal Data | Europe
Personal Names (Netherlands) | Personal Data | Europe
Personal Names (Polish) | Personal Data | Europe
Personal Names (Portuguese) | Personal Data | Europe
Polish Driver License Number | Personal Data | Europe
Polish Identity Card | National ID | Europe
Polish Mailing Address | Personal Data | Europe
Polish Passport Number | Personal Data | Europe
Polish PESEL | National ID | Europe
Polish Telephone Number | Personal Data | Europe
Portuguese Citizen's Card | National ID | Europe
Portuguese Driver License Number | Personal Data | Europe
Portuguese Fiscal Number | National ID | Europe
Portuguese Identity Number | National ID | Europe
Portuguese Mailing Address | Personal Data | Europe
Portuguese Passport Number | Personal Data | Europe
Portuguese Phone Number | Personal Data | Europe
Private Label Card | Financial | Global
Profanity (English) | Personal Details | Global
Religion (English) | Personal Data | Global
Romanian Identity Card | National ID | Europe
Romanian Numerical Personal Code | National ID | Europe
Saudi Arabia National ID | National ID | Asia
Serbian UMCN | National ID | Europe
Singaporean NRIC | National ID | Asia
Slovakian RC | National ID | Europe
Slovenian EMSO | National ID | Europe
South African Identity Number | National ID | Africa
South Korean Corporation Registration Number (법인등록번호) | Financial | Asia
South Korean Driver License Number | Personal Data | Asia
South Korean Foreigner Number | National ID | Asia
South Korean Gwangju Bank (광주은행) Account Number | Financial | Asia
South Korean Jeju Bank (제주은행) Account Number | Financial | Asia
South Korean Jeonbuk Bank (전북은행) Account Number | Financial | Asia
South Korean KB Bank (국민은행) Account Number | Financial | Asia
South Korean KEB Hana Bank (KEB하나은행) Account Number | Financial | Asia
South Korean NH Bank (농협은행) Account Number | Financial | Asia
South Korean Passport | Personal Data | Asia
South Korean Phone Number | Personal Data | Asia
South Korean RRN | National ID | Asia
South Korean Shinhan Bank (신한은행) Account Number | Financial | Asia
South Korean Taxpayer Identification Number (사업자등록번호) | Financial | Asia
Spanish DNI | National ID | Europe
Spanish Driver License Number | Personal Data | Europe
Spanish NIE | National ID | Europe
Spanish Passport Number | Personal Data | Europe
Spanish Social Security Number | National ID | Europe
Spanish Telephone Number | Personal Data | Europe
Sri Lankan National Identity Card | National ID | Asia
Swedish Driver License Number | Personal Data | Europe
Swedish Nationellt ID-kort | National ID | Europe
Swedish Passport Number | Personal Data | Europe
Swedish Personnummer | National ID | Europe
SWIFT Code | Financial | Global
Swiss Social Security Number | National ID | Europe
Taiwanese ID | National ID | Asia
Thai Population Identification Code | National ID | Asia
Troy | Financial | Global
Turkish Identification Number | National ID | Europe
Turkish Telephone Number | Personal Data | Europe
United Arab Emirates ID | National ID | Asia
United Kingdom Community Health Index | Medical | Europe
United Kingdom Driver License Number | Personal Data | Europe
United Kingdom Electoral Roll Number | Personal Data | Europe
United Kingdom Health and Care Number | Medical | Europe
United Kingdom Mailing Address | Personal Data | Europe
United Kingdom National Health Service Number | Medical | Europe
United Kingdom NI Number | National ID | Europe
United Kingdom Passport Number | Personal Data | Europe
United Kingdom Self Assessment UTR Number | National ID | Europe
United Kingdom Telephone Number | Personal Data | Europe
United Kingdom VAT Number | Financial | Europe
United States Bank Account Number | Financial | Americas
United States Driver License Number | Personal Data | Americas
United States Health Insurance Claim Number | Medical | Americas
United States Health Plan Identifier | Medical | Americas
United States Individual Taxpayer Identification Number (ITIN) | National ID | Americas
United States Mailing Address | Personal Data | Americas
United States National Provider Identifier | Medical | Americas
United States Passport Number | Personal Details | North America
United States Routing Transit Number | Financial | Americas
United States Social Security Number | National ID | Americas
United States Telephone Number | Personal Data | Americas
Visa | Financial | Global
Yugoslavia UMCN | National ID | Europe
Supported Formats
Files
Type | Format
Compressed | bzip2, Gzip (all types), TAR, Zip (all types)
Databases | Access, DBase, SQLite, MSSQL MDF & LDF
Images | BMP, FAX, GIF, JPG, PDF (embedded), PNG, TIF
Microsoft Backup Archive | Microsoft Binary / BKF
Microsoft Office | v5, 6, 95, 97, 2000, XP, 2003 onwards
Open Source | Star Office / Open Office / Libre Office
Open Standards | PDF, RTF, HTML, XML, CSV, TXT
Office files
WORD
> Legacy: Legacy filename extensions denote binary Microsoft Word formats that became outdated with the release of Microsoft Office 2007. Although the latest version of Microsoft Word can still open them, they are no longer developed. Legacy filename extensions include:
• .doc – Legacy Word document; Microsoft Office refers to them as "Microsoft Word 97 – 2003 Document"
• .dot – Legacy Word templates; officially designated "Microsoft Word 97 – 2003 Template"
• .wbk – Legacy Word document backup; referred to as "Microsoft Word Backup Document"
> OOXML: The Office Open XML (OOXML) format was introduced with Microsoft Office 2007 and has been the default format of Microsoft Word ever since. Related file extensions include:
• .docx – Word document
• .docm – Word macro-enabled document; same as docx, but may contain macros and scripts
• .dotx – Word template
• .dotm – Word macro-enabled template; same as dotx, but may contain macros and scripts
• .docb – Word binary document introduced in Microsoft Office 2007
EXCEL
> Legacy: Legacy filename extensions denote binary Microsoft Excel formats that became outdated with the release of Microsoft Office 2007. Although the latest version of Microsoft Excel can still open them, they are no longer developed. Legacy filename extensions include:
• .xls – Legacy Excel worksheets; officially designated "Microsoft Excel 97-2003 Worksheet"
• .xlt – Legacy Excel templates; officially designated "Microsoft Excel 97-2003 Template"
• .xlm – Legacy Excel macro
> OOXML: The Office Open XML (OOXML) format was introduced with Microsoft Office 2007 and has been the default format of Microsoft Excel ever since. Excel-related file extensions of this format include:
• .xlsx – Excel workbook
• .xlsm – Excel macro-enabled workbook; same as xlsx but may contain macros and scripts
• .xltx – Excel template
• .xltm – Excel macro-enabled template; same as xltx but may contain macros and scripts
POWERPOINT
> Legacy:
• .ppt – Legacy PowerPoint presentation
• .pot – Legacy PowerPoint template
• .pps – Legacy PowerPoint slideshow
> OOXML:
• .pptx – PowerPoint presentation
• .pptm – PowerPoint macro-enabled presentation
• .potx – PowerPoint template
• .potm – PowerPoint macro-enabled template
• .ppam – PowerPoint add-in
• .ppsx – PowerPoint slideshow
• .ppsm – PowerPoint macro-enabled slideshow
• .sldx – PowerPoint slide
• .sldm – PowerPoint macro-enabled slide
ACCESS
> Legacy:
• .ade – Protected Access Data Project (not supported in 2013)
• .adp – Access Data Project (not supported in 2013)
• .mdb – Access Database (2003 and earlier)
• .cdb – Access Database (Pocket Access for Windows CE)
• .mda – Access Database, used for add-ins (Access 2, 95, 97), previously used for workgroups (Access 2)
• .mdt – Access Add-in Data (2003 and earlier)
• .mdf – Access (SQL Server) detached database (2000)
• .mde – Protected Access Database, with compiled VBA and macros (2003 and earlier)
• .ldb – Access lock files (associated with .mdb)
> Available formats since Access 2007:
• .accdb – The file extension for the new Office Access 2007 file format. This takes the place of the MDB file extension
• .accde – The file extension for Office Access 2007 files that are in "execute only" mode. ACCDE files have all Visual Basic for Applications (VBA) source code hidden. A user of an ACCDE file can only execute VBA code, but not view or modify it. ACCDE takes the place of the MDE file extension
• .accdt – The file extension for Access Database Templates
• .accdr – A new file extension that enables you to open a database in runtime mode. By simply changing a database's file extension from .accdb to .accdr, you can create a "locked-down" version of your Office Access database. You can change the file extension back to .accdb to restore full functionality
OTHER
• .pub – a Microsoft Publisher publication
• .xps – an XML-based document format used for printing (on Windows Vista and later) and preserving documents
Databases
> Microsoft SQL
> Oracle
> DB2
Big Data
> Hadoop
Security Audit Log Event Messages
The following table contains a complete list of security audit log event messages that DDC prints in the log file.
Message | Explanation
DDCScanClientInvalidCredentialsProbe | A probe with invalid credentials.
DDCScanClientUnexpectedErrorProbe | An unknown probe error.
DDCPhoenixBackgroundProcessAuthenticationError | A failed authentication against PQS in background processes.
DDCPhoenixUpdatePQSSettingsAuthenticationError | A failed authentication against PQS updating PQS settings.
DDCHDFSUpdateHDFSettingsAuthenticationError | A failed authentication against HDFS updating HDFS settings.
DDCHDFSBackgroundProcessAuthenticationError | A failed authentication against HDFS in background processes.
DDCUnauthorizedCloneRequest | An unauthorized CLONE request.
DDCUnauthorizedGetRequest | An unauthorized GET request.
DDCUnauthorizedListRequest | An unauthorized LIST request.
DDCUnauthorizedListPaginatedRequestWithContext | An unauthorized LIST PAGINATED request with context.
DDCUnauthorizedCreateRequest | An unauthorized CREATE request.
DDCUnauthorizedUpdateRequest | An unauthorized UPDATE request.
DDCUnauthorizedListProvisionedRequest | An unauthorized LIST PROVISIONED request.
DDCUnauthorizedGetProvisionedRequest | An unauthorized GET PROVISIONED request.
DDCUnauthorizedGetActiveNodeRequest | An unauthorized GET ACTIVE NODE request.
DDCUnauthorizedTestConnectivityRequest | An unauthorized TEST CONNECTIVITY request.
DDCUnauthorizedGetLicenseRequest | An unauthorized GET LICENSE request.
DDCUnauthorizedDecryptRawDataFileRequest | An unauthorized DECRYPT RAW DATA FILE request.
DDCUnauthorizedGetDatastoreReportRequest | An unauthorized GET DATASTORE REPORT request.
DDCUnauthorizedFindScanRequest | An unauthorized FIND SCAN request.
DDCUnauthorizedScanActionRequest | An unauthorized SCAN ACTION request.
DDCPQSUnaccessibleGetSummaryReportError | An inaccessible PQS in GET SUMMARY REPORT request.
DDCPQSUnaccessibleGetDatastoreDetailReportError | An inaccessible PQS in GET DATASTORE DETAIL REPORT request.
DDCPQSUnaccessibleGetDataObjectsDetailsReportError | An inaccessible PQS in GET DATAOBJECTS DETAIL REPORT request.
DDCPQSUnaccessibleGetInfotypesSummaryReportError | An inaccessible PQS in GET INFOTYPES SUMMARY REPORT request.
DDCPQSUnaccessibleGetDataObjectsSummaryReportError | An inaccessible PQS in GET DATAOBJECTS SUMMARY REPORT request.
DDCPQSUnaccessibleGetScanDetailsReportError | An inaccessible PQS in GET SCAN DETAILS REPORT request.
DDCPQSUnaccessibleCreateReportTemplateError | An inaccessible PQS in CREATE REPORT TEMPLATE request.
DDCPQSUnaccessibleGetReportTemplateError | An inaccessible PQS in GET REPORT TEMPLATE request.
DDCPQSUnaccessibleFindReportTemplatesError | An inaccessible PQS in FIND REPORT TEMPLATE request.
DDCPQSUnaccessibleUpdateReportTemplateError | An inaccessible PQS in UPDATE REPORT TEMPLATE request.
DDCPQSUnaccessibleGetScanExecutionsError | An inaccessible PQS in GET SCAN EXECUTIONS request.
DDCResourceRetrievalGenericCloneError | A GENERIC CLONE request.
DDCResourceRetrievalGenericGetError | A GENERIC GET request.
DDCResourceRetrievalGenericListError | A GENERIC GET request.
DDCResourceRetrievalGenericListPaginatedRequestError | A GENERIC LIST PAGINATED request.
DDCResourceRetrievalGenericCreateError | A GENERIC CREATE request.
DDCResourceRetrievalGenericUpdateError | A GENERIC UPDATE request.
DDCResourceRetrievalGenericListProvisionError | A GENERIC LIST PROVISION request.
DDCDatastoreDecryptDataEncryptionKeyNotFoundError | A GET KEY request.
DDCDatastoreEncryptDataError | An ENCRYPT DATA request.
DDCScanWatcherInterruptedTimeout | An INTERRUPTED TIMEOUT request.
DDCScanClientRetrieveScanTimeout | A RETRIEVE SCAN TIMEOUT request.
DDCScanActionRequest | A SCAN ACTION request.
DDCDatastoreUpdateRequest | A DATASTORE UPDATE request.
DDCDatastoreCreateRequest | A DATASTORE CREATE request.
DDCScanDeleteRequest | A SCAN DELETE request.
DDCSummaryReportGetRequest | A GET SUMMARY REPORT request.
DDCDatastoreDetailReportGetRequest | A GET DATASTORE DETAILS REPORT request.
DDCDataObjectsDetailReportGetRequest | A GET DATASTORE DETAILS REPORT request.
DDCInfotypesSummaryReportGetRequest | A GET INFOTYPES SUMMARY REPORT request.
DDCDataObjectsSummaryReportGetRequest | A GET DATAOBJECTS SUMMARY REPORT request.
DDCScanDetailsReportGetRequest | A GET SCAN DETAILS REPORT request.