Thales CipherTrust Data Discovery and Classification
ADMINISTRATOR GUIDE

Document Information

Product Version: 2.0.0
Release Date: 08 December 2020

Trademarks

Thales CipherTrust Data Discovery and Classification is powered by Groundlabs. All intellectual property is protected by copyright. All trademarks and product names used or referred to are the copyright of their respective owners. No part of this document may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, chemical, photocopy, recording or otherwise without the prior written permission of Thales.

Disclaimer

Thales makes no representations or warranties with respect to the contents of this document and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, Thales reserves the right to revise this publication and to make changes from time to time in the content hereof without the obligation upon Thales to notify any person or organization of any such revisions or changes.

We have attempted to make these documents complete, accurate, and useful, but we cannot guarantee them to be perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct them in succeeding releases of the product.

You are responsible for ensuring your own compliance with various laws and regulations, including but not limited to any data privacy or data protection regulation. You are solely responsible for obtaining advice from competent legal counsel to assist you in the identification and interpretation of any relevant laws and regulations that may affect your business and the implementation of any actions you may need to take to ensure you meet your compliance obligations with respect to such laws and regulations.
The software, the products, services, and any other capabilities described or provided herein are not suitable for all situations and may have restricted availability or applicability. Thales does not provide legal, accounting, or auditing advice, nor does it represent or warrant that its software, services, or products will ensure that you are in compliance with any law or regulation.

Thales invites constructive comments on the contents of this document. Send your comments, together with your personal and/or company details to the address below.

Contact Method                      Contact Information
Address                             Thales, 4690 Millennium Drive, Belcamp, Maryland 21017, USA
Phone                               US 1-800-545-6608; International 1-410-931-7520
Email                               technical.support.DIS@thalesgroup.com
Technical Support Customer Portal   https://supportportal.thalesgroup.com

Existing customers with a Technical Support Customer Portal account can log in to manage incidents, get the latest software upgrades, and access the Thales Knowledge Base.

Thales CipherTrust Data Discovery and Classification 2.0.0 : Administrator Guide 08 December 2020, Copyright © 2020 Thales Group. All rights reserved.

CONTENTS

Document Information  2
Preface: About this Document  7
  Audience  7
  What's in This Guide  7
  Organization  7
  Document Conventions  8
    Hyperlinks  8
    Notifications  8
    Command Syntax and Typeface Conventions  9
  Related Documents  10
Solution Overview  11
  Sensitivity Levels  13
  Information Types  13
    Creating Custom Infotypes  13
    Character Type Rules Explained  15
    Examples of Custom Infotypes  16
Licensing  18
  Trial License  18
  Full License Options  18
  Viewing the License Status  19
  What If My License Stopped Working?  19
Encryption Keys Used by DDC  21
DDC User Groups  22
  System Predefined Groups  22
  User Defined Groups  23
Accessing and Interacting With DDC  24
  Accessing DDC in the Console  24
Managing Branch Locations  25
  Viewing Branch Locations  25
  Adding Branch Locations  25
Managing Classification Profiles  27
  Viewing Classification Profiles  27
  Classification Profile Templates  28
  Adding Classification Profiles  28
    Select Profile Template  28
    General Info  28
    Select Infotypes  29
    Apply Tags  29
  Viewing Details of Classification Profiles  30
  Editing Classification Profiles  30
  Duplicating Classification Profiles  31
Managing Data Stores  32
  Viewing Data Stores  32
  Adding Local Stores  33
    Select Store Type  33
    Configure Connection  33
    General Info  34
    Add Tags & Access Control  34
  Adding Network Stores  35
    Prerequisites for Network Storage Data Stores  35
    Creating a Data Store  35
      Creating a Windows Data Store  35
      Creating a Linux Data Store  36
    Configuring a Data Store - General Information  37
    Configuring a Data Store – Tags and Access Control  37
  Adding Database Stores  37
    Select Store Type  37
    Configure Connection  38
    General Info  39
    Add Tags & Access Control  39
    Allowing Remote Connections to PostgreSQL Server  40
  Adding Big Data Stores  40
    Select Store Type  40
    Configure Connection  41
    General Info  41
    Add Tags & Access Control  41
  Editing Data Stores  42
  Automatic Agent Selection  43
Managing Scans  45
  Viewing Scans  45
  Adding Scans  46
    General Info  46
    Select Data Stores  46
    Add Targets  47
    Select Profiles  47
    Schedule Scan  48
  Running Scans  49
    Scan Statuses  49
    Potential Problems When Running Scans  50
  Removing Scans  50
Managing Reports  52
  Viewing Reports  52
    Report Types  52
  Creating Reports  53
    General Info  53
    Configure Content  53
  Generating Reports  55
  Report Details  55
Logging  57
  Default Logging Level  57
  Identifying DDC Log Messages  57
  Security Audit Log Messages  57
  Enabling Syslog Logging  58
APPENDICES  59
  Error Messages  59
  Error Log Messages  67
  Reconfiguring Agents  77
    Reconfiguring DDC Agents on Windows  77
    Reconfiguring DDC Agents on Debian  77
    Reconfiguring DDC Agents on RHEL  77
  Restarting DDC Agents  78
    Restarting Agents on Windows  78
    Restarting Agents on Debian  78
    Restarting Agents on RHEL  78
  Mounting an NFS Share  78
  REST API  79
    Acquiring an Authorization Token  79
    Using the Token  79
    Making an API Call  79
  CLI  80
  Information Types  81
  Supported Formats  91
    Files  91
    Office files  91
    Databases  93
    Big Data  93
  Security Audit Log Event Messages  94

PREFACE: About this Document

This introductory section identifies the audience, provides a brief summary of the contents of this guide, and discusses the documentation conventions used. It contains the following sections:

> "Audience" below
> "What's in This Guide" below
> "Organization" below
> "Document Conventions" on the next page

Audience

This document is intended for Thales CipherTrust Data Discovery and Classification (DDC) users responsible for classification of data discovered on data stores. It is assumed that the users of this document are proficient with security and data discovery concepts.
All products manufactured and distributed by Thales are designed to be installed, operated, and maintained by personnel who have the knowledge, training, and qualifications required to safely perform the tasks assigned to them. The information, processes, and procedures contained in this document are intended for use by trained and qualified personnel only.

Thales designs data security products for use by file server administrators, network administrators, security engineers, database administrators, application developers, and other technology professionals responsible for daily operations in support of data security.

What's in This Guide

This guide explains data discovery concepts such as data stores, branch locations, classification profiles, and data discovery scans. The document also explains how to generate scan-based reports on the discovered data. Finally, the document describes how to read generated reports.

Organization

The Thales CipherTrust Data Discovery and Classification Administrator Guide contains the following chapters:

1. "Solution Overview" on page 11
   Describes data discovery concepts such as branch locations, classification profiles, sensitivity levels, tags, data stores, data discovery scans, and user roles and permissions.
2. "Licensing" on page 18
   Describes different types of DDC licenses.
3. "DDC User Groups" on page 22
   Describes all predefined groups of DDC users with their rights to use various product features.
4. "Accessing and Interacting With DDC" on page 24
   Introduces the primary channel to interact with DDC, the console.
5. "Managing Branch Locations" on page 25
   Describes how to add and view branch locations.
6. "Managing Classification Profiles" on page 27
   Describes how to add, view, and duplicate classification profiles.
7. "Managing Data Stores" on page 32
   Describes how to add and edit different types of data stores. The types of data stores are local, network, database, and big data.
8. "Managing Scans" on page 45
   Describes how to add, run, and view scans.
9. "Managing Reports" on page 52
   Describes how to configure and run aggregated reports on the discovered data.
10. "APPENDICES" on page 59
   Additional useful information and tools related to system administration, such as system error messages, handy commands, and additional interfaces for interacting with the product.

Document Conventions

This section describes the formatting conventions used in this user guide to indicate hyperlinks, special notes, important information, tips, and warnings.

Hyperlinks

Hyperlinked text will, by default, appear in a shade of purple. For example: All technical document templates can be found on the Technical Writing Community page.

Notifications

This user guide uses notes, tips, and warnings to alert you to important information that may help you to complete your task, or prevent personal injury, damage to the equipment, or data loss.

Notes

Notes are used to alert you to important or helpful information. These elements use the following format:

NOTE
Take note. Notes contain important or helpful information that you want to make stand out to the user.

Cautions

Cautions are used to alert you to important information that may help prevent unexpected results or data loss. These elements use the following format:

CAUTION!
Exercise caution. Caution alerts contain important information that may help prevent unexpected results or data loss.

Warnings

Warnings are used to alert you to the potential for catastrophic data loss or personal injury.
These elements use the following format:

**WARNING**
Be extremely careful and obey all safety and security measures. In this situation you might do something that could result in catastrophic data loss or personal injury.

Command Syntax and Typeface Conventions

Convention: bold
   The bold attribute is used to indicate the following:
   > Button names (Click Save As.)
   > Check box and radio button names (Select the Print Duplex check box.)
   > Dialog box titles (On the Protect Document dialog box, click Yes.)
   > Field names (User Name: Enter the name of the user.)
   > Menu names (On the File menu, click Save.) (Click Menu > Go To > Folders.)
   > User input (In the Date box, type April 1.)

Convention: italic
   The italic attribute is used for emphasis or to indicate a related document. (See the Thales CipherTrust Data Discovery and Classification Customer Release Notes for more information.)

Convention: Double quote marks
   Double quote marks enclose references to other sections within the document. For example: Refer to "Disclaimer" on page 2.

Convention: <variable>
   In command descriptions, angle brackets represent variables. You must substitute a value for command line arguments that are enclosed in angle brackets.

Convention: [ optional ], [ <optional> ]
   Square brackets enclose optional keywords or <variables> in a command line description. Optionally enter the keyword or <variable> that is enclosed in square brackets, if it is necessary or desirable to complete the task.

Convention: [ a | b | c ], [ <a> | <b> | <c> ]
   Square brackets enclose optional alternate keywords or variables in a command line description. Choose one command line argument enclosed within the brackets, if desired. Choices are separated by vertical (OR) bars.

Convention: { a | b | c }, { <a> | <b> | <c> }
   Braces enclose required alternate keywords or <variables> in a command line description. You must choose one command line argument enclosed within the braces. Choices are separated by vertical (OR) bars.

Related Documents

The following documents contain related or additional information:

> Thales CipherTrust Data Discovery and Classification Deployment Guide
> Thales Data Platform Installation Guide
> Thales CipherTrust Data Discovery and Classification Customer Release Notes

You can view or download the latest version of the CRN for this release at this location: https://supportportal.thalesgroup.com

Solution Overview

This section describes the main components of the Thales CipherTrust Data Discovery and Classification (DDC) solution. The concepts used in this diagram are briefly discussed in this section and explained at length in the later sections of this document.

> KeySecure, DDC Server: At the heart of the DDC solution is CipherTrust Manager, on which the DDC Server runs. It is from here that users interact with the DDC GUI or use the DDC APIs to create classification profiles, add data stores, launch scans, and generate reports.
> REST APIs, GUI: Various types of interfaces used to interact with DDC.
> Hadoop, PQS, HDFS: DDC uses Hadoop to generate reports from scans and to store their results (report data). DDC can directly query HDFS, but it requires Phoenix Query Server (PQS) to interface with Hadoop's HBase.
> DDC Agent, Proxy Agent, Local Agent: DDC Agents perform the actual scanning jobs and report the results back to the DDC Server for analysis and processing. DDC supports two types of Agent configurations: Local Agents are installed and configured directly on the machine that contains sensitive data; Proxy Agents are installed and configured on a proxy machine that is used to scan sensitive data on other machines.
> Data Store: A data store is where the data actually resides. It can be a file server, a database, or a Hadoop cluster. For more information see "Managing Data Stores" on page 32.
> Local storage: A type of data store, a file system (Windows or Linux) that is local to the same machine where the Agent scanning it is installed.
> NFS, CIFS: A type of data store, a network share (Windows or Linux) that resides on a different machine than the one where the Agent scanning it is installed.
> Branch Locations: A branch location specifies a site where the file servers, databases, and data centers that contain data to scan are located. Branch locations are used to indicate where different data stores are physically located. For more information see "Managing Branch Locations" on page 25.
> Sensitivity Levels: A sensitivity level defines how sensitive the data is. Sensitivity levels are required in creating classification profiles and data stores. For more information see "Sensitivity Levels" on the next page.
> Information Types: An information type (or infotype) categorizes data to look for during a scan. A large number of predefined information types are available to better categorize the data. For more information see "Information Types" on the next page.
> Tags: A tag helps group data together. Tags are used to filter data for generating reports. They can be specified when creating data stores and classification profiles. DDC includes a number of predefined tags. The predefined tags are APA, APPI, CCPA, FINANCIAL, GDPR, HEALTH, HIPAA, KVKK, LEGAL, PCI, PERSONAL, PHI, PII, and SHIELD. DDC also provides the ability to create custom tags when creating data stores and classification profiles.
> Classification Profiles: A classification profile defines what kind of sensitive information to search for during a scan. It includes information such as a sensitivity level, information types, and tags. Classification profiles can be created based on predefined templates or custom templates. For more information see "Managing Classification Profiles" on page 27.
> Data Objects: A file or a database table stored in a data store is called a Data Object.
> Sensitive Data Objects: A data object that contains any data match is called a Sensitive Data Object.
> Data Matches: A concrete instance of any of the infotypes is called a Data Match.
> Risks: A risk is the presence of a sensitive data object in an unprotected data store.
> Scans: A scan is an entity that helps in scanning data stores. Each scan specifies the location to scan and what to look for during scanning. Findings of scans can be used to generate reports for different purposes. Scans can be either run manually (any time) or scheduled to run and stop at a specified time. For more information see "Managing Scans" on page 45.

Sensitivity Levels

A sensitivity level defines how sensitive the data is. Sensitivity levels are required in creating classification profiles and data stores. Prebuilt sensitivity levels are:

> None: The sensitivity level for such data has not yet been specified.
> Public: Specifies the least sensitive data with no specific need for data security. Such data can be shared with anybody.
> Internal: Specifies data with low sensitivity. Exposure of such data may not affect an organization, but it is not meant for public disclosure.
> Private: Specifies that the data is personal. Such data should be protected from public viewing.
> Restricted: Specifies highly sensitive data, for example, customers' personal data and trade secrets. This type of data requires the best possible data security. Disclosure of such data can lead to severe financial and legal consequences for an organization. Businesses must prioritize remediation efforts related to this type of data.

Information Types

An information type (infotype) categorizes data to look for during a scan. A large number of prebuilt information types are available to better categorize the data. Different regions and countries can have different regulatory requirements, so these information types are categorized based on geographical regions. These regions are Global, Africa, Americas, Asia, Europe, and Oceania.

The information types can be further categorized into:

> Financial: Financial data such as credit card numbers and bank account details.
> Personal Data: Personal data such as age, gender, race, and religion.
> Medical: Medical data such as history of medical problems and disabilities.
> National ID: National identity documents such as Social Security Number (SSN).

For a list of all available predefined information types, refer to the appendix "Information Types" on page 81. DDC also allows you to create custom information types. For more information, see "Creating Custom Infotypes" below.

Creating Custom Infotypes

You can create a custom information type if you require one. This is done from the Infotypes screen. To access it, click Settings and then Infotypes in the sidebar on the left.

1. Click the +Add Infotype button in the top right corner of the Infotypes screen. The Add Infotype wizard is displayed.
   a. In the General Info step of the wizard, provide the following information for your new infotype:
      – Name: Choose a name for your infotype.
      – Category: Select a category to which your infotype belongs (Financial, Personal Data, Medical, or National ID).
      – Family: Select a family for your infotype. A family is a subcategory inside the Category, and the choice of options depends on what you selected in the Category menu. The following families are available inside their corresponding categories:
         Financial: Credit/Debit Cards; Bank Account Info
         Medical: Patient Health Data
         National ID: Personal Identification
         Personal Data: Email addresses; Login credentials; Card Number; Ethnicity; License Number; Roll Number; Passport Number; Date Of Birth; MAC Address; Mailing Address; Telephone Number; Gender; Religion; IP Address; Phone Number; Name
      – Region: Select the region for your infotype (Global, Africa, Americas, Asia, Europe, or Oceania).
      Click Next to go to the next step of the wizard.
   b. In the Infotype Definition step of the wizard, you configure the rules for your new information type. You configure the rules in the Simple View tab, and then you can view these rules as translated into an expression of the internal language of the DDC engine in the Expert View tab (the expression in the Expert View is read-only). To configure the rules for your new information type, click to expand the Add Rules menu in the Simple View tab and select one of the following types:
      – Character: Search for one or more specific characters as specified in the Select Rule menu. If the character is found, the location will be returned as a match. For a list of available character type rules, refer to "Character Type Rules Explained" on the next page. Use the From and To controls to set the number of consecutive occurrences of the selected character.
      – Phrase: Search for a specific pattern as defined in the Phrase textbox (in layman's terms, it is used to look for specific words). Searching for phrases is case insensitive.
      – Built-In: Pre-defined infotypes can be used in combination with other types (Character or Phrase). The complete list of built-in information types is available in the appendix "Information Types" on page 81.
      Use the Apply button to complete your selection. The selection is displayed in the list of defined infotype rules. You can remove it from the list of rules by clicking the Remove link on its right.
      You can use each of these types on their own, or combine them to form a more complex rule involving multiple types in various configurations. See "Examples of Custom Infotypes" on page 16 for some examples.

   NOTE
   > Due to a known limitation, it is currently not possible to have two built-in infotypes one after the other. They must be separated by something, such as an infotype of another type, or even a plain space. For example: "american express" " " "english name"
   > Due to a known limitation, when adding a range of characters, all the possible combinations inside the range will appear as matches. For example, for a range of numbers from 1 to 4, when a document contains the sequence "1234", the search will yield the following matches: "1", "12", "123" and "1234".
   > When you introduce spaces at the beginning or the end of the phrase, the spaces are removed. Also, when you introduce more than one space between words, only one space is considered.

2. Click Save to save your new infotype. Your new information type has been added and is now listed in the Infotypes screen, marked 'Custom' in the Type column.

Character Type Rules Explained

Specific predefined characters are used to create custom infotypes using character based rules. They are explained below:

Rule                        Expert View Keyword   Match
Space                       SPACE                 Any white-space character.
Horizontal space            HSPACE                Tab characters and all Unicode "space separator" characters.
Vertical space              VSPACE                All Unicode "line break" characters.
Any                         BYTE                  Wildcard character that will match any character.
Alphanumeric                ALNUM                 ASCII numerical characters and letters.
Alphabet                    LETTER                ASCII alphabet characters.
Digit                       DIGIT                 ASCII numerical characters.
Printable                   PRINTABLE             Any printable character.
Printable ASCII only        PRINTABLEASCII        Any printable ASCII character, including horizontal and vertical white-space characters.
Printable non-alphabet      PRINTABLENONALPHA     Printable ASCII characters, excluding alphabet characters and including horizontal and vertical white-space characters.
Printable non-alphanumeric  PRINTABLENONALNUM     Printable ASCII characters, excluding alphanumeric characters and including horizontal and vertical white-space characters.
Graphic                     GRAPHIC               Any ASCII character that is not a white-space or control character.
Same line                   SAMELINE              Any printable ASCII character, including horizontal white-space characters but excluding vertical white-space characters.
Non-alphanumeric            NONALNUM              Symbols that are neither a number nor a letter; e.g. apostrophes ', parentheses (), brackets [], hyphens -, periods ., and commas ,.
Non-alphabet                NONALPHA              Any non-alphabet character; e.g. ~ ` ! @ # $ % ^ & * ( ) _ - + = { } | [ ] : ; " ' < > ? / , . 1 2 3 ...
Non-digit                   NONDIGIT              Any non-numerical character.

Examples of Custom Infotypes

Example 1. You want to search for a "Driver License Number" from Illinois, whose format is "M532-42181341".
You would then create the following rule:

   Character  Alphabet  From 1 to 1 Times
   Character  Digit     From 3 to 3 Times
   Phrase     -
   Character  Digit     From 4 to 4 Times
   Phrase     -
   Character  Digit     From 4 to 4 Times

The above example will have the following syntax in the Expert View:

   RANGE LETTER TIMES 1-1 THEN RANGE DIGIT TIMES 3-3 THEN WORD NOCASE '-' THEN RANGE DIGIT TIMES 4-4 THEN WORD NOCASE '-' THEN RANGE DIGIT TIMES 4-4

In this rule, the expression "Character Alphabet From 1 to 1 Times" means that you only expect one alphabetic character, the expression "Character Digit From 3 to 3 Times" means that you expect exactly three digits, and the expression "Phrase -" means that you expect to find a hyphen (-) in the sequence.

Example 2. You want to search for a name and last name separated by a number of spaces between 1 and 3. To that end you would create the following rule:

   Phrase     John
   Character  Space  From 1 to 3
   Phrase     Gordon

The above example will have the following syntax in the Expert View:

   WORD NOCASE 'John' THEN RANGE SPACE TIMES 1-3 THEN WORD NOCASE 'Gordon'

This rule will allow you to search for a combination of "John" and "Gordon" with one through three spaces between them. By comparison, using the rule Phrase John Gordon will only allow you to search for the combination "John Gordon", with only one space. Any additional spaces in the phrase will be truncated.

Example 3. You want to search for the Spanish NIE (foreigners' identity number) preceded by the phrase "NIE:" and a number of spaces between 0 and 5. For example, "NIE: X8691474Q". To that end you would create the following rule:

   Phrase     NIE
   Character  Space  From 0 to 5
   Built-in   Spanish NIE

The above example will have the following syntax in the Expert View:

   INCLUDE 'DEFINE_NID' WORD NOCASE 'NIE' THEN RANGE SPACE TIMES 0-5 THEN REFER 'NID_SPAIN_NIE'

This rule will find both "NIE: X8691474Q" and "nie: x8691474q", since searching (regardless of the type Character, Phrase, or Built-in) is case insensitive.

Licensing

Trial License

Thales CipherTrust Data Discovery and Classification (DDC) is deployed with a trial license already installed and activated "out of the box". This allows you to enjoy a fully-functional product for 90 days and up to 1 TB of data allowance.

After the trial license expires, the DDC configuration in CipherTrust Manager becomes read-only. While you still have access to your old reports, you are not able to generate new ones, add new targets, or create new scans. You have to contact Thales Group to request a full license and install it in CipherTrust Manager. For more information on obtaining and installing licenses, refer to the "Licensing" section in the "Thales CipherTrust Manager Administrator Guide".

CAUTION!
Data allowances of the trial license and full license do not add up! After installing a new full license your data allowance will be that of the new license only (for example, if your trial license has 1 TB data allowance and your full license 50 TB, after installing the full license your data allowance will be 50 TB, not 51 TB).

Full License Options

Under the full license you get a fully-functional product with a specified data allowance and for a specific period of time. The license model offers you enough flexibility to choose an option that best suits your needs in terms of the license duration and prospective data allowance.
You can choose from among these values:

> Expiration period
  • 1 year
  • 2 years
  • 3 years
> Data allowance
  • 15 TB
  • 50 TB
  • 100 TB
  • 150 TB
  • 250 TB
  • 500 TB
  • 1 PB
  • 1.5 PB
  • 3 PB
  • Unlimited

Viewing the License Status

To view the status of your DDC license:

1. Log in to CipherTrust Manager and navigate to the licenses screen (Admin Settings > Licensing).
2. Search for DDC_Data_Allowance in the list of installed features.
   TIP
   Use the Search box if the list is too long and you cannot quickly find the DDC_Data_Allowance entry.
3. Having found the DDC license, you have a few options available:
   • You can quickly check its status by looking at the State column in the DDC_Data_Allowance entry. It can be either Active or Expired.
   • You can check the license expiration date in the Expiration column.
   • If the license is still active, you can view additional details about it. To do that, click the black arrow on the left of DDC_Data_Allowance to expand the whole entry. This displays the Client Usage card, with information about the total data allowance that you have (Total), the amount of data allowance that you have already used up (Used), and the amount of data allowance that you still have available (Available).

NOTE
If the Available figure has a negative value, it means that you have used up and exceeded your available data allowance. However, you can still run scans, and the data from the scans is stored by DDC. The amount of this extra data stored is reflected by the negative value. You can access this data after you install a new license.

NOTE
After installing or removing a license you have to wait some time for that action to be reflected in the licenses screen (usually, about one minute).

What If My License Stopped Working?

A license - trial or full - can stop working in one of the following cases:

> A trial license expires: you cannot run new scans. However, the data collected so far is not deleted, so you can still generate reports based on it, and you can access it again when you install a new license.
> The data allowance of a trial license is used up: you can continue scanning but you cannot generate reports. However, the data from scans is stored, so after you install a new license you are able to access the data and generate reports.
> A license is deleted: DDC stops working but the data is not deleted, so you just have to reinstall the license or install a new one.
> You overwrite a trial license with a full one: the new license takes over the data stored under the trial license.
> A full license expires: it is the same case as the expired trial license above.
> The data allowance of a full license is used up: it is the same case as the trial license with data allowance used up above.

Encryption Keys Used by DDC

DDC uses AES256 encryption to protect sensitive data. For that purpose, DDC creates a number of encryption keys that are stored in CipherTrust Manager. You can find these DDC keys in the Keys & Access Management application in CipherTrust Manager:

> Four encryption keys to protect the Hadoop configuration before storing it inside the DDC Database. Each key is used to protect one configuration parameter (PQS Server, PQS credentials, HDFS Server, and HDFS credentials). These keys have the following format: citrus-<UUID> (for example, citrus-6e0cb668-3a3d4f2c-8687-17092b83b41b).
> As many encryption keys as there are data stores, and each key is used to encrypt the data store credentials before storing them inside the DDC Database, and to encrypt the results of the scans completed in that data store, before storing them in HDFS. These keys have the following format: d<UUID> (for example, d8b2d8404-c9ae-4a34-800a-01258dfaa383). > As many encryption keys as there are scans, and each key is used to encrypt the scan data before storing it in HDFS. These keys have the following format: s<UUID> (for example, s14912791-bed5-4e73-b7336a36ecfe338f). **WARNING** These keys must never be deleted, or DDC will not be able to process the related scans or data stores properly. Thales CipherTrust Data Discovery and Classification 2.0.0 : Administrator Guide 08 December 2020, Copyright © 2020 Thales Group. All rights reserved. 21 DDC User Groups DDC User Groups System Predefined Groups DDC has different kinds of users with different responsibilities in administering and using the system. A number of predefined groups are included to ensure that users are granted minimal permissions needed to perform their tasks while ensuring flexibility to meet security requirements across industries. The table below lists all DDC predefined groups with their rights to use various DDC features. R/W in a cell means that the user has view and edit rights to this aspect of the product. R means that the user has only view rights. 1. Admins can see their own and other users' reports. Admins can also decrypt scan packages from the Hadoop database. 2. DDC Admins can only see their own reports. 3. DDC Report Admins can only see their own reports. Thales CipherTrust Data Discovery and Classification 2.0.0 : Administrator Guide 08 December 2020, Copyright © 2020 Thales Group. All rights reserved. 22 DDC User Groups 4. DDC Full Report Admins can only see their own reports. 5. 
The difference between Report Admins and Full Report Admins is that Full Report Admins do not need access to specific user defined groups to be able to view or generate reports that use data stores restricted to user defined groups. For more information, see "User Defined Groups" below. 6. Scan Viewers are allowed to run scans. 7. DDC Store Viewers, DDC Store Admins, and DDC L3 Support do not have access to custom infotypes. The users belonging to the "L3 Support" group are DDC Support Administrators. These users can help identify and troubleshoot issues you may encounter when using DDC. They can also can also decrypt scan packages from the Hadoop database. User Defined Groups Apart from system predefined groups, DDC also allows you to create user defined groups. User defined groups are used to prevent certain users from viewing sensitive information in reports. These groups are defined by the CipherTrust Manager Admin in Keys & Access Management -> Groups in CipherTrust Manager. In DDC, they are applicable when creating a Data Store, in the Data Store creation wizard when you are granting access to selected groups. See "Managing Data Stores" on page 32 for details (the ACCESS: Selected group/s setting in "Configuring a Data Store – Tags and Access"). In other words, a data store that is restricted to a specific user defined group is visible to all the groups with permissions to see data stores, the same goes for scans. However, a user without a permission to see a data store which is restricted to a group, but with a permission to create and generate reports, will not be able to generate reports for those data stores. For this user, the scan executions will not be visible in the New Report wizard. NOTE The only users that do not have to belong to a specific user defined group to be able to see reports for all the data stores are Full Report Admins and Admins. 
For example, if a user created a report that has Data Store "DS1" but the data store is restricted to a specific group, that user will see the report template, but when he tries to access the report he will get an "insufficient permissions" error. Thales CipherTrust Data Discovery and Classification 2.0.0 : Administrator Guide 08 December 2020, Copyright © 2020 Thales Group. All rights reserved. 23 Accessing and Interacting With DDC The primary channel to interact with Thales CipherTrust Data Discovery and Classification (DDC) is through the CipherTrust Manager's GUI, also called the console. The console allows you to perform the management operations, such as managing data stores and scans. You can also interact with DDC by using the CLI tool or REST API. > CLI tool - The CipherTrust Manager includes a CLI tool, named ksctl, that can be downloaded and run locally to control a remote CipherTrust Manager appliance. For more information, refer to "CLI" on page 80. > REST API - You can use the REST interface from the API playground, or via any REST client such as curl. For more information, refer to "REST API" on page 79. In this guide we provide instructions to perform all management functions such as creating branch locations and data stores only through the CipherTrust Manager console (GUI). Accessing DDC in the Console Use this procedure to get access to the DDC features in the GUI. 1. Open the CipherTrust Manager URL in a browser. The log in page is displayed. 2. Enter Username and Password. 3. Click Log In. The GUI of the CipherTrust Manager is displayed. By default, the Applications page is displayed with links to various applications. 4. Click the Data Discovery link to open the Data Discovery application. Thales CipherTrust Data Discovery and Classification 2.0.0 : Administrator Guide 08 December 2020, Copyright © 2020 Thales Group. All rights reserved. 
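The WARNING under "Encryption Keys Used by DDC" above, together with the REST API mentioned here, suggests a routine check to run before any key clean-up in CipherTrust Manager: pull the key inventory and make sure nothing matching the DDC naming patterns is on the deletion list. The following Python script is an added example, not code from the Thales guide or from the product. The key-name patterns are the ones the guide documents; the endpoint paths (POST /api/v1/auth/tokens, GET /api/v1/vault/keys2), their response fields and the pagination parameters are assumptions to confirm in your CipherTrust Manager API playground; the inventory used in the stand-alone run is constructed.

```python
"""Check a CipherTrust Manager key inventory for the keys DDC depends on.

Added example, not from the Thales guide. Key-name patterns are the ones
the guide documents; the REST endpoints and response fields used in
fetch_key_names() are ASSUMPTIONS to verify against your CipherTrust
Manager API playground.
"""
import json
import re
import ssl
import urllib.request
from typing import Dict, Iterable, List

# 8-4-4-4-12 lower-case hex, as in the guide's examples.
UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
DDC_KEY_PATTERNS = {
    "hadoop_config": re.compile(rf"^citrus-{UUID}$"),  # 4 keys: PQS/HDFS server + credentials
    "data_store": re.compile(rf"^d{UUID}$"),           # one per data store
    "scan": re.compile(rf"^s{UUID}$"),                 # one per scan
}


def classify_ddc_keys(names: Iterable[str]) -> Dict[str, List[str]]:
    """Group key names by the DDC role their name encodes; the rest go to 'other'."""
    groups: Dict[str, List[str]] = {role: [] for role in DDC_KEY_PATTERNS}
    groups["other"] = []
    for name in names:
        for role, pattern in DDC_KEY_PATTERNS.items():
            if pattern.match(name):
                groups[role].append(name)
                break
        else:
            groups["other"].append(name)
    return groups


def protected_key_names(names: Iterable[str]) -> List[str]:
    """Every key DDC created: per the guide, these must never be deleted."""
    groups = classify_ddc_keys(names)
    return sorted(k for role, ks in groups.items() if role != "other" for k in ks)


def hadoop_config_keys_intact(names: Iterable[str]) -> bool:
    """The guide states exactly four citrus- keys protect the Hadoop configuration."""
    return len(classify_ddc_keys(names)["hadoop_config"]) == 4


def unsafe_deletions(candidates: Iterable[str], inventory: Iterable[str]) -> List[str]:
    """Subset of a proposed deletion list that would break DDC scans or data stores."""
    return sorted(set(candidates) & set(protected_key_names(inventory)))


def fetch_key_names(base_url: str, username: str, password: str, ca_file: str) -> List[str]:
    """Fetch all key names over the CipherTrust Manager REST API.

    ASSUMED endpoints/fields: POST /api/v1/auth/tokens -> {"jwt": ...};
    GET /api/v1/vault/keys2?limit=&skip= -> {"resources": [{"name": ...}], "total": N}.
    TLS is verified against ca_file; do not disable verification (curl -k) in production.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    body = json.dumps({"grant_type": "password", "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{base_url}/api/v1/auth/tokens", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        jwt = json.load(resp)["jwt"]
    names: List[str] = []
    skip, limit = 0, 100
    while True:
        req = urllib.request.Request(f"{base_url}/api/v1/vault/keys2?limit={limit}&skip={skip}",
                                     headers={"Authorization": f"Bearer {jwt}"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            page = json.load(resp)
        names.extend(k["name"] for k in page["resources"])
        skip += limit
        if skip >= page["total"]:
            return names


# Constructed inventory for a stand-alone run (not real key names).
SAMPLE_INVENTORY = [
    "citrus-0a1b2c3d-4e5f-4a6b-8c7d-0e1f2a3b4c5d",
    "citrus-1a1b2c3d-4e5f-4a6b-8c7d-0e1f2a3b4c5e",
    "citrus-2a1b2c3d-4e5f-4a6b-8c7d-0e1f2a3b4c5f",
    "citrus-3a1b2c3d-4e5f-4a6b-8c7d-0e1f2a3b4c50",
    "d9f8e7d6c-5b4a-4938-8271-60504f3e2d1c",
    "d0f8e7d6c-5b4a-4938-8271-60504f3e2d1d",
    "s7c6b5a49-3827-4160-9504-f3e2d1c0b9a8",
    "s8c6b5a49-3827-4160-9504-f3e2d1c0b9a9",
    "s9c6b5a49-3827-4160-9504-f3e2d1c0b9aa",
    "payroll-db-tde-key",      # unrelated application key
    "d-not-a-ddc-key",         # starts with 'd' but is not a DDC key
]

if __name__ == "__main__":
    proposed = ["payroll-db-tde-key", "d9f8e7d6c-5b4a-4938-8271-60504f3e2d1c"]
    print("Hadoop config keys intact:", hadoop_config_keys_intact(SAMPLE_INVENTORY))
    print("Blocked deletions:", unsafe_deletions(proposed, SAMPLE_INVENTORY))
```

To run it against a live appliance, replace SAMPLE_INVENTORY with fetch_key_names(...) once the endpoint names have been confirmed; the classification and the four-key check stay the same.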
Managing Branch Locations

You manage branch locations through the Branch Locations page, which you open by clicking Settings > Branch Locations in the Data Discovery sidebar on the left. From the Branch Locations page you can:

> View all currently available branch locations. See "Viewing Branch Locations" below.
> Create a new branch location. See "Adding Branch Locations" below.

Viewing Branch Locations

The Branch Locations page lists the available branch locations and shows the total number of existing branch locations. It shows the following details:

Item            Description
Site Name       Name of the branch location.
Country         Name of the country.
State/Province  Name of the state/province. This field applies to the United States only. For other countries, the field is unavailable, indicated by N/A.
City            Name of the city.

TIP Use the Search text box to filter branch locations. Search results display branch locations whose names contain the specified text.

Adding Branch Locations

Adding a branch location requires specifying the country and city where the branch is located. To add a branch location:

1. Click + Add Location on the right of the Branch Locations page.
2. In the Add Branch Location dialog box, enter the following details:

   Item            Description
   Site Name       Specify a unique name for the branch location. The name must be longer than two characters and up to 64 characters. This field is mandatory.
   Country         Select the country from the drop-down list. This field is mandatory.
   State/Province  Select the state/province from the drop-down list. This field applies to the United States only. For other countries, the field is unavailable.
   City            Specify the name of the city. This field is mandatory.
   Description     Describe the branch location (up to 250 characters).

3. Click Save.

The newly created location appears on the Branch Locations page. By default, branch locations are displayed in alphabetical order by name. Depending on the number of entries per page, you might need to navigate to other pages to see the newly created branch location.

Managing Classification Profiles

You manage classification profiles through the Classification Profiles page, which you open by clicking Classification Profiles in the Data Discovery sidebar on the left. From the Classification Profiles page you can:

> View all the available classification profiles. See "Viewing Classification Profiles" below.
> Create a new classification profile. See "Adding Classification Profiles" on the next page.
> View details of a selected classification profile. See "Viewing Details of Classification Profiles" on page 30.
> Modify an existing classification profile. See "Editing Classification Profiles" on page 30.
> Create a new classification profile from an existing one. See "Duplicating Classification Profiles" on page 31.

Viewing Classification Profiles

The Classification Profiles page lists the available classification profiles. Initially, the page shows only the prebuilt classification profile templates. Newly created and duplicated classification profiles are also shown on this page (duplicating a classification profile creates a copy of an existing profile with identical properties). Additionally, the page shows the total number of available profiles. The list view shows the following details:

Item         Description
Name         Name of the classification profile.
Infotypes    Number of infotypes linked with the profile.
Sens. Level  Sensitivity level applied to the profile.
Modified     Time when the profile was last modified.
Tags         Number of applied tags.

TIP
> Use the Search text box to filter classification profiles. Search results display classification profiles whose names contain the specified text.
> By default, classification profiles are listed in ascending alphabetical order of their names. Classification profiles can be sorted by name and by sensitivity level.
> Classification profiles can be filtered using the Sens. Level filter.

Classification Profile Templates

Classification profiles can be created from predefined templates or from custom templates. The following predefined templates are available:

> Blank: Lets you specify a custom sensitivity level, information types, and tags for the profile. The Blank template contains no preselected infotypes.
> CCPA (California Consumer Privacy Act): Affects organizations that process the personal data of California residents, regardless of where the organization is headquartered.
> GDPR (General Data Protection Regulation): Affects organizations that process the personal data of individuals in the EU, regardless of where the organization is headquartered.
> HIPAA (Health Insurance Portability and Accountability Act): Covers healthcare information in the US, including requirements for its protection, encryption, and key management.
> PCI (Payment Card Industry): Affects organizations that play a role in processing credit and debit card payments. These organizations must comply with the PCI DSS (Data Security Standard) requirements for the processing, storage, and transmission of cardholder data.
> Privacy Shield: Regulated transatlantic exchanges of personal data for commercial purposes between the European Union and the United States.
  NOTE The EU-US Privacy Shield framework was invalidated by the Court of Justice of the European Union in July 2020 (Schrems II). The template still identifies the categories of personal data the framework covered, but it is not evidence of a valid transfer mechanism.
Adding Classification Profiles

Use the Add Classification Profile wizard to add a classification profile. Adding a classification profile involves the following steps.

Select Profile Template

1. On the Classification Profiles page, click the + Add Profile button on the right. The Add Classification Profile wizard is displayed.
2. In the Select Profile Template step, select the required profile template from these options:
   • Blank
   • CCPA
   • GDPR
   • HIPAA
   • PCI
   • Privacy Shield
   See "Classification Profile Templates" above for more information about these templates.
3. Click Next to go on to the General Info screen.

General Info

1. Specify a Profile Name. The name must be longer than two characters and up to 64 characters.
2. Provide a Description for the profile (up to 250 characters).
3. Select a Sensitivity Level from the drop-down list. The sensitivity level suggests to DDC what level of sensitivity is acceptable to find in the data classified with this profile. For details, see "Sensitivity Levels" on page 13.
4. Click Next to go on to the Select Infotypes screen.

Select Infotypes

1. The Select Infotypes screen lists the available information types, with details such as Infotype Name, Category, and Region.
   NOTE Depending on the selected profile template, certain information types may already be selected. To view only the selected information types, turn on the Selected only toggle switch.
2. Search for the required infotypes. You can use the following options:
   • Search text box: Enter text to filter information types. Search results display information types whose names contain the specified text.
   • Category filter: Click the filter icon, select or clear categories, and click OK.
   • Region filter: Click the filter icon, select or clear regions, and click OK.
3. Click Next to go on to the Apply Tags screen.

Apply Tags

1. The Apply Tags screen is displayed.
   NOTE Depending on the selected profile template, certain tags may already be applied. You can select existing tags, enter new tags, and remove applied tags, as appropriate.
2. Select a tag from the Add Tags (optional) drop-down list. The prebuilt tags are APA, APPI, CCPA, FINANCIAL, GDPR, HEALTH, HIPAA, KVKK, LEGAL, PCI, PERSONAL, PHI, PII, and SHIELD.
   TIP
   > New tags can also be added. Start typing a new tag, and click the New: <new_tag> link that appears below the drop-down list.
   > Add as many tags as needed.
   > To remove a tag, click the close icon in the tag name.
3. Click Save.

The newly created classification profile appears on the Classification Profiles page. By default, profiles are displayed in alphabetical order by name. Depending on the number of entries per page, you might need to navigate to other pages to see the newly created profile.

Viewing Details of Classification Profiles

The default view of the Classification Profiles page lists the prebuilt profile templates, created profiles, and duplicated profiles, with their names and modification times and the infotypes, sensitivity levels, and tags applied to each. The edit view shows additional details for a single classification profile: the number of linked scans, profile name, profile description, applied sensitivity level, list of linked infotypes, and applied tags.

To view details of a classification profile:

1. In the left pane of the Data Discovery application, click Classification Profiles. The Classification Profiles page is displayed.
This page lists the available classification profiles.
2. Click the overflow icon corresponding to the desired profile. A shortcut menu appears.
3. Click View. The Classification Profiles page shows additional details of the profile.

NOTE
> For new and duplicated classification profiles, the button is named View/Edit. Clicking it opens the edit view of the Classification Profiles page, where the details can be viewed and edited. Refer to "Editing Classification Profiles" below for details.
> Only users with the appropriate rights see the View/Edit button. All other users see only the View button.

Editing Classification Profiles

Newly created and duplicated classification profiles can be modified to suit your requirements. Use the edit view of the page to modify individual classification profiles. You can edit the profile name, profile description, applied sensitivity level, linked infotypes, and applied tags.

NOTE Prebuilt classification profiles cannot be edited. However, you can duplicate them and edit the copy to suit your requirements.

To edit a new or duplicated classification profile:

1. In the left pane of the Data Discovery application, click Classification Profiles. The Classification Profiles page is displayed. This page lists the available classification profiles.
2. Click the overflow icon corresponding to the desired profile. A shortcut menu appears.
3. Click View/Edit. The edit view of the Classification Profiles page appears.
   NOTE Only users with the appropriate rights see the View/Edit button. All other users see only the View button.
4. Expand GENERAL. The general details are displayed.
5. Modify the required details.
6. Expand INFOTYPES. The list of infotypes is displayed.
7. Select or clear infotypes, as required.
8. Expand TAGS. The applied tags, if any, are displayed.
9. Add new tags or modify existing tags, as required.
10. Click Save Changes.

The list view of the Classification Profiles page shows the updated information.

Duplicating Classification Profiles

Duplicating a classification profile creates a copy of an existing profile with identical properties. This simplifies the creation of new profiles; the duplicate can be modified later to suit your requirements.

To duplicate a classification profile:

1. In the left pane of the Data Discovery application, click Classification Profiles. The Classification Profiles page is displayed. This page lists the available classification profiles.
2. Click the overflow icon corresponding to the desired profile. A shortcut menu appears.
3. Click Duplicate. A message appears stating that the profile has been duplicated successfully.

The duplicate profile appears on the Classification Profiles page with the name <original_profile_name> - Copy. For example, duplicating the profile APA - Australia Privacy Amendment creates a profile named APA - Australia Privacy Amendment - Copy.

Managing Data Stores

You manage data stores through the Data Stores page, which you open by clicking Data Stores in the Data Discovery sidebar on the left. From the Data Stores page you can:

> View all the available data stores. See "Viewing Data Stores" below.
> Create a new local type data store. See "Adding Local Stores" on the next page.
> Create a new network type data store. See "Adding Network Stores" on page 35.
> Create a new database type data store. See "Adding Database Stores" on page 37.
> Create a new Big Data type data store. See "Adding Big Data Stores" on page 40.
> Edit an existing data store. See "Editing Data Stores" on page 42.
> Select an Agent for a data store. See "Automatic Agent Selection" on page 43.

Viewing Data Stores

The list view of the Data Stores page shows the number of:

> Existing data stores, with the number of scanned and unscanned data stores.
> Supported data store types, with the number of configured data stores of each type.
> Scanned data stores, with the number of data stores containing sensitive and non-sensitive data.

Click the refresh button to refresh the displayed information. The list view shows the following details:

Item         Description
Name         Name of the data store.
Type         Type of the data store.
Sens. Level  Sensitivity level applied to the data store.
Location     Location of the data store.
Tags         Number of applied tags.
%Sens. Info  Percentage of data objects in the data store that are considered sensitive. A hyphen "-" indicates that the data store has not been scanned yet.
Status       Status of the data store: enabled or disabled. Click the toggle switch to change the status. During a scan, DDC looks for Agents only for enabled data stores; disabled data stores are skipped. A data store can also be disabled while it waits for an Agent or if it fails to select an Agent.

TIP
> Use the Search text box to filter data stores. Search results display data stores whose names contain the specified text.
> By default, data stores are listed in ascending alphabetical order of their names.
> Data stores can be sorted by name, type, sensitivity level, location, and percentage of sensitive information.
Adding Local Stores

Use the Add Data Store wizard to add a local data store. Adding a data store involves the following steps.

Select Store Type

1. In the left pane of the Data Discovery application, click Data Stores. The Data Stores page is displayed. This page lists the available data stores.
2. On the right, click + Add Data Store. The Add Data Store wizard is displayed. The Select Data Store screen offers two ways to narrow down the data store types:
   • Filter by Data Store category: Shows the categories of data stores. Click a category to filter the options available under the Select Type drop-down list.
   • Select Type: Shows the types of data storage. By default, the drop-down list shows all types of data stores. When a category is selected under Filter by Data Store category, the label Select Type changes to reflect the selection. For example, for Local Storage, the label becomes Select Local Storage Type.
   NOTE This document uses Filter by Data Store category to filter data stores.
3. Under Filter by Data Store category, click Local Storage.
4. From the Select Local Storage Type drop-down list, select Local Storage.
5. Click Next to go on to the Configure Connection screen.

Configure Connection

1. The Configure Connection screen is displayed.
2. Specify the Hostname/IP of the machine where the local data store resides: a valid hostname, IP address, or Uniform Resource Identifier (URI). The hostname must be longer than two characters. This is a mandatory field.
   NOTE Local data stores need a DDC Agent installed on the same host.
3. Click Next to go on to the General Info screen.

General Info

1. The General Info screen is displayed.
2. Specify a unique Name for the data store. The name must be longer than two characters and up to 64 characters.
3. Provide a Description for the data store (up to 250 characters).
4. Select a Branch Location from the drop-down list.
5. Select a Sensitivity Level from the drop-down list. The sensitivity level suggests to DDC what level of sensitivity is acceptable to find in this data store. For details, see "Sensitivity Levels" on page 13.
   NOTE The Enable Data Store check box is selected by default, which means that the data store is available for scans. If the check box is cleared, the data store is disabled (not available) for scans.
6. Click Next to go on to the Add Tags & Access Control screen.

Add Tags & Access Control

1. The Add Tags & Access Control screen is displayed.
2. Under ACCESS, select the user groups that can access the data store. Access to a data store is what allows a user to see reports that include scans of that data store. The available options are:
   • All groups: All groups of users can access the data store through reports. This is the default setting.
   • Selected group/s: Only the specified user defined groups can access the data store through reports. When this option is selected, select a group from the drop-down list, which shows the existing user defined groups. The user defined groups must already exist on CipherTrust Manager; if none exist, ask the administrator to create a group. You can select multiple groups: start typing the name of the desired group and select it from the suggestions.
3. Under TAGS, select a tag from the Add Tag drop-down list. The prebuilt tags are APA, APPI, CCPA, FINANCIAL, GDPR, HEALTH, HIPAA, KVKK, LEGAL, PCI, PERSONAL, PHI, PII, and SHIELD.
   TIP
   > New tags can also be added. Start typing a new tag, and click the New: <new_tag> link that appears below the drop-down list.
   > Add as many tags as needed.
   > To remove a tag, click the close icon in the tag name.
4. Click Save.

The newly created data store appears on the Data Stores page. By default, data stores are displayed in alphabetical order by name. Depending on the number of entries per page, you might need to navigate to other pages to see the newly created data store.

Adding Network Stores

DDC supports two Network Storage types as data stores: Linux Network File Share (NFS) and Windows share (SMB/CIFS).

NOTE SMB/CIFS is supported for Windows only. Currently, the SMB implementation on Linux (Samba) is not supported. Also, NFS type data stores on Mac are not guaranteed to work properly.

Prerequisites for Network Storage Data Stores

To create a Windows Network Storage data store:
> Use a Windows Proxy Agent.
> Ensure that the target storage is accessible from the Proxy Agent host.

To create a Linux Network Storage data store:
> Use a Linux Proxy Agent.
> The target storage path must be mounted on the Proxy Agent host.

For both types of data store, the credentials used to access the target storage must have only the minimum permissions required to scan it. Data discovery and scanning require read access only, so a read-only account is sufficient; do not give the scanning account write or administrative rights on the share.

Creating a Data Store

To create a new data store, navigate to the Data Stores screen (Data Discovery > Data Stores) and click the + Add Data Store button to open the Add Data Store wizard. In the wizard, you go through four configuration steps for each data store that you create:

1. Select Store Type - Select the type of data store that you want to create. Refer to the individual procedures for each data store type for details.
2. Configure Connection - Provide the connection details for the data store type that you selected in the previous step. This step is different for every data store type. Refer to the individual procedures for each data store type for configuration details.
3. General Info - Specify the name, description, branch location, and sensitivity level for your data store. These settings are shared by all data store types. See "Configuring a Data Store - General Information" on page 37 for details.
4. Add Tags & Access Control - Grant access rights to your data store and add tags. These settings are shared by all data store types. See "Configuring a Data Store – Tags and Access Control" on page 37 for details.

Creating a Windows Data Store

1. To create a Windows data store, click Network Storage > SMB/CIFS Share in the Select Store Type screen of the Add Data Store wizard. For an overview of the wizard steps, see "Creating a Data Store" above.
2. In the Configure Connection screen of the wizard, provide the following configuration details for your data store:
   > Hostname/IP - a valid hostname, IP address, or URI of the data store.
   > Share Name - a valid Windows share name. These characters are not allowed in the Share Name: = * ? , < > | ; : + [ ] " / \
     CAUTION! Do not confuse the Share Name with the Network Path. In Windows, the Share Name is typically set in the Advanced Sharing settings in the folder's sharing properties.
   > Credentials - a valid username and password. Use the user name format appropriate to the target Windows host's credentials:
     • <domain\username> - the target host resides in the same Active Directory domain as the Windows Proxy Agent.
     • <target_hostname\username> - the target host does not reside in the same Active Directory domain as the Windows Proxy Agent.
3. In the General Info screen of the wizard, specify the name, description, branch location, and sensitivity level for your data store. See "Configuring a Data Store - General Information" on the next page for details.
4. In the Add Tags & Access Control screen of the wizard, grant access rights to your data store and add tags. See "Configuring a Data Store – Tags and Access Control" on the next page for details.
5. Click Save to create the data store.

At any time during the configuration you can click Back to return to any of the previous wizard screens and update the configuration.

Creating a Linux Data Store

1. To create a Linux data store, click Network Storage > NFS Share in the Select Store Type screen of the Add Data Store wizard. For an overview of the wizard steps, see "Creating a Data Store" above.
2. In the Configure Connection screen of the wizard, provide the following configuration details for your data store:
   > Hostname/IP - a valid hostname, IP address, or URI of the data store.
   > Share Path - a valid NFS path; it must begin with a slash ("/"). Together with Hostname/IP it identifies the share that is mounted on the Proxy Agent host (see Mount Point below).
   > Agent Hostname/IP - a valid hostname, IP address, or URI of the host where the DDC Proxy Agent resides.
   > Mount Point (On Proxy Agent) - the path on the Proxy Agent host where the Share Path above is mounted. See also "Mounting an NFS Share" on page 78.
3. In the General Info screen of the wizard, specify the name, description, branch location, and sensitivity level for your data store. See "Configuring a Data Store - General Information" on the next page for details.
4. In the Add Tags & Access Control screen of the wizard, grant access rights to your data store and add tags. See "Configuring a Data Store – Tags and Access Control" on the next page for details.
5. Click Save to create the data store.

At any time during the configuration you can click Back to return to any of the previous wizard screens and update the configuration.
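Step 4 of both procedures above grants access to the data store, which is the mechanism behind the report-visibility rules described under "User Defined Groups" and under "Configuring a Data Store – Tags and Access Control". Those rules are easy to misread (the data store and its scans stay visible to everyone with data store rights; only reporting is gated), so the following Python decision model is given as an added example, not code from the Thales guide or from the product. It encodes what the guide states: a store restricted to Selected group/s requires a matching user defined group unless the user is an Admin or a Full Report Admin; non-Admins see only their own report templates; and the owner of a template over a store they cannot report on gets the guide's "insufficient permissions" result. The set of predefined groups allowed to create reports at all is not reproduced on this page, so REPORT_CREATORS is an assumption; the users, groups and stores are constructed.

```python
"""Decision model for DDC report access on group-restricted data stores.

Added example, not from the Thales guide. Encodes the rules stated under
"DDC User Groups": ACCESS is either All groups or a set of user defined
groups; Admins and Full Report Admins bypass the group check; non-Admins
see only their own report templates; a template owner without access to
one of its stores gets "insufficient permissions" on open.
REPORT_CREATORS is an ASSUMPTION (the permissions table is not on this page).
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ALL_GROUPS: Optional[FrozenSet[str]] = None  # wizard default: ACCESS = All groups

# ASSUMPTION: predefined groups that may create/generate reports at all.
REPORT_CREATORS = {"Admins", "DDC Admins", "DDC Report Admins", "DDC Full Report Admins"}
# Stated in the guide: never need a user defined group to report on any store.
GROUP_BYPASS = {"Admins", "DDC Full Report Admins"}


@dataclass(frozen=True)
class DataStore:
    name: str
    access: Optional[FrozenSet[str]] = ALL_GROUPS  # None = All groups, else Selected group/s


@dataclass(frozen=True)
class User:
    name: str
    predefined: str                        # the DDC predefined group the user belongs to
    groups: FrozenSet[str] = frozenset()   # user defined groups (Keys & Access Management > Groups)


@dataclass(frozen=True)
class Report:
    name: str
    owner: str
    stores: Tuple[DataStore, ...]


def can_report_on(user: User, store: DataStore) -> bool:
    """May this user generate a report that includes scans of this store?"""
    if user.predefined not in REPORT_CREATORS:
        return False
    if user.predefined in GROUP_BYPASS or store.access is ALL_GROUPS:
        return True
    return bool(user.groups & store.access)


def visible_stores_in_new_report(user: User, stores: List[DataStore]) -> List[str]:
    """Scan executions the New Report wizard offers this user."""
    return [s.name for s in stores if can_report_on(user, s)]


def visible_templates(user: User, reports: List[Report]) -> List[str]:
    """Admins see everyone's reports; all other roles see only their own."""
    if user.predefined == "Admins":
        return [r.name for r in reports]
    return [r.name for r in reports if r.owner == user.name]


def open_report(user: User, report: Report) -> str:
    """Open a report; raises PermissionError mirroring the GUI's behaviour."""
    if report.name not in visible_templates(user, [report]):
        raise PermissionError("report not visible")
    blocked = [s.name for s in report.stores if not can_report_on(user, s)]
    if blocked:
        raise PermissionError("insufficient permissions: " + ", ".join(blocked))
    return f"{report.name} opened by {user.name}"


def open_report_status(user: User, report: Report) -> str:
    """'ok' or the PermissionError text; handy for tabletop checks of a group design."""
    try:
        open_report(user, report)
        return "ok"
    except PermissionError as err:
        return str(err)


# Constructed users, groups and stores (not from the guide).
FINANCE = frozenset({"finance-auditors"})
DS1 = DataStore("DS1", FINANCE)       # ACCESS: Selected group/s
DS2 = DataStore("DS2")                # ACCESS: All groups (default)
ALICE = User("alice", "DDC Report Admins", frozenset({"hr-auditors"}))
BOB = User("bob", "DDC Full Report Admins")
DAVE = User("dave", "Admins")
ERIN = User("erin", "DDC Store Viewers", FINANCE)
Q4_REPORT = Report("Q4 PII sweep", owner="alice", stores=(DS1,))

if __name__ == "__main__":
    print("alice sees in New Report:", visible_stores_in_new_report(ALICE, [DS1, DS2]))
    print("alice opens Q4:", open_report_status(ALICE, Q4_REPORT))
    print("dave opens Q4:", open_report_status(DAVE, Q4_REPORT))
```

Running the model over your planned groups before restricting a production data store shows who silently loses report access; the guide's own example (template visible, "insufficient permissions" on open) is the alice/DS1 case.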
36 Managing Data Stores Configuring a Data Store - General Information The General Info screen in the Add Data Store wizard allows you to specify the name, description, branch location, and sensitivity level of your data store. More details below: > Name - the name of your data store. The name must be longer than two characters and up to 64 characters. > Description - the description for the data store (up to 250 characters). > Branch Location - select a branch location from the drop-down list. If no branch location is available, you have to create it. See "Managing Branch Locations" on page 25 for details. > Sensitivity Level - select a sensitivity level from the drop-down list. A sensitivity level suggests to DDC what level of sensitivity is acceptable to find in this data store. For details, see "Sensitivity Levels" on page 13. > Enable Data Store - when selected it means that this data store is available for scans. The Enable Data Store check box is selected by default. If the check box is cleared, the data store is disabled (not available) for scans. Configuring a Data Store – Tags and Access Control The Add Tags & Access Control screen in the Add Data Store wizard allows you to grant access rights to your data store and add tags. More details below: > ACCESS - select user groups that can access the data store. Access to a data store provides ability to see reports that include scans of that data store. The available options are: • All groups: All groups of users can access the data store through reports. This is the default setting. • Selected group/s: Specified user defined groups can access the data store through reports. When this option is selected, select a group from the drop-down list. This list shows existing user defined groups. The user defined groups must already exist on CipherTrust Manager. If no user defined groups exist, ask the administrator to create a group. If needed, you can select multiple groups. 
Start typing the name of the desired group and select it from the suggested groups.
> TAGS - select a tag from the Add Tag drop-down list. The predefined tags are: APA, APPI, CCPA, FINANCIAL, GDPR, HEALTH, HIPAA, KVKK, LEGAL, PCI, PERSONAL, PHI, PII, and SHIELD.
TIP
New tags can also be added. Start typing a new tag, and click the New: <new_tag> link that appears below the drop-down list. Add as many tags as needed. To remove a tag, click the close icon in the tag name.

Adding Database Stores
Use the Add Data Store wizard to add a database type data store. Adding a data store involves the following steps:

Select Store Type
1. In the left pane of the Data Discovery application, click Data Stores. The Data Stores page is displayed. This page lists the available data stores.
2. On the right, click + Add Data Store. The Add Data Store wizard is displayed. The Select Data Store screen displays the following options to filter data store types:
• Filter by Data Store category: Shows categories of data stores. Click a category to filter the available options in the Select Type drop-down list.
• Select Type: Shows types of data storage. By default, the drop-down list shows all types of data stores. The label Select Type changes to reflect the category selected under Filter by Data Store category. For example, for Database, the label becomes Select Database Type.
NOTE
This document uses Filter by Data Store category to filter data stores.
3. Under Filter by Data Store category, click Database.
4. From the Select Database Type drop-down list, select a database. The available options are:
• IBM DB2: Select to add an IBM DB2 database.
• Oracle: Select to add an Oracle database.
• Microsoft SQL: Select to add a Microsoft SQL database.
• PostgreSQL: Select to add a PostgreSQL database.
NOTE
PostgreSQL by default blocks remote connections to the PostgreSQL server. For instructions to configure PostgreSQL to allow remote connections, see "Allowing Remote Connections to PostgreSQL Server" on page 40.
5. Click Next to go on to the Configure Connection screen.

Configure Connection
1. The Configure Connection screen is displayed.
2. Specify the Hostname/IP of the database server. Specify a valid hostname, IP address, or Uniform Resource Identifier (URI). The hostname must be longer than two characters. This is a mandatory field.
3. Specify the Port of the database server. The port must be a number between 1 and 65535. The default ports are 50000 for IBM DB2, 1521 for Oracle, 1433 for Microsoft SQL, and 5432 for PostgreSQL. This is a mandatory field.
4. Specify the name of the Database service. This is a mandatory field. For an Oracle database, specify Database or SID.
NOTE
If you are using Oracle 12.x, or if the Oracle database returns a "TNS: protocol adapter error", you must specify a SERVICE_NAME in the Database or SID field. For example: HR(SERVICE_NAME=XE)
5. Select an authentication method to connect to the database. The available options are:
• Credentials: Select for password-based authentication. This is the default setting. Specify valid user credentials (User and Password) for the database. For password-based authentication, valid user credentials are mandatory. Where possible, use a dedicated database account with read-only rights on the schemas in scope rather than an administrative login; the credentials are stored by DDC and used by the Agent on every scan.
• Certificate: Select for certificate-based authentication. Click Choose File to upload a valid certificate file. For certificate-based authentication, uploading a valid certificate is mandatory.
NOTE
> The certificate must be in either PEM or .p12 format.
> The certificate size must be less than 30 KB.
6. Click Next to go on to the General Info screen.

General Info
1. The General Info screen is displayed.
2. Specify a unique Name for the data store. The name must be longer than two characters and up to 64 characters.
3. Provide a Description for the data store (up to 250 characters).
4. Select a Branch Location from the drop-down list.
5. Select a Sensitivity Level from the drop-down list. The sensitivity level tells DDC what level of sensitivity is acceptable to find in this data store. For details, see "Sensitivity Levels" on page 13.
6. Click Next to go on to the Add Tags & Access Control screen.

Add Tags & Access Control
1. The Add Tags & Access Control screen is displayed.
2. Under ACCESS, select the user groups that can access the data store. Access to a data store grants the ability to see reports that include scans of that data store. The available options are:
• All groups: All user groups can access the data store through reports. This is the default setting.
• Selected group/s: Only the specified user-defined groups can access the data store through reports. When this option is selected, select a group from the drop-down list. The list shows existing user-defined groups; these must already exist on CipherTrust Manager. If no user-defined groups exist, ask the administrator to create one. If needed, you can select multiple groups. Start typing the name of the desired group and select it from the suggested groups.
3. Under TAGS, select a tag from the Add Tag drop-down list. The prebuilt tags are APA, APPI, CCPA, FINANCIAL, GDPR, HEALTH, HIPAA, KVKK, LEGAL, PCI, PERSONAL, PHI, PII, and SHIELD.
TIP
> New tags can also be added. Start typing a new tag, and click the New: <new_tag> link that appears below the drop-down list.
> Add as many tags as needed.
> To remove a tag, click the close icon in the tag name.
4. Click Save.
The newly created data store appears on the Data Stores page. By default, data stores are displayed in alphabetical order by name. Depending on the number of entries per page, you might need to navigate to other pages to view the newly created data store.

Allowing Remote Connections to PostgreSQL Server
PostgreSQL by default blocks all connections that do not originate from the PostgreSQL database server itself. This means that to scan a PostgreSQL database, either the Agent must be installed on the PostgreSQL database server itself (not recommended), or the PostgreSQL server must be configured to allow remote connections.
To configure a PostgreSQL server to allow remote connections:
1. On the PostgreSQL database server, locate the pg_hba.conf configuration file. On a Unix-based server, the file is usually found in the /var/lib/postgresql/data directory. The location varies by distribution and packaging; running SHOW hba_file; in psql prints the path of the file the server is actually using.
2. Open pg_hba.conf in a text editor, as root.
3. Add the following to the end of the file:
# Syntax:
# host <database_name> <postgresql_user_name> <agent_host_address> <auth-method>
host all all all md5
NOTE
The above configuration lets any remote client that can reach the PostgreSQL port attempt a login, and admits anyone who presents a valid user name and password. For a more secure configuration, use configuration statements that are specific to a database, user or IP address, so that only the scanning account, from the Agent host's network, can connect. For example:
host database_A scan_user 172.17.0.0/24 md5
Keep in mind that pg_hba.conf is evaluated from top to bottom and the first matching record is used, so a broad rule placed above a narrow one makes the narrow one ineffective. PostgreSQL must also be listening on a network interface: if listen_addresses in postgresql.conf is still the default (localhost), remote connections are refused regardless of pg_hba.conf.
4. Save the file and reload or restart the PostgreSQL service. A reload is sufficient for pg_hba.conf changes; a change to listen_addresses requires a restart.

Adding Big Data Stores
Use the Add Data Store wizard to add a big data type data store. Adding a data store involves the following steps:
NOTE
In a Hadoop cluster:
> Nodes where data blocks distributed by HDFS are stored are called DataNodes. DataNodes are treated as "slaves" in a Hadoop cluster.
> A node that maintains the index of directories and files and manages the data blocks stored on DataNodes is called a NameNode. A NameNode is treated as "master" in a Hadoop cluster.

Select Store Type
1.
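The following script is an added example and is not part of this guide or of the Thales/Groundlabs product. It reads a pg_hba.conf (the sample embedded in it is constructed for this example) and flags records of the kind the note in "Allowing Remote Connections to PostgreSQL Server" warns about: an address field that admits every remote host, or an authentication method that sends no or cleartext credentials. The record layout follows the documented pg_hba.conf syntax; the choice of which rules to flag is this example's own.

```python
"""Audit a pg_hba.conf for over-broad remote-access rules.

Added example, not Thales/Groundlabs code. Parses host-type records and
reports the ones a reviewer would question. SAMPLE_HBA is constructed.
"""
import ipaddress
import sys

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
BROAD_ADDRESSES = {"all", "samenet"}   # 'samenet' matches every directly attached subnet
WEAK_METHODS = {"trust", "password"}   # trust = no authentication; password = cleartext

SAMPLE_HBA = """\
# TYPE  DATABASE    USER       ADDRESS                    METHOD
local   all         all                                   peer
host    all         all        127.0.0.1/32               md5
host    all         all        all                        md5
host    database_A  scan_user  172.17.0.0/24              md5
host    all         all        0.0.0.0/0                  trust
host    database_A  scan_user  172.17.0.0 255.255.255.0   md5
"""


def parse_hba(text):
    """Return one dict per record; comments and blank lines are skipped."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        kind = fields[0]
        if kind == "local" and len(fields) >= 4:
            records.append({"line": lineno, "type": kind, "database": fields[1],
                            "user": fields[2], "address": None, "method": fields[3]})
        elif kind in HOST_TYPES and len(fields) >= 5:
            database, user, address, rest = fields[1], fields[2], fields[3], fields[4:]
            # IPv4 records may carry the netmask as a separate field; fold it into CIDR form
            if "/" not in address and rest[0].count(".") == 3:
                address = f"{address}/{ipaddress.IPv4Network(f'0.0.0.0/{rest[0]}').prefixlen}"
                rest = rest[1:]
            if rest:
                records.append({"line": lineno, "type": kind, "database": database,
                                "user": user, "address": address, "method": rest[0]})
    return records


def _admits_any_host(address):
    """True when the address field matches every remote client."""
    if address in BROAD_ADDRESSES:
        return True
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:
        return False   # hostname or 'samehost': not a wildcard


def audit(records):
    """Map line number -> list of reasons for records worth a second look."""
    findings = {}
    for rec in records:
        if rec["type"] == "local":
            continue   # Unix-socket records are not reachable remotely
        reasons = []
        if rec["method"] in WEAK_METHODS:
            reasons.append(f"method '{rec['method']}' sends no or cleartext credentials")
        if rec["type"] == "hostnossl":
            reasons.append("hostnossl forces the connection to stay unencrypted")
        if _admits_any_host(rec["address"]):
            if rec["database"] == "all" and rec["user"] == "all":
                scope = "any database and any role"
            else:
                scope = f"database '{rec['database']}', role '{rec['user']}'"
            reasons.append(f"address '{rec['address']}' admits every remote host to {scope}")
        if reasons:
            findings[rec["line"]] = reasons
    return findings


def flagged_lines(text):
    return sorted(audit(parse_hba(text)))


def recommended_rule(database, user, cidr, method="md5"):
    """Build the narrow rule the guide suggests, validating the CIDR first.
    scram-sha-256 is stronger than md5 on PostgreSQL 10+ if the Agent's client
    library supports it (assumption: confirm with Thales before switching)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"host {database} {user} {net.with_prefixlen} {method}"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HBA
    for line, reasons in sorted(audit(parse_hba(text)).items()):
        print(f"line {line}: " + "; ".join(reasons))
    print("suggested:", recommended_rule("database_A", "scan_user", "172.17.0.0/24"))
```

Run it as python audit_hba.py /path/to/pg_hba.conf on the database server after editing; on the sample it reports the "host all all all md5" line and the "trust" line, and leaves the database- and subnet-specific rule alone.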
In the left pane of the Data Discovery application, click Data Stores. The Data Stores page is displayed. This page lists the available data stores.
2. On the right, click + Add Data Store. The Select Data Store screen of the Add Data Store wizard is displayed. The Select Data Store screen displays the following options to filter data store types:
• Filter by Data Store category: Shows categories of data stores. Click a category to filter the available options in the Select Type drop-down list.
• Select Type: Shows types of data storage. By default, the drop-down list shows all types of data stores. The label Select Type changes to reflect the category selected under Filter by Data Store category. For example, for Big Data, the label becomes Select Big Data Type.
NOTE
This document uses Filter by Data Store category to filter data stores.
3. Under Filter by Data Store category, click Big Data.
4. From the Select Big Data Type drop-down list, select Hadoop Cluster.
5. Click Next to go on to the Configure Connection screen.

Configure Connection
1. The Configure Connection screen is displayed.
2. Specify the Hostname/IP of the Hadoop cluster's active NameNode. Specify a valid hostname, IP address, or Uniform Resource Identifier (URI). The hostname must be longer than two characters. This is a mandatory field.
3. Click Next to go on to the General Info screen.

General Info
1. The General Info screen is displayed.
2. Specify a unique Name for the data store. The name must be longer than two characters and up to 64 characters.
3. Provide a Description for the data store (up to 250 characters).
4. Select a Branch Location from the drop-down list.
5. Select a Sensitivity Level from the drop-down list. The sensitivity level tells DDC what level of sensitivity is acceptable to find in this data store.
For details, see "Sensitivity Levels" on page 13.
6. Click Next to go on to the Add Tags & Access Control screen.

Add Tags & Access Control
1. The Add Tags & Access Control screen is displayed.
2. Under ACCESS, select the user groups that can access the data store. Access to a data store grants the ability to see reports that include scans of that data store. The available options are:
• All groups: All user groups can access the data store through reports. This is the default setting.
• Selected group/s: Only the specified user-defined groups can access the data store through reports. When this option is selected, select a group from the drop-down list. The list shows existing user-defined groups; these must already exist on CipherTrust Manager. If no user-defined groups exist, ask the administrator to create one. If needed, you can select multiple groups. Start typing the name of the desired group and select it from the suggested groups.
3. Under TAGS, select a tag from the Add Tag drop-down list. The prebuilt tags are APA, APPI, CCPA, FINANCIAL, GDPR, HEALTH, HIPAA, KVKK, LEGAL, PCI, PERSONAL, PHI, PII, and SHIELD.
TIP
> New tags can also be added. Start typing a new tag, and click the New: <new_tag> link that appears below the drop-down list.
> Add as many tags as needed.
> To remove a tag, click the close icon in the tag name.
4. Click Save.
The newly created data store appears on the Data Stores page. By default, data stores are displayed in alphabetical order by name. Depending on the number of entries per page, you might need to navigate to other pages to view the newly created data store.

Editing Data Stores
Existing data stores can be modified to suit your requirements. Use the edit view of the Data Stores page to modify the properties of a data store.
You can edit the data store name, description, linked branch location, and applied sensitivity level. Additionally, connection settings, access rights, and tags can be modified.
To edit a data store:
1. In the left pane of the Data Discovery application, click Data Stores. The Data Stores page is displayed. This page lists the available data stores.
2. Click the overflow icon corresponding to the desired data store. A shortcut menu appears.
TIP
Alternatively, to open the edit view of a data store, click the Name link of the desired data store. Only users with the appropriate rights can edit data store settings; all other users can only view them.
3. Click View/Edit. The edit view of the Data Stores page appears.
NOTE
Only users with the appropriate rights can see the View/Edit button. For all other users, only the View button is visible.
4. Expand GENERAL. General details are displayed.
5. Modify the required information.
NOTE
The current data store type, which is displayed under Select Type, cannot be changed.
6. Expand CONNECTION. Connection settings are displayed. Based on the storage type, the displayed fields can differ.
7. Modify the required information.
NOTE
When using the Credentials authentication method, specify valid credentials in User and Password. To change the existing password, unlock the Password field by clicking the lock icon and enter the new password.
8. Click Test Connection to test the modified connection settings. If an error occurs, correct the connection settings and retry.
NOTE
The Test Connection button is available only if a compatible Agent has been found.
9. Expand ACCESS. The granted access rights are displayed.
10. Modify the access rights under Grant Access to, if required.
11. Expand TAGS. The applied tags, if any, are displayed.
12. Add new tags or modify existing tags, as required.
13. Click Save Changes. The list view of the Data Stores page shows the updated information.

Automatic Agent Selection
Data stores that do not have a DDC Agent installed on the same host require a DDC Agent to act as a proxy between the CipherTrust Manager appliance and the data store endpoint. To achieve this, data stores select agents automatically. When a data store is added, the following situations can occur:
> DDC searches for a compatible agent: While DDC searches for a compatible Agent, a rotating spinner is displayed next to the data store's name. If you hover the mouse over the spinner, "Waiting for Agent" is shown.
> DDC finds a compatible agent: When a compatible agent is found, the spinner disappears. You can now test connectivity through the Agent by clicking the Test Connection button in the data store's settings. Refer to "Editing Data Stores" on the previous page for details.
> DDC does not find a compatible agent: DDC retries the agent selection for seven days. If it cannot find a compatible agent within seven days, an error icon is displayed. If you hover the mouse over the icon, it states "Agent not available". The Find Agent button, which relaunches the Agent selection, is shown when you click the overflow icon next to the data store.
To relaunch automatic agent selection for a data store:
1. In the Data Discovery application, click the overflow icon corresponding to the desired data store. A shortcut menu appears.
2. Click Find Agent.
NOTE
> Instructions to install and configure DDC Agents can be found in the Thales CipherTrust Data Discovery and Classification Deployment Guide.
> Port 11117 on the CipherTrust Manager appliance must be accessible from DDC Agent hosts. Where the network design allows, restrict reachability of this port to the Agent hosts rather than opening it broadly.
> The data store endpoint must be accessible from the DDC Agent hosts.
> To proxy requests to database stores, a Windows-based DDC Agent is required.
> To proxy requests to Hadoop data stores, a Linux-based DDC Agent is required.
> When a DDC Agent has been identified, the data store status changes to Ready. At this point, scans can be run against the data store.

Managing Scans
You manage scans through the Scans page, which is accessed by clicking the Scans link in the Data Discovery sidebar on the left. From the Scans page you can:
> View all currently available scans. See "Viewing Scans" below.
> Create a new scan. See "Adding Scans" on the next page.
> Execute a scan. See "Running Scans" on page 49.
> Delete a scan. See "Removing Scans" on page 50.

Viewing Scans
The list view of the Scans page shows the number of:
> Scans, with the number of executed and unexecuted scans.
> Executed scans, with the number of scans containing sensitive and non-sensitive data.
> Scanned data objects, with the number of sensitive and other data objects.
Click the refresh button to refresh the displayed information.
The list view of the Scans page shows the following details:
Item        Description
Name        Name of the scan.
Profile     Number of classification profiles.
Schedule    Schedule of the scan.
Last Scan   Time when the scan last ran.
Duration    Time taken to complete the run.
Status      Status of the scan. The status can be Completed, Processing, Failed, Stopped, Unscanned, Validating, or Pending.
TIP
> Use the Search text box to filter scans. Search results display scans that contain the specified text in their names.
> By default, scans are listed in ascending alphabetical order of their names.
> Scans can be sorted by name, last scan time, duration, and status.
Adding Scans
To add a scan, navigate to the Scans screen (Data Discovery > Scans). Click the + Add Scan button to open the Add Scan wizard. In the wizard, you go through these configuration steps for each scan that you add:
1. "General Info" below - Name the scan and give it a short description.
2. "Select Data Stores" below - Select which data stores will be scanned.
3. "Add Targets" on the next page - Narrow down the scan scope by selecting specific scan targets.
4. "Select Profiles" on the next page - Choose which classification profiles you want to scan for.
5. "Schedule Scan" on page 48 - Configure when you want your scan to run.

General Info
1. In the General Info screen, the wizard asks you to specify a unique name for the scan and to give it a short description:
• Name - The name must be longer than two characters and up to 64 characters.
• Description - Optional description of up to 250 characters.
2. Click Next to move on to the Select Data Stores screen.

Select Data Stores
The Select Data Stores screen lists all data stores in tabular form. By default, no data stores are selected. The table has three columns:
• Data Store Name: Lists the available data stores (with their number).
• Type: The type of the data store, such as Local Storage, Network Share, etc.
• Agent: Displays the Agent that is connected to that data store. In this column you can also see whether the Agent is ready (that is, whether the data store is ready).
To select a data store to scan:
1. Search for the desired data stores by specifying the search criteria in the Search box. The search results are displayed in the table under it.
2. Select a data store for the scan by selecting the corresponding check box. Select multiple data stores in the same way, if needed.
TIP
Use the Selected only toggle switch to display only the selected data stores or all data stores (if the switch is off, all data stores are displayed).
3. Click Next to move on to the Add Targets screen.

Add Targets
In the Add Targets screen you can review the list of data stores that you selected for the scan. By default, the scan covers the entire data store; this wizard step allows you to narrow the scan scope by selecting specific targets for your selected data stores. The Add Targets screen is divided into three columns:
• Data Store: The list of selected data stores.
• Targets: Any specific target selected for the listed data store. "Full DS" indicates that no specific target has been selected, that is, the entire data store will be scanned. If you have added a scan target for the data store, it is listed after you expand the data store row (by clicking the arrow button next to the data store name, on the left).
• Add Target Path: In this field you can type a specific target and add it to the scan parameters. Scanning of this data store will then be limited to the added targets only.
NOTE
Any scan target that you add must be valid, otherwise the scan will fail. What is a valid scan target depends on the data store type, but keep the following in mind:
> When adding scan targets for database data stores (IBM DB2, Oracle, and MS-SQL):
• Table names are case sensitive, but schema names are not case sensitive.
• Oracle data stores accept only tables as scan targets.
• IBM DB2 and MS-SQL data stores accept schemas or tables as scan targets.
> For Hadoop type data stores, you can configure a scan to use a specific Hadoop file as a scan target.
> To add a scan target for a selected data store:
a. Type your scan target in the Add Target Path field.
b.
Click the Apply button on the right to add the target. Repeat this to add more scan targets for that data store, if needed.
> To remove a scan target for a selected data store:
a. Click the arrow button next to the data store name for which you want to remove a scan target.
b. Click the Remove link to the right of the scan target to remove it.
> Use the Enable Remediation toggle switch to enable remediation for the selected target. For more information, refer to the "CipherTrust Auto-Remediation User Guide".
> To move on to the Select Profiles screen, click Next.
TIP
Make sure that you do not have nested target paths in a scan for the same data store. Nesting can affect the performance of the scan and produce duplicated data in the reports.

Select Profiles
The Select Profiles screen lists all classification profiles in tabular form. By default, no profiles are selected. The table has three columns:
• Classification Profile Name: Lists the available profiles. Items marked with a letter "T" are predefined classification profile templates. For more information about these templates, see "Classification Profile Templates" on page 28. The other items are custom classification profiles.
• Infotypes: Displays the number of information types associated with the profile.
• Sensitivity: Displays the sensitivity level assigned to this classification profile. See "Sensitivity Levels" on page 13 for more information.
To select a classification profile for the scan:
1. Search for the desired profiles by specifying the search criteria in the search box. The search results are displayed in the table under it.
2. Select profiles for the scan by selecting the check boxes corresponding to the desired profiles.
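The pre-flight check below is an added example, not DDC code or part of this guide. It applies the scan-target rules from the Add Targets notes and tip above before a scan is saved: nested target paths for one data store (which cause duplicated findings and slower scans), schema-only targets on Oracle stores (which accept only tables), and the case rules for database targets (schema names compared case-insensitively, table names case-sensitively). The store-type labels and the SCHEMA / SCHEMA.TABLE notation are assumptions of this example; the inputs in the usage section are constructed.

```python
"""Pre-flight validation of DDC scan targets.

Added example, not DDC code. Store-type labels and target notation are
assumptions; the rules themselves come from the guide's Add Targets notes.
"""
import posixpath

PATH_STORES = {"local", "nfs", "smb", "hadoop"}   # targets are POSIX-style paths
DB_STORES = {"db2", "mssql", "oracle"}            # targets are SCHEMA or SCHEMA.TABLE


def _norm_path(target):
    """Collapse '.', '..' and duplicate or trailing slashes; anchor at '/'."""
    path = posixpath.normpath(target.strip())
    if not path.startswith("/"):
        path = "/" + path
    return path


def _is_under(parent, child):
    """True when child lies inside parent, comparing whole path components
    (so '/data/hr2' is not under '/data/hr')."""
    if parent == "/":
        return child != "/"
    return child.startswith(parent + "/")


def _split_db_target(target):
    """'HR.Employees' -> ('hr', 'Employees'); 'HR' -> ('hr', None).
    Schema is lower-cased (case-insensitive); table is kept as typed."""
    schema, _, table = target.strip().partition(".")
    return schema.lower(), (table or None)


def validate_targets(store_type, targets):
    """Return a list of (problem, target_a, target_b) tuples; empty means OK."""
    problems = []
    if store_type in PATH_STORES:
        paths = [_norm_path(t) for t in targets]
        for i, a in enumerate(paths):
            for b in paths[i + 1:]:
                if a == b:
                    problems.append(("duplicate", a, b))
                elif _is_under(a, b):
                    problems.append(("nested", a, b))
                elif _is_under(b, a):
                    problems.append(("nested", b, a))
    elif store_type in DB_STORES:
        parsed = [_split_db_target(t) for t in targets]
        for raw, (_, table) in zip(targets, parsed):
            if table is None and store_type == "oracle":
                problems.append(("schema-not-allowed", raw, None))
        for i, (s1, t1) in enumerate(parsed):
            for j in range(i + 1, len(parsed)):
                s2, t2 = parsed[j]
                if s1 != s2:
                    continue
                if t1 == t2:                       # same schema and same table spelling
                    problems.append(("duplicate", targets[i], targets[j]))
                elif t1 is None:                   # whole schema plus one of its tables
                    problems.append(("nested", targets[i], targets[j]))
                elif t2 is None:
                    problems.append(("nested", targets[j], targets[i]))
    else:
        problems.append(("unknown-store-type", store_type, None))
    return problems


if __name__ == "__main__":
    # Constructed inputs for this example.
    checks = [
        ("nfs", ["/data/hr", "/data/hr/2020/", "/data/hr2"]),
        ("oracle", ["HR.EMPLOYEES", "HR"]),
        ("db2", ["HR", "hr.EMPLOYEES"]),
        ("mssql", ["dbo.Employees", "DBO.Employees", "dbo.employees"]),
    ]
    for store, targets in checks:
        print(store, targets, "->", validate_targets(store, targets) or "OK")
```

Note that "dbo.Employees" and "dbo.employees" are reported as distinct targets because table names are case sensitive, while "dbo.Employees" and "DBO.Employees" are the same target because only the schema differs in case.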
TIP
Use the Selected only toggle switch to display only the selected classification profiles or all classification profiles (if the switch is off, all classification profiles are displayed).
3. Click Next to move on to the Schedule screen.

Schedule Scan
1. In the Schedule screen, select the frequency with which you want the scan to run. The options are:
• Manual: Select to run the scan manually. This is the default setting. In this case the scan runs whenever you launch it from the Scans screen. For more information about running a scan manually, see "Running Scans" on the next page.
NOTE
If you select Run Now, the scan is run once, immediately after it has been added successfully.
• Scheduled: Select to specify a schedule for the run. The scan runs automatically on the specified schedule. When Scheduled is selected, the following fields appear on the screen:
– Increment: Select the increment pattern of the run. This is a mandatory field. The options are Daily, Weekly, and Monthly. By default, Daily is selected.
– Every: Specify how often the run should repeat. This is a mandatory field. For example, if Daily is selected as Increment, enter 2 to run the scan once every two days. If Weekly is selected, enter 2 to run the scan once every two weeks. Similarly, if Monthly is selected, enter 2 to run the scan once every two months.
– Time: Specify the time when the run should start. This is a mandatory field. Specify the time in 12-hour format.
– Time Zone: Select a time zone from the drop-down list.
– Starting: Specify the day when the schedule should start. This is a mandatory field. By default, Today is selected. To specify a particular start date, select On this date, click the calendar icon, and select the date.
– Ending: Specify the day when the schedule should end. This is a mandatory field. By default, No End is selected. To specify a particular end date, select On this date, click the calendar icon, and select the date.
NOTE
A scan cannot run unless there is an identified Agent for every data store included in the scan. If it fails to run, check the status of the data stores included in the scan.
2. Click Save to complete adding the scan.
The newly created scan appears on the Scans page. By default, scans are displayed in alphabetical order by name. Depending on the number of entries per page, you might need to navigate to other pages to view the newly created scan. By default, the Status of a newly created scan is Unscanned.
NOTE
If the CipherTrust Manager system clock does not match the Agent's system clock, your scans will not run as scheduled, so it is highly recommended to set up an NTP server to synchronize the clocks. This can be configured in CipherTrust Manager through Admin Settings > System > NTP. For details, refer to the "Thales CipherTrust Manager Administrator Guide".

Running Scans
To run a scan, navigate to the Scans screen (Data Discovery > Scans). Scans can be run either manually or automatically at a scheduled time.
> To run a scan manually:
a. Search for the scan to run.
TIP
> Use the Search text box to filter scans. Search results display scans that contain the specified text in their names.
> By default, scans are listed in ascending alphabetical order of their names.
> Scans can be sorted by name, last scan time, duration, and status.
b. Move the mouse pointer to the row that contains the scan. The Run Now button appears. This button disappears as soon as the mouse pointer is moved out of the row.
c. Click Run Now. As soon as the scan is initiated, its status becomes Pending.
> To configure a scan to run automatically, refer to "Schedule Scan" on the previous page.
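The script below is an added example, not DDC code or part of this guide. It models the fields of the Schedule screen described above (Increment, Every, Time in 12-hour format, Time Zone, Starting, Ending) and lists the instants at which a Scheduled scan is due, both in the selected time zone and in UTC, so that an operator can compare them with the CipherTrust Manager and Agent clocks that the NTP note says must agree. DDC's own scheduler rules are not documented on this page; in particular, clamping a Monthly run that starts on the 31st to the last day of shorter months is an assumption of this example, and the inputs in the usage section are constructed.

```python
"""Next run times of a Scheduled DDC scan.

Added example, not DDC code. Month-end clamping and the accepted input
formats are assumptions of this example.
"""
import calendar
from datetime import date, datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo          # Python 3.9+ with tz data installed
except ImportError:                        # pragma: no cover
    ZoneInfo = None


def _resolve_tz(tz):
    """Accept a tzinfo, a fixed offset such as '+01:00', or an IANA name."""
    if not isinstance(tz, str):
        return tz
    if len(tz) == 6 and tz[0] in "+-" and tz[3] == ":":
        sign = 1 if tz[0] == "+" else -1
        return timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6])))
    if ZoneInfo is None:
        raise ValueError("named time zones need Python 3.9+ with tz data")
    return ZoneInfo(tz)


def _as_date(value):
    return value if isinstance(value, date) else date.fromisoformat(value)


def _add_months(day, months):
    """Advance a date by whole months, clamping the day to the month length."""
    index = day.month - 1 + months
    year, month = day.year + index // 12, index % 12 + 1
    return date(year, month, min(day.day, calendar.monthrange(year, month)[1]))


def _nth_occurrence(starting, increment, every, n):
    """Date of the n-th run; n = 0 is the Starting date itself."""
    if increment == "Daily":
        return starting + timedelta(days=every * n)
    if increment == "Weekly":
        return starting + timedelta(weeks=every * n)
    if increment == "Monthly":
        return _add_months(starting, every * n)
    raise ValueError(f"unknown increment {increment!r}")


def next_runs(increment, every, time_12h, tz, starting, ending=None, now=None, limit=5):
    """Up to `limit` timezone-aware datetimes at which the scan is due, not
    earlier than `now` and not later than the Ending date (None = No End)."""
    if every < 1:
        raise ValueError("Every must be at least 1")
    tzinfo = _resolve_tz(tz)
    run_time = datetime.strptime(time_12h, "%I:%M %p").time()   # 12-hour clock as in the UI
    starting = _as_date(starting)
    ending = _as_date(ending) if ending is not None else None
    if now is None:
        now = datetime.now(tzinfo)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    runs, n = [], 0
    while len(runs) < limit:
        day = _nth_occurrence(starting, increment, every, n)
        n += 1
        if ending is not None and day > ending:
            break
        run = datetime.combine(day, run_time, tzinfo=tzinfo)
        if run >= now:
            runs.append(run)
    return runs


def as_utc(runs):
    """The instants the appliance and Agent clocks must agree on."""
    return [run.astimezone(timezone.utc) for run in runs]


def run_tuples(runs):
    """Plain (Y, M, D, h, m, utc_offset_minutes) tuples for logging or checks."""
    return [(r.year, r.month, r.day, r.hour, r.minute,
             int(r.utcoffset().total_seconds() // 60)) for r in runs]


if __name__ == "__main__":
    # Constructed example: every second day at 2:30 PM Madrid time for one week.
    due = next_runs("Daily", 2, "02:30 PM", "Europe/Madrid",
                    "2020-12-08", ending="2020-12-14")
    for local, utc in zip(due, as_utc(due)):
        print(local.isoformat(), "=", utc.isoformat())
```

Because DDC compares the schedule with the appliance clock and the Agent clock, the UTC column is the one to check against both hosts; a skew of more than the gap between consecutive runs is what the NTP note warns about.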
Scan Statuses
The status of the scan changes in the sequence: Unscanned > Validating > Pending > Running now / Paused / Stopped > Processing > Completed / Failed.
Status                          Description
Validating                      Checking whether all the data stores are ready.
Pending                         The scan is pending and the linked data stores are being contacted. Depending on factors such as network connectivity, this stage may:
                                • Complete in a flash, so that you do not see it on the Scans page.
                                • Remain in this state for some time.
Running now / Paused / Stopped  The scan is running, paused, or stopped.
Processing                      The scan is processing the collected data.
Completed / Failed              The scan run succeeded or failed.

Potential Problems When Running Scans
> Ready/Not Ready data store: A scan cannot run unless there is an identified Agent for every data store included in the scan. Such a data store has the status Ready. A scan that includes at least one data store that is Not Ready fails to run and displays an error. If more than one data store associated with a scan is Not Ready, the system fails on the first scanned data store that is Not Ready and does not check the remaining data stores.
> Disabled/Enabled data store: You can manually deactivate a data store. Such a data store has the status Disabled and is not scanned. A scan with several associated data stores still runs (without an error) even if one or more of them are Disabled, as long as at least one data store is enabled, but it scans only the enabled data stores. A scan whose data stores are all Disabled does not run at all.
> Hadoop file access rights: You get a "data store path not accessible" error when scanning a Hadoop data store that has a Hadoop file configured as its scan target if the account used for the scan does not have access rights to that file.
> IBM DB2, Oracle and MS-SQL - empty table or schema: You get a "table or schema not accessible" error when scanning an empty table or schema.
> IBM DB2, Oracle and MS-SQL - case-sensitive table name: In these data stores, database schema names are not case sensitive, but table names are case sensitive.

Removing Scans
1. In the Scans screen, use the Search text box to filter scans and find the scan that you want to remove.
2. Click the overflow icon corresponding to the desired scan. An overflow menu is displayed with the View/Edit and Remove options.
NOTE
The Remove option is not always available in the menu; it is shown only if the scan is Failed, Completed, Stopped, or Disabled.
3. Click Remove in the menu. A warning message "Remove Scan? Are you sure you want to remove this scan?" is displayed.
4. Click the Remove button in the warning message window to confirm the removal of the selected scan.

Managing Reports
You manage reports through the Reports page, which is accessed by clicking the Reports link in the Data Discovery sidebar on the left. From the Reports page you can:
> View all existing reports. See "Viewing Reports" below.
> Create a new report. See "Creating Reports" on the next page.
> Generate a report. See "Generating Reports" on page 55.
> View details of a selected report. See "Report Details" on page 55.

Viewing Reports
The Reports page lists the available reports. Initially, the page shows no reports; newly configured reports appear on this page. Additionally, the page shows the total number of available reports. By default, reports are listed in ascending alphabetical order of their names.
The list view of the Reports page shows the following details:
Item      Description
Name      Name of the report.
Type      Type of the report.
Analysis  Analysis type; currently always Aggregated.
Last Run  Time when the report was last run.
Schedule  Schedule of the report run; currently always Manual.
Status    Status of the report. The status can be Pending, Running now, Stopped, Processing, Completed, or Failed.
> Use the Search text box to filter reports. Search results display reports that contain the specified text in their names.
> Reports can be sorted by name, type (Scans), analysis (Aggregated), last run time, schedule, and status.
> Click the link embedded in the report name to display the details of that report. For more information, see "Report Details" on page 55.

Report Types
There are two different types of reports:
• Static report: This report is based on a scan run on a specific date.
– The report is "frozen" at the last successful execution of the scan up to the selected date.
– In the case of multiple executions of the scan on the selected day, the report includes the information from the latest execution on that day.
• Dynamic report: This report always shows the information found by the latest scan execution, so the results change if the underlying data in the data store or the classification profile is modified. In other words, such a report is dynamic; it is updated whenever:
– There are changes in the scanned system, such as the quantity of data changing (increasing or decreasing).
– There are changes in any aspect of the DDC configuration, such as modified classification profiles.
NOTE
> Within one report, some scans can be selected statically and others dynamically. The static selections are "frozen" while the dynamic ones are not.
> To see updated results in a report you must run the scan again, because the report only reflects the scan's results.

Creating Reports

A report aggregates data from one or more scans. When a report is generated it contains the results of the scan executions it was configured with. To create a report, use the New Report wizard described in the following sections. To launch the wizard, click the + Add Report button on the right of the Reports page.

General Info

Provide the following information in the General Info screen of the New Report wizard:
> A unique Name for the report. The name must be longer than two characters and up to 64 characters. This field is mandatory.
> An optional Description for the report (up to 250 characters).
Click Next to go on to the Configure Content step of the wizard.

Configure Content

The Configure Content screen shows the available scans, their number, and the number of selected scans.
1. Use the Search text box to filter available scans. Search results display scans whose names contain the specified text.
2. Select the Scan Name check boxes corresponding to the desired scans.
3. Choose the type of report:
– A static report is based on a scan run on a specific date. For a static report, click "Latest Execution" and select the date of the scan execution that you wish to use.
– A dynamic report changes if the underlying data store or classification profile is modified and the scan is run again. For a dynamic report, leave "Scan Execution" as "Latest Execution".
See "Report Types" on page 52 for more information on these reports.
4. Click Save. A message appears stating that the report has been created successfully.
The content selected in this step is merged into a single report. This is called an aggregated report.
To create a report use the New Report wizard described in the following sections.

Name and Describe

1. In the Reports page on the right, click New Report. The Name and Describe screen of the New Report wizard is displayed.
2. Specify a unique Name for the report. The name must be longer than two characters and up to 64 characters. This field is mandatory.
3. Provide a Description for the report (up to 250 characters).

Configure Content

NOTE
Content selected in this step is merged into a single report. This is called an aggregated report.

1. Click Next. The Configure Content screen is displayed. It shows the available scans, their number, and the number of selected scans.
2. Use the Search text box to filter available scans. Search results display scans whose names contain the specified text.
3. Select the Scan Name check boxes corresponding to the desired scans.
4. Create a static or a dynamic report:
• For a static report, click Latest Execution and select the date of the scan execution that you wish to use.
• For a dynamic report, leave Scan Execution as Latest Execution.
For information on these report types, see "Report Types" on page 52.
5. Click Save. A message appears stating that the report has been created successfully.

As soon as a new scan-based report is created, it is automatically run and its results are visible. For information on the details of the report, see "Report Details" on the next page.

NOTE
> Scan-based reports are for personal use only. Users can only access the scan-based reports that they create; no user can access the scan-based reports created by others.
> Selecting a scan makes DDC retrieve the results discovered during the last execution of that scan. Because a different execution may be the latest one each time, different runs of the same scan-based report may produce different results.
Generating Reports

After you have configured a report, it can be generated at any time, and any number of times. To generate a report:
1. In the Reports page, search for the report that you want to generate.
TIP
> Use the Search text box to filter reports. Search results display reports whose names contain the specified text.
> By default, reports are listed in ascending alphabetic order of their names.
> Reports can be sorted by name, type (Scans), analysis (Aggregated), last run time, schedule, and status.
2. Click the overflow icon corresponding to the desired report. A shortcut menu appears.
3. Click Run report. As soon as the report starts to run, its status becomes Pending. The status then changes in the sequence: Pending > Running now / Stopped > Processing > Completed / Failed.

NOTE
Permissions to access the data stores covered by the scans included in a scan-based report are checked every time the report is run. If the current user no longer has the required permission for any of them, an error is displayed.

Report Details

The report details page displays information about the report such as the report name and the number of scans, data stores, and data objects. The page also shows the total data objects scanned, sensitive data objects found, sensitive data matches, and selected infotypes found.

NOTE
There may be a mismatch between the number of objects scanned as shown in the Total Data Objects Scanned info card (top left of the Data Objects page) and the number of objects listed in the table at the bottom ("Showing _ of _"). This is because the table also lists all so-called "inaccessible" items found in the scan. Inaccessible items are data objects that could not be scanned because the Agent could not access their contents.
The main reasons for this are a lack of permissions at the OS level (that is, the Agent is not able to read the file) and/or problems extracting the text data, such as password-protected file contents, corrupted files, and the like.

The table in the report details lists the findings in the following columns:
• Object Name - The name of the scanned data object.
• Risk - The number of risks found in the scanned data object. A risk is the presence of a sensitive item of data.
• Type - The type of the scanned data object, such as "File" or "Folder".
• Path - The path to the object.
• Store - The name of the data store where the object was found.
• Owner - The owner of the object.
• Modified - The date of the last modification of the object.
• Infotypes - The number of information types found in the data object.

NOTE
Due to a known limitation of the processing engine, the Owner and Modified information is usually not listed in the report details.

> To print the report, click the Print Preview button in the top right corner of the screen and then Print. The report is saved in PDF format to the location that you select. To return to the report, click the < Exit Print View link in the top left corner of the screen.

NOTE
For the best experience when exporting reports to PDF, use Chrome or Firefox.

> To return to the Reports page, click All Reports at the top of the report details page.
Logging

DDC writes its log messages to the CipherTrust Manager logs, which are located in the /opt/keysecure/logs directory. The CipherTrust Manager System Administrator (ksadmin) can log in using SSH to retrieve the CipherTrust Manager logs; DDC Application Administrators also have access to the logs. For more details on collecting DDC logs, see "Troubleshooting Issues in Conjunction with Customer Support" in the "Thales CipherTrust Manager Administrator Guide".

Default Logging Level

By default, the log level setting for DDC is INFO. With this log level, DDC writes INFO and ERROR level messages to the log. Among the messages that DDC writes, the error messages and the security audit messages are the most useful for troubleshooting DDC issues and securing the deployment.

Identifying DDC Log Messages

The microservices behind DDC are Oleander and Sundew, and the messages that DDC sends to the CipherTrust Manager log can be identified by those names. Additionally, Oleander has three modules:
> Clustering
> Agent_Selection
> Scan_watcher
Each of these modules generates its own error messages, each written to its own log file. The logging service responsible for collecting and processing these messages is Fluentd. It can display the messages in the terminal through the log command, for example:
> log | grep oleander | grep "clustering"
This command displays all messages coming from Oleander's Clustering module. For a complete list of error messages that DDC sends to the CipherTrust Manager log, see the appendix "Error Log Messages" on page 67.

Security Audit Log Messages

DDC security audit messages can be identified by the Oleander | INFO [security] fragment that they contain.
The full format of such a log line is:
<date> | Oleander | INFO [security] <event> <error (if any)> <details (if any)>
For example:
2020-06-29 | Oleander | INFO | [security] DDCScanClientUnexpectedErrorProbe “error: error probing scan client” “details: [scan_id:5432-5432-543254-2-5432]”
Usually only the event type is printed to the log (in the example above, DDCScanClientUnexpectedErrorProbe); the error and details parts appear only when there is something to report. Note that in the example the log level and the [security] tag are separated by an additional pipe, so when filtering the log match on the [security] tag rather than on the exact spacing. You can find the full list of events with explanations in the appendix "Security Audit Log Event Messages" on page 94.

Enabling Syslog Logging

Audit records are logged to a local database by default. This is suitable for production systems and clusters with a limited load. However, for clusters that handle a large number of transactions, it is recommended to configure CipherTrust Manager to disable logging to the local database and to log to a remote Syslog server instead. This significantly reduces cluster traffic and disk usage. If you disable local database logging, the remote Syslog server holds the only copy of the audit records, so make sure it is reachable and retains logs for as long as you need them. For more information, refer to the following sections in the "Thales CipherTrust Manager Administrator Guide":
> "Disabling local database audit logging"
> "Configuring remote Syslog server"
> "Configuring Connection to a Syslog Server"

APPENDICES

Error Messages

This section lists the various error messages that the system can display, with explanations and solutions (where available).

Branch Locations

"Branch Location name already exists" (message on toast)
You tried to create a branch location with a name that is already taken by another branch location.
SOLUTION: Choose another name.
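The following Python script is an added example, not part of this guide or of DDC itself. It shows how to pull DDC lines out of a CipherTrust Manager log export and handle the two line shapes described above: the plain Oleander error lines of the kind listed in the "Error Log Messages" appendix, and the security audit lines carrying the [security] tag. The sample lines are constructed from the examples on this page; the "sundew" and "kms" lines and their timestamps are made up to show that other services are separated out. The regular expressions are assumptions based on the format shown here, not a published DDC specification.

```python
"""Parse DDC lines from a CipherTrust Manager log export (added example, not Thales code).

Two shapes are handled, both taken from the examples in this guide:
  <date>[ <time>] | oleander | <free-text error message>
  <date> | Oleander | INFO [security] <Event> "error: ..." "details: [...]"
The pipe between INFO and [security] is treated as optional because the guide
shows the format without it and the example with it.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed line shape: "<date>[ <time>] | <service> | <rest>", tolerant of pipe spacing.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2}:\d{2})?)\s*\|\s*'
    r'(?P<service>[A-Za-z_]+)\s*\|\s*(?P<rest>.*)$'
)
# Audit shape after the service column: "INFO [security] <Event> ..." or "INFO | [security] ...".
AUDIT_RE = re.compile(r'^(?P<level>[A-Z]+)\s*\|?\s*\[security\]\s+(?P<event>\S+)(?P<tail>.*)$')
# "error: ..." / "details: ..." fragments, in straight or curly quotes.
QUOTED_RE = re.compile(r'[“"](?P<key>error|details):\s*(?P<val>[^”"]*)[”"]')
# Module tag at the start of a plain error message, e.g. "[Background-Processes] ...".
MODULE_RE = re.compile(r'^\[(?P<module>[^\]]+)\]')


@dataclass
class LogRecord:
    timestamp: str
    service: str                       # "oleander", "sundew", ... normalised to lower case
    message: str                       # everything after the service column
    module: Optional[str] = None       # bracketed module tag of a plain error line, if any
    security_event: Optional[str] = None
    error: Optional[str] = None
    details: Optional[str] = None
    scan_id: Optional[str] = None      # pulled out of details when present


def parse_line(line: str) -> Optional[LogRecord]:
    """Return a LogRecord for a "<ts> | <service> | ..." line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = LogRecord(timestamp=m['ts'], service=m['service'].lower(), message=m['rest'].strip())
    a = AUDIT_RE.match(rec.message)
    if a:
        rec.security_event = a['event']
        for q in QUOTED_RE.finditer(a['tail']):       # only "error" and "details" keys exist
            setattr(rec, q['key'], q['val'].strip())
        if rec.details:
            s = re.search(r'scan_id:([^\]\s]+)', rec.details)
            rec.scan_id = s.group(1) if s else None
    else:
        t = MODULE_RE.match(rec.message)
        rec.module = t['module'] if t else None
    return rec


def parse_log(text: str) -> List[LogRecord]:
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r is not None]


def select(records: List[LogRecord], service: Optional[str] = None,
           module: Optional[str] = None) -> List[LogRecord]:
    """Field-based equivalent of `log | grep oleander | grep "<module>"` (case-insensitive)."""
    out = []
    for r in records:
        if service and r.service != service.lower():
            continue
        if module and (r.module or '').lower() != module.lower():
            continue
        out.append(r)
    return out


def security_events(records: List[LogRecord]) -> Dict[str, int]:
    """Count security audit events by event type, e.g. for a daily audit summary."""
    counts: Dict[str, int] = {}
    for r in records:
        if r.security_event:
            counts[r.security_event] = counts.get(r.security_event, 0) + 1
    return counts


# Constructed sample: the first three and the fifth line are taken from this guide,
# the bare audit line, the sundew line and the kms line are made up for the example.
SAMPLE_LOG = """\
2020-02-20 19:53:08 | oleander | Error connecting to the scan service
2020-02-13 08:50:17 | oleander | DDC Error creating the database schema.: error executing http request. Code: 500 - Body:<html>
2020-06-29 | Oleander | INFO | [security] DDCScanClientUnexpectedErrorProbe “error: error probing scan client” “details: [scan_id:5432-5432-543254-2-5432]”
2020-06-29 | Oleander | INFO [security] DDCScanClientUnexpectedErrorProbe
2020-06-29 10:00:00 | oleander | [Background-Processes] Error starting scans watchers
2020-06-29 10:00:01 | sundew | scan worker started
2020-06-29 10:00:02 | kms | unrelated CipherTrust Manager line
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in select(recs, service="oleander", module="Background-Processes"):
        print(r.timestamp, r.module, r.message)
    for r in recs:
        if r.security_event:
            print(r.timestamp, r.security_event, r.error, r.scan_id)
    print(security_events(recs))
```

On a real appliance, feed the script the output of the log command or the files under /opt/keysecure/logs and compare security_events() against the events you expect for the period; a security event with a populated error field, as in the probe example above, is the one to investigate first.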
Data Stores

"Data Store name already exists" (message on toast)
You tried to create a data store with a name that is already taken by another data store.
SOLUTION: Choose another name.

"A valid agent could not be found" (Agent selection - on mouse-over on the data store)
The automatic agent selection process could not detect an active agent for this data store.
SOLUTION: This requires additional research, such as checking whether the agent is installed on the data store, whether it has the right type (local/proxy), whether it is of the right OS "flavor" (Linux, Windows), or of the right kind (for example, database). Refer to the "Deployment Guide" for more information on troubleshooting this issue.

Scans

"Scan name already exists" (message on toast)
You tried to create a scan with a name that is already taken by another scan.
SOLUTION: Choose another name.

"All Data Stores are disabled" (message on toast)
You attempted to run a scan in which all data stores are disabled.
SOLUTION: Enable at least one data store for the scan. Refer to the "Managing Scans" chapter on page 45 for instructions.

"The following Data Stores are not accessible: <xyz>" (message on toast)
You tried to scan a data store that is not accessible. The scan is marked as Failed and shows a warning icon with the message "The data store <xyz> included in the scan is not accessible" on mouse-over.
SOLUTION: Verify the connectivity from the agent to the data store. Verify the data store configuration.

"One or more Data Stores are not accessible." (on mouse-over on the scan fail icon)
The scan failed because a configured data store became inaccessible after the scan was launched.
SOLUTION: There may be a number of reasons for this.
To troubleshoot a failed data store, refer to "Managing Data Stores" on page 32.

"The following Data Stores have no agent available: <xyz>" (on mouse-over on the scan fail icon)
You tried to scan a data store that had no agent available when the scan was executed. There is a problem with the agent. The data stores that failed are listed.
SOLUTION: This requires additional research, such as checking whether the agent is installed on the data store, whether it has the right type (local/proxy), whether it is of the right OS "flavor" (Linux, Windows), or of the right kind (for example, database). Refer to the "Deployment Guide" for more information on troubleshooting this issue.

"Data Store has incorrect credentials" (on mouse-over on the scan fail icon)
The data store credentials provided are incorrect, so the scan cannot be executed. The affected data stores are listed.
SOLUTION: Update the server credentials for the data store.

"One or more Data Stores have incorrect credentials" (message on toast)
The credentials for one or more data stores are no longer valid (credentials modified, user deleted, and so on), preventing the scan from completing.
SOLUTION: Reconfigure the data store and re-launch the scan.

"The scanner service is not available" (message on toast)
You tried to run a scan while the scan engine was unavailable.
SOLUTION: Check the status of the scan engine (the KeySecure server).

"The following Data Stores have missing agents: <xyz>" (message on toast)
An agent was assigned to the listed data store(s), but when the scan was launched the assigned agent could not be found on the server.
SOLUTION: Try to re-assign the agent in the Data Stores screen. If this does not work, check the agent assigned to the <xyz> data store.

"The following Data Stores have agent errors: <xyz>" (message on toast)
A management request for an agent failed (for example, at verification or when setting it as a proxy) during the scan execution.
SOLUTION: This is usually a transient issue. Wait a few minutes and run the scan again. If it still fails, check the agent status.

"Error processing scan" (message on toast)
The scan failed in the processing stage, that is, while the scan results were being processed by DDC.
SOLUTION: Run the scan again. If the error persists, contact Thales support.

"Error connecting to HDFS" (message on toast)
The scan failed because there is no HDFS connectivity.
SOLUTION: Check the HDFS configuration in DDC (Hadoop Services). Refer to the "Deployment Guide" for information on configuring the DDC-HDFS connection.

"Error connecting to PQS" (message on toast)
The scan failed because there is no PQS connectivity.
SOLUTION: Check the PQS configuration in DDC (Hadoop Services) or the PQS/Hadoop configuration in your Hadoop deployment. Refer to the "Deployment Guide" for information on configuring the DDC-PQS connection.

"Error checking the data allowance" (message on toast)
DDC is not licensed. DDC sends a request for data allowance to the license server and the server responds that there is no license.
SOLUTION: Obtain and install a valid DDC license.

"One target path is missing" (on mouse-over on the scan fail icon)
The scan failed because one or more target paths are missing.
SOLUTION: Open the scan for editing by following the Edit link embedded in the error message, and check which target path is missing (it is indicated by a yellow exclamation mark in the Targets section).

"One database target has incorrect schema" (on mouse-over on the scan fail icon)
The scan failed because one or more database targets have an incorrect schema.
SOLUTION: Open the scan for editing by following the Edit link embedded in the error message, and check which target has an incorrect schema (it is indicated by a yellow exclamation mark in the Targets section).

"One database target has incorrect table" (on mouse-over on the scan fail icon)
The scan failed because one or more database targets have an incorrect table.
SOLUTION: Open the scan for editing by following the Edit link embedded in the error message, and check which target has an incorrect table (it is indicated by a yellow exclamation mark in the Targets section).

"One target has incorrect file extension" (on mouse-over on the scan fail icon)
The scan failed because one or more targets have an incorrect file extension.
SOLUTION: Open the scan for editing by following the Edit link embedded in the error message, and check which target has an incorrect file extension (it is indicated by a yellow exclamation mark in the Targets section).

"One target has nested paths" (on mouse-over on the scan fail icon)
The scan failed because one or more targets have nested paths.
SOLUTION: Open the scan for editing by following the Edit link embedded in the error message, and check which target has a nested path (it is indicated by a yellow exclamation mark in the Targets section).

"The target <PATH> for Data Store <DATASTORENAME> is a file" (on mouse-over on the scan fail icon)
A file cannot be the target of a data store.
SOLUTION: Open the scan for editing by following the Edit link embedded in the error message, and set a directory as the target path (the failing target path is indicated by a yellow exclamation mark in the Targets section).
"The target <PATH> for Data Store <DATASTORENAME> is not a valid directory" (on mouse-over on the scan fail icon)
The directory specified as the target path is invalid.
SOLUTION: Open the scan for editing by following the Edit link embedded in the error message, and check the directory. The invalid directory is indicated by a yellow exclamation mark in the Targets section.

"The target <PATH> for Data Store <DATASTORENAME> cannot be accessed" (on mouse-over on the scan fail icon)
The path specified as the target path is inaccessible.
SOLUTION: Open the scan for editing by following the Edit link embedded in the error message, and check the path. The inaccessible path is indicated by a yellow exclamation mark in the Targets section.

Reports

"Report name already exists" (message on toast)
You tried to create a report with a name that is already used by another report.
SOLUTION: Choose another name.

"The version of the scan that was used to generate the report can no longer be found." (message on toast)
Backup restore error. You tried to create a report using a scan that cannot be found after restoring the system from backup. This happens with older reports created before the backup when some data is lost during the restore, leaving inconsistencies in the environment. In this case, the scan version has been deleted from PostgreSQL or cannot be found.
SOLUTION: None.

"The report template is configured with a scan execution that can no longer be found." (message on toast)
Backup restore error. You tried to create a report based on a scan execution that cannot be found after restoring the system from backup. This happens with older reports created before the backup when some data is lost during the restore.
This error indicates that some data was lost after restoring the system, leaving inconsistencies in the environment. In this case, the scan execution ID cannot be found in PQS.
SOLUTION: None.

Classification Profiles

"Classification Profile name already exists" (message on toast)
You tried to create a classification profile with a name that is already taken by another classification profile.
SOLUTION: Choose another name.

Licensing

"DDC License not found - try again in a few minutes if you recently inserted one" (message on toast)
Any action performed in the UI results in this message because there is no valid DDC license installed.
SOLUTION: Obtain and install a valid license.

"DDC License expired" (message on toast)
Any action performed in the UI results in this message because your DDC license has expired.
SOLUTION: Obtain and install a valid license.

Hadoop Configuration

"Hadoop is not active. Please go to DDC Settings --> Hadoop" (message on toast)
Problem communicating with Hadoop, or DDC has not been configured with Hadoop.
SOLUTION: Assuming that you have Hadoop deployed in your environment, configure DDC to use it (DDC Settings --> Hadoop in the KeySecure UI). For a detailed procedure, refer to the "Deployment Guide".

"Error connecting to the PQS database" (message on toast)
Problem communicating with the Phoenix Query Server database (that is, HBase).
SOLUTION: Check the PQS configuration in DDC (Hadoop Services) or the PQS/Hadoop configuration in your Hadoop deployment. Refer to the "Deployment Guide" for information on configuring the DDC-PQS connection.

"Error creating the PQS database schema"
Problem communicating with the Phoenix Query Server database.
(message on toast)
SOLUTION: Check the PQS configuration in DDC (Hadoop Services) or the PQS/Hadoop configuration in your Hadoop deployment. Refer to the "Deployment Guide" for information on configuring the DDC-PQS connection.

"Error using the PQS database schema" (message on toast)
Problem communicating with the Phoenix Query Server database.
SOLUTION: Check the PQS configuration in DDC (Hadoop Services) or the PQS/Hadoop configuration in your Hadoop deployment. Refer to the "Deployment Guide" for information on configuring the DDC-PQS connection.

"Error connecting to HDFS" (message on toast)
SOLUTION: Check the HDFS configuration in DDC (Hadoop Services). Refer to the "Deployment Guide" for information on configuring the DDC-HDFS connection.

"Invalid HDFS directory path: Not a directory" (message on toast)
SOLUTION: Check the HDFS configuration in DDC (Hadoop Services). Refer to the "Deployment Guide" for information on configuring the DDC-HDFS connection.

"Incorrect credentials in the HDFS connection" (message on toast)
SOLUTION:
1. Check the HDFS configuration in DDC (Hadoop Services). Refer to the "Deployment Guide" for information on configuring the DDC-HDFS connection.
2. Check that the authentication service is up and running.

"Incorrect HDFS URI" (message on toast)
SOLUTION: Check the HDFS configuration in DDC (Hadoop Services). Refer to the "Deployment Guide" for information on configuring the DDC-HDFS connection.

"Invalid HDFS folder: the path to the folder does not exist" (message on toast)
SOLUTION: Check the HDFS configuration in DDC (Hadoop Services). Refer to the "Deployment Guide" for information on configuring the DDC-HDFS connection.

"Invalid server certificate in the HDFS request" (message on toast)
SOLUTION: Check the HDFS configuration in DDC (Hadoop Services), in particular that the certificate presented by the HDFS endpoint is the one DDC is configured to trust. Refer to the "Deployment Guide" for information on configuring the DDC-HDFS connection.

"Incorrect credentials in the PQS connection" (message on toast)
SOLUTION:
1. Check the PQS configuration in DDC (Hadoop Services) or the PQS/Hadoop configuration in your Hadoop deployment. Refer to the "Deployment Guide" for information on configuring the DDC-PQS connection.
2. Check that the authentication service is up and running.

"Invalid server certificate in the PQS request" (message on toast)
SOLUTION: Check the PQS configuration in DDC (Hadoop Services) or the PQS/Hadoop configuration in your Hadoop deployment, in particular that the certificate presented by PQS is the one DDC is configured to trust. Refer to the "Deployment Guide" for information on configuring the DDC-PQS connection.

"Your system does not meet the 16GB RAM minimum" (message displayed across the bottom of all DDC screens)
DDC requires at least 16GB of RAM to run properly.
SOLUTION: Increase the RAM on the system to at least the required minimum of 16GB.

Error Log Messages

This section lists the various error messages that DDC sends to the KeySecure log, with a comment or explanation for each.

OLEANDER ERRORS

2020-02-20 19:53:08 | oleander | Error connecting to the scan service
This error means a connectivity issue between Oleander and Sundew/ER2.

2020-02-13 08:50:17 | oleander | DDC Error creating the database schema.: error executing http request. Code: 500 - Body:<html>
To check the connectivity with the external Hadoop database, a schema is created. This error means that there is no connectivity with Hadoop.
(Also possibly related to "Error creating the PQS database schema" in the UI.)

"CLIENT_CREDENTIAL_PARTITION is not set"
The CLIENT_CREDENTIAL_PARTITION variable is not set in the config object.

"[Background-Processes] Error retrieving license from DMV", "error", err
Oleander's GetLicenses request against DMV has failed. This error could have been caused by DMV being down.

"[Background-Processes] Error killing all agents selections"
When the Oleander instance loses its license or the current license expires, all ongoing agent selections are stopped. This error is caused by an internal Oleander issue while these agent selections are being shut down.

"[Background-Processes] Error killing all scan watchers"
When the Oleander instance loses its license or the current license expires, all ongoing scan tracking is stopped. This error is caused by an internal Oleander issue while the scan tracking is being shut down.

"[Background-Processes] Error removing all scan schedules due to DDC not licensed"
When the Oleander instance loses its license or the current license expires, all scheduled scans are stopped. This error is caused by an internal Oleander issue while the scheduled scans are being stopped.

"[Background-Processes] Error starting agent selection for datastores"
The listed data stores have no agent available.

"[Background-Processes] Error starting scans watchers"
When the Oleander instance receives a valid license from DMV, all stopped agent selections must be resumed. This error is caused by an internal Oleander issue while the agent selections are being resumed.

"[Background-Processes] Error starting cron schedules"
When the Oleander instance receives a valid license from DMV, all stopped scheduled scans must be resumed.
This error is caused by an internal Oleander issue while the scheduled scans are being resumed.

"[Background-Processes] Error trying to migrate the PQS database"
During the PQS configuration, an error occurred while applying the changesets that update the database, create the tables, and so on.

"[Background-Processes] Error creating cron", "error", err
The background_processes service continually creates cron jobs that check the license status against DMV. This error is caused by an internal Oleander issue during the creation of one of these cron jobs.

"[Background-Processes] Error with unmarshal."
Any "unmarshal/unmarshalling" error is caused by an internal Oleander issue converting a Go object to JSON or vice versa.

"[Background-Processes] Error while trying to update status to FAILED for datastore.", "name", ds.Name, "error", err
When the background_processes service gets an invalid or expired license from DMV, all running scans must be stopped and set to FAILED. This message indicates an internal Oleander error changing the scan status for some scan.

"[Background-Processes] Error while trying to retrieve scans from background processes table"
When the Oleander instance receives a valid license from DMV, all stopped normal scans must be resumed. This error is caused by an internal Oleander issue accessing the background processes table, which contains all the information needed to resume the scans.

"[Background-Processes] Watcher has failed updating scan status for scan", "name", sc.Scan.Name, "error", err
The background_processes service is responsible for tracking the running scans and updating their status in Oleander. This message indicates an internal Oleander issue updating the scan_process table.

"Cannot retrieve the HDFS settings", "error", err
Connectivity or internal Oleander error while retrieving the HDFS settings from Citrus.

"Cannot retrieve the PQS settings", "error", err
Connectivity or internal Oleander error while retrieving the PQS settings from Citrus.

"Cannot find the country", "error", err
A user created a Branch Location and set a country that is not registered in the DDC database.

"Cannot find the state", "error", err
A user created a Branch Location and set a state ID that is not registered in the DDC database.

"Trying to verify if the country has states", "error", err
A user created a Branch Location and set a state name that is not registered in the DDC database.

"Missing tag %s for the default classification profiles", r
When inserting the default classification profiles, no tag matches the corresponding regulation.

"[Datastores] Error encrypting connection for datastore: ", "Name", d.Name
Error when calling the Scrim Helper to encrypt the Connection field of a data store.

"[Datastores] Error while trying to create background process resource for datastore: ", "Name", d.Name
When a data store is created, a new row is inserted into the Background Processes table for further tracking. This message indicates an internal Oleander issue inserting that row.

"[Datastores] Error selecting agent for datastore ", "Name", dsAAS.Name, "error", err
No suitable agent has been found for this data store.

"[Datastores] Error while trying to retrieve datastore for background process, agent selection might fail: ", "error", err
Error retrieving a data store from the database for background-process purposes during a datastore.update operation.

"[Datastores] Error running automatic agent selection", "error", errAgentUpdate
An internal Oleander error occurred while updating the status of a data store during automatic agent selection.

"[Datastores] Error while trying to unmarshal datastore from background processes"
An internal Oleander error occurred while converting a JSON object to a Go object while recovering the automatic agent selections.

"Error closing the json file", "error", err
Oleander failed to close a JSON file.

"Error trying to close the families json file"
Oleander reads a families JSON file to populate the database at startup. This message indicates an internal Oleander error while closing this file.

"Error initializing the account", "error", *errPtr
Oleander failed to set the initialization status in the accounts map.

"Error closing oleander", "error", err
The Oleander service could not be closed.

"Error starting background processes", "error", err
An error occurred while executing the background processes.

"Error connecting to HDFS", "error", err
The scan failed because there is no HDFS connectivity.

"Error trying to close the info types json file"
Oleander reads an infotypes JSON file to populate the database at startup. This message indicates an internal Oleander error while closing this file.

"Error connecting to PQS", "error", err
The scan failed because there is no PQS connectivity.

"Error closing the temporary file", "FileName", f.Name(), "error", err
Oleander failed to close the temporary file used for decrypting the raw data file.

"Error deleting the temporary file", "FileName", f.Name(), "error", err
Oleander failed to delete the temporary file used for decrypting the raw data file. If this occurs, the decrypted temporary file may remain on disk until it is removed.

"Error trying to close the zip file", "error", merry.Wrap(err).WithHTTPCode(http.StatusBadRequest)
Oleander failed to close the zip file used for decrypting the raw data file.

"Error changing the scan status", "error", err
Internal Oleander error while updating the scan status in the Scan Process table.

"[Scan-Launcher] Error while trying to create background process resource for datastore", "name", rsc.Name
Oleander inserts a row into the Background Processes table for further scan tracking. This message indicates an internal Oleander error while performing this insert.

"[Scan-Launcher] The scan watcher returned an error", "error", err
Generic error message for any issue during the scan watcher process.

"[Scan-Launcher] Agent not found for datastore", "DS name", s.ScanDatastores[i].Datastore.Name, "error", err
The listed data stores have no agent available.

"[Scan-Launcher] Error getting absolute paths", "DS name", s.ScanDatastores[i].Datastore.Name, "error", err
Oleander was unable to retrieve the absolute paths of the named data store for scan execution.

"[Scan-Launcher] Error getting connection path", "DS name", s.ScanDatastores[i].Datastore.Name, "error", err
Oleander was unable to retrieve the connection path of the named data store for scan execution.

"[Scan-Launcher] Error retrieving the oleander context"
Error while generating the Oleander service user (the context for executing actions on behalf of Oleander itself, rather than a specific user).

"[Scan-Launcher] Error while validating the scan"
Generic error: one of the validation steps has failed (for example, some data stores are not ready or a probe has failed).

"[Scan-Launcher] Error while retrieving extensions"
The extensions necessary for the scan execution could not be retrieved from the database.

"[Scan-Launcher] Unable to initialize background process"
The background process object could not be initialized, so the scan watcher cannot start.
"[Scan-Actions] Error found while trying to delete background process resource" When Oleander has finished tracking a scan it removes the corresponding row from background processes table - this error message indicates an internal Oleander issue removing that row. "[Scan-Actions] Error trying to execute the Scan scheduled run", "error", err Oleander failed trying to add a scan schedule for a scan. "Error changing the scan status", "error", err Generic error message for an issue during the update of the scan status. "[Scan-Watchers] Watcher has failed getting scan status from scanned service", "scan", sc.Scan.Name, "error", err This indicates an underlying connectivity issue with Sundew. "[Scan-Watchers] Watcher has failed updating scan status", "scan", sc.Scan.Name, "error", err Error updating the scan status in the scan process table. "[Scan-Watchers] Error processing the report: ", "error", err Oleander scan collector has failed trying to create the scan collector background process for the mentioned scan. "[Scan-Watchers] Scan aborted, maximum wait for scan results exceeded", "MaxTimeInterruptedState (minutes)", o.Config.Er2MaxInterruptedTime/60, "scan", sc.Scan.Name, "current status", sc.Scan.ScanProcess.Status, "scan service status", er2MappedStatus The scan has been in INTERRUPTED er2 state for too long, when it exceeds the timeout the status is changed to FAILED in DDC. "Error trying to parse er2 polling frequency from env" Oleander failed trying to read the ER2 POLLING FREQUENCY env variable from the config object. "Error while trying to retrieve scans from background processes table", "error", err Oleander tried to retrieve all SCAN rows in the background processes table but it failed. "Error trying to recover the scan watchers", "error", err One of the scan watchers instantiated by the recovery system has returned an error and stopped working. "Wrong datastore credentials" Oleander was unable to reach a datastore due to credentials failure. 
"Wrong target path defined" | A scan failed because the defined target path was not valid.
"Wrong db schema in target path" | A scan failed because the defined DB schema was not valid.
"Wrong db table in target path" | A scan failed because the DB defined was not valid.
"Wrong defined file extension in target path" | A scan failed because a file was specified without an extension.
"Error connecting to the scan service" | Oleander is unable to connect to ER2.
"Error processing the scan reports" | Generic error while processing a scan report.
"No Data Allowance Licensing detected" | Oleander does not have a Data Allowance record.
"Error reading the scan report" | Generic error while reading a scan report.
"Probing path can be launched only on folders. Files are not supported" | The scan failed because a file was specified as the target instead of a folder.
"Probing a File or Directory that does not exist" | The scan failed because the specified directory does not exist.

OLEANDER INFO

Error Message | Comment/Explanation
"[Background-Processes] This node was NOT selected as active node. Turning off background processes" | Related to clustering; self-explanatory.
"[Background-Processes] This node was selected as active node. Turning on background processes" | Related to clustering; self-explanatory.
"[Background-Processes] Recovering collectors" | Oleander has received a valid license and is recovering the collector processes that were stopped.
"[Background-Processes] Updating license from DMV" | Oleander is requesting from DMV the licenses available for DDC.
"[Background-Processes] Global license status set to nil" | Oleander is unlicensed.
"[Background-Processes] Global license status set to ", "newLicenseStatus", *newLicenseStatus | The Oleander license status is the value of newLicenseStatus.
"[Background-Processes] Checking HDFS connectivity" | Oleander is sending a ping to HDFS to check connectivity.
"[Background-Processes] Cannot connect with HDFS", "error", err | Oleander's ping against HDFS has failed. Oleander has no connectivity with HDFS.
"[Background-Processes] HDFS connectivity successful" | Oleander has successfully pinged HDFS. Oleander has connectivity with HDFS.
"[Background-Processes] Checking PQS connectivity" | Oleander is sending a ping to PQS to check connectivity.
"[Background-Processes] Cannot connect with PQS", "error", err | Oleander's ping against PQS has failed. Oleander has no connectivity with PQS.
"[Background-Processes] PQS connectivity successful" | Oleander has successfully pinged PQS. Oleander has connectivity with PQS.
"[Background-Processes] License status has changed" | The Oleander license status has changed since the last execution of the license cron.
"[Background-Processes] Initializing fast cron: Oleander unlicensed", "UnlicensedCronFrequency", o.Config.UnlicensedCronFrequency | Oleander is unlicensed, so the license cron (which asks DMV for a DDC license) increases its frequency. The frequency is defined in the docker-compose file.
"[Background-Processes] Initializing fast cron: waiting for Hadoop connectivity", "HadoopConnectivityCronFrequency", o.Config.HadoopConnectivityCronFrequency | Oleander has a valid license but does not have connectivity with Hadoop.
"[Background-Processes] Initializing slow cron: Oleander licensed and Hadoop connectivity successful", "RunningCronFrequency", o.Config.RunningCronFrequency | Oleander has a valid license and has connectivity with Hadoop, so the license cron decreases its frequency. The frequency is defined in the docker-compose file.
"[Background-Processes] About to run NO LICENSE scenario" Oleander has no valid license so it will stop all running scan watchers, automatic agent selections and scan schedules. "[Background-Processes] About to run VALID LICENSE scenario" Oleander didn't have a valid license but now it has one so all scan watchers, automatic agent selections and scan schedules that were stopped are being resumed. "[Background-Processes] Recovering automatic agent selection" Part of the VALID LICENSE scenario above. Thales CipherTrust Data Discovery and Classification 2.0.0 : Administrator Guide 08 December 2020, Copyright © 2020 Thales Group. All rights reserved. 73 Error Message Comment/Explanation "[Background-Processes] Starting automatic agent selection for pending datastores", "pending datastores", strings.Join(ds, ", ") Part of the VALID LICENSE scenario above. "[Background-Processes] Recovering watchers" Part of the VALID LICENSE scenario above. "[Background-Processes] Starting watchers for ongoing scans", "ongoing scans", strings.Join(ss, ", ") Part of the VALID LICENSE scenario above. "[Background-Processes] Recovering scan schedules" Part of the VALID LICENSE scenario above. "[Background-Processes] Migrating PQS database" Self-explanatory message. "[Background-Processes] Deleting background process for scan", "name", sc.Scan.Name Oleander has no valid license so all scans are being stopped as well as their corresponding background processes. "[Background-Processes] Updating status to FAILED for scan", "name", sc.Scan.Name Oleander has no valid license so all scans are being stopped (with status FAILED). "Cannot connect to HDFS", "settings", hdfsSettings, "error", err Oleander's ping against HDFS has failed. Oleander has no connectivity with HDFS. "Cannot connect to PQS", "Settings", pqsSettings, "error", err Oleander's ping against PQS has failed. Oleander has no connectivity with PQS. 
"[Datastores] Agent selected: ", "Name", a.Name Oleander has found and assigned a suitable agent for the mentioned datastore. "Unable to connect with datastore", "datastore name", d.Name, "error", err A probe against the mentioned datastore has failed during a test connectivity check. "Instantiating new scrim helper" Oleander is instantiating a new ScrimHelper object which is used for communication with Scrim, Minerva, Sallyport and DMV. "Instantiating new hdfs scan collector" Oleander is instantiating a new HDFSCollector object which is used for communication and processing with HDFS. "Instantiating scheduler cron" Oleander is instantiating a new SchedulerCron and starting the background processes. "[WARNING] PQS connector can not be closed in GetSummaryReport service" Oleander was unable to close the PQS connector while executing a GetSummaryReport operation. Thales CipherTrust Data Discovery and Classification 2.0.0 : Administrator Guide 08 December 2020, Copyright © 2020 Thales Group. All rights reserved. 74 Error Message Comment/Explanation "[WARNING] PQS connector can not be closed in GetDatastoresDetailsReport service" Oleander was unable to close the PQS connector while executing a GetDatastoresDetailsReport operation. "[WARNING] PQS connector can not be closed in GetReportTemplate service" Oleander was unable to close the PQS connector while executing a GetReportTemplate operation. "[Scan-Actions] [WARNING] PQS connector can not be closed in GetScanExecutions service" Oleander was unable to close the PQS connector while executing a GetScanExecutions operation. "[Scan-Watchers] Stop watcher signal received", "scan", sc.Scan.Name A running scan watcher has received a STOP signal and the current execution is cancelled. "[Scan-Watchers] Watcher has failed stopping scan from scanned service" The scan has been in an INTERRUPTED status for too long so Oleander has tried to stop the scan in ER2 but the request was unsuccessful. 
"[Scan-Watchers] Watcher has detected different status", "scan", sc.Scan.Name, "current status", sc.Scan.ScanProcess.Status, "scan service status", er2MappedStatus The scan watcher has detected a change in the scan status, scan status will be updated in DDC. "[Scan-Watchers] Interrupted status received", "MaxTimeInterruptedState", o.Config.Er2MaxInterruptedTime, "scan", sc.Scan.Name, "current status", sc.Scan.ScanProcess.Status, "scan service Mapped status", er2MappedStatus, "scan service status", er2Status, "InterruptedTimestamp", sc.InterruptedTimestamp The scan watcher has received an INTERRUPTED status for the scan, the scan watcher will continue asking until the status changes or the timeout is exceeded. "[Scan-Watchers] Scan has finished... collector starting", "scan", sc.Scan.Name The scan watcher has received a COMPLETED status for the scan, the scan status is set to PROCESSING in DDC and the scan collector starts. SUNDEW INFO "Asking for license status" Sundew is requesting from Oleander the DDC license status. "Active license information received", "http ret code", c Sundew has received a valid license status from Oleander. "Starting scan service..." Sundew is launching ER2. "Connectivity test successful, scan service is up" Sundew confirms that ER2 is up-and-running. Thales CipherTrust Data Discovery and Classification 2.0.0 : Administrator Guide 08 December 2020, Copyright © 2020 Thales Group. All rights reserved. 75 Error Message Comment/Explanation "Generating scan service license...", "ID", s.er2Status.lastIssuedLicenseID Sundew is generating a license for ER2. "Injecting license into scan service" Sundew is injecting the generated license into ER2. "License won't be generated/refreshed in this iteration", "ID", s.er2Status.lastIssuedLicenseID, "checks (intervals)", s.Config.GeneratingLicenseItervals.er2Status.lastIssuedLicense No action is required from Sundew for this iteration regarding licensing. 
"Not active license or product not licensed response received", "http ret code", c Sundew has received an invalid license status from Oleander. "Scan service stopped" Sundew is stopping ER2. "Unexpected error code in response for /license/status", "http ret code", c Sundew asked Oleander for the license status but got an unexpected response. SUNDEW ERROR "CLIENT_CREDENTIAL_PARTITION is not set." CLIENT_CREDENTIAL_PARTITION variable is not set in the config object. "Error trying to ask for license status", "error", err Sundew failed trying to request DDC status from Oleander. "Error trying to start the scan service", "error", err Sundew failed trying to start ER2. "Connectivity test to the scan service failed", "error", conErr Sundew failed trying to ping ER2. ER2 is down. "Error during validation of received license", "error", err Sundew failed trying to validate the DDC license retrieved from Oleander. "Error parsing the license ID", "error", err Sundew failed trying to parse the DDC license ID received from Oleander. "Error while injecting license inside scan service", "error", err Sundew failed trying to inject the generated license into ER2. "Error stopping scan service", "error", err Sundew failed trying to stop ER2. "Error closing the response body", "error", err Sundew failed trying to close the HTTP response body from a request. "Error closing sundew", "error", err Error when trying to close the Sundew service. Thales CipherTrust Data Discovery and Classification 2.0.0 : Administrator Guide 08 December 2020, Copyright © 2020 Thales Group. All rights reserved. 76 Reconfiguring Agents In some situations, for example, if the hostname or IP address of the CipherTrust Manager appliance changes, Agents' connection with DDC must be reconfigured with the new hostname or IP address. Reconfiguring DDC Agents on Windows To reconfigure a DDC Agent: 1. Log on to the host machine as administrator. 2. Open Enterprise Recon Configuration Tool (er2_config_cmd.exe). 
   By default, the tool is available at C:\Program Files (x86)\Ground Labs\Enterprise Recon 2\.
3. In the Master server IP address or host name field, specify the new hostname or IP address of the CipherTrust Manager.
4. Click Test Connection. A message stating "Connectivity test is successful" confirms successful reconfiguration.
5. Click Finish.

Reconfiguring DDC Agents on Debian

To reconfigure a DDC Agent:

1. Log on to the host machine as a user with root privileges.
2. Reconfigure the connection with DDC on the CipherTrust Manager appliance:

   sudo er2-config -i <hostname|ip_address>

   Here, <hostname|ip_address> represents the new IP address or hostname of the CipherTrust Manager appliance.
3. Restart the Agent service. The configuration settings take effect after the Agent restarts.

   sudo /etc/init.d/er2-agent restart

Reconfiguring DDC Agents on RHEL

To reconfigure a DDC Agent:

1. Log on to the host machine as a user with root privileges.
2. Reconfigure the connection with DDC on the CipherTrust Manager appliance:

   er2-config -i <hostname|ip_address>

   Here, <hostname|ip_address> represents the new IP address or hostname of the CipherTrust Manager appliance.
3. Restart the Agent service. The configuration settings take effect after the Agent restarts.

   /etc/init.d/er2-agent restart

Restarting DDC Agents

Restarting Agents on Windows

To restart a DDC Agent, run the following commands:

   net stop "Enterprise Recon 2 Agent (<ARCH>)"
   net start "Enterprise Recon 2 Agent (<ARCH>)"

Here, <ARCH> represents the Windows architecture, x32 or x64.

Restarting Agents on Debian

To restart a DDC Agent, run:

   sudo /etc/init.d/er2-agent restart

TIP: Alternatively, restart the Agent service by stopping it and then starting it again manually.
Run the following commands:

   sudo /etc/init.d/er2-agent stop
   sudo /etc/init.d/er2-agent start

Restarting Agents on RHEL

To restart a DDC Agent, run:

   # /etc/init.d/er2-agent restart

TIP: Alternatively, restart the Agent service by stopping it and then starting it again manually. Run the following commands:

   # /etc/init.d/er2-agent stop
   # /etc/init.d/er2-agent start

Mounting an NFS Share

To mount an NFS share on a Proxy agent, run this command as root:

   # mount <nfs-server-hostname|nfs-server-ipaddress>:</target/directory/share-name> </local/mount-point>

Here, </local/mount-point> represents an existing directory on the Proxy agent where the share is mounted.

REST API

You can use the REST interface from the API playground or via any REST client such as curl. To use the REST interface from the API playground, acquire an authorization token and use it when making API calls.

Acquiring an Authorization Token

To acquire a token:

1. Open the CipherTrust Manager URL in a browser. The login page is displayed.
2. Click the API & CLI Documentation link. The API playground is displayed.
3. At the top right, click Authenticate.
4. Enter the username and password.
5. Click POST.

NOTE: This acquires an API token and prefills it in the playground examples. The token expires in 300 seconds (5 minutes). When it expires, use this process again to acquire a new token.

On successful token generation, the remaining token expiry time in seconds is displayed. Two new buttons, Clear Credentials and Re Authenticate, are also displayed at the top right.

Using the Token

The authorization token acquired above is used in the examples in the API playground. The token expires in 5 minutes; if it has expired, generate a new token as described in "Acquiring an Authorization Token" above.

Making an API Call

To make an API call, in the left pane, find the API and click it.
In the right pane, specify the values of the required parameters, and click the appropriate button (for example, POST, GET, DELETE or Curl) in the playground.

For example, to create a branch location on the CipherTrust Manager:

1. In the left pane of the API playground, click DDC.
2. Under ddc/system-settings/branch-locations, click Create. The Create section of the API playground is displayed in the right pane.
3. In the body field, specify the parameters with their values, as shown below.

   {
     "name": "mybranch",
     "city": "Paris",
     "countryId": "18faaf74-c511-4086-a5fb-8062ecf2d8f4",
     "stateId": ""
   }

   Expand schema under the body field for the names and types of the fields. Mouse over each field to view its description. The parameter names and casing in the body field must match those shown in the schema. Also, ensure that parameters and their values are specified in double quotes.
4. Click POST.

Alternatively, to get an equivalent curl command, click the Curl button. The curl equivalent is shown in the text field below. Use the curl tool to run the command and make the REST API call.

Similarly, all API calls can be made by referring to the schema shown in the playground.

CLI

The CipherTrust Manager includes a CLI tool, named ksctl, that can be downloaded and run locally to control a remote CipherTrust Manager appliance. ksctl exclusively uses the REST API to communicate with the CipherTrust Manager, so anything that you can do with the tool, you can also do directly with the REST API. Conversely, ksctl exposes most of the functionality of the REST API. It can perform management functions, such as managing registration tokens and clients. ksctl is designed to be run from a remote system, not on the CipherTrust Manager itself.

To use the CLI:

1. Open the CipherTrust Manager URL in a browser.
2.
Click the API & CLI Documentation link. The API playground is displayed.
3. At the top left, click CLI Guide. The CLI documentation is displayed.
4. At the top right, click the CLI download button. This downloads the ksctl_images.zip file.
5. Unzip the ksctl_images.zip file.
6. Set up the ksctl-os file for your system.
7. Run ksctl ddc to run Thales CipherTrust Data Discovery and Classification specific commands.

Refer to the CipherTrust Manager documentation for details. For details on commands related to Thales CipherTrust Data Discovery and Classification, refer to the online documentation of ksctl ddc.

Information Types

Infotype Name | Category | Region
American Express | Financial | Global
Australian Bank Account Number | Financial | Oceania
Australian Business Number | Financial | Oceania
Australian Company Number | Financial | Oceania
Australian Driver License Number | Personal Data | Oceania
Australian Healthcare Identifier - Organisation | Medical | Oceania
Australian Individual Healthcare Identifier | Medical | Oceania
Australian Mailing Address | Personal Data | Oceania
Australian Medicare Card | Medical | Oceania
Australian Medicare Provider | Medical | Oceania
Australian Passport Number | Personal Data | Oceania
Australian Tax File Number | National ID | Oceania
Australian Telephone Number | Personal Data | Oceania
Austrian Driver License Number | Personal Data | Europe
Austrian Mailing Address | Personal Data | Europe
Austrian Passport Number | Personal Data | Europe
Austrian Personalausweis | National ID | Europe
Austrian SSN | National ID | Europe
Austrian Telephone Number | Personal Data | Europe
Belgian Driver License Number | Personal Data | Europe
Belgian eID | National ID | Europe
Belgian National Number | National ID | Europe
Belgian Passport Number | Personal Data | Europe
Belgian Telephone Number | Personal Data | Europe
Brazilian CPF | National ID | Americas
Brazilian Registro Geral | National ID | Americas
Bulgarian EGN | National ID | Europe
Canadian Bank Account Number | Financial | Americas
Canadian Health Service Number | Medical | Americas
Canadian Mailing Address | Personal Data | Americas
Canadian Passport Number | Personal Data | Americas
Canadian Personal Health Identification Number (PHIN) | Medical | Americas
Canadian Social Insurance Number | National ID | Americas
Canadian Telephone Number | Personal Data | Americas
Chilean RUN | National ID | Americas
China Union Pay | Financial | Global
Credentials username | Personal Details | Global
Credentials password | Personal Details | Global
Croatian OIB | National ID | Europe
Cypriot Passport Number | Personal Data | Europe
Czech Republic RC | National ID | Europe
Danish CPR | National ID | Europe
Danish Driver License Number | Personal Data | Europe
Danish Passport Number | Personal Data | Europe
Date Of Birth | Personal Data | Global
Date Of Birth (under 18) | Personal Data | Global
Diners Club | Financial | Global
Discover | Financial | Global
Drug Enforcement Agency Number | Medical | Americas
Dutch Burgerservicenummer | National ID | Europe
Dutch Driver License Number | Personal Data | Europe
Dutch NIK | National ID | Europe
Dutch Passport Number | Personal Data | Europe
Dutch Telephone Number | Personal Data | Europe
Email addresses | Personal Data | Global
Ethnicity (English) | Personal Data | Global
European EHIC | Medical | Europe
Finnish HETU | National ID | Europe
French Carte Vitale | National ID | Europe
French CNI | National ID | Europe
French Driver License Number | Personal Data | Europe
French INSEE | National ID | Europe
French Mailing Address | Personal Data | Europe
French Passport Number | Personal Data | Europe
French Telephone Number | Personal Data | Europe
Gambian National Identification Number | National ID | Africa
Gender (English) | Personal Data | Global
Generic Bank Account Number | Financial | Global
German Driver License Number | Personal Data | Europe
German Mailing Address | Personal Data | Europe
German Passport Number | Personal Data | Europe
German Personalausweis | National ID | Europe
German Telephone Number | Personal Data | Europe
Greek AFM | National ID | Europe
Greek AMKA | National ID | Europe
Greek Passport Number | Personal Details | Europe
Hong Kong ID | National ID | Asia
Hungarian Personal ID | National ID | Europe
Icelandish Kennitala | National ID | Europe
International Bank Account Number (IBAN) | Financial | Global
IP Address | Personal Data | Global
Iranian National Identification Number | National ID | Asia
Irish Driver License Number | Personal Data | Europe
Irish Passport Card Number | Personal Data | Europe
Irish Passport Number | Personal Data | Europe
Irish Personal Public Service Number | National ID | Europe
Irish Telephone Number | Personal Data | Europe
ISO8583 message with PAN | Financial | Global
Israeli Bank Account Number | Financial | Asia
Israeli Identity Number | National ID | Asia
Italian CARTA D'IDENTITÀ | National ID | Europe
Italian Codice Fiscale | National ID | Europe
Italian Driver License Number | Personal Data | Europe
Italian Mailing Address | Personal Data | Europe
Italian Passport | Personal Data | Europe
Italian Telephone Number | Personal Data | Europe
Japanese Bank Account Number | Financial | Asia
Japanese Driver License Number | Personal Data | Asia
Japanese Passport Number | Personal Data | Asia
Japanese Resident Registration Number | National ID | Asia
Japanese Social Insurance Number (SIN) | National ID | Asia
JCB | Financial | Global
Laser | Financial | Global
Latvian Personas Kods | National ID | Europe
License Number | Personal Data | Global
Login credentials | Personal Data | Global
Luxembourg Driver License Number | Personal Data | Europe
Luxembourg ID | National ID | Europe
Luxembourg Passport Number | Personal Data | Europe
Luxembourg Phone Number | Personal Data | Europe
MAC Address | Personal Data | Global
Macedonian UMCN | National ID | Europe
Maestro | Financial | Global
Malaysian NRIC | National ID | Asia
Maltese eID | National ID | Europe
Mastercard | Financial | Global
Medicare Beneficiary Identifier (MBI) | Patient Health Data | North America
Mexican CURP | National ID | Americas
New Zealand Inland Revenue Number | National ID | Oceania
New Zealand Mailing Address | Personal Data | Oceania
New Zealand Passport Number | Personal Details | Oceania
New Zealand Telephone Number | Personal Data | Oceania
Norwegian Birth Number | National ID | Europe
Norwegian Driver License Number | Personal Data | Europe
Norwegian Passport Number | Personal Data | Europe
Passport Number | Personal Data | Global
Peoples Republic of China ID | National ID | Asia
Personal Names (Austrian) | Personal Data | Europe
Personal Names (Belgian) | Personal Data | Europe
Personal Names (English) | Personal Data | Global
Personal Names (French) | Personal Data | Europe
Personal Names (German) | Personal Data | Europe
Personal Names (Italian) | Personal Data | Europe
Personal Names (Netherlands) | Personal Data | Europe
Personal Names (Polish) | Personal Data | Europe
Personal Names (Portuguese) | Personal Data | Europe
Polish Driver License Number | Personal Data | Europe
Polish Identity Card | National ID | Europe
Polish Mailing Address | Personal Data | Europe
Polish Passport Number | Personal Data | Europe
Polish PESEL | National ID | Europe
Polish Telephone Number | Personal Data | Europe
Portuguese Citizen's Card | National ID | Europe
Portuguese Driver License Number | Personal Data | Europe
Portuguese Fiscal Number | National ID | Europe
Portuguese Identity Number | National ID | Europe
Portuguese Mailing Address | Personal Data | Europe
Portuguese Passport Number | Personal Data | Europe
Portuguese Phone Number | Personal Data | Europe
Private Label Card | Financial | Global
Profanity (English) | Personal Details | Global
Religion (English) | Personal Data | Global
Romanian Identity Card | National ID | Europe
Romanian Numerical Personal Code | National ID | Europe
Saudi Arabia National ID | National ID | Asia
Serbian UMCN | National ID | Europe
Singaporean NRIC | National ID | Asia
Slovakian RC | National ID | Europe
Slovenian EMSO | National ID | Europe
South African Identity Number | National ID | Africa
87 Infotype Name Category Region South Korean Corporation Registration Number (법인등록번호) Financial Asia South Korean Driver License Number Personal Data Asia South Korean Foreigner Number National ID Asia South Korean Gwangju Bank (광주은행) Account Number Financial Asia South Korean Jeju Bank (제주은행) Account Number Financial Asia South Korean Jeonbuk Bank (전북은행) Account Number Financial Asia South Korean KB Bank (국민은행) Account Number Financial Asia South Korean KEB Hana Bank (KEB하나은행) Account Number Financial Asia South Korean NH Bank (농협은행) Account Number Financial Asia South Korean Passport Personal Data Asia South Korean Phone Number Personal Data Asia South Korean RRN National ID Asia South Korean Shinhan Bank (신한은행) Account Number Financial Asia South Korean Taxpayer Identification Number (사업자등록번호) Financial Asia Spanish DNI National ID Europe Spanish Driver License Number Personal Data Europe Spanish NIE National ID Europe Spanish Passport Number Personal Data Europe Spanish Social Security Number National ID Europe Spanish Telephone Number Personal Data Europe Sri Lankan National Identity Card National ID Asia Swedish Driver License Number Personal Data Europe Thales CipherTrust Data Discovery and Classification 2.0.0 : Administrator Guide 08 December 2020, Copyright © 2020 Thales Group. All rights reserved. 
88 Infotype Name Category Region Swedish Nationellt ID-kort National ID Europe Swedish Passport Number Personal Data Europe Swedish Personnummer National ID Europe SWIFT Code Financial Global Swiss Social Security Number National ID Europe Taiwanese ID National ID Asia Thai Population Identification Code National ID Asia Troy Financial Global Turkish Identification Number National ID Europe Turkish Telephone Number Personal Data Europe United Arab Emirates ID National ID Asia United Kingdom Community Health Index Medical Europe United Kingdom Driver License Number Personal Data Europe United Kingdom Electoral Roll Number Personal Data Europe United Kingdom Health and Care Number Medical Europe United Kingdom Mailing Address Personal Data Europe United Kingdom National Health Service Number Medical Europe United Kingdom NI Number National ID Europe United Kingdom Passport Number Personal Data Europe United Kingdom Self Assessment UTR Number National ID Europe United Kingdom Telephone Number Personal Data Europe United Kingdom VAT Number Financial Europe United States Bank Account Number Financial Americas Thales CipherTrust Data Discovery and Classification 2.0.0 : Administrator Guide 08 December 2020, Copyright © 2020 Thales Group. All rights reserved. 
United States Driver License Number | Personal Data | Americas
United States Health Insurance Claim Number | Medical | Americas
United States Health Plan Identifier | Medical | Americas
United States Individual Taxpayer Identification Number (ITIN) | National ID | Americas
United States Mailing Address | Personal Data | Americas
United States National Provider Identifier | Medical | Americas
United States Passport Number | Personal Details | North America
United States Routing Transit Number | Financial | Americas
United States Social Security Number | National ID | Americas
United States Telephone Number | Personal Data | Americas
Visa | Financial | Global
Yugoslavia UMCN | National ID | Europe

Supported Formats

Files

Type | Format
Compressed | bzip2, Gzip (all types), TAR, Zip (all types)
Databases | Access, DBase, SQLite, MSSQL MDF & LDF
Images | BMP, FAX, GIF, JPG, PDF (embedded), PNG, TIF
Microsoft Backup Archive | Microsoft Binary / BKF
Microsoft Office | v5, 6, 95, 97, 2000, XP, 2003 onwards
Open Source | Star Office / Open Office / Libre Office
Open Standards | PDF, RTF, HTML, XML, CSV, TXT

Office files

WORD

> Legacy: Legacy filename extensions denote binary Microsoft Word formats that became outdated with the release of Microsoft Office 2007. Although the latest version of Microsoft Word can still open them, they are no longer developed. Legacy filename extensions include:
• .doc – Legacy Word document; Microsoft Office refers to them as "Microsoft Word 97 – 2003 Document"
• .dot – Legacy Word template; officially designated "Microsoft Word 97 – 2003 Template"
• .wbk – Legacy Word document backup; referred to as "Microsoft Word Backup Document"

> OOXML: The Office Open XML (OOXML) format was introduced with Microsoft Office 2007 and has been the default format of Microsoft Word ever since.
Related file extensions include:
• .docx – Word document
• .docm – Word macro-enabled document; same as .docx, but may contain macros and scripts
• .dotx – Word template
• .dotm – Word macro-enabled template; same as .dotx, but may contain macros and scripts
• .docb – Word binary document introduced in Microsoft Office 2007

EXCEL

> Legacy: Legacy filename extensions denote binary Microsoft Excel formats that became outdated with the release of Microsoft Office 2007. Although the latest version of Microsoft Excel can still open them, they are no longer developed. Legacy filename extensions include:
• .xls – Legacy Excel worksheet; officially designated "Microsoft Excel 97-2003 Worksheet"
• .xlt – Legacy Excel template; officially designated "Microsoft Excel 97-2003 Template"
• .xlm – Legacy Excel macro

> OOXML: The Office Open XML (OOXML) format was introduced with Microsoft Office 2007 and has been the default format of Microsoft Excel ever since. Excel-related file extensions of this format include:
• .xlsx – Excel workbook
• .xlsm – Excel macro-enabled workbook; same as .xlsx, but may contain macros and scripts
• .xltx – Excel template
• .xltm – Excel macro-enabled template; same as .xltx, but may contain macros and scripts

POWERPOINT

> Legacy:
• .ppt – Legacy PowerPoint presentation
• .pot – Legacy PowerPoint template
• .pps – Legacy PowerPoint slideshow

> OOXML:
• .pptx – PowerPoint presentation
• .pptm – PowerPoint macro-enabled presentation
• .potx – PowerPoint template
• .potm – PowerPoint macro-enabled template
• .ppam – PowerPoint add-in
• .ppsx – PowerPoint slideshow
• .ppsm – PowerPoint macro-enabled slideshow
• .sldx – PowerPoint slide
• .sldm – PowerPoint macro-enabled slide

ACCESS

> Legacy:
• .ade – Protected Access Data Project (not supported in 2013)
• .adp – Access Data Project (not supported in 2013)
• .mdb – Access Database (2003 and earlier)
• .cdb – Access Database (Pocket Access for Windows CE)
• .mda – Access Database, used for add-ins (Access 2, 95, 97), previously used for workgroups (Access 2)
• .mdt – Access Add-in Data (2003 and earlier)
• .mdf – Access (SQL Server) detached database (2000)
• .mde – Protected Access Database, with compiled VBA and macros (2003 and earlier)
• .ldb – Access lock file (associated with .mdb)

> Available formats since Access 2007:
• .accdb – The file extension for the new Office Access 2007 file format. This takes the place of the MDB file extension.
• .accde – The file extension for Office Access 2007 files that are in "execute only" mode. ACCDE files have all Visual Basic for Applications (VBA) source code hidden. A user of an ACCDE file can only execute VBA code, but not view or modify it.
ACCDE takes the place of the MDE file extension.
• .accdt – The file extension for Access Database Templates
• .accdr – A file extension that opens a database in runtime mode. By simply changing a database's file extension from .accdb to .accdr, you can create a "locked-down" version of your Office Access database. You can change the file extension back to .accdb to restore full functionality. Because the restriction depends only on the extension, it is a usability feature, not a security control.

OTHER
• .pub – a Microsoft Publisher publication
• .xps – an XML-based document format used for printing (on Windows Vista and later) and preserving documents

Databases
> Microsoft SQL
> Oracle
> DB2

Big Data
> Hadoop

Security Audit Log Event Messages

The following table contains a complete list of the security audit log event messages that DDC prints in the log file.

Message | Explanation
DDCScanClientInvalidCredentialsProbe | A probe with invalid credentials.
DDCScanClientUnexpectedErrorProbe | An unknown probe error.
DDCPhoenixBackgroundProcessAuthenticationError | A failed authentication against PQS in background processes.
DDCPhoenixUpdatePQSSettingsAuthenticationError | A failed authentication against PQS while updating PQS settings.
DDCHDFSUpdateHDFSettingsAuthenticationError | A failed authentication against HDFS while updating HDFS settings.
DDCHDFSBackgroundProcessAuthenticationError | A failed authentication against HDFS in background processes.
DDCUnauthorizedCloneRequest | An unauthorized CLONE request.
DDCUnauthorizedGetRequest | An unauthorized GET request.
DDCUnauthorizedListRequest | An unauthorized LIST request.
DDCUnauthorizedListPaginatedRequestWithContext | An unauthorized LIST PAGINATED request with context.
DDCUnauthorizedCreateRequest | An unauthorized CREATE request.
DDCUnauthorizedUpdateRequest | An unauthorized UPDATE request.
DDCUnauthorizedListProvisionedRequest | An unauthorized LIST PROVISIONED request.
DDCUnauthorizedGetProvisionedRequest | An unauthorized GET PROVISIONED request.
DDCUnauthorizedGetActiveNodeRequest | An unauthorized GET ACTIVE NODE request.
DDCUnauthorizedTestConnectivityRequest | An unauthorized TEST CONNECTIVITY request.
DDCUnauthorizedGetLicenseRequest | An unauthorized GET LICENSE request.
DDCUnauthorizedDecryptRawDataFileRequest | An unauthorized DECRYPT RAW DATA FILE request.
DDCUnauthorizedGetDatastoreReportRequest | An unauthorized GET DATASTORE REPORT request.
DDCUnauthorizedFindScanRequest | An unauthorized FIND SCAN request.
DDCUnauthorizedScanActionRequest | An unauthorized SCAN ACTION request.
DDCPQSUnaccessibleGetSummaryReportError | An inaccessible PQS in a GET SUMMARY REPORT request.
DDCPQSUnaccessibleGetDatastoreDetailReportError | An inaccessible PQS in a GET DATASTORE DETAIL REPORT request.
DDCPQSUnaccessibleGetDataObjectsDetailsReportError | An inaccessible PQS in a GET DATAOBJECTS DETAIL REPORT request.
DDCPQSUnaccessibleGetInfotypesSummaryReportError | An inaccessible PQS in a GET INFOTYPES SUMMARY REPORT request.
DDCPQSUnaccessibleGetDataObjectsSummaryReportError | An inaccessible PQS in a GET DATAOBJECTS SUMMARY REPORT request.
DDCPQSUnaccessibleGetScanDetailsReportError | An inaccessible PQS in a GET SCAN DETAILS REPORT request.
DDCPQSUnaccessibleCreateReportTemplateError | An inaccessible PQS in a CREATE REPORT TEMPLATE request.
DDCPQSUnaccessibleGetReportTemplateError | An inaccessible PQS in a GET REPORT TEMPLATE request.
DDCPQSUnaccessibleFindReportTemplatesError | An inaccessible PQS in a FIND REPORT TEMPLATES request.
DDCPQSUnaccessibleUpdateReportTemplateError | An inaccessible PQS in an UPDATE REPORT TEMPLATE request.
DDCPQSUnaccessibleGetScanExecutionsError | An inaccessible PQS in a GET SCAN EXECUTIONS request.
DDCResourceRetrievalGenericCloneError | A resource retrieval error in a GENERIC CLONE request.
DDCResourceRetrievalGenericGetError | A resource retrieval error in a GENERIC GET request.
DDCResourceRetrievalGenericListError | A resource retrieval error in a GENERIC LIST request.
DDCResourceRetrievalGenericListPaginatedRequestError | A resource retrieval error in a GENERIC LIST PAGINATED request.
DDCResourceRetrievalGenericCreateError | A resource retrieval error in a GENERIC CREATE request.
DDCResourceRetrievalGenericUpdateError | A resource retrieval error in a GENERIC UPDATE request.
DDCResourceRetrievalGenericListProvisionError | A resource retrieval error in a GENERIC LIST PROVISION request.
DDCDatastoreDecryptDataEncryptionKeyNotFoundError | A GET KEY request for which the data encryption key was not found.
DDCDatastoreEncryptDataError | A failed ENCRYPT DATA request.
DDCScanWatcherInterruptedTimeout | A scan watcher interrupted by a timeout.
DDCScanClientRetrieveScanTimeout | A RETRIEVE SCAN timeout in the scan client.
DDCScanActionRequest | A SCAN ACTION request.
DDCDatastoreUpdateRequest | A DATASTORE UPDATE request.
DDCDatastoreCreateRequest | A DATASTORE CREATE request.
DDCScanDeleteRequest | A SCAN DELETE request.
DDCSummaryReportGetRequest | A GET SUMMARY REPORT request.
DDCDatastoreDetailReportGetRequest | A GET DATASTORE DETAILS REPORT request.
DDCDataObjectsDetailReportGetRequest | A GET DATAOBJECTS DETAILS REPORT request.
DDCInfotypesSummaryReportGetRequest | A GET INFOTYPES SUMMARY REPORT request.
DDCDataObjectsSummaryReportGetRequest | A GET DATAOBJECTS SUMMARY REPORT request.
DDCScanDetailsReportGetRequest | A GET SCAN DETAILS REPORT request.
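The message identifiers in the table above fall into a few families by name: DDCUnauthorized* (a caller lacked permission), *AuthenticationError and the invalid-credentials probe (a credential failed), DDCPQSUnaccessible* (the reporting backend was unreachable), and plain *Request messages (audited, successful operations). The following is an added example, not Thales or DDC code: it classifies messages by those name patterns and raises the one alert a SOC most wants from this log, a burst of authorization failures within a short window. The line layout "<ISO-8601 timestamp> <LEVEL> <message-id> <key=value ...>" and the sample lines are assumptions constructed for the example; the guide does not document the line format, so adapt the regular expression to what your appliance actually writes.

```python
"""Triage of DDC security audit log messages (added example, not Thales/DDC code).

Message identifiers are the ones documented in the DDC administrator guide.
The line layout and the sample lines below are assumptions made for this
example; the real DDC log format may differ.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed layout: "<ISO-8601 timestamp> <LEVEL> <DDC message id> <free text>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+(?P<msg>DDC\w+)(?P<rest>.*)$")

# Constructed sample lines, not taken from a real deployment.
SAMPLE_LOG = """\
2020-12-08T10:00:01 WARN DDCUnauthorizedGetRequest user=svc_scan resource=datastores/7
2020-12-08T10:00:03 WARN DDCUnauthorizedListRequest user=svc_scan resource=datastores
2020-12-08T10:00:04 WARN DDCUnauthorizedCreateRequest user=svc_scan resource=scans
2020-12-08T10:00:06 WARN DDCUnauthorizedGetLicenseRequest user=svc_scan
2020-12-08T10:00:09 WARN DDCUnauthorizedDecryptRawDataFileRequest user=svc_scan resource=rawdata/12
2020-12-08T10:01:00 ERROR DDCPQSUnaccessibleGetSummaryReportError host=pqs-1
2020-12-08T10:01:30 INFO DDCScanActionRequest user=alice action=start scan=nightly
2020-12-08T10:02:00 WARN DDCScanClientInvalidCredentialsProbe target=fileshare-01
2020-12-08T10:02:02 WARN DDCScanClientInvalidCredentialsProbe target=fileshare-02
2020-12-08T10:30:00 WARN DDCUnauthorizedGetRequest user=alice resource=datastores/2
"""


def categorize(msg: str) -> str:
    """Map a DDC message identifier to a triage category by its name pattern."""
    if msg.startswith("DDCUnauthorized"):
        return "authorization_failure"   # authenticated caller lacked permission
    if "AuthenticationError" in msg or "InvalidCredentials" in msg:
        return "authentication_failure"  # PQS/HDFS auth failures, bad probe credentials
    if msg.startswith("DDCPQSUnaccessible"):
        return "pqs_unavailable"         # reporting backend unreachable
    if msg.endswith("Request"):
        return "audited_request"         # normal audited operations
    return "error"                       # timeouts, generic retrieval and crypto errors


def parse_events(text: str) -> list:
    """Return (timestamp, message id, category, remainder) for each well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped rather than guessed at
        events.append((datetime.fromisoformat(m["ts"]), m["msg"],
                       categorize(m["msg"]), m["rest"].strip()))
    return events


def category_counts(events) -> Counter:
    """Count events per triage category."""
    return Counter(cat for _, _, cat, _ in events)


def first_burst(events, category: str, threshold: int, window=timedelta(minutes=5)):
    """Return the timestamp at which `threshold` events of `category` first fell
    within one sliding `window`, or None. A run of DDCUnauthorized* messages is
    the pattern to alert on: a caller is probing for rights it does not hold."""
    times = sorted(ts for ts, _, cat, _ in events if cat == category)
    start = 0
    for end, ts in enumerate(times):
        while ts - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return ts
    return None


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(category_counts(evs))
    print("authz burst at:", first_burst(evs, "authorization_failure", threshold=5))
```

The threshold and window are tuning knobs; the lone DDCUnauthorizedGetRequest at 10:30 in the sample does not trip the alert, while the five from svc_scan within eight seconds do.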
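The Office extension lists under Supported Formats above, and the .accdr renaming trick in the Access section, make the practical point that an extension is a label, not a property of the file: a macro-enabled .docm renamed to .docx still carries its VBA project. The following is an added example, not Thales or DDC code and not a description of how DDC identifies formats. It identifies Word, Excel and PowerPoint containers from content alone using two standard format facts the page does not state: the legacy binary formats (.doc, .xls, .ppt and their template variants) are OLE2 compound files that start with the magic bytes D0 CF 11 E0 A1 B1 1A E1, and OOXML files are ZIP containers in which VBA code, when present, is stored in a part named vbaProject.bin. The EXPECTED table is my reading of the extension lists above, and the sample blobs are constructed inside the code.

```python
"""Content-based identification of Office containers (added example, not Thales/DDC code).

Format facts assumed here and not stated in the guide: legacy binary Office
files are OLE2 compound files (magic D0 CF 11 E0 A1 B1 1A E1); OOXML files
are ZIP archives whose VBA project, if any, is the part vbaProject.bin.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file header
ZIP_MAGIC = b"PK\x03\x04"                          # ZIP local file header (OOXML)

# OOXML part directory -> application family
FAMILY_BY_DIR = {"word/": "Word", "xl/": "Excel", "ppt/": "PowerPoint"}

# What each extension promises: (container, family, macro-enabled).
# None means "not asserted" (legacy binaries are not inspected for macros here).
EXPECTED = {
    ".doc": ("ole2", None, None), ".dot": ("ole2", None, None),
    ".xls": ("ole2", None, None), ".xlt": ("ole2", None, None),
    ".ppt": ("ole2", None, None), ".pot": ("ole2", None, None), ".pps": ("ole2", None, None),
    ".docx": ("ooxml", "Word", False), ".dotx": ("ooxml", "Word", False),
    ".docm": ("ooxml", "Word", True), ".dotm": ("ooxml", "Word", True),
    ".xlsx": ("ooxml", "Excel", False), ".xltx": ("ooxml", "Excel", False),
    ".xlsm": ("ooxml", "Excel", True), ".xltm": ("ooxml", "Excel", True),
    ".pptx": ("ooxml", "PowerPoint", False), ".potx": ("ooxml", "PowerPoint", False),
    ".ppsx": ("ooxml", "PowerPoint", False), ".sldx": ("ooxml", "PowerPoint", False),
    ".pptm": ("ooxml", "PowerPoint", True), ".potm": ("ooxml", "PowerPoint", True),
    ".ppsm": ("ooxml", "PowerPoint", True), ".sldm": ("ooxml", "PowerPoint", True),
}


def classify(data: bytes) -> tuple:
    """Identify (container, family, macros) from the bytes, ignoring the filename."""
    if data.startswith(OLE2_MAGIC):
        return ("ole2", None, None)
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return ("unknown", None, None)  # ZIP magic but unreadable archive
        family = next((fam for d, fam in FAMILY_BY_DIR.items()
                       if any(n.startswith(d) for n in names)), None)
        macros = any(n.rsplit("/", 1)[-1].lower() == "vbaproject.bin" for n in names)
        return ("ooxml", family, macros)
    return ("unknown", None, None)


def findings(filename: str, data: bytes) -> list:
    """Compare what the extension promises with what the content is; return findings."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    container, family, macros = classify(data)
    expected = EXPECTED.get(ext)
    if expected is None:
        return ["unknown extension %r; content is %s" % (ext, container)]
    exp_container, exp_family, exp_macros = expected
    out = []
    if container != exp_container:
        out.append("container mismatch: extension says %s, content is %s" % (exp_container, container))
    if exp_family and family and family != exp_family:
        out.append("family mismatch: extension says %s, content is %s" % (exp_family, family))
    if exp_macros is False and macros:
        out.append("macro-enabled content (vbaProject.bin) under a non-macro extension")
    return out


def make_ooxml(part_dir: str, with_macros: bool) -> bytes:
    """Constructed sample: a minimal ZIP with OOXML-style part names (not a valid document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(part_dir + "document.xml", "<root/>")
        if with_macros:
            zf.writestr(part_dir + "vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()


FAKE_OLE2 = OLE2_MAGIC + b"\x00" * 504  # constructed sample: header magic plus padding


if __name__ == "__main__":
    for name, blob in [("report.docx", make_ooxml("word/", False)),
                       ("invoice.docx", make_ooxml("word/", True)),
                       ("memo.doc", make_ooxml("word/", False)),
                       ("old.xls", FAKE_OLE2)]:
        print(name, classify(blob), findings(name, blob))
```

Archive members are the natural extension of this check: the Compressed row in the Supported Formats table means a scanner must apply the same content test to each file it extracts from a Zip or TAR, since the outer archive's extension says nothing about what is inside.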