Prerequisites
Overview
Before installing Privacera, there are prerequisites from your infrastructure team that must be met. In addition, depending on the Privacera services and features that you're using, your security team could also have requirements.
The installer, Privacera Manager, needs to run on a host server. In AWS this is an EC2 instance; in Azure and GCP it is a virtual machine. Depending on the deployment type, Privacera Manager might need additional privileges.
If the deployment type is Docker containers, the Privacera services and Privacera Manager generally run on the same host, so the host machine needs greater capacity, and depending on the Privacera services enabled it might also need additional IAM privileges. All the ports used by the services must also be made accessible on the host.
If Privacera is deployed in a Kubernetes cluster, the infrastructure team needs to create the cluster and make it available for the Privacera install. IAM and other privileges need to be configured for the NodeGroups in the Kubernetes cluster. In the Kubernetes deployment there are options to customize the StorageClass and other Kubernetes resources.
Docker
In the Docker deployment type, the Privacera applications and Privacera Manager generally run on the same virtual server, so the host where Privacera Manager and Privacera are installed needs all the IAM roles and ports opened for external connections.
Host machine for running Privacera Manager.
IAM roles for the host
Ports to open for the host
For other considerations, see the following:
Kubernetes
In the Kubernetes deployment type, the host that runs Privacera Manager needs to be configured to connect and create resources in the Kubernetes cluster.
Host machine for running Privacera Manager.
IAM roles for the host
For other considerations, see Kubernetes.
Security
Privacera provides flexibility to meet corporate security guidance. By default, it generates self-signed SSL certificates, but it provides the option to use CA signed SSL certificates. It also supports options to use your own encryption vault and other security requirements.
For other considerations, see Security.
Values for installation environment variables
Installation depends on values you must get from your Privacera technical sales representative for several environment variables.
System requirements for AWS
Prerequisites for installing Privacera Manager on AWS
These prerequisites are only applicable when you are deploying in AWS Cloud.
Privacera Manager needs to be installed on an EC2 instance. Below are the requirements for creating the EC2 instance with required IAM role and Security Group:
EC2 Instance for hosting Privacera Manager
AMI: Amazon Linux AMI 64-bit x86 SSD
If only Privacera Access Suite is used: instance type m5.2xlarge or larger
If Privacera Discovery is also used: instance type m5.4xlarge or larger
Storage: Primary (Root) volume (/dev/xvda) minimum size 128 GB, General Purpose SSD (gp2)
IAM Role: Create a new IAM Role. Name it "Privacera_PM_Role". This can be done in the Instance creation wizard sequence. The policies in this role will be dependent on the services that will be enabled. If you are using deployment type Docker, then you need to add the following policy to the Privacera_PM_Role.
Network and VPC with an attached Security Group with ingress/egress ports. The ports depend on the services that will be enabled and on the deployment type; see the section below for details.
Should be able to download packages from Privacera's download site and Docker Hub.
If using the air-gapped option, install Docker and Docker Compose (version 1.23.1). Additional information for the air-gapped install can be found here.
Deployment type: Docker
Note
Follow the below steps only if the services are deployed as Docker containers.
The Required Ports need to be opened on host where Privacera is installed.
Log on to your Privacera host as ec2-user or a user with sudo privileges. Install Docker with the following commands:
```bash
sudo yum install -y docker
sudo sed -i 's/32768:65536/1024000:1024000/g' /etc/sysconfig/docker
sudo cat /etc/sysconfig/docker
sudo service docker start
sudo systemctl enable docker
sudo usermod -a -G docker ec2-user
exit
```
Log back into the same user account as in step 1. (This forces the usermod action).
Install Docker-Compose with the following commands:
```bash
DOCKER_COMPOSE_VERSION="1.23.2"
sudo curl -L https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
```
System requirements for Azure
Prerequisites for installing Privacera Manager on Azure
These prerequisites are only applicable when you are deploying to Azure Cloud.
Privacera Manager needs to be installed on a virtual machine. This virtual machine, together with your service account, must initially have sufficient privileges to download the required and optional Privacera Platform components.
Create an Azure Virtual Machine (VM) as follows:
Ubuntu installed (18.04.5 LTS preferable)
Deployment Type: Docker
Follow this section only if the services are deployed as Docker containers.
The Ports of Privacera services need to be opened on the host where Privacera is installed.
Install Docker and Docker compose
Log on to your Privacera host as azureuser or a user with 'sudo' privileges.
Install Docker on the VM:
```bash
sudo apt update
sudo apt install docker.io -y
sudo service docker start
sudo usermod -a -G docker azureuser
exit
```
Reattach to the VM (SSH to the VM as azureuser).
Confirm the Docker installation and download Docker-Compose:
```bash
# confirm docker installation
docker info
DOCKER_COMPOSE_VERSION="1.23.2"
sudo curl -L https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
```
System requirements for Google Cloud Platform (GCP)
Privacera Manager requires a Virtual Machine (VM) with the CentOS operating system.
See System Requirements for Docker in GCP to learn more.
Install Docker and Docker compose
Ensure the following ports are opened on the host: Ports of Privacera Services.
SSH to the VM as the administrator $VM_USER. Set VM_USER to the OS user:
```bash
VM_USER=privacera
sudo yum install -y docker wget
sudo sed -i 's/1024:4096/1024000:1024000/g' /etc/sysconfig/docker
sudo cat /etc/sysconfig/docker
sudo service docker start
sudo systemctl enable docker
sudo usermod -a -G docker ${VM_USER}
exit
```
Log into the VM again as VM_USER (this forces the usermod action). Install Docker-Compose:
```bash
DOCKER_COMPOSE_VERSION="1.23.2"
sudo curl -L https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
```
Possible error messages and actions
Error message: "usermod: group 'docker' does not exist"
Check whether a 'docker' group exists on the host:
```bash
# the groups database is /etc/group, not /etc/password
grep "docker" /etc/group
```
If you find 'dockerroot' instead of 'docker', edit or create /etc/docker/daemon.json:
```bash
sudo vi /etc/docker/daemon.json
```
Add the following content to the file:
```json
{ "group": "dockerroot" }
```
Then add your user to that group and restart Docker:
```bash
sudo usermod -aG dockerroot ${USER}
sudo service docker restart
exit
```
Repository is unavailable or subscription manager is not found in the CentOS base
Open the config file.
sudo vi /etc/yum/pluginconf.d/subscription-manager.conf
Disable the subscription manager.
```ini
[main]
enabled=0
```
SELinux Enabled
Verify the status of SELinux. If it is enforcing, you need to disable it.
getenforce
Run the following command.
sudo vi /etc/selinux/config
To disable SELinux, set the following line.
SELINUX=disabled
Reboot the system.
sudo reboot
Ports of Privacera services
Default port numbers
The following table lists Privacera services and the ports they use. Make sure these ports are open.
Port | Service |
---|---|
* | Self Security Group |
22 | SSH |
2181 | Apache Zookeeper |
2888 | Apache Zookeeper Leader |
3000 | Grafana |
3888 | Apache Zookeeper Election |
4040 | Discovery |
6080 | Apache Ranger Admin |
6084 | AuditServer |
6182 | Apache Ranger Admin (HTTPS) |
6868 | Privacera Portal |
6869 | Privacera Encryption Gateway (PEG) |
8080 | Graphite |
8181 | Privacera Dataserver (Endpoint) |
8983 | Apache Solr |
9092 | Kafka |
9191 | Privacera Dataserver (Proxy) |
9393 | Ranger Key Management System (HTTPS) |
9494 | Ranger Key Management System |
9797 | Access Request Manager |
9880 | Audit Fluentd |
9898 | Access Request Manager (HTTPS) |
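The table above is the baseline for the host's security group. The following script is an added example (not part of Privacera's documentation) that compares the TCP ports actually listening on a Docker host with that table, reporting default ports with no listener as CLOSED (the service may simply be disabled) and listeners outside the table as UNEXPECTED, so that nothing unplanned is exposed when the security group is opened. It assumes `ss -ltn` is available on the host; the port list is taken from the table.

```shell
#!/bin/sh
# Added example, not part of Privacera's documentation: audit the TCP ports
# listening on a Privacera Docker host against the default port table above.

# Default service ports from the table ("*" and SSH/22 are handled separately).
PRIVACERA_PORTS="2181 2888 3000 3888 4040 6080 6084 6182 6868 6869 8080 8181 8983 9092 9191 9393 9494 9797 9880 9898"

# Read `ss -ltn` output on stdin and print the listening port numbers, one per
# line, de-duplicated. Column 4 is Local Address:Port; the port follows the
# last ':' so 0.0.0.0:6868, [::]:6868 and *:6868 are all handled.
listening_ports() {
    awk 'NR > 1 && $4 ~ /:/ { n = split($4, a, ":"); print a[n] }' | sort -un
}

# port_audit "<ss -ltn output>": prints one finding per line and returns 1
# if any default port is closed or any non-table port is listening.
port_audit() {
    listening=$(printf '%s\n' "$1" | listening_ports)
    rc=0
    for p in $PRIVACERA_PORTS; do
        if ! printf '%s\n' "$listening" | grep -qxF "$p"; then
            echo "CLOSED: $p"
            rc=1
        fi
    done
    for p in $listening; do
        [ "$p" = "22" ] && continue          # SSH is expected on the host
        if ! printf '%s\n' "$PRIVACERA_PORTS" | tr ' ' '\n' | grep -qxF "$p"; then
            echo "UNEXPECTED: $p"
            rc=1
        fi
    done
    return $rc
}

# On the host itself: sh port_audit.sh --live
if [ "${1:-}" = "--live" ]; then
    port_audit "$(ss -ltn)"
fi
```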
Changing port number of a Privacera service
If you want to assign a different port number, you can do it by looking up the custom property table of the Privacera service and then adding the custom property in the YAML configuration file of the service.
For example:
You want to change the port number of the Portal service from its default value 6868 to 8686. Perform the following steps:
In the left navigation of the documentation, go to Reference - Custom Properties > Portal. This section lists the custom properties for all Privacera services; consult it to find a specific property.
Find the PORTAL_PORT_EXTERNAL property.
Add the property with the new port number to the Portal configuration file, vars.portal.yml.
Run the Privacera Manager update.
Now you can access the Portal service on the new port number.
Docker
System requirements for Docker in AWS
Hardware
Your EC2 Instance should have a minimum of 8 cores, 32 GB RAM and 128 GB storage (the m5.2xlarge instance type).
Software
The following packages would be required on your instance as per your operating system:
yum and rpm (RHEL/CentOS/Oracle/Amazon Linux)
zypper and php_curl (SLES)
apt (Debian/Ubuntu)
ssh, curl, tar, wget and gcc*
OpenSSL (v1.01, build 16 or later)
Python (with python-devel*)
User account with sudo permissions
Network
SELinux and firewall/iptables should be disabled to allow communication.
The ports to configure for inbound and outbound connections are listed in Ports of Privacera Services.
IAM policy and permissions
For information on the IAM policy for EC2 instance, follow the link to configure access for each service.
Install Docker and Docker compose
Log on to your Privacera host as ec2-user or a user with 'sudo' privileges. Install Docker by executing the following:
```bash
sudo yum install -y docker
sudo sed -i 's/32768:65536/1024000:1024000/g' /etc/sysconfig/docker
sudo cat /etc/sysconfig/docker
sudo service docker start
sudo systemctl enable docker
sudo usermod -a -G docker ec2-user
exit
```
Log back into the same user account as in step 1. (This forces the usermod action).
Install Docker-Compose:
```bash
DOCKER_COMPOSE_VERSION="1.23.2"
sudo curl -L https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
```
Install dependencies for customized Databricks containers
In Databricks, you can create a cluster using custom Docker images. See Customize containers with Databricks Container Services.
If you are deploying Privacera in a such a Databricks cluster, then the following dependencies are required for Privacera installation:
iptables
zip
acl
There are two ways of installing the dependencies:
Method 1
You can add the install commands to the Dockerfile used for creating the image. This is the recommended method of installing the dependencies.
```dockerfile
FROM databricksruntime/standard:7.x
RUN apt-get update -y && apt-get install zip -y && apt-get install iptables -y && apt-get install -y acl
RUN usermod -aG sudo ubuntu
# a space is required between echo and the quoted string
RUN echo "$USER ALL=(ALL:ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/root
RUN echo "ubuntu ALL=(ALL:ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/ubuntu
```
Method 2
You can create an install script and attach it to the Databricks cluster. The dependencies will get installed when the cluster gets created.
To create the install script:
Create an install_docker_depenedency.sh file:
```bash
vi install_docker_depenedency.sh
```
Add the following:
```bash
#!/bin/bash
set -x
apt-get update -y && apt-get install zip -y && apt-get install iptables -y && apt-get install -y acl
```
Azure
System requirements for Docker in Azure
Hardware
Virtual Machine Instance with minimum of 8 Cores, 32GB RAM & 100GB SSD (StandardD8_v3 Size).
Software
The following packages would be required on your instance as per your operating system:
yum and rpm (RHEL/CentOS/Oracle)
zypper and php_curl (SLES)
apt (Debian/Ubuntu)
ssh, curl, tar, wget and gcc*
OpenSSL (v1.01, build 16 or later)
Python (with python-devel*)
User account with sudo permissions
Network
SELinux and firewall/iptables should be disabled to allow communication.
The ports to configure for inbound and outbound connections are listed in Ports of Privacera Services.
IAM policy and permissions
For information on IAM policy for Azure instance, follow the link to configure access for each service.
Install Docker and Docker compose
Log on to your Privacera host as azureuser or a user with 'sudo' privileges.
Install Docker on the VM:
```bash
sudo apt update
sudo apt install docker.io -y
sudo service docker start
sudo usermod -a -G docker azureuser
exit
```
Reattach to the VM (SSH to the VM as azureuser).
Confirm the Docker installation and download Docker-Compose:
```bash
# confirm docker installation
docker info
DOCKER_COMPOSE_VERSION="1.23.2"
sudo curl -L https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
```
GCP
System requirements for Docker in GCP
Hardware
Virtual Machine Instance with minimum of 8 Cores, 32GB RAM & 100GB SSD (e2-standard-8 Machine).
Software
The following packages would be required on your instance as per your operating system:
yum and rpm (RHEL/CentOS/Oracle)
zypper and php_curl (SLES)
apt (Debian/Ubuntu)
ssh, curl, tar, wget and gcc*
OpenSSL (v1.01, build 16 or later)
Python (with python-devel*)
User account with sudo permissions
Network
SELinux and firewall/iptables should be disabled to allow communication.
The ports to configure for inbound and outbound connections are listed in Ports of Privacera Services.
IAM policy and permissions
When creating a service account, assign the following permissions to a predefined or custom role to grant access to Privacera services. For more information, refer to the Google documentation on understanding roles and how to add role permissions to a service account.
pubsub.subscriptions.consume
pubsub.subscriptions.get
pubsub.topics.publish
pubsub.subscriptions.create
pubsub.subscriptions.list
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.detachSubscription
pubsub.topics.get
pubsub.topics.list
pubsub.topics.update
pubsub.topics.updateTag
resourcemanager.projects.get
serviceusage.services.get
bigtable.tables.list
bigtable.tables.mutateRows
bigtable.tables.readRows
monitoring.metricDescriptors.list
bigtable.clusters.get
bigtable.clusters.list
bigtable.clusters.update
bigtable.instances.get
bigtable.instances.getIamPolicy
bigtable.instances.list
bigtable.instances.setIamPolicy
bigtable.tables.checkConsistency
bigtable.tables.create
bigtable.tables.delete
bigtable.tables.generateConsistencyToken
bigtable.tables.get
bigtable.tables.getIamPolicy
bigtable.tables.sampleRowKeys
bigtable.tables.setIamPolicy
bigtable.tables.update
monitoring.metricDescriptors.get
monitoring.timeSeries.list
resourcemanager.projects.get
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.jobs.create
bigquery.models.getData
bigquery.models.getMetadata
bigquery.models.list
bigquery.routines.get
bigquery.routines.list
bigquery.tables.export
bigquery.tables.get
bigquery.tables.getData
bigquery.tables.getIamPolicy
bigquery.tables.list
resourcemanager.projects.get
cloudsql.instances.connect
cloudsql.instances.get
logging.logEntries.list
logging.privateLogEntries.list
logging.buckets.get
logging.buckets.list
logging.exclusions.get
logging.exclusions.list
logging.locations.get
logging.locations.list
logging.logMetrics.get
logging.logMetrics.list
logging.logs.list
logging.logServiceIndexes.list
logging.logServices.list
logging.queries.create
logging.queries.delete
logging.queries.get
logging.queries.list
logging.queries.listShared
logging.queries.update
logging.sinks.get
logging.sinks.list
logging.usage.get
logging.views.access
logging.views.get
logging.views.list
resourcemanager.projects.get
serviceusage.services.use
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
firebase.projects.get
resourcemanager.projects.get
storage.objects.update
Install Docker and Docker compose
Log on to your Privacera host as gcp-user or a user with 'sudo' privileges.
Install Docker on the VM.
```bash
sudo yum install -y wget
sudo yum install -y docker
sudo vi /etc/sysconfig/docker
```
Update the OPTIONS variable with the following:
```bash
OPTIONS="--default-ulimit nofile=1024000:1024000"
```
Run the following commands:
```bash
sudo service docker start
sudo usermod -a -G docker $VM_USER
```
Install Docker Compose
If Docker Compose is not configured in Ansible, run the following commands:
```bash
DOCKER_COMPOSE_VERSION="1.23.2"
sudo curl -L https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
```
Proxy configuration
This section describes how to configure a proxy so that Docker can reach the resources Privacera services need; for more information see the Docker documentation. There are different ways to configure Docker to use a proxy server; the following explains how to do so using proxy values in the Docker configuration file and using environment variables.
Proxy configuration using proxy values
If your Docker host must use a proxy to access network resources, you must configure Docker to use the proxy and to bypass it when necessary. Below is an example of the Docker configuration file. This file is usually located in the installing user's home directory at .docker/config.json.
Open the Docker configuration file.
vi ~/.docker/config.json
In the configuration file, add the following JSON to set the proxy values:
```json
{
  "auths": {
    "<PRIVACERA_HUB_REPO>": {
      "auth": "<some_key>"
    }
  },
  "proxies": {
    "default": {
      "httpProxy": "<your_http_proxy_IP_address_and_port>",
      "httpsProxy": "<your_https_proxy_IP_address_and_port>",
      "noProxy": "localhost,172.0.0.0/8,127.0.0.0/8,<local_IP_address>,privacera,dataserver,ranger,solr-1,zoo-1,auditserver,mariadb,access-request-manager"
    }
  }
}
```
Where:
PRIVACERA_HUB_REPO: the Privacera Docker Hub repository where all the images are stored. To get the name of the repository, contact Privacera Sales.
auths: this section is managed by Docker and is usually already present. You do not need to add it if it is not present.
noProxy: all IP addresses, hostnames, and CIDR blocks that must bypass the proxy, including the Privacera Manager host and the Privacera services if hosted in Docker. Consult your network team if you are uncertain what else must be in this list.
Restart Docker service.
sudo service docker restart
Proxy configuration using Environment Variables
Create a new .conf file to override the Docker unit file:
```bash
sudo vi /etc/systemd/system/docker.service.d/override.conf
```
Add the following environment variables to the file:
```ini
[Service]
Environment="HTTP_PROXY=http://<IP>:<PORT>"
Environment="HTTPS_PROXY=http://<IP>:<PORT>"
Environment="NO_PROXY=auth.docker.io,registry-1.docker.io,privacera-registry.s3.amazonaws.com,hub2.privacera.com,10.212.3.241,localhost,172.0.0.0/8,127.0.0.0/8,privacera,dataserver,ranger,solr-1,zoo-1,auditserver,mariadb,access-request-manager"
```
Reload the systemd unit files and restart Docker:
```bash
# daemon-reload must run before the restart so the override is picked up
sudo systemctl daemon-reload
sudo systemctl restart docker.service
```
Kubernetes
Prerequisites for Kubernetes
This section is applicable only if you are installing Privacera on Kubernetes.
Prerequisite | Notes |
---|---|
Kubernetes Cluster | For security reasons, it is recommended to have Kubernetes dedicated for Privacera |
Kubernetes Namespace | Privacera will automatically create the Namespace in the Kubernetes cluster. But you have the option to pre-create one and make it available during Privacera installation |
IAM Roles for NodeGroups (AWS) | The NodeGroups where Privacera's pods run will need the IAM roles based on the services enabled. For the complete list refer here. |
Install kubectl
kubectl is the tool used to interact with your Kubernetes cluster. To install kubectl (the Kubernetes CLI), see Install Tools.
Cluster authentication
The cluster details, such as users, namespaces and authentication mechanisms, are defined in the kubeconfig file. A kubeconfig file is used to configure access to Kubernetes when used in conjunction with the kubectl tool.
When you create your Kubernetes cluster, the kubeconfig file should be generated automatically. For more information, see the Kubernetes documentation.
By default, the kubeconfig file is generated at ~/.kube/config, and kubectl checks for the file at this location.
If the file is not generated at the location, then you can create one. See the following links for each platform:
AWS
System requirements for Privacera Manager Host in EKS
Hardware
EC2 Instance having minimum of 4 cores, 16GB RAM & 64GB Storage (currently m5.xlarge Instance Type).
Software
The following packages would be required on your instance as per your operating system:
yum and rpm (RHEL/CentOS/Oracle/Amazon Linux)
zypper and php_curl (SLES)
apt (Debian/Ubuntu)
ssh, curl, tar, wget and gcc*
OpenSSL (v1.01, build 16 or later)
Python (with python-devel*)
Docker
User account with sudo permissions
Allow only ssh access to the Jump server
Access to the K8s cluster with kubectl
Authority as a cluster admin, or otherwise full access
Network
SELinux and firewall/iptables should be disabled to allow communication.
Azure
System requirements for Privacera Manager Host in AKS
Hardware
Virtual Machine Instance with minimum of 4 Cores, 16GB RAM & 64GB Storage (Standard_D4_v3 Size).
Software
The following packages would be required on your instance as per your operating system:
yum and rpm (RHEL/CentOS/Oracle/Amazon Linux)
zypper and php_curl (SLES)
apt (Debian/Ubuntu)
ssh, curl, tar, wget and gcc*
OpenSSL (v1.01, build 16 or later)
Python (with python-devel*)
Docker
User account with sudo permissions
Allow only ssh access to the Jump server
Access to the K8s cluster with kubectl
Authority as a cluster admin, or otherwise full access
Network
SELinux and firewall/iptables should be disabled to allow communication.
GCP
System requirements for Privacera Manager Host in GKE
Hardware
Virtual Machine Instance with minimum of 4 Cores, 16GB RAM & 64GB Storage (e2-standard-4 Machine).
Software
The following packages would be required on your instance as per your operating system:
yum and rpm (RHEL/CentOS/Oracle/Amazon Linux)
zypper and php_curl (SLES)
apt (Debian/Ubuntu)
ssh, curl, tar, wget and gcc*
OpenSSL (v1.01, build 16 or later)
Python (with python-devel*)
Docker
User account with sudo permissions
Allow only ssh access to the Jump server
Access to the K8s cluster with kubectl
Authority as a cluster admin, or otherwise full access
Network
SELinux and firewall/iptables should be disabled to allow communication.
Security
SSL
By default Privacera creates self-signed SSL certificates for accessing the web interfaces and REST endpoints.
You have the option to supply your own self-signed or CA-signed SSL certificates.
Note
If you provide your own CA-signed certificate and you rely on the Subject Alternative Name (SAN) field, be sure to specify all of your domains in the certificate's SAN field so that all necessary hostnames (such as your containers) and distributed Privacera services can communicate securely.
You should avoid using wildcards (*) in the SAN field. Wildcard certificates can create significant security risks because the same private key is used across multiple systems, thereby increasing the risk of compromise across your organization.
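The following script is an added example (not part of Privacera's documentation) of the check the note above calls for: it reads a certificate's SAN list and reports any wildcard entry and any required service hostname that is not covered, so the certificate can be rejected before it is handed to Privacera Manager. It assumes OpenSSL 1.1.1 or later for the `-ext` option; the hostnames passed on the command line are the Docker service names used elsewhere on this page.

```shell
#!/bin/sh
# Added example, not part of Privacera's documentation: audit the Subject
# Alternative Name (SAN) list of a CA-signed certificate before supplying it
# to Privacera. Reports wildcard entries and missing service hostnames.
set -f   # SAN entries may contain '*'; never let the shell glob them

# san_names "<san line>": turn openssl's SAN text, e.g.
#   "DNS:privacera, DNS:ranger, IP Address:10.0.0.5"
# into one bare name per line.
san_names() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/^DNS://' -e 's/^IP Address://' \
        | sed '/^$/d'
}

# audit_san "<san line>" host1 host2 ...
# Prints one finding per line; returns 0 only when there is no wildcard and
# every required hostname appears literally in the SAN list.
audit_san() {
    san="$1"; shift
    names=$(san_names "$san")
    rc=0
    for n in $names; do
        case "$n" in
            \**) echo "WILDCARD: $n"; rc=1 ;;   # one key would serve every host
        esac
    done
    for h in "$@"; do
        if ! printf '%s\n' "$names" | grep -qxF "$h"; then
            echo "MISSING: $h"; rc=1
        fi
    done
    return $rc
}

# cert_san cert.pem: read the SAN extension from a PEM certificate.
# Assumes OpenSSL 1.1.1+ (-ext); the value is on the second output line.
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName | sed -n '2p'
}

# Usage on the host: sh san_audit.sh cert.pem privacera dataserver ranger solr-1
if [ "$#" -ge 2 ] && [ -f "$1" ]; then
    cert="$1"; shift
    audit_san "$(cert_san "$cert")" "$@"
fi
```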
Vault
If you are using Privacera Encryption, there is an option to store the master key in an external HSM. If you intend to use an external HSM, the following are supported.
Encryption key for StorageClass
If you are deploying Privacera in Kubernetes and are using an encrypted StorageClass, the key that you used will be needed when configuring Privacera.