Configuring Provider and EKM Logs
This section describes the following topics:
Configuring SafeNet ProtectApp MSSQL EKM Provider in SQL Server
To configure the SafeNet ProtectApp MSSQL EKM Provider in the SQL Server database:
Enabling EKM in Your SQL Server Database
To enable EKM, execute the following query on the SQL Server.
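-- Expose the advanced options so that 'EKM provider enabled' can be set
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
-- Turn on Extensible Key Management
EXEC sp_configure 'EKM provider enabled', 1;
RECONFIGURE;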
Only users with the sysadmin or serveradmin privileges can execute sp_configure to change the server configuration. Other users can run this command only to view the server configuration.
Loading the DLL
• Before loading the DLL, you must configure the IngrianNAE.properties file. At a minimum, you must set the NAE_IP and Log_File parameters.
• Only users with the sysadmin privileges can load the DLL.
To load the DLL, execute the following query. This will create a new cryptographic provider named
CREATE CRYPTOGRAPHIC PROVIDER <provider_name>
FROM FILE = '<Installation Directory>\safenet\SQLEKM\safenetsqlekm.dll'
Alter the file location if you did not accept the default installation directory.
Creating Credentials with SQL Server
To create a SQL credential, execute the following query. This will create a new credential named <credential_name>. The credential is visible under Security\Credentials in SQL Server Management Studio.
CREATE CREDENTIAL <credential_name> WITH IDENTITY='<cipherTrust_manager_user>',
SECRET='<cipherTrust_manager_user_password>'
FOR CRYPTOGRAPHIC PROVIDER <provider_name>
You must use a user/password combination that exists on the CipherTrust Manager and that user must have at least Key Admins privileges.
To map this new credential to an existing login on the SQL Server, execute the following query:
ALTER LOGIN <Sql_server_login> ADD CREDENTIAL <credential_name>
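To confirm that the steps above took effect, and to review which logins can reach the key manager through the provider, the following read-only checks can be run. This is an added example, not part of the vendor documentation; it relies only on SQL Server catalog views and makes no assumption about the provider or credential names chosen.

```sql
-- 1. Is EKM enabled, and does the running value match the configured one?
--    'show advanced options' is listed too, so it can be reviewed after setup.
SELECT name,
       CAST(value AS int)        AS configured_value,
       CAST(value_in_use AS int) AS running_value
FROM sys.configurations
WHERE name IN (N'EKM provider enabled', N'show advanced options');

-- 2. Which cryptographic providers are registered, and from which DLL path?
--    The provider DLL is loaded by SQL Server, so an unexpected dll_path
--    (outside the installation directory) deserves investigation.
SELECT provider_id, name, dll_path, version, is_enabled
FROM sys.cryptographic_providers;

-- 3. Which credentials are bound to a provider, and which logins are mapped
--    to them? Every row is a login that can act as the listed key-manager
--    user. A NULL mapped_login means the credential exists but is unmapped.
SELECT cp.name               AS provider_name,
       c.name                AS credential_name,
       c.credential_identity AS key_manager_user,
       c.modify_date,
       sp.name               AS mapped_login,
       sp.type_desc          AS login_type,
       sp.is_disabled
FROM sys.credentials AS c
JOIN sys.cryptographic_providers AS cp
  ON c.target_type = N'CRYPTOGRAPHIC PROVIDER'
 AND c.target_id   = cp.provider_id
LEFT JOIN sys.server_principal_credentials AS spc
  ON spc.credential_id = c.credential_id
LEFT JOIN sys.server_principals AS sp
  ON sp.principal_id = spc.principal_id
ORDER BY cp.name, c.name, sp.name;
```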
Configuring SafeNet ProtectApp MSSQL EKM Provider in SQL Cluster
SafeNet ProtectApp MSSQL EKM Provider can be used in a SQL cluster. Install and configure the provider in the cluster environment.
Install the SafeNet ProtectApp MSSQL EKM Provider on all the nodes. For more details, refer to Installing SafeNet ProtectApp MSSQL EKM Provider.
On all nodes, modify the required properties in the IngrianNAE.properties file.
Configure SQL EKM only on one database node, using the following steps:
Create the key (if needed) only on one node. For more details, refer to Creating Keys.
Configuring EKM Logs
MSSQL EKM logs are generated at the file location mentioned in the Config.txt file.
The default path is C:\EKM.
In the Config.txt file, update the config_path property with the file path where you want EKM logs to be generated. For example:
config_path = <log file path>
You can configure separate log files for different database instances.