Installation

This section describes the steps you must perform to install the Hyperscale Compliance Engine.

Hyperscale Compliance Installation

Pre-requisites

Ensure that you meet the following requirements before you install the Hyperscale Compliance Engine.

• Download the Hyperscale tar file (delphix-hyperscale-masking-3.0.0.0.tar.gz) from download.delphix.com.
• You must create a user that has permissions to install Docker and Docker compose.
• Install Docker on VM. Minimum supported docker version is 20.10.7.
• Install Docker compose on VM. Minimum supported docker-compose version is 1.29.2.

• Check if docker and docker-compose are installed by running following command:

  • docker-compose -v

    The above command displays an output similar to the following:

    docker-compose version 1.29.2, build 5becea4c

  • docker -v

    The above command displays an output similar to the following:

    Docker version 20.10.7, build 3967b7d

• Download and install Linux based Oracle’s instant client on the machine where the Hyperscale Compliance Engine will be installed. The client should essentially include instantclient-basic (Oracle shared libraries) along with instantclient-tools containing Oracle’s SQL*Loader client. A group ownership id of 50 and a permission mode of 750 must be set recursively on the directory where Oracle’s instant client binaries/libraries will be installed. This is required by the Hyperscale Compliance Engine to be able to read/execute from the directory.

Procedure

Perform the following procedure to install the Hyperscale Compliance Engine.

1. Unpack the Hyperscale tar file.

   tar -xzf delphix-hyperscale-masking-3.0.0.0.tar.gz

2. Load the extracted tars into Docker.

   docker load --input controller-service.tar
   docker load --input unload-service.tar
   docker load --input masking-service.tar
   docker load --input load-service.tar
   docker load --input proxy.tar
   

3. Create an NFS shared mount, that will act as a Staging Area, on the Hyperscale Compliance Engine host where the Hyperscale Compliance engine will perform read/write/execute operations:

   1. Create a ‘Staging Area’ directory. For example: /mnt/hyperscale/staging_area. The user(s) within each of the docker containers part of the Hyperscale Compliance Engine and the appliance OS user(s) in the Continuous Compliance Engine(s), all have a group ownership id of 50. As such, the ‘staging_area’ directory, along with the directory(‘hyperscale’) one level above, require a group ownership id of 50 and a permission mode of 770 so that the Hyperscale Compliance Engine and the Continuous Compliance Engine(s) can perform read/write/execute operations on the staging area.

   2. Mount the NFS shared directory on the staging area directory(/mnt/hyperscale/staging_area). This NFS shared storage can be created and mounted in two ways as detailed in the NFS Server Installation section. Based on the umask value for the user which is used to mount, the permissions for the staging area directory could get altered after the NFS share has been mounted. In such cases, the permissions(i.e 770) must be applied again on the staging area directory.

      Note

      The directory created in step 3a (‘staging_area’) will be provided as the ‘mountName’ and the corresponding shared path from the NFS file server as the ‘mountPath’ in the MountFileSystems API.

4. Configure the following docker container volume bindings for the docker containers by editing the docker-compose.yaml file from tar:

   1. For each of the docker containers, except the ‘proxy’ container, add a volume entry binding the staging area path (from 3(a), /mnt/hyperscale) to the Hyperscale Compliance Engine container path(/etc/hyperscale) as a volume binding under the ‘volumes’ section.
   2. For load-service docker container, add a volume entry which binds the path of the ‘Oracle instant Client’ on the host to the path on the container(/usr/lib/instantclient) under the ‘volumes’ section.
   3. [Optional] Step 6b explains how the logs of a given container can be viewed with docker commands. If you would like to redirect the logs of one or more containers to a particular directory, then you have an option to do the same by setting up a logging directory and exposing the same, as a volume binding, in the docker-compose.yaml file. This directory again must have a group ownership id of 50 and a permission mode of 770, due to the same reasons as highlighted in step 3a, so that the Hyperscale Compliance Engine can perform read/write/execute operations in the logging directory. The following example includes volume bindings to redirect docker container logs of each service to separate directories.

   An example docker-compose.yaml file looks like the following:

   networks:
     hyperscale-net: {}
   services:
     controller-service:
       depends_on:
         load-service:
           condition: service_started
         masking-service:
           condition: service_started
         unload-service:
           condition: service_started
       environment:
         API_KEY_CREATE: "true"
       healthcheck:
         interval: 30s
         retries: 3
         start_period: 30s
         test: curl --fail --silent http://localhost:8080/actuator/health | grep UP || exit 1
         timeout: 25s
       image: delphix-controller-service-app:3.0.0.0
       init: true
       networks:
         hyperscale-net: null
       restart: unless-stopped
       volumes:
         - hyperscale-controller-data:/data:rw
         - /home/hyperscale_user/logs/controller_service:/opt/delphix/logs
     load-service:
       image: delphix-load-service-app:3.0.0.0
       init: true
       networks:
         hyperscale-net: null
       restart: unless-stopped
       volumes:
         - hyperscale-load-data:/data:rw
         - /mnt/hyperscale:/etc/hyperscale
         - /opt/oracle/instantclient:/usr/lib/instantclient
         - /home/hyperscale_user/logs/load_service:/opt/delphix/logs
     masking-service:
       image: delphix-masking-service-app:3.0.0.0
       init: true
       networks:
         hyperscale-net: null
       restart: unless-stopped
       volumes:
         - hyperscale-masking-data:/data:rw
         - /mnt/hyperscale:/etc/hyperscale
         - /home/hyperscale_user/logs/masking_service:/opt/delphix/logs
     proxy:
       depends_on:
         controller-service:
           condition: service_started
       image: delphix-hyperscale-masking-proxy:3.0.0.0
       init: true
       networks:
         hyperscale-net: null
       ports:
         - published: 443
           target: 443
       restart: unless-stopped
     unload-service:
       image: delphix-unload-service-app:3.0.0.0
       init: true
       networks:
         hyperscale-net: null
       restart: unless-stopped
       volumes:
         - hyperscale-unload-data:/data:rw
         - /mnt/hyperscale:/etc/hyperscale
         - /home/hyperscale_user/logs/unload_service:/opt/delphix/logs
   version: '3.7'
   volumes:
     hyperscale-controller-data: {}
     hyperscale-load-data: {}
     hyperscale-masking-data: {}
     hyperscale-unload-data: {}
   

5. (OPTIONAL) To modify the default Hyperscale configuration properties for the application, see Configuration Settings.

6. Run the application from the same location where you extracted the docker-compose.yaml file.

   docker-compose up -d

   • Run the following command to check if the application is running. The output of this command should shows five containers up and running.

     docker-compose ps

   • Run the following command to access application logs of a given container.

     docker logs -f <service_container_name>

     Note

     Service container name can be accessed by output of the command docker-compose ps.

   • Run the following command to stop the application (if required).

     sudo docker-compose down

7. Once the application starts, an API key will be generated that will be required to authenticate with the Hyperscale Compliance engine. This key will be found in the docker container logs of the controller service.

   Docker logs -f <service_container_name>

   Note

   Service container name can be accessed by output of the command docker-compose ps.

   The above command displays an output similar to the following where the string NEWLY GENERATED API KEY can be grepped from the log::

   2022-05-18 12:24:10.981  INFO 7 --- [           main] o.a.c.c.C.[Tomcat].[localhost].[/]    : Initializing Spring embedded WebApplicationContext
   2022-05-18 12:24:10.982  INFO 7 --- [           main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 9699 ms
   NEWLY GENERATED API KEY: 1.89lPH1dHSJQwHuQvzawD99sf4SpBPXJADUmJS8v00VCF4V7rjtRFAftGWygFfsqM
   

   To authenticate with the Hyperscale Compliance Engine, you must use the API key and include the HTTP Authorization request header with type apk; apk <API Key>.

   For more information, see the Authentication section under Accessing the Hyperscale Compliance API.

Continuous Compliance Engine Installation

Delphix Continuous Compliance Engine is a multi-user, browser-based web application that provides complete, secure, and scalable software for your sensitive data discovery, masking, and tokenization needs while meeting enterprise-class infrastructure requirements. For information about installing the Continuous Compliance Engine, see Continuous Compliance Engine Installation documentation.