Salesforce

Privacy Portal Installation

Printable View
« Go Back
Information
Privacy Portal Installation
UUID-e3a6fb54-f4fb-d139-a3a0-02c31168aa9b
Article Content

On-Premises Installation Guide PDF

Important

As of January 25, 2023, customers can no longer perform new deployments of on-premises instances. Deployments before this date are still supported and will be upgraded as necessary until this solution reaches end of life.

For more information on available stacks and hosting options, see Supported Stacks for On-Premises and About OneTrust Hosting Options, Locations, and Backup.

Configure Services

  1. Download the OnPrem consumer installer from the URL provided by OneTrust.

  2. Unzip the downloaded installer.

  3. Open a command line and navigate the directory to extracted installer .../k8sdeployemnt/

Setting Up the Certificate

  1. Place the pfx certificate in the following path /ds-portal/k8s-deployment

  2. Navigate to the terminal and change directory to the above path.

  3. Run the below command to get the base64 format of the pfx file:

    cat {pfxname}.pfx | base64 | tr -d " \t\n\r"

  4. Navigate to the package downloaded path and go to the following path …\ds-portal\k8s-deployment\_templates\secrets

  5. Open the internal-certificate.yml file.

  6. In the wildcard_ssl.pfx: placeholder enter the Base 64 code of the SSL certificate and select Save.

Ingress cert and key setup

We need to generate the cert and key from the .pfx certificate.

  1. Run the below command via terminal to generate the cert. After running the command, it will ask you to enter the certificate password. Enter it and .crt file will be generated.

    openssl pkcs12 -in <pfx file name>.pfx -nodes -nokeys -nomac -out <enter the file name as ds-cert.crt>

  2. To generate .key file , run the below command. After running the command, it will ask you to enter the certificate password. Enter it and the .key file will be generated.

    openssl pkcs12 -in <pfx file name>.pfx -nocerts -nodes -out <enter the file name as ds-cert.key>

  3. Place both the ds-cert.crt and ds-cert.key in the ../admin-portal/k8s-deployment/ path.

Configure General Properties

Navigate to the …\ds-portal\k8s-deployment\properties\services and complete the following:

  1. Edit the application-onprem.properties as follows:

    1. app.host.url={OneTrust admin-portal URL}

    2. host.url={consumer portal URL}

    3. Set the db.*properties with SQL Server information

      db.hostname=
db.port=
db.username=
db.password=

  2. Navigate to .../k8s-deployment/tools and extract ds-portal-keystore.zip

  3. Open the Windows Subsystem for Linux or bash command line and point it to the folder .../k8s-deployment/tools/ds-portal-keystore/keystore

  4. Run the command ./get-key-data-subject-auth.sh and enter the following values:

    1. Enter Distinguished Name (e.g.cn=OneTrust, OU=IT): cn=OneTrust, OU=IT

    2. Keypair validity: 365

    3. Auth key alias: AuthJWT

  5. A file named cert.txt will be generated in the same folder. Create a new text file as cert-auth.txt and copy the generated content values from cert.txt file and also update in the application-onprem.properties

  6. Again navigate back to the .../k8s-deployment/tools/ds-portal-keystore/keystore and take the backup of the cert.txt

  7. Navigate back to the Windows Subsystem for Linux or bash command line and run the ./get-keystore-data-subject.sh and enter the following values:

    1. Enter Distinguished Name (e.g.cn=OneTrust, OU=IT): cn=OneTrust, OU=IT

    2. Keypair validity: 365

    3. DS key alias: DsJWT

  8. A file named cert.txt would have generated in the same folder. Copy the values of the below generated content values in cert.txt file and update in the ds-request-onprem.properties

    dsrequest.receipt.jwt.keystore.secretKeyName=
dsrequest.receipt.jwt.key.password=
dsrequest.receipt.jwt.keystore.password=
dsrequest.receipt.jwt.keystore.base64=

  9. In ds-gateway-onprem.properties and turnstile-onprem.properties files, set the value for the below property:

    server.ssl.key-store-password= {the pfx file's password}  
dsar.webform.domain={Enter both admin-portal and Consumer-portal domain names}

Configure .envs

Select the below steps based on the tech stack the application is being installed.

  1. In the installation package navigate to folder …/ds-portal/k8s-deployment/inventory_template

  2. Open and edit .envs file and make the below changes to enter preferred namespace name and the host selected for installation.

    export OT_DS_NAMESPACE=
export OT_DS_HOST=

  3. Provide the values for the docker registry configuration:

    export OT_DOCKER_REGISTRY=
export DOCKER_USER=
export DOCKER_PASSWORD=

  4. In SELF MANAGED CLUSTER section export CLUSTER_NAME="" should be blank

  5. In WINDOWS CLUSTER section export LOCAL_CLUSTER="false" should be false

  6. Follow the below steps based on the tech stack of the application is being installed, then return to step 5.

  7. Give the values for the Password Encryption:

    export IS_ENCRYPTION="false"

    Note

    1. If we have encryption setup then the above placeholder should be set to true

    2. If true, copy the encryptKeyStore.jks file from ...ds-portal\k8s-deployment\tools\ds-portal-keystore\keystore and place in the folder path ...ds-portal\k8s-deployment\encryption_dependencies

  8. Save the file once the above values are updated.

Privacy Portal on AWS

  1. Make the below set of configurations specific to AWS cloud:

    export CLOUD_AWS="true"
export AWS_REGION=
export EKS_CLUSTER=
export OT_CERT_ARN=

  2. Update AWS Elastic File System configuration:

    export OT_AWS_EFS_ID=
export OT_AWS_EFS_REGION=
export OT_AWS_EFS_DNS=

Privacy Portal on Azure

  • Make the below set of configurations specific to Azure cloud:

    export CLOUD_AZURE="true"
export CLOUD_AZURE_SUBSCRIPTION=
export CLOUD_AZURE_RG=
export CLOUD_AZURE_AKS_CLUSTER=

Privacy Portal Setup for Encryption of Passwords & Secrets

  1. From the admin portal copy the encryption.jks file from the following folder path …/ k8s-deployment/tools/admin-portal-keystore/keystore, and paste it in encryption dependencies folder (...ds-portal\k8s-deployment\encryption_dependencies)

    Note

    Keep this file safe, this is the master key used to encrypt and decrypt passwords.

  2. Navigate to ..../admin_portal/k8s-deployment/_templates/secrets and open config.properties file, copy the following properties:

    encrypt.key-store.location=file:/config/encryption_dependencies/encryptKeyStore.jks
encrypt.key-store.password= (get from the application.onprem)
encrypt.key-store.alias=configKey
encrypt.key-store.secret= (same as encrypt.key-store.password)
encrypt.key-store.type=JCEKS

  3. Navigate to the command line terminal (WSL or bash) where we will execute the shell scripts.

  4. Execute installation script by entering ./install_ds_portal.sh encrypt.

  5. Enter docker registry password

  6. Confirm the printed parameters are accurate.

     Do these values look good? (y/n): {Enter "y" if the above enter value is good}

  7. Once the Deployment is done, run the below command:

    kubectl get pods -n {namespace}

  8. Get the config pod name, run the below command run the below command to encrypt the password by modifying the value:

    kubectl -n {namespace} exec -it {config pod name} -- sh -c "curl http://localhost:8100/encrypt -d {password/secret key to encrypt}"

  9. Encrypt the all the passwords in \ds-portal\k8s-deployment\properties\services\application-onprem.properties file using the command in step 7.

    SQL

    db.password=

    Redis

    spring.redis.password=

    Note

    If the external Redis connection is used, the Redis password should be encrypted.

  10. Encryption placeholders

    dsrequest.receipt.jwt.keystore.password=
dsrequest.receipt.jwt.key.password=

Installing the Privacy Portal Pods

  1. Navigate to …/ds-portal/k8s-deployment and create a new folder called inventory

  2. Copy the .envs file from inventory_template folder to newly created inventory folder.

  3. Navigate back to a terminal where we executed the shell scripts.

  4. Change the directory to .../k8s-deployment/

  5. Run the installation script by executing ./install_ds_portal.sh install command. You will be prompted to install any of the required dependencies if they do not exist.

  6. Enter docker registry password

  7. The values updated as part of the .envs file for the cloud selected will be displayed.

  8. Confirm the printed parameters are accurate.

    Do these values look good? (y/n): {Enter "y" if the above enter value is good}

  9. In next steps it prints the components to be installed.

    Do these values look good? (y/n): {Enter "y" if the above enter value is good}

  10. The installer will create the namespaces/services/deployments in the cluster based on the input values provided.

  11. Check the running pods in the namespace by executing below command:

    kubectl get pods -n {namespace}

  12. After all the services are healthy, we need to update the DNS domain name in the selected cloud provider.

  13. Execute the below command to get the public IP address:

    kubectl get ingress –n {namespace}

  14. Copy the external IP address of the load balancer type.

  15. Add the DNS entry in the DNS manager for the IP address obtained.

Set SQL Compatibility level

  • To check the SQL compatibility on the DSPortal DB , run the below query from the master database

    SELECT name, compatibility_level
FROM sys.databases;

  • If the SQL compatibility level is less than 160 , run the below query from the master database

  • ALTER DATABASE <DB NAME> SET COMPATIBILITY_LEVEL = 160;

Accessing Privacy Portal

  1. Enter the following URL into your browser: https://hostname/ui/#/error

  2. Once the installation is complete, ensure the portal can be accessed at https://hostname/ui/#/error
 
Article Visibility
2,470
Translation
English
Checked
Powered by