Skip to main content

Installation and Administration Guide

Configure Watermark Investigation

To configure watermark investigation:

  1. Ensure that the watermarking investigation tool has access to the data proxy.

  2. Ensure that the data plane has connectivity to HashiCorp vault.

  3. Download or create a properties .json file.

    You can download an example properties file at this location:

    https://docs.privitar.com/provisioning/resources/WatermarkInvProperties.json

    Alternatively, you can create your own file using this code:

    {
  "controlPlaneTarget": "dpp0000water.company-name.cloud:443",
  "exchangeId": "0651b9ca-eae4-4e36-b92b-04e9e459c33b",
  "dataPlaneId":  "376a5c9c-dc50-4c42-9c0d-5bc841803d1f",
  "username":  "testuser@acme.com",
  "controlPlaneChannelUsePlaintext": false,
  "controlPlaneChannelTrustedCertificatePath": "controlplane.crt",
  "controlPlaneChannelTlsProtocols":  ["TLSv1.2"],
  "jwtSigningKeyPath": "./jwt-signing-key.pem",
  "jwtSigningKeyPassword":  null,
  "jwtSigningAlgorithm": "RS256",
  "kmsProperties": {
    "properties":  {"authenticationToken": "hvs.kuzTOe7a6OTDLTZtCtBoRa5P", "url": "http://10.0.0.59:8200", "path": "secret"},
    "extraPropertiesFilePath": null,
    "adapterJarPath":  "./HashiCorpVaultKeyReader_deploy.jar",
    "sharedClassesRegex": "(org.slf4j.*)|(com.fasterxml.jackson.*)"
  },
  "csvProperties": {
    "filePath": "./watermark2__clients__20230602.csv",
    "fileContainsHeaders": true,
    "recordSeparator": "\r\n"
  }
}

  4. For easier execution, copy the following files to the same directory of your choosing:

  5. Edit the control plane section of the properties file to indicate the properties as follows:

    {
  "controlPlaneTarget": "dpp0000water.company-name.cloud:443",
  "exchangeId": "0651b9ca-eae4-4e36-b92b-04e9e459c33b",
  "dataPlaneId":  "376a5c9c-dc50-4c42-9c0d-5bc841803d1f",
  "username":  "testuser@acme.com",
  "controlPlaneChannelUsePlaintext": false,
  "controlPlaneChannelTrustedCertificatePath": "controlplane.crt",
  "controlPlaneChannelTlsProtocols":  ["TLSv1.2"],
  "jwtSigningKeyPath": "./jwt-signing-key.pem",
  "jwtSigningKeyPassword":  null,
  "jwtSigningAlgorithm": "RS256",

    To find the values for controlPlaneTarget, exchangeId, and dataPlaneId, download the data proxy configuration file as follows:

    1. Log in to the user interface of the platform.

    2. Click Data Exchanges in the left navigation.

    3. Click Open Data Exchange.

    4. Click the avatar symbol in the top right corner of the page and select Manage Exchange.

    5. Click the Data Planes tab.

    6. Click the arrow to the right of the associated data plane.

    7. Click the Data Proxy tab.

    8. Under Deployment Instructions, click Download.

      The data proxy configuration file downloads.

    9. Open this JSON file.

      This file includes the dataPlaneId, the exchangeId, and the controlPlaneUrl.

    10. Follow the instructions in the Watermarking Control Plane Properties table.

    Table 50. Watermarking Control Plane Properties

    Property

    Description

    Required?

    Example

    Default

    controlPlaneTarget

    Indicates the URL of the control plane.

    Based on the data proxy configuration file, this is the controlPlaneUrl without the https:// at the beginning and the port number of 443 added to the end.

     

    Yes

    Example data proxy configuration file controlPlaneUrl: https://dsp0000water.privitar.cloud

    Equivalent entry for the controlPlaneTarget property: dsp0000water.privitar.cloud:443

    N/A

    exchangeId

    Indicates the identifier for the associate data exchange.

    This is the exact same value as exchangeId in the data proxy configuration file.

    Yes

    0651b9ca-eae4-4e36-b92b-04e9e459c33b

    N/A

    dataPlaneId

    Indicates the identifier for the associated data plane.

    This is the exact same value as dataPlaneId in the data proxy configuration file.

    Yes

    376a5c9c-dc50-4c42-9c0d-5bc841803d1f

    N/A

    username

    Indicates the username on the platform for the user who will perform the watermark investigation. This can be any existing user with any platform role, or you may create a new user in the platform for this purpose.

    Yes

    N/A

    controlPlaneChannelUsePlaintext

    Indicates whether to use plain text for communication between the control plane and the watermarking investigation tool. The default (false) indicates that TLS is used for communication.

    This is a property of the control plane trusted certificate. You can find this in the control plane Kubernetes log file.

    Yes

    false

    controlPlaneChannelTrustedCertificatePath

    This is the path to the certificate included in the installation bundle for the platform. See Install the Control Plane.

    Alternatively, you can fetch the path in Kubernetes, by running the following commands:

    kubectl get secrets -n istio-system
    kubectl get secret <control plane certificate name> -n istio-system -o jsonpath='{.data.tls\.crt}' | base64 --decode > ./certificate.crt

    Yes

    N/A

    controlPlaneChannelTlsProtocols

    Indicates the supported TLS protocols to use for communication between the control plane and the watermarking investigation tool. The supported values are [TLSv1.2, TLSv1.3].

    You can find this in the control plane Kubernetes log file for the data proxy.

    Yes

    TLSv1.2

    jwtSigningKeyPath

    This is the path to the private key.

    Important

    In order to run a watermarking investigation on a data plane, you must have a private/public key pair with the public key registered on the the data plane and the private key in your local folder. Add the public key on the Data Proxy tab of the Data Planes page in the platform UI. See Create and Edit a Data Plane. Each user only needs to perform this action once per data plane.

    Yes

    ./jwt-signing-key.pem

    jwtSigningKeyPassword

    This is the password for the JWT signing key, if applicable.

    Yes

    null

    jwtSigningAlgorithm

    Indicates the type of secure hash algorithm (SHA) used to create the JWT signing key.

    Keep the default of RS256 for RSASSA-PKCS1-v1_5 using SHA-256.

    Change to ES256 for ECDSA using P-256 (aka secp256r1 or prime256v1) and SHA-256.

    These are the only two SHA types that the platform currently supports.

    Yes

    RS256



  6. Edit the kmsProperties section (example below) of the properties file to indicate the properties in the table below.

    "kmsProperties": {
    "properties":  {"authenticationToken": "hvs.kuzTOe7a6OTDLTZtCtBoRa5P", "url": "http://10.0.0.59:8200", "path": "secret"},
    "extraPropertiesFilePath": null,
    "adapterJarPath":  "./HashiCorpVaultKeyReader_deploy.jar",
    "sharedClassesRegex": "(org.slf4j.*)|(com.fasterxml.jackson.*)"
  },

    Set kubernetesRole and kubernetesAuthPath to the same value in data-plane-values.yaml used when you installed the platform. See Install the Data Plane.

    Table 51. KMS Properties

    Property

    Description

    Required?

    Example

    Default

    authenticationToken

    This is the value of the authentication token.

    Yes

    hvs.kuzTOe7a6OTDLTZtCtBoRa5P

    url

    The URL to the HashiCorp Vault server, including the protocol.

    Yes

    http://vault:8200

    path

    The path in HashiCorp Vault used as the base path for all secrets to be read.

    Yes

    secret

    extraPropertiesFilePath

    If not null, then read the file at this path in Java properties file format and merge it with the Properties field.

    No

    null

    adapterJarPath

    If not null, then read the adapter .jar file from this path. If null, then the adapter .jar file must be on the JVM classpath.

    Yes

    ./HashiCorpVaultKeyReader_deploy.jar

    sharedClassesRegex

    Loaded classes and resources that match this regex will be shared between the adapter (plugin) and the rest of the application. If null, will default to sharing SLF4J and Jackson classes.

    Yes

    (org.slf4j.*)|(com.fasterxml.jackson.*)



  7. Edit the csvProperties section of the properties file to indicate the following about the .csv file:

    "csvProperties": {
    "filePath": "./watermark2__clients__20230602.csv",
    "fileContainsHeaders": true,
    "recordSeparator": "\r\n"
  }

    Note

    You only need to include optional properties that you are changing from the default. If you are using the default value, you can exclude that property from the properties file.

    Table 52. Watermarking .csv Properties

    Property

    Description

    Required?

    Example

    Default

    filePath

    Indicates the path to the .csv file that you want to investigate.

    Yes

    ./2022_12_31_retail_customers.csv

    N/A

    fileContainsHeaders

    Indicates whether the .csv file has a header row.

    No

    false

    true

    delimiter

    Indicates the character used to mark the division between fields. Change this if your file uses a different delimiter character, such as a pipe (|). Note that this cannot be a line break character.

    No

    |

    ,

    quoteCharacter

    Change this if your file uses a different quote character, such as a single quote (').

    No

    '

    "

    escape

    Indicates the character used when there are delimiter or quote characters embedded in the data. To disable this setting, enter null.

    Note

    Be sure to use the escape character before entering your escape character.

    No

    \\

    recordSeparator

    Indicates the line feed. This varies by operating system. For Linux use the default (\n). For Windows, use \r\n.

    No

    \r\n.

    \n

    charSet

    Indicates which character set encoding the file uses. Change this if your file uses a different character set, such as ASCII.

    No

    ASCII.

    UTF-8



You are now ready to Investigate a Watermark.

In this section: