This directory contains some examples of using the Java Tenant Security Client (TSC) SDK to protect sensitive data.
In order to use SaaS Shield, you need to run one or more Tenant Security Proxies (TSPs) in your environment. This service is provided as a Docker container, so it is easy to run the proxy on any computer that has Docker installed. IronCore Labs hosts the Docker container on a publicly accessible container registry, so you can pull the image from there and run it locally.
The TSP has a companion Docker container, the Tenant Security Logdriver (LD), which runs alongside it in your environment. It is hosted on the same publicly accessible container registry.
In addition to the Docker containers, you need a configuration file that specifies how the TSP and LD should communicate with the IronCore Labs Configuration Broker and Data Control Platform, which work together to enable the end-to-end encryption that keeps all of the tenant KMS configuration information secure. To simplify the process of running these examples, we have created a demo vendor and tenants that you can use for the examples; all the necessary configuration information is included in the demo-tsp.conf file in this directory.
NOTE: Normally, the file containing the configuration would be generated by the vendor and loaded into a Kubernetes secret or similar mechanism for securely loading the configuration into the Docker container. We have included this configuration in the repository as a convenience. Also note that these accounts are all created in IronCore's staging infrastructure.
The following command will get a TSP and LD running together on your computer with the provided configuration. The docker-compose command will pull both container images, then start them up together on a subnetwork so they can communicate with each other.
docker-compose -f docker-compose.yml up
The TSP will be listening locally on port 32804.
Once the TSP and LD are running, you can experiment with the example Java programs. Each of the subdirectories contains a different illustrative example, with instructions to run.
Each of the examples executes as an individual tenant of our demo SaaS vendor. There are six tenants defined; their IDs are the following:
- tenant-gcp
- tenant-aws
- tenant-azure
- tenant-gcp-l
- tenant-aws-l
- tenant-azure-l
The last three are similar to the first three, but they have key leasing enabled.
By default, an example will use the tenant-gcp tenant. If you would like to experiment with a different tenant, just do:
export TENANT_ID=<select tenant ID>
before running the example.
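As an added illustration (not part of this repository), the following bash preflight helper ties the steps above together: it validates TENANT_ID against the six demo tenants, reports whether the chosen tenant has key leasing enabled, and waits for the local TSP on port 32804 before an example is launched. It assumes bash with /dev/tcp support; EXAMPLE_CMD is a placeholder for whatever command runs the chosen example.

```shell
#!/usr/bin/env bash
# Preflight for the TSC examples (added illustration, not repository code).
# Assumes bash with /dev/tcp; EXAMPLE_CMD is a placeholder for the example launcher.

DEMO_TENANTS="tenant-gcp tenant-aws tenant-azure tenant-gcp-l tenant-aws-l tenant-azure-l"
TSP_PORT=32804

# Returns 0 if the given tenant ID is one of the six demo tenants, 1 otherwise.
validate_tenant() {
  local t
  for t in $DEMO_TENANTS; do
    [ "$t" = "$1" ] && return 0
  done
  return 1
}

# Prints "leasing" for the three -l tenants and "no-leasing" for the others.
tenant_key_mode() {
  case "$1" in
    *-l) echo "leasing" ;;
    *)   echo "no-leasing" ;;
  esac
}

# Polls the TSP port once per second until it accepts a TCP connection
# or the given number of tries is exhausted (returns 1 on timeout).
wait_for_tsp() {
  local tries="${1:-30}"
  while [ "$tries" -gt 0 ]; do
    if (exec 3<>"/dev/tcp/127.0.0.1/$TSP_PORT") 2>/dev/null; then
      return 0
    fi
    tries=$((tries - 1))
    sleep 1
  done
  return 1
}

# Checks the selected tenant (default tenant-gcp, as in the examples) and TSP readiness.
preflight() {
  local tenant="${TENANT_ID:-tenant-gcp}"
  validate_tenant "$tenant" || { echo "unknown tenant ID: $tenant" >&2; return 1; }
  echo "using tenant $tenant ($(tenant_key_mode "$tenant"))"
  wait_for_tsp 30 || { echo "TSP not listening on port $TSP_PORT" >&2; return 1; }
}

# Typical use (uncomment to run after starting the containers):
# docker-compose -f docker-compose.yml up -d && preflight && $EXAMPLE_CMD
```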
If you would like some more in-depth information, our website features a section of technical documentation about the SaaS Shield product.