First time setup
This section walks you step by step through downloading and installing the Delphix Engine software on your infrastructure (VMware, AWS EC2, Azure, or GCP).
Set up network access to the Delphix Engine
- Power on the Delphix Engine and open the Console.
- Wait for the Delphix Management Service and Delphix Boot Service to come online. This might take up to 10 minutes during the first boot. Wait for the large orange box to turn green.
- Press any key to access the sysadmin console.
- Enter sysadmin for the username and sysadmin for the password. For more information, read the Amazon documentation on finding an AWS AMI Instance ID or IP address.
- You will be presented with a description of available network settings and instructions for editing.
- Configure the hostname. Use the same hostname you entered during the server installation. If you are using DHCP, this step can be skipped.
- Configure DNS. If you are using DHCP, this step can be skipped.
- Configure either a static or DHCP address. The static IP address must be specified in CIDR notation (for example, 192.168.1.2/24).
- Configure a default gateway. If you are using DHCP, this step can be skipped.
- Commit your changes. Note that you can use the get command prior to committing to verify your desired configuration.
- Check that the Delphix Engine can now be accessed through a Web browser by navigating to the displayed IP address, or hostname if using DNS.
- Exit setup.
Set up the Delphix Continuous Compliance Engine
- Use the Setup Wizard to configure the Continuous Compliance Engine after your first login.
  - Open a supported web browser and connect to the Delphix Continuous Compliance Engine.
  - Log in with the default credentials:
    - Username: sysadmin
    - Password: sysadmin
  - Change the default password for security purposes.
  The Setup Wizard then starts automatically to guide you through engine configuration.
- On the Welcome page, select Continuous Compliance to set up masking-specific settings, such as the Compliance admin user’s email and password and the Compliance SMTP settings, directly from the Setup Wizard. The wizard then redirects you to the login page that corresponds to the selected engine type. When you select Continuous Compliance, the wizard creates the admin user with your defined password. This user serves as the Compliance Administrator and performs all administrative setup tasks. However, there are limitations to this feature:
  - Only Masking user settings (email and password) and SMTP settings are supported. Customers will need to use the API to set up LDAP.
  - Once set, these settings can only be updated via the Masking API. There are no corresponding sections in the system dashboard.
  - Engine Type cannot be modified once set in the Setup Wizard because it has other dependencies such as SSO.
  Enter the correct password. After three failed attempts, the system locks your account from the Compliance service.
- On the Continuous Compliance Password page, enter the current default password for the Compliance Engine. The default is Admin-12.
- On the Administrators page, enter the credentials for the System Administrator, Compliance Administrator, and Engine Administrator.
- On the Time page, select an option to maintain the system time, and click Next to continue. Note that the Compliance Engine operates only in the UTC time zone. Time zone selection during setup does not apply.
- On the Network page, configure the network interfaces and services as required.
  Modifying the settings of network interfaces or the default gateway can make the Delphix Engine unreachable from the browser. Perform such changes from the Command Line Interface (CLI) on the system console after a successful installation.
- On the Network Security page, review the certificates installed by the Engine’s Certificate Authority. Replace any certificate if needed, and click Next to continue.
- On the Storage page, select the object storage type for data. The Delphix Continuous Compliance Engine automatically discovers and displays the available storage devices. From the Storage Type for Data drop-down list, choose the desired option.
  The available settings for each storage device may differ based on the selected storage type or engine configuration.
  - Verify that the required devices are enabled for data storage.
  - (Optional) Select Expand to increase capacity if additional space is available.
  - Click Rediscover to detect any newly attached storage devices.
  - Click Next to continue.
- On the Outbound Connectivity page, configure how the Delphix Engine communicates with external services for support, analytics, and notifications.
  - Web proxy
    - Select Configure web proxy if the Delphix Continuous Compliance Engine must connect to Delphix Support through a proxy server.
    - Enter the proxy details as required for your environment.
  - Phone Home Service
    - Select Enable phone home service to automatically send a minimal support bundle to Delphix Support once per day over HTTPS.
    - Use this service to assist with proactive troubleshooting and future support.
  - User-Click Analytics
    - Select Enable Usage Analytics to send anonymous, non-personal metadata describing user interactions with the product interface.
    - Use this data to help improve product performance and usability.
  - Continuous Compliance SMTP
    - Select Use an existing SMTP server to configure email notifications for Continuous Compliance.
    - Enter the following information:
      - Server Name or IP Address: Specify the SMTP host or IP used to send emails.
      - From Email Address: Enter the sender address that appears in outgoing notifications.
      - Email Subject: Define the default subject line for Continuous Compliance email notifications.
    - Verify your entries and ensure that the SMTP server is reachable from the engine.
  - Click Next to continue.
- On the Authentication page, configure how users access the Delphix Continuous Compliance Engine. You can set up LDAP and SAML/SSO authentication methods according to your organization’s access policies.
  - Configure LDAP
    Configure the Continuous Compliance LDAP service using the Continuous Compliance API before enabling LDAP on this page. To sync LDAP settings from the setup application into Continuous Compliance at engine startup, select Use LDAP (Server/Port required; TLS optional) and Configure LDAP for Continuous Compliance Engine (Base DN/LDAP filter required; MS AD domain optional). If both are selected and required fields are set, the configuration syncs automatically. The Enable toggle is not synced and must be enabled manually in Continuous Compliance. Ensure a Continuous Compliance user exists in LDAP before enabling LDAP. If you import or modify certificates in the TrustStore, restart the masking service for the changes to take effect. In the setup application, the Test Connection button does not validate the Base DN, LDAP filter, or Microsoft AD domain values. If you get locked out, refer to the LDAP Troubleshooting & Recovery page.
    In the setup application, the Test Connection button performs an LDAP bind test that validates all configuration fields except the LDAP filter. This aligns with the behavior in the Continuous Compliance Engine.
    - Select Use LDAP to enable authentication with your existing LDAP server.
    - Enter LDAP Server and Port details.
    - (Optional) Select Protect LDAP traffic with SSL/TLS to secure communication over the port number entered above (636 for SSL/TLS).
    - Select the Authentication method.
    - (Optional) Click Import Server Certificate to upload the LDAP certificate. To import a certificate, you must provide a host and port and protect LDAP traffic with SSL/TLS.
    - (Optional) Click Test Connection to verify the connection to your LDAP server.
  - Configure SAML/SSO
    - Select Use SAML/SSO to enable single sign-on authentication.
    - Review the Entity ID displayed on the page. This is the unique identifier of your engine as a SAML/SSO service provider.
    - Copy and paste the IdP Metadata XML from your identity provider into the IdP Metadata field. In your identity provider (IdP), set the Audience Restriction values (SP Entity ID and Partner’s Entity ID) to match this Entity ID.
    - (Optional) Expand the Advanced Options section and configure the following fields:
      - Response skew time in seconds: Specify the maximum time difference allowed between the SAML response and the engine’s current time. The default is 120 seconds.
      - Maximum age of IdP authentication in seconds: Specify how far in the past the engine accepts authentication from the IdP. The default is 86,400 seconds (1 day).
  - Configure OAuth2
    - Select Use OAuth2 access tokens to enable token-based authentication for users accessing the Delphix Continuous Compliance Engine.
    - Enter the following details:
      - Issuer URI: Specify the URI of the OAuth authorization server.
      - Audience: Define the intended audience of the access tokens. The default is api://delphix.
      - User Identifying Claim: Enter the claim in the token used to associate a JWT with a Delphix Engine user. The default is sub.
    - (Optional) Expand Advanced Options to configure additional parameters:
      - JWK Set URI: Enter the URI of the JSON Web Key (JWK) set used for validating tokens.
      - User Matching Field: Select the Delphix user property that matches the user ID claim. The default is PRINCIPAL.
      - Access Token Skew Time: Define the time window (in seconds) allowed for clock drift between systems when validating tokens. The default is 60 seconds.
  - Click Next to continue.
- On the Network Authorization page, select Use Kerberos authentication to communicate with remote hosts to enable secure communication with remote hosts using Kerberos credentials.
  - Configure Host Connection Authentication: When connecting to hosts, you can define username-password pairs directly or use an external Enterprise Password Vault for credential management.
    - Click + to add a new vault entry.
    - In the Vault Type drop-down, select the vault provider (for example, CyberArk).
    - Enter the following details:
      - Vault Name: Specify a descriptive name for the vault connection.
      - Vault Hostname: Enter the hostname or IP address of the vault server.
      - Port: Provide the connection port number used by the vault (for CyberArk, the default is typically 443).
      - App ID: Enter the application ID used to authenticate the Delphix Engine with the vault.
      - Authentication Certificate: Paste or upload the vault’s authentication certificate.
      - Private Key: Provide the private key associated with the authentication certificate.
    - Click Save to add the vault configuration.
    - (Optional) Repeat the process to add multiple vaults as needed.
  - Click Next to continue.
- On the Registration page, activate the Delphix Continuous Compliance Engine and associate it with your Delphix Support or Community account. You can register the engine online (if internet connectivity is available) or offline (if external access is restricted).
  If the Delphix Engine has access to the external Internet (either directly or through a web proxy), then you can auto-register the Delphix Engine. If external connectivity is not immediately available, you must perform manual registration by copying the Delphix Engine registration code and completing the registration process on the Delphix registration portal. Click Next to continue.
- The final Summary tab will enable you to review your configuration. Click Submit to acknowledge the configuration.
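How the OAuth2 settings on the Authentication page (Issuer URI, Audience, User Identifying Claim, Access Token Skew Time) constrain an access token, shown as an added Python example that is not Delphix code. The issuer URI, the sample claims, and the way the skew is applied to exp and nbf are assumptions; the token's signature is assumed to have been verified against the JWK set already.

```python
import time

# Defaults from the Authentication page; the issuer URI is a constructed placeholder.
SETTINGS = {
    "issuer": "https://idp.example.com/oauth2",
    "audience": "api://delphix",
    "user_claim": "sub",
    "skew_seconds": 60,
}

class TokenRejected(Exception):
    """Raised with the reason a token's claims were refused."""

def _is_number(value):
    return isinstance(value, (int, float)) and not isinstance(value, bool)

def check_claims(claims, settings=SETTINGS, now=None):
    """Check the claims of an already signature-verified JWT and return the
    value that would be matched against an engine user."""
    now = time.time() if now is None else now
    skew = settings["skew_seconds"]
    if claims.get("iss") != settings["issuer"]:
        raise TokenRejected("issuer mismatch")
    aud = claims.get("aud")  # RFC 7519: one string or a list of strings
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if settings["audience"] not in audiences:
        raise TokenRejected("audience mismatch")
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if not _is_number(exp):
        raise TokenRejected("exp missing or not numeric")
    if now >= exp + skew:  # skew tolerates clock drift, it does not extend lifetime by policy
        raise TokenRejected("expired")
    if nbf is not None and (not _is_number(nbf) or now < nbf - skew):
        raise TokenRejected("not yet valid")
    user = claims.get(settings["user_claim"])
    if not isinstance(user, str) or not user:
        raise TokenRejected("user claim missing")
    return user

def verdict(claims, now):
    """Return 'ok: <user>' or 'rejected: <reason>' for a set of claims."""
    try:
        return "ok: " + check_claims(claims, now=now)
    except TokenRejected as err:
        return "rejected: " + str(err)

# Constructed sample claims: valid from t=1000 to t=1300.
SAMPLE = {"iss": SETTINGS["issuer"], "aud": ["api://delphix", "api://other"],
          "sub": "jdoe@example.com", "nbf": 1000, "exp": 1300}
```

With the 60-second default, the sample token is still accepted 50 seconds after its exp and rejected from 60 seconds on, so a larger skew value widens the window in which an expired token remains usable.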
Log in to the Delphix Continuous Compliance Engine
- Open a web browser and go to http://masking-engine.example.com/masking.
- Enter the default username: admin.
- Enter the default user password: Admin-12.