
The security implications of providing a support bundle to Delphix Support

Description

This document describes which data is collected when a customer generates a support bundle. While security administrators are the target audience, it may be of value to anyone in a customer organisation using or contemplating implementing the Delphix Engine in their environment. Armed with this information, customers and their security teams can make an informed decision about whether sending a support bundle to Delphix is acceptable and meets corporate or even national security requirements on sharing information.

Support bundle data enables Delphix support staff and engineering to understand the configuration of a Delphix Engine and its associated source and target hosts. It is important to clarify from the outset that a support bundle contains no database-related user data from source or target hosts.

Password information is included in the support bundle; however, that data is encrypted. Clear-text passwords entered in the browser are encrypted in a custom JSON wrapper prior to transfer to the engine (even with HTTP, transfers are never in plain text). Once the data reaches the Delphix Engine, AES-128 encryption is applied to the string, based on a key which is not included as part of the support bundle. In practice this means that even internal support staff with expert knowledge would require access to the customer Delphix Engine to effect decryption.

It is feasible to generate a support bundle, download the file locally and inspect its content.
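A pre-send check a security team could run on the downloaded file, as an added example that is not Delphix code: it assumes the bundle is a tar archive (the page does not state the format) and searches every member for canary strings the team supplies, such as a known service-account password or a marker value from a source database. The member names, canary values and sample archive below are constructed.

```python
import io
import tarfile

# Constructed canaries: values that must never appear in clear text in a bundle.
CANARIES = {"svc_backup password": "Tr0ub4dor-constructed",
            "source row marker": "CANARY-ROW-7781"}

def scan_bundle(fileobj, canaries, chunk_size=1 << 20):
    """Return sorted (member_name, canary_label) pairs found in clear text."""
    if not canaries:
        raise ValueError("at least one canary value is required")
    needles = {label: value.encode("utf-8") for label, value in canaries.items()}
    # Keep this many bytes between reads so a match split across chunks is seen.
    overlap = max(len(n) for n in needles.values()) - 1
    hits = set()
    # "r:*" lets tarfile detect gzip, bzip2, xz or no compression by itself.
    with tarfile.open(fileobj=fileobj, mode="r:*") as bundle:
        for member in bundle:
            if not member.isfile():
                continue
            stream, tail = bundle.extractfile(member), b""
            while True:
                chunk = stream.read(chunk_size)
                if not chunk:
                    break
                window = tail + chunk
                for label, needle in needles.items():
                    if needle in window:
                        hits.add((member.name, label))
                tail = window[-overlap:] if overlap else b""
    return sorted(hits)

def build_sample_bundle():
    """Constructed stand-in archive; this is not the real bundle layout."""
    files = {
        "sample/os/network.txt": b"interface0 up mtu 1500\n",
        "sample/log/app.log": b"job started\nuser=svc_backup password=Tr0ub4dor-constructed\n",
        "sample/db/config.txt": b"password=ENCRYPTED-PLACEHOLDER\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for member, label in scan_bundle(build_sample_bundle(), CANARIES):
        print(f"clear-text canary '{label}' found in {member}")
```

For a real file, pass `open(path, "rb")` as `fileobj`; an empty result means none of the supplied canaries appear uncompressed and unencoded in any member, not that the bundle is free of every sensitive value.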

Overview of Data Collection

The data collected when a support bundle is generated covers several areas.

Delphix Engine operating system state and configuration
    • ZFS
    • Networking
    • Kernel
    • System configuration
    • Process and service information
Delphix Engine data logging
    • Application logging
    • Operating System logs
Delphix Engine internal Postgres database
    • Database content
    • Database logs and configuration
       

Privilege Requirements for Support Bundle Generation

To generate a support bundle, the user must have delphix_admin or sysadmin privileges.

 

User: delphix_admin

When logged in as delphix_admin it is possible to add a new user with "Delphix Admin" privileges.

User: sysadmin

When logged in as sysadmin, it is possible to add a new sysadmin user.

Any new user with sysadmin privileges will by default have the authority to generate a support bundle.

 

Support Bundle Transmission Protocol

Support bundle generation provides the option to upload directly to Delphix using the browser interface. This is only applicable where the Delphix Engine is able to reach the internet. Direct uploads are transferred to Delphix using HTTPS. Alternatively, a support bundle may be uploaded to a local (intermediary) host, and the file can then be uploaded from a second or third host over HTTPS to https://upload.delphix.com.

For full instructions, please see How to Create and Upload Support Logs.