4.2.2 Symmetric Encryption Provider with Keystore
This section describes how to configure the Symmetric Encryption Providers to use a secret key stored in a keystore file.
Configuring a Keystore-Based Secret Key
To configure the Symmetric encryption provider to use a secret key in a keystore, set the following properties in the crypto.properties file.
| Property Name | Value | Description |
| --- | --- | --- |
| crypto.provider | com.kana.connect.common.lib.crypto.SymmetricCryptoProvider | Class name of the Symmetric Encryption Provider. |
| crypto.provider.jce.provider | SunJCE | Internal name of the JCE provider ("SunJCE" is the standard encryption engine bundled with the Java Runtime Environment). |
| crypto.provider.jce.provider.classname | com.sun.crypto.provider.SunJCE | The JCE provider class, which implements the Provider interface and can be instantiated and installed as a dynamic JCE provider in Java. |
| crypto.provider.jce.provider.position | 1 | Position at which the JCE provider defined by crypto.provider.jce.provider.classname is inserted into the chain of existing JCE providers, if it is not already present. |
| crypto.provider.jce.algorithm_mode_padd | AES | Specifies the encryption algorithm, mode and padding (the encryption transformation, for example "AES" or "DES"). See Appendix A in the Java Cryptography Architecture Reference Guide for the standard transformation names. |
| crypto.provider.key.size | 128 or 256 | Specifies the size of the encryption/decryption key in bits. Key sizes greater than 128 bits require the unlimited strength policy files (see below). |
| crypto.provider.key.location.type | keystore | Specifies where the encryption/decryption key is stored: "file" or "keystore". |
| crypto.provider.keystore.file | /opt/connect/kc/import/crypto.keystore | Specifies the location of the keystore file. IMPORTANT: The keystore file should be stored in the import directory so that it is copied to all nodes during the deployment process. This property should be an absolute pathname. |
| crypto.provider.keystore.type | JCEKS | Specifies the type of the keystore file. IMPORTANT: Should be "JCEKS". |
| crypto.provider.keystore.password | any password | Specifies the password of the keystore file. |
| crypto.provider.key.alias | Connect_AES_Key | Each key in the keystore has a textual name or alias. This property can be any string. |
| crypto.provider.key.password | any password | Each key in the keystore may have a password. This property can be any string. |
An example crypto.properties file is shown below.
# class name which implements connect CryptoProvider
crypto.provider=com.kana.connect.common.lib.crypto.SymmetricCryptoProvider
crypto.provider.jce.provider=SunJCE
crypto.provider.jce.provider.classname=com.sun.crypto.provider.SunJCE
crypto.provider.jce.provider.position=1
crypto.provider.jce.algorithm_mode_padd=AES
crypto.provider.key.size=128
# configure keystore-based secret
crypto.provider.key.location.type=keystore
crypto.provider.keystore.file=/opt/connect/kc/import/crypto.keystore
crypto.provider.keystore.type=JCEKS
crypto.provider.keystore.password=JCEKS
crypto.provider.key.alias=Connect_AES_KEY
crypto.provider.key.password=connectaespassword
Creating the Keystore and Secret Key
Once the crypto.properties file has been configured, the cryptoutil program may be used to create the keystore and a secret key entry. To create the keystore and secret key, run the following program:
$ sh install/cryptoutil.sh -ks
It will create a keystore file and a secret key based on the parameters in crypto.properties. In this example, the program will create a keystore file named crypto.keystore with a secret key under the alias "Connect_AES_KEY". After running this command, you can verify the contents of the keystore file using the java keytool command:
$ keytool -list -storetype jceks -keystore import/crypto.keystore
Enter keystore password:
Keystore type: JCEKS
Keystore provider: SunJCE
Your keystore contains 1 entry
connect_aes_key, Oct 31, 2010, SecretKeyEntry,
Testing the Crypto Provider Configuration
Test your crypto provider configuration by encrypting the database connection string in database.properties:
$ sh install/encryptdbinfo.sh
This program should add a new database.connect.encrypted property to the database.properties file:
database.connect.encrypted=DdgCgX/Gyp+9n2j5gyRwDAedoK4Yi3OcQKoa812ZR6AmN7cA/ZJsrdhg89CELx8d
Note: If you receive an exception similar to the one shown below, you are most likely using key sizes that are larger than currently permitted by the Java Cryptography Libraries. To enable larger key sizes, install the unlimited-strength crypto policy files from this link: http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html.
com.kana.connect.common.lib.crypto.CryptoException: java.security.InvalidKeyException: Illegal key size or default parameters
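The following added example (not the product's cryptoutil program, and not code from this document) shows what the keystore step above amounts to in plain JCE: it reads the crypto.properties keys from the table, checks the configured key size against the JCE policy limit that triggers the "Illegal key size" exception in the note, creates the JCEKS keystore with one AES SecretKeyEntry, and reloads it to confirm the entry as keytool -list would. The class name and the assumption that crypto.properties sits in the working directory are the example's own.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

// Added example, not the product's cryptoutil: builds the JCEKS keystore and
// AES SecretKeyEntry described by crypto.properties, checking the policy limit first.
public class KeystoreSecretKeyExample {
    public static void main(String[] args) throws Exception {
        Properties p = new Properties();
        try (FileInputStream in = new FileInputStream("crypto.properties")) { // assumed path
            p.load(in);
        }
        // For "AES/CBC/PKCS5Padding" style transformations the key algorithm is the first part
        String keyAlg = p.getProperty("crypto.provider.jce.algorithm_mode_padd").split("/")[0];
        int keySize = Integer.parseInt(p.getProperty("crypto.provider.key.size"));
        String ksFile = p.getProperty("crypto.provider.keystore.file");
        String ksType = p.getProperty("crypto.provider.keystore.type"); // JCEKS: JKS cannot hold secret keys
        char[] ksPass = p.getProperty("crypto.provider.keystore.password").toCharArray();
        String alias = p.getProperty("crypto.provider.key.alias");
        char[] keyPass = p.getProperty("crypto.provider.key.password").toCharArray();
        // Without the unlimited-strength policy files this limit is 128 bits for AES
        int maxBits = Cipher.getMaxAllowedKeyLength(keyAlg);
        if (keySize > maxBits) {
            throw new IllegalStateException("crypto.provider.key.size=" + keySize
                + " exceeds the JCE policy limit of " + maxBits + " bits");
        }
        KeyGenerator kg = KeyGenerator.getInstance(keyAlg);
        kg.init(keySize);
        SecretKey key = kg.generateKey();
        KeyStore ks = KeyStore.getInstance(ksType);
        ks.load(null, ksPass); // null stream: start from an empty keystore
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(keyPass));
        try (FileOutputStream out = new FileOutputStream(ksFile)) {
            ks.store(out, ksPass);
        }
        // Reload and confirm the entry, as keytool -list -storetype jceks does (aliases are case-insensitive)
        KeyStore check = KeyStore.getInstance(ksType);
        try (FileInputStream in = new FileInputStream(ksFile)) {
            check.load(in, ksPass);
        }
        int storedBits = check.getKey(alias, keyPass).getEncoded().length * 8;
        System.out.println(alias + " stored as " + keyAlg + " key of " + storedBits + " bits");
    }
}
```

Run it with the example crypto.properties from this section in the working directory; a key size above the policy limit fails at the check rather than later with CryptoException.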