This section describes how to configure the Symmetric Encryption Providers to use a secret key stored in a keystore file.
| Property Name | Value | Description |
|---|---|---|
| crypto.provider | com.kana.connect.common.lib.crypto.SymmetricCryptoProvider | Class name of the Symmetric Encryption Provider. |
| crypto.provider.jce.provider | SunJCE | Internal name of the JCE provider ("SunJCE" is the standard encryption engine bundled with the Java Runtime Environment). |
| crypto.provider.jce.provider.classname | com.sun.crypto.provider.SunJCE | The JCE provider class that implements the Provider interface and can be instantiated and installed as a dynamic JCE provider in Java. |
| crypto.provider.jce.provider.position | 1 | Position at which the JCE provider defined by crypto.provider.jce.provider.classname is inserted in the chain of existing JCE providers, if it is not already present. |
| crypto.provider.jce.algorithm_mode_padd | AES | Encryption algorithm, mode and padding (the encryption transformation, for example "AES" or "DES"). See Appendix A of the Java Cryptography Architecture Reference Guide for the standard transformation names. |
| crypto.provider.key.size | 128 or 256 | Size of the encryption/decryption key in bits. |
| crypto.provider.key.location.type | keystore | Type of the encryption/decryption key location: "file" or "keystore". |
| crypto.provider.keystore.file | /opt/connect/kc/import/crypto.keystore | Location of the keystore file, given as an absolute pathname. IMPORTANT: store the keystore file in the import directory so that it is copied to all nodes during the deployment process. |
| crypto.provider.keystore.type | JCEKS | Type of the keystore file. IMPORTANT: must be "JCEKS". |
| crypto.provider.keystore.password | any password | Password of the keystore file. |
| crypto.provider.key.alias | Connect_AES_Key | Alias (textual name) of the key in the keystore. This property can be any string. |
| crypto.provider.key.password | any password | Password of the key entry in the keystore. This property can be any string. |
The corresponding entries in crypto.properties:

```properties
# class name which implements the Connect CryptoProvider
crypto.provider=com.kana.connect.common.lib.crypto.SymmetricCryptoProvider
crypto.provider.jce.provider=SunJCE
crypto.provider.jce.provider.classname=com.sun.crypto.provider.SunJCE
crypto.provider.jce.provider.position=1
crypto.provider.jce.algorithm_mode_padd=AES
crypto.provider.key.size=128
# configure keystore-based secret
crypto.provider.key.location.type=keystore
crypto.provider.keystore.file=/opt/connect/kc/import/crypto.keystore
crypto.provider.keystore.type=JCEKS
crypto.provider.keystore.password=JCEKS
crypto.provider.key.alias=Connect_AES_KEY
crypto.provider.key.password=connectaespassword
```
```sh
$ sh install/cryptoutil.sh -ks
```

Running this command creates a keystore file and a secret key based on the parameters in crypto.properties. In this example, the program creates a keystore file named crypto.keystore with a secret key under the alias "Connect_AES_KEY". After running this command, you can verify the contents of the keystore file with the Java keytool command:

```sh
$ keytool -list -storetype jceks -keystore import/crypto.keystore
Enter keystore password:
Keystore type: JCEKS
Keystore provider: SunJCE
Your keystore contains 1 entry
connect_aes_key, Oct 31, 2010, SecretKeyEntry,
$
```
```sh
$ sh install/encryptdbinfo.sh
```

This program should add a new database.connect.encrypted property to the database.properties file:

```properties
database.connect.encrypted=DdgCgX/Gyp+9n2j5gyRwDAedoK4Yi3OcQKoa812ZR6AmN7cA/ZJsrdhg89CELx8d
```
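As an added illustration (not code from the product or from this manual), the following stand-alone Java program performs with the plain JCE API the two steps the procedure above delegates to cryptoutil.sh and encryptdbinfo.sh: it creates a JCEKS keystore holding a 128-bit AES SecretKeyEntry under the alias and passwords from the crypto.properties example, loads the key back the way a consumer would, and encrypts one constructed string to a Base64 value of the same shape as database.connect.encrypted. How the product itself generates the key or formats the ciphertext is not documented here, so those details are assumptions; the file is written to the working directory rather than /opt/connect/kc/import.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/** Creates the JCEKS keystore and AES key from the table, then uses the key once. */
public class KeystoreSecretDemo {
    // Values taken from the crypto.properties example; path shortened for the demo (assumption).
    static final String STORE_FILE = "crypto.keystore";
    static final char[] STORE_PASS = "JCEKS".toCharArray();
    static final String ALIAS = "Connect_AES_KEY";
    static final char[] KEY_PASS = "connectaespassword".toCharArray();
    static final int KEY_SIZE = 128;

    /** Same effect as described for cryptoutil.sh -ks (the tool's internals are an assumption). */
    static void createKeystore() throws GeneralSecurityException, IOException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(KEY_SIZE);
        SecretKey key = kg.generateKey();
        KeyStore ks = KeyStore.getInstance("JCEKS"); // JKS cannot hold a SecretKeyEntry, hence JCEKS
        ks.load(null, null);                          // start from an empty store
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(KEY_PASS)); // per-entry key password
        try (FileOutputStream out = new FileOutputStream(STORE_FILE)) {
            ks.store(out, STORE_PASS);                // store password protects integrity of the file
        }
    }

    /** Loads the key back: store password first, then the key password for the entry. */
    static SecretKey loadKey() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (FileInputStream in = new FileInputStream(STORE_FILE)) {
            ks.load(in, STORE_PASS);
        }
        return (SecretKey) ks.getKey(ALIAS, KEY_PASS); // alias lookup is case-insensitive (keytool shows it lowercased)
    }

    public static void main(String[] args) throws Exception {
        createKeystore();
        SecretKey key = loadKey();
        // The bare "AES" transformation from algorithm_mode_padd resolves in SunJCE to
        // AES/ECB/PKCS5Padding; ECB repeats identical plaintext blocks, so an explicit
        // mode such as AES/GCM/NoPadding is the safer choice when the product allows it.
        Cipher c = Cipher.getInstance("AES");
        c.init(Cipher.ENCRYPT_MODE, key);
        byte[] ct = c.doFinal("user=connect;password=example".getBytes(StandardCharsets.UTF_8)); // constructed input
        System.out.println("database.connect.encrypted=" + Base64.getEncoder().encodeToString(ct));
    }
}
```

Running `keytool -list -storetype jceks -keystore crypto.keystore` afterwards shows the same single SecretKeyEntry as in the listing above.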