
Deployment Manual / Version 2406.0


4.2.3 Properties File Setup

After creating the keystore, servers and clients need access to the keystore credentials. These credentials have to be stored in a Java properties file, so that servers and clients can open the keystore without prompting for passwords. The password file has to contain the following entries:

CM_KEYSTORE_PASSWORD=<KEYSTORE_PASSWORD>
CM_KEY_ALIAS=<KEY_ALIAS>
CM_KEY_PASSWORD=<KEY_PASSWORD>

As the password file contains the clear text passwords for your keystore, the file has to be protected from unauthorized access. This can be done by setting restrictive access rights on the file, or by keeping it on a removable device.

Cipher transformation: By default the service uses the less secure plain RSA transformation, which is known to be available on all systems. For enhanced security, it is recommended to switch to an RSA transformation with padding. You may do so by adding the property CM_CIPHER_TRANSFORMATION to the password file mentioned above. For the available cipher transformations, have a look at your installed security providers. By default, your Java platform should support the following cipher transformations:

  • RSA (default and fallback; see below)

  • RSA/ECB/PKCS1Padding

  • RSA/ECB/OAEPWithSHA-1AndMGF1Padding

  • RSA/ECB/OAEPWithSHA-256AndMGF1Padding

Example configuration for a different cipher transformation:

CM_KEYSTORE_PASSWORD=<KEYSTORE_PASSWORD>
CM_KEY_ALIAS=<KEY_ALIAS>
CM_KEY_PASSWORD=<KEY_PASSWORD>
CM_CIPHER_TRANSFORMATION=RSA/ECB/OAEPWithSHA-256AndMGF1Padding

Cipher transformation migration: To ease migrating from the default RSA transformation to a more secure transformation with padding, RSA is always used as a fallback: if decrypting a password with the configured cipher fails, decryption is retried with plain RSA.

Configuring the location of keystore files: In order to use the keystore with the encryption service, the service needs to know the location of the keystore file and of the keystore password file. You have the following two options:

  • By default, the service expects

    • the keystore file under the path ${user.home}/.cmservices/.keystore

    • and the password file under ${user.home}/.cmservices/.keystore.properties

  • If you want to store the files under different paths, you have to provide the following two system properties:

    • CM_KEYSTORE_LOCATION: location of the keystore file

    • CM_KEYSTORE_PASSWORD_FILE_LOCATION: location of the password file

Note

The encryption service Spring bean takes precedence over the static encryption service instance configured using the CM_KEYSTORE_LOCATION and CM_KEYSTORE_PASSWORD_FILE_LOCATION properties.
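The following Java class is an added illustration, not CoreMedia's encryption service, of the rules this section describes: it resolves the two file locations from the defaults or the CM_KEYSTORE_LOCATION / CM_KEYSTORE_PASSWORD_FILE_LOCATION system properties, refuses a password file that other users can read, checks that the three required entries are present, opens the keystore, and decrypts with the configured transformation before falling back to plain RSA. The class name, the POSIX permission check and reading the two locations via System.getProperty are assumptions.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.security.*;
import java.util.*;
import javax.crypto.Cipher;

// Hypothetical helper: illustrates this page's rules, it is not the product's own service code.
public class KeystorePasswordFile {
  private static final Path DEFAULT_DIR = Paths.get(System.getProperty("user.home"), ".cmservices");
  // Defaults as documented above; the two CM_* system properties override them (assumed to be read this way).
  static final Path KEYSTORE = Paths.get(System.getProperty("CM_KEYSTORE_LOCATION", DEFAULT_DIR.resolve(".keystore").toString()));
  static final Path PASSWORD_FILE = Paths.get(System.getProperty("CM_KEYSTORE_PASSWORD_FILE_LOCATION", DEFAULT_DIR.resolve(".keystore.properties").toString()));

  static Properties loadPasswordFile() throws Exception {
    // The file holds clear-text passwords: refuse it if group or others can read it (POSIX file systems only).
    Set<PosixFilePermission> tooOpen = EnumSet.of(PosixFilePermission.GROUP_READ, PosixFilePermission.OTHERS_READ);
    tooOpen.retainAll(Files.getPosixFilePermissions(PASSWORD_FILE));
    if (!tooOpen.isEmpty()) throw new IllegalStateException(PASSWORD_FILE + " is readable by other users");
    Properties p = new Properties();
    try (InputStream in = Files.newInputStream(PASSWORD_FILE)) { p.load(in); }
    for (String key : new String[] {"CM_KEYSTORE_PASSWORD", "CM_KEY_ALIAS", "CM_KEY_PASSWORD"}) {
      if (p.getProperty(key) == null) throw new IllegalStateException("missing entry " + key);
    }
    return p;
  }
  static PrivateKey loadPrivateKey(Properties p) throws Exception {
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    try (InputStream in = Files.newInputStream(KEYSTORE)) {
      ks.load(in, p.getProperty("CM_KEYSTORE_PASSWORD").toCharArray());
    }
    return (PrivateKey) ks.getKey(p.getProperty("CM_KEY_ALIAS"), p.getProperty("CM_KEY_PASSWORD").toCharArray());
  }
  // Migration rule from this page: the configured transformation first, plain RSA as the fallback.
  static byte[] decrypt(byte[] ciphertext, PrivateKey key, Properties p) throws GeneralSecurityException {
    String configured = p.getProperty("CM_CIPHER_TRANSFORMATION", "RSA");
    GeneralSecurityException first = null;
    for (String transformation : new LinkedHashSet<>(List.of(configured, "RSA"))) { // de-duplicated if configured is RSA
      try {
        Cipher cipher = Cipher.getInstance(transformation);
        cipher.init(Cipher.DECRYPT_MODE, key);
        return cipher.doFinal(ciphertext);
      } catch (GeneralSecurityException e) {
        if (first == null) first = e; // report the configured cipher's failure, not the fallback's
      }
    }
    throw first;
  }
}
```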
