Deployment Manual / Version 2406.1
Table Of ContentsAfter creating the keystore, servers and clients need to have access to the keystore credentials. For this, they have to be stored in a Java properties file. Then the servers and clients will be able to access the keystore without prompting for passwords. The password file has to contain the following entries:
CM_KEYSTORE_PASSWORD=<KEYSTORE_PASSWORD> CM_KEY_ALIAS=<KEY_ALIAS> CM_KEY_PASSWORD=<KEY_PASSWORD>
As the password file contains the clear text passwords for your keystore, the file has to be protected from unauthorized access. This could be done by setting reasonable access rights for the file, or by putting it on a removable device.
Cipher transformation:
By default the service uses less
secure RSA-transformation, which is known to be available on all systems. For enhanced
security, it is recommended to switch to an RSA algorithm with padding. You may do so
by providing an additional property CM_CIPHER_TRANSFORMATION
in
the password file mentioned above. For available Cipher
transformations,
have a look at your installed security providers. By default, your Java platform should
support the following Cipher
transformations:
RSA
(default and fallback; see below)RSA/ECB/PKCS1Padding
RSA/ECB/OAEPWithSHA-1AndMGF1Padding
RSA/ECB/OAEPWithSHA-256AndMGF1Padding
Example configuration for different cipher transformation:
CM_KEYSTORE_PASSWORD=<KEYSTORE_PASSWORD> CM_KEY_ALIAS=<KEY_ALIAS> CM_KEY_PASSWORD=<KEY_PASSWORD> CM_CIPHER_TRANSFORMATION=RSA/ECB/OAEPWithSHA-256AndMGF1Padding
Cipher transformation migration:
To ease
migrating from the default RSA
transformation to a more
secure transformation with padding, RSA
is always
used as a fallback. In case decrypting a password failed for the
configured cipher, RSA
will be tried as well.
Configuring the location of keystore files: In order to use the keystore with the encryption service, the service needs to know the location of the keystore and keystore password files. For this, you have the following two options:
By default, the service expects
the keystore file under the path
${user.home}/.cmservices/.keystore
and the password file under
${user.home}/.cmservices/.keystore.properties
If you want to store the files under different paths, you have to provide the following two system properties:
CM_KEYSTORE_LOCATION
: location of the keystore fileCM_KEYSTORE_PASSWORD_FILE_LOCATION
: location of the password file
Note
The encryption service Spring bean takes precedence over the static encryption service instance configured
using the CM_KEYSTORE_LOCATION
and CM_KEYSTORE_PASSWORD_FILE_LOCATION
properties.