Operations Center provides two methods of data encryption using industry-standard encryption algorithms.
Password-based Encryption (PBE): Defaults to PBEWithMD5AndDES, which runs a passphrase, salt and iteration count through MD5 to derive the DES key that the encryption algorithm is seeded with. Both MD5 and single DES are legacy primitives, so the strength of this mode rests mostly on the passphrase and on keeping it out of the hands of an attacker.
File-based Encryption: Defaults to AES; the key is a generated keyblock read from a persistent file rather than derived from a password.
Both algorithm types are configured through Java system properties of the virtual machine (VM) that loads the encryption libraries. Place the configuration values in the system properties of each VM that must encrypt or decrypt the data.
For the PBE-based encryption algorithm, use the following customization parameters. Add the parameters to both the /OperationsCenter_install_path/config/formula.custom.properties and /OperationsCenter_ExperienceManager_install_path/config/monitor.properties files. Table 11-1 lists the parameters for PBE.
Table 11-1 Parameters for PBE

| Parameter | Description |
|---|---|
| System.Cipher.PBE.CipherName | Algorithm name (default: PBEWithMD5AndDES) |
| System.Cipher.PBE.KeyFactoryName | Key factory name (default: PBEWithMD5AndDES) |
| System.Cipher.PBE.Passphrase | Password used to derive the key (default: a fixed value built into the product) |
| System.Cipher.PBE.Salt | Salt mixed into the key derivation (default: a fixed value built into the product) |
| System.Cipher.PBE.IterationCount | Number of hash iterations in the key derivation (default: 17) |
| System.Cipher.PBE.ProviderName | Name of the JCE provider (default: JRE supplied provider) |
The following example of system property settings enables system-wide use of the PBE algorithm and replaces the built-in passphrase:
System.Cipher.DefaultCipher=PBE
System.Cipher.PBE.Passphrase=crackme!
Because the default passphrase and salt are fixed, every installation that leaves them unset derives the same key; set at least the passphrase, and preferably the salt and a much higher iteration count as well.
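To make concrete what the three PBE parameters control, here is a re-implementation of PBKDF1 with MD5 (PKCS#5 v1.5), the derivation that JCE's PBEWithMD5AndDES performs before encrypting. This is an added example, not Operations Center code: the 8-byte salt and the wordlist are constructed for the demonstration, and only the passphrase value is taken from the page's own example. It shows why a fixed salt combined with 17 iterations leaves a passphrase open to an offline dictionary attack.

```python
"""PBKDF1 with MD5 (PKCS#5 v1.5), the derivation behind JCE's PBEWithMD5AndDES,
re-implemented to show what Passphrase, Salt and IterationCount control.
Added example, not product code; the salt and wordlist below are constructed."""
import hashlib
from typing import Iterable, Optional, Tuple

DEFAULT_ITERATIONS = 17  # the page's documented default
# constructed stand-in for the product's fixed 8-byte salt (the real value is not on the page)
EXAMPLE_SALT = bytes.fromhex("0a1b2c3d4e5f6071")


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def pbkdf1_md5(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """T1 = MD5(P || S); Ti = MD5(T(i-1)); the 16-byte T_c is the derived block."""
    if len(salt) != 8:
        raise ValueError("PBES1 uses an 8-byte salt")
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    t = md5(passphrase + salt)
    for _ in range(iterations - 1):
        t = md5(t)
    return t


def des_key_and_iv(passphrase: bytes, salt: bytes, iterations: int) -> Tuple[bytes, bytes]:
    """PBEWithMD5AndDES uses the first 8 derived bytes as the DES key, the last 8 as the CBC IV."""
    dk = pbkdf1_md5(passphrase, salt, iterations)
    return dk[:8], dk[8:]


def recover_passphrase(target_key: bytes, salt: bytes, iterations: int,
                       candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: with the salt known (fixed, or stored beside the
    ciphertext) each guess costs only `iterations` MD5 calls."""
    for cand in candidates:
        key, _ = des_key_and_iv(cand.encode("utf-8"), salt, iterations)
        if key == target_key:
            return cand
    return None


# constructed wordlist; "crackme!" is the passphrase from the page's example
WORDLIST = ["password", "changeit", "operations", "crackme!", "Formula1"]


def demo() -> Optional[str]:
    """Derive the key an installation using the page's example would use, then
    recover the passphrase from that key with the salt and count known."""
    key, _ = des_key_and_iv(b"crackme!", EXAMPLE_SALT, DEFAULT_ITERATIONS)
    return recover_passphrase(key, EXAMPLE_SALT, DEFAULT_ITERATIONS, WORDLIST)


if __name__ == "__main__":
    print("recovered:", demo())
```

Raising System.Cipher.PBE.IterationCount makes every guess proportionally more expensive, and a per-installation System.Cipher.PBE.Salt stops one precomputed table from covering every deployment; neither changes the fact that the underlying primitives are MD5 and single DES, which is a reason to prefer the FILE cipher where the keyblock can be distributed safely.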
Table 11-2 lists the customization parameters to be used for the file-based encryption algorithm.
Table 11-2 Parameters for File Based Encryption

| Parameter | Description |
|---|---|
| System.Cipher.FILE.CipherName | Name of the algorithm. Defaults to AES. |
| System.Cipher.FILE.KeyFile | Location of the keyfile (URL or file path). |
| System.Cipher.FILE.AbortOnMissing | If true, the VM exits when the keyfile is missing instead of starting without it. |
| System.Cipher.FILE.ProviderName | Name of the JCE provider. Defaults to the JRE supplied provider. |

This cipher requires the KeyFile parameter; the file it points to contains the generated keyblock that seeds the algorithm, so protect it with the same file permissions you would give a private key.
To generate a keyblock, use the provided utility:
mosjava com.mosol.util.security.crypt.DefaultFileBasedKeyCipherWrapper generate keyfile [bits: 128,192 or 256]
For example, type the following:
mosjava com.mosol.util.security.crypt.DefaultFileBasedKeyCipherWrapper generate /OperationsCenter_install_path/128aes.keyblock 128
The following example shows system property settings used to enable system-wide usage of the file-based algorithm:
System.Cipher.DefaultCipher=FILE
System.Cipher.FILE.KeyFile=/OperationsCenter_install_path/128aes.keyblock
If the file-based cipher is used for client-based authentication, the KeyFile must be delivered to the client software over a secure channel: anyone who obtains the keyblock can decrypt the data it protects.
Keyblock lengths longer than the default 128 bits (192-bit or 256-bit AES) are also supported.
To use a keyblock length longer than the default 128-bit setting:
Download and install the unlimited strength JCE policy files from Sun, which are subject to export restrictions. These files are at: http://java.sun.com/j2se/1.4.2/download.html#docs. (Unlimited-strength cryptography has been the default policy since Java 8u161 and Java 9, so this step is only needed on older JREs.)
Perform this step for each virtual machine, including the Operations Center server, Experience Manager remote Monitor, Operations Center console (operations client), etc.
Generate the keyblock using the utility provided above. Supply either 192 or 256 as the keyblock length.
To use the encryption library for only one of the Operations Center subsystems, such as Experience Manager:
Set a configuration value in the /OperationsCenter_install_path/config/formula.custom.properties file that directs the configuration type or subsystem to use a particular mode.
For example, the following statements direct the Experience Manager integration to use the FILE-based algorithm for encrypting data. To configure an Experience Manager Monitor to handle encryption in the same way, place the same values in the Experience Manager monitor.properties file.
System.Cipher.Configured.BEM=FILE
System.Cipher.FILE.KeyFile=/OperationsCenter_install_path/keyblock.aes
System.Cipher.FILE.AbortOnMissing=true
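Because these settings are spread across several properties files and several VMs, it is easy to ship one with a default cipher still in place. The following audit script is an added example, not part of the product: it parses a Java properties file, works out which cipher each scope uses (System.Cipher.DefaultCipher plus any System.Cipher.Configured.<subsystem> override such as BEM) and flags the weaknesses discussed above. The property names and documented defaults come from the page; the iteration-count threshold, the finding texts and the placeholder keyblock are this example's own choices.

```python
"""Audit System.Cipher.* settings in an Operations Center .properties file.
Added example; not part of the product. Property names are those documented on
the page; thresholds, finding texts and the placeholder keyblock are this example's own."""
import os
import stat
import tempfile
from typing import Dict, List, Set

MIN_ITERATIONS = 10_000  # assumption: 17 (the product default) is far too low for PBKDF1
LEGACY_TOKENS = ("DES", "MD5", "RC2", "RC4")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators,
    backslash line continuations. Sufficient for the flat files shown on the page."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]  # value continues on the next line
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if seps:
            idx = min(seps)
            key, value = line[:idx], line[idx + 1:]
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def ciphers_in_use(props: Dict[str, str]) -> Set[str]:
    """Ciphers selected system-wide (DefaultCipher) or per subsystem (Configured.<name>)."""
    used = set()
    if "System.Cipher.DefaultCipher" in props:
        used.add(props["System.Cipher.DefaultCipher"].upper())
    prefix = "System.Cipher.Configured."
    used.update(v.upper() for k, v in props.items() if k.startswith(prefix))
    return used


def audit_keyfile(path: str) -> List[str]:
    if "://" in path:
        return [f"KeyFile {path} is a URL; the transport must be authenticated and encrypted"]
    if not os.path.isfile(path):
        return [f"KeyFile {path} does not exist on this host"]
    if os.name == "posix":
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            return [f"KeyFile {path} is readable by group/others (mode {mode:04o}); chmod 600 it"]
    return []


def audit(props: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    used = ciphers_in_use(props)
    if not used:
        findings.append("no System.Cipher.DefaultCipher or ...Configured.* set; product default applies")
    if "PBE" in used:
        name = props.get("System.Cipher.PBE.CipherName", "PBEWithMD5AndDES")  # documented default
        if any(tok in name.upper() for tok in LEGACY_TOKENS):
            findings.append(f"PBE cipher {name} relies on legacy primitives")
        for p in ("Passphrase", "Salt"):
            if not props.get(f"System.Cipher.PBE.{p}"):
                findings.append(f"System.Cipher.PBE.{p} not set; the fixed built-in default is shared by every install")
        try:
            iters = int(props.get("System.Cipher.PBE.IterationCount", "17"))  # documented default
        except ValueError:
            iters = 0
        if iters < MIN_ITERATIONS:
            findings.append(f"System.Cipher.PBE.IterationCount={iters} is below {MIN_ITERATIONS}")
    if "FILE" in used:
        keyfile = props.get("System.Cipher.FILE.KeyFile")
        findings.extend(audit_keyfile(keyfile) if keyfile else ["System.Cipher.FILE.KeyFile is required but not set"])
        if props.get("System.Cipher.FILE.AbortOnMissing", "").lower() != "true":
            findings.append("System.Cipher.FILE.AbortOnMissing is not true; the VM would start without its key")
    return findings


# the page's own PBE example, split onto two lines
WEAK_CONFIG = "System.Cipher.DefaultCipher=PBE\nSystem.Cipher.PBE.Passphrase=crackme!\n"


def hardened_config(keyfile: str) -> str:
    """FILE cipher with an explicit keyblock and fail-closed behaviour, as on the page."""
    return f"System.Cipher.DefaultCipher=FILE\nSystem.Cipher.FILE.KeyFile={keyfile}\nSystem.Cipher.FILE.AbortOnMissing=true\n"


def demo():
    """Audit both configurations. The keyblock is a constructed placeholder (32 zero
    bytes with mode 0600), not output of the product's generate utility."""
    with tempfile.TemporaryDirectory() as tmp:
        keyfile = os.path.join(tmp, "256aes.keyblock")
        with open(keyfile, "wb") as fh:
            fh.write(bytes(32))
        os.chmod(keyfile, 0o600)
        return audit(parse_properties(WEAK_CONFIG)), audit(parse_properties(hardened_config(keyfile)))


if __name__ == "__main__":
    for label, findings in zip(("weak", "hardened"), demo()):
        print(f"{label}: {findings or 'no findings'}")
```

Run it against formula.custom.properties on the server and monitor.properties on each Experience Manager Monitor; since every VM reads its own file, a clean result on one host says nothing about the others.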