Data360 DQ+ uses the Application DB to store the data encryption keys used in the application. The master key that encrypts those data encryption keys is stored in a Java Key Store. The path to the keystore and its password are specified in the install.properties file at installation time.
# Java keystore used by the application. The system will create one at this
# location if it does not exist. It is recommended that an existing keystore
# generated outside of Sagacity be used here.
APP_KEYSTORE_FILE=${sagacityExclusiveMountPoint}/security/sagacity.keystore
# The password to the application keystore.
APP_KEYSTORE_PASSWORD=
The passwords specified in the properties file are encrypted at installation time.
System administrators can use the Java Keytool utility to manage the encryption keys and certificates in the keystore. The keytool command is a key and certificate management utility. It enables users to administer their own public/private key pairs and associated certificates for use in self-authentication or data integrity and authentication services, using digital signatures. The keytool command also enables users to cache the public keys (in the form of certificates) of their communicating peers.
More information can be obtained from:
https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html
The following outlines the steps to re-encrypt the data keys stored in the Postgres database with a new security key. Data keys are encryption keys used to encrypt sensitive data in the system. These keys are in turn encrypted by a master key configured for the system during deployment. Depending on the deployment mode, the master key may be managed by a third-party Key Management System (KMS) or by a Java Key Store file.
Enterprise Deployment
In an Enterprise Deployment, the master key is stored in a Java Key Store file configured in the install.properties file. To re-encrypt the data keys, follow these steps:
- Execute the stopTomcat command to shut down the application servers on all nodes.
- Execute the backupApplicationDb command to back up the application database.
- Make a copy of the keystore file configured in the install.properties file.
- To show the keys currently in the keystore:
keytool -list -keystore ./sagacity.keystore
- Add a new key to the keystore, using the same passwords as before. For example:
keytool -genkeypair -keystore ./sagacity.keystore -alias sagacityKey2 -keyalg RSA -validity 36500 -dname CN=Sagacity,OU=Dev,O=Infogix,L=Naperville,ST=IL,C=US -v
- Confirm that the key has been added by listing the keys in the keystore again.
- Update install.properties so that the master key alias points to the new key:
APP_MASTER_KEY_ALIAS=sagacityKey2
- Execute the reencrypt command to re-encrypt the data keys.
- Execute the deploy command to deploy the application.
- Execute the startTomcat command to start the application servers on all nodes.
- Verify that encrypted data is accessible before making the application available to users.
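The keystore part of the procedure above, as an added helper script that is not part of Data360 DQ+ or its install tooling. It assumes keytool is on PATH, that the keystore path, install.properties path and new alias are passed as arguments, and that keytool prompts for the (unchanged) keystore password itself; the alias is verified in the keystore listing before install.properties is modified, and reencrypt, deploy and startTomcat are still run separately afterwards.

```sh
#!/bin/sh
# Added helper, not part of Data360 DQ+: the keystore side of the
# master key rotation. Assumes keytool is on PATH and that paths and
# the alias are passed as arguments; keytool prompts for passwords itself.
set -eu

# Copy the keystore aside before touching it; prints the backup path.
backup_keystore() {
    cp "$1" "$1.bak"
    printf '%s\n' "$1.bak"
}

# Succeed only if ALIAS is listed as an entry in non-verbose
# `keytool -list` output read from stdin. JKS aliases are
# case-insensitive and printed in lower case, so the match ignores case.
listing_has_alias() {
    grep -qi "^$1,.*PrivateKeyEntry"
}

# Current APP_MASTER_KEY_ALIAS value (empty when unset).
get_master_key_alias() {
    sed -n 's/^APP_MASTER_KEY_ALIAS=//p' "$1"
}

# Point APP_MASTER_KEY_ALIAS at ALIAS, replacing an existing line or
# appending one; every other line of install.properties is untouched.
set_master_key_alias() {
    props=$1; alias=$2
    if grep -q '^APP_MASTER_KEY_ALIAS=' "$props"; then
        sed "s|^APP_MASTER_KEY_ALIAS=.*|APP_MASTER_KEY_ALIAS=$alias|" \
            "$props" > "$props.tmp" && mv "$props.tmp" "$props"
    else
        printf 'APP_MASTER_KEY_ALIAS=%s\n' "$alias" >> "$props"
    fi
}

# Back up, add the new key pair, confirm it is really in the store,
# and only then repoint the alias. reencrypt/deploy/startTomcat
# follow separately once this returns 0.
rotate_master_key() {
    keystore=$1; props=$2; new_alias=$3
    backup_keystore "$keystore" >/dev/null
    keytool -genkeypair -keystore "$keystore" -alias "$new_alias" -keyalg RSA \
        -validity 36500 -dname "CN=Sagacity,OU=Dev,O=Infogix,L=Naperville,ST=IL,C=US"
    keytool -list -keystore "$keystore" | listing_has_alias "$new_alias" \
        || { echo "alias $new_alias missing from $keystore" >&2; return 1; }
    set_master_key_alias "$props" "$new_alias"
}
```

Run as `rotate_master_key /path/to/sagacity.keystore /path/to/install.properties sagacityKey2` from a shell that has sourced the script; the keystore backup is written next to the original.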
The system administrator performing these operations is not the application administrator and does not have access to the application internals (data screens). Decrypted data is viewable only through the application screens, and only by an authorized user.