
Appendix J: Key Management Options

PK Protect for Hadoop encryption is compatible with a variety of key management systems. One option is the Java keystore that installs with PK Protect; because it is installed together with PK Protect, it requires no additional configuration.

Another option is a third-party keystore that supports the Key Management Interoperability Protocol (KMIP). Currently, PK Protect encryption can run with either Safenet or RSA as the key management system. Other KMIP-compliant KMSs can be integrated on customer request.

SAFENET

These instructions illustrate how to configure the Safenet JCE provider on both the server and client. Original documentation from Safenet is found in chapter 10 of Safenet’s “ProtectApp-JCE, Version 6.6.0.”

Server-Side Configuration

  1. Creating a User & Keys

  2. Create User

  3. Create keys (AES128_Key, AES256_Key) and associate them with the newly created user as their owner.


  4. Create a Local Certificate Authority (CA). Navigate to the Create Local Certificate Authority section (Security, Certificates & CAs, Local CAs). Enter the values shown below to create a new local CA. Click Create.

  5. Navigate to the Create Certificate Request section (Security, Certificates & CAs, Certificates). Enter the values shown below to create a request. Click Create Certificate Request.


  6. Select the new certificate request from the Certificate List section (located above the Create Certificate Request section).

  7. Click Properties.


  8. Copy the actual request (example below). Include the header and footer.


  9. Navigate back to the Local Certificate Authority List section (Security, Certificates & CAs, Local CAs). Select your new local CA and click Sign Request.

  10. Select Server as the Certificate Purpose and paste the certificate request into the Certificate Request field.

  11. Click Sign Request. This will take you to the CA Certificate Information section. Copy the actual certificate (at bottom). Include the header and footer.

  12. Navigate back to the Certificate List section (Security, Certificates & CAs, Certificates). Select your certificate request and click Properties. Click Install Certificate. Paste the actual certificate, as shown below. Click Save.

  13. Navigate to the KMIP Server Settings section (Device, NAE Server, KMIP). Click Edit.

  14. Check Use SSL and select your new server certificate in the Server Certificate field. Click Save.

  15. Navigate back to the Local Certificate Authority List section (Security, Certificates & CAs, Local CAs). Select your new CA and click Download. Place the CA certificate on your client.

  16. Move the certificate from the download location to <Java_Home>/lib/security.

  17. Open a command prompt on your client and navigate to <Java_Home>/lib/security.

  18. Install the CA certificate into the cacerts keystore using the command below. Follow the prompts as shown.

    keytool -keystore cacerts -import -alias NewLocalCA -file NewLocalCA.crt.cer
    Enter keystore password: changeit
    ...
    Trust this certificate? [no]: yes
    Certificate was added to keystore

*Note: The value for the -file option must reflect your actual filename. The keystore password must reflect your actual keystore password.

  1. Update the following parameters in your IngrianNAE.properties file:

    • Protocol=ssl

    • Key_Store_Location=<Java_Home>/lib/security/cacerts

    • Key_Store_Password=<password>

    • Username=<username>

Client-Side Configuration

  1. Create a Client Certificate

  2. On the client, open a command prompt and navigate to <Java_Home>/lib/security.

  3. From the command line, create a new client keystore to use with PK Protect (ArvilRai_keystore_1 in this example).

  4. Command:

    keytool -keystore ArvilRai_keystore_1 -genkey -alias ArvilRai_alias_1 -keyalg RSA
    Enter keystore password: Dataguise123
    What is your first and last name?
    [Unknown]: Arvil Rai
    What is the name of your organizational unit?
    [Unknown]: ArvilRai
    What is the name of your organization?
    [Unknown]: Dataguise
    What is the name of your City or Locality?
    [Unknown]: Fremont
    What is the name of your State or Province?
    [Unknown]: CA
    What is the two-letter country code for this unit?
    [Unknown]: US
    Is CN=Arvil Rai, OU=ArvilRai, O=Dataguise, L=Fremont, ST=CA, C=US correct?
    [no]: yes
    Enter key password for <ccert>
    (RETURN if same as keystore password): <press Enter without entering a password>


  5. Generate a client certificate request using the public/private key pair that was created in your new keystore.

    keytool -keystore ArvilRai_keystore_1 -certreq -alias ArvilRai_alias_1 -file ArvilRai_alias_1.csr
    Enter keystore password: <password>

  6. Open the client certificate request file and copy the actual request. Include the header and footer. The request file is created in <Java_Home>/lib/security.

    vi ccert.csr

  7. Log in to the Management Console on the server machine as an administrator with Certificate Authority and NAE Server privileges, and navigate to the Local Certificate Authority List section (Security, Certificates & CAs, Local CAs).

  8. Select NewLocalCA and click Sign Request. (NewLocalCA is the local CA created during the server-side configuration.)

  9. Select Certificate Purpose Client and paste the certificate request into the Certificate Request field, as shown below:

  10. Click Sign Request. This will take you to the CA Certificate Information section.

  11. Your Client Certificate is now created.

  12. Download & Import Client Certificate

  13. On the client machine, click Download to download your new client certificate (signed.crt) to your client.

  14. Return to the Local Certificate Authority List section (click Back on the CA Certificate Information section).

  15. Select NewLocalCA and click Download.

  16. Navigate to the Trusted Certificate Authority List Profiles section (Security, Certificates & CAs, Trusted CA Lists). Select Profile Name Default and click Properties.

  17. Click Edit in the Trusted Certificate Authority List section. Add the CA to the Trusted CA list.


  18. On the client, move the client certificate and the CA certificate from the download location to <Java_Home>/lib/security.

  19. Open a command prompt on your client and navigate to <Java_Home>/lib/security.

  20. Import the CA certificate (NewLocalCA) into the client keystore.

    $ keytool -keystore clientcerts -import -alias NewLocalCA -file NewLocalCA.crt
    Enter keystore password:
    Owner: ...
    Issuer: ...
    Serial number: 0
    Valid from: mm/dd/yy hh:mm until: mm/dd/yy hh:mm
    Certificate fingerprints:
    MD5:  F0:2D:2F:ED:55:31:6F:F0:A6:E4:AA:37:1F:83:E7:FA
    SHA1: 8A:08:61:AB:73:32:E2:18:0E:B7:8D:69:2E:91:A6:24
    Trust this certificate? [no]: yes
    Certificate was added to keystore

  21. Import the signed client certificate into the client keystore file.

    keytool -keystore ArvilRai_keystore_1 -import -alias ArvilRai_alias_1 -file signed.crt
    Enter keystore password:
    Certificate reply was installed in keystore
          

  22. Verify that the certificates are correctly installed. You should see a certificate chain length of 2 and two certificates: the client certificate and the CA certificate.

    keytool -keystore ArvilRai_keystore_1 -alias ArvilRai_alias_1 -list -v
    Enter keystore password:
    Alias name: ccert
    Creation date: Oct 19, 2006
    Entry type: keyEntry
    Certificate chain length: 2
    Certificate[1]:
    Owner: CN=clientcerts, OU=clientcerts, O=clientcerts, L=clientcerts, ST=clientcerts, C=US
    Issuer: EMAILADDRESS=NewLocalCA@NewLocalCA.com, CN=NewLocalCA, OU=NewLocalCA, O=NewLocalCA, L=NewLocalCA, ST=NewLocalCA, C=US
    Serial number: 17
    Valid from: 10/18/06 9:11 AM until: 10/7/16 9:11 AM
    Certificate fingerprints:
    MD5:  7B:73:86:91:A6:E7:6C:60:0C:28:FA:E2:AF:03:0A:ED
    SHA1: 26:63:4C:59:EB:80:A9:16:C9:DB:E4:D4:1D:C0:1A:BD:F3
    Certificate[2]:
    Owner: EMAILADDRESS=NewLocalCA@NewLocalCA.com, CN=NewLocalCA, OU=NewLocalCA, O=NewLocalCA, L=NewLocalCA, ST=NewLocalCA, C=US
    Issuer: EMAILADDRESS=NewLocalCA@NewLocalCA.com, CN=NewLocalCA, OU=NewLocalCA, O=NewLocalCA, L=NewLocalCA, ST=NewLocalCA, C=US
    Serial number: 0
    Valid from: 10/9/06 5:13 PM until: 10/7/16 5:13 PM
    Certificate fingerprints:
    MD5:  F0:2D:2F:ED:55:31:6F:F0:A6:E4:AA:37:1F:83:E7:FA
    SHA1: 8A:08:61:AB:73:32:E2:18:0E:B7:8D:69:2E:91:A6:24:BC

  23. Update the following parameters in the IngrianNAE.properties file:

    Key_Store_Location=/usr/lib/jvm/java-1.11.0-openjdk-1.6.0.0.x86_64/jre/lib/ext/orgx
    Key_Store_Password=changeit
    Client_Cert_Alias=ccert3
    Client_Cert_Passphrase=

*Note: The Client_Cert_Passphrase parameter should be set to no value.
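As an added check for the verification in step 22 (example code written for this appendix, not part of PK Protect, Safenet or keytool), the following Python parses the output of keytool -list -v and confirms the expected layout: a declared chain length of 2, a client certificate issued by the CA, and a self-signed root whose CN matches the local CA. The listing it runs on is a constructed sample modelled on the output in step 22 (shortened DNs, no dates or fingerprints), and the CA name NewLocalCA is taken from this page.

```python
# Constructed sample modelled on the keytool -list -v output in step 22 (names follow the page).
SAMPLE_LISTING = """\
Alias name: ccert
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=clientcerts, OU=clientcerts, O=clientcerts, C=US
Issuer: CN=NewLocalCA, OU=NewLocalCA, O=NewLocalCA, C=US
Certificate[2]:
Owner: CN=NewLocalCA, OU=NewLocalCA, O=NewLocalCA, C=US
Issuer: CN=NewLocalCA, OU=NewLocalCA, O=NewLocalCA, C=US
"""

def parse_listing(text):
    """Return (declared chain length, list of {owner, issuer} per Certificate[n])."""
    chain_length, certs = 0, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate chain length:"):
            chain_length = int(line.split(":", 1)[1])
        elif line.startswith("Certificate["):
            certs.append({})
        elif line.startswith("Owner:") and certs:
            # Some exports run "Owner: ... Issuer: ..." onto one line; accept both forms.
            owner, _, issuer = line[len("Owner:"):].partition(" Issuer:")
            certs[-1]["owner"] = owner.strip()
            if issuer:
                certs[-1]["issuer"] = issuer.strip()
        elif line.startswith("Issuer:") and certs:
            certs[-1]["issuer"] = line[len("Issuer:"):].strip()
    return chain_length, certs

def check_client_chain(text, expected_ca_cn="NewLocalCA"):
    """Return the problems found; an empty list means the keystore matches step 22."""
    chain_length, certs = parse_listing(text)
    if chain_length != 2 or len(certs) != 2:
        return [f"expected chain length 2, got {chain_length} ({len(certs)} certificates)"]
    client, ca = certs
    problems = []
    if client.get("issuer") != ca.get("owner"):
        problems.append("client certificate was not issued by the CA in the chain")
    if ca.get("owner") != ca.get("issuer"):
        problems.append("chain root is not a self-signed CA")
    if f"CN={expected_ca_cn}" not in ca.get("owner", ""):
        problems.append(f"chain root is not {expected_ca_cn}")
    return problems
```

To check a real keystore, feed the captured keytool output to check_client_chain instead of the sample.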

  1. Return to the Management Console and navigate to the KMIP Server Authentication Settings section (Device Management, NAE Server). Enter the following values:

    Client Certificate Authentication: Used for SSL Session only
    Trusted CA List Profile: Default

    The CA that signed the certificate must be a member of the Trusted CA List Profile.

  2. Be sure to update the HDFSIDPConfig.properties file with Safenet’s NAE.Properties Location. For more information, refer to Section 3.1.1 HDFS IDP.

  3. Verify Safenet JCE Provider Configuration

  4. Create and execute an encryption task from PK Protect.

  5. View catalina.out log file.

  6. If you find exceptions related to KMIP, this means the client has not been configured correctly. Verify each of the above steps again.

  7. If the client was configured successfully, the log file shows the encryption task completing without KMIP exceptions.


RSA Key Manager Configuration

Prerequisites

Ensure you have all your client, server, and root PKI certificates you obtained from your certificate vendor, and they are loaded on to DPM via the Appliance Console GUI.

  1. Go to Identity Management -> Identity Groups ->Create. Create a new Identity Group. Click Save.

  2. Go to Identity Management -> Identities -> Create. Create a new Identity, associating it with the recently created Identity Group. Select “Operational User” as the role and “.cer” as the file extension.


    Place the corresponding .p12 file in the location specified by the HDFSIDPConfig.properties entry (discussed in the PK Protect Configuration section). Leave the Internal and Access Manager fields blank. Click Save.

  3. Go to Key Management -> Key Classes. Name a Key Class and associate it with the recently created Identity Group. Click the Activated Keys Have Duration check box. Leave Get Duration from a Crypto Policy unchecked. Click Next.


  4. Select Algorithm AES, Keysize 128 or 256, and mode CBC.

    1. Algorithm: AES

    2. Key Size: 128 or 256

    3. Mode: CBC

    4. Duration: User discretion

    5. Key Behavior: Use Current Key

    6. Check the Allow Auto-generation box.

  5. Click the Next button and enter any attributes, if desired, until you reach step 5 for review.

  6. Click Finish.

  7. Go to Key Management -> Key Classes. Against the key class for which you want to generate a key, click the yellow key icon in the column titled “Generate key”.

  8. Leave the attributes blank.

  9. Click Add Row and enter an alias. Click Generate.

  10. To use this key, the corresponding Identity must be set as client.identity_name=Identity2 in rsaconfig.properties. Place the corresponding .p12 file (matching the .cer file you added earlier when creating the identity in the RSA web console) in your local client configuration, at the location given in rsaconfig.properties.

  11. Add the just created alias in the list of aliases in HDFSIDPConfig.properties (see below):
    rsa.key.aliases=KeyAlias1420533992581,KeyAlias1419064002219,KeyAlias1419063766020,KeyAlias1419063661538,KeyAlias1419062371543,Sitkey256

PK Protect Configuration

*Note: Configuring PK Protect to use the RSA Key Manager occurs after PK Protect has been successfully installed.

To follow the configuration instructions below, ensure that the Java Cryptography Extension (JCE) unlimited strength jurisdiction policy files are present in the java_home/jre/lib/security folder of Tomcat's JAVA_HOME.

rsaconfig.properties Configuration

Place a rsaconfig.properties file with the following contents in the location specified by the rsa.config.props.location entry in HDFSIDPConfig.properties (for example, rsa.config.props.location=/$JAVA_HOME/jre/lib/software/jdk1.11.0_60/jre/lib/ext/rsaconfig.properties).

Use values appropriate to your configuration for the site-specific items (server host, file paths, application name, identity name and keystore password). Comments are placed on their own lines so that they are not read as part of a value.

    # rsaconfig.properties file
    server.host=192.168.5.31
    validate.hostname=false
    protect_with_deactivated_keys=false
    # For convenience this location is the same directory as rsaconfig.properties.
    pki.client_keystore_file=/$JAVA_HOME/jre/lib/software/jdk1.11.0_60/jre/lib/ext/client_4.p12
    server.retry_delay=5000
    # Same directory as rsaconfig.properties.
    client.registration_file=/$JAVA_HOME/jre/lib/software/jdk1.11.0_60/jre/lib/ext/client.reg
    pki.client_keystore_expiry=15
    cache.mode=DiskAndMemory
    client.lockbox=false
    client.actmgmt_enable=true
    client.app_name=name18
    client.identity_name=Identity2
    pki.client_keystore_password=Password1
    cache.max_time_to_live=7200
    server.tls_version=TLSv1
    server.connect_timeout=10000
    server.read_timeout=5000
    cache.write_delay=30
    # Same directory as rsaconfig.properties.
    cache.file=/$JAVA_HOME/jre/lib/software/jdk1.11.0_60/jre/lib/ext/keycache.kmc
    high.availability=false
    secure_random.general=HMACDRBG256
    client.actmgmt_poll_interval=20 m
    server.request_retries=3
    secure_random.iv=HMACDRBG256
    client.registration=false
    client.auto_update_certificate=true
    server.port=443
    # Same directory as rsaconfig.properties.
    pki.server_keystore_file=/$JAVA_HOME/jre/lib/software/jdk1.11.0_60/jre/lib/ext/cacert.pem
    client.origin_info.optional_in_ciphertext=false
    cache.max_keys=100

Place the files given by RSA (the files in the folder RSAFiles) in the location as appropriate to your configuration (replace the rsaconfig.properties with the one you created above). If you have used the default location as mentioned above, they will be placed in the same location as rsaconfig.properties.

HDFSIDPConfig.properties Configuration

Add the following entries, as appropriate for your configuration above, to HDFSIDPConfig.properties, which is located in:

    <DGSecure_Install_Directory>/Dataguise/DgSecure/tomcat9/webapps/HDFSIDP/WEB-INF/classes/com/dataguise/hadoop/util

    # Retrieve key from KMIP Server (this must be N for RSA)
    kmip.retrieval=N

    # RSA config properties file location
    rsa.config.props.location=/$JAVA_HOME/jre/lib/software/jdk1.11.0_60/jre/lib/ext/rsaconfig.properties

    # RSA key class
    rsa.keyclass=KeyClass2

    # Key retrieval source; currently supported values are RSA and Other
    key.retrieval.source=RSA

    # Key aliases available in RSA DPM. The aliases must belong to the identity given by client.identity_name=Identity2 in rsaconfig.properties.
    rsa.key.aliases=KeyAlias1420533992581,KeyAlias1419064002219,KeyAlias1419063766020,KeyAlias1419063661538,KeyAlias1419062371543,Sitkey256
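The following Python is an added pre-flight check for the two RSA configuration files above (example code written for this appendix, not part of PK Protect or the RSA client). It reads both files with Java properties semantics, where "#" only starts a comment at the beginning of a line, and reports the cross-file requirements this page states (kmip.retrieval=N with key.retrieval.source=RSA, aliases and identity present) together with two settings a reviewer would want to see justified: validate.hostname=false and server.tls_version=TLSv1. The samples are constructed from the values on this page with placeholder paths; whether the RSA client strips trailing comments itself is not stated on the page, so the check assumes standard java.util.Properties behaviour.

```python
# Constructed samples that follow the values shown on this page; paths are placeholders.
RSACONFIG = """\
server.host=192.168.5.31
validate.hostname=false
pki.client_keystore_file=/path/to/ext/client_4.p12 #same directory as rsaconfig.properties
client.identity_name=Identity2
server.tls_version=TLSv1
server.port=443
"""
HDFSIDP = """\
kmip.retrieval=N
rsa.config.props.location=/path/to/ext/rsaconfig.properties
rsa.keyclass=KeyClass2
key.retrieval.source=RSA
rsa.key.aliases=KeyAlias1420533992581,Sitkey256
"""

def parse_java_properties(text):
    """Minimal java.util.Properties reader: '#' or '!' starts a comment only at the
    beginning of a line, so a trailing '#...' stays part of the value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def lint(rsa_text, idp_text):
    """Return findings that would stop the RSA key source from working or weaken its transport."""
    rsa, idp = parse_java_properties(rsa_text), parse_java_properties(idp_text)
    findings = []
    for key, value in rsa.items():
        if " #" in value:  # the comment would be handed to the client as part of a path
            findings.append(f"{key}: trailing comment is read as part of the value")
    if idp.get("key.retrieval.source") == "RSA":
        if idp.get("kmip.retrieval") != "N":
            findings.append("kmip.retrieval must be N when key.retrieval.source=RSA")
        if not idp.get("rsa.key.aliases"):
            findings.append("rsa.key.aliases is empty; no key can be selected")
        if not rsa.get("client.identity_name"):
            findings.append("client.identity_name is missing; aliases cannot be resolved")
    if rsa.get("validate.hostname", "true").lower() == "false":
        findings.append("validate.hostname=false: hostname verification of the server certificate is disabled")
    if rsa.get("server.tls_version") in ("TLSv1", "TLSv1.1"):
        findings.append("server.tls_version selects a deprecated TLS version")
    return findings
```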
