Manage the Cryptography Keys

Important: To manage the cryptography keys using the following procedures, your system must be updated with the latest ActivID AS 8.6 hot fix.

The ActivID AS internal encryption keys protect sensitive information in the ActivID AS databases and ensure database integrity for:

  • User credentials (such as passwords and token credentials)
  • System credentials (adapter-sensitive parameters such as the LDAP credential password)
  • Audit row signature
  • Database row integrity signature
  • Sessions (ALSI)

ActivID AS provides the following scripts (located in <ACTIVID_HOME>/ActivID_AS/bin) to manage the keys:

Check the Current Configuration

As ftadmin, use the enumerateKeys.sh script to display or check the list of the shared and domain-specific key sets (sorted by label). The command usage is:

<ACTIVID_HOME>/ActivID_AS/bin/enumerateKeys.sh -l | -c | -d | -e 'domain'

Where the options are:

  • -l – lists the current key aliases found in the keystore.
  • -c – performs a key set coherency check to verify that the five keys are present and at the same version for the default and security domain key sets.

    Returns a warning if a key set configuration is incoherent with the keystore. Only displays the expected keys in HSM mode.

  • -d – displays the key configuration but does not perform a coherency check.

  • -e – displays the current keys used in the database for the specified domain.

For example, before renewing a key set for a domain, run the following command to display current configuration:

su ftadmin -c "<ACTIVID_HOME>/ActivID_AS/bin/enumerateKeys.sh -c"

In a deployment with the ONLINEBANK domain, the default key set is configured at index level 2 and the ONLINEBANK domain key set at index level 1:

Working in SOFT mode.
 
This is the current cryptographic keys settings from configuration file content.
Warning: the configuration is loaded when server starts.
Please ensure you have restarted the server since the last configuration change.
 
Current configuration:
 
Default keys:
Default key set is using configured level equal to 2
        hid-ia-4t.audit.2
        hid-ia-4t.dsign.2
        hid-ia-4t.sys.2
        hid-ia-4t.creds.2
        hid-ia-4t.session.2
--> Default keys are ok
 
Default keys for domain ONLINEBANK:
Domain is configured to support shared keys with level equal to 1
        hid-ia-4t.audit.1
        hid-ia-4t.dsign.1
        hid-ia-4t.sys.1
        hid-ia-4t.creds.1
        hid-ia-4t.session.1
--> Default keys for domain ONLINEBANK are ok

To move a domain to the next key set, the target key set must already exist; otherwise, generate the next key set first.

If the next key set already exists and is used by a domain, another domain still using the 'older' key set can update to it without needing to generate a new key set.

Note: You can only generate a new key set once the previous set has been ‘used’ (that is, the ActivID AS database has been updated by a cryptographic renewal and the new key level defined in the configuration) and the service has been restarted.

As another example, after a cryptographic renewal, you can list keys referenced in the database for a specific domain to verify that certain key indexes are no longer used.

Important: This operation might take a long time and should only be used for specific administrative tasks (for example, to verify the status of certain key indexes).

In a deployment with the ONLINEBANK domain, run the following command:

su ftadmin -c "<ACTIVID_HOME>/ActivID_AS/bin/enumerateKeys.sh -e ONLINEBANK"

The script returns the list of shared keys used by the database (where the highest used index is 1). The keys used for signature are displayed for all tables:

Working in SOFT mode.
 
Enumerating referenced keys in database for domain ONLINEBANK...
 
Enumerate database keys for selected tables...
------------------------Current status--------------------------
Running threads: 1
Duration     : 3 ms
----------------------------------------------------------------
Table FTRESSLOGIN                             HID-IA-4T.CREDS.1                       100003 row(s) (100.00 %)
Table FTRESSLOGIN                             HID-IA-4T.DSIGN.1                       100003 row(s) (100.00 %)
Table FTRESSPASSWORD                          HID-IA-4T.CREDS.1                       1 row(s) (100.00 %)
Table FTRESSPASSWORD                          HID-IA-4T.DSIGN.1                       1 row(s) (100.00 %)
Table FTRESSADAPTERPARAMETER                  NO ENCRYPTION                           324 row(s) (100.00 %)
Table FTRESSADAPTERPARAMETER                  HID-IA-4T.DSIGN.1                       324 row(s) (100.00 %)
Table FTRESSAUTHENTICTNADPTRPARAM             NO ENCRYPTION                           2 row(s) (100.00 %)
Table FTRESSAUTHENTICTNADPTRPARAM             HID-IA-4T.DSIGN.1                       2 row(s) (100.00 %)
Table FTRESSCHANNEL                           NO ENCRYPTION                           2 row(s) (11.11 %)
Table FTRESSCHANNEL                           HID-IA-4T.SYS.1                         16 row(s) (88.89 %)
Table FTRESSCHANNEL                           HID-IA-4T.DSIGN.1                       18 row(s) (100.00 %)
Table FTRESSADAPTERCONFIGPARAM                NO ENCRYPTION                           26 row(s) (76.47 %)
Table FTRESSADAPTERCONFIGPARAM                HID-IA-4T.SYS.1                         8 row(s) (23.53 %)
Table FTRESSADAPTERCONFIGPARAM                HID-IA-4T.DSIGN.1                       34 row(s) (100.00 %)
Table FTRESSCREDENTIAL                        HID-IA-4T.CREDS.1                       1 row(s) (100.00 %)
Table FTRESSCREDENTIAL                        HID-IA-4T.DSIGN.1                       1 row(s) (100.00 %)
Table FTRESSUSERATTRIBUTE                     Unknown column                          ENCRYPTIONKEYNAME.
Table FTRESSUSERATTRIBUTE                     HID-IA-4T.DSIGN.1                       400009 row(s) (100.00 %)
Table FTRESSADAPTERCONFIG                     HID-IA-4T.DSIGN.1                       9 row(s) (100.00 %)
Table FTRESSALSISESSION                       HID-IA-4T.DSIGN.1                       52 row(s) (100.00 %)
Table FTRESSASSET                             HID-IA-4T.DSIGN.1                       2 row(s) (100.00 %)
Table FTRESSASSETGROUP                        HID-IA-4T.DSIGN.1                       2 row(s) (100.00 %)
Table FTRESSAUDITSEQUENCE                     HID-IA-4T.DSIGN.1                       5 row(s) (100.00 %)
Table FTRESSAUTHENTICATIONTYPE                HID-IA-4T.DSIGN.1                       38 row(s) (100.00 %)
Table FTRESSAUTHENTICATOR                     HID-IA-4T.DSIGN.1                       1 row(s) (100.00 %)
Table FTRESSAUTHTYPECHANNEL                   HID-IA-4T.DSIGN.1                       139 row(s) (100.00 %)
Table FTRESSAUTHTYPECREDTYPE                  HID-IA-4T.DSIGN.1                       153 row(s) (100.00 %)
Table FTRESSCHANNELPARAM                      HID-IA-4T.DSIGN.1                       2 row(s) (100.00 %)
Table FTRESSCHANNELPARAMVALUE                 HID-IA-4T.DSIGN.1                       6 row(s) (100.00 %)
Table FTRESSCONFIGURATION                     NO ENCRYPTION                           3 row(s) (100.00 %)
Table FTRESSCREDDEVICE                        HID-IA-4T.DSIGN.1                       1 row(s) (100.00 %)
Table FTRESSCREDENTIALTYPE                    HID-IA-4T.DSIGN.1                       58 row(s) (100.00 %)
Table FTRESSDEVICE                            HID-IA-4T.DSIGN.1                       1 row(s) (100.00 %)
Table FTRESSDEVICETYPE                        HID-IA-4T.DSIGN.1                       61 row(s) (100.00 %)
Table FTRESSDICT                              NO ENCRYPTION                           153 row(s) (100.00 %)
Table FTRESSDICTATTS                          NO ENCRYPTION                           5683 row(s) (100.00 %)
Table FTRESSDICTATTSENUMS                     NO ENCRYPTION                           7032 row(s) (100.00 %)
Table FTRESSFUNCTION                          HID-IA-4T.DSIGN.1                       155 row(s) (100.00 %)
Table FTRESSFUNCTIONSET                       HID-IA-4T.DSIGN.1                       30 row(s) (100.00 %)
Table FTRESSFUNCTIONSETITEM                   HID-IA-4T.DSIGN.1                       468 row(s) (100.00 %)
Table FTRESSGATETYPE                          HID-IA-4T.DSIGN.1                       3 row(s) (100.00 %)
Table FTRESSGROUPATTRIBUTES                   HID-IA-4T.DSIGN.1                       28 row(s) (100.00 %)
Table FTRESSGROUPFUNCPRIV                     HID-IA-4T.DSIGN.1                       220 row(s) (100.00 %)
Table FTRESSGROUPTRANSPRIV                    HID-IA-4T.DSIGN.1                       10 row(s) (100.00 %)
Table FTRESSMDGROUP                           HID-IA-4T.DSIGN.1                       3 row(s) (100.00 %)
Table FTRESSMDGROUPPROMPTS                    HID-IA-4T.DSIGN.1                       29 row(s) (100.00 %)
Table FTRESSMDPROMPT                          HID-IA-4T.DSIGN.1                       17 row(s) (100.00 %)
Table FTRESSROLE                              HID-IA-4T.DSIGN.1                       13 row(s) (100.00 %)
Table FTRESSROLEFUNCPRIV                      HID-IA-4T.DSIGN.1                       256 row(s) (100.00 %)
Table FTRESSSESSIONTRANSFERTYPE               HID-IA-4T.DSIGN.1                       6 row(s) (100.00 %)
Table FTRESSSTATUSCATEGORY                    HID-IA-4T.DSIGN.1                       3 row(s) (100.00 %)
Table FTRESSSTATUSLABEL                       HID-IA-4T.DSIGN.1                       16 row(s) (100.00 %)
Table FTRESSSTATUSTRANSITION                  HID-IA-4T.DSIGN.1                       22 row(s) (100.00 %)
Table FTRESSTRANSACTION                       HID-IA-4T.DSIGN.1                       15 row(s) (100.00 %)
Table FTRESSTRANSACTIONSET                    HID-IA-4T.DSIGN.1                       3 row(s) (100.00 %)
Table FTRESSTRANSACTIONSETITEM                HID-IA-4T.DSIGN.1                       25 row(s) (100.00 %)
Table FTRESSUSER                              HID-IA-4T.DSIGN.1                       100013 row(s) (100.00 %)
Table FTRESSUSERATTRIBUTETYPE                 HID-IA-4T.DSIGN.1                       17 row(s) (100.00 %)
Table FTRESSUSERFUNCPRIV                      HID-IA-4T.DSIGN.1                       155 row(s) (100.00 %)
Table FTRESSUSERGROUP                         HID-IA-4T.DSIGN.1                       24 row(s) (100.00 %)
Table FTRESSUSERGROUPAUTHTYPE                 HID-IA-4T.DSIGN.1                       53 row(s) (100.00 %)
Table FTRESSUSERROLE                          HID-IA-4T.DSIGN.1                       6 row(s) (100.00 %)
Table FTRESSUSERTRANSSETPRIV                  HID-IA-4T.DSIGN.1                       2 row(s) (100.00 %)
Table FTRESSPIITOKEN                          HID-IA-4T.DSIGN.1                       600224 row(s) (100.00 %)
------------------------Final status--------------------------
Duration     : 1 s = 00 h 00 min 01 s
----------------------------------------------------------------
3 keys are used in selected database tables.
Key HID-IA-4T.DSIGN.1                       1202738 row(s)
Key HID-IA-4T.CREDS.1                       100005 row(s)
Key HID-IA-4T.SYS.1                         24 row(s)
 
Highest index for shared keys is 1
Highest index for domain keys is 0
 
Enumerate database keys successfully ended.
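The verification described above (confirming after a renewal that no row still references an older key index) can be automated over the "Final status" summary that enumerateKeys.sh -e prints. The following is an added example, not part of the ActivID AS documentation or product: the function names (stale_keys, highest_shared_index, renewal_complete) are hypothetical, and the sample summary is constructed from the output shown in this section.

```shell
#!/bin/sh
# Added example (not ActivID AS code): post-renewal check over the summary
# block of "enumerateKeys.sh -e <domain>" output.
# SAMPLE_SUMMARY is constructed from the summary shown in this section.

SAMPLE_SUMMARY='3 keys are used in selected database tables.
Key HID-IA-4T.DSIGN.1                       1202738 row(s)
Key HID-IA-4T.CREDS.1                       100005 row(s)
Key HID-IA-4T.SYS.1                         24 row(s)

Highest index for shared keys is 1
Highest index for domain keys is 0'

# key_index LABEL: prints the numeric index suffix of a key label
# (for example HID-IA-4T.CREDS.1 -> 1).
key_index() {
    printf '%s\n' "$1" | awk -F. '{ print $NF }'
}

# stale_keys TARGET_INDEX [TEXT]: prints "label rows" for every referenced
# key whose index is below TARGET_INDEX and that still covers rows.
# Empty output means the database no longer references any older key.
# TEXT defaults to SAMPLE_SUMMARY; pass real script output as the second argument.
stale_keys() {
    target=$1
    text=${2:-$SAMPLE_SUMMARY}
    printf '%s\n' "$text" | awk -v target="$target" '
        $1 == "Key" {
            n = split($2, parts, ".")
            idx = parts[n] + 0
            if (idx < target && $3 + 0 > 0) print $2, $3
        }'
}

# highest_shared_index [TEXT]: prints the value reported on the
# "Highest index for shared keys is N" line.
highest_shared_index() {
    text=${1:-$SAMPLE_SUMMARY}
    printf '%s\n' "$text" | awk '/^Highest index for shared keys is/ { print $NF }'
}

# renewal_complete TARGET_INDEX [TEXT]: prints "ok" and returns 0 when no
# key below TARGET_INDEX is still referenced; otherwise prints the
# offending keys and returns 1, so it can gate a change-control step.
renewal_complete() {
    out=$(stale_keys "$1" "${2:-$SAMPLE_SUMMARY}")
    if [ -z "$out" ]; then
        echo "ok"
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}
```

Against the sample, renewal_complete 1 prints "ok" (index 1 is the current level), while renewal_complete 2 lists all three keys, because the database has not yet been re-encrypted to level 2. On a live system, pass the real output as the second argument, for example renewal_complete 2 "$(su ftadmin -c '<ACTIVID_HOME>/ActivID_AS/bin/enumerateKeys.sh -e ONLINEBANK')", keeping in mind the note above that the enumeration can take a long time.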

Create a New Key Set

The key set renewal process requires that you first generate a new key set and then re-encrypt the database records.

The generation process creates a new version of all keys for a key set (batch process).

Note: To increase security, it is strongly recommended that the keys are renewed regularly, at a fixed interval. Because renewal requires the database to be re-encrypted, update to the new keys progressively (in sequences of 120 minutes) to minimize the impact on services.

Create the new key set depending on your cryptographic mode:

Important: If you have multiple ActivID AS servers in your deployment, you must replicate any changes to the HSMs or software keystores to all the servers so they are synchronized.

View the Key Status in the Logs

When the ActivID AS server restarts or a refresh action runs, the current set of keys is logged in activid-server.log.

To view this log, generate a diagnostic package.

Prerequisites: The logging level must be at least "INFO" for this information to appear in the log.

For example:

2017-11-05 14:51:43,232 INFO  (JCESecureCode.java:641) - Refresh secret keys
2017-11-05 14:51:43,242 INFO  (FtressSEEConfiguration.java:768) - Default keys:
2017-11-05 14:51:43,243 INFO  (FtressSEEConfiguration.java:774) - Audit encryption key: HID-IA-4T.AUDIT.1
2017-11-05 14:51:43,244 INFO  (FtressSEEConfiguration.java:774) Row encryption key : HID-IA-4T.DSIGN.1
2017-11-05 14:51:43,244 INFO  (FtressSEEConfiguration.java:774) - Configuration encryption key. : HID-IA-4T.SYS.1
2017-11-05 14:51:43,244 INFO  (FtressSEEConfiguration.java:774) - Parameter encryption key. : HID-IA-4T.SYS.1
2017-11-05 14:51:43,245 INFO  (FtressSEEConfiguration.java:774) - Credential encryption key. : HID-IA-4T.CREDS.1
2017-11-05 14:51:43,245 INFO  (FtressSEEConfiguration.java:774) - Device encryption key. : HID-IA-4T.CREDS.1
2017-11-05 14:51:43,245 INFO  (FtressSEEConfiguration.java:774) - Authentication encryption key. : HID-IA-4T.CREDS.1
2017-11-05 14:51:43,245 INFO  (FtressSEEConfiguration.java:774) - Session transfer encryption key. : HID-IA-4T.SESSION.1
2017-11-05 14:51:43,245 INFO  (FtressSEEConfiguration.java:774) - Session encryption key. : HID-IA-4T.SESSION.1
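Because the key configuration is only loaded at startup (as the enumerateKeys.sh warning above points out), the logged "Refresh secret keys" block is the place to confirm that the running server actually picked up the expected key level after a restart. The following is an added example, not part of the ActivID AS documentation or product: the function names (logged_keys, logged_levels, keys_at_level) are hypothetical, and the sample log is constructed from the excerpt in this section (it keeps the one line without the "- " separator, so the parser relies only on the trailing key label).

```shell
#!/bin/sh
# Added example (not ActivID AS code): checks the "Refresh secret keys" block
# of activid-server.log against the key level expected after a restart.
# SAMPLE_LOG is constructed from the log excerpt shown in this section.

SAMPLE_LOG='2017-11-05 14:51:43,232 INFO  (JCESecureCode.java:641) - Refresh secret keys
2017-11-05 14:51:43,242 INFO  (FtressSEEConfiguration.java:768) - Default keys:
2017-11-05 14:51:43,243 INFO  (FtressSEEConfiguration.java:774) - Audit encryption key: HID-IA-4T.AUDIT.1
2017-11-05 14:51:43,244 INFO  (FtressSEEConfiguration.java:774) Row encryption key : HID-IA-4T.DSIGN.1
2017-11-05 14:51:43,244 INFO  (FtressSEEConfiguration.java:774) - Configuration encryption key. : HID-IA-4T.SYS.1
2017-11-05 14:51:43,244 INFO  (FtressSEEConfiguration.java:774) - Parameter encryption key. : HID-IA-4T.SYS.1
2017-11-05 14:51:43,245 INFO  (FtressSEEConfiguration.java:774) - Credential encryption key. : HID-IA-4T.CREDS.1
2017-11-05 14:51:43,245 INFO  (FtressSEEConfiguration.java:774) - Device encryption key. : HID-IA-4T.CREDS.1
2017-11-05 14:51:43,245 INFO  (FtressSEEConfiguration.java:774) - Authentication encryption key. : HID-IA-4T.CREDS.1
2017-11-05 14:51:43,245 INFO  (FtressSEEConfiguration.java:774) - Session transfer encryption key. : HID-IA-4T.SESSION.1
2017-11-05 14:51:43,245 INFO  (FtressSEEConfiguration.java:774) - Session encryption key. : HID-IA-4T.SESSION.1'

# logged_keys [TEXT]: prints the key label from every "encryption key" line,
# one per line. The label is always the last whitespace-separated field,
# so the check does not depend on the "- " separator being present.
logged_keys() {
    printf '%s\n' "${1:-$SAMPLE_LOG}" | awk '/encryption key/ { print $NF }'
}

# logged_levels [TEXT]: prints the distinct key indexes seen, sorted.
# More than one line here means the server loaded a mixed key set.
logged_levels() {
    logged_keys "${1:-$SAMPLE_LOG}" | awk -F. '{ print $NF }' | sort -un
}

# keys_at_level EXPECTED [TEXT]: prints "ok" when all five key families
# (AUDIT, DSIGN, SYS, CREDS, SESSION) were loaded at index EXPECTED;
# otherwise prints one line per family that is missing, at another index,
# or logged with conflicting indexes.
keys_at_level() {
    expected=$1
    logged_keys "${2:-$SAMPLE_LOG}" | awk -F. -v expected="$expected" '
        {
            fam = $(NF-1)
            if ((fam in seen) && seen[fam] != $NF) mixed[fam] = 1
            seen[fam] = $NF
        }
        END {
            n = split("AUDIT DSIGN SYS CREDS SESSION", want, " ")
            bad = 0
            for (i = 1; i <= n; i++) {
                f = want[i]
                if (!(f in seen)) { print f " missing"; bad = 1 }
                else if (f in mixed) { print f " mixed indexes"; bad = 1 }
                else if (seen[f] != expected) { print f " at index " seen[f]; bad = 1 }
            }
            if (!bad) print "ok"
        }'
}
```

On a real server, extract the block from the diagnostic package and pass it as the text argument, for example keys_at_level 2 "$(grep 'encryption key' activid-server.log | tail -n 9)", using the level you set in the configuration; anything other than "ok" means the restart did not bring the server onto the intended key set.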

See also:

Renew or Migrate the Cryptography Keys