Oracle® Adaptive Access Manager Installation and Configuration Guide Release 10g (10.1.4.5) Part Number E12050-03
A reference for encryption is provided in this appendix.
Oracle Adaptive Access Manager defines encryption schemes using the "bharosa.cipher.encryption.algorithm.enum" enumeration.
A user-defined enumeration is a structured set of properties that can be treated as a list of objects. Each element in the list may carry several attributes.
The definition of a user-defined enumeration begins with a property whose name ends in the keyword ".enum"; its value describes the purpose of the enumeration.
Each element definition then uses the enumeration's property name with an element name appended. The value of each element is a unique integer that serves as its ID.
The attributes of an element follow the same pattern: the element's property name, followed by the attribute name, with the appropriate value for that attribute.
An example of an enumeration for the "DESede_db" encryption scheme is shown below.
```properties
bharosa.cipher.encryption.algorithm.enum.DESede_db=22
bharosa.cipher.encryption.algorithm.enum.DESede_db.name=Triple Data Encryption Standard db
bharosa.cipher.encryption.algorithm.enum.DESede_db.description=Triple Data Encryption Standard, scheme used of DB sensitive data encryption
bharosa.cipher.encryption.algorithm.enum.DESede_db.classname=com.bharosa.common.util.cipher.DESedeCipher
bharosa.cipher.encryption.algorithm.enum.DESede_db.keyRetrieval.classname=com.bharosa.common.util.cipher.KeystoreKeyRetrieval
bharosa.cipher.encryption.algorithm.enum.DESede_db.passwordRetrieval.classname=com.bharosa.common.util.cipher.SystemKSBase64PassRetrImpl
bharosa.cipher.encryption.algorithm.enum.DESede_db.alias=DESede_db_key_alias
bharosa.cipher.encryption.algorithm.enum.DESede_db.keystoreFile=system_db.keystore
bharosa.cipher.encryption.algorithm.enum.DESede_db.keystorePassword=
bharosa.cipher.encryption.algorithm.enum.DESede_db.aliasPassword=
```
Attributes of the encryption scheme are shown in the table below:
Attribute | Description | Usage |
---|---|---|
classname | Implementation of the encryption algorithm. | com.bharosa.common.util.cipher.AESCipher, com.bharosa.common.util.cipher.DESedeCipher, com.bharosa.common.util.cipher.DESCipher |
keyRetrieval | Defines how the key used for encryption is retrieved. | com.bharosa.common.util.cipher.SystemKeyRetrieval, com.bharosa.common.util.cipher.KeystoreKeyRetrieval |
keystoreFile | Location of the KeyStore file. | Only applicable if a KeyStore is involved in retrieving the key. |
passwordRetrieval | Defines how the KeyStore and alias passwords are provided. | com.bharosa.common.util.cipher.SystemKSPassRetrImpl, com.bharosa.common.util.cipher.SystemKSBase64PassRetrImpl, com.bharosa.common.util.cipher.WebLogicKeyStorePasswordRetrievalImpl |
alias | Alias in the KeyStore under which the key is stored. | Only applicable if a KeyStore is involved in retrieving the key. |
The password retrieval options are shown below.
Option | Description |
---|---|
SystemKSPassRetrImpl | Reads the KeyStore and alias passwords from the Oracle Adaptive Access Manager configuration |
SystemKSBase64PassRetrImpl | Reads the KeyStore and alias passwords from the Oracle Adaptive Access Manager configuration and expects the passwords to be Base64 encoded |
WebLogicKeyStorePasswordRetrievalImpl | Reads the KeyStore and alias passwords from the WebLogic container's provided encryption service |
The following schemes are provided pre-configured.
Oracle Adaptive Access Manager Scheme | Algorithm | Keystore Used | Alias | Password Retrieval |
---|---|---|---|---|
DES | DES | system.keystore | DES | SystemKSBase64PassRetrImpl |
DESede | DESede | system.keystore | DESede | SystemKSBase64PassRetrImpl |
DESede_config | DESede | system_config.keystore | DESede_config_key_alias | SystemKSBase64PassRetrImpl |
DESede_db | DESede | system_db.keystore | DESede_db_key_alias | SystemKSBase64PassRetrImpl |
AES | AES | system.keystore | AES | SystemKSBase64PassRetrImpl |
New schemes can be added by combining the existing methods. For example, you can define a scheme that uses the AES algorithm and reads the KeyStore and alias passwords from the WebLogic container's encryption service.
Scheme definitions are also extensible: new encryption algorithms, key retrieval methods, and password retrieval methods can be added by implementing the interfaces Oracle Adaptive Access Manager defines.
The Oracle Adaptive Access Manager configuration reads the property "bharosa.cipher.encryption.algorithm.enum.elem.default" to determine the encryption scheme used to encrypt database fields. The default value is "DESede_db". The value of this property must be the name of a defined encryption scheme.
The Oracle Adaptive Access Manager configuration reads the property "bharosa.cipher.encryption.algorithm.enum.elem.system" to determine the encryption scheme used to encrypt database fields. The default value is "DESede_config". The value of this property must be the name of a defined encryption scheme.
Integration clients can call "BharosaCipher.getCipher(pEncryptionAlgorithmId)" for custom encryption needs. This API expects the name of one of the defined encryption schemes as its parameter.
```properties
bharosa.cipher.encryption.algorithm.enum.AES_WL=99
bharosa.cipher.encryption.algorithm.enum.AES_WL.name= AES Scheme using WL password
bharosa.cipher.encryption.algorithm.enum.AES_WL.description= AES Encryption Standard
bharosa.cipher.encryption.algorithm.enum.AES_WL.classnameProperty=com.bharosa.common.util.cipher.AESCipher
bharosa.cipher.encryption.algorithm.enum.AES_WL.keyRetrieval.classname=com.bharosa.common.util.cipher.KeystoreKeyRetrieval
bharosa.cipher.encryption.algorithm.enum.AES_WL.keystoreFile=mykeystore.keystore
bharosa.cipher.encryption.algorithm.enum.AES_WL.passwordRetrieval.classname=com.bharosa.weblogic.util.cipher.WebLogicKeyStorePasswordRetrievalImpl
bharosa.cipher.encryption.algorithm.enum.AES_WL.alias=AES_WL
# Change the scheme used for encrypting sensitive DB fields to the new scheme
bharosa.cipher.encryption.algorithm.enum.elem.default=AES_WL
# (Keystore password=test123, encrypted using the WL encryption service)
bharosa.encryption.keystore.password={3DES}vsGNV6Q3YSdfdsfsM=
# (Key password=test123, encrypted using the WL encryption service)
bharosa.encryption.keystore.key.password={3DES}vsGNV6Q3YSdfdsfsM=
```
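The enumeration layout described earlier (element ID line, then attribute lines) and the "elem.default" / "elem.system" pointers are easy to get subtly wrong in a hand-edited properties file: a duplicated ID, a KeyStore-based scheme with no keystoreFile, or a pointer to a scheme name that was never defined. The following validator is an added example, not Oracle's code or part of the product; it assumes only that the schemes live in an ordinary java.util.Properties file and uses the property names, class names and pointer names shown on this page. The sample input at the bottom is constructed and contains deliberate mistakes so the checks have something to report.

```java
// Added example (not Oracle's code): parses the bharosa.cipher.encryption.algorithm.enum
// property family into scheme elements and checks the references the product relies on.
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;

public class CipherSchemeValidator {
    static final String ENUM = "bharosa.cipher.encryption.algorithm.enum";
    static final String KEYSTORE_RETRIEVAL = "com.bharosa.common.util.cipher.KeystoreKeyRetrieval";
    // Attributes every usable scheme must define (see the attribute table above)
    static final String[] REQUIRED = {"classname", "keyRetrieval.classname", "passwordRetrieval.classname"};

    /** One enumeration element: its integer ID plus its attribute map. */
    static final class Scheme {
        final int id;
        final Map<String, String> attrs = new TreeMap<>();
        Scheme(int id) { this.id = id; }
    }

    /** Pass 1: "<enum>.<name>=<id>" defines an element. Pass 2: "<enum>.<name>.<attr>=<value>" is an attribute. */
    static Map<String, Scheme> parse(Properties p) {
        Map<String, Scheme> schemes = new TreeMap<>();
        for (String key : p.stringPropertyNames()) {
            if (key.startsWith(ENUM + ".") && key.indexOf('.', ENUM.length() + 1) < 0) {
                String name = key.substring(ENUM.length() + 1);
                schemes.put(name, new Scheme(Integer.parseInt(p.getProperty(key).trim())));
            }
        }
        for (String key : p.stringPropertyNames()) {
            if (!key.startsWith(ENUM + ".")) continue;
            String rest = key.substring(ENUM.length() + 1);
            int dot = rest.indexOf('.');
            if (dot < 0) continue;                 // element ID line, handled in pass 1
            String name = rest.substring(0, dot);
            if (name.equals("elem")) continue;     // "elem.default" / "elem.system" are pointers, not schemes
            Scheme s = schemes.get(name);
            if (s != null) s.attrs.put(rest.substring(dot + 1), p.getProperty(key).trim());
        }
        return schemes;
    }

    /** Returns human-readable findings; an empty list means the scheme configuration is consistent. */
    static List<String> validate(Properties p) {
        Map<String, Scheme> schemes = parse(p);
        List<String> findings = new ArrayList<>();
        Map<Integer, String> ids = new HashMap<>();
        for (Map.Entry<String, Scheme> e : schemes.entrySet()) {
            String name = e.getKey();
            Scheme s = e.getValue();
            String clash = ids.put(s.id, name);   // IDs must be unique across the enumeration
            if (clash != null) findings.add(name + ": ID " + s.id + " already used by " + clash);
            for (String attr : REQUIRED) {
                if (!s.attrs.containsKey(attr)) findings.add(name + ": missing attribute " + attr);
            }
            // keystoreFile and alias only matter when the key is retrieved from a KeyStore
            if (KEYSTORE_RETRIEVAL.equals(s.attrs.get("keyRetrieval.classname"))) {
                for (String attr : new String[] {"keystoreFile", "alias"}) {
                    String v = s.attrs.get(attr);
                    if (v == null || v.isEmpty()) findings.add(name + ": KeyStore retrieval needs " + attr);
                }
            }
        }
        // Both pointers must name a defined scheme, otherwise there is nothing to encrypt with
        for (String pointer : new String[] {"default", "system"}) {
            String target = p.getProperty(ENUM + ".elem." + pointer);
            if (target == null) findings.add("elem." + pointer + " is not set");
            else if (!schemes.containsKey(target.trim()))
                findings.add("elem." + pointer + " points to undefined scheme " + target.trim());
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: DESede_db as on this page, plus an AES_WL copy with deliberate mistakes
        String sample = String.join("\n",
            ENUM + ".DESede_db=22",
            ENUM + ".DESede_db.classname=com.bharosa.common.util.cipher.DESedeCipher",
            ENUM + ".DESede_db.keyRetrieval.classname=" + KEYSTORE_RETRIEVAL,
            ENUM + ".DESede_db.passwordRetrieval.classname=com.bharosa.common.util.cipher.SystemKSBase64PassRetrImpl",
            ENUM + ".DESede_db.alias=DESede_db_key_alias",
            ENUM + ".DESede_db.keystoreFile=system_db.keystore",
            ENUM + ".AES_WL=22",                   // ID collides with DESede_db
            ENUM + ".AES_WL.classname=com.bharosa.common.util.cipher.AESCipher",
            ENUM + ".AES_WL.keyRetrieval.classname=" + KEYSTORE_RETRIEVAL,
            ENUM + ".AES_WL.passwordRetrieval.classname=com.bharosa.weblogic.util.cipher.WebLogicKeyStorePasswordRetrievalImpl",
            ENUM + ".AES_WL.alias=AES_WL",         // keystoreFile deliberately omitted
            ENUM + ".elem.default=AES_WL",
            ENUM + ".elem.system=DESede_config");  // not defined in this sample
        Properties p = new Properties();
        p.load(new StringReader(sample));
        for (String f : validate(p)) System.out.println("FINDING: " + f);
    }
}
```

Run against the constructed sample, the validator reports three findings: AES_WL lacks keystoreFile although it retrieves its key from a KeyStore, DESede_db reuses ID 22, and elem.system points at DESede_config, which the sample never defines. Pointing the program at the real properties file instead of the inline sample is a quick pre-deployment check after editing scheme definitions.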
A KeyStore stores a cryptographic key securely. Separate passwords for the KeyStore and for the alias protect the key against unauthorized access.
Creating and managing a KeyStore is an industry standard. However, the "com.bharosa.vcrypt.common.util.KeyStoreUtil" class, which is part of the package, provides convenient methods for managing the KeyStore. This utility class covers basic KeyStore needs; for advanced needs, refer to the Java specification.
Usage:
```
java <OARM_INSTAL_DIR>/WEB-INF/lib/ com.bharosa.vcrypt.common.util.KeyStoreUtil <command> readFromFile=<file name>
```
Useful Commands
Command | Description |
---|---|
WriteKeyToFile | Write secret key from KeyStore to a file |
UpdateOrCreateKeyStore | Creates or updates a KeyStore with the key provided |
UpdateOrCreateKeyStoreWithAutoGeneratedKey | Generates a key for the specified algorithm and stores it in the KeyStore. |
base64encode | Encodes passwords using Base64 |
base64decode | Decodes passwords using Base64 |
Parameters
Parameter | Description |
---|---|
keystorefilename | Name of the KeyStore file to be created / updated. |
keystoretype | Type of KeyStore (JCEKS or JKS) |
keystorepasswd | Password of the KeyStore |
keystorealias | Alias Name |
keystorealiaspasswd | Password to access the alias |
keyfile | File in which the secret key is stored |
algorithm | Algorithm of the key (DES, DESede, or AES) |
tobase64 | Value to encode to base64 |
frombase64 | Value to decode using base64, expects encoded value as parameter |
Printencodedpasswords | Prints encoded KeyStore and alias passwords along with KeyStore creation / updates. |
writetofilename | File name where key has to be written |
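To make the commands and parameters above concrete, here is an added example, written against the standard JDK KeyStore API and not taken from Oracle's KeyStoreUtil, that does what UpdateOrCreateKeyStoreWithAutoGeneratedKey, WriteKeyToFile and base64encode describe: generate a key for a named algorithm, store it under an alias protected by its own password, read it back, and produce the Base64 form of a password that SystemKSBase64PassRetrImpl expects. The method names, the temporary file and the example passwords are this example's own. One caveat the parameter table does not spell out: a JKS KeyStore cannot hold secret-key entries, so a store created for these schemes must be of type JCEKS.

```java
// Added example (not Oracle's KeyStoreUtil): JDK KeyStore equivalent of the
// UpdateOrCreateKeyStoreWithAutoGeneratedKey, WriteKeyToFile and base64encode commands.
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Base64;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class SecretKeyStoreDemo {

    /** Generates a key for the algorithm and stores it under alias, creating or updating the JCEKS file. */
    static void updateOrCreateWithGeneratedKey(File ksFile, char[] ksPass, String alias,
                                               char[] aliasPass, String algorithm)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JCEKS");   // JKS cannot hold SecretKey entries
        if (ksFile.exists()) {
            try (InputStream in = new FileInputStream(ksFile)) { ks.load(in, ksPass); }
        } else {
            ks.load(null, null);                        // start an empty store
        }
        SecretKey key = KeyGenerator.getInstance(algorithm).generateKey();
        // The alias password is separate from the store password, as the tables above describe
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(key), new KeyStore.PasswordProtection(aliasPass));
        try (OutputStream out = new FileOutputStream(ksFile)) { ks.store(out, ksPass); }
    }

    /** Reads the key back; the WriteKeyToFile equivalent, returning Base64 text instead of writing raw bytes. */
    static String exportKeyBase64(File ksFile, char[] ksPass, String alias, char[] aliasPass)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (InputStream in = new FileInputStream(ksFile)) { ks.load(in, ksPass); }
        KeyStore.Entry entry = ks.getEntry(alias, new KeyStore.PasswordProtection(aliasPass));
        if (!(entry instanceof KeyStore.SecretKeyEntry)) {
            throw new GeneralSecurityException("no secret key under alias " + alias);
        }
        SecretKey key = ((KeyStore.SecretKeyEntry) entry).getSecretKey();
        return Base64.getEncoder().encodeToString(key.getEncoded());
    }

    /** What the base64encode command produces for a password (the form SystemKSBase64PassRetrImpl expects). */
    static String base64encode(String password) {
        return Base64.getEncoder().encodeToString(password.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        File ks = File.createTempFile("demo", ".keystore");   // temporary store for the demonstration
        ks.delete();                                            // exercise the "create" path first
        char[] ksPass = "store-pass-example".toCharArray();     // example passwords, not real ones
        char[] aliasPass = "alias-pass-example".toCharArray();
        updateOrCreateWithGeneratedKey(ks, ksPass, "AES_WL", aliasPass, "AES");
        System.out.println("key (Base64) = " + exportKeyBase64(ks, ksPass, "AES_WL", aliasPass));
        // A wrong alias password must fail even though the store password is right
        try {
            exportKeyBase64(ks, ksPass, "AES_WL", "wrong".toCharArray());
        } catch (GeneralSecurityException e) {
            System.out.println("wrong alias password rejected: " + e.getClass().getSimpleName());
        }
        System.out.println("keystorepasswd value to configure = " + base64encode(new String(ksPass)));
        Files.delete(ks.toPath());
    }
}
```

Calling updateOrCreateWithGeneratedKey a second time with the same file and store password adds or replaces the alias without disturbing other entries, which is the "update" half of the utility command. The failed lookup with the wrong alias password shows why the two passwords are worth keeping different: the store password alone only proves the file is intact, it does not unlock the key.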