Overview
All SnapLogic endpoints use the Standard Encryption setting by default. As an Org admin using Groundplex instances to run your Pipelines, you can encrypt Account credentials that access endpoints from SnapLogic using data/server keys.
...
...
Note: Data keys are the same across JCC nodes; however, the server keys are unique for each JCC node. We recommend that you generate the data keys on a Linux machine and copy them into the SL_KEY_DIR folder on the Windows machine. The files have to be copied with the name as generated on the Linux machine: and
- On Windows Groundplex instances, copy the keys to a secure folder. Only the security administrators and users that run the Groundplex service must have access to the directory.
- Add the location of the directories as an environment variable or Java property in Windows with the name SL_KEY_DIR.
  To add a Java property, add the following in the Snaplex properties:
  ```
  jcc.jvm_options = -DSL_KEY_DIR=c:\\snaplogic_keys
  ```
- Restart the Windows service on all of the Groundplex nodes with the updated slpropz configuration.
Applying Enhanced Account Encryption to your Org
...
When adding new nodes to a Groundplex, you must ensure that the new nodes have the same key as the other nodes. If a node does not have a matching key, it is ignored until the keys are synchronized. You can redo the configuration through the Enhanced Encryption Settings dialog in the Manager > Settings > Configure Encryption by checking the current key compatibility status.
Updating Windows Groundplex Instances to Use an Encrypted Keystore
To enable Enhanced Encryption on Windows Groundplex instances, the recommended procedure is to generate the keys on a Linux machine and then copy them onto the Windows node. The advantage is that the generated keystore is encrypted, and the same keystore can be used on both Windows and Linux nodes.
If there are existing Windows installations with Enhanced Encryption where the key was not initially generated in Linux, adding new Linux-based nodes requires these additional steps because, in such cases, there would be a datakeys.jks file under the etc folder, with no .pass file.
- Copy the keystore datakeys.jks from the Windows machine to the Linux machine and place it in /etc/snaplogic/jcc-datakeys.jks. Perform the following steps as the root user.
  ```bash
  # Perform the operations below as the root user.
  # Copy the datakeys.jks file from Windows to the Linux machine; the file should be placed at /etc/snaplogic/jcc-datakeys.jks
  cd /opt/snaplogic
  # Generate the password file with a secure password. Change RANDOM_SECURE_PASSWORD to a secure password to use for the keystore
  export MYPASS=RANDOM_SECURE_PASSWORD
  # printf writes the password without a trailing newline, as echo -n does
  printf '%s' "$MYPASS" > /etc/snaplogic/jcc-datakeys.pass
  # Encrypt the keystore with the new password
  /opt/snaplogic/pkgs/jdk-11.0.8+10-jre/bin/keytool -storepasswd -new "$MYPASS" -keystore /etc/snaplogic/jcc-datakeys.jks -storepass ""
  # Encrypt the key with the same password
  /opt/snaplogic/pkgs/jdk-11.0.8+10-jre/bin/keytool -keypasswd -alias account-autogen -new "$MYPASS" -keystore /etc/snaplogic/jcc-datakeys.jks -storepass "$MYPASS" -keypass ""
  ```
Info: If you are not using Java 11, you might first have to change the JRE version in the commands above to match your environment.
The keystore is now in a format suitable for use on Linux machines. You can now copy the same jcc-datakeys.jks and jcc-datakeys.pass files to other Linux-based nodes without having to repeat the prior steps.
We also recommend that you update the original Windows node to run with this encrypted keystore by following the steps mentioned under Using a Windows machine (by setting the SL_KEY_DIR property).
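The following check is an added example, not part of the SnapLogic documentation. For a Linux node that received copies of jcc-datakeys.jks and jcc-datakeys.pass, it confirms that both files are present and not accessible to other users, that the password file has no trailing newline (the procedure writes it without one), and that two key directories hold identical files. The function names, the use of GNU stat and sha256sum, and the permission rule on Linux are assumptions of this example.

```bash
# Added example: sanity checks for a directory holding the two key files
# named on this page. Function names and the "no access for other users"
# rule on Linux are assumptions, not SnapLogic requirements.

# check_key_dir DIR -> returns 0 if DIR looks sane, 1 otherwise (reasons on stderr)
check_key_dir() {
    dir=$1; rc=0
    for f in jcc-datakeys.jks jcc-datakeys.pass; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2; rc=1; continue
        fi
        # The last octal digit of the mode is the permission set for "other".
        mode=$(stat -c '%a' "$dir/$f")
        case $mode in
            *0) ;;
            *) echo "accessible to other users (mode $mode): $dir/$f" >&2; rc=1 ;;
        esac
    done
    # The procedure writes the password without a trailing newline, so a
    # final 0x0a byte means the file was produced some other way.
    if [ -s "$dir/jcc-datakeys.pass" ] &&
       [ "$(tail -c 1 "$dir/jcc-datakeys.pass" | od -An -tx1 | tr -d ' \n')" = "0a" ]; then
        echo "trailing newline in $dir/jcc-datakeys.pass" >&2; rc=1
    fi
    return $rc
}

# key_fingerprint DIR -> prints one SHA-256 over both files, never the password
key_fingerprint() {
    cat "$1/jcc-datakeys.jks" "$1/jcc-datakeys.pass" | sha256sum | cut -d' ' -f1
}

# same_keys DIR_A DIR_B -> returns 0 if both directories hold identical key files
same_keys() {
    [ "$(key_fingerprint "$1")" = "$(key_fingerprint "$2")" ]
}
```

Run `check_key_dir /etc/snaplogic` on each node, and compare the `key_fingerprint` output between nodes before adding a new node to the Groundplex.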