In this article


All SnapLogic endpoints use the Standard Encryption setting by default. As an Org admin using Groundplex instances to run your Pipelines, you can encrypt Account credentials that access endpoints from SnapLogic using data/server keys. 

We strongly recommend that you make backup copies of your data keys. Otherwise, if the data keys to your account become corrupted or are unrecoverable, then all sensitive fields in the accounts would have to be manually re-entered to recover the accounts.

  • You cannot use a Cloudplex for this configuration. Before enabling this feature, you need to work with SnapLogic support to turn off and remove Cloudplex instances from your Org or convert them into Groundplex instances. You can, however, use Enhanced Encryption in an eXtremeplex.
  • We do not recommend moving an Org from Enhanced Encryption to Standard Encryption. However, if the Org with Enhanced Encryption is moved to Standard Encryption, any OAuth 2.0 accounts created before do not function and therefore need to be re-created after the move.

Enabling Enhanced Account Encryption


Preparing Groundplex Nodes for Enhanced Encryption

SnapLogic Enhanced Encryption makes use of key sizes that are not supported in the standard installation. After restarting the service, a new key pair is generated automatically and saved to disk, per JCC node. You must copy the generated data keys files (jcc-datakeys.jks and jcc-datakeys.pass) from one node to all of the others in the Groundplex. 

Server keys (jcc-serverkeys.jks and jcc-serverkeys.pass) must be unique per JCC node. Do not copy server keys across all nodes.

Using a Linux machine

  1. On Linux, find the keys in the  /etc/snaplogic folder.

  2. After you copy the files to the other nodes, restart the service on each node.

  3. During startup, the nodes upload their public keys to the SnapLogic cloud. You can view the keys displayed in the Encryption Settings dialog.

Using a Windows machine

Data keys are the same across JCC nodes; however, the server keys are unique for each JCC node. You should generate the data keys on a Linux machine and copy them to the SL_KEY_DIR folder on the Windows machine. Only the security administrators and users that run the Groundplex service must have access to the directory.

  1. On Windows-based Groundplex instances:
    1. Copy the keys to a secure folder. 
    2. Ensure that the keys have the following names: 
      • jcc-datakeys.jks
      • jcc-datakeys.pass

  2. Add the location of the key directory as a Java property in the Snaplex configuration with the name SL_KEY_DIR.
    1. Navigate to the target Snaplex in Manager, and then click to open it.
    2. Click the Node Properties tab, and under Global Properties, click  to enter the key-value pair.

    3. Add the following in the Snaplex property:

      jcc.jvm_options = -DSL_KEY_DIR=c:\\snaplogic_keys

    4. In the Create Snaplex dialog window, click Create. If you are updating an existing Snaplex, click Update.

  3. Restart the Windows service on all of the Groundplex nodes with the updated slpropz configuration.

Applying Enhanced Account Encryption to your Org

To configure Enhanced Account Encryption on a Groundplex for your SnapLogic Org:

  1. Log in as an Org admin and navigate to Manager > Settings, then click Configure Encryption.

  2. On the Encryption Settings dialog, click the Groundplex tab (default), then select Enhanced encryption.

    1. Verify that the same key is used on all nodes of the Groundplex; otherwise, you cannot configure the Org with Enhanced Encryption because all keys used across an Org must be consistent

    2. Select the level of sensitivity based on the following:

      • High. Encrypts passwords and secret keys
      • Medium and High. Encrypts usernames, passwords, and secret keys
      • Low, Medium, and High. Encrypts host name, database names, database URL properties, usernames, passwords, and secret keys.

         To learn about which fields are encrypted for an Account, see the sensitivity level definition in the Account’s documentation for that Snap Pack.

    3. To set a key for the entire Org, select the target key. Only those keys that are available on all nodes are displayed.

    4. Confirm the new key. This configuration causes all accounts to be decrypted using the existing keys and then re-encrypted with the newly selected Org-level key.
  3. Click Update to apply enhanced encryption. 

When you view the Org Settings, the new Status displays under Configure Encryption:

Scope and Limitations

However, you are able to enter a new value in that field and save it.

Key Rotation

To change the enhanced encryption key (key rotation) for an organization, perform the following steps:

  1. Install the latest Groundplex RPM/DEB on one of the Groundplex nodes which is already running with enhanced encryption. This step is required to get the new addDataKey option in the script.

  2. As root user, run the following command:

    /opt/snaplogic/bin/ addDataKey keyFeb2020

    This command generate a new key pair and append it to the keystore in /etc/snaplogic folder with the specified alias (keyFeb2020).

  3. You must copy the generated data keys files (jcc-datakeys.jks and jcc-datakeys.pass) from this node to all the others in the Org, similar to when originally setting up the enhanced encryption feature.

  4. Restart the nodes in the Org. This step is required to pick up the updated key pair. Each node can be restarted one at a time from the dashboard in order to do an online restart.

  5. Once all the nodes are running with the new key pair loaded, the Enhanced Encryption settings display the drop-down list allowing the Org admin to change to the new key.

After you enable Enhanced Encryption on your Groundplex nodes:

Adding Groundplex Nodes

When adding new nodes to a Groundplex, you must ensure that the new nodes have the same key as the other nodes. If a node does not have a matching key, it is ignored until the keys are synchronized. You can redo the configuration through the Enhanced Encryption Settings dialog in the Manager > Settings > Configure Encryption by checking the current key compatibility status.

Updating Windows Groundplex Instances to Use an Encrypted Keystore

To enable Enhanced Encryption on Windows Groundplex instances, the recommended procedure is to generate the keys on a Linux machine and then copy them onto the Windows node. The advantage is that the generated keystore is encrypted, and the same keystore can be used on both Windows and Linux nodes.

If there are existing Windows installations with Enhanced Encryption where the key was not initially generated in Linux, adding new Linux-based nodes require these additional steps, because, in such cases, there would be a datakeys.jks file under the etc folder, with no .pass file.

  1.  Copy the keystore datakeys.jks from the Windows machine to the Linux machine and place it in /etc/snaplogic/jcc-datakeys.jks.
  2. Perform the following steps as the root user.

    # Perform below operations as root user
    # Copy the datakeys.jks file from windows to the Linux machine, file should be placed at /etc/snaplogic/jcc-datakeys.jks
    cd /opt/snaplogic
    # Generate password file with a secure password. Change RANDOM_SECURE_PASSWORD to a secure password to use for the keystore
    echo -n $MYPASS  > /etc/snaplogic/jcc-datakeys.pass
    # Encrypt the keystore with the new password
    /opt/snaplogic/pkgs/jdk-11.0.8+10-jre/bin/keytool -storepasswd -new $MYPASS -keystore /etc/snaplogic/jcc-datakeys.jks  -storepass ""
    # Encrypt the key with the same password
    /opt/snaplogic/pkgs/jdk-11.0.8+10-jre/bin/keytool -keypasswd -alias account-autogen -new $MYPASS -keystore /etc/snaplogic/jcc-datakeys.jks -storepass $MYPASS -keypass ""

    You might have to change the JRE version based on the environment first if you are not using Java 11.

The keystore is now in a format suitable for use on Linux machines. You can now copy the same jcc-datakeys.jks  and jcc-datakeys.pass files to other Linux-based nodes without having to repeat the prior steps.

We also recommend that you update the original Windows node to run with this encrypted keystore by setting the SL_KEY_DIR property described in Using a Windows Machine.