In this article
All SnapLogic endpoints use the Standard Encryption setting by default. As an Org admin using Groundplex instances to run your Pipelines, you can encrypt Account credentials that access endpoints from SnapLogic using data/server keys.
We strongly recommend that you make backup copies of your data keys. Otherwise, if the data keys to your account become corrupted or are unrecoverable, then all sensitive fields in the accounts would have to be manually re-entered to recover the accounts. |
|
SnapLogic Enhanced Encryption makes use of key sizes that are not supported in the standard installation. After restarting the service, a new key pair is generated automatically and saved to disk, per JCC node. You must copy the generated data keys files (jcc-datakeys.jks
and jcc-datakeys.pass
) from one node to all of the others in the Groundplex.
Server keys ( |
/etc/snaplogic
folder.Data keys are the same across JCC nodes; however, the server keys are unique for each JCC node. You should generate the data keys on a Linux machine and copy them to the SL_KEY_DIR folder on the Windows machine. Only the security administrators and users that run the Groundplex service must have access to the directory. |
jcc-datakeys.jks
jcc-datakeys.pass
Click the Node Properties tab, and under Global Properties, click to enter the key-value pair:
Add the following in the Snaplex property:
jcc.jvm_options = -DSL_KEY_DIR=c:\\snaplogic_keys |
To configure Enhanced Account Encryption on a Groundplex for your SnapLogic Org:
On the Encryption Settings dialog, click the Groundplex tab (default), then select Enhanced encryption.
Verify that the same key is used on all nodes of the Groundplex; otherwise, you cannot configure the Org with Enhanced Encryption because all keys used across an Org must be consistent
Select the level of sensitivity based on the following:
Low, Medium, and High. Encrypts host name, database names, database URL properties, usernames, passwords, and secret keys.
To learn about which fields are encrypted for an Account, see the sensitivity level definition in the Account’s documentation for that Snap Pack. |
To set a key for the entire Org, select the target key. Only those keys that are available on all nodes are displayed.
When you view the Org Settings, the new Status displays under Configure Encryption:
However, you are able to enter a new value in that field and save it.
To change the enhanced encryption key (key rotation) for an organization, perform the following steps:
jcc.sh
script.As root user, run the following command:
/opt/snaplogic/bin/jcc.sh addDataKey keyFeb2020 |
This command generate a new key pair and append it to the keystore in /etc/snaplogic
folder with the specified alias (keyFeb2020).
jcc-datakeys.jks
and jcc-datakeys.pass
) from this node to all the others in the Org, similar to when originally setting up the enhanced encryption feature.Once all the nodes are running with the new key pair loaded, the Enhanced Encryption settings display the drop-down list allowing the Org admin to change to the new key.
After you enable Enhanced Encryption on your Groundplex nodes:
Accounts in the organization are sent to the Groundplex to be decrypted with the old key and then encrypted with the new key.
jcc.sh
script.When adding new nodes to a Groundplex, you must ensure that the new nodes have the same key as the other nodes. If a node does not have a matching key, it is ignored until the keys are synchronized. You can redo the configuration through the Enhanced Encryption Settings dialog in the Manager > Settings > Configure Encryption by checking the current key compatibility status.
To enable Enhanced Encryption on Windows Groundplex instances, the recommended procedure is to generate the keys on a Linux machine and then copy them onto the Windows node. The advantage is that the generated keystore is encrypted, and the same keystore can be used on both Windows and Linux nodes.
If there are existing Windows installations with Enhanced Encryption where the key was not initially generated in Linux, adding new Linux-based nodes require these additional steps, because, in such cases, there would be a datakeys.jks
file under the etc
folder, with no .pass
file.
datakeys.jks
from the Windows machine to the Linux machine and place it in /etc/snaplogic/jcc-datakeys.jks
.Perform the following steps as the root
user.
# Perform below operations as root user # Copy the datakeys.jks file from windows to the Linux machine, file should be placed at /etc/snaplogic/jcc-datakeys.jks cd /opt/snaplogic # Generate password file with a secure password. Change RANDOM_SECURE_PASSWORD to a secure password to use for the keystore export MYPASS=RANDOM_SECURE_PASSWORD echo -n $MYPASS > /etc/snaplogic/jcc-datakeys.pass # Encrypt the keystore with the new password /opt/snaplogic/pkgs/jdk-11.0.8+10-jre/bin/keytool -storepasswd -new $MYPASS -keystore /etc/snaplogic/jcc-datakeys.jks -storepass "" # Encrypt the key with the same password /opt/snaplogic/pkgs/jdk-11.0.8+10-jre/bin/keytool -keypasswd -alias account-autogen -new $MYPASS -keystore /etc/snaplogic/jcc-datakeys.jks -storepass $MYPASS -keypass "" |
You might have to change the JRE version based on the environment first if you are not using Java 11. |
The keystore is now in a format suitable for use on Linux machines. You can now copy the same jcc-datakeys.jks
and jcc-datakeys.pass
files to other Linux-based nodes without having to repeat the prior steps.
We also recommend that you update the original Windows node to run with this encrypted keystore by setting the SL_KEY_DIR property described in Using a Windows Machine.