All SnapLogic endpoints use the Standard Encryption setting by default. As an Org admin using Groundplex instances to run your Pipelines, you can encrypt Account credentials that access endpoints from SnapLogic using data/server keys.
Enabling Enhanced Account Encryption
- Google Chrome version 37 and later.
- A Groundplex. Windows and Linux machines are supported, but if you plan to host your Snaplex instances in a mixed ecosystem (Windows and Linux OS), the server and data keys must be encrypted on a Linux machine to be used on a Linux-based Snaplex.
- If you are using Linux, make sure you have the latest install of the RPM/DEB on each Groundplex node.
- A Java 11 environment.
Preparing Groundplex Nodes for Enhanced Encryption
SnapLogic Enhanced Encryption makes use of key sizes that are not supported in the standard installation. After restarting the service, a new key pair is generated automatically and saved to disk, per JCC node. You must copy the generated data keys files (jcc-datakeys.pass) from one node to all of the others in the Groundplex.
Using a Linux machine
- On Linux, the keys are in the
- After you copy the files to the other nodes, restart the service on each node.
- During startup, the nodes upload their public keys to the SnapLogic cloud. You can view the keys displayed in the Encryption Settings dialog.
Using a Windows machine
- On Windows Groundplex instances, copy the keys to a secure folder. Only the security administrators and the users that run the Groundplex service must have access to the directory.
- Add the location of the directory as an environment variable or Java property in Windows with the name SL_KEY_DIR.
Applying Enhanced Account Encryption to your Org
To configure Enhanced Account Encryption on a Groundplex for your SnapLogic Org:
- Log in as an Org admin and navigate to Manager > Settings, then click Configure Encryption.
- On the Encryption Settings dialog, click the Groundplex tab (default), then select Enhanced encryption.
- Verify that the same key is used on all nodes of the Groundplex; otherwise, you cannot configure the Org with Enhanced Encryption because all keys used across an Org must be consistent.
- Select the level of sensitivity based on the following:
  - High. Encrypts passwords and secret keys.
  - Medium and High. Encrypts usernames, passwords, and secret keys.
  - Low, Medium, and High. Encrypts host name, database names, database URL properties, usernames, passwords, and secret keys.
- To set a key for the entire Org, select the target key. Only those keys that are available on all nodes are displayed.
- Confirm the new key. This configuration causes all accounts to be decrypted using the existing keys and then re-encrypted with the newly selected Org-level key.
- Click Update to apply enhanced encryption.
When you view the Org Settings, the new Status displays under Configure Encryption:
Scope and Limitations
- Once Enhanced Account Encryption is enabled, you are not able to see or edit the existing values for the encrypted data types. However, you are able to enter a new value in that field and save it.
- If you change your sensitivity level from Low, Medium, High to High, existing accounts remain at the previous level unless you update them; going in the other direction causes account data to be encrypted. All new accounts follow the new sensitivity encryption level.
- If you revert to standard encryption, the encrypted data is not automatically decrypted. As long as the server key is still in the node, the encrypted values continue to work.
To change the enhanced encryption key (key rotation) for an organization, perform the following steps:
- Install the latest Groundplex RPM/DEB on one of the Groundplex nodes which is already running with enhanced encryption. This step is required to get the new addDataKey option in the
As root user, run the following command:
This command generates a new key pair and appends it to the keystore in the /etc/snaplogic folder with the specified alias (keyFeb2020).
- You must copy the generated data keys files (jcc-datakeys.pass) from this node to all the others in the Org, similar to when originally setting up the enhanced encryption feature.
- Restart the nodes in the Org. This step is required to pick up the updated key pair. Each node can be restarted one at a time from the dashboard in order to do an online restart.
Once all the nodes are running with the new key pair loaded, the Enhanced Encryption settings display the drop-down list allowing the Org admin to change to the new key.
After you enable Enhanced Encryption on your Groundplex nodes:
Adding Groundplex Nodes
When adding new nodes to a Groundplex, you must ensure that the new nodes have the same key as the other nodes. If a node does not have a matching key, it is ignored until the keys are synchronized. You can check the current key compatibility status and redo the configuration through the Enhanced Encryption Settings dialog under Manager > Settings > Configure Encryption.
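
One way to check, before restarting a node, that the key files copied in the preparation step and when adding nodes really are identical everywhere. This is an added example, not SnapLogic tooling: it hashes each key directory so nodes can be compared without displaying key material, and flags key files that group or other users can access. The function names and the temporary directories standing in for three nodes are constructed for illustration; applying the restricted-access rule to Linux file modes is an assumption.

```shell
#!/bin/sh
# Added example, not SnapLogic tooling. Sample key files are constructed.

# Print one SHA-256 digest covering every file (name and content) in a
# node's key directory, so nodes can be compared without showing secrets.
keydir_fingerprint() {
    [ -d "$1" ] || { echo "no key directory: $1" >&2; return 2; }
    list=$(cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort)
    # An empty directory must not "match" another empty directory.
    [ -n "$list" ] || { echo "no key files in: $1" >&2; return 3; }
    printf '%s\n' "$list" | sha256sum | cut -d' ' -f1
}

# Succeed only when both directories hold identical key files.
nodes_match() {
    a=$(keydir_fingerprint "$1") || return 2
    b=$(keydir_fingerprint "$2") || return 2
    [ "$a" = "$b" ]
}

# List key files readable or writable by group or other; no output is good.
loose_key_files() {
    find "$1" -type f \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \)
}

# Constructed stand-ins for the key directories of three nodes:
# node2 received a correct copy, node3 has a different, world-readable file.
make_demo_nodes() {
    DEMO=$(mktemp -d)
    mkdir "$DEMO/node1" "$DEMO/node2" "$DEMO/node3"
    printf 'constructed-sample-secret\n' > "$DEMO/node1/jcc-datakeys.pass"
    cp "$DEMO/node1/jcc-datakeys.pass" "$DEMO/node2/jcc-datakeys.pass"
    printf 'other-sample-secret\n' > "$DEMO/node3/jcc-datakeys.pass"
    chmod 600 "$DEMO/node1/jcc-datakeys.pass" "$DEMO/node2/jcc-datakeys.pass"
    chmod 644 "$DEMO/node3/jcc-datakeys.pass"
}

make_demo_nodes
for n in node2 node3; do
    if nodes_match "$DEMO/node1" "$DEMO/$n"; then
        echo "$n: keys match node1"
    else
        echo "$n: KEY MISMATCH with node1"
    fi
    loose_key_files "$DEMO/$n" | sed 's/^/  loose permissions: /'
done
```

On real nodes, run `keydir_fingerprint` against each node's key directory and compare the digests; a node whose digest differs is the one the Org will ignore until its keys are synchronized.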