Security: Encrypt Macro Values At-Rest
IMPORTANT!  Macro values often contain sensitive data. To prevent accidental exposure, it is best practice to encrypt these values at rest, meaning at the database level.
After you enable encryption, macro values will never be retrievable directly from the database. You must maintain the certificate you used, as it is the only mechanism available to decrypt macro values. The public and private keys cannot be changed.
If you have existing macros defined, they must be updated through the user interface or API after encryption is enabled. If you choose to disable encryption, all existing macro values will need to be updated to expected values.
Note:  Macro encryption is always enabled and enforced for Integration Manager powered by DataCloud (SaaS).
To encrypt macro values at rest, you must accomplish these tasks:
1. Obtain or create a new encryption keystore.
2. Configure Integration Manager encryption properties.
Perform the following procedures to achieve these tasks.
Step 1: Obtain or Create a New Encryption Keystore
Note:  Self-signed certs are acceptable for at-rest data encryption because identity verification is not required at the application level.
You may use either Java keytool or OpenSSL tools to generate, import, and manage certificates from the command line.
This step explains how to accomplish the task using keytool. For OpenSSL certificate instructions, see https://www.openssl.org/.
To create a new encryption keystore
1. Open a command console and change directory to the JRE bin folder.
2. Create a new keystore file using Java keytool.
You may use whatever alias and filename you choose. Examples here use “integration-manager” and “keystore.p12,” respectively.
3. You will be prompted to set a keystore password and add identity details (name, company, address, and so on).
> cd (ProgramData)/Actian/IntegrationManager/jre/bin
> keytool -genkeypair -alias integration-manager -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore keystore.p12 -validity 3650
Step 2: Configure Integration Manager Encryption Properties
Examples in this step use the alias “integration-manager” and the keystore filename “keystore.p12.”
Changing any entries in the application.properties file requires the Integration Manager Service to be restarted.
It is best practice to ensure you have no duplicate properties in your file.
# Macro Encryption Properties
encryption.enabled=true
encryption.key-store=${sharedDataPath}/conf/encryption/keystore.p12
encryption.key-store-password=D0N0tU5eTh1sP@ssW0rd!
encryption.certificate-name=integration-manager
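A check for the properties above, added here as an example and not part of the product or its documentation: it parses application.properties text and reports duplicate keys, missing encryption.* entries, and the documentation's sample password left in place. The parser is simplified, last-wins handling of duplicates is an assumption about how the file is loaded, and SAMPLE is constructed.

```python
import re

# Property names taken from Step 2 of this page.
REQUIRED = ("encryption.enabled", "encryption.key-store",
            "encryption.key-store-password", "encryption.certificate-name")
# Password printed in the page's sample; it must not appear in a real install.
DOC_SAMPLE_PASSWORD = "D0N0tU5eTh1sP@ssW0rd!"

def parse_properties(text):
    """Return ({key: value}, {key: [line numbers]}) for .properties text.
    Simplified (assumption): #/! comments, '=' or ':' separators, backslash
    continuations; last occurrence wins, as in java.util.Properties."""
    values, seen, pending = {}, {}, ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.lstrip()
        if not pending and (not stripped or stripped[0] in "#!"):
            continue
        line = pending + stripped
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]
            continue
        pending = ""
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            values[m.group(1)] = m.group(2)
            seen.setdefault(m.group(1), []).append(lineno)
    return values, {k: v for k, v in seen.items() if len(v) > 1}

def audit(text):
    """Return findings for the macro-encryption block; never echoes secrets."""
    values, duplicates = parse_properties(text)
    findings = [f"duplicate property {k} on lines {v}"
                for k, v in sorted(duplicates.items())]
    findings += [f"missing or empty: {k}" for k in REQUIRED if not values.get(k)]
    if values.get("encryption.enabled", "").strip().lower() != "true":
        findings.append("encryption.enabled is not true")
    if values.get("encryption.key-store-password") == DOC_SAMPLE_PASSWORD:
        findings.append("key-store password is the documentation sample")
    return findings

# Constructed sample: a later duplicate overrides the first under last-wins loading.
SAMPLE = """\
# Macro Encryption Properties
encryption.enabled=true
encryption.key-store=${sharedDataPath}/conf/encryption/keystore.p12
encryption.key-store-password=D0N0tU5eTh1sP@ssW0rd!
encryption.enabled=false
"""
print("\n".join(audit(SAMPLE)))
```

To audit a real file, pass its contents to audit() and review the findings before restarting the Integration Manager Service.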
 
Last modified date: 03/14/2022