You can specify the encryption type used by a Deployment Automation server, agent, or agent relay. The encryption setting is used to protect secured values.
Supported encryption types
- LEGACY (uses the legacy method to encrypt data)
- AES256
- RSA
Keys
External encryption and decryption keys are provided by the user or generated automatically when a server starts (the folder enc-keys is created and stores the keys).
Each key is stored with a file name using this pattern:
| Pattern | Description |
|---|---|
| <encryption type>-<key index>-E | Stores the encryption key. |
| <encryption type>-<key index>-D | Stores the decryption key. |
| <encryption type>-<key index> | Used as a fallback if no files with the above names are found (used when a -E or -D key with the corresponding index cannot be found). |
- If there are no files in the folder enc-keys when a server, agent relay, or agent is started, random keys are stored for the encryption type.
- The key index can contain one character only.
- If a key is not found or an error occurs during encryption or decryption, the default hard-coded key is used.
- The ‘!’ symbol is reserved for the default key index.
- Data is always encrypted using the latest key (the one with the biggest index).
- All keys are reloaded when a server restarts.
- Encrypted data contains the index of the encryption key. The corresponding decryption key should have the same index and be present in the profile.
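The naming and selection rules above can be checked against a listing of the enc-keys folder. The following is an added example, not part of the product or its documentation. It assumes file names such as AES256-2-E and that the latest key is the one whose index has the highest character code; the function and field names are hypothetical.

```python
import re
from pathlib import Path

# Assumption: file names look like "AES256-3-E"; the page gives only the
# pattern <encryption type>-<key index>[-E|-D] with a one-character index.
NAME_RE = re.compile(r"^(LEGACY|AES256|RSA)-(.)(?:-([ED]))?$")
DEFAULT_INDEX = "!"  # reserved for the default key index


def audit_key_names(names, enc_type):
    """Classify enc-keys file names for one encryption type."""
    roles = {}    # key index -> roles found: "E", "D", or "" (suffix-less fallback)
    flagged = []  # names that do not fit the pattern or use the reserved index
    for name in names:
        m = NAME_RE.match(name)
        if not m or m.group(2) == DEFAULT_INDEX:
            flagged.append(name)
        elif m.group(1) == enc_type:
            roles.setdefault(m.group(2), set()).add(m.group(3) or "")
    # A role is usable if its own file exists or the suffix-less fallback does.
    can_encrypt = sorted(i for i, r in roles.items() if r & {"E", ""})
    can_decrypt = sorted(i for i, r in roles.items() if r & {"D", ""})
    # Assumption: the latest key is the index with the highest character code.
    active = max(can_encrypt, key=ord) if can_encrypt else None
    return {
        "active_encrypt_index": active,
        # Data encrypted under these indices has no matching decryption key.
        "missing_decrypt": sorted(set(roles) - set(can_decrypt)),
        "missing_encrypt": sorted(set(roles) - set(can_encrypt)),
        "flagged": sorted(flagged),
        # Per the page, the default hard-coded key is used when no key is found.
        "no_usable_encrypt_key": active is None,
    }


def audit_folder(folder, enc_type):
    """Audit a real enc-keys folder (file names only; key contents are not read)."""
    names = [p.name for p in Path(folder).iterdir() if p.is_file()]
    return audit_key_names(names, enc_type)


# Constructed sample listing, not taken from a real installation.
SAMPLE = ["AES256-1", "AES256-2-E", "AES256-2-D", "AES256-3-E", "AES256-12-E", "notes.txt"]

if __name__ == "__main__":
    for field, value in audit_key_names(SAMPLE, "AES256").items():
        print(f"{field}: {value}")
```

In the sample, index 3 is the active encryption key but has no -D file and no fallback file, and AES256-12-E is flagged because the index is longer than one character.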
Server
- Default encryption type: AES256
- To set the server encryption type, edit the property systemConfig/encryptionAlgorithm in da_config.xml.
- RSA is not supported and needs the length of the DB fields that contain encrypted values to be increased.
- The folder enc-keys is created in: <profile location>/conf/server
- Data that is encrypted in the DB is not re-encrypted during a server upgrade or after the encryption algorithm property changes. If the property changes, secure properties in the file installed.properties are re-encrypted when the server starts.
Agent
- Default encryption type: LEGACY
- To set the agent encryption type, edit the property locked/agent.strict.encryption.type in agent.properties.
- Non-default encryption is not compatible with old plugins; however, the default is less secure.
- The folder enc-keys is created in: <agent location>/conf/agent
- If the encryption type property is changed, secure properties in the agent.properties file are re-encrypted when an agent starts.
Agent Relay
- Default encryption type: AES256
- To set the agent relay encryption type, edit the property agentrelay.encryption.type in agentrelay.properties.
- The folder enc-keys is created in: <agent relay location>/conf
- If the encryption type property is changed, secure properties in the agentrelay.properties file are re-encrypted when an agent relay starts.
Copyright © 2011–2020 Micro Focus or one of its affiliates. All rights reserved.