[8.5.5.18 or later]

Creating a custom AES key manager

You can create a custom Advanced Encryption Standard (AES) key manager that supplies the key used for AES password encryption. Create a custom key manager only for the rare situations where the default key manager does not meet a specific key generation or key handling requirement.

Before you begin

Determine the specific password encryption requirement that would cause you to use the custom AES key manager instead of the default AES key manager. If you do not have a specific requirement, use the default AES key manager instead.

If you conclude that you must use a custom AES key manager, ensure that this key manager provides the same key on every node in the cell. The configuration files that contain the encrypted passwords are shared among the nodes, so a node with a different key cannot decrypt them.

About this task

Build the custom AES key manager class. Put the resulting JAR file in the proper location so that the client environment and the server environment can use it.

Procedure

  1. Build your custom AES key manager class.
    The interface that the class must implement is as follows:
    package com.ibm.wsspi.security.crypto.aes;
    
    import java.util.List;
    import javax.crypto.SecretKey;
    
    public interface EncryptionKeyManager  {
        /**
         * Returns a SecretKey object that corresponds to the specified keyAlias.
         *  The javax.crypto.SecretKey interface defines the getAlgorithm, getEncoded,
         * and getFormat methods. For this implementation, the getAlgorithm method must
         * return "AES", the getFormat method must return "RAW", and the getEncoded
         * method must return a 16-byte (128-bit) byte array.
         *  This method is invoked when passwords are encrypted or decrypted, and
         * while the modifyPasswordEncryption wsadmin command is processed.
         * 
         * @param keyAlias key alias name
         * @return SecretKey object
         * @throws EncryptionKeyManagerException
         */
        SecretKey getKey(String keyAlias) throws EncryptionKeyManagerException;
    
        /**
         * Returns all of the key aliases associated with this key manager.
         *  This method is invoked by some wsadmin commands of the PasswordUtilCommands
         * command group.
         * 
         * @return List of all key aliases
         * @throws EncryptionKeyManagerException
         */
        List<String> getAllKeyAliases() throws EncryptionKeyManagerException;
    
        /**
         * Returns the key alias that is used for encryption.
         *  This key alias must be included in the list that the getAllKeyAliases
         * method returns.
         *  This method is invoked when passwords are encrypted, and by some wsadmin
         * commands of the PasswordUtilCommands command group.
         * 
         * @return the key alias name.
         * @throws EncryptionKeyManagerException
         */
        String getActiveEncryptionKeyAlias() throws EncryptionKeyManagerException;
    }
  2. Put the JAR file that contains your implementation of the com.ibm.wsspi.security.crypto.aes.EncryptionKeyManager interface in a location that is on the Java class path.

    For the server environment, put the JAR file in the WAS_HOME/lib/ext directory.

    For the client environment, put the JAR file on the client class path.

    Avoid trouble: For a multi-node environment, put the custom AES key manager on all the nodes, and then restart all the nodes.
  3. Enable the custom AES key manager.

    For more information, see Enabling a custom AES key manager.
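The following class is an added example of step 1, not IBM's code: it implements the EncryptionKeyManager interface by loading 128-bit AES keys from a properties file and enforcing the contract described in the interface comments (AES, RAW, exactly 16 bytes; the active alias is one of the listed aliases). Everything outside the interface is assumed for illustration: the package name, the custom.aes.keyfile system property that names the key file, the properties file layout shown in the class comment, a no-argument constructor as the way the runtime instantiates the class, and an EncryptionKeyManagerException constructor that takes a message string. The class compiles only against the WebSphere runtime JAR that provides the com.ibm.wsspi.security.crypto.aes package.

```java
package com.example.was.security; // hypothetical package, not an IBM one

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

import com.ibm.wsspi.security.crypto.aes.EncryptionKeyManager;
import com.ibm.wsspi.security.crypto.aes.EncryptionKeyManagerException;

/**
 * Example key manager that reads 128-bit AES keys from the properties file
 * named by the (assumed) system property custom.aes.keyfile. Constructed
 * example of the file contents:
 *
 *   active.alias=cellkey2
 *   key.cellkey1=00112233445566778899aabbccddeeff
 *   key.cellkey2=0f1e2d3c4b5a69788796a5b4c3d2e1f0
 *
 * The identical file must exist on every node in the cell, because the
 * configuration files holding the encrypted passwords are shared.
 */
public class FileBackedAesKeyManager implements EncryptionKeyManager {

    private static final String KEY_FILE_PROPERTY = "custom.aes.keyfile"; // assumed
    private static final String ACTIVE_ALIAS_PROPERTY = "active.alias";
    private static final String KEY_PREFIX = "key.";
    private static final int AES128_KEY_BYTES = 16;

    private Map<String, SecretKey> keys; // alias -> key, loaded on first use
    private String activeAlias;

    @Override
    public SecretKey getKey(String keyAlias) throws EncryptionKeyManagerException {
        SecretKey key = load().get(keyAlias);
        if (key == null) {
            throw new EncryptionKeyManagerException("No AES key for alias: " + keyAlias);
        }
        return key;
    }

    @Override
    public List<String> getAllKeyAliases() throws EncryptionKeyManagerException {
        return Collections.unmodifiableList(new ArrayList<String>(load().keySet()));
    }

    @Override
    public synchronized String getActiveEncryptionKeyAlias() throws EncryptionKeyManagerException {
        load();
        return activeAlias;
    }

    /** Loads and validates the key file once; later calls reuse the cached keys. */
    private synchronized Map<String, SecretKey> load() throws EncryptionKeyManagerException {
        if (keys != null) {
            return keys;
        }
        String location = System.getProperty(KEY_FILE_PROPERTY);
        if (location == null) {
            throw new EncryptionKeyManagerException("System property " + KEY_FILE_PROPERTY + " is not set");
        }
        Path path = Paths.get(location);
        rejectIfReadableByOthers(path);

        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(path)) {
            props.load(in);
        } catch (IOException e) {
            throw new EncryptionKeyManagerException("Cannot read key file " + path + ": " + e.getMessage());
        }

        Map<String, SecretKey> loaded = new LinkedHashMap<String, SecretKey>();
        for (String name : props.stringPropertyNames()) {
            if (name.startsWith(KEY_PREFIX)) {
                String alias = name.substring(KEY_PREFIX.length());
                byte[] raw = decodeHex(props.getProperty(name).trim(), alias);
                // SecretKeySpec reports getAlgorithm()=="AES", getFormat()=="RAW" and
                // getEncoded()==the 16 raw bytes, which is what the interface requires.
                loaded.put(alias, new SecretKeySpec(raw, "AES"));
            }
        }
        String active = props.getProperty(ACTIVE_ALIAS_PROPERTY);
        // Contract: the active alias must be one of the aliases getAllKeyAliases returns.
        if (active == null || !loaded.containsKey(active.trim())) {
            throw new EncryptionKeyManagerException("active.alias is missing or names an unknown key");
        }
        activeAlias = active.trim();
        keys = loaded;
        return keys;
    }

    /** Refuses a key file that group or other users can access (POSIX file systems only). */
    private static void rejectIfReadableByOthers(Path path) throws EncryptionKeyManagerException {
        Set<PosixFilePermission> perms;
        try {
            perms = Files.getPosixFilePermissions(path);
        } catch (UnsupportedOperationException e) {
            return; // non-POSIX file system (for example Windows): rely on administrator-set ACLs
        } catch (IOException e) {
            throw new EncryptionKeyManagerException("Cannot stat key file " + path + ": " + e.getMessage());
        }
        for (PosixFilePermission p : perms) {
            if (p != PosixFilePermission.OWNER_READ && p != PosixFilePermission.OWNER_WRITE) {
                throw new EncryptionKeyManagerException("Key file " + path + " must be mode 600 (owner only)");
            }
        }
    }

    /** Decodes a hex string and enforces the 128-bit key length the interface requires. */
    private static byte[] decodeHex(String hex, String alias) throws EncryptionKeyManagerException {
        if (hex.length() != AES128_KEY_BYTES * 2 || !hex.matches("[0-9a-fA-F]+")) {
            throw new EncryptionKeyManagerException("Key " + alias + " must be exactly 32 hex characters (16 bytes)");
        }
        byte[] out = new byte[AES128_KEY_BYTES];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Package the compiled class into a JAR, copy the JAR to WAS_HOME/lib/ext on every node (and onto the client class path), place the same key file with mode 600 on every node, set the custom.aes.keyfile system property for the server and client JVMs, and then enable the key manager as described under "Enabling a custom AES key manager". Keys in this example are loaded once and cached, so a key file change takes effect only after a restart.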