With the Security Profile, you can make encryption configurations that can be used by various agents. The profile consists of three tabs: General, Advanced, and External Keystore.

...

Settings

Description

Type

You have the following options:

  • Java Keystore

  • External Keystore

  • <None>

Selecting External Keystore or <None> disables the rest of the keystore settings. Selecting External Keystore will require additional input in the External Keystore tab.

Path

Enter the location of the keystore from which you want to read the key.

Password

Enter the relevant keystore password.

Public Key Alias

The encryption alias to use. For a client, this should be the alias of the server's public certificate. If left empty, the Keystore Alias is used to encrypt the message.

Private Key Alias

If the keystore contains more than one key, specify the alias of the key that you want to use.

Key Password

The Key Password field is optional. You can enter the key password; if you leave this field empty, the keystore Password that you entered above is used by default.

...

Field

Description

Type

You can select from the following options:

  • Java Truststore

  • Use Java Keystore

  • External Truststore

  • Use External Keystore

  • <None>

Selecting Use Java Keystore disables the rest of the truststore settings and the keystore specified in Keystore Settings is used.

Selecting External Truststore or Use External Keystore disables the rest of the truststore settings and requires additional input in the External Keystore tab.

Selecting <None> disables the rest of the truststore settings.

Path

Enter the location of the truststore that you want to use.

Password

Enter the relevant truststore password.

Advanced Tab

...

The Advanced tab enables you to make more detailed configurations for which cipher suites to accept.

...

Settings

Description

Enable TLS Settings

If you want to change the TLS security parameters, select this check box. The default setting is to use the settings from the Java installation.

Accepted Protocols

You can select whether agents using this profile accept only TLS version 1.3 or any TLS version. The default setting is to accept only version 1.3.

Used Cipher Suites

You can select whether agents using this profile use only the suites that are enabled by default in the JVM, or any supported suite. The default setting is to use only the suites that are enabled by default.

Cipher Suite Must Match

In this field, enter text that the cipher suites must match; only suites containing that text are kept. You can also enter a list of regular expressions, one per row, that the cipher suites must match. Suites that do not match your entry are greyed out in the Result on this JVM field.

Cipher Suite Must Not Match

To exclude cipher suites, enter text in this field; any suite containing that text is excluded. You can also enter a list of regular expressions, one per row, for the cipher suites to exclude.

Result on this JVM

This field displays the cipher suites available on the current JVM.
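The filtering that the Used Cipher Suites, Cipher Suite Must Match and Cipher Suite Must Not Match settings describe, as an added Java illustration that is not MediationZone code: it takes the enabled-by-default or the full supported suite list from the running JVM, applies the include and exclude rows as regular expressions (a plain string matches as a substring), and returns the suites that would not be greyed out in Result on this JVM. The policy rows in main() are constructed sample input.

```java
import javax.net.ssl.SSLContext;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public class CipherSuiteFilter {

    /** Suites that survive the Advanced tab filters; mustMatch / mustNotMatch hold one regex per row. */
    public static List<String> resultOnThisJvm(boolean onlyDefaultSuites,
                                               List<String> mustMatch,
                                               List<String> mustNotMatch) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // "Used Cipher Suites": enabled-by-default suites vs. every suite this JVM supports
        String[] candidates = onlyDefaultSuites
                ? ctx.getDefaultSSLParameters().getCipherSuites()
                : ctx.getSupportedSSLParameters().getCipherSuites();
        List<Pattern> include = compile(mustMatch);
        List<Pattern> exclude = compile(mustNotMatch);
        List<String> result = new ArrayList<>();
        for (String suite : candidates) {
            // Keep a suite if it matches at least one "must match" row (or no rows were given)
            // and matches none of the "must not match" rows. find() gives substring semantics.
            boolean wanted = include.isEmpty() || include.stream().anyMatch(p -> p.matcher(suite).find());
            boolean banned = exclude.stream().anyMatch(p -> p.matcher(suite).find());
            if (wanted && !banned) result.add(suite);
        }
        return result;
    }

    /** Compiles the non-empty rows; blank rows in the UI field are ignored. */
    private static List<Pattern> compile(List<String> rows) {
        List<Pattern> patterns = new ArrayList<>();
        for (String row : rows) {
            if (!row.trim().isEmpty()) patterns.add(Pattern.compile(row.trim()));
        }
        return patterns;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample policy: keep AEAD suites (GCM / ChaCha20), drop CBC and legacy ones.
        List<String> keep = Arrays.asList("_GCM_", "CHACHA20");
        List<String> drop = Arrays.asList("_CBC_", "_NULL_", "anon", "_RC4_", "_3DES_");
        for (String suite : resultOnThisJvm(true, keep, drop)) {
            System.out.println(suite);
        }
    }
}
```

The Accepted Protocols setting is independent of this filter; it maps to the protocol list an agent offers, not to the suite names.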

...

Settings

Description

Azure KeyVault Profile

Choose an Azure KeyVault Profile to use for the credentials.

Certificate name

The name of the certificate in Azure KeyVault.

Google Secret Manager


For information about the installation and setup of Google Secret Manager, see https://cloud.google.com/secret-manager/docs.

...

Settings

Description

Auth Methods

Select the authentication method used to access the vault.

Address

The address for the vault. The address begins with the hypertext transfer protocol scheme, either HTTP or HTTPS, followed by the IP address of the vault and the TCP port on which the vault's listener accepts connections.

Example: https://127.0.0.1:8200

Username

Enter the vault username.

Password

Enter the vault password.

Path

The full path of the vault secret engine that contains the relevant keystore or truststore.

Example: secret/digitalroute/mz/security/server

Uploading a Keystore into Your Vault


MediationZone requires certain criteria to be met when uploading the keystore into your vault. The following command shows how to upload it.

vault kv put secret/digitalroute/mz/security/<PATH_PREFIX>/keystore filecontent="$(cat <PATH_TO_KEYSTORE>.jks | base64)" password=<PASSWORD> keyalias=<KEYALIAS> keypassword=<KEYPASSWORD>

The attributes shown in the command are mandatory. The workflow aborts if it calls a Security profile whose vault credentials are saved in a format other than the one listed in the table below.

...

Uploading a Truststore into Your Vault


MediationZone requires certain criteria to be met when uploading the truststore into your vault. The following command shows how to upload it.

vault kv put secret/digitalroute/mz/security/<PATH_PREFIX>/truststore filecontent="$(cat <PATH_TO_TRUSTSTORE>.jks | base64)" password=<PASSWORD>

The attributes shown in the command are mandatory. The workflow aborts if it calls the Security profile with vault credentials that are saved in a format other than the one listed in the table below.
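A pre-upload check for both the keystore and the truststore commands above, as an added Java example that is not MediationZone code: it builds the same base64 filecontent value the command produces, then verifies that password, keyalias and keypassword really open the store before they are written into the vault, so a workflow does not abort later on credentials that never matched the file. An empty keypassword falls back to the store password, mirroring the Key Password field; the class name and command-line usage are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Base64;

public class VaultStoreCheck {

    /** Produces the "filecontent" attribute: base64 of the raw .jks bytes, without line wrapping. */
    public static String fileContent(byte[] storeBytes) {
        return Base64.getEncoder().encodeToString(storeBytes);
    }

    /**
     * Keystore mode (keyAlias != null): "password" must open the store, "keyalias" must name a
     * private-key entry and "keypassword" must unlock it. Truststore mode (keyAlias == null):
     * only "password" is checked, matching the truststore command's attributes.
     */
    public static boolean attributesUnlockStore(String fileContent, String password,
                                                String keyAlias, String keyPassword) {
        try {
            // The MIME decoder also accepts the 76-column line wrapping GNU base64 emits by default.
            byte[] raw = Base64.getMimeDecoder().decode(fileContent);
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(new ByteArrayInputStream(raw), password.toCharArray());
            if (keyAlias == null) return true;                 // truststore: nothing more to verify
            if (!ks.isKeyEntry(keyAlias)) return false;        // alias missing or only a trusted cert
            String kp = (keyPassword == null || keyPassword.isEmpty()) ? password : keyPassword;
            return ks.getKey(keyAlias, kp.toCharArray()) != null;
        } catch (Exception e) {                                // wrong password, corrupt data, bad alias
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // keystore:   java VaultStoreCheck <PATH_TO_KEYSTORE>.jks <PASSWORD> <KEYALIAS> [<KEYPASSWORD>]
        // truststore: java VaultStoreCheck <PATH_TO_TRUSTSTORE>.jks <PASSWORD>
        if (args.length < 2) {
            System.err.println("usage: VaultStoreCheck <store.jks> <password> [<keyalias> [<keypassword>]]");
            System.exit(2);
        }
        String content = fileContent(Files.readAllBytes(Paths.get(args[0])));
        String alias = args.length > 2 ? args[2] : null;
        String keyPw = args.length > 3 ? args[3] : "";
        boolean ok = attributesUnlockStore(content, args[1], alias, keyPw);
        System.out.println(ok ? "attributes unlock the store; safe to run vault kv put"
                              : "attributes do NOT unlock the store; fix them before uploading");
        System.exit(ok ? 0 : 1);
    }
}
```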

...