
The Security profile is a generic profile that you can use to make encryption configurations that can be used by various agents, for example the HTTP/2 and Kafka agents. The profile consists of three tabs: General, Advanced, and External Keystore.

General Tab


Keystore Settings

The following settings are available:

Type
    You can select from the following options:

      • Java Keystore
      • External Keystore
      • <None>

    Selecting External Keystore or <None> disables the rest of the keystore settings. Selecting External Keystore requires additional input in the External Keystore tab.

Path
    Enter the location of the keystore from which you want to read the key.

Password
    Enter the relevant keystore password.

Public Key Alias
    The encryption alias to use. In a client, it should be the alias of the server's public certificate. If left empty, the Keystore Alias is used to encrypt the message.

Private Key Alias
    If the keystore contains more than one key, specify the alias of the key that you want to use.

Key Password
    The Key Password field is optional. You can enter the key password, or, if you leave this field empty, the Password that you entered is used by default.


Example - How to Create a Symmetric Crypto Key

    $ keytool -keystore test.ks -storepass password -genseckey -keysize 128 -alias testkey -keyalg AES
Example - How to Create a Keystore File with Security Contents

The example code below shows how to create a Java keystore file for both the server and client connection. In this example, the generated keystore file contains the associated security certificate and the public and private key pair.

    keytool -genkey -alias server -keyalg RSA -keystore ./server.jks

Note! Remember the password issued for the server.jks file.

Example - How to Create a Client-Specific Keystore File

To create a client-specific Java Keystore file, you can use the keytool command with the required variables. In this example, the generated file will be for a specific client and contain only their certificate and public key.

    $ keytool -export -alias server -keystore ./server.jks -file ./server.cer
    $ keytool -import -alias client -file ./server.cer -keystore ./client.jks

Note! Executing these commands presents password entry prompts, and you will need to remember the entered passphrase.

Truststore Settings

The following settings are available:

Type
    You can select from the following options:

      • Java Truststore
      • Use Java Keystore
      • External Truststore
      • Use External Keystore
      • <None>

    Selecting Use Java Keystore disables the rest of the truststore settings, and the keystore specified in Keystore Settings is used.

    Selecting External Truststore or Use External Keystore disables the rest of the truststore settings and requires more input in the External Keystore tab.

    Selecting <None> disables the rest of the truststore settings.

Path
    Enter the location of the truststore that you want to use.

Password
    Enter the relevant truststore password.

Advanced Tab

The Advanced tab enables you to make more detailed configurations for which cipher suites to accept.

The following settings are available:

Enable TLS Settings
    If you want to change the TLS security parameters, select this check box. The default setting is to use the settings from the Java installation.

Accepted Protocols
    You can select whether agents using this profile accept only TLS version 1.3 or any TLS version. The default setting is to accept only version 1.3.

Used Cipher Suites
    You can select whether agents using this profile use only suites that are enabled by default, or any suites. The default setting is to use only suites that are enabled by default.

Cipher Suite Must Match
    In this field, you can enter any characters that you want the cipher suites to match. You can also enter a list of regular expressions, one per row, that you want the cipher suites to match. Suites not matching your entry are greyed out in the Result on this JVM field.

Cipher Suite Must Not Match
    If you want to exclude cipher suites, enter characters in this field; suites matching the characters are excluded. You can also enter a list of regular expressions, one per row, for cipher suites to exclude.

Result on this JVM
    This field displays the cipher suites available on the current JVM.
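As an added illustration of how the Must Match and Must Not Match rows narrow the Result on this JVM list (example code, not the product's own implementation), the following Python applies both fields to a constructed list of suite names; the any-row-matches semantics and the suite list are assumptions, since the page does not spell out the exact matching rules.

```python
import re

# Constructed sample of names as they might appear in "Result on this JVM"
# (not captured from a real JVM).
JVM_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_NULL_SHA256",
]


def parse_rows(field_text):
    """Each non-empty row of a Must Match / Must Not Match field is one regex."""
    return [re.compile(row.strip()) for row in field_text.splitlines() if row.strip()]


def filter_suites(suites, must_match="", must_not_match=""):
    """Return (accepted, greyed_out).

    Assumed semantics: a suite is accepted when it matches at least one
    Must Match row (or that field is empty) and matches no Must Not Match
    row; every other suite is greyed out.
    """
    include = parse_rows(must_match)
    exclude = parse_rows(must_not_match)
    accepted, greyed = [], []
    for suite in suites:
        wanted = not include or any(r.search(suite) for r in include)
        banned = any(r.search(suite) for r in exclude)
        (accepted if wanted and not banned else greyed).append(suite)
    return accepted, greyed


if __name__ == "__main__":
    # Keep only AEAD suites (GCM or ChaCha20) and drop static-RSA key exchange.
    ok, out = filter_suites(JVM_SUITES, "GCM\nCHACHA20", "^TLS_RSA_")
    print("accepted:", *ok, sep="\n  ")
    print("greyed out:", *out, sep="\n  ")
```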

External Keystore Tab

The External Keystore tab enables you to store your SSL certificates in one secure location. Currently, they can be stored in Azure KeyVault, Google Secret Manager or HashiCorp Vault.

Note! Using the Security profile with an External Keystore configured is not supported with Kafka agents.

Azure KeyVault

For information about the installation and setup of an Azure KeyVault, see https://azure.microsoft.com/en-us/products/key-vault.

Azure KeyVault Profile
    Choose an Azure KeyVault Profile to use for the credentials.

Certificate name
    The name of the certificate in Azure KeyVault.

Google Secret Manager

For information about the installation and setup of Google Secret Manager, see https://cloud.google.com/secret-manager/docs.

Google Secret Manager Profile
    Choose a Google Secret Manager Profile to use for the credentials.

Name
    The name of the certificate stored in Google Secret Manager.

Version
    The version of the Secret.

Key Password
    Password of the certificate.

Generating and Uploading a Certificate

  1. Run the following command to create a self-signed PFX keystore file:

        keytool -genkey -keyalg RSA -keystore Server.pfx -storetype PKCS12

     keystore = name of the pfx file, for example, server.pfx

     Note! When prompted for first and last name, enter the hostname for which the certificate is valid, for example, localhost. Other values can be anything.

  2. Encode the PFX file with base64 by running this command:

        base64 -i Server.pfx -o Server.b64

     -i = name of the input file
     -o = name of the output file for the base64 string

  3. Create a secret in Google Secret Manager with the value of Server.b64.

HashiCorp Vault

For information about the installation and setup of a vault, see https://learn.hashicorp.com/vault.

Info! When setting up your vault, it is recommended that you have the following set up:

  1. Set up a Key-Value (kv) Secret.
  2. Enable Userpass authentication instead of the default token authentication.
  3. Set up a policy with read and list permissions and assign it to a user.

Auth Methods
    Select the authentication method used to access the vault.

Address
    Enter the vault address. The address begins with the hypertext transfer protocol, either HTTP or HTTPS, followed by the IP address of the vault and the TCP port used by the TCP listener of the vault.

    Example: https://127.0.0.1:8200

Username
    Enter the vault username.

Password
    Enter the vault password.

Path
    The full path of the vault secret engine that contains the relevant keystore or truststore.

    Example: secret/digitalroute/mz/security/server

Uploading a Keystore into Your Vault

    vault kv put secret/digitalroute/mz/security/<PATH_PREFIX>/keystore filecontent="$(cat <PATH_TO_KEYSTORE>.jks | base64)" password=<PASSWORD> keyalias=<KEYALIAS> keypassword=<KEYPASSWORD>

You need to configure the mandatory attributes. The workflow will abort if it calls a Security profile with vault credentials saved in a different format than listed in the table below.

Supported Formats

    Attribute      Value Format
    filecontent    Base64 String
    keyalias       String
    keypassword    String
    password       String

Uploading a Truststore into Your Vault

    vault kv put secret/digitalroute/mz/security/<PATH_PREFIX>/truststore filecontent="$(cat <PATH_TO_TRUSTSTORE>.jks | base64)" password=<PASSWORD>

You need to configure the mandatory attributes. The workflow will abort if it calls the Security profile with vault credentials saved in a different format than listed in the table below.

Supported Formats

    Attribute      Value Format
    filecontent    Base64 String
    password       String
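The following added example (not the product's own code) checks a kv secret against the Supported Formats tables for both the keystore and the truststore secrets before it is written with vault kv put, so that a malformed secret is caught before a workflow aborts on it; the JKS magic number and PKCS12 DER check are extra sanity checks of this example's own, and the keystore bytes are constructed.

```python
import base64
import binascii

# Mandatory attributes and value formats from the Supported Formats tables.
REQUIRED = {
    "keystore": {"filecontent": "Base64 String", "password": "String",
                 "keyalias": "String", "keypassword": "String"},
    "truststore": {"filecontent": "Base64 String", "password": "String"},
}

JKS_MAGIC = b"\xfe\xed\xfe\xed"  # first four bytes of every JKS file
DER_SEQUENCE = b"\x30"           # a PKCS12 store starts with a DER SEQUENCE tag


def check_vault_secret(secret, kind):
    """Return a list of problems; an empty list means `secret` matches the
    table for `kind` ("keystore" or "truststore"). `secret` is the key/value
    mapping as written with `vault kv put`."""
    problems = []
    for attr, fmt in REQUIRED[kind].items():
        value = secret.get(attr)
        if not isinstance(value, str) or value == "":
            problems.append(f"{attr}: missing (expected {fmt})")
            continue
        if fmt != "Base64 String":
            continue
        # base64(1) wraps its output at 76 columns, so the stored value may
        # contain newlines; drop all whitespace before strict decoding.
        try:
            raw = base64.b64decode("".join(value.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"{attr}: not a valid Base64 String")
            continue
        if not (raw.startswith(JKS_MAGIC) or raw.startswith(DER_SEQUENCE)):
            problems.append(f"{attr}: decoded data is not a JKS or PKCS12 store")
    return problems


def encode_store(data):
    """Mimic `cat store.jks | base64`: wrapped Base64 with a trailing newline."""
    return base64.encodebytes(data).decode("ascii")


if __name__ == "__main__":
    # Constructed stand-in for a keystore file: JKS magic plus a version-2 header.
    fake_jks = JKS_MAGIC + b"\x00\x00\x00\x02" + b"\x00" * 4
    secret = {"filecontent": encode_store(fake_jks), "password": "changeit",
              "keyalias": "server", "keypassword": "changeit"}
    print(check_vault_secret(secret, "keystore"))
    del secret["keyalias"]
    print(check_vault_secret(secret, "keystore"), check_vault_secret(secret, "truststore"))
```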