Security (4.3)
With the Security Profile, you can make encryption configurations that can be used by various agents. The profile consists of three tabs: General, Advanced, and External Keystore.
General Tab
Keystore Settings
The following settings are available:
Settings | Description |
---|---|
Type | You have the following options:
Selecting External Keystore or <None> disables the rest of the keystore settings. Selecting External Keystore will require additional input in the External Keystore tab. |
Path | Enter the location of the keystore from which you want to read the key. |
Password | Enter the relevant keystore password. |
Public Key Alias | The encryption alias to use. In a client, it should be the alias to the server public certificate. If left empty the Keystore Alias will be used to encrypt the message. |
Private Key Alias | If the keystore contains more than one key, specify the alias of the key that you want to use. |
Key Password | The Key Password fields is optional. You can enter the key password, or if you leave this field empty, the Password that you entered is the default. |
Example - How to Create a Symmetric Crypto Key
keytool -keystore test.ks -storepass password -genseckey -keysize 128 -alias testkey -keyalg AES
Example - How to Create a Keystore File with Security Contents
The example code below shows how to create a Java keystore file for both the server and client connection. In this example, the file will be generated containing the associated security certificate, public and private key.
Code Block
keytool -genkey -alias server -keyalg RSA -keystore ./server.jks
Note! Remember the password issued for the server.jks file.
Example - How to Create a Client-Specific Keystore File
To create a client-specific Java Keystore file, you can use the keytool command with the required variables. In this example, the generated file will be for a specific client and contain only their certificate and public key.
Code Block
keytool -export -alias server -keystore ./server.jks -file ./server.cer
...
keytool -import -alias client -file ./server.cer -keystore ./client.jks
...
Note! Execution of these commands will present password entry prompts, and you will need to remember the entered passphrase.
Truststore Settings
The following settings are available:
Field | Description |
---|---|
Type | You can select from the following options:
Selecting Use Java Keystore disables the rest of the truststore settings and the keystore specified in Keystore Settings is used. Selecting External Truststore or Use External Keystore disables the rest of the truststore settings and will require more input in External Keystore tab. Selecting <None> disables the rest of the truststore settings. |
Path | Enter the location of the truststore that you want to use. |
Password | Enter the relevant truststore password. |
Advanced Tab
The Advanced tab enables you to make more detailed configurations for which cipher suites to accept.
The following settings are available:
Settings | Description |
---|---|
Enable TLS Settings | If you want to change the TLS security parameters, select this check box. The default setting is to use the settings from the Java installation. |
Accepted Protocols | You can select if you want agents using this profile to accept only TLS version 1.3 or any TLS version. The default setting is to only accept version 1.3. |
Used Cipher Suites | You can select if you want agents using this profile to use only suites that are enabled by default, or any suites. The default setting is to only use suites that are enabled by default. |
Cipher Suite Must Match | In this field, you can enter any characters that you want the cipher suites to match. You can also enter lists of regular expressions, one per row, that you want the cipher suites to match. Suites not matching your entry are greyed out in the Result on this JVM field. |
Cipher Suite Must Not Match | If you want to exclude cipher suites, you can enter any characters in this field which excludes suites matching the characters. You can also enter lists of regular expressions, one per row, for cipher suites to exclude. |
Result on this JVM | This field displays the cipher suites available on the current JVM. |
External Keystore Tab
The External Keystore tab enables you to store your SSL certificates in one secure location. Currently, it can be stored in Azure KeyVault, Google Secret Manager or HashiCorp Vault.
Azure KeyVault
For information about the installation and setup of an Azure KeyVault, see Key Vault | Microsoft Azure .
Settings | Description |
---|---|
Azure KeyVault Profile | Choose an Azure KeyVault Profile to use for the credentials. |
Certificate name | The name of the certificate in Azure KeyVault |
Google Secret Manager
For information about the installation and setup of Google Secret Manager, see Secret Manager documentation | Secret Manager Documentation | Google Cloud .
Global variable macro (Development) requires a base64 encoded PFX certificate to be stored as a Secret in Google Secret Manager.
Settings | Description |
---|---|
Google Secret Manager Profile | Choose a Google Secret Manager Profile to use for the credentials. |
Name | The name of the certificate stored in Google Secret Manager. |
Version | The version of the Secret. |
Key Password | Password of the certificate. |
Generating and Uploading a Certificate
Run the following command to create a self-signed PFX keystone file:
keystore
= name of the pfx file, for example,server.pfx
Encode the PFX file with base64 by running this command:
-i
= name of the input file-o
= name of the output file for the base64 stringCreate a secret on Google Secret Manager with the value of the
Server.b64
.
HashiCorp Vault
For information about the installation and setup of a vault, see Tutorials | Vault | HashiCorp Developer .
Settings | Description |
---|---|
Auth Methods | Select the authentication method used to access the vault. |
Address | The address for the vault. The format of the address begins with the hypertext transfer protocol, either HTTP or HTTPS, followed by the IP address of the vault and the TCP port used by the TCP listener of the vault. |
Username | Enter the vault username. |
Password | Enter the vault password. |
Path | The full path of the vault secret engine that contains the relevant keystore or truststore. |
Uploading a Keystore into Your Vault
Global variable macro (Development) requires certain criteria to be met when uploading the keystore into your vault. The following command will help show you how to upload.
You need to configure the mandatory attributes. The workflow will abort if it calls a Security profile with vault credentials saved in a different format than listed in the table below.
Supported Formats
Attribute | Value Format |
---|---|
filecontent | Base64 String |
keyalias | String |
keypassword | String |
password | String |
Uploading a Truststore into Your Vault
Global variable macro (Development) requires certain criteria to be met when uploading the truststore into your vault. The following command will help show you how to upload it.
You need to configure the mandatory attributes. The workflow will abort if it calls the security profile with the vault credentials that are saved in a different format as listed in the table below.
Attribute | Value Format |
---|---|
filecontent | Base64 String |
password | String |