Differences

This shows you the differences between two versions of the page.

tutorial:adm:czechidm_installation_win [2020/05/27 07:29]
urbanl [Configure environment properties. Select application profile] Removed use legacy merge sort #2167
tutorial:adm:czechidm_installation_win [2020/09/08 12:11]
kopro [Create CzechIdM configuration] update confidential storage key length
Line 74: Line 74:
 ==== Create SSL truststore ==== ==== Create SSL truststore ====
 Open the Git Bash and navigate to the ''/c/czechidm/etc''. Then create fake certificate which will be, for this time, the only certificate in the truststore. Open the Git Bash and navigate to the ''/c/czechidm/etc''. Then create fake certificate which will be, for this time, the only certificate in the truststore.
-<code>+<code bash>
 openssl genrsa -out fakecert.key openssl genrsa -out fakecert.key
 +# if the following command fails, remove the parameter -subj and supply the values interactively
 openssl req -new -key fakecert.key -out fakecert.csr -subj "/C=CZ/ST=Czech Republic/L=Prague/O=BCV/CN=CzechIdM placeholder cert" openssl req -new -key fakecert.key -out fakecert.csr -subj "/C=CZ/ST=Czech Republic/L=Prague/O=BCV/CN=CzechIdM placeholder cert"
 openssl x509 -req -in fakecert.csr -signkey fakecert.key -days 1 -sha256 -out fakecert.crt openssl x509 -req -in fakecert.csr -signkey fakecert.key -days 1 -sha256 -out fakecert.crt
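Review bot: `openssl genrsa -out fakecert.key` in the first line of this hunk passes no key size, so the placeholder key's length depends on the default of whichever OpenSSL build Git Bash ships; writing `openssl genrsa -out fakecert.key 2048` pins it and makes the snippet reproducible. The newly added comment before `openssl req` says the `-subj` form may fail but not why; naming the cause (Git Bash rewrites arguments that begin with `/` as Windows paths, so `/C=CZ/...` never reaches OpenSSL intact) would let readers keep the non-interactive form, for example by prefixing the command with `MSYS_NO_PATHCONV=1`, instead of falling back to interactive prompts.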
Line 242: Line 243:
  
 There are two properties in application-production.properties that influence the confidential storage: There are two properties in application-production.properties that influence the confidential storage:
-  * You can set the 128bit (16byte) key directly in the property file using **cipher.crypt.secret.key** property or+  * You can set the 128bit (16byte) or 256bit (32byte) key directly in the property file using **cipher.crypt.secret.key** property or
   * you can create separate file (in our case **secret.key**) containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** property.   * you can create separate file (in our case **secret.key**) containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** property.
 <note warning>On Windows, you have to use separate file **secret.key**.</note> <note warning>On Windows, you have to use separate file **secret.key**.</note>
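Review bot: the first bullet now spells out the accepted key lengths (128bit/16byte or 256bit/32byte) for `cipher.crypt.secret.key`, but the unchanged second bullet still describes the `secret.key` file as "containing a random string" with no length at all, and the warning right below makes that file the only option on Windows. Add the same constraint to the file bullet, e.g. "containing a random 16 or 32 byte key", so Windows readers do not create a file of an unsupported length and only find out when the confidential storage fails to initialise.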
Line 248: Line 249:
 <note warning>CzechIdM doesn't contain any default key for crypt confidential storage. Please define it before you start using the IdM.</note> <note warning>CzechIdM doesn't contain any default key for crypt confidential storage. Please define it before you start using the IdM.</note>
  
-Confidential storage uses AES/CBC/PKCS5Padding ([[https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html|more info]]) algorithm which operates with 128bit key.+Confidential storage uses AES/CBC/PKCS5Padding (more info) algorithm which operates with 128bit or 256bit key. 
  
 === Attachment store === === Attachment store ===
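Review bot: the edited sentence drops the link that "more info" pointed to (`[[https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html|more info]]` in the old text), leaving a bare "(more info)" that references nothing; either restore the link target or remove the parenthetical. While touching the line, "operates with 128bit or 256bit key" reads better as "operates with a 128-bit or 256-bit key", matching the "128bit (16byte) or 256bit (32byte)" wording used for the property above.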
  • by fiserp