Differences

This shows you the differences between two versions of the page.

tutorial:adm:czechidm_installation_win [2020/06/10 17:01]
apeterova fake certificate
tutorial:adm:czechidm_installation_win [2020/10/21 08:55]
fiserp [Create CzechIdM configuration]
Line 95: Line 95:
 Now we will create configuration files the CzechIdM will use. Now we will create configuration files the CzechIdM will use.
 <note>Code snippets in this chapter can be **mostly** copy-pasted or (but please read through whole chapter to be aware of setting you have to adjust). Configuring the CzechIdM is about altering four or five lines altogether.</note> <note>Code snippets in this chapter can be **mostly** copy-pasted or (but please read through whole chapter to be aware of setting you have to adjust). Configuring the CzechIdM is about altering four or five lines altogether.</note>
-  * The **C:\CzechIdM\etc\secret.key** is a file with confidential storage secret key. This key has to have 128 bit (= 16 bytes). Creation of the **secret.key** is a bit tricky (because Windows). Open the Git Bash, run the **vim** editor and type the key into the file. Then check its format.<code>+  * The **C:\CzechIdM\etc\secret.key** is a file with confidential storage secret key. This key has to have 128 bit (= 16 bytes) or 256 bit (= 32 bytes), length of the key determines the cipher which will be used: AES-128, or AES-256 respectively. Creation of the **secret.key** is a bit tricky (because Windows). Open the Git Bash, run the **vim** editor and type the key into the file. Then check its format.<code>
 cd /c/czechidm/etc cd /c/czechidm/etc
 # start the vim editor # start the vim editor
 vim secret.key vim secret.key
 # press "i" to switch to input mode # press "i" to switch to input mode
-# type the 16 characters of the secret key+# type the 16 or 32 characters of the secret key
 # press ESC to switch to command mode # press ESC to switch to command mode
 # type :wq # type :wq
 # press ENTER # press ENTER
 # now you should see that secret.key file has been created, check its contents # now you should see that secret.key file has been created, check its contents
-# the file should be EXACTLY 17 BYTES LONG, 16 bytes for your key and the last byte "0a"+# the file should be EXACTLY 17 or 33 BYTES LONG, 16 or 32 bytes for your key and the last byte "0a"
 xxd -p secret.key xxd -p secret.key
 ... hex dump here ... text dump here ... ... hex dump here ... text dump here ...
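Review bot: the first `+` line says "type the 16 or 32 characters of the secret key" while the rest of the hunk counts bytes ("EXACTLY 17 or 33 BYTES LONG"); a non-ASCII character typed in vim becomes several UTF-8 bytes and the xxd check would then fail, so say "16 or 32 ASCII characters (bytes)" in both the bullet and the comment. The Line 243 hunk also describes secret.key as containing a random string, yet this step has the reader invent the key at the keyboard; consider adding that the value should be randomly generated rather than chosen, so the confidential storage does not rest on a guessable key.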
Line 243: Line 243:
  
 There are two properties in application-production.properties that influence the confidential storage: There are two properties in application-production.properties that influence the confidential storage:
-  * You can set the 128bit (16byte) key directly in the property file using **cipher.crypt.secret.key** property or+  * You can set the 128bit (16byte) or 256bit (32byte) key directly in the property file using **cipher.crypt.secret.key** property or
   * you can create separate file (in our case **secret.key**) containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** property.   * you can create separate file (in our case **secret.key**) containing a random string. Then you reference this file with **cipher.crypt.secret.keyPath** property.
 <note warning>On Windows, you have to use separate file **secret.key**.</note> <note warning>On Windows, you have to use separate file **secret.key**.</note>
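Review bot: the `+` line writes the lengths as "128bit (16byte) or 256bit (32byte)" while the Line 95 hunk uses "128 bit (= 16 bytes) or 256 bit (= 32 bytes)"; pick one form, since the same fact is now stated in three places and they will drift apart. The first bullet also keeps the option of placing the key in cleartext in application-production.properties, so it would help to say that this file then needs the same access restrictions as secret.key.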
Line 249: Line 249:
 <note warning>CzechIdM doesn't contain any default key for crypt confidential storage. Please define it before you start using the IdM.</note> <note warning>CzechIdM doesn't contain any default key for crypt confidential storage. Please define it before you start using the IdM.</note>
  
-Confidential storage uses AES/CBC/PKCS5Padding ([[https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html|more info]]) algorithm which operates with 128bit key.+Confidential storage uses AES/CBC/PKCS5Padding (more info) algorithm which operates with 128bit or 256bit key. 
  
 === Attachment store === === Attachment store ===
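Review bot: the `+` line drops the link target, leaving a bare "(more info)" that points nowhere; keep the DokuWiki link from the `-` line, i.e. `([[https://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html|more info]])`, and change only the key-size text. "operates with 128bit or 256bit key" also needs an article: "with a 128bit or 256bit key".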
  • by fiserp