Preparing AES Key Wrap Encryption

By default, AM uses the Java Cryptography Extension (JCE) encryption class to encrypt and decrypt system password and keys in the configuration store and by other components, such as agents.

If your deployment requires a more secure encryption algorithm, AM supports the Advanced Encryption Standard (AES) Key Wrap algorithm (RFC3394). AM's implementation of AES Key Wrap uses the Password-Based Key Derivation Function 2 (PBKDF2) (RFC2898) with HMAC-SHA1. This allows administrators to choose the key size and the hash algorithm, such as SHA256, SHA384, or SHA512.

Important

The AES Key Wrap Encryption algorithm is only enabled when installing AM. There is no current upgrade path for existing installations.

The Security Token Service (STS) feature does not support the AES Key Wrap Encryption algorithm. Make sure that you do not deploy this feature in an AM instance configured to use the AES Key Wrap Encryption algorithm.

To Configure AES Key Wrap Encryption for Tomcat
  • Edit your container startup scripts, for example setenv.sh, to set the following JVM system properties in Tomcat:

    JAVA_OPTS="$JAVA_OPTS -Dcom.iplanet.security.encryptor=org.forgerock.openam.shared.security.crypto.AESWrapEncryption" (1)
    JAVA_OPTS="$JAVA_OPTS -Dorg.forgerock.openam.encryption.key.iterations=10000" (2)
    JAVA_OPTS="$JAVA_OPTS -Dorg.forgerock.openam.encryption.useextractandexpand=true" (3)
    JAVA_OPTS="$JAVA_OPTS -Dorg.forgerock.openam.encryption.key.size=256" (4)
    JAVA_OPTS="$JAVA_OPTS -Dorg.forgerock.openam.encryption.key.digest=SHA512" (5)

    1

    Enables use of AES Key Wrap encryption.

    2

    Specifies the iteration count of the encryption key.

    Large iteration counts, for example 20,000, slow down brute-force attacks when passwords are of low quality (shorter than 20 characters and easy to predict).

    AM does not have an iteration count requirement. However, it will log a warning if both of the following conditions are true:

    • The number of iterations is less than 10,000.

    • The AM encryption key is less than 20 characters long.

    3

    Enables the algorithm introduced in AM 7.1 that reduces the performance cost of AES Key Wrap encryption even when high iteration counts are used.

    If this property is unset and you configured a large iteration count, AM startup time may suffer if there are many agents in your deployment.

    Determine the optimal iteration count based on the security and performance requirements of your deployment.

    4

    Specifies the size of the encryption key.

    Configure the key size to meet the needs of your deployment.

    5

    Specifies the digest algorithm. Possible values are SHA1, SHA256, SHA384, or SHA512.

    Configure the digest algorithm to meet the needs of your deployment.

    Caution

    You cannot change these configuration parameters once AM has been installed.
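As an added illustration that is not AM's own code, the following standard JCE program shows what the properties above tune: a key-encryption key derived with PBKDF2 from the iteration count, key size and digest, then used to wrap and unwrap a data key with RFC 3394 AES Key Wrap ("AESWrap" in JCE). The password, salt, constant values and the weakSettings helper are constructed for the demo; the helper only mirrors the warning condition described above.

```java
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class AesKeyWrapDemo {
    // Constructed demo values mirroring three of the JVM properties above; not AM defaults.
    static final int ITERATIONS = 10000;   // org.forgerock.openam.encryption.key.iterations
    static final int KEY_SIZE_BITS = 256;  // org.forgerock.openam.encryption.key.size
    static final String DIGEST = "SHA512"; // org.forgerock.openam.encryption.key.digest
    // Derive the key-encryption key (KEK) from the encryption password with PBKDF2-HMAC-<digest>.
    // JCE names this "PBKDF2WithHmacSHA1", "PBKDF2WithHmacSHA256", ... matching the digest values.
    static SecretKey deriveKek(char[] password, byte[] salt, int iterations, int keySizeBits,
                               String digest) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmac" + digest);
        KeySpec spec = new PBEKeySpec(password, salt, iterations, keySizeBits);
        return new SecretKeySpec(f.generateSecret(spec).getEncoded(), "AES");
    }
    // "AESWrap" is the JCE name for RFC 3394 AES Key Wrap: wrap a data key under the KEK.
    static byte[] wrap(SecretKey kek, SecretKey dataKey) throws Exception {
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(Cipher.WRAP_MODE, kek);
        return c.wrap(dataKey);
    }
    // Unwrap fails with an exception if the KEK is wrong or the wrapped blob was tampered with.
    static SecretKey unwrap(SecretKey kek, byte[] wrapped) throws Exception {
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(Cipher.UNWRAP_MODE, kek);
        return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }
    // The condition the page says AM warns on: under 10,000 iterations AND a key under 20 characters.
    static boolean weakSettings(char[] password, int iterations) {
        return iterations < 10000 && password.length < 20;
    }
    public static void main(String[] args) throws Exception {
        char[] password = "constructed-demo-password-not-for-use".toCharArray(); // constructed sample
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        SecretKey kek = deriveKek(password, salt, ITERATIONS, KEY_SIZE_BITS, DIGEST);
        byte[] dataKeyBytes = new byte[32];
        new SecureRandom().nextBytes(dataKeyBytes);
        byte[] wrapped = wrap(kek, new SecretKeySpec(dataKeyBytes, "AES")); // 40 bytes: 32 + 8-byte check
        SecretKey recovered = unwrap(kek, wrapped);
        System.out.println("roundtrip=" + Arrays.equals(dataKeyBytes, recovered.getEncoded())
            + " weakSettings=" + weakSettings(password, ITERATIONS));
    }
}
```

Raising ITERATIONS makes deriveKek proportionally slower, which is the startup cost the extract-and-expand property is described as reducing when many agents each need a derived key.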
