Keys and secrets
Java Agent uses cryptographic keys for encryption, signing, and securing network connections, as well as passwords. The following sections discuss how to secure keys and secrets in your deployment.
Small keys are easily compromised. Use at least the recommended key size.
In the JVM, the default ephemeral Diffie-Hellman (DH) key size is 1024 bits. To support stronger ephemeral DH keys and protect against weak keys, installations on Tomcat 8.5.37 and later versions use the Tomcat default DH key size of 2048 bits.
Increase the DH key size to protect against weak keys. For WebSphere Java Agent, set the jdk.tls.ephemeralDHKeySize=2048 system property. For other containers, and for more information, see Customizing Size of Ephemeral Diffie-Hellman Keys.
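Setting the property is only half the job; the size a listener actually negotiates is what matters. The following shell check is an added example, not part of the Java Agent documentation: it parses the "Server Temp Key" line that openssl s_client prints and compares it against a policy threshold. The 2048-bit threshold, the CATALINA_OPTS hint in the comments, and the probe_dh_size helper are assumptions.

```shell
#!/bin/sh
# Added example (not from the Java Agent documentation): audit the ephemeral
# DH key size a TLS listener negotiates, from `openssl s_client` output.
# The JVM side is set before startup, for example on Tomcat (assumed):
#   CATALINA_OPTS="-Djdk.tls.ephemeralDHKeySize=2048"
# MIN_DH_BITS is an assumed policy value matching the 2048-bit recommendation.
MIN_DH_BITS=2048

# Extract the bit length from a "Server Temp Key: DH, 2048 bits" line.
# Prints the number, or 0 if no ephemeral DH key was reported (for example
# when an ECDHE or RSA key exchange was negotiated instead).
dh_bits_from_output() {
    printf '%s\n' "$1" \
        | sed -n 's/^ *Server Temp Key: DH, \([0-9]*\) bits.*/\1/p' \
        | head -n 1 | grep . || echo 0
}

# Return 0 (success) if the reported DH size meets policy, 1 otherwise.
dh_size_ok() {
    bits=$(dh_bits_from_output "$1")
    [ "$bits" -ge "$MIN_DH_BITS" ]
}

# Probe a live host:port. Requires openssl; -cipher DHE asks for a DHE suite
# so the server's ephemeral DH size becomes visible in the output.
probe_dh_size() {
    out=$(printf '' | openssl s_client -connect "$1" -cipher 'DHE' 2>/dev/null)
    dh_bits_from_output "$out"
}

# Constructed sample lines, so the check can be exercised offline.
SAMPLE_WEAK='Server Temp Key: DH, 1024 bits'
SAMPLE_OK='Server Temp Key: DH, 2048 bits'

if [ "${1:-}" = "--probe" ] && [ -n "${2:-}" ]; then
    bits=$(probe_dh_size "$2")
    echo "$2 negotiated DH $bits bits (policy: >= $MIN_DH_BITS)"
fi
```

Run it as `sh check_dh.sh --probe host:443` against a listener; a reported size below 2048 bits means the property has not taken effect for that container.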
Rotate keys regularly to:
Limit the amount of data protected by a single key.
Reduce dependence on specific keys, making it easier to migrate to stronger algorithms.
Prepare for when a key is compromised. The first time you try key rotation shouldn’t be during a real-time recovery.
Conform to internal business compliance requirements.