How to Use Custom Cryptography (Encryption and Decryption) in PAM360?
By default, PAM360 encrypts all passwords and other sensitive information using the AES-256 symmetric encryption algorithm and stores only the encrypted data in the password database. The master encryption key is auto-generated and is unique for every installation. In this default setup, the encrypt and decrypt methods reside inside a PAM360 class file, so both the key generation and the encryption logic are handled by PAM360.
Apart from the default cryptography, PAM360 now provides an option to use custom cryptography: the encrypt and decrypt methods can be customized by implementing the Java interface 'PAM360EncryptDecrypt', with its setter and getter methods, so that you can use your own key and your own encryption logic.
Important Note: Before configuring custom cryptography, take a backup of the PAM360 folder. If the database server is configured on a different machine, take a copy of the entire PAM360 database as well. This avoids data loss if anything goes wrong during the configuration process. Also take the necessary precaution with regard to the following aspect:
Personal Password Management:
If you or other users in your organization have used 'Personal Password Management' in PAM360 with the option of specifying your own encryption key, which is NOT stored in PAM360, that data will be lost when you configure custom cryptography and cannot be retrieved later. Therefore, advise users to use the 'Export Passwords' option in the personal passwords section before configuration.
Steps to implement custom cryptography in an existing PAM360 installation
In brief, configuring custom cryptography in PAM360 involves writing an implementation class that runs your own encryption logic and then executing the migration script. Here are the steps in detail:
Step 1: Write your own implementation class
You first need to write your own class implementing the interface PAM360EncryptDecrypt.java, as explained below.
Please refer to the javadoc for interface PAM360EncryptDecrypt for more details.
- The generateCryptographicKey() method in the class should generate and return a new 32-bit key whenever it is called, while getPam32BitKey() should return the last generated 32-bit key whenever it is called.
- getMSSQLMasterKey() should return the database master encryption key that will be used while setting up an MSSQL Always-On cluster as the backend. If the return value is null or an empty string, cluster-level node switch-over operations will not be handled.
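The class below is an added illustration of an implementation of the PAM360EncryptDecrypt interface described in Step 1; it is not PAM360's own code and it is not the product's sample jar. It assumes the interface exposes String-based encrypt(String) and decrypt(String) methods alongside the three key methods named above; the exact signatures must be checked against the PAM360 javadoc before building the jar. It also assumes two environment variables, PAM360_CUSTOM_KEY_FILE (a file outside the PAM360 folder where the Base64-encoded key is persisted, since the page leaves key storage to the implementation) and PAM360_MSSQL_MASTER_KEY, both of which are this example's own convention rather than PAM360 settings. The key generated is 32 bytes (256 bits), the length AES-256 requires; confirm in the javadoc what key length the "32-bit" naming of getPam32BitKey() actually expects. Encryption uses AES-GCM with a fresh random nonce per record, so every stored value is authenticated and a modified record fails to decrypt instead of yielding garbage.

```java
package com.org.crypto;

import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Objects;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Illustrative implementation of PAM360EncryptDecrypt (not PAM360's own code).
// ASSUMPTION: the interface has String-based encrypt/decrypt methods plus the three
// key methods named in the PAM360 docs; confirm the exact signatures in the javadoc.
public class SampleEncryptDecrypt implements PAM360EncryptDecrypt {
    private static final String CIPHER = "AES/GCM/NoPadding";
    private static final int KEY_BYTES = 32;   // 256-bit key, the length AES-256 requires
    private static final int IV_BYTES = 12;    // standard GCM nonce size
    private static final int TAG_BITS = 128;   // authentication tag length
    private static final SecureRandom RNG = new SecureRandom();
    // Hypothetical environment variables (this example's convention, not PAM360 settings):
    // a file outside the PAM360 folder, readable only by the service account, holding the
    // Base64 key, and the optional MSSQL Always-On master key.
    private static final String KEY_FILE_ENV = "PAM360_CUSTOM_KEY_FILE";
    private static final String MSSQL_KEY_ENV = "PAM360_MSSQL_MASTER_KEY";

    private volatile String lastGeneratedKey;   // Base64 of the most recently generated key

    @Override
    public String generateCryptographicKey() {
        byte[] raw = new byte[KEY_BYTES];
        RNG.nextBytes(raw);                     // CSPRNG output, never a hard-coded or derived value
        String encoded = Base64.getEncoder().encodeToString(raw);
        writeKeyFile(encoded);                  // persist so the key survives a server restart
        lastGeneratedKey = encoded;
        return encoded;
    }
    @Override
    public String getPam32BitKey() {
        if (lastGeneratedKey == null) {
            lastGeneratedKey = readKeyFile();   // after a restart, reload the persisted key
        }
        return lastGeneratedKey;
    }
    @Override
    public String getMSSQLMasterKey() {
        // Only relevant with an MSSQL Always-On backend; null leaves cluster switch-over unhandled
        return System.getenv(MSSQL_KEY_ENV);
    }

    @Override
    public String encrypt(String plainText) {
        try {
            byte[] iv = new byte[IV_BYTES];
            RNG.nextBytes(iv);                  // fresh nonce per record: never reuse a nonce with GCM
            Cipher cipher = Cipher.getInstance(CIPHER);
            cipher.init(Cipher.ENCRYPT_MODE, currentKey(), new GCMParameterSpec(TAG_BITS, iv));
            byte[] ct = cipher.doFinal(plainText.getBytes(StandardCharsets.UTF_8));
            byte[] blob = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
            return Base64.getEncoder().encodeToString(blob);   // iv || ciphertext || tag
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("encryption failed", e);
        }
    }
    @Override
    public String decrypt(String cipherText) {
        try {
            byte[] blob = Base64.getDecoder().decode(cipherText);
            Cipher cipher = Cipher.getInstance(CIPHER);
            cipher.init(Cipher.DECRYPT_MODE, currentKey(), new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
            // doFinal verifies the tag; a modified or truncated record raises AEADBadTagException
            byte[] pt = cipher.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
            return new String(pt, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            throw new IllegalStateException("decryption failed or data tampered", e);
        }
    }

    private SecretKey currentKey() {
        String key = Objects.requireNonNull(getPam32BitKey(), "no key: call generateCryptographicKey() first");
        return new SecretKeySpec(Base64.getDecoder().decode(key), "AES");
    }
    private static Path keyFile() {
        return Paths.get(Objects.requireNonNull(System.getenv(KEY_FILE_ENV), KEY_FILE_ENV + " is not set"));
    }
    private static void writeKeyFile(String encoded) {
        try {
            Files.write(keyFile(), encoded.getBytes(StandardCharsets.UTF_8));
        } catch (IOException e) {
            throw new IllegalStateException("cannot persist key", e);
        }
    }
    private static String readKeyFile() {
        try {
            Path f = keyFile();
            return Files.exists(f) ? new String(Files.readAllBytes(f), StandardCharsets.UTF_8).trim() : null;
        } catch (IOException e) {
            throw new IllegalStateException("cannot read key", e);
        }
    }
}
```

Package the class as described in Step 2 and pass its fully qualified name, com.org.crypto.SampleEncryptDecrypt, to the migration script as shown in Step 4. Restrict the key file so that only the PAM360 service account can read it: whoever can read that file can decrypt every record in the password database, so it needs at least the same protection as the PAM360 installation itself.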
Step 2: Archive your implementation class
Now package your implementation class as SampleEncryption.jar and move it to the <PAM360-Installation Folder>/lib directory.
Step 3: Stop PAM360 server
Stop the PAM360 server if it is running.
Step 4: Execute the Migrate Cryptography script
Scenario 1: High Availability/Failover Service is not configured
Execute the MigrateCryptography.bat script available in the <PAM360_HOME>\bin folder and pass your implementation class as the argument.
Script Usage :- MigrateCryptography.bat com.org.crypto.SampleEncryptDecrypt
Scenario 2: High Availability/Failover Service is configured
Here are the steps to follow to execute the script if High Availability or Failover Service has been configured in PAM360:
- Stop and uninstall the secondary server.
- Configure custom cryptography in the primary server by executing MigrateCryptography.bat.
- Next, install a fresh secondary instance of PAM360.
- Now, reconfigure the High Availability/Failover service. The HAPack.zip or FOSPack.zip will contain the custom encryption jar.
Step 5: Add Custom Cryptography to PAM360ED File
After executing the script, open the file 'pam360ed.conf' in the <PAM360-Home>/conf folder. In the file, look for EDCLASS and add your jar entry next to it.
In the sample EDCLASS entry, MyOwnEncDecImpl1.jar,MyOwnEncDecImpl2.jar are sample cryptography jars. Rename your jar files as required and specify one or more jars in comma-separated format. If you are using third-party jars, specify them first, followed by the jar containing your implementation class.
Step 6: Start PAM360 server
After completing the above steps, start PAM360 for the implementation to take effect.