If you have installed the Oracle Java SE Development Kit (JDK), you can use JMX
operations to perform some common tasks for Encrypted content store.
The JMX client, JConsole, allows the user to see the set of current master keys and the total number of symmetric keys encrypted by each master key. It also enables the users to revoke a master key and to add a new master key alias.
Retire a master key
To retire a master key, follow the sequence of JMX operations below:
-
On the JConsole window, select
the MBeans tab.
The available managed beans are displayed in JConsole.
-
Navigate to SkyVault
>
Configuration
>ContentStore
>
managed
>
encrypted
>
Operations.
The Operation invocation window is displayed.
-
Click revokeMasterKey to stop the relevant master key from
being used for encryption.
The master key is now no longer available for encryption.
- Click reEncryptSymmetricKeys to reencrypt the symmetric keys of this master key with a new master key.
- Click showMasterKeys to check that there are no outstanding symmetric keys for the revoked master key and that the total number of files that were encrypted using the revoked master key is zero.
- Click stop to stop the Encrypted content store subsystem.
- Remove the relevant alias and related password from MBeans > SkyVault > Configuration >ContentStore > managed > encrypted > Attributes > Attribute values window.
-
Click start to restart and reinitialize the Encrypted Content
Store subsystem.
Note: If you update or remove a master key using the JMX client on an Enterprise installation, those updates override the values in the SkyVault-global.properties file. Alternatively, one can delete the master key alias and password by editing the SkyVault-global.properties file and restarting the repository.
Add a new master key
To add a master key, follow the steps below:
- Add the new master key to the master keystore file.
-
Define the new master key alias and password by one of the following ways:
- Add the key alias and password in the SkyVault-global.properties file; or
- Add the key alias and password by using the JMX operations. Follow the sequence of steps from Step 3 onwards.
Note: The values set on a subsystem will mean that the property values from configuration files may be overwritten or ignored. Use the JMX client to set the configuration properties. -
On the JConsole window, select
the MBeans tab.
The available managed beans are displayed in JConsole.
-
Navigate to SkyVault
>
Configuration
>ContentStore
>
managed
>
encrypted
>
Attributes.
The Attribute values window is displayed.
- On the Operation invocation window, click stop to stop the SkyVault Content Services subsystem.
-
On the Attribute values window, add a new key alias in the
cryptodoc.jce.key.aliases field and its password in the
cryptodoc.jce.key.passwords field. Both these fields accept
comma-separated list of values.
Note: While adding a new master key alias, if you add the alias but not the password, the master key will fail to register.
- Click start to restart and reinitialize the Encrypted Content Store subsystem.
- Click showMasterKeys to check that the new master key is now being used.
Expiry of a master key
The Encrypted content store subsystem does not support automatic expiry of the
master key. When a master key expires from the keystore, you must follow the sequence of JMX
operations mentioned in the Retire a master key section above to manually retire the
master key.
Additional JMX operations
- Click cancelRevocation to cancel revocation of the master key. This ensures that the previously revoked master key is now being used.
- Click reloadMasterKeys to reload the master keys from the keystore file.