This topic describes how to encrypt sensitive data when configuring AMS.
Sensitive data, such as passwords in AMS configuration files, can be encrypted using a master secret cryptographic key. When a master secret is created, AMS generates a random cryptographic shared secret and stores it in a user-specified KeyStore file. The KeyStore file is then encrypted with a user-specified password. The generated encrypted data can then be pasted into AMS configuration files.
AMS configuration is the only location that requires sensitive data encryption.
Only password-specific property values are decrypted. Decryption requires that you specify the master secret file via the masterSecretFile property in the AMS.conf file.
AMS is responsible for:
Extracting the master secret from the KeyStore and placing it in a master secret file.
Obtaining the master secret from a master secret file.
Using the master secret in the sensitive data decryption process.
See the Resources section for KeyStore guidelines.
Use the following AMS command options to encrypt AMS data:
ams-server --secret create --keystore keystore-path [--keystorepassword pass-phrase]
Creates a master secret and stores it in the KeyStore file.
ams-server --secret encrypt --keystore keystore-path [--keystorepassword pass-phrase] [--data clear-text]
Encrypts sensitive data using the master secret in the KeyStore.
ams-server --secret generate --keystore keystore-path [--keystorepassword pass-phrase] [--mastersecretfile master-secret-file]
Extracts the master secret from the KeyStore and writes it to the file. This result must be enclosed in single quotes when used as a value in --substitutions on Linux and macOS systems.
As of AMS 1.4.0, the ams-server --cipher command option is deprecated. AMS continues to support decryption of sensitive data previously generated by the --cipher option, for backward compatibility. Support for the command option is expected to be removed in a future release.
To determine whether AMS is configured with a master secret, AMS detects any master secret configuration at startup and reports the result, together with details of that configuration, through log messages at the INFO level.
The path to the master secret file can be on a local or remote secure file system. It is your responsibility as the AMS administrator to ensure AMS has the correct path and read access to this file.
In the examples below, long command lines wrap onto the next line for clarity.
AMS creates a KeyStore containing the master secret without the --keystorepassword option: AMS prompts for the KeyStore password in the console during server startup.
ams-server --secret create --keystore /app-data/ams/keystores/AMS-MasterSecret-1.ks
AMS creates a KeyStore containing the master secret with --keystorepassword option:
ams-server --secret create --keystore /app-data/ams/keystores/AMS-MasterSecret-2.ks --keystorepassword SuperSecret
AMS encrypts sensitive data using a KeyStore without --keystorepassword or --data options: AMS prompts for the KeyStore password and data in the console during server startup.
ams-server --secret encrypt --keystore /app-data/ams/keystores/AMS-MasterSecret-1.ks
AMS encrypts sensitive data using a KeyStore without the --data option: AMS prompts for the data in the console during server startup.
ams-server --secret encrypt --keystore /app-data/ams/keystores/AMS-MasterSecret-1.ks --keystorepassword SuperSecret
AMS encrypts sensitive data using a KeyStore without the --keystorepassword option: AMS prompts for the KeyStore password in the console during server startup.
ams-server --secret encrypt --keystore /app-data/ams/keystores/AMS-MasterSecret-1.ks --data Password-1
AMS generates the master secret file from the KeyStore without --keystorepassword or --mastersecretfile options: AMS prompts for the KeyStore password and master secret file in the console during server startup.
ams-server --secret generate --keystore /app-data/ams/keystores/AMS-MasterSecret-1.ks
AMS generates the master secret file from the KeyStore without the --mastersecretfile option: AMS prompts for the master secret file in the console during server startup.
ams-server --secret generate --keystore /app-data/ams/keystores/AMS-MasterSecret-1.ks --keystorepassword SuperSecret
AMS generates the master secret file from the KeyStore without the --keystorepassword option: AMS prompts for the KeyStore password in the console during server startup.
ams-server --secret generate --keystore /app-data/ams/keystores/AMS-MasterSecret-1.ks --mastersecretfile /app-data/ams/keystores/AMS-MasterSecret-3.data
AMS generates the master secret file from the KeyStore with all options:
ams-server --secret generate --keystore /app-data/ams/keystores/AMS-MasterSecret-1.ks --keystorepassword SuperSecret --mastersecretfile /app-data/ams/keystores/AMS-MasterSecret-4.data
List the master secret file in the /app-data/ams/keystores directory and notice the permissions:
ls -la /app-data/ams/keystores
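The permissions shown by ls -la are worth checking automatically: the master secret file must be readable by the account that runs ams-server and by nobody else. The following POSIX shell check is an added example, not part of the AMS documentation or product; it inspects the group and other permission bits of whatever path it is given (the sample files it creates under a temporary directory are constructed so that the example runs offline).

```shell
# Added example (not from the AMS documentation): verify that the master
# secret file referenced by masterSecretFile in AMS.conf is readable by the
# current account and carries no group or world permission bits.
# Exit status 0 means the file passes; 1 means missing, unreadable, or too
# permissive. Pass the real path as $1; the sample paths below are constructed.

check_master_secret_file() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "missing: $f" >&2
        return 1
    fi
    if [ ! -r "$f" ]; then
        echo "not readable by $(id -un): $f" >&2
        return 1
    fi
    # ls -ld prints e.g. "-rw------- 1 ams ams ..."; characters 5-10 are the
    # group and other permission bits, which must all be '-'.
    mode=$(ls -ld "$f" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "too permissive (group/other bits set, mode field '$mode'): $f" >&2
        return 1
    fi
    return 0
}

# Usage with constructed sample files so the check can be exercised offline:
demo_dir=$(mktemp -d)
printf 'constructed-sample-secret\n' > "$demo_dir/AMS-MasterSecret-ok.data"
chmod 600 "$demo_dir/AMS-MasterSecret-ok.data"
printf 'constructed-sample-secret\n' > "$demo_dir/AMS-MasterSecret-bad.data"
chmod 644 "$demo_dir/AMS-MasterSecret-bad.data"

check_master_secret_file "$demo_dir/AMS-MasterSecret-ok.data"  && echo "ok file passes"
check_master_secret_file "$demo_dir/AMS-MasterSecret-bad.data" || echo "bad file rejected"
```

Run the function against the real master secret file from the service account (for example via su or sudo -u) rather than as root, because root can read the file regardless of its mode and the readability test would then prove nothing about the service account.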
Configured without the KeyStore password and data:
ams-server --secret encrypt --keystore /KeyStores/AMS-MS.ks
Resulting notification:
KeyStore password: Enter data to encrypt: Confirm data: #!!EtVbgIa/eGIzzbJCiKPZ/uI1TkKbsgRFVx6cPvEPq6tJ81m/eLU=
Configured with the KeyStore password but without data:
ams-server --secret encrypt --keystore /KeyStores/AMS-MS.ks --keystorepassword SuperSecret
Resulting notification:
Enter data to encrypt: Confirm data: #!!EtVbgIa/eGIzzbJCiKPZ/uI1TkKbsgRFVx6cPvEPq6tJ81m/eLU=
Configured with the KeyStore password and data:
ams-server --secret encrypt --keystore /KeyStores/AMS-MS.ks
--keystorepassword SuperSecret
--data MyPassword
Resulting notification:
#!!EtVbgIa/eGIzzbJCiKPZ/uI1TkKbsgRFVx6cPvEPq6tJ81m/eLU=
The encrypted value contains the Bash special characters '!!', which must be enclosed in single quotes. Example:
--substitutions username=test,passwd='#!!EtVbgIa/eGIzzbJCiKPZ/uI1T=='
The encrypted value contains the Windows special character '!', which is not allowed in Windows scripts. Use the --substitutionfile option to use this value in a substitution variable.
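The two quoting notes above come down to one rule: a value containing '!' must never reach an interactive Bash prompt unquoted, and on Windows it must come from a file rather than a script. The helpers below are an added example, not part of the AMS documentation or product. They detect such a value, emit a correctly single-quoted key='value' pair for pasting (escaping any embedded single quote as '\'' so the quoting stays balanced), and write an owner-only substitution file as the quoting-free alternative. The key=value line format written to that file is an assumption; the AMS --substitutionfile documentation defines the actual format. The encrypted sample value is the one shown on this page.

```shell
# Added example, not part of the AMS documentation: helpers for handling an
# encrypted value that contains '!!' when it passes through a shell.
# In an interactive bash session, history expansion rewrites '!!' as the
# previous command unless the value is single-quoted (or history expansion is
# turned off with 'set +H'); inside a non-interactive script it is off by
# default. The key=value line format used for the substitution file below is
# an assumption, not the documented AMS format.

# Return 0 when the value contains '!' and therefore cannot be typed unquoted
# at an interactive Bash prompt or used at all in a Windows script.
needs_quoting() {
    case "$1" in
        *!*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Emit key='value' for pasting into an interactive shell. Any single quote
# inside the value is rewritten as '\'' so the quoting stays balanced.
quote_substitution() {
    escaped=$(printf '%s' "$2" | sed "s/'/'\\\\''/g")
    printf "%s='%s'" "$1" "$escaped"
}

# Write key=value lines to a substitution file created owner-only (umask 077
# inside a subshell so the caller's umask is untouched), for use with
# --substitutionfile; this avoids shell quoting entirely and is the route
# to use on Windows, where '!' is not allowed in scripts.
write_substitution_file() {
    file="$1"
    shift
    (
        umask 077
        : > "$file"
        for kv in "$@"; do
            printf '%s\n' "$kv" >> "$file"
        done
    )
}

# Usage with the encrypted sample value shown on this page:
enc='#!!EtVbgIa/eGIzzbJCiKPZ/uI1T=='
if needs_quoting "$enc"; then
    printf 'Paste into an interactive shell as: --substitutions username=test,%s\n' \
        "$(quote_substitution passwd "$enc")"
fi
subst_file=$(mktemp)
write_substitution_file "$subst_file" "username=test" "passwd=$enc"
echo "substitution file written to $subst_file (owner-only)"
```

quote_substitution produces text meant to be typed or pasted at a prompt; inside a script, pass the value in a normal double-quoted argument instead, since no history expansion happens there. Treat the substitution file like the master secret file: owner-only permissions and removal once the value has been consumed.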