Secure Storage for Application-Specific Data

Use

Certain applications or services need to be able to store sensitive data such as passwords. To save such data in encrypted form, they can use the AS Java's secure storage area. Data saved in this area is encrypted using a secret key that is created explicitly for the application or service.

Storage Approaches

There are two storage approaches available for storing the encrypted data:

  • Centralized storage

    With centralized storage, the application or service uses the Secure Storage service on the AS Java to encrypt and decrypt the data. It also stores this data in its secure storage context on the AS Java.

  • Decentralized storage

    With decentralized storage, the application or service maintains its own storage area for the encrypted data. It only uses the Secure Storage service on the AS Java for encrypting and decrypting the data.

Prerequisites

The Secure Storage and Key Storage services must be running when an application or service requests access to its secure storage area.

Activities

Obtaining a Context Area

Applications or services that use the AS Java's secure storage are assigned a designated context area in secure storage where the encrypted data is stored. To receive a context area, the application or service "registers" with the secure storage service.

The first time an application or service requests access to secure storage, no context exists for it yet. Registration therefore consists of the system creating a context for the application or service, generating a secret key for it, and granting the application access to that context for all future requests.

The application can then perform the following tasks:

  • Store and retrieve data in its context. The data is encrypted and decrypted using the secret key.
  • Modify or delete data in its context.
  • Generate or exchange keys.

The secret key is stored in the securestorage keystore view. You can view these keys in the Key Storage service.

The encrypted data is stored in the database.
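As an added illustration of the registration step and of the two storage approaches described above (a hypothetical model written for this page, not SAP's code or the real Secure Storage API): the `securestorage` keystore view and the database are stood in by in-memory maps, and the method names `register`, `encrypt`, `decrypt`, `store` and `retrieve` are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Hypothetical model of the Secure Storage service; not SAP's implementation or API. */
public class SecureStorageModel {
    // Stand-ins for the "securestorage" keystore view (one key per context) and the database
    private final Map<String, SecretKey> keystoreView = new HashMap<>();
    private final Map<String, Map<String, byte[]>> contexts = new HashMap<>();

    /** Registration: on first access the context and its own AES key are created. */
    public synchronized String register(String application) throws Exception {
        if (!keystoreView.containsKey(application)) {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            keystoreView.put(application, kg.generateKey());
            contexts.put(application, new HashMap<>());
        }
        return application; // handle the application uses for all later requests
    }

    /** Decentralized storage: the caller keeps the returned blob in its own storage area. */
    public byte[] encrypt(String context, byte[] plain) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv); // fresh nonce per entry, prepended to the ciphertext
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, keystoreView.get(context), new GCMParameterSpec(128, iv));
        c.updateAAD(context.getBytes(StandardCharsets.UTF_8)); // bind the blob to its context
        byte[] ct = c.doFinal(plain);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    public byte[] decrypt(String context, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, keystoreView.get(context), new GCMParameterSpec(128, blob, 0, 12));
        c.updateAAD(context.getBytes(StandardCharsets.UTF_8));
        return c.doFinal(blob, 12, blob.length - 12); // fails on tampering or a foreign context
    }

    /** Centralized storage: the service also keeps the ciphertext inside the context. */
    public void store(String context, String name, byte[] plain) throws Exception {
        contexts.get(context).put(name, encrypt(context, plain));
    }

    public byte[] retrieve(String context, String name) throws Exception {
        return decrypt(context, contexts.get(context).get(name));
    }
}
```

Calling `encrypt` or `decrypt` with a context that was never registered passes a null key to `Cipher.init` and throws, which mirrors the prerequisite that a context must exist before data can be handled.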

Using Console Commands

You can also manage the secure storage from the telnet console.

For more information, see Administration Using Telnet.