Data Storage Security

The AS Java provides a secure storage area where applications or service components on the AS Java can store sensitive data such as passwords or communication destinations, in encrypted form. Data saved in this area is encrypted using a secret key that is created explicitly for the application or service component.

Secure Storage for Application Specific Data

Applications or application components, deployed on the AS Java, can save sensitive data in encrypted form in a secure storage area in the AS Java's configuration database. The data saved in this area is encrypted using a secret key that is created explicitly for the application or service. The AS Java uses the triple DES algorithm to perform the encryption.

You can use two approaches for storing and maintaining the encrypted data for the individual applications or application components:

  • Centralized storage

    With centralized storage, applications or application components use the Secure Storage service on the AS Java to encrypt and decrypt the data. This data is also stored in the corresponding secure storage context on the AS Java. You can control the parameters of this secure storage area from the properties of the Configuration Manager.

  • Decentralized storage

    With decentralized storage, the applications and application components maintain their own storage area for the encrypted data. They use the Secure Storage service on the AS Java only to retrieve the key, which is necessary to encrypt and decrypt the data.

Integration

Applications or services can use the AS Java's Secure Storage service to encrypt and store sensitive data such as passwords. To use the AS Java secure store, applications or services are assigned a designated context area in the secure storage where the corresponding encrypted data is stored.

To receive a context area, AS Java applications or services register with the secure storage service. The first time an application or service requests access to secure storage, the AS Java registers the application or service, creates a context for the application or service, generates a secret key, and allows the application access to the context for future requests. For more information, see Secure Storage for Application-Specific Data in the Administration Manual.

Encryption of the state Field of JSF Pages

To ensure that client-side state is protected, we recommend that you encrypt the state. To do that, you must add the com.sun.faces.ClientStateSavingPassword entry to the web.xml deployment descriptor. You can do this as follows:

<env-entry>
    <env-entry-name>com.sun.faces.ClientStateSavingPassword</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>SOME_PASSWORD</env-entry-value>
</env-entry>

This causes the state to be encrypted using the specified password (SOME_PASSWORD).
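
A pre-deployment check for the entry described above, added here as an example and not part of the original documentation: it parses a web.xml and reports when the entry is missing, has the wrong type, is blank, or still carries the sample value SOME_PASSWORD. The function name, the finding strings and the sample descriptor are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

ENTRY_NAME = "com.sun.faces.ClientStateSavingPassword"
PLACEHOLDERS = {"SOME_PASSWORD"}  # sample value from the documentation

# Constructed sample: a namespaced web.xml that still has the sample value.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <env-entry>
    <env-entry-name>com.sun.faces.ClientStateSavingPassword</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>SOME_PASSWORD</env-entry-value>
  </env-entry>
</web-app>"""


def _local(tag):
    # '{namespace}env-entry' -> 'env-entry'; plain tags pass through.
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def audit_client_state_password(web_xml):
    """Return findings for the entry; an empty list means none."""
    root = ET.fromstring(web_xml)
    entries = [e for e in root.iter() if _local(e.tag) == "env-entry"
               and _child_text(e, "env-entry-name") == ENTRY_NAME]
    if not entries:
        return ["missing: no env-entry named " + ENTRY_NAME]
    findings = []
    for entry in entries:
        if _child_text(entry, "env-entry-type") != "java.lang.String":
            findings.append("type: env-entry-type is not java.lang.String")
        value = _child_text(entry, "env-entry-value")
        if not value:
            findings.append("empty: env-entry-value is missing or blank")
        elif value in PLACEHOLDERS:
            findings.append("placeholder: value is still " + value)
    return findings


if __name__ == "__main__":
    for finding in audit_client_state_password(SAMPLE_WEB_XML):
        print(finding)
```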