Certain applications or services need to be able to store sensitive data such as passwords. To save such data in encrypted form, they can use the AS Java’s secure storage area. Data saved in this area is encrypted using a secret key that is created explicitly for the application or service.
The server uses the triple DES (Data Encryption Standard) algorithm to perform the encryption.
There are two storage approaches available for storing the encrypted data:
● Centralized storage
With centralized storage, the application or service uses the Secure Storage service on the AS Java to encrypt and decrypt the data. It also stores this data in its secure storage context on the AS Java.
● Decentralized storage
With decentralized storage, the application or service maintains its own storage area for the encrypted data. It only uses the Secure Storage service on the AS Java for encrypting and decrypting the data.
The Secure Storage and Key Storage services must be running when an application or service requests access to its secure storage area.
Applications or services that use the AS Java’s secure storage are assigned a designated context area in secure storage where the encrypted data is stored. To receive a context area, the application or service “registers” with the secure storage service.
The first time the application or service requests access to secure storage, no context exists yet. The system therefore registers it by creating a context for the application or service, generating a secret key, and granting the application access to that context for future requests.
The application can then perform the following tasks:
● Store and retrieve data in its context. The data is encrypted and decrypted using the secret key.
● Modify or delete data in its context.
● Generate or exchange keys.
Access to the contexts is protected using code-based permissions so that applications cannot access contexts belonging to other applications.
The secret key is stored in the securestorage keystore view. You can view these keys in the Key Storage service.
The encrypted data is stored in the database.
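To make the context and key model concrete, here is an added example that is not SAP's code or API: a small Java model of the service with a keystore of per-context Triple DES keys, a database of encrypted entries for centralized storage, an encrypt/decrypt pair for decentralized storage, and a caller check that stands in for the code-based permissions. The class name, method names, the IV-prefixed blob layout and the caller/context string comparison are assumptions made for the illustration.

```java
import java.nio.ByteBuffer;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.IvParameterSpec;

// Hypothetical model of the secure storage service (not SAP's API): one Triple DES key per context.
public class SecureStorageModel {
    private static final String CIPHER = "DESede/CBC/PKCS5Padding";
    private final Map<String, SecretKey> keystore = new HashMap<>();          // keystore view
    private final Map<String, Map<String, byte[]>> database = new HashMap<>(); // centralized data

    // First access registers the context and generates its key. The caller/context
    // comparison stands in for the code-based permission check on the real server.
    private SecretKey keyFor(String caller, String context) throws Exception {
        if (!caller.equals(context))
            throw new SecurityException(caller + " may not access context " + context);
        SecretKey key = keystore.get(context);
        if (key == null) {
            key = KeyGenerator.getInstance("DESede").generateKey();
            keystore.put(context, key);
            database.put(context, new HashMap<>());
        }
        return key;
    }

    // Decentralized use: the application keeps the returned blob (IV || ciphertext) itself.
    public byte[] encrypt(String caller, String context, byte[] plain) throws Exception {
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(Cipher.ENCRYPT_MODE, keyFor(caller, context)); // provider generates a random IV
        byte[] iv = c.getIV(), ct = c.doFinal(plain);
        return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
    }

    public byte[] decrypt(String caller, String context, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(Cipher.DECRYPT_MODE, keyFor(caller, context), new IvParameterSpec(Arrays.copyOf(blob, 8)));
        return c.doFinal(Arrays.copyOfRange(blob, 8, blob.length));
    }

    // Centralized use: the service keeps the encrypted entry in its own database.
    public void store(String caller, String context, String name, byte[] plain) throws Exception {
        byte[] blob = encrypt(caller, context, plain); // registers the context if needed
        database.get(context).put(name, blob);
    }

    public byte[] retrieve(String caller, String context, String name) throws Exception {
        keyFor(caller, context); // permission check before touching the database
        return decrypt(caller, context, database.get(context).get(name));
    }
}
```

In this model a call such as retrieve("appB", "appA", "dbPassword") is refused by the check in keyFor before any key or stored entry is touched, which is the isolation property the code-based permissions provide on the server.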
You can use the Secure Storage service in the Visual Administrator to replace an application’s secret key, for example, if you think it has been compromised. For more information, see Replacing an Application's Secret Key.
For information about using the corresponding console commands, see the shell commands for secure storage in the Reference Manual.