This topic provides information about the data and credentials encrypted by Content Engine. See also Edit Content Engine bootstrap properties.
Content Engine encrypts the following credentials that are stored in the GCD:
Note: You can view and modify these IDs and passwords in Enterprise Manager. See View and modify FileNet P8 domain properties.
Any attempt to retrieve these password fields through a public API returns zero-length binary data. As a result, a null value is emitted when any object containing a password field is exported, and you must reset the password before you can use the imported object.
Content Engine uses a single 128-bit Master Key for encrypting and decrypting all credentials. The Master Key is generated during Content Engine configuration by using a one-way hash on a phrase supplied while running Configuration Manager, in the configure bootstrap task. You should choose a phrase that follows these guidelines:
During configuration, the generated Master Key is stored in the Content Engine EAR file where it can be retrieved programmatically, but is not otherwise available. Because the Master Key is not a password, the phrase does not need to adhere to any policy for changing passwords. You should take appropriate precautions protecting the original phrase.
If the EAR file is corrupted, you can regenerate a new EAR file with the same key by running the Bootstrap Configuration Utility and supplying the original Master Key (that is, the original phrase). The passwords stored in the database are unaffected by a corrupted EAR file or Master Key, as long as there is no serious disk or file system corruption. Entering the original phrase for the Master Key produces the same encryption key, so you do not need to re-enter all the passwords stored in the database.
An EAR file with the same Master Key must be used across all servers in the FileNet P8 domain.
If the Master Key is lost or corrupted, the credentials listed above must be reset by the GCD administrator whenever any of the encrypted information in the GCD has to be changed or reset.
Resetting the keys must be done by someone who knows the existing passwords (for Verity, Liquent, Directory service user, fixed storage devices, and so on) or who has the ability to reset those passwords. When the Master Key is lost, corrupted or changed, you will have to follow these basic steps:
For assistance, visit the IBM Information Management support page (www.ibm.com/software/data/support).
Content Engine uses symmetric key encryption to encrypt sensitive data at rest. It uses a single algorithm and key strength, 128-bit AES. The Content Engine credentials encryption module can use an alternate encryption algorithm supplied by any JCE (Java Cryptographic Extension) provider.
Process Engine server piggybacks on the Content Engine API for the purpose of authenticating clients. Users of the Process Engine Java API will perform a Java™ Authentication and Authorization Service (JAAS) login, and then make a call to the Content Engine server. The Content Engine server will authenticate the caller, establishing the validity of their JAAS credentials, and return an identity token. The Process Engine API client will then pass this identity token to the Process Engine server. The Process Engine server will rely on this token to establish the client’s identity. This mechanism relies on the use of several symmetric encryption keys. Refer to Process Engine Authentication for details about these keys and their usage.
PKI encryption is used to encrypt sensitive data sent over the wire between clients and Content Engine. Enterprise Manager provides support for setting the passwords used to access Verity collection, and various fixed content provider implementations (CFS-IS, Centera, SnapLock, and others).
The public key of the pair is a property of the FileNet P8 Domain object. Enterprise Manager will use the public key to encrypt password fields that are to be sent to the server.
The private key of the pair will also be stored in the GCD, encrypted with the Content Engine Master Key. The private key will not be accessible via any client API; only Content Engine server code has access to it. Asymmetric encryption is done using 1024-bit keys with the RSA algorithm. The server will decrypt incoming password properties with the private key. These values will then be encrypted using the FileNet P8 Domain's Master Key prior to being persisted. The PKI key pair used for asymmetric encryption will be generated as a part of creating a FileNet P8 domain, via calls to the standard Java™ Cryptography Extension (JCE) provider. Any time Content Engine generates a new Master Key for a FileNet P8 Domain object, it will re-generate this PKI key pair as well.
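The following Java program is an added illustration of the two layers described on this page (the Master Key derived from a bootstrap phrase in the section above, and the RSA domain key pair that wraps password fields on the wire in this section). It is not Content Engine code, and several details are assumptions because the page does not state them: the one-way hash is taken to be SHA-256 truncated to 128 bits, the Master Key cipher mode is AES-GCM (an authenticated mode, so a wrong key fails cleanly instead of returning garbage), and the class and method names are invented for the example. What it shows is that the same phrase reproduces the same key, so stored credentials still decrypt after the EAR file is regenerated, while a different phrase leaves them unrecoverable and they must be reset.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical model of Master Key derivation and the RSA password-wrapping flow.
// Not product code; hash, cipher mode and names are assumptions for this example.
public class CredentialVaultDemo {

    // Assumption: "one-way hash on the phrase" = SHA-256 truncated to 16 bytes (128-bit AES key).
    static SecretKey deriveMasterKey(String phrase) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(phrase.getBytes(StandardCharsets.UTF_8));
        return new SecretKeySpec(Arrays.copyOf(digest, 16), "AES");
    }

    // AES-128 under the Master Key; GCM mode with a random 12-byte nonce prepended (assumed mode).
    static byte[] encryptWithMasterKey(SecretKey masterKey, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, masterKey, new GCMParameterSpec(128, nonce));
        byte[] body = c.doFinal(plaintext);
        byte[] out = new byte[nonce.length + body.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(body, 0, out, nonce.length, body.length);
        return out;
    }

    // Throws AEADBadTagException if the key differs from the one used to encrypt.
    static byte[] decryptWithMasterKey(SecretKey masterKey, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, masterKey, new GCMParameterSpec(128, Arrays.copyOf(blob, 12)));
        return c.doFinal(blob, 12, blob.length - 12);
    }

    // Domain key pair generated through the standard JCE provider (1024-bit RSA, as the page states).
    static KeyPair generateDomainKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(1024);
        return kpg.generateKeyPair();
    }

    // Client side (Enterprise Manager role): encrypt a password field with the domain public key.
    static byte[] clientWrapPassword(PublicKey pub, String password) throws Exception {
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, pub);
        return rsa.doFinal(password.getBytes(StandardCharsets.UTF_8));
    }

    // Server side: decrypt with the private key, then re-encrypt under the Master Key before persisting.
    static byte[] serverReceiveAndPersist(PrivateKey priv, SecretKey masterKey, byte[] wire) throws Exception {
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.DECRYPT_MODE, priv);
        byte[] password = rsa.doFinal(wire);
        return encryptWithMasterKey(masterKey, password);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values for the demonstration.
        String phrase = "sample bootstrap phrase, not a real one";
        SecretKey masterKey = deriveMasterKey(phrase);
        KeyPair domain = generateDomainKeyPair();

        // The private key itself is persisted encrypted under the Master Key, never exposed to clients.
        byte[] storedPrivateKey = encryptWithMasterKey(masterKey, domain.getPrivate().getEncoded());
        System.out.println("private key stored as " + storedPrivateKey.length + " encrypted bytes");

        // A password travels RSA-wrapped and is persisted AES-wrapped under the Master Key.
        byte[] wire = clientWrapPassword(domain.getPublic(), "sample-directory-bind-password");
        byte[] persisted = serverReceiveAndPersist(domain.getPrivate(), masterKey, wire);

        // Re-deriving from the same phrase (e.g. after regenerating the EAR file) recovers the credential.
        SecretKey regenerated = deriveMasterKey(phrase);
        System.out.println("recovered: "
                + new String(decryptWithMasterKey(regenerated, persisted), StandardCharsets.UTF_8));

        // A different phrase yields a different key: the stored credential cannot be read and must be reset.
        try {
            decryptWithMasterKey(deriveMasterKey("a different phrase"), persisted);
        } catch (Exception e) {
            System.out.println("wrong Master Key: " + e.getClass().getSimpleName() + " - reset required");
        }
    }
}
```

Compile and run with `javac CredentialVaultDemo.java && java CredentialVaultDemo`; it needs only the JDK's built-in JCE provider. The separation of roles is the point to notice: the client never holds the Master Key, the server never persists the RSA-wrapped form, and the private key is only ever readable by code that already has the Master Key.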
Content Engine does not provide features for encrypting the data contained in content files being transmitted between Content Engine and the fixed content storage device or file storage area. You should therefore consider whether and how to provide this type of security. While in storage, however, content files are secure. See File storage area and content cache area access rights.