Various passwords within Cúram property files and configurations are stored in an encrypted format out-of-the-box (OOTB).
The Cúram crypto configuration works out-of-the-box, but it is recommended that you modify these settings to meet your local security requirements.
For instance, the OOTB settings may be adequate in development, but for production environments it is strongly recommended that you modify them (e.g. by changing the cipher secret key).
The cipher settings are stored in the CryptoConfig.properties file. The properties and their values are as follows:
- curam.security.crypto.cipher.algorithm
- curam.security.crypto.superseded.cipher.algorithm
  - Valid values: See curam.security.crypto.cipher.algorithm
  - Default: None
  - Purpose: Provides for flexibility to support an upgrade/migration period for Cúram user passwords with custom code (e.g. a batch program) via the curam.util.security.EncryptionUtil.decryptSupersededPassword() API. The use of an upgrade/migration period is explained in more detail in How to Utilize the Superseded Digest Settings for a Period of Migration.
- curam.security.crypto.cipher.keystore.location
  - Valid values: Path to keystore file containing secret key. This can be an absolute path specification or relative to the classpath (e.g. CuramSample.keystore).
  - Default: None
- curam.security.crypto.cipher.keystore.storepass
  - Valid values: As per the JDK keytool command.
  - Default: password
  - Purpose: Specify the password used to access the keystore.
- curam.security.crypto.cipher.provider.class
  - Valid values: Fully-qualified name of a JCE cryptography provider class.
  - Default: blank
  - Purpose: Optional way to enable the use of an alternate standards-compliant provider.
This ciphering functionality applies to the properties as described in Cipher-Encrypted Passwords.
These Cúram cryptographic settings are enabled by default OOTB and represent changes that existing Cúram installations must address, as documented in the Cúram Upgrade Guide.
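The following pre-production check is an added example, not Cúram code: it reads the text of a CryptoConfig.properties file and reports settings still at the defaults listed above. It assumes the storepass value appears literally in the file and that an unset keystore location means the OOTB secret key is still in use; the severities, messages, sample paths and sample values are constructed for illustration.

```python
import re

# Property names come from the page; severities and messages are this example's own.
PREFIX = "curam.security.crypto."
STOREPASS = PREFIX + "cipher.keystore.storepass"
LOCATION = PREFIX + "cipher.keystore.location"
SUPERSEDED = PREFIX + "superseded.cipher.algorithm"
PROVIDER = PREFIX + "cipher.provider.class"

def parse_properties(text):
    """Parse the common subset of Java .properties syntax into a dict."""
    props = {}
    logical = re.sub(r"\\\r?\n[ \t]*", "", text)  # join backslash-continued lines
    for line in logical.splitlines():
        line = line.strip()
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)  # key, '=' or ':', value
        if m and line[0] not in "#!":  # skip blank lines and comments
            props[m.group(1)] = m.group(2).strip()
    return props

def audit(text):
    """Return (severity, key, message) findings for a CryptoConfig.properties body."""
    p = parse_properties(text)
    findings = []
    if p.get(STOREPASS, "password") == "password":  # absent means the default applies
        findings.append(("WARN", STOREPASS, "keystore password is the documented default"))
    if not p.get(LOCATION):  # assumption: unset location means the OOTB key is in use
        findings.append(("WARN", LOCATION, "no keystore configured for the secret key"))
    if p.get(SUPERSEDED):
        findings.append(("INFO", SUPERSEDED, "superseded cipher set; migration still open"))
    if p.get(PROVIDER):
        findings.append(("INFO", PROVIDER, "alternate JCE provider: " + p[PROVIDER]))
    return findings

# Constructed sample files (not taken from a real installation).
OOTB_LIKE = """\
# storepass left at the documented default, no keystore configured
curam.security.crypto.cipher.keystore.storepass=password
curam.security.crypto.cipher.provider.class=
"""
HARDENED = """\
curam.security.crypto.cipher.keystore.location = /opt/secure/prod.keystore
curam.security.crypto.cipher.keystore.storepass: constructed-non-default-value
"""

if __name__ == "__main__":
    for name, text in (("ootb-like", OOTB_LIKE), ("hardened", HARDENED)):
        for finding in audit(text) or [("OK", "-", "no findings")]:
            print(name, *finding)
```

Run it against the production copy of the file as a deployment gate; INFO findings are reminders to close out a migration period or confirm the provider, not failures.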