How to Use Custom Cryptography (Encryption and Decryption) in PAM360?
By default, PAM360 encrypts all passwords and other sensitive information with the AES-256 symmetric encryption algorithm and stores only the encrypted data in the password database. The master encryption key is auto-generated and is unique to every installation. In this default setup, the key generation, encryption and decryption logic all reside inside PAM360's own classes. Apart from the default cryptography, PAM360 now provides an option to use custom cryptography: the encrypt and decrypt methods can be customized by implementing the Java interface PAM360EncryptDecrypt (with its setter and getter methods), so that you can use your own key and your own encryption logic. With custom cryptography, generating, protecting and backing up the key become your responsibility; if that key is lost, every password encrypted with it becomes unrecoverable.
Personal Password Management
If you or other users in your organization have used 'Personal Password Management' in PAM360 with the option of specifying your own encryption key, which is NOT stored in PAM360, that data will be lost when you configure custom cryptography and cannot be retrieved later. Therefore, advise users to use the 'Export Passwords' option in the personal passwords section before you start the configuration.
Steps to implement custom cryptography in an existing PAM360 installation
In summary, configuring custom cryptography in PAM360 means writing an implementation class that runs your own encryption logic, packaging it, and running the migration script against it. Here are the steps in detail:
Step 1: Write your own implementation class
First write your own class implementing the interface PAM360EncryptDecrypt.java. Refer to the javadoc for the interface PAM360EncryptDecrypt for the method signatures and further details.
Step 2: Archive your implementation class
Package your implementation class into a jar, for example SampleEncryption.jar, and move it to the <PAM360-Installation Folder>/lib directory.
Step 3: Stop PAM360 server
Stop the PAM360 server if it is running.
Step 4: Execute the Migrate Cryptography script
Scenario 1: High Availability/Failover Service is not configured
Execute the MigrateCryptography.bat script available in the <PAM360_HOME>\bin folder and pass the fully qualified name of your implementation class as the argument.
Script Usage: MigrateCryptography.bat com.org.crypto.SampleEncryptDecrypt
Scenario 2: High Availability/Failover Service is configured
Here are the steps to be followed to execute the script if High Availability or Failover Service has been configured in PAM360:
Step 5: Add Custom Cryptography to the PAM360ED file
After executing the script, open the file pam360ed.conf in the <PAM360-Home>/conf folder. In the file, look for the EDCLASS key and add an entry next to it as specified.
In that entry, MyOwnEncDecImpl1.jar and MyOwnEncDecImpl2.jar are placeholder names for cryptography jars. Rename your jar files as required and list one or more jars in comma-separated format. If your implementation depends on third-party jars, list those first, followed by the jar containing your implementation class.
Step 6: Start PAM360 server
After completing the above steps, start PAM360 for the new implementation to take effect.
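The following is an added example of the implementation class that Steps 1 to 6 revolve around; it is not sample code from the PAM360 documentation or from ManageEngine. It assumes, as a placeholder, that the PAM360EncryptDecrypt interface is in the package com.manageengine.pam360.crypto and declares String encrypt(String) and String decrypt(String); the real package name, method names and the setter/getter methods the page mentions are defined by the shipped javadoc, so adjust the import and signatures to match before building the jar. The environment variable PAM360_CUSTOM_KEY_B64 used to supply the key is also an assumption of this example, chosen so that the key lives outside both the jar and the PAM360 database.

```java
package com.org.crypto;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Assumed package for the PAM360 interface; take the real one from the javadoc.
import com.manageengine.pam360.crypto.PAM360EncryptDecrypt;

// Example custom cryptography provider: AES-256-GCM with a random 96-bit nonce
// per value. The nonce is prepended to the ciphertext and the whole blob is
// Base64-encoded so it can be stored as a string column.
public class SampleEncryptDecrypt implements PAM360EncryptDecrypt {

    // Assumed: the 32-byte key is provided Base64-encoded via this environment
    // variable. Never hard-code the key in the class or ship it inside the jar.
    private static final String KEY_ENV = "PAM360_CUSTOM_KEY_B64";
    private static final int NONCE_BYTES = 12;   // 96-bit nonce recommended for GCM
    private static final int TAG_BITS = 128;     // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    private final SecretKey key;

    public SampleEncryptDecrypt() {
        this.key = loadKey();
    }

    // Fail fast at startup if the key is missing or the wrong size: a silent
    // fallback (for example to a default key) would be far worse than an outage.
    private static SecretKey loadKey() {
        String b64 = System.getenv(KEY_ENV);
        if (b64 == null || b64.isEmpty()) {
            throw new IllegalStateException(KEY_ENV + " is not set");
        }
        byte[] raw = Base64.getDecoder().decode(b64);
        if (raw.length != 32) {
            throw new IllegalStateException("expected a 32-byte AES-256 key, got " + raw.length + " bytes");
        }
        return new SecretKeySpec(raw, "AES");
    }

    @Override
    public String encrypt(String plainText) {
        if (plainText == null) {
            return null;
        }
        try {
            byte[] nonce = new byte[NONCE_BYTES];
            RNG.nextBytes(nonce);                        // fresh nonce for every value
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
            byte[] ct = cipher.doFinal(plainText.getBytes(StandardCharsets.UTF_8));
            byte[] blob = new byte[nonce.length + ct.length];
            System.arraycopy(nonce, 0, blob, 0, nonce.length);
            System.arraycopy(ct, 0, blob, nonce.length, ct.length);
            return Base64.getEncoder().encodeToString(blob);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("encryption failed", e);
        }
    }

    @Override
    public String decrypt(String cipherText) {
        if (cipherText == null) {
            return null;
        }
        try {
            byte[] blob = Base64.getDecoder().decode(cipherText);
            if (blob.length < NONCE_BYTES + TAG_BITS / 8) {
                throw new IllegalArgumentException("ciphertext too short");
            }
            GCMParameterSpec spec = new GCMParameterSpec(TAG_BITS, blob, 0, NONCE_BYTES);
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, key, spec);
            // doFinal verifies the GCM tag; a modified or wrong-key blob throws
            // AEADBadTagException instead of returning garbage.
            byte[] pt = cipher.doFinal(blob, NONCE_BYTES, blob.length - NONCE_BYTES);
            return new String(pt, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("decryption failed or data tampered", e);
        }
    }

    // Stand-alone round-trip check; run with PAM360_CUSTOM_KEY_B64 exported.
    public static void main(String[] args) {
        SampleEncryptDecrypt impl = new SampleEncryptDecrypt();
        String secret = "constructed-sample-password";          // constructed input
        String enc = impl.encrypt(secret);
        if (!secret.equals(impl.decrypt(enc))) {
            throw new AssertionError("round trip failed");
        }
        System.out.println("round trip ok, ciphertext length " + enc.length());
    }
}
```

A 32-byte key in the expected form can be generated with `openssl rand -base64 32` and exported as PAM360_CUSTOM_KEY_B64 in the environment that starts the PAM360 service; with High Availability or Failover configured, every node must see the same key, and the key must be backed up separately from the database because the migration script re-encrypts the stored data with it. GCM was chosen over plain AES-CBC so that a modified ciphertext fails loudly at decrypt time rather than yielding a wrong password, and a per-value random nonce keeps identical plaintexts from producing identical ciphertexts.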