
SOLVED

AEM 6.5 Crypto Support


Level 2

I'm trying to use Crypto Support in AEM 6.5, but the hmac and master keys are no longer stored under /etc/key.

It means I cannot just package the keys and transfer them to the target instance.

I can see the hmac and master keys are stored in launchpad/bundles/.. But every time we change the instance we need to add these files to the bundles folder and restart the bundle, which may not always be suitable.

Need some thoughts on this.

1 Accepted Solution


Correct answer by
Level 1

Actually there is a way to update the encryption keys programmatically, without ssh access to AEM instances. 

The approach:

1. Upload the key in AEM, for example, to /content/dam/crypto/hmac

2. Read the key bytes

// Resolve the uploaded DAM asset and read its original rendition into memory
Resource resource = resourceResolver.getResource("/content/dam/crypto/hmac");
byte[] key = IOUtils.toByteArray(resource.adaptTo(Asset.class).getOriginal().getStream());

3. Get the com.adobe.granite.crypto.file bundle

// Locate the bundle whose private data area holds the key files
Bundle bundle = Arrays.stream(bundleContext.getBundles())
    .filter(b -> b.getSymbolicName().equals("com.adobe.granite.crypto.file"))
    .findFirst().orElse(null);

4. Get the 'hmac' file

// Data file inside the bundle's persistent storage area
File hmacFile = bundle.getDataFile("hmac");

5. Replace the key

// Overwrite the existing key; try-with-resources closes the stream even on failure
try (OutputStream out = new FileOutputStream(hmacFile)) {
    out.write(key);
}

6. Repeat 2-6 for the master key

7. Refresh the Granite Crypto Bundle

  • Navigate to http://<server>:<port>/system/console/bundles
  • Locate Adobe Granite Crypto Support bundle (com.adobe.granite.crypto)
  • Click Refresh

8. Delete the hmac and master keys from DAM. You no longer need them.

See https://github.com/YegorKozlov/aem-fiddle-scripts/tree/master/encryption-keys
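The steps above as one complete Java class, written here as an added example (it is not code from the accepted answer, from the linked repository, or from Adobe). It assumes the two key files were uploaded as DAM assets at /content/dam/crypto/hmac and /content/dam/crypto/master (the master path is an assumption; the answer only names the hmac one) and that the caller has a ResourceResolver able to read them and a BundleContext. Compared with the snippets in the answer it refuses an empty or missing asset, writes each key through a temporary file and an atomic move so a crash cannot leave a truncated key in the bundle's data area, and refreshes com.adobe.granite.crypto through the OSGi FrameworkWiring API instead of the console click.

```java
import com.day.cq.dam.api.Asset;
import org.apache.commons.io.IOUtils;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.osgi.framework.Bundle;
import org.osgi.framework.BundleContext;
import org.osgi.framework.wiring.FrameworkWiring;

import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.StandardCopyOption;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;

/** Installs the hmac and master key files into the crypto bundle's data area. */
public class CryptoKeyInstaller {

    private static final String CRYPTO_FILE_BUNDLE = "com.adobe.granite.crypto.file";
    private static final String CRYPTO_BUNDLE = "com.adobe.granite.crypto";

    /** DAM upload path -> file name in the bundle data area (paths are assumptions). */
    private static final Map<String, String> KEYS = Map.of(
            "/content/dam/crypto/hmac", "hmac",
            "/content/dam/crypto/master", "master");

    /** Performs steps 2-7 of the answer for both keys; step 8 (delete the assets) is still the caller's job. */
    public void installKeys(ResourceResolver resolver, BundleContext ctx) throws IOException {
        Bundle fileBundle = findBundle(ctx, CRYPTO_FILE_BUNDLE);
        if (fileBundle == null) {
            throw new IllegalStateException("bundle not found: " + CRYPTO_FILE_BUNDLE);
        }
        for (Map.Entry<String, String> entry : KEYS.entrySet()) {
            byte[] key = readAssetBytes(resolver, entry.getKey());
            File target = fileBundle.getDataFile(entry.getValue());
            if (target == null) {
                throw new IllegalStateException("no data area for " + entry.getValue());
            }
            writeAtomically(target, key);
        }
        refresh(ctx, CRYPTO_BUNDLE);
    }

    static Bundle findBundle(BundleContext ctx, String symbolicName) {
        return Arrays.stream(ctx.getBundles())
                .filter(b -> symbolicName.equals(b.getSymbolicName()))
                .findFirst().orElse(null);
    }

    /** Reads the original rendition of the uploaded asset and rejects a missing or empty key. */
    static byte[] readAssetBytes(ResourceResolver resolver, String path) throws IOException {
        Resource res = resolver.getResource(path);
        Asset asset = res == null ? null : res.adaptTo(Asset.class);
        if (asset == null || asset.getOriginal() == null) {
            throw new IllegalArgumentException("no asset at " + path);
        }
        try (InputStream in = asset.getOriginal().getStream()) {
            byte[] bytes = IOUtils.toByteArray(in);
            if (bytes.length == 0) {
                throw new IllegalArgumentException("empty key at " + path);
            }
            return bytes;
        }
    }

    /** Writes to a sibling temp file, then moves it over the target, so a partial key is never left in place. */
    static void writeAtomically(File target, byte[] bytes) throws IOException {
        File tmp = new File(target.getParentFile(), target.getName() + ".tmp");
        Files.write(tmp.toPath(), bytes);
        Files.move(tmp.toPath(), target.toPath(),
                StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
    }

    /** Same effect as clicking Refresh on the crypto bundle in the Felix console. */
    static void refresh(BundleContext ctx, String symbolicName) {
        Bundle bundle = findBundle(ctx, symbolicName);
        if (bundle == null) {
            return;
        }
        FrameworkWiring wiring = ctx.getBundle(0).adapt(FrameworkWiring.class);
        wiring.refreshBundles(Collections.singleton(bundle));
    }
}
```

The refresh is asynchronous, so a check that a value protected on the source instance now unprotects on the target should run after the bundle has come back up, not in the same call. While the assets exist under /content/dam/crypto, anyone with read access to that path can read raw key material, which is why the answer's step 8 removes them as soon as the install has succeeded.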


2 Replies


Employee

That is the necessary approach though ...

  1. Find the bundle Id for com.adobe.granite.crypto.file, for example, 21. You can navigate to /system/console/bundles/com.adobe.granite.crypto.file to see the Id.
  2. Navigate to /crx-quickstart/launchpad/felix/bundle<Id>/data in the file system.
  3. Copy the two files: hmac and master from the source instance to the target instances.
  4. Restart the target com.adobe.granite.crypto bundle or the entire AEM instance.

This would be a day-0 exercise though.
