AEM 6.5 Crypto Support

bhargav_thogat1
Level 2

13-11-2019

I'm trying to use Crypto Support in AEM 6.5 but the hmac master keys are no longer stored under /etc/key.

It means I cannot just package the keys and transfer them to the target instance.

I can see the hmac and master keys are stored in launchpad/bundles/.. But every time we change the instance we need to add these files to the bundles folder and restart the bundle, which may not always be suitable.

Need some thoughts on this.

Accepted Solutions (1)

yegorkozlov
Level 1

26-02-2020

Actually there is a way to update the encryption keys programmatically, without ssh access to AEM instances. 

The approach:

1. Upload the key in AEM

for example, to /content/dam/crypto/hmac

2. Read the key bytes

Resource resource = resourceResolver.getResource("/content/dam/crypto/hmac");
byte[] key = IOUtils.toByteArray(resource.adaptTo(Asset.class).getOriginal().getStream());

3. Get the com.adobe.granite.crypto.file bundle

Bundle bundle = Arrays.stream(bundleContext.getBundles())
    .filter(b -> b.getSymbolicName().equals("com.adobe.granite.crypto.file"))
    .findFirst().orElse(null);

4. Get the 'hmac' file

File hmacFile = bundle.getDataFile("hmac");

5. Replace the key

// try-with-resources closes the stream even if the write fails
try (OutputStream out = new FileOutputStream(hmacFile)) {
    out.write(key);
}

6. Repeat 2-6 for the master key

7. Refresh the Granite Crypto Bundle

  • Navigate to http://<server>:<port>/system/console/bundles
  • Locate Adobe Granite Crypto Support bundle (com.adobe.granite.crypto)
  • Click Refresh

8. Delete the hmac and master keys from DAM. You no longer need them.

 

See https://github.com/YegorKozlov/aem-fiddle-scripts/tree/master/encryption-keys
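
Steps 4 and 5 of the accepted answer, written so that an interrupted write cannot leave a truncated key in the bundle data directory and so that the result can be checked afterwards (an added example, not code from the original post, the linked repository, or Adobe). `KeyFileInstaller` and `install` are hypothetical names; in AEM the target would be `bundle.getDataFile("hmac").toPath()`, while the demo `main` uses a temp directory and constructed bytes instead.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class KeyFileInstaller {
    // Replaces target with newKey through a temp file in the same directory, so a crash
    // mid-write never leaves a partial key. Returns the SHA-256 of the file now on disk.
    public static String install(Path target, byte[] newKey)
            throws IOException, NoSuchAlgorithmException {
        if (newKey == null || newKey.length == 0) {
            throw new IllegalArgumentException("refusing to install an empty key");
        }
        Path dir = target.toAbsolutePath().getParent();
        Path tmp = Files.createTempFile(dir, "key", ".tmp");
        try {
            if (Files.getFileStore(dir).supportsFileAttributeView("posix")) {
                // Owner-only access before any key bytes are written.
                Files.setPosixFilePermissions(tmp, PosixFilePermissions.fromString("rw-------"));
            }
            Files.write(tmp, newKey);
            // Same-directory rename: the old key is swapped out in a single step.
            Files.move(tmp, target, StandardCopyOption.ATOMIC_MOVE,
                    StandardCopyOption.REPLACE_EXISTING);
        } finally {
            Files.deleteIfExists(tmp); // no-op after a successful move
        }
        byte[] onDisk = Files.readAllBytes(target);
        if (!MessageDigest.isEqual(onDisk, newKey)) {
            throw new IOException("installed key differs from the supplied key: " + target);
        }
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(onDisk)) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }
    public static void main(String[] args) throws Exception {
        // Constructed stand-ins: a temp directory for the bundle data folder, dummy key bytes.
        Path hmac = Files.createTempDirectory("crypto-data").resolve("hmac");
        Files.write(hmac, "old-constructed-key".getBytes(StandardCharsets.UTF_8));
        byte[] newKey = "new-constructed-key-bytes".getBytes(StandardCharsets.UTF_8);
        System.out.println("hmac sha256: " + install(hmac, newKey));
    }
}
```

The returned digest can be compared between source and target instances to confirm both hold the same key without printing the key itself.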

Answers (1)

aemmarc
Employee

14-11-2019

That is the necessary approach though ...

  1. Find the bundle Id for com.adobe.granite.crypto.file, for example, 21. You can navigate to /system/console/bundles/com.adobe.granite.crypto.file to see the Id.
  2. Navigate to /crx-quickstart/launchpad/felix/bundle<Id>/data in the file system.
  3. Copy the two files: hmac and master from the source instance to the target instances.
  4. Restart the target com.adobe.granite.crypto bundle or the entire AEM instance.

This would be a day-0 exercise though.