AEM 6.5 Crypto Support

bhargav_thogat1

13-11-2019

I'm trying to use Crypto Support in AEM 6.5, but the hmac and master keys are no longer stored under /etc/key.

It means I cannot just package the keys and transfer them to the target instance.

I can see the hmac and master keys are stored in launchpad/bundles/.. But every time we change the instance we need to add these files to the bundles folder and restart the bundle, which may not always be suitable.

Need some thoughts on this.

Accepted Solutions (1)

yegorkozlov

26-02-2020

Actually, there is a way to update the encryption keys programmatically, without ssh access to AEM instances.

The approach:

1. Upload the key to AEM, for example to /content/dam/crypto/hmac

2. Read the key bytes

Resource resource = resourceResolver.getResource("/content/dam/crypto/hmac");
// Read the raw key bytes from the original rendition of the uploaded asset
byte[] key = IOUtils.toByteArray(resource.adaptTo(Asset.class).getOriginal().getStream());

3. Get the com.adobe.granite.crypto.file bundle

Bundle bundle = Arrays.stream(bundleContext.getBundles())
    .filter(b -> b.getSymbolicName().equals("com.adobe.granite.crypto.file"))
    .findFirst().orElse(null);

4. Get the 'hmac' file

File hmacFile = bundle.getDataFile("hmac");

5. Replace the key

// try-with-resources closes the stream even if write() throws
try (OutputStream out = new FileOutputStream(hmacFile)) {
    out.write(key);
}

6. Repeat 2-6 for the master key

7. Refresh the Granite Crypto Bundle

  • Navigate to http://<server>:<port>/system/console/bundles
  • Locate Adobe Granite Crypto Support bundle (com.adobe.granite.crypto)
  • Click Refresh

8. Delete the hmac and master keys from DAM. You no longer need them.

See https://github.com/YegorKozlov/aem-fiddle-scripts/tree/master/encryption-keys

Answers (1)

aemmarc

Employee

14-11-2019

That is the necessary approach though ...

  1. Find the bundle Id for com.adobe.granite.crypto.file, for example, 21. You can navigate to /system/console/bundles/com.adobe.granite.crypto.file to see the Id.
  2. Navigate to /crx-quickstart/launchpad/felix/bundle<Id>/data in the file system.
  3. Copy the two files: hmac and master from the source instance to the target instances.
  4. Restart the target com.adobe.granite.crypto bundle or the entire AEM instance.

This would be a day-0 exercise though.
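The file-system copy from the steps above, as an added example that is not part of either answer: it ships the two key files from a source bundle data directory to a target one, keeps a backup of any keys already on the target so the change can be rolled back, restricts permissions on the copies, and verifies each copy by SHA-256 before the bundle is refreshed. The bundle data path layout is taken from the answer; the bundle Id differs per instance and is assumed to have been looked up already.

```shell
#!/bin/sh
# Added example (not from the thread): copy Granite Crypto key files
# (hmac and master) between bundle<Id>/data directories with backup
# and checksum verification. Directory paths are passed in by the caller.

set -eu

# Print the SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# copy_crypto_keys SRC_DATA_DIR DST_DATA_DIR
# Returns 0 only when both key files were copied and verified.
copy_crypto_keys() {
    src=$1; dst=$2
    stamp=$(date +%Y%m%d%H%M%S)
    for name in hmac master; do
        # Refuse to ship a missing or empty key file.
        [ -s "$src/$name" ] || { echo "missing or empty $src/$name" >&2; return 1; }
    done
    mkdir -p "$dst"
    for name in hmac master; do
        # Keep the target's current key so the change can be rolled back.
        if [ -f "$dst/$name" ]; then
            cp -p "$dst/$name" "$dst/$name.bak.$stamp"
        fi
        cp "$src/$name" "$dst/$name"
        chmod 600 "$dst/$name"   # key material: owner read/write only
        # Verify the copy byte-for-byte before the bundle is refreshed.
        if [ "$(sha256_of "$src/$name")" != "$(sha256_of "$dst/$name")" ]; then
            echo "checksum mismatch for $name" >&2
            return 1
        fi
        echo "$name: $(sha256_of "$dst/$name")"
    done
}
```

After the copy, the target's com.adobe.granite.crypto bundle still has to be refreshed (or the instance restarted) for the new keys to take effect.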