
SOLVED

AEM Crypto Support


Level 1

We are using the AEM Crypto Support method for securing an API password. We are able to generate the encrypted key and decrypt it successfully, but when it is deployed on the QA instance it stops working. The decrypted value does not match, hence the further process is blocked. Can somebody please tell me whether there is anything else I have to do?

1 Accepted Solution


Correct answer by
Community Advisor

Hi @mira_r ,

Yes, that happens when you do not sync the HMAC keys across all instances. You are just a couple of steps away!

Every instance is unique and generates a different encrypted key. So the ideal scenario is that we have to use the same key for all authors and publishers belonging to one environment.

Steps to sync keys across all instances for AEM 6.3 or above:

In AEM 6.2 and earlier, you could see the "hmac" and "master" files directly in AEM CRX, but due to security concerns these keys have been removed from CRX and moved inside the bundle.
  1. Go to the author instance and find the bundle id of "Adobe Granite Crypto Bundle Key Provider (com.adobe.granite.crypto.file)"; usually it is bundle number 25.
  2. Then navigate to crx-quickstart/launchpad/felix/bundle25/data. There are two files in data: hmac and master.
  3. Copy the files and replace them with the files from the publish servers under the same path.
  4. Now follow the same steps for all the other instances and replace the two files with the copied files.
Restart the AEM server, or you can restart the bundle Adobe Granite Crypto Support (com.adobe.granite.crypto).
 

Steps to sync keys across all instances for AEM 6.2 or below:

  1. Create a package of the path /etc/key from one of the instances using Package Manager
  2. Install the created package on the other instances
  3. Restart all the instances where the package has been installed
You can validate it: run the command "md5sum hmac" in a terminal under the data folder and compare the result across all the servers to validate that the same key exists on all of them.
 
Regards,
Santosh
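
The 6.3+ procedure above, as an added shell example that is not part of the original thread or of any Adobe tooling. It locates the crypto bundle's data directory without assuming the bundle number is 25, copies hmac and master from a reference instance, and checks that both instances end up with identical keys. Two things it assumes that the page does not state: that the Felix bundle cache records each bundle's location in bundle.info and that this location contains the name com.adobe.granite.crypto.file (so grep can find the right bundleNN directory), and that both instance directories are reachable on the local filesystem (for example after the key files have been staged over scp, never over email or chat). The make_fake_instance fixture and the seeded key bytes are constructed so the script runs offline; the bundle.info lines it writes only approximate the real layout.

```shell
#!/bin/sh
# Added example (not from the thread above): find, sync and verify the Granite
# crypto key files (hmac, master) across AEM 6.3+ instances.
# Assumptions not stated on the page: bundle.info under each felix/bundleNN
# contains the bundle location with the name com.adobe.granite.crypto.file, and
# both AEM home directories are on the local filesystem.
set -eu

CRYPTO_BUNDLE="com.adobe.granite.crypto.file"

# Print the crypto bundle's data directory for one instance, whatever bundle
# number it happens to have (25 is typical, but never rely on it).
find_key_dir() {
    for info in "$1"/crx-quickstart/launchpad/felix/bundle*/bundle.info; do
        [ -f "$info" ] || continue
        if grep -qF "$CRYPTO_BUNDLE" "$info"; then
            printf '%s/data\n' "$(dirname "$info")"
            return 0
        fi
    done
    echo "crypto bundle $CRYPTO_BUNDLE not found under $1" >&2
    return 1
}

# Checksum of one file: sha256 where available, else the POSIX cksum fallback.
fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# One line summarising both key files, suitable for comparing instances.
key_fingerprint() {
    dir=$(find_key_dir "$1")
    printf 'hmac=%s master=%s\n' "$(fingerprint "$dir/hmac")" "$(fingerprint "$dir/master")"
}

# Copy hmac and master from the reference instance ($1) to another instance ($2).
sync_keys() {
    src=$(find_key_dir "$1")
    dst=$(find_key_dir "$2")
    for f in hmac master; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
        cp "$src/$f" "$dst/$f"
        chmod 600 "$dst/$f"    # key material stays owner-readable only
    done
    echo "copied keys to $dst; restart com.adobe.granite.crypto (or the instance) on $2"
}

# Succeeds only when both instances carry identical hmac and master files.
keys_match() {
    [ "$(key_fingerprint "$1")" = "$(key_fingerprint "$2")" ]
}

# Constructed fixture for offline use: a fake bundle cache with the crypto
# bundle at an arbitrary bundle number ($2) and seeded dummy key bytes ($3).
make_fake_instance() {
    felix="$1/crx-quickstart/launchpad/felix"
    mkdir -p "$felix/bundle0" "$felix/bundle$2/data"
    printf '0\nSystem Bundle\n' > "$felix/bundle0/bundle.info"
    printf '%s\nlaunchpad:resources/install/0/%s-0.0.0.jar\n' "$2" "$CRYPTO_BUNDLE" \
        > "$felix/bundle$2/bundle.info"
    printf 'hmac-%s' "$3" > "$felix/bundle$2/data/hmac"
    printf 'master-%s' "$3" > "$felix/bundle$2/data/master"
    chmod 600 "$felix/bundle$2/data/hmac" "$felix/bundle$2/data/master"
}

# Offline walkthrough: two instances with different keys, then a sync.
demo() {
    work=$(mktemp -d)
    make_fake_instance "$work/author" 25 seedA
    make_fake_instance "$work/publish" 27 seedB
    echo "before: author  $(key_fingerprint "$work/author")"
    echo "before: publish $(key_fingerprint "$work/publish")"
    sync_keys "$work/author" "$work/publish"
    echo "after:  publish $(key_fingerprint "$work/publish")"
    keys_match "$work/author" "$work/publish" && echo "keys match"
    rm -rf "$work"
}

# Usage (hypothetical file name): sh sync-aem-keys.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

Against real instances, run key_fingerprint on every author and publish server of the environment after the restart and compare the lines; this generalises the single "md5sum hmac" check in the answer to both files. Treat hmac and master as secrets: keep them at mode 600, never commit them to a repository or bake them into an image shared across environments, and remember that any value encrypted before the sync on the receiving instance will no longer decrypt once its keys are replaced.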
