Crypto Support in AEM (Syncing HMAC among AEM instances)
AEM provides Crypto Support out of the box (OOTB), which lets us encrypt secrets such as passwords and API keys and store the encrypted values in the code repository as OSGi configuration instead of keeping them in plain text.
Crypto Support is based on key material (the hmac and master files) that is unique to each AEM instance. The encrypted text produced for the same plain-text string on one AEM instance is different from that on another instance, and a value encrypted on one instance cannot be decrypted on another. This becomes a problem when the same OSGi configuration values are shared between Author and Publish instances in the same topology.
For e.g. /apps/project/config.prod/com.day.cq.db.dbservice.xml
Here the DB password for the Default DB Service is the same across all Prod AEM instances. So, to make sure that the same encrypted value works on all Prod instances, we have to sync the hmac and master files among the Prod Author and Publish instances.
Vital Points to know before HMAC SYNC
Syncing the HMAC/master keys replaces the key material of the target AEM server, so anything on the target that was encrypted with its old key can no longer be decrypted. This breaks the AEM SSL setup and effectively resets the keystore and trust store of the target server. Hence make sure -
1- If your instance is SSL enabled, make sure you have the required certificates and private keys to reconfigure SSL.
2- If your instance has SSO/SAML enabled, make sure you have the required certificates for all of these, as you may end up reconfiguring them.
3- Check the trust store of your AEM instance and make sure you have a backup of all the certificates, as reconfiguration may be needed post HMAC SYNC.
4- Back up the target's current hmac and master files before overwriting them. Restoring them is the only way to recover any other value that was encrypted with the old key, and every such value (including OSGi configuration values that differ per instance) has to be re-encrypted with the new key after the sync.
How to Replicate HMAC Keys with Instance SSL
Since AEM 6.3, the key material is no longer stored in the repository, but on the actual filesystem. With this in mind, the best way to replicate the keys is to copy the hmac and master files from the filesystem of the source instance to that of the target instance(s) you want to replicate the keys to. Stop the target instance before replacing the files and restart it afterwards, so that it picks up the new key material, then verify that an OSGi value encrypted on the source decrypts on the target.
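The copy procedure above, with the backup from the "Vital Points" list and a post-copy check, as an added POSIX shell example that is not part of the original page or of Adobe's tooling. It assumes the key files are named hmac and master and sit in the data folder of the crypto bundle under crx-quickstart/launchpad/felix/bundle*/data/ (the documented location); rather than asking for the bundle id, it searches for the one data folder that holds both files. Both AEM homes are assumed to be reachable on the local filesystem (mount or rsync the remote home first), and the target instance is assumed to be stopped while the files are replaced.

```shell
#!/bin/sh
# Sync AEM Crypto Support key material (hmac + master) from one AEM home to others.
# Assumption: the files live in crx-quickstart/launchpad/felix/bundle*/data/ (the data
# folder of com.adobe.granite.crypto.file); the search below locates that folder.

# Print the directory under the given AEM home that holds both key files.
find_crypto_key_dir() {
    aem_home="$1"
    felix="$aem_home/crx-quickstart/launchpad/felix"
    [ -d "$felix" ] || { echo "no felix dir under $aem_home" >&2; return 1; }
    for d in "$felix"/bundle*/data; do
        if [ -f "$d/hmac" ] && [ -f "$d/master" ]; then
            echo "$d"
            return 0
        fi
    done
    echo "no hmac/master pair found under $felix" >&2
    return 1
}

# Succeed only if source and target hold byte-identical key material.
keys_match() {
    src_dir=$(find_crypto_key_dir "$1") || return 1
    dst_dir=$(find_crypto_key_dir "$2") || return 1
    cmp -s "$src_dir/hmac" "$dst_dir/hmac" && cmp -s "$src_dir/master" "$dst_dir/master"
}

# Copy the key files from source home to target home. The target's current files are
# saved first (they are the only way to recover values encrypted with the old key).
# The target AEM instance must be stopped before this runs and restarted afterwards.
sync_crypto_keys() {
    src_home="$1"
    dst_home="$2"
    src_dir=$(find_crypto_key_dir "$src_home") || return 1
    dst_dir=$(find_crypto_key_dir "$dst_home") || return 1
    stamp=$(date +%Y%m%d%H%M%S)
    backup="$dst_home/crypto-key-backup-$stamp"
    mkdir -p "$backup" || return 1
    cp -p "$dst_dir/hmac" "$dst_dir/master" "$backup/" || return 1
    cp -p "$src_dir/hmac" "$src_dir/master" "$dst_dir/" || return 1
    # Key material is a secret: keep it readable by the AEM service user only.
    chmod 600 "$dst_dir/hmac" "$dst_dir/master" || return 1
    echo "old keys of $dst_home saved to $backup"
}

# Sync one source to every target home given, verifying each copy.
# usage: sync_to_all /opt/aem/author /opt/aem/publish1 /opt/aem/publish2
sync_to_all() {
    source_home="$1"
    shift
    for target_home in "$@"; do
        sync_crypto_keys "$source_home" "$target_home" || return 1
        keys_match "$source_home" "$target_home" || {
            echo "verification failed for $target_home" >&2
            return 1
        }
    done
}
```

keys_match is the check to run on every Prod instance after the restart: if the files are not byte-identical on Author and all Publish instances, the shared encrypted OSGi value will decrypt on some instances and fail on others. The backup folder is written under the target's AEM home, outside the felix bundle tree, so the search never mistakes it for the live key folder.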