Page tree
Skip to end of metadata
Go to start of metadata

This is an org-level, subscription feature. This feature is supported with Windows and Linux Groundplexes as well as Hadooplexes.  Must also use Google Chrome version 37 and above.

Account credentials used to access endpoints from SnapLogic can be encrypted using a private key/public key model. The data is encrypted with a public key before it leaves the browser, then is decrypted with a private key on the Groundplex. The private key will need to be manually copied to each node in a Groundplex.

Because you should not store your private key in the cloud, you cannot use a Cloudplex for this configuration. Before enabling this feature, you will need to turn off and remove Cloudplexes from your org or convert them into Groundplexes.

Without the Enhanced Account Encryption feature, Standard Encryption is used.

Enabling Enhanced Account Encryption

Groundplex Node Setup

If you are using Linux, make sure you have the latest install of the RPM/DEB on each Groundplex node. There have been some updates to the startup scripts in relation to this feature.

You will also need make sure the "JCE Unlimited Strength Policy Files JRE8" are installed for your Java Runtime Environment. The enhanced encryption feature will make use of key sizes that are not supported in the standard install. If using an older Snaplex installer with JRE 7, use the policy files at "JCE Unlimited Strength Policy Files JRE7"

After restarting the service, a new key pair will be generated automatically and saved to disk. The generated files will need to be copied from one node to all of the others in the Groundplex. On Linux, the directory to clone should be '/etc/snaplogic'. Once the files have been copied to the other nodes, you will need to restart the service on each node. During startup, the nodes will upload their public keys to the SnapLogic cloud and be displayed in the encryption configuration dialog.

When running pipelines on Windows and Hadoop-based Snaplexes, the Spark Script Snap cannot be used.  Additionally, using the Script Snap to start a subprocess is no longer allowed on these types of Snaplexes as it exposes a way for unauthorized users to obtain the enhanced encryption key.

Windows

On Windows Groundplexes, the key must also be copied to a directory and secured by restricting access to the directory. Only the security administrators and user that runs the Groundplex service should have access to the directory. Next, the directories location should be added as an environmental variable or Java property in Windows with the name SL_KEY_DIR.

Hadoop

Installation is similar to the Linux Groundplex, where each key store and its password must be copied to each node in the Hadoop cluster. The key should be placed in a directory which only the user that runs the Hadooplex process has access. When starting the Hadooplex with the yarn command, the -sl_key_dir option should be used, followed by the path to the directory where the key and password were placed. For example, the command to start the Hadooplex will look something like this:

yarn jar yplex-4.0-Snapreduce.jar -war jcc-4.0-rcXXX-Snapreduce.war -driver  driver-4.0-rcXXX.jar -keys keys.properties -master_conf master.properties -plex_conf  plex.properties -sl_key_dir /etc/snaplogic/keystoredir/


Organization Setup

To configure Enhanced Account Encryption for your SnapLogic organization:

  1. Log into Manager as an org admin.
  2. On the Settings page, click Configure Encryption.

    If you have the Lifecycle Management feature, this page is on the org-level, not the org-Development level.

  3. Verify that the same Organization Key is used on all nodes of the Groundplex (or all nodes of all Groundplexes belonging to each phase of the organization if you have Lifecycle Management enabled). If the same private key is not on all nodes of the Groundplex, it will show as incompatible and you will not be able to configure enhanced encryption.
     

  4. Select Enhanced Encryption, then select the level of sensitivity.

    • High - encrypts passwords and secret keys

    • Medium and High - encrypts usernames, passwords, and secret keys

    • Low, Medium, and High - encrypts host name, database names, database URL properties, usernames, passwords, and secret keys See the documentation for each account to see which fields are encrypted per sensitivity level for that account type.

  5. To set an org wide key, select the appropriate key. Only those keys that are available on all nodes are shown. Once selected, confirm the new key. This will cause all accounts to be decrypted using the existing keys and re-encrypted with the newly selected org level key.

  6. Click Update encryption settings

Scope and Limitations

  • Once Enhanced Account Encryption is enabled, you will not be able to see or edit the existing values for the encrypted data types. You will, however, be able to enter a new value in that field and save it.

  • If you change your sensitivity level from Low/Medium/High to High, existing accounts will remain at the previous level unless you update them; going in the other direction will cause account data to be encrypted. All new accounts will follow the new sensitivity encryption level.
  • If you revert back to standard encryption, the encrypted data will not automatically be decrypted. As long as the private key is still in place on the node, the encrypted values will continue to work.

Key Rotation

The steps to change the enhance encryption key (key rotation) for an organization are

  1. Install the latest Groundplex RPM/DEB on one of the Groundplex nodes which is already running with enhanced encryption. This is required to get the new addDataKey option in the jcc.sh script.
  2. As root user, run:

    /opt/snaplogic/bin/jcc.sh addDataKey keyNov2016

    This will generate a new key pair and it will be appended to the keystore in /etc/snaplogic folder with the specified alias (keyNov2016).

  3. Clone the /etc/snaplogic folder to each of the nodes in the org, same as done when originally setting up the enhanced encryption feature.
  4. Restart the nodes in the org. This is required to pick up the updated key pair. Each node can be restarted one at a time from the dashboard in order to do an online restart.
  5. Once all the nodes are running with the new key pair loaded, the enhanced encryption settings will show the dropdown allowing the org admin to change to the new key. Currently running pipelines will continue when the key is being rotated. Accounts in the organization are sent to the Groundplex to be decrypted with the old key and then encrypted with the new key.


Accounts which were exported when the org was running with the old key will have the sensitive fields encrypted with the old key. When the account information is imported into the org after the key is rotated, the account is imported with the old key. To convert these imported accounts to the new key, go to the manager and redo the key rotation with the new key.

The updates to the key store using the script are supported only on Linux. The updated key store can be copied onto the Windows Groundplex machine to ensure that the rotated key is applied on the Windows machine also. If running a Windows-only Snaplex, the Linux RPM can be installed on a standalone machine for the purpose of updating the key store using the jcc.sh script.

Adding Groundplex Nodes

When adding new nodes to a Groundplex, you must ensure that the new nodes have the same key as the other nodes. If a node does not have a matching key, it will be ignored until the keys are synced up. You can always return to the account configuration dialog in the Organization Settings page to check the current key compatibility status.

  • No labels