Configure Encryption Keys for a CSM Server or Web Application
Use the Server Manager to configure encryption keys for CSM Servers or Web Applications. Encryption keys protect sensitive data contained in Business Object Fields (example: Financial data, SSNs, etc.). When configuring encryption keys, you can:
- Add keys, or modify the display name of existing keys.
- Import and export keys using password-protected Cherwell Key Files (.ckf) to move them across systems.
- Configure compliance logging to the Splunk Server to log decryption attempts (whether or not they are successful).
Good to know:
- The ability to configure encryption keys depends on your security rights.
- Encryption keys are managed per server, not centrally; every server in a server farm must hold the same encryption keys, because a server that lacks a key cannot decrypt the fields that were encrypted with it.
- Encryption keys are protected using the Windows Data Protection API (DPAPI) and are stored in a restricted area of the Windows file system (the Windows Keystore). CSM does not expose the key material; the only supported way to manage keys is the Encryption Key Management interface in the Server Manager. Note that DPAPI binds a protected key to the Windows machine (or user) that protected it: the stored keys cannot simply be copied to another server, and DPAPI protects the keys at rest rather than from administrators of the server itself, so restrict who can log on to the CSM Server.
- Compliance logging to a Splunk Server is handled separately from the event logging of a Server or Web Application. For more information on integrating Splunk and CSM, see Splunk Integration; Splunk's own documentation is at http://docs.splunk.com/Documentation. The Splunk integration is included in hosted environments by default; compliance logging itself is optional.
- Internal CSM auditing is always enabled: CSM uses Journal - History records to track encryption and decryption attempts for encrypted fields in Business Object records.
- References to encryption keys (identifiers and display names) are stored in the CSM database in a table separate from the Business Objects they belong to; the actual encryption keys are not stored in the database. We recommend exporting keys to a password-protected Cherwell Key File (.ckf) and storing it in a secure location as a backup. As a best practice, store .ckf and .czar files in separate locations, so that a database export and the keys that unlock its encrypted fields are never exposed together.
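The following PowerShell script is an added example and is not part of CSM or its documentation. It shows what the DPAPI protection described above means in practice: a DPAPI-protected blob can be written to disk, but only the same machine (LocalMachine scope) or the same Windows user (CurrentUser scope) can unprotect it, and a wrong machine, user or entropy value fails cleanly rather than yielding a wrong key. The key value and entropy string are constructed for the example; the real CSM key store and .ckf format are not reproduced here.

```powershell
# Added example, not Cherwell's code. Requires Windows (DPAPI); tested shape is
# Windows PowerShell 5.1.
Add-Type -AssemblyName System.Security

function New-DemoKey {
    # Constructed sample: a random 256-bit value standing in for a field encryption key.
    $key = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    return ,$key   # leading comma keeps PowerShell from unrolling the array
}

function Protect-KeyWithDpapi {
    param([byte[]]$Key, [string]$Scope = 'LocalMachine', [byte[]]$Entropy = $null)
    $dpapiScope = [System.Security.Cryptography.DataProtectionScope]$Scope
    # LocalMachine: any process on this machine can unprotect the blob.
    # CurrentUser:  only this Windows account can.
    return ,([System.Security.Cryptography.ProtectedData]::Protect($Key, $Entropy, $dpapiScope))
}

function Unprotect-KeyWithDpapi {
    param([byte[]]$Blob, [string]$Scope = 'LocalMachine', [byte[]]$Entropy = $null)
    $dpapiScope = [System.Security.Cryptography.DataProtectionScope]$Scope
    try {
        return ,([System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $Entropy, $dpapiScope))
    } catch {
        # DPAPI authenticates the blob: a different machine, a different user or the
        # wrong entropy raises CryptographicException instead of returning garbage.
        Write-Warning ('Unprotect failed: ' + $_.Exception.GetBaseException().Message)
        return $null
    }
}

$key     = New-DemoKey
$entropy = [System.Text.Encoding]::UTF8.GetBytes('csm-key-demo')   # assumed value; optional extra secret

$blob = Protect-KeyWithDpapi -Key $key -Entropy $entropy
# $blob is the form that belongs in a restricted key store; it is safe to write to disk,
# e.g. [IO.File]::WriteAllBytes("$env:ProgramData\csm-demo.key", $blob)

$recovered = Unprotect-KeyWithDpapi -Blob $blob -Entropy $entropy
'Round trip on this machine: ' + ([Convert]::ToBase64String($key) -eq [Convert]::ToBase64String($recovered))

# Same blob, wrong entropy: fails even on the same machine. Copying $blob to another
# server fails the same way, which is why keys move between servers only via a .ckf export.
'Wrong entropy returns null: ' + ($null -eq (Unprotect-KeyWithDpapi -Blob $blob -Entropy ([byte[]](1, 2, 3))))
```

Run it on the CSM Server and then copy the written blob to a second machine: the second machine cannot unprotect it. The .ckf export is CSM's portable, password-protected form of the keys; its format is not shown here.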
To configure encryption keys for a CSM Server or Web Application:
- Select Start > All Programs > Cherwell Service Management > Tools > Server Manager.
- From the Server drop-down, select a Server or Web application.
- Click the Configure button next to Encryption keys.
- Select a database connection and enter your login credentials.
This step requires a two-tier connection, which connects directly to the database rather than through the Cherwell Application Server, and is intended to be performed on the server running CSM.
The Encryption Key Management window opens.
- Add an encryption key:
  - Click the Add button.
  - In the Prompt window, enter a name for the key. This is a display name only; the key itself is stored in the Windows Keystore.
  - Select OK.
  A caution message opens, giving you the option to export encryption keys.
  - Click Yes to export keys to a password-protected .ckf file.
  You can choose not to export keys. However, we recommend exporting them and storing the file in a secure location. Encryption keys are not stored in the database and are therefore not included in .czar exports; without a .ckf backup, a lost key means the fields it protects can no longer be decrypted.
  - If exporting keys, specify a folder location and name for the .ckf file.
  - Click Save.
  Before the file is saved, you are prompted to enter a password to protect the file. Choose a strong password and keep it separate from the .ckf file itself.
  To edit the display name of an existing encryption key, select the key, and then click the Edit button.
- (Optional) Configure compliance logging:
  - Select the Compliance Logging check box.
  - Click the Configure button.
  The Splunk Server Settings window opens.
  - Define the following settings:
    - Server URL: Provide the https URL of the Splunk Server's management (REST API) port (example: https://splunkserver:8089).
    - User Name: Provide the user name of the Splunk Server account that CSM logs in with.
    - Password: Provide the password for that account.
    - Ignore Certificate Errors: Select this check box only if the Splunk Server presents a self-signed or otherwise untrusted certificate and you have confirmed that this is the cause of the error. Ignoring certificate errors turns off verification of the Splunk Server's identity, so the account credentials and the logged events could be sent to an impostor on the network path. The safer fix is to import the Splunk Server's certificate, or the CA that issued it, into the CSM Server's Trusted Root Certification Authorities store so that the connection validates normally with the check box cleared.
  - Select Test to test the connection to the Splunk Server.
  - Select OK.
- Close the Encryption Key Management Window.
- Configure encryption keys for another server or web application, as necessary.
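The following PowerShell script is an added example and is not part of CSM or its documentation. It shows how to find out, before selecting Ignore Certificate Errors, why the Splunk Server's management port fails certificate validation: it first performs a strict TLS handshake with default .NET validation (trusted chain plus hostname match), and only if that fails does it reconnect permissively to read the presented certificate, list the chain errors and compare the thumbprint with one obtained out of band. The server name, port and thumbprint parameter values are assumptions for the example.

```powershell
# Added example, not Cherwell's code. Inspects the TLS certificate on the Splunk
# management port (the Server URL setting) so that "Ignore Certificate Errors"
# is a decision, not a default.
function Test-SplunkTlsEndpoint {
    param(
        [string]$Server = 'splunkserver',   # assumed host name
        [int]$Port = 8089,                  # Splunk management/REST port, as in the Server URL
        [string]$ExpectedThumbprint = ''    # SHA-1 thumbprint obtained out of band from the Splunk admin
    )
    $result = [ordered]@{
        Server = $Server; Port = $Port; StrictValidationPassed = $false
        Subject = $null; Issuer = $null; Thumbprint = $null; NotAfter = $null
        ChainErrors = @(); ThumbprintMatches = $null; Recommendation = $null
    }
    $presented = $null

    # 1. Strict handshake: default validation, i.e. what a client does when
    #    "Ignore Certificate Errors" is cleared.
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $result.StrictValidationPassed = $true
        $presented = $ssl.RemoteCertificate
    } catch {
        Write-Warning ('Strict validation failed: ' + $_.Exception.GetBaseException().Message)
    } finally { $client.Close() }

    # 2. Only after a strict failure: reconnect accepting any certificate, purely to
    #    read what was presented and explain the failure. Nothing else is sent.
    if (-not $result.StrictValidationPassed) {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
        try {
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
            $ssl.AuthenticateAsClient($Server)
            $presented = $ssl.RemoteCertificate
        } finally { $client.Close() }
    }
    if (-not $presented) { throw "No certificate received from ${Server}:${Port}" }

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($presented)
    $result.Subject    = $cert.Subject
    $result.Issuer     = $cert.Issuer
    $result.Thumbprint = $cert.Thumbprint
    $result.NotAfter   = $cert.NotAfter

    # Chain errors explain the failure: UntrustedRoot for self-signed, NotTimeValid for expired, etc.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.Build($cert)
    $result.ChainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    if ($ExpectedThumbprint) {
        $normalized = ($ExpectedThumbprint -replace '[\s:]', '').ToUpperInvariant()
        $result.ThumbprintMatches = ($cert.Thumbprint -eq $normalized)
    }

    $result.Recommendation = if ($result.StrictValidationPassed) {
        'Leave "Ignore Certificate Errors" cleared; the certificate validates normally.'
    } elseif ($result.ThumbprintMatches) {
        'Certificate matches the pinned thumbprint (typically self-signed): import it into the CSM Server''s Trusted Root store and keep "Ignore Certificate Errors" cleared.'
    } else {
        'Untrusted certificate with an unverified thumbprint: do not ignore certificate errors until the Splunk admin confirms the thumbprint out of band.'
    }
    [pscustomobject]$result
}

# Usage (parameter values are placeholders):
# Test-SplunkTlsEndpoint -Server splunkserver -Port 8089 -ExpectedThumbprint '<thumbprint from Splunk admin>' | Format-List
```

Run the script from the CSM Server itself, because the trust store that matters is the one the Server or Web Application uses. If ChainErrors shows only UntrustedRoot and the thumbprint matches, importing the certificate into the Trusted Root store makes the strict handshake pass, and the Test button in the Splunk Server Settings window then succeeds with Ignore Certificate Errors cleared.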