Configure Encryption Keys for a CSM Server or Web Application

Use the Server Manager to configure encryption keys for CSM Servers or Web Applications. Encryption keys protect sensitive data contained in Business Object Fields (example: Financial data, SSNs, etc.). When configuring encryption keys, you can:

  • Add keys, or modify the display name of existing keys.
  • Import and export keys using password-protected Cherwell Key Files (.ckf) to move them across systems.
  • Configure compliance logging to the Splunk Server to log decryption attempts (whether or not they are successful).

Good to know:

  • The ability to configure encryption keys depends on your security rights.
  • Encryption keys are managed on a per-server basis; all servers within a server farm require the same encryption keys.
  • Encryption keys are protected using Windows Data Protection API (DPAPI) and are stored in a restricted area of the Windows file system (the Windows Keystore). The keys cannot be accessed directly; they can only be managed using the Encryption Key Management interface in the Server Manager.
  • Compliance logging to a Splunk server is handled separately from event logging for a Server or web application. For more information on integrating Splunk and CSM, see Splunk Integration (Splunk Integration, The Splunk integration is included in hosted environments by default. Compliance logging is optional.
  • Internal CSM auditing is enforced. CSM uses Journal-History records to track encryption/decryption attempts for encrypted fields in Business Object records.
  • References to encryption keys (identifiers and display names) are stored in the CSM database in a table separate from the Business Objects to which they belong; however, the actual encryption keys are not stored in the database. We recommend exporting keys to a password-protected Cherwell Key File (.ckf) and storing them in a secure location as backup. As a best practice, store .ckf and .czar files in separate locations.

To configure encryption keys for a CSM Server or Web Application:

  1. Select Start > All Programs > Cherwell Service Management > Tools > Server Manager.
  2. From the Server drop-down, select a Server or Web application.
  3. Click the Configure button next to Encryption keys.
  4. Select a database connection and enter your login credentials.

    This can only be done on a two-tier connection and is intended to be performed directly on the server running CSM.

    The Encryption Key Management window opens.

  5. Add an encryption key:
    1. Click the Add button.
    2. In the Prompt window, enter a name for the key. This is a display name only; the actual key is stored in the Windows Keystore.

      To edit the display name of an encryption key, select the key, and then click the Edit button.

    3. Select OK.

      A caution message opens, giving you the option to export encryption keys.

    4. Click Yes to export keys to a password-protected .ckf file.

      You can choose not to export keys. However, we recommend exporting and storing them in a secure location. Encryption keys are not stored in the database, and therefore are not exported in .czar files.

    5. If exporting keys, specify a folder location and name for the .ckf file.
    6. Click Save.

      Before the file is saved, you are prompted to enter a password to protect the file.

  6. (Optional) Configure compliance logging:
    1. Select the Compliance Logging check box.
    2. Click the Configure button.

      The Splunk Server Settings window opens.

    3. Define the following settings:
      • Server URL: Provide the URL of the Splunk Server (example: https://splunkserver:8089).
      • User Name: Provide the user name for the Splunk Server acount.
      • Password: Provide the password of the individual with an account on the Splunk Server.
      • Ignore Certificate Errors: Select this check box to ignore certificate errors that might be generated by Splunk using self-signed certificates to encrypt data. Select this check box only if you trust your connection with the server.
    4. Select Test to test the connection to the Splunk Server.
    5. Select OK.

  7. Close the Encryption Key Management Window.
  8. Configure encryption keys for another server or web application, as necessary.