How to Configure Database Protection using HMAC

The following describes how to set up database protection using the HMAC algorithm for integrity protection.

1. Generate a private key and a certificate.

   openssl ecparam -genkey -name prime256v1 -noout -out key.pem

   openssl req -new -x509 -key key.pem -out certificate.pem -days 7300 -subj "/CN=Database Protection"

2. Put the private key and the certificate in a PKCS#12 file. OpenSSL will ask you for a password that will be used to encrypt the keystore. Make a note of this password, as you will need it later.

   openssl pkcs12 -export -inkey key.pem -in certificate.pem -out bag.p12 -name dbProtect

3. Print the base64 encoded PKCS#12 file.

   cat bag.p12 | base64 | tr -d '\012'

4. Put the following configuration in databaseprotection.properties.

   conf/databaseprotection.properties

   databaseprotection.keyid.1 = 234

   databaseprotection.keylabel.1 = dbProtect

   databaseprotection.classname.1 = org.cesecore.keys.token.SoftCryptoToken

   databaseprotection.data.1 = <the base64 encoded bag.p12 goes here>

   databaseprotection.tokenpin.1 = <the password for bag.p12>

   databaseprotection.version.1 = 1