Version:

MarketplaceSupport

RadiantOne Directory Attribute Encryption

Attribute encryption prevents data from being readable while stored in a RadiantOne Directory store, any temporary replication stores/attributes (cn=changelog, cn=replicationjournal, cn=localjournal), backup files, and exported LDIF files (must use the LDIFZ file extension). Attribute values are encrypted before they are stored in the Universal Directory store, and decrypted before being returned to the client, as long as the client is authorized to read the attribute (based on ACLs defined in RadiantOne), is connected to RadiantOne via SSL, and is not a member of the special group (e.g. cn=ClearAttributesOnly,cn=globalgroups,cn=config).

There are two items to configure. One is the criteria for the key generation used to encrypt/decrypt the attributes. Two is the list of attributes you want to encrypt.

Key Generation

To define the criteria used to generate an encryption key:

  1. Navigate to Main Control Panel > Settings Tab > Security section > Attribute Encryption sub-section.

  2. On the right, click Define Key Generation.

  3. Select the desired cipher from the drop-down list or select AWSKMS if you want to use your own Customer Master Key (CMK) in Amazon Web Services (AWS) Key Management Service (KMS) and have configured the necessary settings in ZooKeeper. If unlimited Java security libraries are installed, there are more ciphers shown in this drop-down list.

    An image showing

    Figure 20: Attribute Encryption Key

  4. If you selected a cipher suite in the previous step, enter a security key. This value is used to auto-generate an encryption key. If you plan on deploying multiple clusters that will participate in inter cluster replication for encrypted attributes, take note of the value you enter here as you must use it when configuring the security key in the other clusters.

An encryption key is auto-generated based on the cipher and security key value provided. This key is used across nodes in a cluster to encrypt/decrypt the attributes configured for encryption. If inter-cluster replication is deployed, all clusters must be configured with the same cipher and security key.

Using Amazon Web Services (AWS) with a Customer Master Key (CMK)

Instead of using the default key generation, you have the option to use a customer master key stored in AWS. The following steps describe the configuration.

  1. Log into your AWS account to create your CMK (Customer Master Key).

  2. With your CMK information, log into the Main Control Panel and go to the ZooKeeper tab.

  3. On the ZooKeeper tab, navigate to /radiantone/v2/doccluster/config/vds_server.conf, click Edit Mode, and locate the following properties:

    "awsAccessKeyId" : null,
    "awsSecretAccessKey" : null,
    "awsKmsCMKRegion" : null,
    "awsKmsCMKAlias" : null,

  4. For the “awsAccessKeyId” property, overwrite the null value with your AWS Access Key ID.

  5. For the “awsSecretAccessKey” property, overwrite the null value with your AWS Access Key Secret.

  6. For “awsKmsCMKRegion” property, overwrite the null value with your AWS region (e.g. "us-east-2").

  7. For “awsKmsCMKAlias” property, overwrite the null value with (e.g. "alias/My_Master_Key”).

  8. Click Save.

  9. Navigate to Main Control Panel > Settings > Security > Attribute Encryption and click Define Key Generation in the relevant section.

  10. Select the AWSKMS option from the drop-down list and click OK.

  11. Click OK to confirm.

  12. Define the attributes to encrypt as outlined in the next section.

Attributes to Encrypt

No attributes are encrypted by default. To configure a list of attributes to encrypt:

  1. Navigate to the RadiantOne Universal Directory (HDAP) store (or configured persistent cache branch) on the Main Control Panel > Directory Namespace tab.

  2. Enter a comma-separated list of attribute names in the Encrypted Attributes property.

  3. Click Save.

  4. Click Re-build Index (if your configuration is a Universal Directory Store) or Initialize to reinitialize the cache (if your configuration is a Persistent Cache).

Attributes listed in the Encrypted Attributes property are added to the Non-indexed attribute list by default. This means these attributes are not searchable by default. Indexing encrypted attributes is generally not advised as the index itself is less secure than the attribute stored in Universal Directory/persistent cache. However, if you must be able to search on the encrypted attribute value, it must be indexed. Only “exact match/equality” index is supported for encrypted attributes. To make an encrypted attribute searchable, remove the attribute from the list of nonindexed attributes and then click Re-build Index or Initialize (to reinitialize) if the branch is a persistent cache.

Accessing Encrypted Attributes

Attribute values are encrypted before they are stored in Universal Directory/persistent cache, and decrypted before being returned to the client, as long as the client is authorized to read the attribute (based on ACLs defined in RadiantOne), is connected to RadiantOne via SSL, and not a member of the special group containing members not allowed to get these attributes (e.g. cn=ClearAttributesOnly,cn=globalgroups,cn=config).   When viewing Universal Directory/persistent cache entries or exporting them to an LDIF file from the Main Control Panel > Directory Browser tab, make sure you are connected via SSL, otherwise the attributes are returned/exported as encrypted.

If you are connected to the Control Panel via SSL, then the operations performed on the Directory Browser tab are based on an SSL connection to RadiantOne, and the attributes defined as encrypted are returned decrypted as long as the user you’ve connected to the Main Control Panel with is authorized to read those attributes and this user is not a member of the Clear Attributes Only Group (which by default is the ClearAttributesOnly group located at,ou=globalgroups,cn=config).

When entries containing encrypted attributes are updated and logged into the RadiantOne changelog (e.g. cn=changelog), a client that is connected to RadiantOne via SSL, and is NOT a member of the special Clear Attributes Only Group (which by default is the ClearAttributesOnly group located at,ou=globalgroups,cn=config) can see encrypted attributes in clear text. If the client is connected to RadiantOne via SSL and is a member of the special Clear Attributes Only Group, the value in the “changes” attribute is returned encrypted.

Clear Attributes Only Group

To apply a deny-by-exception policy to encrypted attributes, you can add users to the ClearAttributesOnly group. Members of this group cannot get encrypted attributes in clear, even if ACLs dictate they can read the encrypted attribute(s) and they are connecting to RadiantOne via SSL.

The table below summarizes the behavior of this special group when a user is connected to RadiantOne via SSL.

Is user a member of the special group?
Attributes In DIT
Values in “changes” attribute In Changelog

No

Clear text

Clear text

Yes

Not displayed

Encrypted

To add a user to the Clear Attributes Only group:

  1. In the Main Control Panel, click the Directory Browser tab.

  2. Expand cn=config and then expand ou=globalgroups.

  3. Select cn=ClearAttributesOnly.

  4. On the right, click Manage Group (Manage Group).

  5. From here you can add users to the group.

Updating Encrypted Attributes

To update encrypted attributes, the client must connect to RadiantOne via SSL and be authorized (via ACLs) to read and update the attribute and not be in the special Clear Attributes Only Group. When editing entries from the Main Control Panel > Directory Browser tab > selected Universal Directory store, encrypted attributes appear as encrypted because this operation is not connected to RadiantOne via SSL. If you are connected to the Control Panel via SSL, then the Directory Browser tab connects to RadiantOne via SSL and the attributes defined as encrypted are shown in clear as long as the user you’ve connected to the Main Control Panel is authorized to read those attributes and is not a member of the blacklisted group. In this case, the connected user can also update the encrypted attribute if permissions allow for it.

Changing an Encryption Key

If you need to change the encryption security key, follow the steps below.

  1. Go to Main Control Panel > Directory Namespace tab.

  2. Select the naming context representing the Universal Directory (HDAP) store.

  3. On the right, remove all values from the encrypted attributes list.

  4. Click Save.

  5. Click Re-build Index.

  6. Repeat steps 1-5 for each store that has encrypted attributes.

  7. Go to Main Control Panel > Settings tab > Security > Attribute Encryption.

  8. Click Define Key Generation. This option is only available if you removed encrypted attributes and rebuilt the index for all applicable stores.

  9. Go to Main Control Panel > Directory Namespace tab.

  10. Select the naming context representing the Universal Directory (HDAP) store.

  11. On the right, add required attributes to the encrypted attributes list.

  12. Click Save.

  13. Click Re-build Index.

  14. Repeat steps 9-13 for all stores that require encrypted attributes.


LDIF File Encryption

Using the LDIFZ format when exporting entries produces a zipped and encrypted LDIF file. This prevents data from being readable while stored in exported LDIF files. This setting is required to support LDIFZ file exports.

Key Generation

To define the criteria used to generate an encryption key:

  1. Navigate to Main Control Panel > Settings Tab > Security section > Attribute Encryption sub-section.

  2. On the right, for LDIFZ Encryption Key, click Define Key Generation.

  3. Select the desired cipher from the drop-down list or select AWSKMS if you want to use your own Customer Master Key (CMK) in Amazon Web Services (AWS) Key Management Service (KMS) and have configured the necessary settings in ZooKeeper. If unlimited Java security libraries are enabled, there are more available ciphers in this drop-down list.

  4. If you selected a cipher suite in the previous step, enter a security key. This value is used to auto-generate an encryption key. If you plan on deploying multiple clusters that will participate in inter cluster replication and you are going to initialize Universal Directory (HDAP) stores from an exported LDIFZ file, take note of the value you enter here as you must use it when configuring the LDIFZ cipher and security key in the other clusters.

Changing an Encryption Key

If you need to change the LDIFZ encryption security key, follow the steps below.

  1. Go to Main Control Panel > Settings tab > Security > Attribute Encryption.

  2. On the right, for LDIFZ Encryption Key, click Define Key Generation.

  3. Select the cipher and enter a security key.

  4. Click OK.

  5. Click Save.

Requiring LDIFZ for Exports

The Secure LDIF Export option allows you to enforce the use of the encrypted LDIFZ format when exporting entries from the Directory Browser tab. With this setting enabled, using the unencrypted LDIF format for exports is not supported.

To enable the secure LDIF export option:

  1. In the Main Control Panel, click the Settings tab.

  2. Navigate to the Security section and select Attribute Encryption.

  3. In the Secure LDIF Export section, click the Enabled switch.

  4. Click Save.

This feature works with the LDIFZ Encryption option as outlined in the table below.

LDIFZ Encryption Key

Secure LDIF Export

Available Export Formats:
LDIF

Available Export Formats:
LDIFZ

undefined

Disabled

🗹

undefined

Enabled

N/A because you can’t enable Secure LDIF if the LDIFZ encryption key is not defined.

N/A because you can’t enable Secure LDIF if the LDIFZ encryption key is not defined.

defined

Disabled

🗹

🗹

defined

Enabled

🗹

IN THIS PAGE