Question
Bentego
TR
Last activity: 13 Nov 2024 11:23 EST
Encrypting system data by using a custom key management service - Failed to add keystore to cache
Hello dears,
When I execute Java code through an activity, I get a "Failed to add keystore to cache" error message at run time. After keyUtil.loadMasterKeyForSystemDataEncryption(customMasterKey) has been executed, the exception occurs.
```java
// TODO: assign 16 byte master key
// Note: this literal is 64 characters long, so getBytes() returns 64 bytes, not the 16 the TODO asks for
byte[] masterKey = "qvhgLaZ21WtDxxsz3Vpjag08ZYiMtKhaFLkvNA4Ieb+RtNcG4a8DxjyGMyAh61kN".getBytes();
KeyStoreUtils keyUtil = pega.getKeyStoreUtils();
CustomMasterKey customMasterKey = keyUtil.getMasterKeyObject();
customMasterKey.setMasterKey(masterKey);
// The exception is raised after this call
keyUtil.loadMasterKeyForSystemDataEncryption(customMasterKey);
```
How can I solve this issue?
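As an added example (not from the original post and not Pega code), a small standalone Java helper that turns a configured key string into master-key bytes and rejects anything that is not the 16 bytes the sample's TODO asks for, so a length mismatch fails with a clear message before the key reaches the Pega API. The class name, the environment variable name and the 16-byte constant are assumptions; the check does not rule out other causes of the cache error.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Hypothetical helper (not part of Pega): validates master-key material before use. */
public final class MasterKeyLoader {
    private MasterKeyLoader() {}

    /** Assumed expected length; the TODO in the sample asks for a 16-byte master key. */
    public static final int EXPECTED_KEY_BYTES = 16;

    /** Decode a Base64 string (the form most KMS/vault tools export) and check its length. */
    public static byte[] fromBase64(String encoded) {
        byte[] key;
        try {
            key = Base64.getDecoder().decode(encoded.trim());
        } catch (IllegalArgumentException e) {
            throw new IllegalArgumentException("master key is not valid Base64", e);
        }
        return requireLength(key, "decoded Base64 key");
    }

    /** The getBytes() route used in the question, with the same length check applied. */
    public static byte[] fromRawString(String literal) {
        return requireLength(literal.getBytes(StandardCharsets.UTF_8), "raw UTF-8 key");
    }

    private static byte[] requireLength(byte[] key, String what) {
        if (key.length != EXPECTED_KEY_BYTES) {
            throw new IllegalArgumentException(
                what + " is " + key.length + " bytes, expected " + EXPECTED_KEY_BYTES);
        }
        return key;
    }

    public static void main(String[] args) {
        // The literal from the question is 64 characters: getBytes() yields 64 bytes and
        // Base64-decoding it yields 48 bytes, so both paths are rejected by the check.
        String fromQuestion = "qvhgLaZ21WtDxxsz3Vpjag08ZYiMtKhaFLkvNA4Ieb+RtNcG4a8DxjyGMyAh61kN";
        for (String route : new String[] {"raw", "base64"}) {
            try {
                byte[] k = route.equals("raw") ? fromRawString(fromQuestion) : fromBase64(fromQuestion);
                System.out.println(route + ": accepted " + k.length + " bytes");
            } catch (IllegalArgumentException e) {
                System.out.println(route + ": rejected, " + e.getMessage());
            }
        }
        // Constructed 16-byte key, Base64-encoded as a secret store would hand it over; passes.
        String ok = Base64.getEncoder().encodeToString("0123456789abcdef".getBytes(StandardCharsets.UTF_8));
        System.out.println("constructed key: accepted " + fromBase64(ok).length + " bytes");
        // In the activity you would instead read e.g. System.getenv("PEGA_MASTER_KEY_B64") (assumed name)
        // and pass the validated array to customMasterKey.setMasterKey(...).
    }
}
```

Reading the key from a secret store or environment variable rather than a literal in the activity keeps it out of rule source and out of tracer output.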
Accepted Solution
Updated: 11 Nov 2024 9:40 EST
Bentego
TR
Hi @PRATAPB1
We are proceeding with "Configuring a HashiCorp Vault keystore" option (installing HashiCorp in some cluster and performing POCs) as "Encrypting system data by using a custom key management service" option has been deprecated for some reason.
Bentego
TR
@VarunK66 I have not found the root cause. A last option would be to do it with custom Java code, apart from following the documentation, but I do not recommend deploying it to production or spreading the custom Java approach across the whole application before performing solid testing, especially if an outage of the application could drastically harm the organization financially. In addition, I am afraid that we cannot use the OOTB @encrypt… @decrypt… functions and encrypted properties with this custom Java approach.
Maantic Technologies Pvt Ltd.
IN
Hi @m.caldag
Not sure why you are using custom Java code to load the cipher. You can always navigate to the Configure --> System --> Settings --> Data Encryption landing page, specify a platform cipher (a keystore pointing to your custom key management service) and activate it.
Once it is activated successfully, you should be able to encrypt all your application properties using the "PropertyEncrypt" type of Access Control Policy.
Updated: 22 Mar 2024 13:43 EDT
Bentego
TR
Hi @SrijitaB, the keystore drop-down is initially empty. You have to create a keystore first and associate a data page if the keystore location is selected as "Customer - source master key from other KMS using a data page". The client is not working with any external services like Amazon KMS, Microsoft Azure Key Vault, Google Cloud KMS or HashiCorp Vault, so the custom option is one of the options. Tracer is showing the failure after execution of the activity that is associated with the source data page of the keystore.
https://docs-previous.pega.com/security/87/creating-data-page-activity-master-key-custom-source
Barclays
GB
Hi @m.caldag,
We had contacted Pega on this and they have confirmed that custom key management is not going to be deprecated, and we have got it working now (new sample code needed). Pega has updated the page to confirm the same.
Thanks,
Bhanu
Bentego
TR
Hi @BhanuP389
Well done on getting the fixed and fresh sample code. However, we will stick with the initial announcement and continue with the HashiCorp Vault option (source master key from HashiCorp Vault configuration).
Good luck.
Pegasystems Inc.
IN
@m.caldag Can you try configuring the system data encryption section in the data encryption configuration page (Configure -> System -> Settings -> Data Encryption)? And if you are running the Java code using the activity, have you specified the keystore file in the parameter page of the activity? Thank you!
Bentego
TR
Hi @Manojkumar_ J,
I could not try it because I failed on the preparation steps of the keystore, and no, I have not set a file path in any parameter value, because I simply set the string value and obtained the byte array using the getBytes function, as recommended in the link below.
https://docs-previous.pega.com/security/87/creating-data-page-activity-master-key-custom-source