Cryptography operations in IBM Integration Bus

Cryptography is the practice of securing communications against unauthorized third parties. It involves constructing and analyzing protocols that prevent unauthorized access, and it covers several aspects of information security, including authentication, data confidentiality, data integrity, and non-repudiation. Cryptography intersects the disciplines of computer science, electrical engineering, and mathematics. Applications include ATM cards, computer passwords, and many aspects of e-commerce.

The Crypto node plug-in is a set of nodes that performs asymmetric (public-key) cryptography with RSA keys in PGP format. The nodes:

  • Generate a pair of secret and public keys (RSA, stored as PGP keys).
  • Encrypt a payload using a PGP RSA public key.
  • Decrypt a payload using the corresponding PGP RSA secret key.

The Encryption node Base64-encodes the ciphertext it produces, and the Decryption node Base64-decodes its input before decrypting. Because Base64 output consists only of printable ASCII characters (letters, digits, +, / and =), the binary ciphertext can be carried as XML text without escaping, so XML data interchange succeeds. Base64 is an encoding, not a protection: the confidentiality of the data comes from the RSA encryption, not from the encoding.

Prerequisites

The Crypto node plug-in requires IBM® Integration Bus V9 or later; it was developed with V9 Fix Pack 1 on both Linux® and Microsoft® Windows®. The cryptographic implementation uses the BouncyCastle API. Download links are at the bottom of the article.

Installing

The node plug-in consists of two parts: a runtime JAR file named CryptographyRuntime.jar, and a design-time Toolkit plug-in named Cryptography_1.0.0.201409111915.jar, which provides the node for use in message flows.

Installing the runtime component

  1. Unzip the plug-in zip file and copy CryptographyRuntime.jar to every machine that runs a broker that needs to run the node.
  2. Place the JAR file in <IIB Install Directory>/jplugin (for example, C:\Program Files (x86)\IBM\MQSI\9.0.0.0\jplugin).

Installing the design-time component

  1. Unzip the plug-in zip file if you have not already done so and copy Cryptography_1.0.0.201409111915.jar to <IIB Toolkit Directory>/plugins, where <IIB Toolkit Directory> is where the IBM Integration Bus Toolkit was installed (for example, C:\Program Files (x86)\IBM\IntegrationToolkit90\plugins).

Installing the dependency JAR files

  1. The plug-in uses the BouncyCastle APIs. Place the BouncyCastle JAR files in the broker LIL path, or in the broker's shared-classes directory. On Windows: C:\ProgramData\IBM\MQSI\shared-classes. On UNIX: /var/mqsi/shared-classes.

Uninstalling

  1. Stop the broker and close the Toolkit.
  2. Remove the runtime JAR CryptographyRuntime.jar from the <IIB Install Directory>/jplugin directory.
  3. Remove the toolkit JAR Cryptography_1.0.0.201409111915.jar from the <IIB Toolkit Directory>/plugins directory.
  4. Restart the broker and open the Toolkit.

Node details

GenerateKeys

The GenerateKeys node generates a pair of secret and public keys using the PGP RSA algorithm:

The node writes both key files to the locations given in its properties. The secret key file is protected only by its passphrase and by the file-system permissions of the folder it is written to, so restrict access to that folder. GenerateKeys node properties:

  • Algorithm: Key generation algorithm. Currently only RSA is supported.
  • PublickKeyPath: Path, including file name, where the public key file is written.
  • PrivateKeyPath: Path, including file name, where the secret key file is written.
  • KeyIndentity: User ID recorded in the secret key (the PGP key identity).
  • Keypassphrase: Passphrase that protects the secret key.
  • isPassphraseEncoded: Set to true if the value in Keypassphrase is Base64-encoded; the node decodes it before use. Base64 is an encoding, not encryption, so it keeps the passphrase from being read at a glance but does not protect it.

EncryptionNode

  • By default this node encrypts the entire payload, regardless of the parser that owns the input message. The output is the encrypted payload under the BLOB parser.
  • You can instead encrypt the values of individual fields by creating, for each field, an element in the local environment of the form LocalEnvironment.Cryptographt.Encryption.<FieldName> = <FieldValue>. When the local environment is populated like this, the node does not encrypt the payload at all; it encrypts only the fields present in the local environment. The path must match exactly: if it does not, the node falls back to encrypting the whole payload.
  • For payload encryption the output is in BLOB format. For field-level encryption the local environment tree is updated with the encrypted values, and the message body is left unchanged.

Properties of this node:

  • Algorithm: Encryption algorithm. Currently only RSA is supported.
  • PublickKeyPath: Path, including file name, of the public key file used to encrypt.

Decryption Node

  • This node decrypts a payload that was previously encrypted with the public key, using the corresponding secret key.
  • You can also decrypt individual fields by placing the encrypted values in the local environment: LocalEnvironment.Cryptographt.Encryption.<FieldName> = <FieldValue>. When the local environment is populated like this, the node does not decrypt the payload; it decrypts only the fields present in the local environment.
  • For payload decryption the output is in BLOB format. For field-level decryption the local environment tree is updated with the decrypted values.

Properties of this node:

  • Algorithm: Decryption algorithm. Currently only RSA is supported.
  • PrivateKeyPath: Path, including file name, of the secret key file used to decrypt.
  • KeyIndentity: User ID recorded in the secret key (the PGP key identity).
  • Keypassphrase: Passphrase that protects the secret key.
  • isPassphraseEncoded: Set to true if the value in Keypassphrase is Base64-encoded; the node decodes it before use. Base64 is an encoding, not encryption, so it does not protect the passphrase.

How the node works

Key generation

The images below show that a private and public key are generated in the file system:

Payload encryption

A simple XML file is used as input and sent to the queue. The encryption node encrypts the entire payload using the public key:

Encrypted payload in BLOB format:

Encrypted payload read from queue:

Field-level encryption

The image below shows how field-level encryption works. You must list the fields to encrypt in the local environment tree, as shown below:

The fields must not be nested under further elements. If the same field occurs more than once, use indexes:

The output from the node is shown above, with the field values replaced by their encrypted values. When the local environment tree is populated like this, payload encryption is not performed; only the values of the fields in the local environment are encrypted.

Payload decryption

The encrypted payload is used as input, and a BLOB parser receives the message:

Decrypted text in BLOB format.

Text after decryption:

Comparing the payload before encryption to the payload after decryption shows the same data:

Field-level decryption

Sample payload:

<EncryptedData>
<Encryption> 
<Field1>hIwDFPdkENs54bsBBACHKDAld88k9MdDbNJSmyhQ7u/w3T7Ahn0XiwnSaFPq1KKZoMQrAYI6WVWS../2133yRs7cl4D+
VziZ5P7S3pxj9y+iAVrHTst0OLpCq54nbhkT7UgjHU+Es8/4enZdnanuNbO+9i..rf+eji45TvXOmHXYshUh7eKwCK/EeMLn1mJYs
MlTmCqufenxETPoJUpvI5ICbrbO5nEivrhiXS6a..FRX9W6k1iYrl5wiktkmtBW/UloINlhO9IX1ipm1UrkKQ+RZNlnOZP0P7ZpfJ
8trQBSMT1iSpss0=</Field1><Field2>hIwDFPdkENs54bsBA/sHOwRcAbf8b9PGNkr4pIhGbnCyRlQYCU4f3MU67zykHw+xZiqN
8luPTQFf..Ppnj0kIqYVmqCFgzDBvcz7ct2oJAh5BpAuP2OIk8Le8euD0MR9BEnMVHQtYTIbLkHrsiyQA4bnxk..Dc3z/7QC3ve7e
FEAOCt/WDaqPou4ogqNxXeMQMlS75aRGV59/qKe537CXGLYXlQEAk7ATgTw8uzN..KMOzO9M9g3XpSED///uj9pw0T5oxMPmgv1Oo
fxdiGJBCFsBpPwHtHZsQmKcs4d/5XG8QaDHhpA==</Field2><Field3>hIwDFPdkENs54bsBA/9jELn0fQPFWxx29VL0UJkEH0vX
9VxnHQJGaDddZ7pJzEa5Unco17/1+Fx+..t3ycbC/Z6eGIGrg1mnifa0U3JDx+KVAV6eKFL2SROoEy+qyr57GN2LH1iOuYbsollDY
c3vZeV9Xp..2yx/B5fZNa3K3L5ftHnSOuF9OXaAbmowXjSoyslSBX4by1fKCkn0pQp2g1FiTk0svmtR8lUZPtxE..mdWwLC8vEnMp
FqiwNhYFD/lghGwol59sH4DwihK0CJ5iFa0MJHKppN1hhtJ7jisI4oNWMmixjA==</Field3>
</Encryption>
</EncryptedData>

The local environment is populated as shown below:

Decrypted data:
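The field values in the sample above are Base64 text, and the article does not say what the bytes underneath are. Decoding the start of each value shows a standard OpenPGP Public-Key Encrypted Session Key packet (RFC 4880 section 5.1), which is what the BouncyCastle PGP API emits when encrypting to an RSA public key. The following Python script is an added example, not code from the article or the plug-in; it uses only the standard library to parse that packet header from the three sample values, so you can confirm, without the secret key, that a field really was encrypted, which key ID it was encrypted to, and roughly how large the RSA key is. The same check applies to the whole-payload BLOB output, since the article states it is Base64 as well. The sample values are copied from the page and truncated (the page elides the middle of each with ".."), so only the leading header is parsed; the function names are mine.

```python
import base64
import re

# Public-key algorithm IDs from RFC 4880 section 9.1.
PUBKEY_ALGS = {
    1: "RSA (Encrypt or Sign)",
    2: "RSA Encrypt-Only",
    3: "RSA Sign-Only",
    16: "Elgamal (Encrypt-Only)",
    18: "ECDH",
}

# Leading characters of the three Base64 field values from the page's
# field-level decryption sample (truncated; the page elides the rest).
SAMPLE_FIELDS = {
    "Field1": "hIwDFPdkENs54bsBBACHKDAld88k9MdDbNJSmyhQ7u/w3T7Ahn0XiwnSaFPq1KKZoMQrAYI6WVWS",
    "Field2": "hIwDFPdkENs54bsBA/sHOwRcAbf8b9PGNkr4pIhGbnCyRlQYCU4f3MU67zykHw+xZiqN",
    "Field3": "hIwDFPdkENs54bsBA/9jELn0fQPFWxx29VL0UJkEH0vX",
}


def parse_packet_header(data: bytes):
    """Return (tag, body_length, header_size) of an OpenPGP packet (RFC 4880 4.2)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet: bit 7 of the first octet is clear")
    if ctb & 0x40:  # new-format header
        tag = ctb & 0x3F
        first = data[1]
        if first < 192:
            return tag, first, 2
        if first < 224:
            return tag, ((first - 192) << 8) + data[2] + 192, 3
        if first == 255:
            return tag, int.from_bytes(data[2:6], "big"), 6
        raise ValueError("partial body lengths are not supported")
    tag = (ctb >> 2) & 0x0F  # old-format header
    length_type = ctb & 0x03
    if length_type == 0:
        return tag, data[1], 2
    if length_type == 1:
        return tag, int.from_bytes(data[1:3], "big"), 3
    if length_type == 2:
        return tag, int.from_bytes(data[1:5], "big"), 5
    raise ValueError("indeterminate packet length is not supported")


def inspect_pkesk(b64_text: str) -> dict:
    """Decode the start of a Base64 value written by the Encryption node and parse
    the Public-Key Encrypted Session Key packet (tag 1) that an OpenPGP message
    encrypted to a public key must begin with."""
    compact = re.sub(r"\s+", "", b64_text)
    # 24 Base64 characters = 18 bytes: enough for any header up to 6 bytes,
    # the 10 fixed PKESK bytes (version, key ID, algorithm) and the first MPI length.
    head = base64.b64decode(compact[:24])
    tag, body_length, header_size = parse_packet_header(head)
    if tag != 1:
        raise ValueError(f"expected a PKESK packet (tag 1), found tag {tag}")
    body = head[header_size:]
    mpi_bits = int.from_bytes(body[10:12], "big")
    return {
        "version": body[0],
        "key_id": body[1:9].hex().upper(),
        "algorithm": PUBKEY_ALGS.get(body[9], f"unknown ({body[9]})"),
        "body_length": body_length,
        "mpi_bits": mpi_bits,
        # The RSA ciphertext is an integer below the modulus, so its bit length
        # rounded up to whole bytes is a close estimate of the key size.
        "rsa_key_bits": ((mpi_bits + 7) // 8) * 8,
    }


def check_fields(fields: dict) -> dict:
    """Inspect every field and confirm all are RSA-encrypted to the same key."""
    results = {name: inspect_pkesk(value) for name, value in fields.items()}
    key_ids = {r["key_id"] for r in results.values()}
    if len(key_ids) != 1:
        raise ValueError(f"fields are encrypted to different keys: {sorted(key_ids)}")
    for name, r in results.items():
        if not r["algorithm"].startswith("RSA"):
            raise ValueError(f"{name}: unexpected algorithm {r['algorithm']}")
    return results


if __name__ == "__main__":
    for name, info in check_fields(SAMPLE_FIELDS).items():
        print(name, info)
```

On this sample all three fields decode to version 3 PKESK packets encrypted with RSA to key ID 14F76410DB39E1BB, and the session-key MPI is 1024 bits wide, so the public key used was a 1024-bit RSA key. 1024-bit RSA is below current recommendations (2048 bits is the usual minimum), so check the size of the key your GenerateKeys node produced before relying on it for sensitive data. If a field value fails this check with "not an OpenPGP packet", the most likely cause is that the local environment path did not match what the node expects and the value was never encrypted.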

Conclusion

The Crypto node plug-in for IBM Integration Bus lets you protect sensitive data, either whole payloads or selected fields, in a wide variety of use cases.


developerWorks article 992369, Zone=Middleware, publish-date=12102014