Encryption

A few important points to keep in mind while enabling encryption in Sterling B2B Integrator are given below.

Encrypt data in transit

  • Ensure that data in transit is always secured.
  • Disable all unsecured adapters and interfaces (HTTP/FTP) and use secured adapters and interfaces (TLS/SSH and HTTPS/FTPS/SFTP).
  • Use NIST mode.

Encrypt data at rest

  • Data in storage is not encrypted by default during installation. It must be enabled before the system is put into service.
  • When documents are within the application, document encryption can be configured to handle this automatically within the database or filesystem.
  • When exporting documents, for example saving them to an external file system outside the control of the application, integrate with encryption tools such as PGP.
  • The security.properties file contains the configuration for document encryption. The system certificate configured in Sterling B2B Integrator is CERT_NAME=doccrypto2. This can be an HSM certificate.

    Encrypting data in the database:

    Name of the certificate to use - dbcrypt.default.cert=DefDBCrypt

    Number of times a key can be used before being discarded and recreated - dbcrypt.default.maxkeyuse=10000

    Number of seconds the key will remain in use - dbcrypt.default.maxlifespan=10800

    Algorithm to use for encryption - dbcrypt.default.algorithm=AES-128

    You can change the above configuration by copying it to the customer_overrides.properties file and prefixing each parameter with "security.". For example: security.dbcrypt.default.maxkeyuse=10000

Encrypt database passwords

  • Database passwords are encrypted using one of two methods, OBSCURED or ENCRYPTED. Replace clear-text passwords within property files using the ENCRYPTED method.
  • The encryption method is decided by the value of the encryptionPrefix in propertyEncryption.properties or propertyEncryption.properties_platform_security_ext file.

Encrypt LDAP passwords

  • Hide LDAP-related passwords in property files by encrypting them in the customer_overrides.properties file.
  • Related documentation: Encrypt LDAP Passwords

Disable weak ciphers

  • Use the following properties to disable the weak ciphers:
    StrongTLS1.2OnlyCipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA256,
    TLS_RSA_WITH_AES_256_CBC_SHA256
    NISTCompliantCipherSuite=TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
    TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
    TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Enable TLS on JDBC connection pools

  • TLS between Sterling B2B Integrator and the database is achieved by using the capabilities of the database JDBC driver and the database server.
  • The jdbc.properties or customer_overrides.properties file must include:
    oraclePool.url=jdbc:oracle:thin:@(DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcps)(HOST=<DB host>)
    (PORT=<TCPS port>))
    (CONNECT_DATA=(SERVICE_NAME=<service name>)))
  • In customer_overrides.properties, the parameter must be prefixed with "jdbcService.".

Secure JDBC keystores and truststores

  • When JDBC TLS is enabled, the following additional properties are added to the customer_overrides.properties file. Protect the keystore files so that only the application user or root can access them.
    jdbcService.oraclePool.prop_javax.net.ssl.trustStore=
    $$PATH$$/ClientTrustStore.jks
    jdbcService.oraclePool.prop_javax.net.ssl.keyStore=
    $$PATH$$/ClientKeyStore.jks

Use HSM to store all system and private certificates

  • Sterling B2B Integrator supports the following HSM devices: SafeNet Luna SA and nCipher nShield Connect.
  • Related documentation: Hardware Security Module (HSM)

Document encryption

  • Use document encryption to encrypt the payload data stored in the database and/or the file system.
  • Document encryption is disabled by default. You can enable it by adding one of the following properties to the customer_overrides.properties file:
    • security.ENC_DECR_DOCS=ENC_ALL - Enable document encryption for file system and database documents. (Recommended)
    • security.ENC_DECR_DOCS=ENC_DB - Enable document encryption for database documents.
    • security.ENC_DECR_DOCS=ENC_FS - Enable document encryption for file system documents.

Document encryption algorithms

The following algorithms for document encryption are supported:
  • AES
  • AES-128
  • AES-192
  • AES-256
  • DES
  • DESede
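
The following script is an added example (not IBM's code) that audits a customer_overrides.properties file against the points above: the recommended ENC_ALL mode, an AES document-encryption algorithm, the required "security." prefix on dbcrypt overrides, a tcps JDBC URL, the JDBC keystore and truststore properties, and cipher-suite lists that still contain 3DES (a check that goes beyond the page's own lists). The sample properties are constructed, and the assumption that cipher-suite properties appear in this file is the author's.

```python
# Added example, not IBM code: audit customer_overrides.properties against the
# hardening points on this page. SAMPLE is constructed and seeded with one finding
# per check; where cipher-suite keys live is assumed (any key ending "CipherSuite").
import re

SAMPLE = """\
security.ENC_DECR_DOCS=ENC_DB
security.dbcrypt.default.algorithm=AES-128
dbcrypt.default.maxkeyuse=500
jdbcService.oraclePool.url=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=db.example.internal)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=sbi)))
jdbcService.oraclePool.prop_javax.net.ssl.trustStore=/opt/sbi/ClientTrustStore.jks
NISTCompliantCipherSuite=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA
"""

def parse_properties(text):
    """Minimal key=value parser; splitting on the first '=' keeps URLs containing '=' intact."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    mode = props.get("security.ENC_DECR_DOCS")
    if mode != "ENC_ALL":
        findings.append(f"security.ENC_DECR_DOCS={mode}: ENC_ALL is the recommended setting")
    algorithm = props.get("security.dbcrypt.default.algorithm", "")
    if not algorithm.startswith("AES"):
        findings.append(f"dbcrypt algorithm {algorithm!r}: use an AES variant, not DES/DESede")
    for key in props:
        if key.startswith("dbcrypt."):  # copied from security.properties without the prefix
            findings.append(f"{key} lacks the 'security.' prefix required for overrides")
    url = props.get("jdbcService.oraclePool.url", "")
    if not re.search(r"\(PROTOCOL=tcps\)", url, re.IGNORECASE):
        findings.append("jdbcService.oraclePool.url does not use PROTOCOL=tcps (no TLS to the database)")
    for store in ("trustStore", "keyStore"):
        if f"jdbcService.oraclePool.prop_javax.net.ssl.{store}" not in props:
            findings.append(f"JDBC TLS {store} is not configured")
    for key, value in props.items():
        if key.endswith("CipherSuite"):
            weak = [s for s in value.split(",") if "3DES" in s]
            if weak:
                findings.append(f"{key} still allows 3DES suites: {', '.join(weak)}")
    return findings
```

Run audit(parse_properties(open(path).read())) against a real overrides file; the constructed SAMPLE produces five findings.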

SSH Key Length

  • Key length of all SSH User Identity Keys should be 2048 bits or higher.