Encrypt the new content for a storage area to help protect the confidentiality of the content in case the content is accessed outside of FileNet® P8. You can also force the generation of a new encryption key at any time. You might want a new key as a precautionary measure or when you suspect that the security of the current key is compromised.
About this task
You can direct Content Platform Engine to encrypt and decrypt content by using AES in Counter mode, which is a Federal Information Processing Standard (FIPS) 140-compliant algorithm, with a 128-bit key or a 256-bit key. The AES cipher is available automatically through the Java runtime that the FileNetEngine application is deployed with. To enable content encryption for a storage area by using AES, start from step 2 in the following procedure.

Starting with V5.5.10, when the Content Platform Engine is deployed as a container, an alternative encryption cipher is available. You can configure usage of the SM4 encryption cipher for content encryption. To enable a containerized deployment of the Content Platform Engine to use SM4 encryption, start from step 1 in the following procedure.
Restriction:
- Existing content is not encrypted or reencrypted.
- When content is replicated to an Advanced Storage Device, it is encrypted.
- When passed for indexing, content is not encrypted.
Important: The retrieval of encrypted content relies upon information that is
stored in the object store data. If that information is lost, the content is effectively lost also.
To avoid such problems, regularly back up the object store data.
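The following is an added example (not IBM code and not the Content Platform Engine's actual storage layout) that models the behaviour described above with the Go standard library: new content is encrypted with AES in Counter mode under a 128-bit or 256-bit key, a new key can be generated at any time, content that already exists is not re-encrypted and so stays bound to the key it was written with, and if the key information that the object store data holds is lost, the content is unrecoverable. The KeyRing and EncryptedContent types, and the Forget method that simulates loss of object store data, are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedContent is the record a storage area would have to persist for
// one content element: which key encrypted it, the per-element CTR nonce
// (initial counter block) and the ciphertext. Constructed for this example.
type EncryptedContent struct {
	KeyID      int
	Nonce      []byte // aes.BlockSize bytes; must never repeat under the same key
	Ciphertext []byte
}

// ErrKeyLost is returned when the key information for a content element is gone.
var ErrKeyLost = errors.New("encryption key not found: content is unrecoverable")

// KeyRing stands in for the key information that the object store data holds.
// Every generated key is retained, because generating a new key does not
// re-encrypt content that already exists.
type KeyRing struct {
	keys      map[int][]byte
	currentID int
}

// NewKeyRing creates a ring whose first key is bits (128 or 256) long.
func NewKeyRing(bits int) (*KeyRing, error) {
	kr := &KeyRing{keys: map[int][]byte{}}
	if err := kr.Rotate(bits); err != nil {
		return nil, err
	}
	return kr, nil
}

// Rotate generates a fresh random key and makes it current for new content.
func (kr *KeyRing) Rotate(bits int) error {
	if bits != 128 && bits != 256 {
		return fmt.Errorf("unsupported AES key size %d bits (use 128 or 256)", bits)
	}
	key := make([]byte, bits/8)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return err
	}
	kr.currentID++
	kr.keys[kr.currentID] = key
	return nil
}

// Encrypt protects new content with the current key using AES in CTR mode
// and a fresh random nonce for this content element.
func (kr *KeyRing) Encrypt(plaintext []byte) (*EncryptedContent, error) {
	block, err := aes.NewCipher(kr.keys[kr.currentID])
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := make([]byte, len(plaintext))
	cipher.NewCTR(block, nonce).XORKeyStream(ciphertext, plaintext)
	return &EncryptedContent{KeyID: kr.currentID, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Decrypt looks up the key recorded with the content; in CTR mode decryption
// is the same keystream XOR as encryption.
func (kr *KeyRing) Decrypt(ec *EncryptedContent) ([]byte, error) {
	key, ok := kr.keys[ec.KeyID]
	if !ok {
		return nil, ErrKeyLost
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	plaintext := make([]byte, len(ec.Ciphertext))
	cipher.NewCTR(block, ec.Nonce).XORKeyStream(plaintext, ec.Ciphertext)
	return plaintext, nil
}

// Forget simulates losing the object store data that held one key.
func (kr *KeyRing) Forget(id int) { delete(kr.keys, id) }

func main() {
	kr, _ := NewKeyRing(256)
	old, _ := kr.Encrypt([]byte("content stored before the new key was generated"))
	_ = kr.Rotate(256) // force a new key: new content uses it, old content does not
	pt, err := kr.Decrypt(old)
	fmt.Printf("after new key: %q (err=%v)\n", pt, err)
	kr.Forget(old.KeyID) // object store data for the old key is lost
	_, err = kr.Decrypt(old)
	fmt.Println("after key loss:", err)
}
```

The point the model makes concrete is why the backup advice matters: the ciphertext in the storage area is useless without the key record kept in the object store data, and because existing content is never re-encrypted, every key that was ever current has to survive, not only the latest one.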
Procedure
- (V5.5.10 or later) To enable a containerized deployment of the Content Platform Engine to
use SM4 encryption, you must upload an appropriate bouncycastle.jar file and
configure the CR to provide its name to the operator. Before you enable the content encryption,
complete the following steps:
- Create a working directory on the client that you intend to use to connect to the
Kubernetes cluster.
- Download an appropriate version of bouncycastle.jar from bouncycastle.org. Review the information about recommended versions available in the IBM
Software Product Compatibility Reports for the FileNet Content Manager. Place the JAR file into the
working directory.
- Determine the name of a running Content Platform Engine container.
- Copy the bouncycastle.jar into the configDropins/overrides directory of a running Content Platform Engine container. For example, by using the oc cli:
    kubectl cp ./bouncycastle.jar <cpe pod>:/opt/ibm/wlp/usr/servers/defaultServer/configDropins/overrides
- Create a configmap to provide the Content Platform Engine container with an
environment variable holding the name of the bouncycastle.jar. When the Content Platform Engine pod
is restarted, the JAR is copied from the temporary location of
configDropins/overrides to the location used by the Content Platform Engine
services.
    Example YAML for the configmap:
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: env_vars_configmap
    data:
      COPY_TO_JRE_LIB: bouncycastle.jar
- Add the following to the ecm_configuration.cpe section of the CR, where the name matches the configmap created in the previous step:
    cpe_production_setting:
      custom_configmap:
        - name: env_vars_configmap
          is_env: true
- Wait for the operator reconcile to apply the changes and restart the Content Platform
Engine deployment.
- Proceed with the next set of instructions for using ACCE to select SM4 as the content
encryption method.
- To enable content encryption for a storage area, access the storage area in the
administration console:
- In the domain navigation pane, click the object store.
- In the object store navigation pane, click .
- Depending on the storage area type, click either , or click Storage Areas.
- Open the storage area.
- On the Configuration tab, click Encryption method and select the encryption key that is created to encrypt the storage area.
Tip: To force the generation of a new encryption key for a storage area when encryption
is already enabled, clear the checkbox and then select it again.