Encrypting content

Encrypt the new content for a storage area to help protect the confidentiality of the content in case the content is accessed outside of FileNet® P8. You can also force the generation of a new encryption key at any time. You might want a new key as a precautionary measure or when you suspect that the security of the current key is compromised.

About this task

You can direct Content Platform Engine to encrypt and decrypt content by using AES in Counter mode, which is a Federal Information Processing Standard (FIPS) 140-compliant algorithm, with a 128-bit key or a 256-bit key. The AES cipher is available automatically through the Java runtime the FileNetEngine application is deployed with. To enable content encryption for a storage area by using AES, start from step 2 in the following procedure.

Starting with V5.5.10, when the Content Platform Engine is deployed as a container, an alternative encryption cipher is available. You can configure usage of the SM4 encryption cipher for content encryption. To enable a containerized deployment of the Content Platform Engine to use SM4 encryption, start from step 1 in the following procedure.

Restriction:
  • Existing content is not encrypted or reencrypted.
  • When content is replicated to an Advanced Storage Device, it is encrypted.
  • When passed for indexing, content is not encrypted.
Important: The retrieval of encrypted content relies upon information that is stored in the object store data. If that information is lost, the content is effectively lost also. To avoid such problems, regularly back up the object store data.

Procedure

  1. (V5.5.10 or later) To enable a containerized deployment of the Content Platform Engine to use SM4 encryption, you must upload an appropriate bouncycastle.jar file and configure the CR to provide its name to the operator. Before you enable the content encryption, complete the following steps:
    1. Create a working directory on the client that you intend to use to connect to the Kubernetes cluster.
    2. Download an appropriate version of bouncycastle.jar from bouncycastle.org. Review the information about recommended versions available in the IBM Software Product Compatibility Reports for the FileNet Content Manager. Place the JAR file into the working directory.
    3. Determine the name of a running Content Platform Engine container.
    4. Copy the bouncycastle.jar into the configDropins/overrides directory of a running Content Platform Engine container. For example, by using the kubectl or oc CLI:
      kubectl cp ./bouncycastle.jar <cpe pod>:/opt/ibm/wlp/usr/servers/defaultServer/configDropins/overrides
    5. Create a configmap to provide the Content Platform Engine container with an environment variable holding the name of the bouncycastle.jar. When the Content Platform Engine pod is restarted, the JAR is copied from the temporary location of configDropins/overrides to the location used by the Content Platform Engine services.
      Example YAML for the configmap:
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: env_vars_configmap
      data:
        COPY_TO_JRE_LIB: bouncycastle.jar
    6. Add the following to the ecm_configuration.cpe section of the CR. The name must match the metadata.name of the configmap that you created in the previous step:
      cpe_production_setting:
        custom_configmap:
        - name: env_vars_configmap   # must match metadata.name of the configmap from step 5
          is_env: true
    7. Wait for the operator reconcile to apply the changes and restart the Content Platform Engine deployment.
    8. Proceed with the next set of instructions for using ACCE to select SM4 as the content encryption method.
  2. To enable content encryption for a storage area, access the storage area in the administration console:
    1. In the domain navigation pane, click the object store.
    2. In the object store navigation pane, click Administrative > Storage.
    3. Depending on the storage area type, click either Advanced Storage > Advanced Storage Areas, or click Storage Areas.
    4. Open the storage area.
  3. On the Configuration tab, click Encryption method and select the method to encrypt the storage area with. The encryption key that is created for that method is used to encrypt new content in the storage area.
    Tip: To force the generation of a new encryption key for a storage area when encryption is already enabled, clear the checkbox and then select it again.
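The configmap and the CR fragment from step 1 must agree with each other and with the JAR that was actually uploaded, or the operator never sets COPY_TO_JRE_LIB and SM4 stays unavailable. The following preflight check is an added example, not IBM's code: it flags a configmap name mismatch, a COPY_TO_JRE_LIB value that differs from the uploaded file name, is_env not set to true, and a JAR whose SHA-256 differs from the checksum you recorded when you downloaded it. The YAML strings, the JAR bytes and the checksum are constructed stand-ins, and the regex field extraction assumes the flat layout shown in the procedure.

```python
"""Preflight for the SM4 configmap steps above (added example, not IBM's code).
Checks that the ConfigMap name, the JAR name in COPY_TO_JRE_LIB and the JAR digest agree."""
import hashlib
import re

# Constructed sample inputs mirroring the snippets on this page; the CR fragment
# deliberately carries an env_vars_config / env_vars_configmap mismatch.
CONFIGMAP_YAML = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: env_vars_configmap
data:
  COPY_TO_JRE_LIB: bouncycastle.jar
"""
CR_FRAGMENT_YAML = """\
cpe_production_setting:
  custom_configmap:
  - name: env_vars_config
    is_env: true
"""
CR_FRAGMENT_FIXED = CR_FRAGMENT_YAML.replace("env_vars_config\n", "env_vars_configmap\n")

# Constructed stand-in for the downloaded JAR and for the checksum you recorded
# from the vendor's published digest (placeholder bytes, not a real JAR).
JAR_BYTES = b"PK\x03\x04 placeholder bouncycastle jar bytes"
JAR_SHA256 = hashlib.sha256(JAR_BYTES).hexdigest()

def _field(pattern, text):
    """Extract one value from the flat YAML subset above (not a YAML parser)."""
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1) if m else None

def preflight(configmap_yaml, cr_yaml, jar_name, jar_bytes, expected_sha256):
    """Return a list of findings; an empty list means the pieces are consistent."""
    findings = []
    cm_name = _field(r"^\s+name:\s*(\S+)", configmap_yaml)
    copy_target = _field(r"^\s+COPY_TO_JRE_LIB:\s*(\S+)", configmap_yaml)
    cr_name = _field(r"^\s+-\s*name:\s*(\S+)", cr_yaml)
    is_env = _field(r"^\s+is_env:\s*(\S+)", cr_yaml)
    if cr_name != cm_name:
        findings.append(f"CR references configmap {cr_name!r} but the ConfigMap is named {cm_name!r}")
    if copy_target != jar_name:
        findings.append(f"COPY_TO_JRE_LIB is {copy_target!r} but the uploaded file is {jar_name!r}")
    if is_env != "true":
        findings.append("is_env must be true for COPY_TO_JRE_LIB to reach the container environment")
    if hashlib.sha256(jar_bytes).hexdigest() != expected_sha256:
        findings.append("bouncycastle.jar digest does not match the recorded checksum; do not upload it")
    return findings
```

Run preflight() against the real files before the kubectl cp in step 4 and before applying the CR in step 6; any non-empty result means the restart in step 7 will not enable SM4.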

What to do next