The following describes how to set up database protection using the HMAC algorithm for integrity protection.

  1. Generate a private key and a certificate.

    openssl ecparam -genkey -name prime256v1 -noout -out key.pem
    openssl req -new -x509 -key key.pem -out certificate.pem -days 7300 -subj "/CN=Database Protection"
    CODE
  2. Put the private key and the certificate in a PKCS#12 file. OpenSSL will ask you for a password that will be used to encrypt the keystore. Make a note of this password, as you will need it later.

    openssl pkcs12 -export -inkey key.pem -in certificate.pem -out bag.p12 -name dbProtect
    CODE
  3. Print the base64 encoded PKCS#12 file.

    cat bag.p12 | base64 | tr -d '\012'
    CODE
  4. Put the following configuration in databaseprotection.properties.

    conf/databaseprotection.properties

    databaseprotection.keyid.1 = 234
    databaseprotection.keylabel.1 = dbProtect
    databaseprotection.classname.1 = org.cesecore.keys.token.SoftCryptoToken
    databaseprotection.data.1 = <the base64 encoded bag.p12 goes here>
    databaseprotection.tokenpin.1 = <the password for bag.p12>
    databaseprotection.version.1 = 1
    CODE