Creating a data page activity for a master key from a custom source


Encrypt system data with an encryption key that is sourced from a custom key management service (KMS) and accessed through a data page. To configure a keystore for a master key by using a data page reference, create the data page, and then use a data page activity to retrieve the master key from the external source.

  1. On the Definition tab of the data page that you are creating the activity for, next to the Activity name field, click the Add icon.

  2. Enter a label and identifier, and in the Apply to class field, accept the default value, Data-Admin-Security-Keystore.

  3. Click Create and open.

  4. In the Method field, enter Java.

  5. Click the Expand icon, and then in the Method Parameters section, in the Java Source field, enter a code snippet appropriate to your use case:

    Do not include both code snippets.
    • To retrieve a master key directly from an external key management service, enter a code snippet similar to this one:

                // Get the master key from the remote key management service.
                // Keep the key as raw bytes; do not convert it to a String.
                byte[] masterKey = null; // TODO: assign the 16-byte master key fetched from the KMS
                KeyStoreUtils keyUtil = pega.getKeyStoreUtils();
                CustomMasterKey customMasterKey = keyUtil.getMasterKeyObject();
                customMasterKey.setMasterKey(masterKey);
                keyUtil.loadMasterKeyForSystemDataEncryption(customMasterKey);

    • To encrypt and decrypt data keys through the REST APIs of an external key management service, enter a code snippet similar to this one:

                KeyStoreUtils keyUtil = pega.getKeyStoreUtils();
                CustomMasterKey customerMasterKey = keyUtil.getMasterKeyObject();

                // Enable remote encryption mode: the custom data key (CDK) is wrapped and unwrapped by the external KMS.
                customerMasterKey.setRemoteEncryptionMode(true);

                // isEncryptedCustomDataKey() returns true when the object holds an encrypted CDK (ECDK).
                if (customerMasterKey.isEncryptedCustomDataKey()) {
                    // Keep the key material as bytes; converting it to a String is lossy.
                    byte[] ecdk = customerMasterKey.getECDK();

                    byte[] cdk = null; // TODO: decrypt ecdk at the remote KMS and assign the plaintext data key to cdk
                    customerMasterKey.setCDK(cdk);
                    customerMasterKey.setECDK(null);
                    customerMasterKey.setCustomDataKeyType(false);
                } else {
                    // The object holds a plaintext CDK.
                    byte[] cdk = customerMasterKey.getCDK();
                    if (cdk != null) {
                        byte[] ecdk = null; // TODO: encrypt cdk at the remote KMS and assign the encrypted data key to ecdk
                        customerMasterKey.setECDK(ecdk);
                        customerMasterKey.setCDK(null);
                        customerMasterKey.setCustomDataKeyType(true);
                    }
                }
                keyUtil.loadMasterKeyForSystemDataEncryption(customerMasterKey);

  6. Click Save.
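As an added example (not from the Pega documentation), the following Java code fills in the TODOs of the second snippet: it wraps and unwraps the custom data key through a hypothetical `RemoteKms` client, validates what the KMS returns before handing the key object to `loadMasterKeyForSystemDataEncryption`, and never converts key bytes to a String. The `RemoteKms` interface, its `wrap`/`unwrap` methods and the `EXPECTED_CDK_LENGTH` constant are assumptions, not Pega APIs; it is written as a method for readability, and in the activity only the method body goes into the Java Source field.

```java
// Hypothetical client for the external KMS (assumption: not a Pega API).
// A real deployment would obtain an implementation from its KMS connector or SDK.
interface RemoteKms {
    byte[] wrap(byte[] plaintextKey);    // returns the encrypted data key (ECDK)
    byte[] unwrap(byte[] encryptedKey);  // returns the plaintext data key (CDK)
}

// Java step body: 'pega' is the activity's runtime object, as in the snippets above.
public void loadKeyViaRemoteKms(RemoteKms kms) {
    // Assumption: the data key length matches the 16-byte master key used in the first snippet.
    final int EXPECTED_CDK_LENGTH = 16;

    KeyStoreUtils keyUtil = pega.getKeyStoreUtils();
    CustomMasterKey key = keyUtil.getMasterKeyObject();
    key.setRemoteEncryptionMode(true);

    if (key.isEncryptedCustomDataKey()) {
        // Stored form is the wrapped key: unwrap it at the KMS and keep only the plaintext CDK in memory.
        byte[] cdk = kms.unwrap(key.getECDK());
        if (cdk == null || cdk.length != EXPECTED_CDK_LENGTH) {
            // Refuse to load a malformed key rather than encrypting system data with it.
            throw new IllegalStateException("KMS returned a data key of unexpected length");
        }
        key.setCDK(cdk);
        key.setECDK(null);
        key.setCustomDataKeyType(false);
    } else {
        // A plaintext CDK is present: wrap it so that only the ECDK is persisted.
        byte[] cdk = key.getCDK();
        if (cdk != null) {
            byte[] ecdk = kms.wrap(cdk);
            if (ecdk == null || ecdk.length == 0) {
                throw new IllegalStateException("KMS returned an empty wrapped key");
            }
            key.setECDK(ecdk);
            key.setCDK(null);
            key.setCustomDataKeyType(true);
        }
    }
    keyUtil.loadMasterKeyForSystemDataEncryption(key);
}
```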
