The CA Gateway deployment provides the jTinyUAL utility for securing sensitive information in plain text files.

If you secure a setting using jTinyUAL and specify a plaintext version of the same setting in another CA Gateway configuration file (such as application.yml), the jTinyUAL-protected setting takes precedence.

Checking entropy

The entropy required by the TinyUAL library of the jTinyUAL utility may exceed the available entropy on the CA Gateway system. If TinyUAL does not have sufficient entropy to encrypt settings, CA Gateway may experience significant delays during startup.

To check if your host system has enough entropy, run the following command.

head -c 8192 /dev/random | hexdump

If the command completes almost immediately, the server has enough entropy. However, if it takes several minutes, the server does not have enough entropy, and you must install a daemon.

Run the following commands on the host machine, not inside a container, because the Docker containers use the entropy provided by the host.

If your system has a random number generator, install the rngd daemon. For example, in CentOS:

sudo yum -y install rng-tools
sudo systemctl start rngd
sudo systemctl enable rngd

If your system does not have a random number generator, install the haveged daemon.

sudo yum -y install haveged
sudo systemctl start haveged
sudo systemctl enable haveged

Creating jTinyUAL files to protect settings

For each setting you want to protect, create a separate jTinyUAL file with the following contents.

decrypted=<VALUE>

Where <VALUE> is the plaintext value of the setting you want to encrypt. When it encrypts the file, jTinyUAL changes the decrypted key to encrypted and replaces the plaintext value with the encrypted value. For example:

#Sat Jun 29 16:34:47 EDT 2019
encrypted=<ENCRYPTED_VALUE>

Do not share jTinyUAL files between instances of CA Gateway. These files only work for one CA Gateway instance.

Creating a jTinyUAL properties file

The jTinyUAL properties file maps each CA Gateway setting you want to protect to the jTinyUAL file that contains the setting value. In this file, add <SETTING>=<FILE> pairs where:

  • <SETTING> is the CA Gateway setting in Java properties format.
  • <FILE> is the name of the file that contains the setting value.

For example:

cagw.authorities.managed_cas.example_ca_id.properties.admin_epf_password=example_ca_admin_epf_password.tual

After creating the jTinyUAL properties file:

  1. Save the file (for example, as tual.properties) in the same folder containing the jTinyUAL files.
  2. Add the file path to the tual.properties setting.
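The two steps above (one decrypted=<VALUE> file per setting, plus the properties file that maps settings to those files) as an added shell example; this is not part of the CA Gateway product or its documentation. It also adds a pre-startup check that every mapped file exists and no longer contains a plaintext decrypted= line, which is the state you want before the gateway reads the files. The directory, file names and setting values used in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not CA Gateway code. Helpers for preparing jTinyUAL files
# and the properties file, and for verifying them before startup.

# Write a jTinyUAL file ready for encryption: <dir>/<file> containing
# "decrypted=<value>". jTinyUAL later rewrites it to "encrypted=...".
write_tual_file() {
    dir="$1"; file="$2"; value="$3"
    printf 'decrypted=%s\n' "$value" > "$dir/$file"
}

# Append one <SETTING>=<FILE> mapping line to the jTinyUAL properties file.
map_setting() {
    props="$1"; setting="$2"; file="$3"
    printf '%s=%s\n' "$setting" "$file" >> "$props"
}

# Check a properties file: every mapped file must exist in the same folder
# and must already be encrypted. A leftover "decrypted=" line means the
# plaintext secret is still on disk. Returns 0 if all pass, 1 otherwise.
check_tual_files() {
    props="$1"; dir=$(dirname "$props"); rc=0
    while IFS='=' read -r setting file; do
        case "$setting" in ''|'#'*) continue ;; esac   # skip blanks/comments
        if [ ! -f "$dir/$file" ]; then
            echo "MISSING   $setting -> $file"; rc=1
        elif grep -q '^decrypted=' "$dir/$file"; then
            echo "PLAINTEXT $setting -> $file (not yet encrypted)"; rc=1
        else
            echo "OK        $setting -> $file"
        fi
    done < "$props"
    return $rc
}
```

Run check_tual_files on the properties file after jTinyUAL has encrypted every file; a non-zero exit means a mapping is broken or a plaintext value remains.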