JAMS encrypts password and private key information when it is stored in the database. The standard JAMS installation uses a predefined encryption key, which is adequate for many sites; because that key is not specific to your site, anyone who obtains a copy of the database together with a standard JAMS installation can decrypt the stored credentials. For additional protection you can generate a unique encryption key, but you must then ensure that it is properly backed up and secured: if the unique key is lost, the stored passwords and private keys cannot be recovered.
When you generate a unique encryption key, JAMS uses the AES algorithm to re-encrypt all password and private key information in the database with the new key. The generated key is then itself encrypted and stored using the Windows Data Protection API (DPAPI), bound to the user account under which the JAMS Server and Scheduler services run. A DPAPI-protected key can only be unprotected on that machine by that account, which is why the key must be exported before it can be moved to another server.
Use the following commands available in the JAMSDBA utility to manage encryption keys:
- GENERATE KEY - Generates a new 256-bit AES encryption key, decrypts every stored password and private key with the old key, and re-encrypts it with the new key. The new key is then stored using DPAPI.
- EXPORT KEY - Pulls the encryption key out of DPAPI and writes it, unencrypted, to a text file.
Caution: It is critical that you protect the exported file, since the key in it is not encrypted.
- IMPORT KEY - Similar to GENERATE KEY, except that the new key is read from a text file instead of being generated. When recovering from a backup or configuring the secondary server in a failover configuration, use the /NOENCRYPT qualifier to skip the decryption and re-encryption of the current data, because that data is already encrypted with the key you are importing.
Protecting a Standalone JAMS Server
To protect a standalone JAMS Server, follow the steps below:
- Log on to the server as a user with "Execute" access to JAMS configuration settings.
- Set your default directory to the JAMS Scheduler installation directory. The default is:
C:\Program Files\MVPSI\JAMS\Scheduler
- Execute JAMSDBA.EXE to open a JAMSDBA> prompt.
- Enter GENERATE KEY <Tenant Name> and press Return, e.g. GENERATE KEY DEFAULT.
- Enter EXPORT KEY YourFileName.txt <Tenant Name> and press Return.
- Enter EXIT and press Return.
- Move the exported text file to a safe location off this server; do not leave a copy in the Scheduler directory.
Restoring a Standalone JAMS Server
When you restore a backup of the JAMS database to a different server, the encrypted passwords cannot be decrypted there, because the encryption key is DPAPI-protected and bound to the original machine and service account. To restore the encryption key from your exported backup, follow these steps:
- Log on to the server as a user with "Execute" access to the JAMS configuration settings.
- Set the default directory to the JAMS Scheduler installation directory. The default is:
C:\Program Files\MVPSI\JAMS\Scheduler
- Copy the exported text file YourFileName.txt from your safe location to the current directory.
- Execute JAMSDBA.EXE to open a JAMSDBA> prompt.
- Enter IMPORT KEY /NOENCRYPT <Tenant Name> and press Return.
- Enter EXIT and press Return.
- Remove YourFileName.txt from the Scheduler directory once the import has succeeded; the imported key is now protected by DPAPI on this server.
Failover Environments
To protect the servers in a failover environment please follow the steps listed below:
- Make sure that your primary JAMS Server is in the running state.
- Log on to the primary server as a user with "Execute" access to the JAMS configuration settings.
- Set your default directory to the JAMS Scheduler installation directory. The default is:
C:\Program Files\MVPSI\JAMS\Scheduler
- Execute JAMSDBA.EXE to open a JAMSDBA> prompt.
- Enter GENERATE KEY <Tenant Name> and press Return.
- Enter EXPORT KEY YourFileName.txt <Tenant Name> and press Return.
- Enter EXIT and press Return.
- Move the exported text file to a safe location off the primary server; do not leave a copy in the Scheduler directory.
- Log on to the secondary server as a user with "Execute" access to the JAMS configuration settings.
- Set your default directory to the JAMS Scheduler installation directory. The default is:
C:\Program Files\MVPSI\JAMS\Scheduler
- Copy the exported text file YourFileName.txt from your safe location to the current directory.
- Execute JAMSDBA.EXE to open a JAMSDBA> prompt.
- Enter IMPORT KEY /NOENCRYPT <Tenant Name> and press Return.
- Enter EXIT and press Return.
- Remove YourFileName.txt from the Scheduler directory once the import has succeeded; the imported key is now protected by DPAPI on the secondary server.
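The standalone, restore and failover procedures above all leave an unencrypted key file in the Scheduler directory between EXPORT KEY and "move it to a safe location", and again between copying it back and IMPORT KEY. The following PowerShell is an added example (not part of the JAMS documentation or product) that closes that gap: it restricts the ACL on the plaintext export, seals it into a CMS envelope addressed to a recovery certificate, records a SHA-256 of the original bytes, and on the restore target or failover secondary unseals it byte-for-byte and verifies the hash before you type IMPORT KEY /NOENCRYPT. The certificate thumbprint, the \\backup\jams-keys share and the function names are assumptions for illustration; YourFileName.txt and the Scheduler directory are the ones from the procedures.

```powershell
# Added example, not JAMS or Fortra code. Seals the EXPORT KEY file so the
# plaintext key never leaves the JAMSDBA session unprotected, and unseals it
# byte-for-byte on the restore target or failover secondary before IMPORT KEY.
# Assumptions (all hypothetical, adjust for your site):
#   - a certificate with the Document Encryption EKU (1.3.6.1.4.1.311.80.1)
#     whose private key exists only on the server(s) allowed to restore; its
#     public half is also in Cert:\LocalMachine\My on the exporting server;
#   - YourFileName.txt and the Scheduler directory from the procedure above;
#   - \\backup\jams-keys as the "safe location".
# Protect-CmsMessage, Unprotect-CmsMessage and Get-CmsMessage are built-in
# PowerShell 5.1+ cmdlets (CMS/PKCS#7 enveloped data).

$SchedulerDir           = 'C:\Program Files\MVPSI\JAMS\Scheduler'
$KeyFile                = Join-Path $SchedulerDir 'YourFileName.txt'
$SafeStore              = '\\backup\jams-keys'                           # hypothetical
$RecoveryCertThumbprint = 'REPLACE_WITH_RECOVERY_CERT_THUMBPRINT'         # hypothetical

function Get-Sha256Hex {
    param([byte[]]$Bytes)
    $hash = [Security.Cryptography.SHA256]::Create().ComputeHash($Bytes)
    return ([BitConverter]::ToString($hash) -replace '-', '')
}

function Set-KeyFileAcl {
    # Only SYSTEM and local Administrators may touch the plaintext key file;
    # inherited ACEs are dropped so the directory's ACL cannot widen access.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Protect-ExportedJamsKey {
    # Run on the server where you typed GENERATE KEY / EXPORT KEY, right after EXIT.
    param([string]$Path = $KeyFile, [string]$Destination = $SafeStore)
    if (-not (Test-Path -Path $Path)) { throw "Export file not found: $Path" }
    Set-KeyFileAcl -Path $Path

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $RecoveryCertThumbprint }
    if (-not $cert) { throw "Recovery certificate $RecoveryCertThumbprint not installed" }

    # Base64 the raw bytes so the CMS round trip cannot alter encoding or line
    # endings; keep a SHA-256 of the original bytes for the restore-side check.
    $bytes = [IO.File]::ReadAllBytes($Path)
    $stem  = Join-Path $Destination ('jams-key-{0}-{1:yyyyMMdd-HHmmss}' -f $env:COMPUTERNAME, (Get-Date))
    Protect-CmsMessage -To $cert -Content ([Convert]::ToBase64String($bytes)) -OutFile "$stem.cms"
    Set-Content -Path "$stem.sha256" -Value (Get-Sha256Hex -Bytes $bytes) -Encoding ASCII

    # Confirm a well-formed envelope was written before deleting the plaintext.
    $null = Get-CmsMessage -Path "$stem.cms"
    Remove-Item -Path $Path -Force
    return "$stem.cms"
}

function Restore-ExportedJamsKey {
    # Run on the restore target or failover secondary (which holds the private
    # key) from the Scheduler directory, just before IMPORT KEY /NOENCRYPT.
    param([Parameter(Mandatory)][string]$CmsFile, [string]$Path = $KeyFile)
    $bytes    = [Convert]::FromBase64String((Unprotect-CmsMessage -Path $CmsFile).Trim())
    $expected = (Get-Content -Path ($CmsFile -replace '\.cms$', '.sha256') -Raw).Trim()
    $actual   = Get-Sha256Hex -Bytes $bytes
    if ($actual -ne $expected) { throw "Key file hash mismatch: expected $expected, got $actual" }

    [IO.File]::WriteAllBytes($Path, $bytes)
    Set-KeyFileAcl -Path $Path
    return $Path
}

# Exporting side:  Protect-ExportedJamsKey
# Restoring side:  Restore-ExportedJamsKey -CmsFile '\\backup\jams-keys\jams-key-PRIMARY-20240101-120000.cms'
#                  then in JAMSDBA: IMPORT KEY /NOENCRYPT <Tenant Name>, EXIT,
#                  and finally Remove-Item $KeyFile
```

Two caveats worth knowing before relying on this. Remove-Item only unlinks the plaintext export; on a volume with shadow copies or file-level backups the bytes may still be recoverable, so treat the Scheduler directory as sensitive for the lifetime of that key. And the hash check guards against a corrupted or mis-decoded envelope, not against a wrong key: if you import the wrong tenant's key with /NOENCRYPT, JAMSDBA will accept it and the stored credentials will simply fail to decrypt, so keep the server and tenant name in the envelope file name as the script does.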
See Also
Working with User Credential Definitions