...

Rice 2.x no longer uses the Rice config parameter "rice.additionalSpringFiles" to list override Spring files. Instead, each module requires a parameter rice.[module].additionalSpringFiles that lists the override files for that particular module. The encryption service is part of the "kr" module, so we added the following line to the Rice and KFS configuration files: <param name="rice.kr.additionalSpringFiles">classpath:edu/uconn/kuali/rice/config/UConnKrOverrideSpringBeans.xml</param>

 

Encryption Service

Encryption is located in 2 places: inside the KFS application and inside the Oracle schemas. For the system to function properly, the key in Oracle should match the key in the application, and the encrypted data must be encrypted with that key.

 

Application Server

AES Encryption Service

security key

 

Database Encrypted fields

  • org.kuali.kfs.pdp.businessobject.AchAccountNumber=achBankAccountNbr
  • org.kuali.kfs.pdp.businessobject.PayeeACHAccount=bankAccountNumber
  • org.kuali.kfs.sys.businessobject.Bank=bankAccountNumber
  • edu.uconn.kuali.kfs.cr.businessobject.CheckReconciliation=bankAccountNumber
  • org.kuali.kfs.module.ar.businessobject.Customer=customerTaxNbr
  • org.kuali.kfs.fp.businessobject.DisbursementVoucherWireTransfer=disbVchrPayeeAccountNumber
  • uconn.edu.kuali.kfs.tax.businessobject.Payee=headerTaxNumber
  • edu.uconn.kuali.kfs.fp.businessobject.ProcurementCardHolder=transactionCreditCardNumber
  • edu.uconn.kuali.kfs.fp.businessobject.ProcurementCardHolderDetail=creditCardNumber
  • org.kuali.kfs.fp.businessobject.ProcurementCardTransaction=transactionCreditCardNumber
  • org.kuali.kfs.vnd.businessobject.VendorHeader=vendorTaxNumber
  • org.kuali.kfs.vnd.businessobject.VendorTaxChange=vendorPreviousTaxNumber

Additionally, the krew_doc_hdt_t table contains a column doc_hdr_cntnt that is a CLOB data type containing an encrypted XML string. Likewise, the krns_maint_doc_t table has a column doc_cntnt that is a CLOB data type containing an encrypted XML string with the full maintenance document content. These 2 columns are not re-encrypted by the cleanse program because of the number of rows and the size of the columns. Hence, after a refresh from production, they contain data that is still encrypted with the production key.
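The key-mismatch condition described above, as an added example that is not part of the original page or the KFS/Rice code base: a value re-encrypted by the cleanse decrypts with the non-production key, while a document CLOB left as refreshed does not. The class and method names are hypothetical, both keys are constructed in the example, and AES-GCM with a Base64(iv || ciphertext) layout is an assumption, since the page does not state the cipher mode or storage format.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class KeyMatchCheck {
    private static final int IV_LEN = 12, TAG_BITS = 128;

    // Encrypts to Base64(iv || ciphertext+tag). This layout is an assumption of the example.
    static String encrypt(SecretKey key, String plain) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Returns true only if the stored value authenticates under the given key.
    static boolean decryptsWith(SecretKey key, String stored) throws Exception {
        byte[] raw = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, raw, 0, IV_LEN));
        try {
            c.doFinal(raw, IV_LEN, raw.length - IV_LEN);
            return true;
        } catch (AEADBadTagException e) {
            return false; // value was encrypted under a different key
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey prodKey = kg.generateKey(); // constructed stand-in for the production key
        SecretKey devKey = kg.generateKey();  // constructed stand-in for a non-production key
        String cleansedField = encrypt(devKey, "000123456");            // re-encrypted by the cleanse
        String docContent = encrypt(prodKey, "<maintainableObject/>");  // CLOB left as refreshed
        System.out.println("cleansed field readable with env key: " + decryptsWith(devKey, cleansedField));
        System.out.println("document CLOB readable with env key:  " + decryptsWith(devKey, docContent));
    }
}
```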

Database 

Each KFS schema has the EncryptionService included. Encryption on the database is used for only 2 reasons: the data mart and the cleanse process. The data mart only uses the production schemas. The cleanse process is only used in non-production schemas. The encryption service in Oracle is referenced through a function, decrypt_string(). The encrypted field is passed to the decrypt_string function.

EncryptionService
Java objects

Apache Commons

Loading Java objects

...