Versions Compared

Old Version 6

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Richard Ritchie

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Rice 2.x no longer uses the rice config parameter "rice.additionalSpringFiles"  to list override spring files instead each module requires a parameter rice.[module].additionalSpringFiles that lists the override files for that particular module. The encryption service is part of the "kr" module as such we added the following line <param name="rice.kr.additionalSpringFiles">classpath:edu/uconn/kuali/rice/config/UConnKrOverrideSpringBeans.xml</param> to the Rice and KFS configuration files.

...

The class edu.uconn.kuali.rice.core.service.impl.AesEncryptionServiceImpl handles the encryption inside the KFS application. The service is referenced solely by the OJB configuratiion. Each encrypted field contains a conversion property in the OJB configuration of the business object that contains the field. The conversion property must be set to orgto org.kuali.rice.core.framework.persistence.ojb.conversion.OjbKualiEncryptDecryptFieldConversion. This class uses the encryption service to encrypt or decrypt data when being read or stored.

...

The AesEncryptionServiceImpl class uses the Java encryption library to implement the AES encryption algorithm with cipher block chaining and a static initialization vector.

security key

Each server stores the encryption key in a secure location within the security.properties file. This key must match the key used to encrypt the data in order for KFS to function properly.

Encrypted fields
  • org

    edu.uconn.kuali.kfs.cr.businessobject.CheckReconciliation=bankAccountNumber

  • edu.uconn.kuali.kfs.pdpfp.businessobject.AchAccountNumberProcurementCardHolder=achBankAccountNbrtransactionCreditCardNumberorg
  • edu.uconn.kuali.kfs.pdpfp.businessobject.PayeeACHAccountProcurementCardHolderDetail=bankAccountNumbercreditCardNumberorg
  • edu.uconn.kuali.kfs.syspmw.businessobject.BankPaymentworksVendor=bankAccountNumberrequestingCompanyTin
  • edu.uconn.edu.kuali.kfs.cr.tax.businessobject.Payee=headerTaxNumber

  • org.kuali.kfs.fp.businessobject.

    CheckReconciliation

    ProcurementCardTransaction=

    bankAccountNumber

    transactionCreditCardNumber

  • org.kuali.kfs.module.ar.businessobject.Customer=customerTaxNbr
  • org.kuali.kfs.fppdp.businessobject.DisbursementVoucherWireTransferPayeeACHAccount=disbVchrPayeeAccountNumberbankAccountNumber
  • uconn.edu

    org.kuali.kfs.

    tax

    pdp.businessobject.

    Payee

    AchAccountNumber=

    headerTaxNumber

    achBankAccountNbr

  • eduorg.uconn.kuali.kfs.fpsys.businessobject.ProcurementCardHolderBank=transactionCreditCardNumberbankAccountNumberedu.uconn
  • org.kuali.kfs.fp.businessobject.ProcurementCardHolderDetailDisbursementVoucherWireTransfer=creditCardNumberdisbVchrPayeeAccountNumber
  • org.kuali.kfs.fpvnd.businessobject.ProcurementCardTransactionVendorHeader=transactionCreditCardNumbervendorTaxNumber
  • org.kuali.kfs.vnd.businessobject.VendorHeader=vendorTaxNumbervendorForeignTaxId
  • org.kuali.kfs.vnd.businessobject.VendorTaxChange=vendorPreviousTaxNumber

...

Each KFS schema has the EncryptionService included. Encryption on the database is used only for 2 reasons - the data mart and the cleanse process. The data mart only uses the production schemas. The cleanse process is only used in non-production schemas. The encryption service in oracle is referenced through a function, decrypt_string(). The encrypted field is passed to the decrypt_string function.

EncryptionService

The EncryptionService class is a java class stored inside of Oracle. Oracle refers to this as a Java object. The type is class. This class is a copy of the AesEncryptionServiceImpl class, slightly modified in order to minimalize the dependencies and remove any dependencies not available from the Oracle version of Java.

Calling the EncryptionService
Java objects

apache commons 

loading java objects

to verify java objects are valid 

 

encrypted fieldsThe EncryptionService class is referenced by calling a function, decrypt_string and passing the column that needs to be decrypted. For example,

select bnk_cd, decrypt_string(bnk_acct_nbr) from fp_bank_t;

Java objects

The EncyrptionService class requires one important dependency not available from the Oracle Java libraries. This is the Base64 class from the Apache commons codec library. Therefore this class must be loaded into the Oracle schema in order for the EncryptionService to function. 

Commons Codec library 

The commons codec library must be loaded into Oracle. Since this library exists on the application servers, it is best to use the Oracle client loadjava tool from the application server. 

loadjava -user <connection_string> -r -v /usr/share/tomcat7/webapps/kfs-dev/WEB-INF/lib/commons-codec-1.6.jar

To drop an existing EncryptionService object

echo "drop java source EncryptionService;" | sqlplus <connection_string> 

To load the Encryption class

loadjava -user <connection_string>  -r -v EncryptionService.java

To verify java objects are valid 

Expand the Java icon in SQLDeveloper. Click on a java object and check the status. If the status is valid, it means the object is loaded and compiled and ok to be used. If it is invalid it means that the object was imported from another external source and not available to be referenced.