Versions Compared

...

Rice 2.x no longer uses the Rice config parameter "rice.additionalSpringFiles" to list override Spring files. Instead, each module requires a parameter rice.[module].additionalSpringFiles that lists the override files for that particular module. The encryption service is part of the "kr" module, so we added the following line to the Rice and KFS configuration files: <param name="rice.kr.additionalSpringFiles">classpath:edu/uconn/kuali/rice/config/UConnKrOverrideSpringBeans.xml</param>

...

The class edu.uconn.kuali.rice.core.service.impl.AesEncryptionServiceImpl handles the encryption inside the KFS application. The service is referenced solely by the OJB configuration. Each encrypted field has a conversion property in the OJB configuration of the business object that contains the field. The conversion property must be set to org.kuali.rice.core.framework.persistence.ojb.conversion.OjbKualiEncryptDecryptFieldConversion. This class uses the encryption service to decrypt data when it is read and to encrypt it when it is stored.

...

The AesEncryptionServiceImpl class uses the Java encryption library to implement the AES encryption algorithm with cipher block chaining and a static initialization vector.
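An added example, not the AesEncryptionServiceImpl source: with AES in CBC mode and a fixed IV, the same plaintext under the same key always produces the same stored value, so equal account numbers show up as equal ciphertexts in the database, while a per-value random IV stored with the ciphertext does not. The key, the all-zero IV, PKCS5 padding, the class and method names, and the use of java.util.Base64 in place of Commons Codec are assumptions made for this demo.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

public class StaticIvDemo {
    // Constructed demo key (16 bytes = AES-128); the real key lives in security.properties.
    static final byte[] KEY = "0123456789abcdef".getBytes(StandardCharsets.UTF_8);
    // Assumed fixed IV for the demo; the page does not show the service's actual IV.
    static final byte[] STATIC_IV = new byte[16];

    static byte[] cbc(int mode, byte[] iv, byte[] input) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(mode, new SecretKeySpec(KEY, "AES"), new IvParameterSpec(iv));
        return cipher.doFinal(input);
    }

    // Static-IV form: the stored column value is Base64(ciphertext) only.
    static String encryptStatic(String plain) throws Exception {
        return Base64.getEncoder().encodeToString(
                cbc(Cipher.ENCRYPT_MODE, STATIC_IV, plain.getBytes(StandardCharsets.UTF_8)));
    }

    // Random-IV form for comparison: a fresh IV per value, stored in front of the ciphertext.
    static String encryptRandom(String plain) throws Exception {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        byte[] ct = cbc(Cipher.ENCRYPT_MODE, iv, plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    static String decryptStatic(String stored) throws Exception {
        byte[] plain = cbc(Cipher.DECRYPT_MODE, STATIC_IV, Base64.getDecoder().decode(stored));
        return new String(plain, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String acct = "000123456789"; // constructed sample bankAccountNumber
        String a = encryptStatic(acct), b = encryptStatic(acct);
        System.out.println("static IV : " + a + " / " + b + " equal=" + a.equals(b));
        String c = encryptRandom(acct), d = encryptRandom(acct);
        System.out.println("random IV : equal=" + c.equals(d));
        System.out.println("round trip: " + decryptStatic(a).equals(acct));
    }
}
```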

Security key

Each server stores the encryption key in a secure location within the security.properties file. This key must match the key used to encrypt the data in order for KFS to function properly.

Encrypted fields

...

  • edu.uconn.kuali.kfs.cr.businessobject.CheckReconciliation=bankAccountNumber

  • edu.uconn.kuali.kfs.pdpfp.businessobject.AchAccountNumberProcurementCardHolder=achBankAccountNbrtransactionCreditCardNumberorg
  • edu.uconn.kuali.kfs.pdpfp.businessobject.PayeeACHAccountProcurementCardHolderDetail=bankAccountNumbercreditCardNumberorg
  • edu.uconn.kuali.kfs.syspmw.businessobject.BankPaymentworksVendor=bankAccountNumberrequestingCompanyTin
  • edu.uconn.edu.kuali.kfs.tax.businessobject.Payee=headerTaxNumber
  • org.kuali.kfs.

    cr

    fp.businessobject.

    CheckReconciliation

    ProcurementCardTransaction=

    bankAccountNumber

    transactionCreditCardNumber

  • org.kuali.kfs.module.ar.businessobject.Customer=customerTaxNbr
  • org.kuali.kfs.fppdp.businessobject.DisbursementVoucherWireTransferPayeeACHAccount=disbVchrPayeeAccountNumberbankAccountNumber
  • uconn.edu

    org.kuali.kfs.

    tax

    pdp.businessobject.

    Payee

    AchAccountNumber=

    headerTaxNumber

    achBankAccountNbr

  • eduorg.uconn.kuali.kfs.fpsys.businessobject.ProcurementCardHolderBank=transactionCreditCardNumberbankAccountNumberedu.uconn
  • org.kuali.kfs.fp.businessobject.ProcurementCardHolderDetailDisbursementVoucherWireTransfer=creditCardNumberdisbVchrPayeeAccountNumber
  • org.kuali.kfs.fpvnd.businessobject.ProcurementCardTransactionVendorHeader=transactionCreditCardNumbervendorTaxNumber
  • org.kuali.kfs.vnd.businessobject.VendorHeader=vendorTaxNumbervendorForeignTaxId
  • org.kuali.kfs.vnd.businessobject.VendorTaxChange=vendorPreviousTaxNumber

...

The EncryptionService class requires one important dependency that is not available from the Oracle Java libraries: the Base64 class from the Apache Commons Codec library. This class must therefore be loaded into the Oracle schema in order for the EncryptionService to function.

Commons Codec library

The commons codec library must be loaded into Oracle. Since this library exists on the application servers, it is best to use the Oracle client loadjava tool from the application server. 

loadjava -user <connection_string> -r -v /usr/share/tomcat7/webapps/kfs-dev/WEB-INF/lib/commons-codec-1.6.jar

To drop an existing EncryptionService object

echo "drop java source EncryptionService;" | sqlplus <connection_string> 

To load the Encryption class

loadjava -user <connection_string> -r -v EncryptionService.java

To verify Java objects are valid

Expand the Java icon in SQL Developer. Click on a Java object and check its status. If the status is valid, the object is loaded and compiled and is OK to use. If it is invalid, it means that the object was imported from another external source and is not available to be referenced.