Overview
In order to implement AES 256-bit encryption it was necessary to override the existing encryption service. To accomplish this we re-pointed the "encryptionService" Spring bean to the new encryption service, edu.uconn.kuali.rice.core.service.impl.AesEncryptionServiceImpl.
Wiring it All Together
Rice 2.x no longer uses the Rice config parameter "rice.additionalSpringFiles" to list override Spring files. Instead, each module requires a parameter rice.[module].additionalSpringFiles that lists the override files for that particular module. The encryption service is part of the "kr" module, so we added the following line to the Rice and KFS configuration files: <param name="rice.kr.additionalSpringFiles">classpath:edu/uconn/kuali/rice/config/UConnKrOverrideSpringBeans.xml</param>
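The override file named in that parameter is where the bean swap actually happens. The following is an added illustration of what such an override Spring file looks like; it is not the page's UConnKrOverrideSpringBeans.xml. The bean id "encryptionService" and the AES class name come from the page; the property name "secretKey" and the config key "encryption.key" are assumptions modelled on the stock Rice encryption bean definition, and should be checked against the actual AesEncryptionServiceImpl.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of an override Spring file (not the page's own file).
     The property name "secretKey" and the config key "encryption.key" are
     assumptions modelled on Rice's stock encryption bean definition. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- Same bean id as the stock Rice definition: because this file is
         loaded after the module's own Spring files (via
         rice.kr.additionalSpringFiles), this definition replaces the
         original encryptionService bean rather than adding a second one. -->
    <bean id="encryptionService"
          class="edu.uconn.kuali.rice.core.service.impl.AesEncryptionServiceImpl">
        <!-- The key is read from the Rice configuration at startup, so it
             never appears in the Spring file or in source control. -->
        <property name="secretKey" value="${encryption.key}"/>
    </bean>

</beans>
```

Because the override works by bean-id collision, a quick way to confirm it took effect is to check at startup which class the "encryptionService" bean resolves to; if the stock Rice class is still reported, the file is not being picked up by the rice.kr.additionalSpringFiles parameter.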
Encryption Service
Encryption is located in 2 places - inside the KFS application and inside the oracle schemas. For the system to properly function, the key in oracle should match the key in the application, and the encrypted data must be encrypted with that key.
Application Server
AES Encryption Service
security key
Encrypted fields
- org.kuali.kfs.pdp.businessobject.AchAccountNumber=achBankAccountNbr
- org.kuali.kfs.pdp.businessobject.PayeeACHAccount=bankAccountNumber
- org.kuali.kfs.sys.businessobject.Bank=bankAccountNumber
- edu.uconn.kuali.kfs.cr.businessobject.CheckReconciliation=bankAccountNumber
- org.kuali.kfs.module.ar.businessobject.Customer=customerTaxNbr
- org.kuali.kfs.fp.businessobject.DisbursementVoucherWireTransfer=disbVchrPayeeAccountNumber
- uconn.edu.kuali.kfs.tax.businessobject.Payee=headerTaxNumber
- edu.uconn.kuali.kfs.fp.businessobject.ProcurementCardHolder=transactionCreditCardNumber
- edu.uconn.kuali.kfs.fp.businessobject.ProcurementCardHolderDetail=creditCardNumber
- org.kuali.kfs.fp.businessobject.ProcurementCardTransaction=transactionCreditCardNumber
- org.kuali.kfs.vnd.businessobject.VendorHeader=vendorTaxNumber
- org.kuali.kfs.vnd.businessobject.VendorTaxChange=vendorPreviousTaxNumber
Additionally, the krew_doc_hdt_t table contains a column doc_hdr_cntnt that is a CLOB data type containing an encrypted XML string. Likewise, the krns_maint_doc_t table has a column doc_cntnt that is a CLOB data type containing an encrypted XML string holding the full maintenance document content. These 2 columns are not re-encrypted by the cleanse program because of the number of rows and the size of the columns. Hence, after a refresh from production they contain data that is still encrypted with the production key.
Database
Each KFS schema has the EncryptionService included. Encryption on the database is used for only 2 reasons: the data mart and the cleanse process. The data mart uses only the production schemas; the cleanse process is used only in non-production schemas. The encryption service in Oracle is referenced through a function, decrypt_string(), to which the encrypted field is passed.
EncryptionService
Java objects
apache commons
loading java objects
to verify java objects are valid
encrypted fields