Skip to main content


         This documentation site is for previous versions. Visit our new documentation site for current releases.      
 

Creating a data page activity for a master key from a custom source

Updated on March 15, 2022

Encrypt system data using an encryption key that is sourced from a Custom Key management service (KMS) that is accessed from a data page. To configure a keystore for a master key by using a data page reference, create the data page, and then use the data page to retrieve a master key from an external source.

  1. On the Definition tab of the data page that you are creating the activity for, next to the Activity name field, click the Add icon.
  2. Enter a label and identifier, and accept the default properties in the Apply to class and Data-Admin-Security-Keystore.
  3. Click Create and open.
  4. In the Method field, enter Java.
  5. Click the Expand icon, and then in the Method Parameters section, in the Java Source field, enter a code snippet appropriate to your use case:
    Caution: Do not include both code snippets.
    • To retrieve a master key directly from an external key management service, enter a code snippet similar to this one:
      
          // Get master key from remote location
          byte[] masterKey = null; // TODO: assign 16 byte master key
          KeyStoreUtils keyUtil = pega.getKeyStoreUtils();
          CustomMasterKey customMasterKey = keyUtil.getMasterKeyObject();
          customMasterKey.setMasterKey(masterKey);
          keyUtil.loadMasterKeyForSystemDataEncryption(customMasterKey);
    • To retrieve REST APIs that encrypt and decrypt data keys from an external key management service, enter a code snippet similar to this one:
      
          KeyStoreUtils keyUtil = pega.getKeyStoreUtils();
          CustomMasterKey customerMasterKey = keyUtil.getMasterKeyObject();

          //Enable remote encryption mode 
          customerMasterKey.setRemoteEncryptionMode(true);

          //If CustomMasterKey object contains Encrypted CDK, then isEncryptedCustomDataKey() method returns true
          if(customerMasterKey.isEncryptedCustomDataKey()){
              String ecdk =new String(customerMasterKey.getECDK());
              //oLog.infoForced("decrypting ECDK: ");

              byte[] cdk = null;// TODO: decrypt the above ecdk at remote KMS and assign it to the cdk variable
              customerMasterKey.setCDK(cdk);
              customerMasterKey.setECDK(null);
              customerMasterKey.setCustomDataKeyType(false);
           }else{
              //CustomMasterKey object contains plaintext CDK
              byte[] cdk =  customerMasterKey.getCDK();
              if(cdk!= null){
                  String str = new String(cdk);
                  //oLog.infoForced("encrypting CDK :");
   
                  byte[] ecdk = null;//TODO: encrypt the above cdk at remote KMS and assign it to the ecdk variable
                  customerMasterKey.setECDK(ecdk);
                  customerMasterKey.setCDK(null);
                  customerMasterKey.setCustomDataKeyType(true);
              }
            }
            keyUtil.loadMasterKeyForSystemDataEncryption(customerMasterKey);
  6. Click Save.

Related articles

Configuring a keystore for a master key from a custom sourceCreating a data page for a master key from a custom source

Tags

Pega Platform 8.7 Security

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Visit the Support Center

Did you find this content helpful?

Yes
No

Want to help us improve this content?
Suggest an edit

We'd prefer it if you saw us at our best.

Pega.com is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us