Please Note:

User Guide
Quick Start
- Deploy CADP for Java using Maven Distribution
- Deploy CADP for Java using installer
Tasks
- Generate random IV
- Encrypt Data
- Decrypt Data
- Encrypt String and Write to File
- Encrypt File
- Tokenize/Detokenize Date
- Sign and Sign Verify
  - Generate Digital Signature with RSA Private Key using message/text
  - Verify Digital Signature with RSA Public Key using message/text
  - Generating Digital Signature with RSA Private Key using pre-calculated hash
  - Verify Digital Signature with RSA Public Key using Pre-calculated Hash
- MAC Operations
  - Bulk Operations in HMAC
  - Generate MAC
  - Verify MAC
- Key Operations
  - Create global key
  - Create key with random name
  - Create key owned by the NAE user
  - Create EC key owned by NAE user
  - Create Symmetric Key Using HKDF Algorithm
  - Create Key and Assign Permissions
  - Create Key and Assign Custom Attributes
  - Modify Group Permissions for an Existing Key
  - Get Group Permissions on an Existing Key
  - Generate Global RSA Public-Private Key Pair
  - Generate Global EC Public-Private Key Pair
  - Generate KMIP Public-Private Key Pair
  - Export Global Key
  - Export Non-Global Key
  - Import Global Key
  - Delete Global Key
  - Get Size of Global Key
  - Return List of Global Keys on NAE Server
  - Return List of Available Keys on NAE Server
  - Access Non-Global Key
  - Wrap Key
  - Get Key Names
  - Create Versioned Key
  - Create New Version of Key
  - Alter State of a Key Version
  - Encryption, Decryption, and MAC Operations Using Versioned Key
  - Encrypt and Decrypt using All Key Versions
  - Export Versioned Key
- User and Group Management Tasks
  - Create User
  - Delete User
  - Create User with Custom Attributes
  - Update Custom Attribute User
  - Retrieve Custom Attribute
  - Delete Custom Attribute
  - Change User Password
  - Change Key Owner
  - List Group Membership of a Specific User
  - List All Users in All Groups
  - List All Users in Single Group
  - Create Group
  - Delete Group
  - Add Users to Group
  - List All Users in Specific Group
  - Get All Information About Group
- Certificate Management Tasks
  - Import Certificate to Key Manager
  - Export Certificate and Private Key From Key Manager
  - Export Certificate From Key Manager
  - Export CA Certificate From Key Manager
  - Delete Certificate From Key Manager
- Session Management Tasks
  - Create Global Session
  - Create Global Session Using SSL with Client Certificates
  - Create Authenticated Session using NAE Credentials
  - Create an Authenticated Session using Domain User
  - Create session with Obfuscated Credentials
  - Create Authenticated Session using SSL with Client Certificates
  - Create Authenticated Session using SessionLevelConfig
  - Create Authenticated Session with Access to Persistent Key Cache
- Add Multiple Key Managers
- Refresh Cached Keys
- KMIP Tasks
  - KMIP Session
    - Create Authenticated KMIP Session with Client Certificate
    - Create Authenticated KMIP Session with User Credentials
    - Create Authenticated KMIP Session with User Credentials and Client Certificate
  - Wrap Key
  - Verify Key
  - KMIP Encrypt and Decrypt
    - KMIP Encrypt
    - KMIP Decrypt
  - KMIP Encrypt and Decrypt Sample
- Obfuscate Credentials
- Logging Related Tasks
  - Time-based Log Rotation
  - Size-based Log Rotation
  - Time and Size -based Log Rotation
  - Include GMT Timestamp Offset
  - Log_MaxBackupIndex
  - Reloading Log Configuration
  - Targeted Logging
  - Configuring Multiple Logging Outputs
  - Implement External Logger Object
- Obfuscate SSL Client Private Key Passphrase
- Chain Operations
  - Create Chained Operations
  - Return Intermediate Result in a Chain of Operations
- SSL Configuration
  - Configure SSL on CipherTrust Manager for NAE Interface
  - Configure SSL on CipherTrust Manager for KMIP Interface
- Tokenization Related Tasks
  - Initialize and close Token Service Vaultless instance
  - Create token for the plaintext
  - Return plaintext for token
  - Tokenize and detokenize Unicode blocks
    - Tokenize and detokenize Unicode blocks using AlgoSpec
    - Tokenize and detokenize Unicode blocks using Unicode.properties file
  - Tokenize and detokenize large data set
  - Java API Sample
  - REST APIs
    - Deploy Vaultless Tokenization on HTTPS Server
    - Return plaintext for token
    - Create token for the plaintext
Advanced Topics
- Configuration Parameters
  - Network Configuration Parameters
  - Connection Configuration Parameters
  - Local Encryption Parameters
  - SSL Configuration Parameters
  - Logging Parameters
  - Miscellaneous Parameters
- Connect to Server
- Connection Pooling
- Load Balancing
- Multi-Tier Load Balancing
- Format Preserving Encryption
  - FPE/AES
  - FPE/FF1
  - FPE/FF1v2
  - FPE/FF3
  - FPE/FF3-1
  - FPE Formats
  - FPE/AES/Unicode Cardinality Block-Size Table
- CADP for Java Utilities
  - CryptoDataUtility
  - GetJCEDetails Utility
- Supported Algorithms
  - Encryption and Decryption with Symmetric Keys
  - Encryption and Decryption with Asymmetric Keys
  - Message Authentication Codes
  - Digital Signatures
  - Supported Cryptographic Algorithms
- KMIP Fundamentals
  - KMIP Managed Objects
  - KMIP Attribute
  - KMIP Managed Operations
  - KMIP Multiple Operation Batching
  - KMIP Support for NAECertificates
  - Certify and Recertify
  - KMIP States and Dates
- Key Caching
  - Symmetric/Asymmetric Key Caching
  - Persistent Key Caching
- Logging
- Tokenization Concepts
  - AlgoSpec
  - TokenSpec
  - Bulk Migration Parameters
- Advisory Notes and Best Practices
Troubleshooting

CADP for Java
User Guide
Tasks
SSL Configuration
Configure SSL on CipherTrust Manager for KMIP Interface

Configure SSL on CipherTrust Manager for KMIP Interface

This section describes how to set up an SSL connection between CADP for JAVA client and CipherTrust Manager over KMIP protocol. Before you configure an SSL connection, you must register the CADP for Java client on the CipherTrust Manager.

Prerequisites

Create Local CA on CipherTrust Manager
Create a Server Certificate on CipherTrust Manager
Add the Local CA Certificate to Keystore

Auto Register Existing CADP for Java Client

Registering the existing clients involve the following steps. You can either use an existing KMIP interface or configure a new KMIP interface:

Generating registration token
Editing existing KMIP interface
Configuring new KMIP interface

Generate registration token

Log on to the CipherTrust Manager GUI as an administrator.
Click to expand Access Management and then click Registration Tokens. The Registration Tokens page is displayed.
Click New Registration Token.
On the Create New Registration Token screen, perform the following steps:
a. Click Begin.
b. Select or enter details as required and click Next.
c. Select the Local CA from the available options and click Create Token.
d. Copy the token and click Done.
The newly generated token is listed under Token heading.

Edit existing KMIP interface

Log on to the CipherTrust Manager GUI as an administrator.
Expand Admin Settings and click Interfaces.
On the Interface Configurations page, click the ellipsis icon corresponding to the interface for which you want to auto register the KMIP client and then click Edit.
On the <Configure Interface> screen:
a. Select the Auto Registration check box.
b. In the Registration Token text box, enter the token generated in the preceding step.
c. Click Update.
Note
Restart the application (Admin Settings >>System >> Services >> Restart) after interface is modified.

Configure new KMIP interface

Log on to the CipherTrust Manager GUI as an administrator.
Expand Admin Settings click Interfaces.
On the Interface Configurations page, click Add Interface.
On the Configure Interface tab, select Interface Type as KMIP and click Next.
On the Network Form tab, enter/select the following details:
a. Select interface type as KMIP.
b. Select Auto Registration option and in the Registration Token text box enter the token generated in preceding step.
c. Select Enable hard delete option if you want to delete the key meta-data and key material from CipherTrust Manager.
d. Select Network Interface.
e. Enter Port.
f. Select Mode. You must select the Username Location in Certificate option if following modes are selected:
- TLS, verify client cert, user name taken from client cert, auth request is optional
- TLS, verify client cert, password is needed, user name in cert must match user name in authentication request
g. Click Next.
On the Add Certificates tab, enter/select the following details:
a. In the Local CA for Automatic Server Certificate Generation field, select Turn off the auto generation from a local CA.
b. Select Local Trusted CAs.
c. Click Save.
Click Add.
Click the ellipsis icon corresponding to the interface and then click Edit. The Configure Interface screen is displayed.
Expand Upload Certificate.
In the Certificate text box, paste the contents of server certificate, local CA certificate, and key in .PEM format.
Note
Maintain this order: <server cert> <ca cert> <key> while pasting the contents of the certificates and key.
In the Format field, select the .PEM option.

10.Click Upload New Certificate.

11.Click Update.

Restart the application (Admin Settings >>System >> Services >> Restart) after interface is configured.

Register New CADP for Java Client

Registering a new CADP for JAVA client on the CipherTrust Manager involves the following steps:

Creating a client profile
Creating a registration token
Registering a client
Configuring a KMIP interface
Importing certificate and key to Java keystore
Updating the Parameters in CADP_for_JAVA.properties

Create a client profile

Log on to the CipherTrust Manager GUI as an administrator.
Click KMIP.
On the left tab click Client Profile.
On the Client Profiles page, click Add Profile.
On the Add Profile screen:
a. Enter Profile Name.
b. Select Username Location in Certificates.
c. In the Certificate Details section, enter either CSR or CSR parameters.
d. Click Save.
The newly generated client profile is listed under the Client Profile tab.

Create a registration token

Log on to the CipherTrust Manager GUI as an administrator.
Click KMIP and then click Registration Tokens tab on the left.
Click New Registration Token.
On the Create New Registration Token screen perform the following steps:
a. Click Begin.
b. On the Configure Token tab, enter details and click Select CA.
c. On the Select CA tab, select the Local CA from the available options and click Select Profile.
d. On the Select Profile tab, select the Client Profile from the available options and click Create Token.
e. Copy the token and click Done.

Register a client

Log on to the CipherTrust Manager GUI as an administrator.
Click KMIP and on the left tab click Registered Clients.
On the Registered Clients page, click Add Client.
On the Add Client screen:
a. Enter the Name.
b. Enter the Registration Token generated in the preceding step.
c. Click Save.
Click Save Private Key and Save Certificate to download the key and certificate in .pem format.
Click Close.

The newly generated client is listed under the Client Name tab.

Configure a KMIP interface

Refer to Configure a KMIP interface for details.

Import certificate and key to Java keystore

Import the Local CA certificate (which was used while creating a registration token), private key, and certificate to the Java keystore which contains the CA that has signed the server certificate.

Update CADP_for_JAVA.properties File

Update the following parameters in the CADP_for_JAVA.properties file:

Key_Store_Location=Location and name of keystore that contains a copy of the server’s local CA, the client certificate, and the CA that signed the client certificate. For example /tmp/KYLO_utility_keystore/cacerts, where /tmp/KYLO_utility_keystore/ is the keystore path and cacerts is the keystore. For windows machine, the keystore path will be \\tmp\\KYLO_utility_keystore\\cacerts.
Key_Store_Password=Password associated with the keystore.
Client_Cert_Alias= <client certificate alias>.
Client_Cert_Password=<client certificate password, if used>

Suggest A Change

Configure SSL on CipherTrust Manager for KMIP Interface

Prerequisites

Auto Register Existing CADP for Java Client

Generate registration token

Edit existing KMIP interface

Configure new KMIP interface

Register New CADP for Java Client

Create a client profile

Create a registration token

Register a client

Configure a KMIP interface

Import certificate and key to Java keystore

Update CADP_for_JAVA.properties File

On this page