BYOK for Salesforce
Salesforce provides the ability to import keys from Key Manager. You can use the imported keys in all Salesforce services and custom applications.
Prerequisites
To use BYOK for Salesforce ensure that:
CADP for Java is installed and configured. Refer to Quick start for detailed installation instructions and Configuration Parameters for configuration details.
A javac compiler exists in the path.
One of the supported Java versions is installed on your machine. Refer to General system architecture for details.
The high-level steps involved in using BYOK for Salesforce with CADP for Java are:
Creating Self-signed Certificate in Salesforce and downloading it on the target machine.
Creating an AES-256 key on Key Manager (referred to as the tenant secret in Salesforce).
Wrapping the AES-256 key with the self-signed certificate to generate the wrappedData (wrapped key) and generating a Base64-encoded hash of the wrappedData.
Uploading the wrappedData (key) and hash of the wrappedData to Salesforce.
Create Self-signed Certificate
To create self-signed certificate:
Log on to the Salesforce account. The Salesforce homepage is displayed.
In the Quick Find text box, enter certificate and key management and then click the search icon.
In the search result list, click Certificate and Key Management. The Certificate and Key Management screen is displayed.
In the Certificates section, click Create Self-Signed Certificate. The Certificates page is displayed.
Provide the following details:
Enter the Label and Unique Name for the certificate. The Unique Name must follow the Salesforce naming rules; to view them, hover the mouse pointer over the icon next to the Unique Name text box.
From the Key Size drop-down list, select 4096.
Select the Use Platform Encryption check box.
Don’t select the Exportable Private Key check box.
Click Save. The Certificates page is displayed with details of the certificate generated.
Click Download Certificate and specify the directory where the certificate (.crt file) is to be saved. The certificate is listed in the Certificates section of the Certificate and Key Management page, which also provides links to edit or delete it.
Create AES-256 Key
Refer to Create a key for detailed instructions.
Wrap AES Key
Run the ByokSample. This sample is available on GitHub.
Usage
java ByokSample -cloudName [AWS|Salesforce|GoogleCloud] -userName <userName> -password <password> -aesKeyName <aesKeyName> [-publicKeyPath <publicKeyPath>] -wrappedKeyPath <wrappedKeyPath> [-wrappingKeyName <RSA KeyName>] [-outputFormat base64] -wrappingAlgo [SHA1|SHA256|PKCS1.5] [-hash256Path <filePath>]
Parameter | Description |
---|---|
cloudName | Name of the cloud where you want to upload your key. |
userName | Name of the user on Key Manager. |
password | Password of the user on Key Manager. The following special characters are not allowed in the password: * ‘ “ and |. |
aesKeyName | Name of the AES-256 key created on Key Manager. If the key does not exist on Key Manager, the ByokSample first creates an AES-256 key and then wraps it using the wrapping public key. |
publicKeyPath | Complete path including the file name of the public key downloaded from Salesforce. If the public key is already imported to Key Manager, you can skip this parameter. |
wrappedKeyPath | Complete path including the file name of the wrapped key. |
outputFormat | For Salesforce, specify the output format as Base64. |
wrappingAlgo | Wrapping algorithm. For Salesforce, use SHA1. |
wrappingKeyName | Name of the RSA public key used to wrap AES key. If the publicKeyPath parameter is provided, the public key available at this location will be imported to Key Manager with the specified name and will be used to wrap the AES key. Else, already existing key with the specified name on Key Manager will be used to wrap the AES Key. |
hash256Path | Complete path including the file name where you want to save the hash of the wrapped data (wrapped key). |
Example
This example shows how to wrap an AES-256 bit key.
java ByokSample -cloudName salesforce -userName kmuser -password kmpassword -aesKeyName AES256Key -publicKeyPath /TestingKey2.crt -wrappedKeyPath /test_wrap -wrappingKeyName SalesForcePublicKey -wrappingAlgo SHA1 -outputFormat base64 -hash256Path /test_SalesForce_hash
On successful execution, two files with the .b64 extension are created: the wrapped key (at the wrappedKeyPath location) and the hash of the wrapped data (at the hash256Path location).
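To make the wrap step concrete, the following Java program is an added example (not the ByokSample and not CADP for Java code) that performs the same two operations with the standard JCE: it wraps a 32-byte AES-256 tenant secret with the RSA public key taken from the downloaded .crt using RSA-OAEP with SHA-1 (the page's -wrappingAlgo SHA1), Base64-encodes the result, and writes a Base64 SHA-256 hash beside it. The class name, the file names and the argument order are assumptions; the AES key is generated locally as a stand-in for the key created on Key Manager, which this example does not contact. Salesforce's BYOK documentation describes the Hashed Tenant Secret as the SHA-256 of the tenant secret itself, which is what allows Salesforce to check the secret it recovers after unwrapping, so the example hashes the tenant secret and includes that round-trip check; compare its hash file with the one the ByokSample writes before uploading.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.MGF1ParameterSpec;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

// Added example, not the ByokSample. Usage:
//   java SalesforceByokWrapDemo [path/to/salesforce.crt] [wrappedOut.b64] [hashOut.b64]
// With no arguments it generates a throwaway RSA-4096 pair and verifies the round trip.
public class SalesforceByokWrapDemo {

    // "-wrappingAlgo SHA1" on the page: RSA-OAEP with SHA-1 and MGF1/SHA-1.
    private static final String OAEP_TRANSFORM = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";
    private static final OAEPParameterSpec OAEP_SHA1 =
            new OAEPParameterSpec("SHA-1", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT);

    /** Output of the wrap step: two Base64 strings, one per .b64 file. */
    public static final class WrappedTenantSecret {
        public final String wrappedKeyBase64; // Encrypted Tenant Secret (wrappedKeyPath file)
        public final String hashBase64;       // Hashed Tenant Secret (hash256Path file)
        WrappedTenantSecret(String wrapped, String hash) { wrappedKeyBase64 = wrapped; hashBase64 = hash; }
    }

    /** Reads the self-signed certificate downloaded from Salesforce and returns its RSA public key. */
    public static PublicKey loadPublicKey(Path crtPath) throws Exception {
        try (InputStream in = Files.newInputStream(crtPath)) {
            X509Certificate cert = (X509Certificate)
                    CertificateFactory.getInstance("X.509").generateCertificate(in);
            return cert.getPublicKey();
        }
    }

    /** Wraps a 32-byte AES-256 tenant secret with the certificate's public key and hashes the secret. */
    public static WrappedTenantSecret wrap(byte[] tenantSecret, PublicKey wrappingKey) throws Exception {
        if (tenantSecret.length != 32) {
            throw new IllegalArgumentException("tenant secret must be 32 bytes (AES-256), got " + tenantSecret.length);
        }
        Cipher rsa = Cipher.getInstance(OAEP_TRANSFORM);
        rsa.init(Cipher.ENCRYPT_MODE, wrappingKey, OAEP_SHA1);
        byte[] wrapped = rsa.doFinal(tenantSecret);
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(tenantSecret);
        Base64.Encoder b64 = Base64.getEncoder();
        return new WrappedTenantSecret(b64.encodeToString(wrapped), b64.encodeToString(digest));
    }

    /** What the receiving side does: unwrap with the private key and compare the SHA-256 hash. Demo only. */
    public static boolean verifyRoundTrip(WrappedTenantSecret out, PrivateKey privateKey) throws Exception {
        Cipher rsa = Cipher.getInstance(OAEP_TRANSFORM);
        rsa.init(Cipher.DECRYPT_MODE, privateKey, OAEP_SHA1);
        byte[] recovered = rsa.doFinal(Base64.getDecoder().decode(out.wrappedKeyBase64));
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(recovered);
        return MessageDigest.isEqual(digest, Base64.getDecoder().decode(out.hashBase64));
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for the AES-256 key created on Key Manager (Key Manager is not called here).
        KeyGenerator aes = KeyGenerator.getInstance("AES");
        aes.init(256);
        byte[] tenantSecret = aes.generateKey().getEncoded();

        PublicKey wrappingKey;
        PrivateKey demoPrivateKey = null;
        if (args.length >= 1) {
            wrappingKey = loadPublicKey(Paths.get(args[0]));  // the .crt downloaded from Salesforce
        } else {
            // No certificate supplied: generate an RSA-4096 pair (the Key Size selected on the page).
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
            kpg.initialize(4096);
            KeyPair kp = kpg.generateKeyPair();
            wrappingKey = kp.getPublic();
            demoPrivateKey = kp.getPrivate();
        }

        WrappedTenantSecret out = wrap(tenantSecret, wrappingKey);
        Path wrappedPath = Paths.get(args.length >= 2 ? args[1] : "tenant_secret_wrapped.b64");
        Path hashPath = Paths.get(args.length >= 3 ? args[2] : "tenant_secret_hash.b64");
        Files.write(wrappedPath, out.wrappedKeyBase64.getBytes(StandardCharsets.US_ASCII));
        Files.write(hashPath, out.hashBase64.getBytes(StandardCharsets.US_ASCII));
        System.out.println("wrapped key -> " + wrappedPath);
        System.out.println("sha256 hash -> " + hashPath);
        if (demoPrivateKey != null) {
            System.out.println("round-trip verification: " + verifyRoundTrip(out, demoPrivateKey));
        }
    }
}
```

The two files it writes correspond to the Encrypted Tenant Secret and Hashed Tenant Secret fields of the upload step. The round-trip check only runs in the no-argument mode, because the private key of the Salesforce certificate is never exportable (the Exportable Private Key box is left clear when the certificate is created), so with a real .crt the unwrap can only happen on the Salesforce side.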
Upload Wrapped Key and Import Token to Salesforce
To upload the wrapped key (tenant secret) and the hash of the wrapped key to Salesforce, follow the steps described here.
Log on to Salesforce. In the Quick Find text box, enter Platform Encryption and click the search icon.
In the search results, under Platform Encryption, click the Key Management link. The Key Management screen is displayed.
In the Key Management section, click Bring Your Own Key.
From the Choose Certificate drop-down list, select the self-signed certificate against which you want to upload the wrapped key (tenant secret) and the hash of the wrapped data.
In the Upload Tenant Secret section, select the wrapped key file (.b64) for the Encrypted Tenant Secret field and the hash file (.b64) for the Hashed Tenant Secret field.
Click Upload. The wrapped key and hash of the wrapped key are uploaded and listed in the Key Management section of the Platform Encryption screen.