Please Note:

User Guide
Quick Start
- Deploy CADP for Java using Maven Distribution
- Deploy CADP for Java using installer
Tasks
- Generate random IV
- Encrypt Data
- Decrypt Data
- Encrypt String and Write to File
- Encrypt File
- Tokenize/Detokenize Date
- Sign and Sign Verify
  - Generate Digital Signature with RSA Private Key using message/text
  - Verify Digital Signature with RSA Public Key using message/text
  - Generating Digital Signature with RSA Private Key using pre-calculated hash
  - Verify Digital Signature with RSA Public Key using Pre-calculated Hash
- MAC Operations
  - Bulk Operations in HMAC
  - Generate MAC
  - Verify MAC
- Key Operations
  - Create global key
  - Create key with random name
  - Create key owned by the NAE user
  - Create EC key owned by NAE user
  - Create Symmetric Key Using HKDF Algorithm
  - Create Key and Assign Permissions
  - Create Key and Assign Custom Attributes
  - Modify Group Permissions for an Existing Key
  - Get Group Permissions on an Existing Key
  - Generate Global RSA Public-Private Key Pair
  - Generate Global EC Public-Private Key Pair
  - Generate KMIP Public-Private Key Pair
  - Export Global Key
  - Export Non-Global Key
  - Import Global Key
  - Delete Global Key
  - Get Size of Global Key
  - Return List of Global Keys on NAE Server
  - Return List of Available Keys on NAE Server
  - Access Non-Global Key
  - Wrap Key
  - Get Key Names
  - Create Versioned Key
  - Create New Version of Key
  - Alter State of a Key Version
  - Encryption, Decryption, and MAC Operations Using Versioned Key
  - Encrypt and Decrypt using All Key Versions
  - Export Versioned Key
- User and Group Management Tasks
  - Create User
  - Delete User
  - Create User with Custom Attributes
  - Update Custom Attribute User
  - Retrieve Custom Attribute
  - Delete Custom Attribute
  - Change User Password
  - Change Key Owner
  - List Group Membership of a Specific User
  - List All Users in All Groups
  - List All Users in Single Group
  - Create Group
  - Delete Group
  - Add Users to Group
  - List All Users in Specific Group
  - Get All Information About Group
- Certificate Management Tasks
  - Import Certificate to Key Manager
  - Export Certificate and Private Key From Key Manager
  - Export Certificate From Key Manager
  - Export CA Certificate From Key Manager
  - Delete Certificate From Key Manager
- Session Management Tasks
  - Create Global Session
  - Create Global Session Using SSL with Client Certificates
  - Create Authenticated Session using NAE Credentials
  - Create an Authenticated Session using Domain User
  - Create session with Obfuscated Credentials
  - Create Authenticated Session using SSL with Client Certificates
  - Create Authenticated Session using SessionLevelConfig
  - Create Authenticated Session with Access to Persistent Key Cache
- Add Multiple Key Managers
- Refresh Cached Keys
- KMIP Tasks
  - KMIP Session
    - Create Authenticated KMIP Session with Client Certificate
    - Create Authenticated KMIP Session with User Credentials
    - Create Authenticated KMIP Session with User Credentials and Client Certificate
  - Wrap Key
  - Verify Key
  - KMIP Encrypt and Decrypt
    - KMIP Encrypt
    - KMIP Decrypt
  - KMIP Encrypt and Decrypt Sample
- Obfuscate Credentials
- Logging Related Tasks
  - Time-based Log Rotation
  - Size-based Log Rotation
  - Time and Size -based Log Rotation
  - Include GMT Timestamp Offset
  - Log_MaxBackupIndex
  - Reloading Log Configuration
  - Targeted Logging
  - Configuring Multiple Logging Outputs
  - Implement External Logger Object
- Obfuscate SSL Client Private Key Passphrase
- Chain Operations
  - Create Chained Operations
  - Return Intermediate Result in a Chain of Operations
- SSL Configuration
  - Configure SSL on CipherTrust Manager for NAE Interface
  - Configure SSL on CipherTrust Manager for KMIP Interface
- Tokenization Related Tasks
  - Initialize and close Token Service Vaultless instance
  - Create token for the plaintext
  - Return plaintext for token
  - Tokenize and detokenize Unicode blocks
    - Tokenize and detokenize Unicode blocks using AlgoSpec
    - Tokenize and detokenize Unicode blocks using Unicode.properties file
  - Tokenize and detokenize large data set
  - Java API Sample
  - REST APIs
    - Deploy Vaultless Tokenization on HTTPS Server
    - Return plaintext for token
    - Create token for the plaintext
Advanced Topics
- Configuration Parameters
  - Network Configuration Parameters
  - Connection Configuration Parameters
  - Local Encryption Parameters
  - SSL Configuration Parameters
  - Logging Parameters
  - Miscellaneous Parameters
- Connect to Server
- Connection Pooling
- Load Balancing
- Multi-Tier Load Balancing
- Format Preserving Encryption
  - FPE/AES
  - FPE/FF1
  - FPE/FF1v2
  - FPE/FF3
  - FPE/FF3-1
  - FPE Formats
  - FPE/AES/Unicode Cardinality Block-Size Table
- CADP for Java Utilities
  - CryptoDataUtility
  - GetJCEDetails Utility
- Supported Algorithms
  - Encryption and Decryption with Symmetric Keys
  - Encryption and Decryption with Asymmetric Keys
  - Message Authentication Codes
  - Digital Signatures
  - Supported Cryptographic Algorithms
- KMIP Fundamentals
  - KMIP Managed Objects
  - KMIP Attribute
  - KMIP Managed Operations
  - KMIP Multiple Operation Batching
  - KMIP Support for NAECertificates
  - Certify and Recertify
  - KMIP States and Dates
- Key Caching
  - Symmetric/Asymmetric Key Caching
  - Persistent Key Caching
- Logging
- Tokenization Concepts
  - AlgoSpec
  - TokenSpec
  - Bulk Migration Parameters
- Advisory Notes and Best Practices
Troubleshooting

CADP for Java
User Guide

User Guide

The CipherTrust Application Data Protection for JAVA (CADP for Java) provides an interface for key management operations, as well as application-level encryption of sensitive data. The solution can protect both unstructured data types such as - Excel and PDF files and structured data types such as - credit card numbers, social security numbers, national ID numbers, and passwords. Encryption takes places as soon as the data is generated or first processed, and remains secure across its entire life-cycle.

General system architecture

The CADP for Java solution consists of two main components:

CADP for Java Provider
The CADP for Java Provider are the jar files and the properties files used for configuration. The CADP for Java Provider requires:
- Java Virtual Machine (JVM) with support for SSL and Java Cryptographic Extensions (JCE).
- Oracle Java version 8 (minimum 1.8.0_111), 10, 11 (including OpenJDK and Amazon Corretto), 12 (including OpenJDK and Azul Java), 14 (including OpenJDK), 15 (including OpenJDK), 17 (including OpenJDK), 19 (including OpenJDK), 21 (including OpenJDK) or IBM Java 8 (minimum 8.0.6.25).
Key Manager
The CADP for Java is compatible with CipherTrust Manager 2.11.1 and higher versions.

Install the CADP for Java Provider on all the back-end servers that will be making requests for cryptographic operations or key management. All applications, servlets, or scripts see a conventional JCE interface and issue simple Java–based (JCE) commands to the Key Manager to perform cryptographic operations. Our CADP for Java provider is not dependent on the underlying back-end server.

Cryptography support

CADP for Java enables your Java client to perform cryptographic operations either by requesting that operations be performed on the Key Manager (remote mode) or by caching keys on the client and performing crypto locally (local mode).

Remote Mode: The CADP for Java Provider sends the crypto request over your network to the Key Manager using either tcp or ssl protocol. The Key Manager checks for proper authorization, performs the cryptographic operation, and returns the data to the calling application. Remote crypto mode creates an extremely simple, scalable, and secure solution to the challenges of back-end data encryption, integrity checking, and fingerprinting. To minimize the performance impact of remote operations, the provider uses long-lived and configurable sessions with the Key Manager. Connection pools are created for each session, so your application can have multiple connection pools. As a result, very low latencies and high throughputs can be achieved.
Local Mode: The CADP for Java Provider authenticates to the Key Manager, exports, and then stores a key - either in process memory or on disk, for a limited time. Cryptography is performed by the local JCE provider (typically SunJCE). This solution may be ideal for secured clients when network latency is a high, or when local encryption speeds meet performance requirements.

Supported cryptographic operations

Encryption/Decryption
Sign/SignVerify
MAC/MACVerify

Key management support

CADP for Java operates over any of these protocols:

NAE-XML: A flavor of XML specific to the Key Manager
KMIP: The OASIS Key Management Interoperability Protocol, supported by Key Manager

Key management using NAE-XML

The Key Manager is pre-configured for the NAE-XML protocol. When KMIP is not configured, management requests, like key create, export, and delete calls, occur over the NAEXML protocol. To perform key management over NAE-XML, configure NAE_Port in the CADP_for_JAVA.properties file and use the APIs prefaced with NAE such as NAEKey, NAECertificate.

Caution

When using a Key Manager for cryptographic operations, which requires NAE-XML, we recommend not to configure the same CADP for Java client for KMIP.

Key management using KMIP

Key Manager can be configured as KMIP servers, so the CADP for Java client can operate with these servers. CADP for Java offers support for the following KMIP features:

Managed Objects such as Symmetric Keys, Asymmetric Keys, Secret Data, Templates, and Certificates
Operations such as Create, Register, Export/Get, Delete, and Manage Lifecycle
Attributes
Multiple Operations

Services offered

KeyGenerators

DES
DESede
AES
SEED
RC4
HmacSHA1
HmacSHA256
HmacSHA384
HmacSHA512
ARIA

KeyPairGenerator

Cipher

DES/CBC/PKCS5Padding
DES/ECB/NoPadding
DES/ECB/PKCS5Padding
DESede/CBC/NoPadding
DESede/CBC/PKCS5Padding
DESede/ECB/NoPadding
DESede/ECB/PKCS5Padding
AES/CBC/NoPadding
AES/CBC/PKCS5Padding
AES/ECB/NoPadding
AES/ECB/PKCS5Padding
AES/GCM/NoPadding
AES/CTR/NoPadding
FPE/AES/CARD10
FPE/AES/CARD26
FPE/AES/CARD62
FPE/AES/UNICODE
FPE/FF1/CARD10
FPE/FF1/CARD26
FPE/FF1/CARD62
FPE/FF1/UNICODE
FPE/FF1v2/CARD10
FPE/FF1v2/CARD26
FPE/FF1v2/CARD62
FPE/FF1v2/UNICODE
FPE/FF3/CARD10
FPE/FF3/CARD26
FPE/FF3/CARD62
FPE/FF3/UNICODE
SEED/CBC/NoPadding
SEED/CBC/PKCS5Padding
SEED/ECB/NoPadding
SEED/ECB/PKCS5Padding
RC4
RSA/None/PKCS1Padding
RSA/None/PKCS1OAEPPadding
RSA/None/PKCS1OAEPPaddingSHA256
RSA/None/PKCS1OAEPPaddingSHA384
RSA/None/PKCS1OAEPPaddingSHA512
ARIA/CBC/NoPadding
ARIA/CBC/PKCS5Padding
ARIA/ECB/NoPadding
ARIA/ECB/PKCS5Padding
ECIESwithSHA1AES/CBC/PKCS5Padding
ECIESwithSHA224AES/CBC/PKCS5Padding
ECIESwithSHA256AES/CBC/PKCS5Padding
ECIESwithSHA384AES/CBC/PKCS5Padding
ECIESwithSHA512AES/CBC/PKCS5Padding
ECIESwithSHA1AES/CBC/NoPadding
ECIESwithSHA224AES/CBC/NoPadding
ECIESwithSHA256AES/CBC/NoPadding
ECIESwithSHA384AES/CBC/NoPadding
ECIESwithSHA512AES/CBC/NoPadding
ECIESwithSHA1DESede/CBC/NoPadding
ECIESwithSHA224DESede/CBC/NoPadding
ECIESwithSHA256DESede/CBC/NoPadding
ECIESwithSHA384DESede/CBC/NoPadding
ECIESwithSHA512DESede/CBC/NoPadding
ECIESwithSHA1DESede/CBC/PKCS5Padding
ECIESwithSHA224DESede/CBC/PKCS5Padding
ECIESwithSHA256DESede/CBC/PKCS5Padding
ECIESwithSHA384DESede/CBC/PKCS5Padding
ECIESwithSHA512DESede/CBC/PKCS5Padding

MAC

HmacSHA1
HmacSHA256
HmacSHA384
HmacSHA512

Signature

SHA1withRSA
SHA256withRSA
SHA384withRSA
HSHA512withRSA
ECDSA
SHA1withECDSA
SHA256withECDSA
SHA384withECDSA
SHA512withECDSA
SHA1withRSAPSSPadding
SHA256withRSAPSSPadding
SHA384withRSAPSSPadding
SHA512withRSAPSSPadding

Random Number Generators

IngrianRNG
SHA1PRNG

Suggest A Change

User Guide

General system architecture

Cryptography support

Supported cryptographic operations

Key management support

Key management using NAE-XML

Key management using KMIP

Services offered

KeyGenerators

KeyPairGenerator

Cipher

MAC

Signature

Random Number Generators

On this page