Please Note:

Administration
Quick Start
Alternative Deployment Method
Tasks
- Centrally Managed APIs Tasks
  - Protect Data
  - Reveal Data
  - Reprotect Data
  - Renew client certificate
- Traditional APIs Tasks
  - Generate random IV
  - Encrypt Data
  - Decrypt Data
  - Encrypt String and Write to File
  - Encrypt/Decrypt Email (Masking Domain)
  - Encrypt/Decrypt File
  - MAC Operations
    - Bulk Operations in HMAC
    - Generate MAC
    - Verify MAC
  - Sign and Sign Verify
    - Generate Digital Signature with RSA Private Key using message/text
    - Verify Digital Signature with RSA Public Key using message/text
    - Generating Digital Signature with RSA Private Key using pre-calculated hash
    - Verify Digital Signature with RSA Public Key using Pre-calculated Hash
  - Key Operations
    - Create global key
    - Create key with random name
    - Create key owned by the NAE user
    - Create EC key owned by NAE user
    - Create Symmetric Key Using HKDF Algorithm
    - Create Key and Assign Permissions
    - Create Key and Assign Custom Attributes
    - Modify Group Permissions for an Existing Key
    - Get Group Permissions on an Existing Key
    - Generate Global RSA Public-Private Key Pair
    - Generate Global EC Public-Private Key Pair
    - Generate KMIP Public-Private Key Pair
    - Export Global Key
    - Export Non-Global Key
    - Import Global Key
    - Delete Global Key
    - Get Size of Global Key
    - Return List of Global Keys on NAE Server
    - Return List of Available Keys on NAE Server
    - Access Non-Global Key
    - Wrap Key
    - Get Key Names
    - Create Versioned Key
    - Create New Version of Key
    - Alter State of a Key Version
    - Encryption, Decryption, and MAC Operations Using Versioned Key
    - Encrypt and Decrypt using All Key Versions
    - Export Versioned Key
  - User and Group Management Tasks
    - Create User
    - Delete User
    - Create User with Custom Attributes
    - Update Custom Attribute User
    - Retrieve Custom Attribute
    - Delete Custom Attribute
    - Change User Password
    - Change Key Owner
    - List Group Membership of a Specific User
    - List All Users in All Groups
    - List All Users in Single Group
    - Create Group
    - Delete Group
    - Add Users to Group
    - List All Users in Specific Group
    - Get All Information About Group
  - Certificate Management Tasks
    - Import Certificate to Key Manager
    - Export Certificate and Private Key From Key Manager
    - Export Certificate From Key Manager
    - Export CA Certificate From Key Manager
    - Delete Certificate From Key Manager
  - Session Management Tasks
    - Create Global Session
    - Create Global Session Using SSL with Client Certificates
    - Create Authenticated Session using NAE Credentials
    - Create an Authenticated Session using Domain User
    - Create session with Obfuscated Credentials
    - Create Authenticated Session using SSL with Client Certificates
    - Create Authenticated Session using SessionLevelConfig
    - Create Authenticated Session with Access to Persistent Key Cache
  - Add Multiple Key Managers
  - Refresh Cached Keys
  - KMIP Tasks
    - KMIP Session
      - Create Authenticated KMIP Session with Client Certificate
      - Create Authenticated KMIP Session with User Credentials
      - Create Authenticated KMIP Session with User Credentials and Client Certificate
    - Wrap Key
    - Verify Key
    - KMIP Encrypt and Decrypt
      - KMIP Encrypt
      - KMIP Decrypt
    - KMIP Encrypt and Decrypt Sample
  - Obfuscate Credentials
  - Logging Related Tasks
    - Time-based Log Rotation
    - Size-based Log Rotation
    - Time and Size -based Log Rotation
    - Include GMT Timestamp Offset
    - Log_MaxBackupIndex
    - Reloading Log Configuration
    - Targeted Logging
    - Configuring Multiple Logging Outputs
    - Implement External Logger Object
  - Obfuscate SSL Client Private Key Passphrase
  - Chain Operations
    - Create Chained Operations
    - Return Intermediate Result in a Chain of Operations
  - SSL Configuration
    - Configure SSL on CipherTrust Manager for NAE Interface
    - Configure SSL on CipherTrust Manager for KMIP Interface
  - Tokenization Related Tasks
    - Initialize and close Token Service Vaultless instance
    - Create token for the plaintext
    - Return plaintext for token
    - Tokenize and detokenize Unicode blocks
      - Tokenize and detokenize Unicode blocks using AlgoSpec
      - Tokenize and detokenize Unicode blocks using Unicode.properties file
    - Tokenize and detokenize large data set
    - Tokenize/Detokenize Date
    - Java API Sample
    - REST APIs
      - Deploy Vaultless Tokenization on HTTPS Server
      - Return plaintext for token
      - Create token for the plaintext
Advanced Topics
- Advanced Topics - Centrally Managed APIs
  - Concepts
  - Protection Policy
  - CADP for Java Logging
  - Client Status
  - Integrate client status notification in your application
- Advanced Topics - Traditional APIs
  - Configuration Parameters
    - Network Configuration Parameters
    - Connection Configuration Parameters
    - Local Encryption Parameters
    - SSL Configuration Parameters
    - Logging Parameters
    - Miscellaneous Parameters
  - Connect to Server
  - Connection Pooling
  - Load Balancing
  - Multi-Tier Load Balancing
  - Format Preserving Encryption
    - FPE/AES
    - FPE/FF1
    - FPE/FF1v2
    - FPE/FF3
    - FPE/FF3-1
    - FPE Formats
    - FPE/AES/Unicode Cardinality Block-Size Table
  - CADP for Java Utilities
    - CryptoDataUtility
    - GetJCEDetails Utility
  - Supported Algorithms
    - Encryption and Decryption with Symmetric Keys
    - Encryption and Decryption with Asymmetric Keys
    - Message Authentication Codes
    - Digital Signatures
    - Supported Cryptographic Algorithms
  - KMIP Fundamentals
    - KMIP Managed Objects
    - KMIP Attribute
    - KMIP Managed Operations
    - KMIP Multiple Operation Batching
    - KMIP Support for NAECertificates
    - Certify and Recertify
    - KMIP States and Dates
  - Key Caching
    - Symmetric/Asymmetric Key Caching
    - Persistent Key Caching
  - Logging
  - Tokenization Concepts
    - AlgoSpec
    - TokenSpec
    - Bulk Migration Parameters
  - Advisory Notes and Best Practices
Troubleshooting

CADP for Java
Administration

Administration

The CipherTrust Application Data Protection for Java (CADP for Java) is a Java Cryptography Extension (JCE) provider that enables users to integrate the Key Manager's capabilities into their Java applications. CADP for Java is available in two variants:

Centrally Managed APIs
Traditional APIs

Centrally Managed APIs

This is our new set of APIs available from CADP for Java 8.18.0 release. CADP for Java offers simplified APIs (Protect/Reveal) to perform cryptography operations. CADP for Java integrates seamlessly with Application Data Protection on CipherTrust Manager, enabling organizations to centrally configure, manage, and enforce data-centric cryptographic policies in a reusable, human-readable format, providing flexibility and ease of management.

Protection policy (ciphers, keys, IV, tweak, and so on) defines how to protect the sensitive data. Whereas, Access policy determines who can view sensitive data and how (plaintext, ciphertext, custom masking format or redacted).

Centrally Managed APIs offer several advantages over traditional APIs, including:

Developers do not need to understand cryptographic parameters (cipher, key, IV, Nonce, Tweak, and so on) to protect data as the Data Security Admins are responsible to handle configurations and policies.
Each deployed application with CADP for Java is visible on CipherTrust Manager (providing a Single Pane of Glass view).
Data Security Admins gain Crypto Agility, enabling real time changes to cipher, keys, and parameters.

Traditional APIs

This is our standard release of CADP for Java which has been delivered so far.

CADP for Java integrates with the Java Cryptographic Extension (JCE), allowing your Java application to perform cryptographic operations for data protection either locally (with key material securely cached in memory) or remotely (by forwarding cryptographic requests to CipherTrust Manager). CADP for Java provides encryption/decryption ciphers, tokenization/detokenization ciphers, sign/verify, MAC/verify operations, along with key management functionalities.

Traditional APIs have some drawbacks compared to centrally managed APIs, as developers must understand and handle cryptographic parameters (cipher, key, IV, nonce, tweak, and so on.) and configurations file by themselves. The CADP for Java configuration is stored in a local file that is deployed with each instance of the application.

General system architecture

The CADP for Java solution consists of the following components:

CADP for Java Provider
The CADP for Java Provider offers APIs to secure your data. Install the CADP for Java Provider on all backend servers that will handle cryptographic or key management requests (currently, can be only done through traditional APIs). All applications, servlets, or scripts interact with a standard JCE interface and issue simple Java-based (JCE) commands to the Key Manager for cryptographic operations. The CADP for Java Provider is independent of the underlying backend server.
The CADP for Java Provider requires:
- Java Virtual Machine (JVM) with support for SSL and Java Cryptographic Extensions (JCE).
- Any of the following Java version:
  - Oracle Java version 8 (minimum 1.8.0_111)
  - Oracle Java 10
  - Oracle Java 11 (including OpenJDK and Amazon Corretto)
  - Oracle Java 12 (including OpenJDK and Azul Java)
  - Oracle Java 14, 15, 17, 19, 21 (including OpenJDK)
  - IBM Java 8 (minimum 8.0.6.25)
Key Manager
The CADP for Java uses the CipherTrust Manager as its trusted key source.

Note

From this point onward, we have separated the content of this page into two tabs: one for centrally managed APIs and the other for traditional APIs. Click on the tab of your choice to view the content.

Centrally Managed APIs

Cryptography support

CADP for Java enables the Java client to perform cryptographic operations by caching keys and configurations locally.

Supported cryptographic operations

Protect
Reveal
Reprotect

Supported algorithms

FPE/AES
FPE/FF1v2
FPE/FF3
FPE/FF3-1
AES/CBC/NoPadding
AES/CBC/PKCS5Padding
AES/ECB/NoPadding
AES/ECB/PKCS5Padding
AES/GCM (Support available in CipherTrust Manager future releases)

The exact CipherTrust Manager version will be specified once it is officially released and will also be reflected in the CipherTrust Manager release notes.

Random 2 (Support available in CipherTrust Manager future releases)

The exact CipherTrust Manager version will be specified once it is officially released and will also be reflected in the CipherTrust Manager release notes.

Licensing

CADP for Java is licensed per deployed instance. Licenses for CADP for Java are part of the CipherTrust Flex Connector Advanced. Refer to CADP Licensing Model for details.

Note

The time on both the client and server machines must be synchronized. To achieve this, NTP (Network Time Protocol) should be configured. Follow instructions to set up NTP.

Traditional APIs

Cryptography support

CADP for Java enables your Java client to perform cryptographic operations either by requesting that operations be performed on the Key Manager (remote mode) or by caching keys on the client and performing crypto locally (local mode).

Remote Mode: The CADP for Java Provider sends the crypto request over your network to the Key Manager using either tcp or ssl protocol. The Key Manager checks for proper authorization, performs the cryptographic operation, and returns the data to the calling application. Remote crypto mode creates an extremely simple, scalable, and secure solution to the challenges of back-end data encryption, integrity checking, and fingerprinting. To minimize the performance impact of remote operations, the provider uses long-lived and configurable sessions with the Key Manager. Connection pools are created for each session, so your application can have multiple connection pools. As a result, very low latencies and high throughputs can be achieved.
Local Mode: The CADP for Java Provider authenticates to the Key Manager, exports, and then stores a key - either in process memory or on disk, for a limited time. Cryptography is performed by the local JCE provider (typically SunJCE). This solution may be ideal for secured clients when network latency is a high, or when local encryption speeds meet performance requirements.

Supported cryptographic operations

Encryption/Decryption
Sign/SignVerify
MAC/MACVerify

Key management support

CADP for Java operates over any of these protocols:

NAE-XML: A flavor of XML specific to the Key Manager
KMIP: The OASIS Key Management Interoperability Protocol, supported by Key Manager

Key management using NAE-XML

The Key Manager is pre-configured for the NAE-XML protocol. When KMIP is not configured, management requests, like key create, export, and delete calls, occur over the NAEXML protocol. To perform key management over NAE-XML, configure NAE_Port in the CADP_for_JAVA.properties file and use the APIs prefaced with NAE such as NAEKey, NAECertificate.

Caution

When using a Key Manager for cryptographic operations, which requires NAE-XML, we recommend not to configure the same CADP for Java client for KMIP.

Key management using KMIP

Key Manager can be configured as KMIP servers, so the CADP for Java client can operate with these servers. CADP for Java offers support for the following KMIP features:

Managed Objects such as Symmetric Keys, Asymmetric Keys, Secret Data, Templates, and Certificates
Operations such as Create, Register, Export/Get, Delete, and Manage Lifecycle
Attributes
Multiple Operations

Services offered

KeyGenerators

DES
DESede
AES
SEED
RC4
HmacSHA1
HmacSHA256
HmacSHA384
HmacSHA512
ARIA

KeyPairGenerator

Cipher

DES/CBC/PKCS5Padding
DES/ECB/NoPadding
DES/ECB/PKCS5Padding
DESede/CBC/NoPadding
DESede/CBC/PKCS5Padding
DESede/ECB/NoPadding
DESede/ECB/PKCS5Padding
AES/CBC/NoPadding
AES/CBC/PKCS5Padding
AES/ECB/NoPadding
AES/ECB/PKCS5Padding
AES/GCM/NoPadding
AES/CTR/NoPadding
FPE/AES/CARD10
FPE/AES/CARD26
FPE/AES/CARD62
FPE/AES/UNICODE
FPE/FF1/CARD10
FPE/FF1/CARD26
FPE/FF1/CARD62
FPE/FF1/UNICODE
FPE/FF1v2/CARD10
FPE/FF1v2/CARD26
FPE/FF1v2/CARD62
FPE/FF1v2/UNICODE
FPE/FF3/CARD10
FPE/FF3/CARD26
FPE/FF3/CARD62
FPE/FF3/UNICODE
SEED/CBC/NoPadding
SEED/CBC/PKCS5Padding
SEED/ECB/NoPadding
SEED/ECB/PKCS5Padding
RC4
RSA/None/PKCS1Padding
RSA/None/PKCS1OAEPPadding
RSA/None/PKCS1OAEPPaddingSHA256
RSA/None/PKCS1OAEPPaddingSHA384
RSA/None/PKCS1OAEPPaddingSHA512
ARIA/CBC/NoPadding
ARIA/CBC/PKCS5Padding
ARIA/ECB/NoPadding
ARIA/ECB/PKCS5Padding
ECIESwithSHA1AES/CBC/PKCS5Padding
ECIESwithSHA224AES/CBC/PKCS5Padding
ECIESwithSHA256AES/CBC/PKCS5Padding
ECIESwithSHA384AES/CBC/PKCS5Padding
ECIESwithSHA512AES/CBC/PKCS5Padding
ECIESwithSHA1AES/CBC/NoPadding
ECIESwithSHA224AES/CBC/NoPadding
ECIESwithSHA256AES/CBC/NoPadding
ECIESwithSHA384AES/CBC/NoPadding
ECIESwithSHA512AES/CBC/NoPadding
ECIESwithSHA1DESede/CBC/NoPadding
ECIESwithSHA224DESede/CBC/NoPadding
ECIESwithSHA256DESede/CBC/NoPadding
ECIESwithSHA384DESede/CBC/NoPadding
ECIESwithSHA512DESede/CBC/NoPadding
ECIESwithSHA1DESede/CBC/PKCS5Padding
ECIESwithSHA224DESede/CBC/PKCS5Padding
ECIESwithSHA256DESede/CBC/PKCS5Padding
ECIESwithSHA384DESede/CBC/PKCS5Padding
ECIESwithSHA512DESede/CBC/PKCS5Padding

MAC

HmacSHA1
HmacSHA256
HmacSHA384
HmacSHA512

Signature

SHA1withRSA
SHA256withRSA
SHA384withRSA
HSHA512withRSA
ECDSA
SHA1withECDSA
SHA256withECDSA
SHA384withECDSA
SHA512withECDSA
SHA1withRSAPSSPadding
SHA256withRSAPSSPadding
SHA384withRSAPSSPadding
SHA512withRSAPSSPadding

Random Number Generators

IngrianRNG
SHA1PRNG

What's Next

After getting familiar with centrally managed and traditional APIs, follow the quick start section to deploy CADP for Java.

Suggest A Change

Administration

Centrally Managed APIs

Traditional APIs

General system architecture

Cryptography support

Supported cryptographic operations

Supported algorithms

Licensing

Cryptography support

Supported cryptographic operations

Key management support

Key management using NAE-XML

Key management using KMIP

Services offered

KeyGenerators

KeyPairGenerator

Cipher

MAC

Signature

Random Number Generators

What's Next

On this page