Hello and first of all thanks for this awesome gem! I want to add it to my admin system, but faced with some troubles. My:twofactorauthenticatable named AdminUser, so I followed all prescription. May 17, 2010 The ssh client allows you to selects a file from which the identity (private key) for RSA or DSA authentication is read. The default is /.ssh/identity for protocol version 1, and /.ssh/idrsa and /.ssh/iddsa for protocol version 2. Identity files may also be specified on a per-host basis in the configuration file.
A primer for managing PKCS12 keystores
What is DB2 native encryption?
With DB2 native encryption, you can encrypt user data at rest in your DB2 database server. This enhancement is easy to implement and has no impact on your existing applications or database schema. The following figure shows a DB2 server that uses DB2 native encryption for data and backup encryption.
Figure 1. The two-tier encryption model
The IBM Global Security Kit (GSKit) is a component used by DB2 for Linux, UNIX, and Windows; and other IBM products for its FIPS 140-2 certified cryptographic capabilities. For more information, see Location of the GSKit libraries.
Starting with GSKit 8.0.50.10, you can store master keys in a PKCS#12 keystore. Prior to this version, only certificates were supported. GSKit is included when you install a DB2 database server product. This tutorial's focus is on storing master keys in a PKCS#12-compliant keystore.
Setting up your DB2 environment for DB2 native encryption
Before you start to use DB2 native encryption, ensure that you are setting the correct path to the GSKit libraries and that you are issuing the correct version of the GSKCapiCmd tool.
Location of the GSKit libraries
The GSKit libraries are automatically installed in your DB2 server during DB2 software installation. Ensure that the path to the GSKit libraries is added to the environment variable in the operating system. The following table shows the correct settings for the appropriate environment variable by operating system.
Location of the GSKCapiCmd tool
You can use this GSKit command-line tool to manage master keys and keystores. This tool is automatically installed with the DB2 software. The following table lists the directories where you can find the GSKCapiCmd tool that is installed with your DB2 server.
Checking the version of the GSKCapiCmd tool
Ensure that you are using the same version of GSKit as your DB2 server by checking the location and version of the tool. If you installed multiple IBM products in the DB2 server, you might end up with multiple copies of this tool.
To check the version of the tool, issue the following command:
To check the GSKit libraries version in use, issue the following command:
In 32-bit environments, use the
gsk8capicmd and the gsk8ver commands, instead.
PKCS#12 keystore
The PKCS#12 keystore is a local file that stores encryption master keys as well as certificates. In DB2 10.5 Fix Pack 5, DB2 native encryption only supports PKCS12 keystores.
The keystore is always encrypted with a password specified when the keystore is created. The keystore creator is responsible for this password. You must keep this password secret and safeguarded for future use.
All access to the keystore requires this password. You can specify the password with the
–pw in the GSKCapiCmd tool. You can also specify the password when you start the DB2 instance with the open keystore option in the db2start command.
Choosing a location for the keystore
Choose a directory on a separate physical device from the device where the table space container files and backup files are stored. Following this guideline prevents access to the keystore in case the disk containing the table space container files is lost or stolen.
A directory in the instance owner's home directory is a good option. The instance directory (/sqllib) should not be used because it might be overwritten during an upgrade. In database partitioned or DB2 pureScale® environments, the keystore must be in a shared location accessible to all members.
Deciding whether to enter a password or use a stash file
In addition to manually entering the password to access the keystore, you can store an obfuscated — not encrypted — copy of the password in a stash file for easy access. You can create it when you create the keystore or generate it after the keystore is created. The file name of the stash file is the same as that of the keystore but it has a .sth extension instead of .p12. Use the
-stashed option in the GSKCapiCmd tool to use the stash file instead of entering the password.
Using a password instead of a stash file is more secure. When the password is stored in a stash file, it can be susceptible to attacks. However, specifying the password for each operation places an overhead on the keystore creator to be present every time the password is needed. Consider as an example the option to provide the password with the
db2start command, if the database server stops working, the keystore creator must be available to provide the password and restore the access to the encrypted database. You must weight the tradeoff between security and usability and choose the more appropriate option for your DB2 environment.
If you use a stash file, treat this file with the same level of security as the keystore. Remember that access to the stash file allows access to the keystore.
Creating a PKCS#12 keystore
The DB2 instance owner must create the keystore to own it and maintain it. After logging in as the instance owner, invoke the GSKCapiCmd tool with the following options to create the keystore:
The following table shows a brief description of the options for creating a keystore.
Table 1. Command options to create a keystore
The following example shows how to create a PKCS#12 keystore with a stash file specifying a strong password:
Throughout this tutorial, the PKCS#12 keystore type and the .p12 as file name extension are always used. In DB2 10.5 Fix Pack 5, DB2 native encryption supports only this type of keystore.
Setting file permissions
One way to enforce security of the keystore and the stash file is by using file system permissions in the operating system. Only the keystore creator must have access to the keystore and the stash file. In DB2 environments, the instance owner must be the keystore creator.
On Linux and UNIX operating systems, you should create the keystore with read and write (rw) permissions only for the instance owner (0600). The rest of the users must have no access.
On the Windows operating system, the keystore is created with the file permissions inherited from the folder where it was created. These permissions are likely to be inappropriate for the keystore, so you should change them. If you are using extended Windows security, then only the DB2ADMNS group should have full control over the file. No one else should have any access, including read access. If you are not using extended security, only the log-on user for the DB2 service account should have full control over the file. In either case, if the local system account is the log-on user for the DB2 service account, then SYSTEM should also have full control over the keystore file.
Relaxing the permissions on the keystore and the stash file might expose the keystore to unauthorized users. Access to the master keys implicitly grants access to the data that was encrypted with these keys.
Generating a master key
The first step of managing a master key is generating the master key itself. A cryptographically secure pseudo-random number generator is usually employed for this task. DB2 database servers support master keys with lengths of 128, 192, and 256 bits for use with AES.
Using the /dev/random special file
The /dev/random special file provides an interface to a built-in random number generator in Linux and UNIX. It is a popular choice for cryptography.
The semantics of this special file vary depending on the operating system, and it's important to consult the related operating system documentation before using it.
The following example shows how to use /dev/random to generate n bytes of random data into the random-data file:
Where n can be 16, 24, or 32 to generate a master key of length 128, 192, or 256 bits, respectively.
Using the
|
Actions to transfer a master key |
---|
db2serverA |
|
db2serverB |
|
Option name | Description |
---|---|
-db <name> | Indicates the file name of the keystore. |
-pw <passwd> | -stashed | Specifies the required password or stash file to access the keystore. If this option is omitted, the tool prompts for the password. |
-label <label> | Indicates the name of the master key. |
-format <ascii | binary> |
Specifies whether the format of the master key is in binary or Base64 encoded ASCII in commands that extracts or inserts a master key or certificate from the keystore. When inserting a new master key, the format option should match the format of the input file. When inserting a master key extracted from another keystore, you must specify the same format option used to extract the master key. Master keys generated by DB2 always use the binary format on insertion. |
-type | target_type <cms | kdb| pkcs12 | p12 | pkcs7 | pkcs11> |
Specifies the type of keystore when creating a keystore and exporting or importing master keys. This option is optional. If the option is omitted the tool infers the type from the keystore file name extension. The supported file name extensions are .cms, .kdb, .pkcs12, .p12, .pkcs7, and .pkcs11. For example, the tools infers the PKCS12 keystore type from the .p12 file name extension. If you do not specify any of the supported extensions, you must specify the -type option on all commands so the correct keystore type is used.Use only the pkcs12 type. The cms, kdb, pkcs7 and pkcs11 types are not compliant with PKCS12 and are not supported by DB2 native encryption as of DB2 10.5 Fix Pack 5. |
–fips
option as follows:
–fips true
and the provider cannot be initialized in FIPS mode, the command that you issue with the GSKCapiCmd tool fails. If you specify –fips false
or you do not specify the –fips option and the provider cannot be initialized in FIPS mode, the tool tries to carry on with the command in a non-FIPS mode.
-cert
and -details
options:
If you have upgraded to CuteFTP v9 and are using key pairs created with CuteFTP v8, if the password for an existing key contains any Extended ASCII characters, the password will not work. You will have to reenter the password in Tools > Global Options >Security > SSH2 Security.
|
The private key and passphrase are never transmitted over a connection. When the server attempts to authenticate:
|
Word count should return a '1' as the first number. OpenSSH asks for the identity files password the first time you log in. If CuteFTP fails to connect, contact our support team and provide the kernel version, OpenSSH build, and the CuteFTP build number (located under Help > About).
|
Write something about yourself. No need to be fancy, just an overview.