Data Grid Encryption

Encryption of the data stored within the data grid of Hazelcast (the technology underpinning our deployment groups and clustering in Payara 5) has previously required a Hazelcast Enterprise subscription (see Payara Scales). While this remains an option for those who would like the additional features it provides (such as WAN replication), we’ve introduced our own encryption implementation into Payara Server to provide this feature to you without the additional subscription.

Encryption Mechanism

This feature provides encryption of the data that’s being stored in-memory via the Hazelcast data grid, providing end-to-end encryption of the data across all instances in the domain. End-to-end encryption is encryption of data both at rest (in storage) and in transit (during communication).

Payara Server uses a symmetric key to perform the encryption of the data within the data grid store. This means that the same key is used by each member of the data grid to encrypt and decrypt the data.

This key is generated and protected using the master password and a key derivation function. The key itself is a 256-bit AES key, utilising an initialisation vector and a salt for each call of encryption to help prevent any statistical pattern recognition.

Encryption Targets

The following data sources are encrypted:

  • Web Session Persistence

  • Stateful Session Bean Persistence

  • Request Traces

  • Historic Health Checks

Setup

This section details the necessary steps to set up and enable encryption of the data grid and the various data sources.

Documentation around configuration of the data sources for encryption assumes that you’ve already generated the encryption key and enabled encryption of the data grid.

Generating an Encryption Key

The key to be used by Payara Server to perform the actual encryption and decryption of data can be generated using the following command:

generate-encryption-key

This command generates a key using the master password – the same one used to access the key store used by Payara Server. Similar to the change-master-password command, this command requires you to shut down the DAS to run the command.

This command should only be run on the DAS since this is the master instance, and will be the instance propagating the key out to other instances in the domain.

The default value for the master password is changeit. You can also provide the master password via a password file like so:

asadmin -W /path/to/passwordfile.txt generate-encryption-key

Contents of passwordfile.txt:

AS_ADMIN_MASTERPASSWORD=changeit

If you change the master password after generating your key, you’ll need to regenerate and propagate the new key to each of your instances since the original key was created using the old (and now incorrect) password. It is currently required that --sync full be used to overwrite any existing encryption keys.

Enabling Encryption in Hazelcast

Enabling encryption of the data grid itself is controlled by the set-hazelcast-configuration asadmin command, with the --encryptdatagrid parameter:

set-hazelcast-configuration --encryptdatagrid true

This is a domain-wide setting, and thus means that hybrid setups where encryption is enabled only on specific clusters within a domain is not supported.

Once you’ve generated your key and enabled encryption, you must restart all instances in the domain if they were still running; changes in encryption settings do not take effect until a server is restarted. It is highly recommended that you restart all of your running instances as quickly as possible, since those that haven’t been restarted will be unable to decrypt the encrypted data placed in the data grid store by those that have been.

Web Session Availability Configuration

Encrypting web session availability data requires no extra actions on top of configuring the Web Container Availiability Persistence Type to hazelcast (which it is by default).

set configs.config.server-config.availability-service.web-container-availability.persistence-type=hazelcast

Stateful Session Bean Configuration

Encrypting stateful session bean (SFSB) availability data requires no extra actions on top of configuring the EJB Container Availiability HA and/or SFSB Persistence Type to hazelcast (the default setting for the SFSB HA persistence type is hazelcast).

set configs.config.server-config.availability-service.ejb-container-availability.sfsb-ha-persistence-type=hazelcast set configs.config.server-config.availability-service.ejb-container-availability.sfsb-persistence-type=hazelcast

Request Tracing Configuration

No additional actions necessary.

HealthCheck Configuration

No additional actions necessary.