I am building an Infor ION Grid laboratory manually, without LifeCycle Manager (LCM), for learning purposes. In part 2, I did the installation using cryptographic keys taken from an existing Grid installation. Today, I will create new keys.
The Grid uses TLS to ensure privacy, authentication, and integrity of communication within the Grid. That involves asymmetric cryptography, public/private key pairs, key exchange, digital certificates, digital signatures, symmetric keys, ciphers, etc.
The Infor Documentation Infocenter has an Infor ION Grid Security Administration Guide:
The publicly available Infor documentation covers the default cryptographic properties of the Grid such as algorithms, providers, cipher suites, block cipher modes of operation, hashing functions, padding, key length, paths, file names, etc.; the Internet covers cryptography in general; and I am not revealing any secrets; therefore, I am revealing no more information than what is already available publicly. Moreover, revealing cryptographic properties does not reveal any secrets, so Infor is not revealing any secrets either, and the default properties can be changed to suit our needs. The security of a cryptosystem depends not on the secrecy of its cryptographic properties, but on its implementation and on the security of the secret key material. Thus, it is important that you keep your systems up to date and keep your secret key material secure. If in doubt, read Auguste Kerckhoffs’s principle, “il faut qu’il puisse sans inconvénient tomber entre les mains de l’ennemi,” or Claude Shannon’s maxim, “we shall assume that the enemy knows the system being used.”
For the Grid, we need these files, whose base file name must match the Grid name (e.g. Grid):
- Grid.ks: this is the Java keystore for the Grid. It contains the Grid’s public/private key pair, and the Grid self-signed certificate which will be the root certificate authority (CA) to sign other keys.
- Grid.pw (optional): this is the clear text password for both keystore and private key.
For each host, we need these files, whose base file name is always server:
- server.ks: this is the Java keystore for the host. It contains the host’s public/private key pair, and the host certificate signed by the Grid.
- server.pw: this is the clear text password for both keystore and private key.
- server.key: this is a symmetric key, signed and encrypted, used to encrypt/decrypt protected Grid properties.
In a production environment, keep all these files secure.
The Grid has a console tool that automatically creates the key material:
1. Create Grid material
Use this command to create new key material for the Grid (replace the parameter values with your values, and use a strong password):
java ^
 -cp resources\grid-core.jar;resources\bcprov-jdk16.jar;resources\bcmail-jdk16.jar ^
 com.lawson.grid.security.Certificates ^
 -create=gridcert ^
 -gridname Grid ^
 -gridpassword password123 ^
 -gridkeystore secure
It produces these two files:
Note: Grid.der is the root CA certificate that system administrators typically push to users’ computers, so that those computers automatically trust the certificates of M3, Smart Office, etc.
Note: Unfortunately, the command does not generate a strong password for this keystore automatically; the strength of the keystore password is left entirely to the user’s choice.
The Grid certificate has the following extensions:
- Basic Constraints: Subject is a CA, Path Length Constraint: 1
- Subject Key Identifier
- Key Usage: Digital Signature, Certificate Signing
- Extended Key Usage: TLS Web Server Authentication, Code Signing, TLS Web Client Authentication
2. Create host material
Use this command to create new key material for the host (replace the parameter values with your values, and add as many roles and addresses as needed for this host):
java ^
 -cp resources\grid-core.jar;resources\bcprov-jdk16.jar;resources\bcmail-jdk16.jar ^
 com.lawson.grid.security.Certificates ^
 -create=hostcert ^
 -gridname Grid ^
 -gridpassword password123 ^
 -hostname localhost ^
 -gridkeystore secure ^
 -hostkeystore secure ^
 -role grid-admin ^
 -address localhost ^
 -address ::1 ^
 -address 127.0.0.1 ^
 -address example.com ^
 -unresolved
It produces these two files:
Note: Fortunately, the command automatically generates a strong password for this keystore.
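To see what steps 1 and 2 actually put into the certificates, here is an added example (my own lab script, not Infor's Certificates tool and not a way to produce Grid.ks or server.ks) that builds the same shape with OpenSSL: a self-signed root whose extensions match the list above for the Grid certificate (Basic Constraints CA with path length 1, Subject Key Identifier, Key Usage digital signature and certificate signing, Extended Key Usage server authentication, code signing and client authentication), and a host certificate signed by that root carrying the -address values as subject alternative names. The file names (grid.*, <host>.*), the work directory, the validity periods and the criticality flags are my assumptions; the post does not state them.

```shell
#!/bin/sh
# Added lab example (not Infor's tool): Grid-style root CA plus a host certificate, with OpenSSL.
# File names, validity periods and criticality flags are assumptions made for this lab.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

write_ext_config() {
  # v3_ca mirrors the Grid certificate extensions listed in the post;
  # v3_host carries the post's -address values as subjectAltName entries.
  cat > "$WORKDIR/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Grid
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:1
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, keyCertSign
extendedKeyUsage = serverAuth, codeSigning, clientAuth
[ v3_host ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:localhost, IP:::1, IP:127.0.0.1, DNS:example.com
EOF
}

make_grid_ca() {
  # Grid key pair and self-signed root certificate (the role Grid.ks plays in the post)
  openssl genrsa -out "$WORKDIR/grid.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$WORKDIR/grid.key" \
    -config "$WORKDIR/ext.cnf" -extensions v3_ca -out "$WORKDIR/grid.pem"
  # DER copy of the root certificate, the equivalent of Grid.der for distribution to client machines
  openssl x509 -in "$WORKDIR/grid.pem" -outform DER -out "$WORKDIR/Grid.der"
}

make_host_cert() {
  # make_host_cert <host>: host key pair and certificate signed by the Grid root (the role server.ks plays)
  host="$1"
  openssl genrsa -out "$WORKDIR/$host.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/$host.key" -config "$WORKDIR/ext.cnf" \
    -subj "/CN=$host" -out "$WORKDIR/$host.csr"
  openssl x509 -req -days 825 -in "$WORKDIR/$host.csr" \
    -CA "$WORKDIR/grid.pem" -CAkey "$WORKDIR/grid.key" -CAcreateserial \
    -extfile "$WORKDIR/ext.cnf" -extensions v3_host -out "$WORKDIR/$host.pem" 2>/dev/null
}

verify_host_cert() {
  # verify_host_cert <host>: 0 if the host certificate chains to the Grid root, non-zero otherwise
  openssl verify -CAfile "$WORKDIR/grid.pem" "$WORKDIR/$1.pem" >/dev/null 2>&1
}

cert_has_ext() {
  # cert_has_ext <file> <text>: 0 if the text dump of the certificate contains <text>
  openssl x509 -in "$WORKDIR/$1" -noout -text | grep -q -- "$2"
}

write_ext_config
make_grid_ca
make_host_cert localhost
verify_host_cert localhost && echo "localhost certificate chains to the Grid root CA"
# Print the extensions actually written into the root, to compare against the post's list
openssl x509 -in "$WORKDIR/grid.pem" -noout -text | sed -n '/X509v3 extensions/,/Signature Algorithm/p'
echo "lab files are in $WORKDIR"
```

Running it and reading the printed extension block is the quickest way to check a CA profile before trusting it on client machines: the path length of 1 in the root means it may sign one tier of intermediate CA and nothing deeper, and the host certificate's CA:FALSE is what stops a compromised host key from being used to mint further certificates.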
3. Create symmetric material
Use this command to create new symmetric key material (replace the parameter values with your values):
java ^
 -cp resources\grid-core.jar;resources\bcprov-jdk16.jar;resources\bcmail-jdk16.jar ^
 com.lawson.grid.security.Certificates ^
 -create=symkey ^
 -gridname Grid ^
 -gridkeystore secure ^
 -gridpassword password123 ^
 -symkeypath secure ^
 -hostkeystore secure ^
 -hostname localhost
It produces this file:
Alternatively, we can generate the server.key in Java by taking the Grid certificate’s distinguished name in ASN.1 DER encoded form, signing it with the Grid’s private key, and encrypting it with the host’s public key, but I am not allowed to show the source code for that, and I am struggling with replicating it with the OpenSSL RSA utility and AES encryption. So use the Grid command tool above to generate server.key.
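The recipe in the paragraph above (DER-encoded distinguished name, signed with the Grid private key, encrypted to the host public key) can be illustrated with OpenSSL alone. The added example below is mine, not Infor's source code, and it does not produce a file the Grid will accept as server.key, whose real layout is not described here; it only shows the sign-then-encrypt pattern and why an AES step is needed at all: with RSA-2048 and OAEP, the RSA utility can encrypt at most 214 bytes, and the DN plus its 256-byte signature is already larger than that, so the usual answer is to encrypt the bundle with a random AES key and encrypt only that AES key with RSA. The key pairs, the DN (CN=Grid only) and every file name are constructed for this lab.

```shell
#!/bin/sh
# Added lab example (not Infor's code, not the Grid's server.key format): the sign-then-encrypt
# pattern described in the post, done with OpenSSL. Key pairs, the DN and file names are constructed.
set -e

W="${W:-$(mktemp -d)}"

make_lab_keys() {
  # Stand-ins for the Grid key pair (signer) and the host key pair (recipient)
  openssl genrsa -out "$W/grid.key" 2048 2>/dev/null
  openssl rsa -in "$W/grid.key" -pubout -out "$W/grid.pub" 2>/dev/null
  openssl genrsa -out "$W/host.key" 2048 2>/dev/null
  openssl rsa -in "$W/host.key" -pubout -out "$W/host.pub" 2>/dev/null
}

build_dn_der() {
  # DER encoding of the Name "CN=Grid": SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String "Grid" } } }
  cat > "$W/dn.cnf" <<'EOF'
asn1 = SEQUENCE:name
[ name ]
rdn = SET:rdn
[ rdn ]
ava = SEQUENCE:ava
[ ava ]
type = OID:commonName
value = UTF8String:Grid
EOF
  openssl asn1parse -genconf "$W/dn.cnf" -noout -out "$W/dn.der"
}

wrap_for_host() {
  # Sign the DN with the Grid private key, then hybrid-encrypt (DN || signature) to the host public key
  openssl dgst -sha256 -sign "$W/grid.key" -out "$W/dn.sig" "$W/dn.der"
  cat "$W/dn.der" "$W/dn.sig" > "$W/bundle.bin"
  openssl rand -hex 32 > "$W/aes.key"          # fresh 256-bit AES key
  openssl rand -hex 16 > "$W/aes.iv"           # IV travels in the clear; it is not a secret
  openssl enc -aes-256-cbc -K "$(cat "$W/aes.key")" -iv "$(cat "$W/aes.iv")" \
    -in "$W/bundle.bin" -out "$W/bundle.enc"
  openssl pkeyutl -encrypt -pubin -inkey "$W/host.pub" -pkeyopt rsa_padding_mode:oaep \
    -in "$W/aes.key" -out "$W/aes.key.enc"
  # Only aes.key.enc, aes.iv and bundle.enc need to reach the host; drop the plaintext intermediates
  rm -f "$W/aes.key" "$W/bundle.bin" "$W/dn.sig"
}

dn_signature_valid() {
  # dn_signature_valid <dn-file> <sig-file>: 0 if <sig-file> is the Grid's signature over <dn-file>
  openssl dgst -sha256 -verify "$W/grid.pub" -signature "$2" "$1" >/dev/null 2>&1
}

unwrap_on_host() {
  # Host side: recover the AES key with the host private key, decrypt the bundle, split it into
  # DN and signature, and accept it only if the Grid's signature over the DN verifies.
  openssl pkeyutl -decrypt -inkey "$W/host.key" -pkeyopt rsa_padding_mode:oaep \
    -in "$W/aes.key.enc" -out "$W/aes.key.dec"
  openssl enc -d -aes-256-cbc -K "$(cat "$W/aes.key.dec")" -iv "$(cat "$W/aes.iv")" \
    -in "$W/bundle.enc" -out "$W/bundle.dec"
  total=$(wc -c < "$W/bundle.dec")
  siglen=256                                   # RSA-2048 signatures are 256 bytes
  dnlen=$((total - siglen))
  head -c "$dnlen" "$W/bundle.dec" > "$W/dn.dec"
  tail -c "+$((dnlen + 1))" "$W/bundle.dec" > "$W/dn.sig.dec"
  dn_signature_valid "$W/dn.dec" "$W/dn.sig.dec"
}

bundle_size() {
  # Size in bytes of the AES-encrypted bundle, i.e. what RSA alone would have had to encrypt
  echo $(( $(wc -c < "$W/bundle.enc") + 0 ))
}

make_lab_keys
build_dn_der
wrap_for_host
unwrap_on_host && echo "host recovered a DN carrying a valid Grid signature ($(bundle_size) bytes of ciphertext)"
```

Two points carry over to the real tool regardless of format: the host must verify the signature with the Grid certificate it already trusts (here grid.pub stands in for Grid.der), otherwise anyone holding the host public key could fabricate a bundle, and the plaintext AES key must not be left on disk next to the wrapped copy, which is why the script deletes it after wrapping.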
We now have new, unique key material that is necessary and sufficient for a minimalist Grid, and the Grid validates it successfully:
successfully initialized secret key
successfully initialized server keystore
I collected all the commands in my GitHub at keys.cmd.
Next time, I would like to:
- Generate the symmetric key with OpenSSL
- Continue researching security vulnerabilities
- Use the new Grid installer
- Set up an administrative router
- Set up session providers
- Install applications
- Install the Grid on Linux and PostgreSQL
That was an illustration of how to manually create – for learning purposes – new cryptographic keys for a minimalist installation of the Infor ION Grid using the built-in tools, and alternatively using the Java keytool. I am learning so I probably missed a few things. Thankfully the Grid console tool automates most of it.
That’s it! Congratulations if you’ve made it so far.
- Building an Infor Grid Lab – Part 1 – early Grid version 0.x
- Building an Infor Grid Lab – Part 2 – latest Grid version 11.x
- Building an Infor Grid Lab – Part 2bis – Configuration Manager
- Building an Infor Grid Lab – Part 3 – Cryptographic keys
- Building an Infor Grid Lab – Part 4 – Grid installer
- Building an Infor Grid Lab – Part 4bis – Console and silent install
- Building an Infor Grid Lab – Part 5 – PostgreSQL database
- Building an Infor Grid Lab – Part 6 – Ubuntu Linux
- Building an Infor Grid Lab – Part 6bis – CentOS Linux
- Building an Infor Grid Lab – Part 7 – Virtual Private Cloud