Securing DVM communication
The server creates a public and private key pair with an RSA 2048-bit asymmetric encryption algorithm, using the ARSYS.ARF.RSAKEYPAIRGENERATOR plugin. During installation, the server exports the key pair to the AR System Key Store form (the following figure) and the AR System Server to Key Map form (the second figure below). The key pair is protected with 128-bit Advanced Encryption Standard (AES) encryption.
AR System Server to Key Map form
The fields on this form are as follows:
Field | Description |
---|---|
Public Key | The public part of a public-private key pair that is used to encrypt the user password in RSA 2048-bit asymmetric encryption |
Private Key | The private part of a public-private key pair that is used to decrypt the user password in RSA 2048-bit asymmetric encryption |
AR System Server to Key Map form
The fields on this form are as follows:
Field | Description |
---|---|
Server Name | The name of the server requiring a secure password. |
Public Key | The hexadecimal string for the encrypted bytes. The modulus and exponent are stored per line and the entire key is encrypted by using AES symmetric encryption. |
Web Path | The URL that points to a remote Mid Tier. |
Only authorized administrators have access to the AR System Key Store form, which displays the key pair. Public key data for a particular server is distributed to consumers in the AR System Server to Key Map form. The public key is presented in clear text, as shown in the following figure; the private key is stored in an encrypted hexadecimal string. The Mid Tier uses the private key to decrypt the user password. It first checks the request for the custom header X-Encyrpted-Pwd. If the header is present, the Mid Tier:
- Uses the password in the header field rather than passwords sent through other means, such as a URL parameter.
- Retrieves the private key from the AR System Key Store form.
- Retrieves the private key associated with the server name that is sent. The server name that is sent must match the server name string in the Server Name field of the Server to Key Map form. If the field contains the server's fully qualified name, such as myserver.company.com, the fully qualified name must be sent. If the field contains an IP address, the IP address must be sent. The Mid Tier requires the matching server name to locate the private key.
- Decrypts the key, using an AES symmetric key algorithm.
- Constructs the private key.
- Decrypts the password, using RSA 2048-bit decryption.
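The first steps of this procedure, header precedence and the server-name lookup, are where integrations usually fail. The sketch below is an added example, not BMC code: it models both steps and reports why a sent server name does not match a form entry. The form entries, the `pwd` URL parameter name, and the case-sensitive comparison are assumptions made for illustration.

```python
import ipaddress

HEADER = "X-Encyrpted-Pwd"  # header name spelled as on the page

# Constructed stand-in for the Server Name column of the Server to Key Map form.
KEY_MAP_SERVER_NAMES = ["myserver.company.com", "192.0.2.10"]


def select_password(headers, url_params):
    """Return (source, value); the header wins over any other source."""
    for name, value in headers.items():
        if name.lower() == HEADER.lower():  # HTTP header names are case-insensitive
            return "header", value
    if "pwd" in url_params:  # "pwd" is a hypothetical parameter name
        return "url", url_params["pwd"]
    return "none", None


def _short_name(name):
    """First DNS label in lower case, or None when the name is an IP address."""
    try:
        ipaddress.ip_address(name)
        return None
    except ValueError:
        return name.split(".")[0].lower()


def lookup_key_entry(sent_name, form_names=KEY_MAP_SERVER_NAMES):
    """Exact-match lookup that explains near misses instead of failing silently.

    Assumption: the match is an exact, case-sensitive string comparison; the
    page only says the sent name must match the form's server name string.
    """
    if sent_name in form_names:
        return {"found": True, "entry": sent_name, "hint": None}
    for entry in form_names:
        if entry.lower() == sent_name.lower():
            hint = f"case differs from form value {entry!r}"
        elif _short_name(entry) and _short_name(entry) == _short_name(sent_name):
            hint = f"send the form value {entry!r}, not {sent_name!r}"
        else:
            continue
        return {"found": False, "entry": None, "hint": hint}
    return {"found": False, "entry": None, "hint": "no entry for this server"}
```

Running `lookup_key_entry` over the server names configured in each client before rollout shows which ones will fail to locate a private key.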