FairCom DB V12 Updates

Support for Using AWS Secrets Manager as External Encryption Key Store

FairCom Server now supports retrieving its master encryption key from AWS Secrets Manager®. This option is an alternative to FairCom Server's MASTER_KEY_FILE option; its advantage is that the key is not stored locally. To log on to AWS Secrets Manager, FairCom Server displays a dialog box that prompts the user to enter the AWS Secrets Manager credentials.

To configure FairCom Server to use AWS Secrets Manager, add the following option to ctsrvr.cfg:

SUBSYSTEM EXTERNAL_KEY_STORE AWS {
    KEY_ID <key_id>
    REGION <region>
    TIMEOUT <timeout>
}

<key_id> is the key ID that you assign to the encryption key when you store it in AWS Secrets Manager.

<region> is the AWS region where the AWS Secrets Manager stores your key.

<timeout> is the maximum amount of time, in seconds, to wait for the user to enter the AWS Secrets Manager credentials when FairCom Server starts. The default is 30 seconds. If the timeout period passes before the user enters the credentials, FairCom Server logs the following messages to CTSTATUS.FCS and shuts down:

- User# 00001 Failed to retrieve AWS credentials: CTAWS(324): abandoning wait for AWS credential prompt to complete after <seconds> second(s) due to timeout

- User# 00001 The master password must be entered in order to start this server. The server will now shut down.

How to use AWS Secrets Manager to store the master encryption key for c-tree Server:

  1. Log in to AWS Secrets Manager.
  2. Select "Store a new secret."
  3. Select secret type of "Other type of secrets."
  4. Enter the key and its value. For the key, use the name ctreeServerMasterEncryptionKey. For the value, enter the encryption master key.
  5. Select encryption key of "DefaultEncryptionKey" and click Next.
  6. Give the secret a name. This name is the value that you will specify for the KEY_ID value in the ctsrvr.cfg file.
  7. Optionally add a description. Click Next.
  8. Disable automatic rotation and click Next.
  9. Click Store.

In standalone mode (for example, when running the ctrdmp utility), the same configuration options are supplied by setting these environment variables to the desired values:

- CTAWS_KEY_ID

- CTAWS_REGION

- CTAWS_TIMEOUT
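As an added preflight example (not FairCom's own code), the following Python renders the ctsrvr.cfg block and the standalone environment variables from one set of values, and checks, through a boto3-style Secrets Manager client passed in by the caller, that the secret named by KEY_ID actually carries a non-empty ctreeServerMasterEncryptionKey value before the server is started, so a missing or malformed secret is caught here rather than as a timeout shutdown. It assumes the console's key/value secret is stored as a JSON object and that the client exposes get_secret_value(SecretId=...); a fake client is enough to exercise it offline.

```python
import json

# Assumptions (not from FairCom docs): the secret is stored as a JSON object
# keyed by ctreeServerMasterEncryptionKey, and `client` behaves like a boto3
# secretsmanager client (get_secret_value(SecretId=...)).
SECRET_KEY_NAME = "ctreeServerMasterEncryptionKey"  # key name FairCom expects
DEFAULT_TIMEOUT = 30                                # documented default, seconds


def render_key_store_block(key_id, region, timeout=DEFAULT_TIMEOUT):
    """Return the SUBSYSTEM EXTERNAL_KEY_STORE AWS block for ctsrvr.cfg."""
    if not key_id or not region:
        raise ValueError("KEY_ID and REGION are required")
    if not isinstance(timeout, int) or timeout <= 0:
        raise ValueError("TIMEOUT must be a positive number of seconds")
    return "\n".join([
        "SUBSYSTEM EXTERNAL_KEY_STORE AWS {",
        f"    KEY_ID {key_id}",
        f"    REGION {region}",
        f"    TIMEOUT {timeout}",
        "}",
    ])


def standalone_env(key_id, region, timeout=DEFAULT_TIMEOUT):
    """Same settings as the environment variables used by standalone tools."""
    return {"CTAWS_KEY_ID": key_id, "CTAWS_REGION": region,
            "CTAWS_TIMEOUT": str(timeout)}


def check_master_key_secret(client, key_id):
    """Fetch the secret and confirm it carries a non-empty master key.
    Returns (ok, reason); run before starting the server so a bad secret
    surfaces here rather than as a startup shutdown."""
    try:
        resp = client.get_secret_value(SecretId=key_id)
    except Exception as exc:  # boto3 raises ClientError for missing/denied secrets
        return False, f"get_secret_value failed: {exc}"
    raw = resp.get("SecretString")
    if raw is None:
        return False, "secret is binary; a key/value (JSON) secret is expected"
    try:
        data = json.loads(raw)
    except ValueError:
        return False, "SecretString is not JSON"
    value = data.get(SECRET_KEY_NAME) if isinstance(data, dict) else None
    if not value:
        return False, f"key {SECRET_KEY_NAME!r} missing or empty"
    return True, "ok"
```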

If FairCom Server is configured to use AWS Secrets Manager and the DLL cannot be loaded, an error is logged to CTSTATUS.FCS:

- User# 00001 Could not load AWS support: CTDLL_LOAD: Failed to load module ctaws.dll: The specified module could not be found.: 981

FairCom Server supports changing the master encryption key when it is stored in AWS Secrets Manager.
