FairCom Server now supports retrieving its master encryption key from AWS Secrets Manager®. This option is an alternative to FairCom Server's MASTER_KEY_FILE option and has the advantage that the key is not stored locally. To log on to AWS Secrets Manager, FairCom Server displays a dialog box that prompts the user to enter the AWS Secrets Manager credentials.
To configure FairCom Server to use AWS Secrets Manager, add the following option to ctsrvr.cfg:
SUBSYSTEM EXTERNAL_KEY_STORE AWS {
    KEY_ID <key_id>
    REGION <region>
    TIMEOUT <timeout>
}
<key_id> is the key ID that you assign to the encryption key when you store it in AWS Secrets Manager.
<region> is the AWS region where the AWS Secrets Manager stores your key.
<timeout> is the maximum amount of time, in seconds, to wait for the user to enter the AWS Secrets Manager credentials when FairCom Server starts. The default is 30 seconds. If the timeout period passes before the user enters the credentials, FairCom Server logs the following messages to CTSTATUS.FCS and shuts down:
- User# 00001 Failed to retrieve AWS credentials: CTAWS(324): abandoning wait for AWS credential prompt to complete after <seconds> second(s) due to timeout
- User# 00001 The master password must be entered in order to start this server. The server will now shut down.
How to use AWS Secrets Manager to store the master encryption key for c-tree Server:
In standalone mode (for example, when running the ctrdmp utility), the same options are set by assigning the desired values to these environment variables:
CTAWS_KEY_ID
CTAWS_REGION
CTAWS_TIMEOUT
If FairCom Server is configured to use AWS Secrets Manager and the AWS support DLL (ctaws.dll) cannot be loaded, an error is logged to CTSTATUS.FCS:
- User# 00001 Could not load AWS support: CTDLL_LOAD: Failed to load module ctaws.dll: The specified module could not be found.: 981
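As an added illustration (not FairCom's own code), the following Python helper parses the SUBSYSTEM EXTERNAL_KEY_STORE AWS block from ctsrvr.cfg, reads the equivalent CTAWS_* variables for standalone mode, and classifies the two CTSTATUS.FCS failure messages quoted above. The config values and the log line are constructed samples, and the one-keyword-per-line syntax inside the block is an assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed ctsrvr.cfg fragment using the block described on this page (values made up).
SAMPLE_CFG = """\
SUBSYSTEM EXTERNAL_KEY_STORE AWS {
    KEY_ID   prod/faircom/master-key
    REGION   us-east-1
}
"""
# Constructed CTSTATUS.FCS line built from the timeout message quoted on this page.
SAMPLE_STATUS = [" - User# 00001 Failed to retrieve AWS credentials: CTAWS(324): abandoning "
                 "wait for AWS credential prompt to complete after 30 second(s) due to timeout"]
DEFAULT_TIMEOUT = 30  # seconds; the page's documented default
BLOCK_RE = re.compile(r"SUBSYSTEM\s+EXTERNAL_KEY_STORE\s+AWS\s*\{(.*?)\}", re.S | re.I)

def _normalize(fields: Dict[str, str]) -> Dict[str, object]:
    missing = [k for k in ("KEY_ID", "REGION") if not fields.get(k)]  # no defaults for these
    if missing:
        raise ValueError("AWS key store config missing: " + ", ".join(missing))
    timeout = int(fields.get("TIMEOUT", DEFAULT_TIMEOUT))  # TIMEOUT falls back to 30 s
    return {"key_id": fields["KEY_ID"], "region": fields["REGION"], "timeout": timeout}

def parse_aws_key_store(cfg_text: str) -> Optional[Dict[str, object]]:
    """Server mode: read KEY_ID/REGION/TIMEOUT from the ctsrvr.cfg block; None if absent."""
    m = BLOCK_RE.search(cfg_text)
    if not m:
        return None
    fields: Dict[str, str] = {}
    for line in m.group(1).splitlines():
        parts = line.split(None, 1)  # assumed "KEYWORD value" layout, one per line
        if len(parts) == 2:
            fields[parts[0].upper()] = parts[1].strip()
    return _normalize(fields)

def aws_settings_from_env(env: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Standalone mode (e.g. ctrdmp): the same settings from CTAWS_* environment variables."""
    fields = {k[len("CTAWS_"):]: v for k, v in env.items() if k.startswith("CTAWS_")}
    return _normalize(fields) if fields else None

def diagnose_startup(status_lines: List[str]) -> Optional[str]:
    """Classify a failed start from the CTSTATUS.FCS messages documented on this page."""
    text = "\n".join(status_lines)
    if "abandoning wait for AWS credential prompt" in text:
        secs = re.search(r"after (\d+) second\(s\)", text)
        return "credential prompt timed out" + (f" after {secs.group(1)}s" if secs else "")
    if "Failed to load module ctaws.dll" in text:
        return "ctaws.dll could not be loaded"
    return None
```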
FairCom Server supports changing the master encryption key when it is stored in AWS Secrets Manager.