3DS Server CLI Tool Operation Manual

Usage

The 3DS Server CLI Tool can be used to encrypt sensitive configuration data, encrypt application properties, re-encrypt the database, re-encrypt a single encrypted value, and view key usage in the database. The commands for re-encrypting the database and viewing key usage are only available if datasource properties are defined in the configuration properties.

By default, the 3DS Server CLI Tool uses the configuration properties defined in $THREEDS_HOME/3dss-cli-tool/conf. To use configuration properties from a different location, create a directory $THREEDS_CLI_TOOL_CONFIG_HOME in which to store the 3DS Server CLI Tool configuration (e.g. $HOME/.threeDSServerCliTool). Copy the sample configuration files from $THREEDS_HOME/3ds-cli-tool/conf to $THREEDS_CLI_TOOL_CONFIG_HOME, then pass the configuration folder as an option when running the 3DS Server CLI Tool.

Example:

Encrypting 3DS Server configuration sensitive data

Run the script with the encrypt command to encrypt the content passed as an argument:

To use a custom encryption key, specify the encryption key alias and the keystore information in the configuration properties.

Encrypting application properties

Run the script with the encrypt-property command to encrypt the application property passed as an argument:

The encryption key and salt should be specified in the configuration properties or as environment variables.

Re-encrypting database

If 3DS Server is used with a database configuration, run the script with the re-encrypt-db command to re-encrypt the database content. To use this command, datasource properties must be defined in the configuration properties.

This command decrypts every field and then encrypts it again with the currently active key. To decrypt the content, the keys that were used for encryption must be present in the keystore under their original aliases, unless the default encryption key was used. The currently active encryption key can be defined in the configuration properties; if it is not defined, the default encryption key is used.

Re-encrypting single value

If you have encrypted content, you can re-encrypt it by running the script with the re-encrypt-single command.

This command decrypts encrypted-content and encrypts it again with the currently active key. To decrypt the content, the key that was used for encryption must be present in the keystore under its alias, unless the default encryption key was used. The currently active encryption key can be defined in the configuration properties; if it is not defined, the default encryption key is used.