Key Locator Framework (KLF)
To comply with the Payment Card Industry (PCI) Data Security Standard, a Key Locator Framework (KLF) has been introduced that allows encryption keys (for example, the merchant key and the Payments instance password) to be stored in, and retrieved from, a configurable location, such as an external, more secure device.
The Key Locator Framework provides the flexibility to define multiple encryption keys available to the system, where each encryption key can be retrieved from a different provider. Four encryption key providers are defined out of the box: two for the merchant key and two for the Payments instance password. To define a custom encryption key provider, such as one that manages the key on an external hardware device, create a new class that implements the WCKey interface. An abstract class, WCKeyBaseImpl, is also provided out of the box and can be extended by the custom key provider; it implements some of the common methods of the WCKey interface. The encryption keys available to the system are registered in a key configuration file.
An encryption key is defined in the key configuration file as follows:
<key name="MerchantKey" providerName="WC" status="current" className="com.ibm.commerce.security.keys.MyMerchantKeyImpl">
    <config name="param1" value="value1"/>
    <config name="param2" value="value2"/>
</key>
Where...
- name
- Name of the key. "MerchantKey" refers to the merchant key.
- providerName
- Name of the provider. You can specify your own custom provider name to refer to your customized provider classname.
- status
- Valid values are "current" or "new". A "current" key is used whenever the current key is needed. A "new" key is used when running a command line script, for example MigrateEncryptedInfo, and is specified when migrating data that is currently encrypted using one provider and needs to be re-encrypted by a new provider.
- className
- Java class that implements your encryption key provider.
- config
- (Optional) Parameters that are required by your provider.
Once all the encryption keys are registered in the key configuration file, the WCKeyRegistry class reads this file and caches all the encryption key providers in memory. Use the getKey() and getNewKey() methods of this class to retrieve the current and new key provider, respectively.
For example, to retrieve the current default key implementation, you can use the following code snippet:
WCKey key = WCKeyRegistry.getInstance().getKey(<name of the key>);
String keyValue = key.getValueAsString();
To retrieve the new key implementation of a particular encryption key and provider:
WCKey newKey = WCKeyRegistry.getInstance().getNewKey(<name of the key>, <name of the provider>);
String newKeyValue = newKey.getNewValueAsString();
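The key configuration file and the registry lookups above, as an added example (not IBM's code) in Python: it parses entries in the documented <key>/<config> format, rejects invalid status values and duplicate "current" providers for one key name, and models getKey()/getNewKey(). The <keys> root element, the "HSM" provider name and the class com.example.keys.HsmMerchantKeyImpl are assumptions made for the example.

```python
# Added example (not IBM's code): parse and validate a KLF key configuration
# file in the <key ...><config .../></key> format documented above, and model
# the registry lookups. The <keys> root element is an assumption.
import xml.etree.ElementTree as ET

VALID_STATUS = {"current", "new"}

# Constructed sample: the page's current merchant key plus an assumed "new"
# provider of the kind MigrateEncryptedInfo would re-encrypt data towards.
SAMPLE_CONFIG = """<keys>
  <key name="MerchantKey" providerName="WC" status="current"
       className="com.ibm.commerce.security.keys.MyMerchantKeyImpl">
    <config name="param1" value="value1"/>
  </key>
  <key name="MerchantKey" providerName="HSM" status="new"
       className="com.example.keys.HsmMerchantKeyImpl">
    <config name="slot" value="3"/>
  </key>
</keys>"""

def parse_key_config(xml_text):
    """Return {(name, providerName): entry}; raise ValueError on a bad <key>."""
    keys, current_seen = {}, set()
    for elem in ET.fromstring(xml_text).iter("key"):
        attrs = {a: elem.get(a) for a in ("name", "providerName", "status", "className")}
        missing = [a for a, v in attrs.items() if not v]
        if missing:
            raise ValueError("<key> missing attribute(s): " + ", ".join(missing))
        if attrs["status"] not in VALID_STATUS:
            raise ValueError("%s: status must be 'current' or 'new'" % attrs["name"])
        # Two 'current' providers for one key name would make getKey() ambiguous.
        if attrs["status"] == "current":
            if attrs["name"] in current_seen:
                raise ValueError("%s: more than one 'current' provider" % attrs["name"])
            current_seen.add(attrs["name"])
        # Optional <config> children become the provider's parameters.
        attrs["config"] = {c.get("name"): c.get("value") for c in elem.findall("config")}
        keys[(attrs["name"], attrs["providerName"])] = attrs
    return keys

def current_class(keys, key_name):
    """Analogue of getKey(name): className of the provider flagged 'current'."""
    return next((e["className"] for (n, _), e in keys.items()
                 if n == key_name and e["status"] == "current"), None)

def new_class(keys, key_name, provider):
    """Analogue of getNewKey(name, provider): className of that 'new' provider."""
    entry = keys.get((key_name, provider))
    return entry["className"] if entry and entry["status"] == "new" else None
```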
Related concepts
Initialize KLF in WebSphere Commerce
Initialize KLF in WebSphere Commerce Payments
Key Provider Implementations for Payments instance password
Key Provider Implementations for merchant key