Key store management

Encryption keys must be stored in one or more encryption key stores.

Edge Encryption supports the following types of key storage mechanisms.
  • File system: Keys are stored in a file in a file system that the Edge Encryption proxy can access. Keys stored in a file are not themselves encrypted, so protecting these files is your responsibility.
  • Java KeyStore: Keys are stored in Java's JCEKS keystore. A Java keystore is protected by a password, so it is more secure than storing keys in a plain file in the file system. A single Java keystore can hold multiple keys, each identified by a key alias, which makes managing multiple keys easier.
  • NAE (Network Attached Encryption) key store: Keys are stored in, and retrieved from, SafeNet KeySecure key management.

The Edge Encryption proxy ships with a Java JCEKS keystore file named keystore.jceks in the keystore directory. This keystore contains the ServiceNow certificate that is used to validate encryption rules signed by ServiceNow.

Note: If using a keystore other than the base system JCEKS KeyStore, you must import the ServiceNow public key into your keystore. The public key alias is servicenow.
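The import described in the note, as an added Java example that is not code from the Edge Encryption proxy or its documentation: it copies the trusted-certificate entry with alias servicenow from the shipped keystore.jceks into a custom keystore and checks that the entry is present. The file paths, the custom store's name custom.jceks and the assumption that the custom store is also of type JCEKS are mine; the keytool command in the comment is the command-line equivalent.

```java
import java.io.*;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;

// Copies the ServiceNow trusted certificate (alias "servicenow") from the shipped
// keystore.jceks into a custom JCEKS keystore and verifies the entry. keytool equivalent:
//   keytool -importkeystore -srckeystore keystore.jceks -srcstoretype JCEKS \
//           -srcalias servicenow -destkeystore custom.jceks -deststoretype JCEKS
public class ImportServiceNowCert {
    static final String ALIAS = "servicenow";   // alias named in the documentation
    // Loads a JCEKS keystore; the password also verifies the store's integrity.
    static KeyStore loadJceks(File file, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (InputStream in = file.exists() ? new FileInputStream(file) : null) {
            ks.load(in, password);   // a null stream initialises an empty store (assumed: new custom keystore)
        }
        return ks;
    }

    // True only if the alias exists and is a trusted-certificate entry, not a key entry.
    static boolean hasServiceNowCert(KeyStore ks) throws GeneralSecurityException {
        return ks.containsAlias(ALIAS) && ks.isCertificateEntry(ALIAS);
    }

    // Copies the public certificate only; no private key material leaves the source store.
    static void copyCert(KeyStore src, KeyStore dest) throws GeneralSecurityException {
        if (!hasServiceNowCert(src)) {
            throw new IllegalStateException("source keystore has no trusted-cert entry '" + ALIAS + "'");
        }
        Certificate cert = src.getCertificate(ALIAS);
        dest.setCertificateEntry(ALIAS, cert);
    }

    public static void main(String[] args) throws Exception {
        // File paths are assumptions; args[0] and args[1] are the shipped and custom store passwords.
        File shippedFile = new File("keystore/keystore.jceks");
        File customFile  = new File("keystore/custom.jceks");
        KeyStore shipped = loadJceks(shippedFile, args[0].toCharArray());
        KeyStore custom  = loadJceks(customFile, args[1].toCharArray());
        if (!hasServiceNowCert(custom)) {           // idempotent: skip if already imported
            copyCert(shipped, custom);
            try (OutputStream out = new FileOutputStream(customFile)) {
                custom.store(out, args[1].toCharArray());
            }
        }
        System.out.println("alias '" + ALIAS + "' present in custom keystore: " + hasServiceNowCert(custom));
    }
}
```

Run it as `java ImportServiceNowCert <shipped-store-password> <custom-store-password>` from the proxy's installation directory; a keystore other than JCEKS (a file store or NAE) needs a different import path, which this example does not cover.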

In addition to the encryption keys, the Java JCEKS keystore stores the RSA key pair used to digitally sign the encryption configuration and encryption rules that are stored in the instance, and the digital certificate that the Edge Encryption proxy uses to establish a secure connection with browsers and any other clients.