Key Locator Framework (KLF)

Secure > Enhance site security > Initialize KLF in WebSphere Commerce

Key Locator Framework (KLF)

To comply with the Payment Card Industry Data (PCI) security standard, a Key Locator Framework (KLF) has been introduced that will allow the encryption key (for example, the merchant key and Payments instance password) to be stored and retrieved from a configurable location such as from an external, more secure, device.
The Key Locator Framework provides the flexibility to define multiple encryption keys available to the system while each encryption key can be retrieved from a different provider. Four encryption key providers are defined out of the box, two for merchant key and two for Payments instance password.
To define a custom encryption key provider, such as managing the key from an external hardware device, a new class that implements WCKey interface must be created. An abstract class, called WCKeyBaseImpl, is also provided out of the box and can be extended by the custom key provider. This abstract class implements some of the common methods on the WCKey interface. The list of encryption keys available to the system are registered in a key configuration file.
An encryption key is defined in the key configuration file...
<key name="MerchantKey" 
     providerName="WC" 
     status="current"
     className="com.ibm.commerce.security.keys.MyMerchantKeyImpl"> 
       
    <config name="param1" value="value1"/> 
    <config name="param2" value="value2"/>

</key>
Where:

name Name of the key. "MerchantKey" refers to the merchant key.
providerName Name of the provider. You can specify the own custom provider name to refer to the customized provider classname.
status Valid values are "current" or "new". A "current" key is used whenever the current key is needed. A "new" key is used when running a command line script, for example, MigrateEncryptedInfo, which would be specified if you are migrating encrypted data that is currently encrypted using one provider and needs to be encrypted by a new provider.
className Java class that implements the encryption key provider.
config (Optional) Parameters required by the provider.

Once all the encryption keys are registered in the key configuration file, the WCKeyRegistry class is used for reading this file and caches all the encryption key providers in memory. Use the getKey() and getNewKey() methods from this class to retrieve the current and new key provider respectively.
For example, to retrieve the current default key implementation, you can use the following code snippet:

WCKey key = WCKeyRegistry.getInstance().getKey(<name of the key>);
String keyValue = key.getValueAsString();

To retrieve the new key implementation of a particular encryption key and provider:

WCKey newKey = WCKeyRegistry.getInstance().getNewKey(<name of the key>, <name of the provider>);
String newKeyValue = newKey.getNewValueAsString();

Related

Key Provider Implementations for merchant key

+
Search Tips | Advanced Search

name	Name of the key. "MerchantKey" refers to the merchant key.
providerName	Name of the provider. You can specify the own custom provider name to refer to the customized provider classname.
status	Valid values are "current" or "new". A "current" key is used whenever the current key is needed. A "new" key is used when running a command line script, for example, MigrateEncryptedInfo, which would be specified if you are migrating encrypted data that is currently encrypted using one provider and needs to be encrypted by a new provider.
className	Java class that implements the encryption key provider.
config	(Optional) Parameters required by the provider.