The System Security menu consists of the following sections:


  • Data Security 
  • HMAC Verification


Data Security


Field: Enable Key Encryption Key (KEK) to secure sensitive data

Description: By default the application generates a random Key Encryption Key (KEK) for each installation and stores it in the database. The KEK is used to encrypt the Data Encryption Key (DEK), which in turn encrypts the sensitive information in the database, e.g. user credentials and other key material.

For enhanced security you can instead generate the KEK in an HSM using ADSS Server and then configure ADSS Web RA to use the KEK from ADSS Server by enabling this option.

Note that if you lose the KEK, it becomes a single point of failure and even Ascertia cannot help to recover this key. It is highly recommended that you have a proper backup mechanism for the KEK to avoid any unforeseen issues in the future.

Field: Encryption Server

Description: The Encryption Server is the ADSS Server instance used to encrypt the Data Encryption Key (DEK).



HMAC Verification


When a user installs the ADSS Web RA application as a new instance, HMAC will be enabled by default. 


What is HMAC?


Hash-based Message Authentication Code (HMAC) is a message authentication code that uses a cryptographic key in conjunction with a hash function. 


HMAC relies on a secret key shared only between that specific server and client. For each request, the client computes a unique HMAC by hashing the request data with the shared key and sends it as part of the request.


The HMAC key is different for each ADSS Web RA installation.


How It Works


  • When a user ticks the HMAC check box, the system starts computing an HMAC for each request made to the database.



  • In the next step, a drop-down appears under the Enable HMAC Verification check box that is used to configure the algorithm for HMAC computation. ADSS Web RA supports the following algorithms for HMAC computation:


  • HMAC SHA-256
  • HMAC SHA-384
  • HMAC SHA-512



The HMAC verification check box enables the system to verify the integrity of all of the application's data.


  • It configures the interval at which the core thread verifies data integrity using HMAC, generates a verification report and sends it to the configured email addresses of the operators. The interval field specifies the number of days and the time field specifies when the core thread runs.
  • It verifies the data of each request that has verification enabled when that request is retrieved from the database. This section shows a red alert in the list, with a detailed view of the affected records, and sends an email to the configured alert addresses for each such request.
  • The email addresses for alerts are the addresses that will receive the HMAC verification report.
  • After HMAC verification is enabled in the configuration, all invalid or tampered records in the lists are displayed in red.
  • When such a record is opened to view its details, a red toast message 'This data has invalid HMAC' appears, as shown below:
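The per-record HMAC check described in this section, as an added example that is not ADSS Web RA's own code: records are sealed with one of the three listed algorithms, and a verification pass reports which records no longer match their stored HMAC. The canonical serialisation (sorted JSON with the stored hmac column excluded) and the sample key and records are assumptions constructed for the example.

```python
import hashlib
import hmac
import json

# Algorithm names as listed in the HMAC drop-down, mapped to hashlib constructors.
ALGORITHMS = {
    "HMAC SHA-256": hashlib.sha256,
    "HMAC SHA-384": hashlib.sha384,
    "HMAC SHA-512": hashlib.sha512,
}

# Constructed sample data: a fixed per-installation key and two database records.
SAMPLE_KEY = b"constructed-per-installation-hmac-key"
SAMPLE_RECORDS = [
    {"id": 1, "username": "alice", "role": "operator"},
    {"id": 2, "username": "bob", "role": "admin"},
]


def canonical_bytes(record: dict) -> bytes:
    """Hypothetical canonical form: sorted keys, no whitespace, 'hmac' column excluded,
    so identical content always produces identical HMAC input."""
    fields = {k: v for k, v in record.items() if k != "hmac"}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def compute_record_hmac(key: bytes, record: dict, algorithm: str) -> str:
    return hmac.new(key, canonical_bytes(record), ALGORITHMS[algorithm]).hexdigest()


def seal_record(key: bytes, record: dict, algorithm: str) -> dict:
    """Return a copy of the record with its HMAC stored alongside the data."""
    sealed = dict(record)
    sealed["hmac"] = compute_record_hmac(key, record, algorithm)
    return sealed


def verify_records(key: bytes, records: list, algorithm: str) -> dict:
    """Verification report: ids of records whose stored HMAC does not match.
    A missing hmac column counts as invalid; the comparison is constant-time."""
    invalid = []
    for rec in records:
        expected = compute_record_hmac(key, rec, algorithm)
        if not hmac.compare_digest(expected, rec.get("hmac", "")):
            invalid.append(rec["id"])
    return {"checked": len(records), "invalid": invalid}


def demo(algorithm: str = "HMAC SHA-256") -> dict:
    """Seal the sample records, alter one record's data, and run verification."""
    sealed = [seal_record(SAMPLE_KEY, r, algorithm) for r in SAMPLE_RECORDS]
    sealed[1]["role"] = "operator"  # a direct change to record 2 behind the application's back
    return verify_records(SAMPLE_KEY, sealed, algorithm)  # → {'checked': 2, 'invalid': [2]}
```

Running demo() flags record 2 as invalid; that is the condition under which the list view shows the record in red and the detail view shows the 'This data has invalid HMAC' message.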