As you probably know already, Documentum removed the support for RSA Libraries and RSA Lockbox starting with Documentum version 16.7. This means that if you are planning to upgrade to 16.7 or higher versions, you will first need to remove the lockbox from your installation and extract your AEK key from it before starting the upgrade process. To be completely exact, upgrading to 16.7 or above in place (using VMs for example) is normally going to do that for you but if you are using the docker images from OpenText, it’s not going to happen. Therefore, it is always good to know how to do it anyway.
The process to “downgrade” from the Lockbox to the AEK key (the other way around wasn’t really an upgrade in terms of security anyway…) is pretty simple and if I’m not mistaken, it is now in the Upgrade & Migration Guide of Documentum 16.7. This can be prepared while the repository is running but it will require a quick restart to be applied. If you are facing any issue, you can also go back to the Lockbox first and figuring out what the issue is later.
It’s very simple and straightforward to extract the AEK key from the Lockbox but there is one requirement to met. Indeed, you will need the latest version of the dm_crypto_create utility which has been packaged starting with:
- Documentum 7.2 P42
- Documentum 7.3 P23
- Documentum 16.4 P10
If you are using an older version or an older patch, you will first need to upgrade/patch to one of these versions. It **might** be possible to just take the binary from one of these patches and use it on older versions of Documentum but that is probably not supported and it would need to be tested first to make sure it doesn’t break in the process. If you want to test that, just make sure to use the correct version of Lockbox libraries (version 3.1 for CS 7.3 and lower // version 4.0 for CS 16.4).
Once you are with the correct version/patch level, the extraction is just one simple command. Therefore, it can be automated easily in the upgrade process. Before starting, let’s setup/prepare the environment and making sure all is currently working with the Lockbox. I’m using a demo environment I built a few weeks on Kubernetes to show how it works:
[dmadmin@cs-0 ~]$ cd $DOCUMENTUM/dba [dmadmin@cs-0 dba]$ [dmadmin@cs-0 dba]$ cp -R secure secure_$(date "+%Y%m%d") [dmadmin@cs-0 dba]$ [dmadmin@cs-0 dba]$ cd secure [dmadmin@cs-0 secure]$ ls -ltr total 24 -rw-rw-r-- 1 dmadmin dmadmin 3750 Mar 30 13:30 lockbox.lb -rw-rw-r-- 1 dmadmin dmadmin 3 Mar 30 13:30 lockbox.lb.FCD drwxrwx--- 2 dmadmin dmadmin 152 Mar 30 17:41 ldapdb [dmadmin@cs-0 secure]$ [dmadmin@cs-0 secure]$ gr_repo="GR_REPO1" [dmadmin@cs-0 secure]$ s_ini="$DOCUMENTUM/dba/config/${gr_repo}/server.ini" [dmadmin@cs-0 secure]$ [dmadmin@cs-0 secure]$ grep "crypto" ${s_ini} crypto_mode = AES256_RSA1024_SHA256 crypto_keystore = Local crypto_lockbox = lockbox.lb crypto_keyname = CSaek [dmadmin@cs-0 secure]$ [dmadmin@cs-0 secure]$ lb_name=$(grep "^crypto_lockbox" ${s_ini} | sed 's,crypto_lockbox[[:space:]]*=[[:space:]]*,,') [dmadmin@cs-0 secure]$ aek_name=$(grep "^crypto_keyname" ${s_ini} | sed 's,crypto_keyname[[:space:]]*=[[:space:]]*,,') [dmadmin@cs-0 secure]$ [dmadmin@cs-0 secure]$ echo "Lockbox Name: ${lb_name} -- AEK Name: ${aek_name}" Lockbox Name: lockbox.lb -- AEK Name: CSaek [dmadmin@cs-0 secure]$ [dmadmin@cs-0 secure]$ read -s -p " --> Please put here the Lockbox Passphrase and press Enter: " lb_pp; echo --> Please put here the Lockbox Passphrase and press Enter: [dmadmin@cs-0 secure]$ [dmadmin@cs-0 secure]$ read -s -p " --> Please put here the AEK Passphrase and press Enter: " aek_pp; echo --> Please put here the AEK Passphrase and press Enter: [dmadmin@cs-0 secure]$ [dmadmin@cs-0 secure]$ # If the below command returns '0', then the Lockbox name, AEK passphrase and the AEK Key name are correct [dmadmin@cs-0 secure]$ # but it doesn't really test the Lockbox passphrase [dmadmin@cs-0 secure]$ dm_crypto_create -lockbox ${lb_name} -lockboxpassphrase ${lb_pp} -keyname ${aek_name} -passphrase ${aek_pp} -check Key - CSaek uses algorithm AES_256_CBC. ** An AEK store with the given passphrase exists in lockbox lockbox.lb and got status code returned as '0'. [dmadmin@cs-0 secure]$ [dmadmin@cs-0 secure]$ # If the below command returns 'Reset host done', then the Lockbox name and Lockbox passphrase are both correct [dmadmin@cs-0 secure]$ dm_crypto_manage_lockbox -lockbox ${lb_name} -lockboxpassphrase ${lb_pp} -resetfingerprint Lockbox lockbox.lb Lockbox Path $DOCUMENTUM/dba/secure/lockbox.lb Reset host done [dmadmin@cs-0 secure]$
Once everything is ready & verified, extracting the AEK key is a piece of cake:
[dmadmin@cs-0 secure]$ # AEK passphrase isn't needed to extract the AEK key [dmadmin@cs-0 secure]$ dm_crypto_create -lockbox ${lb_name} -lockboxpassphrase ${lb_pp} -keyname ${aek_name} -removelockbox -output ${aek_name} Retrieved key 'CSaek' from lockbox 'lockbox.lb' and stored as '$DOCUMENTUM/dba/secure/CSaek' [dmadmin@cs-0 secure]$ [dmadmin@cs-0 secure]$ ls -ltr total 24 -rw-rw-r-- 1 dmadmin dmadmin 3750 Mar 30 13:30 lockbox.lb -rw-rw-r-- 1 dmadmin dmadmin 3 Mar 30 13:30 lockbox.lb.FCD drwxrwx--- 2 dmadmin dmadmin 152 Mar 30 17:41 ldapdb -rw-r----- 1 dmadmin dmadmin 144 May 8 21:52 CSaek [dmadmin@cs-0 secure]$
When it’s done, a new file has been created with the name specified in the “-output” parameter (${aek_name} above, meaning “CSaek“). The only remaining step is reflecting this change in the server.ini and restarting the repository:
[dmadmin@cs-0 secure]$ grep "crypto" ${s_ini} crypto_mode = AES256_RSA1024_SHA256 crypto_keystore = Local crypto_lockbox = lockbox.lb crypto_keyname = CSaek [dmadmin@cs-0 secure]$ [dmadmin@cs-0 secure]$ sed -i 's,^crypto_lockbox,#&,' ${s_ini} [dmadmin@cs-0 secure]$ [dmadmin@cs-0 secure]$ grep "crypto" ${s_ini} crypto_mode = AES256_RSA1024_SHA256 crypto_keystore = Local #crypto_lockbox = lockbox.lb crypto_keyname = CSaek [dmadmin@cs-0 secure]$ [dmadmin@cs-0 secure]$ [dmadmin@cs-0 secure]$ $DOCUMENTUM/dba/dm_shutdown_${gr_repo} Stopping Documentum server for repository: [GR_REPO1] OpenText Documentum iapi - Interactive API interface Copyright (c) 2018. OpenText Corporation All rights reserved. Client Library Release 16.4.0200.0080 Connecting to Server using docbase GR_REPO1.GR_REPO1 [DM_SESSION_I_SESSION_START]info: "Session 010f123450009905 started for user dmadmin." Connected to OpenText Documentum Server running Release 16.4.0200.0256 Linux64.Oracle Session id is s0 API> shutdown,c,T,T ... OK API> exit Bye Waiting for 90 seconds for server pid, 4188, to disappear. Fri May 8 21:53:39 UTC 2020: Waiting for shutdown of repository: [GR_REPO1] Fri May 8 21:53:39 UTC 2020: checking for pid: 4188 Fri May 8 21:53:49 UTC 2020: Waiting for shutdown of repository: [GR_REPO1] Fri May 8 21:53:49 UTC 2020: checking for pid: 4188 repository: [GR_REPO1] has been shutdown checking that all children (4214 4218 4219 4263 4305 4348 4542 4557 4584 4766) have shutdown [dmadmin@cs-0 secure]$ [dmadmin@cs-0 secure]$ $DOCUMENTUM/dba/dm_start_${gr_repo} starting Documentum server for repository: [GR_REPO1] with server log: [$DOCUMENTUM/dba/log/GR_REPO1.log] server pid: 5055 [dmadmin@cs-0 secure]$ [dmadmin@cs-0 secure]$ head -20 $DOCUMENTUM/dba/log/${gr_repo}.log OpenText Documentum Content Server (version 16.4.0200.0256 Linux64.Oracle) Copyright (c) 2018. OpenText Corporation All rights reserved. 2020-05-08T21:54:02.033346 5055[5055] 0000000000000000 [DM_SERVER_I_START_SERVER]info: "Docbase GR_REPO1 attempting to open" 2020-05-08T21:54:02.033471 5055[5055] 0000000000000000 [DM_SERVER_I_START_KEY_STORAGE_MODE]info: "Docbase GR_REPO1 is using database for cryptographic key storage" 2020-05-08T21:54:02.033507 5055[5055] 0000000000000000 [DM_SERVER_I_START_SERVER]info: "Docbase GR_REPO1 process identity: user(dmadmin)" 2020-05-08T21:54:02.833702 5055[5055] 0000000000000000 [DM_SESSION_I_INIT_BEGIN]info: "Initialize Post Upgrade Processing." 2020-05-08T21:54:02.835032 5055[5055] 0000000000000000 [DM_SESSION_I_INIT_BEGIN]info: "Initialize Base Types." 2020-05-08T21:54:02.837725 5055[5055] 0000000000000000 [DM_SESSION_I_INIT_BEGIN]info: "Initialize dmRecovery." 2020-05-08T21:54:02.846022 5055[5055] 0000000000000000 [DM_SESSION_I_INIT_BEGIN]info: "Initialize dmACL." [dmadmin@cs-0 secure]$
That’s basically it. You are now running with the plain AEK Key just like before the introduction of the Lockbox a few years ago with the Documentum 7.x version.
Maybe one last note on the “dfc.crypto.repository” property of the dfc.properties. As you might know, this property has been introduced to support the move to the lockbox so that Documentum knows which repository should be used for all crypto needs. This parameter should apparently stay, even if you remove the lockbox and continue with the AEK file only because the decryption logic is on the server side and so the DFC Clients still need to know which repository can help on that part. Maybe that will change though…