Secret key Overview

IBM® WebSphere® sMash provides an easy method to generate a secret key that is leveraged by the security runtime to generate tokens.

Overview

When an application enables security, the application typically stores information on the client so that it can identify the authenticated user after authentication. Since this information is confidential and its integrity is of the utmost importance, the information is typically stored in an encrypted format. To encrypt the content, WebSphere sMash leverages a secret key. A secret key is an encrypted string that can be generated by leveraging the CLI command secretkey, which is included in zero.core. Each time the CLI command is run, a unique secret key is generated. As long as this secret key is not exposed outside of the application, security should be able to encrypt this information without much concern for an external party being able to decrypt the content.

Generating a secret key

Since the implementation for secret key is part of the zero.core dependency, this command can be run within any application. An example of how to run this command is shown in the following code sample:

[ ~/MysMashApp ] zero secretkey
CWPZC2031I: Result
xMgwl+sUzcsRBLb4tBkn5w==

After the command has been run, edit the zero.config and add the secret key obtained from running the CLI command previously shown as the value to /config/security/secretKey in your configuration as shown in the following sample:

/config/security/secretKey="xMgwl+sUzcsRBLb4tBkn5w=="

Since the secret key is required by default security components such as SimpleToken and Cross Site Request Forgery (CSRF) prevention, any application leveraging security must include a secret key as part of the steps for configuring security for the application.

Also, for applications that want to share tokens between WebSphere sMash applications, the secret key needs to be the same value for each application that wants to share that token. If this is the case, then run this command once and copy the secret key value into each application that wants to share this token.
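As an added example (not part of the WebSphere sMash documentation or the zero CLI itself), the Python below mirrors the procedure above: it checks that a key has the shape that zero secretkey prints, sets it as /config/security/secretKey in a zero.config, and applies one key across several applications that need to share tokens. The 16-byte key length is an assumption inferred from the sample output; the generate_secret_key function is a local stand-in for zero secretkey, not the CLI, and SAMPLE_CONFIG is a constructed zero.config, not one from the page.

```python
import base64
import os
import re

# Configuration key path documented for WebSphere sMash security.
SECRET_KEY_PATH = "/config/security/secretKey"
# Assumption: the CLI prints 16 random bytes, base64-encoded
# (the documented sample "xMgwl+sUzcsRBLb4tBkn5w==" decodes to 16 bytes).
KEY_BYTES = 16

# Constructed sample zero.config (not from the page) holding an old key to replace.
SAMPLE_CONFIG = """/config/http/port=8080
/config/security/secretKey="PLACEHOLDER_OLD_KEY"
/config/security/enabled=true
"""


def generate_secret_key() -> str:
    """Local stand-in for 'zero secretkey': fresh random bytes, base64-encoded."""
    return base64.b64encode(os.urandom(KEY_BYTES)).decode("ascii")


def is_valid_secret_key(key: str) -> bool:
    """True when key is strict base64 that decodes to exactly KEY_BYTES bytes."""
    try:
        raw = base64.b64decode(key, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) == KEY_BYTES


# Matches an existing secretKey assignment line, whatever its current value.
_KEY_LINE = re.compile(r"^\s*" + re.escape(SECRET_KEY_PATH) + r"\s*=.*$", re.MULTILINE)


def set_secret_key(config_text: str, key: str) -> str:
    """Return zero.config text with secretKey set to key (replace or append)."""
    if not is_valid_secret_key(key):
        raise ValueError("secret key is not base64 of %d bytes" % KEY_BYTES)
    line = '%s="%s"' % (SECRET_KEY_PATH, key)  # base64 never contains backslashes
    if _KEY_LINE.search(config_text):
        return _KEY_LINE.sub(line, config_text, count=1)
    if config_text and not config_text.endswith("\n"):
        config_text += "\n"
    return config_text + line + "\n"


def share_secret_key(configs: dict, key: str) -> dict:
    """Apply one key to the zero.config text of every app that shares tokens."""
    return {name: set_secret_key(text, key) for name, text in configs.items()}
```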

Version 1.1.30763