Do's and Don'ts

Do's

  • Use PKCS12 format for the keystore.

  • Restrict the keystore file permissions to owner read/write only (chmod 600).

  • Store the keystore password securely in an environment variable.

  • Configure application.keyStorePath in the relevant property files.

  • Configure application.keyStoreAlias=OIPAALIASDEFAULT for the existing encryption or decryption alias.

  • Configure application.hmacKeyStoreAlias=OIPAALIASHMACKEY for HMAC signing and verification in PAS and Cycle configurations.

  • Retain the existing default alias unless encryption-key rotation is intended. Add new aliases, such as the HMAC alias, as separate secret-key entries instead of replacing the default alias.

  • Use Keytool or OpenSSL for supported operations only.

Don'ts

  • Don’t modify .dat or AsEncryption manually.

  • Don’t hardcode passwords in scripts or config files.

  • Don’t allow unauthorized users to access environment variables.

  • Don’t attempt key exchange or rotation.

  • Don’t share keystore files over unsecured channels.

  • Don’t point application.hmacKeyStoreAlias to a non-existent alias or to an alias with unintended key material.
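The following script is an added example, not part of the OIPA documentation or product. It shows the Do's above as keytool commands (a PKCS12 keystore with the default and HMAC aliases created as separate secret-key entries, password taken from the environment, file mode 600) and turns the Don'ts into small audit checks that can be run against a property file and a keystore. The environment variable name OIPA_KEYSTORE_PASSWORD, the property key application.keyStorePassword, the path /opt/oipa/conf/oipa.p12 and the AES key size are assumptions; the alias names and the other property keys are the ones on this page.

```shell
#!/bin/sh
# Added example (not OIPA's own tooling). Assumed names: OIPA_KEYSTORE_PASSWORD
# (environment variable), application.keyStorePassword (property key),
# /opt/oipa/conf/oipa.p12 (keystore path). The aliases OIPAALIASDEFAULT and
# OIPAALIASHMACKEY are the ones the documentation names.

# Do: create a PKCS12 keystore holding the default alias and the HMAC alias as two
# separate secret-key entries, with the password read from the environment via
# keytool's -storepass:env / -keypass:env modifiers. Requires keytool on PATH.
create_keystore() {
  ks="$1"
  : "${OIPA_KEYSTORE_PASSWORD:?set OIPA_KEYSTORE_PASSWORD in the environment, never in a file}"
  for alias in OIPAALIASDEFAULT OIPAALIASHMACKEY; do
    keytool -genseckey -keyalg AES -keysize 256 -alias "$alias" \
      -keystore "$ks" -storetype PKCS12 \
      -storepass:env OIPA_KEYSTORE_PASSWORD -keypass:env OIPA_KEYSTORE_PASSWORD
  done
  chmod 600 "$ks"   # Do: owner read/write only
}

# Do: the keystore file must be exactly mode 600. find -perm 600 prints the path
# only on an exact match, so an empty result means the mode is wrong (or the
# file is missing).
keystore_perm_ok() {
  [ -n "$(find "$1" -perm 600 2>/dev/null)" ]
}

# Don't: no hardcoded passwords. Any uncommented key containing "pass" whose value
# is neither empty nor a ${ENV_VAR} placeholder is a finding; returns 1 if found.
no_hardcoded_password() {
  ! grep -Ei '^[[:space:]]*[^#][^=]*pass[^=]*=' "$1" \
    | grep -Ev '=[[:space:]]*(\$\{[A-Za-z_][A-Za-z0-9_]*\})?[[:space:]]*$' \
    | grep -q .
}

# Do/Don't: both alias properties must be set, and the HMAC alias must be its own
# entry rather than the encryption alias reused under a second name.
aliases_ok() {
  d=$(sed -n 's/^application\.keyStoreAlias=//p' "$1")
  h=$(sed -n 's/^application\.hmacKeyStoreAlias=//p' "$1")
  [ -n "$d" ] && [ -n "$h" ] && [ "$d" != "$h" ]
}

# Don't: application.hmacKeyStoreAlias must not name a non-existent alias.
# keytool -list -alias exits non-zero when the alias is absent. Requires keytool.
alias_in_keystore() {
  keytool -list -keystore "$1" -storetype PKCS12 \
    -storepass:env OIPA_KEYSTORE_PASSWORD -alias "$2" >/dev/null 2>&1
}

# Run every offline check against a property file and a keystore path;
# returns 0 only when all of them pass.
audit_config() {
  props="$1"; ks="$2"; rc=0
  keystore_perm_ok "$ks"        || { echo "FAIL: $ks is not mode 600"; rc=1; }
  no_hardcoded_password "$props" || { echo "FAIL: hardcoded password in $props"; rc=1; }
  aliases_ok "$props"            || { echo "FAIL: alias properties missing or identical"; rc=1; }
  return $rc
}

# Usage (not run when this file is sourced):
#   OIPA_KEYSTORE_PASSWORD=... sh -c '. ./keystore_audit.sh; \
#     create_keystore /opt/oipa/conf/oipa.p12; \
#     audit_config application.properties /opt/oipa/conf/oipa.p12; \
#     alias_in_keystore /opt/oipa/conf/oipa.p12 OIPAALIASHMACKEY'
```

The property file that passes audit_config carries application.keyStorePassword=${OIPA_KEYSTORE_PASSWORD} (a placeholder resolved from the environment by the application's property loader, assumed here) rather than a literal value, and distinct values for application.keyStoreAlias and application.hmacKeyStoreAlias. alias_in_keystore is the only check that needs keytool and a real keystore; the others run against any file.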