Overview
This section introduces the new encryption key management feature in OIPA, designed to enhance data security, simplify key handling, and align with enterprise-grade compliance standards. It explains how to configure, secure, and manage encryption keys in OIPA using a dedicated Java KeyStore (oipakeystore.p12). It ensures compliance with security standards and supports flexible key lifecycle operations. Encryption Keys are managed using OCI Vault, which provides hardware security modules (HSM) that comply with FIPS-140-2 Level 3 or equivalent standards.
Up to the current release, the encryption key is stored in two parts:
- one part of the key is stored in a .dat file, whose path is defined by encryptDecryptFilePath in the PAS.Properties file, and
- the other part of the key is stored in the database table AsEncryption.
Starting from OIPA 12.2, the keystore is used as the runtime source for secret-key aliases. The existing encryption alias remains OIPAALIASDEFAULT and a dedicated HMAC alias OIPAALIASHMACKEY is additionally configured through application.hmacKeyStoreAlias for HMAC signing and verification flows.
The keystore can contain multiple secret-key entries. In the current 12.2 implementation, the existing default alias is retained for encryption/decryption compatibility and the new alias OIPAALIASHMACKEY is added for HMAC usage without modifying the existing default alias.
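The following Java program is an added example, not OIPA product code, showing what the two-alias layout described above looks like in a PKCS12 keystore and how to confirm it without modifying anything: it builds a throwaway sample keystore with the aliases OIPAALIASDEFAULT and OIPAALIASHMACKEY, then runs a read-only check that both aliases exist, that both hold secret-key entries, and that the HMAC key is distinct material from the encryption key, and finally signs a message using only the HMAC alias. The file name sample-oipakeystore.p12, the password, the choice of AES for the encryption key and HmacSHA256 for the HMAC key are all assumptions made for the sample; the page does not state which algorithms OIPA uses. The verification and signing methods are the parts a practitioner would point at the real oipakeystore.p12; the creation method must not be.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;

public class OipaKeyStoreAliasCheck {
    // Alias names as documented for OIPA 12.2.
    static final String ENC_ALIAS = "OIPAALIASDEFAULT";
    static final String HMAC_ALIAS = "OIPAALIASHMACKEY";

    // Builds a throwaway PKCS12 keystore with the two OIPA alias names.
    // Assumption: freshly generated AES-256 and HmacSHA256 keys for the sample only.
    // Never run this against the production oipakeystore.p12; it would overwrite the real keys.
    static void createSampleKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // start with an empty keystore
        KeyGenerator aesGen = KeyGenerator.getInstance("AES");
        aesGen.init(256);
        KeyGenerator hmacGen = KeyGenerator.getInstance("HmacSHA256");
        KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection(password);
        ks.setEntry(ENC_ALIAS, new KeyStore.SecretKeyEntry(aesGen.generateKey()), prot);
        ks.setEntry(HMAC_ALIAS, new KeyStore.SecretKeyEntry(hmacGen.generateKey()), prot);
        try (FileOutputStream out = new FileOutputStream(path)) {
            ks.store(out, password);
        }
    }

    // Read-only check: both aliases present, both are secret-key entries, and the
    // HMAC key is not the same material as the encryption key. PKCS12 alias lookup
    // in Java is case-insensitive, so containsAlias works with the documented names.
    static boolean verifyAliases(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        if (!ks.containsAlias(ENC_ALIAS) || !ks.containsAlias(HMAC_ALIAS)) {
            System.err.println("keystore is missing one of the required aliases");
            return false;
        }
        KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection(password);
        KeyStore.Entry encEntry = ks.getEntry(ENC_ALIAS, prot);
        KeyStore.Entry hmacEntry = ks.getEntry(HMAC_ALIAS, prot);
        if (!(encEntry instanceof KeyStore.SecretKeyEntry)
                || !(hmacEntry instanceof KeyStore.SecretKeyEntry)) {
            System.err.println("an alias does not hold a secret-key entry");
            return false;
        }
        SecretKey encKey = ((KeyStore.SecretKeyEntry) encEntry).getSecretKey();
        SecretKey hmacKey = ((KeyStore.SecretKeyEntry) hmacEntry).getSecretKey();
        // Separate key material per purpose: the dedicated HMAC alias exists so that
        // signing never reuses the encryption key.
        return !Arrays.equals(encKey.getEncoded(), hmacKey.getEncoded());
    }

    // Signs a message with the key stored under the HMAC alias only.
    static byte[] hmacSign(String path, char[] password, byte[] message) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        SecretKey hmacKey = (SecretKey) ks.getKey(HMAC_ALIAS, password);
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(hmacKey);
        return mac.doFinal(message);
    }

    public static void main(String[] args) throws Exception {
        String path = "sample-oipakeystore.p12";      // constructed sample file, not the production keystore
        char[] password = "changeit".toCharArray();   // placeholder password for the sample only
        createSampleKeyStore(path, password);
        System.out.println("aliases OK: " + verifyAliases(path, password));
        byte[] tag = hmacSign(path, password, "policy-record-1".getBytes(StandardCharsets.UTF_8));
        System.out.println("HMAC-SHA256 (base64): " + Base64.getEncoder().encodeToString(tag));
    }
}
```

Compile and run with `javac OipaKeyStoreAliasCheck.java && java OipaKeyStoreAliasCheck` (Java 8 or later). To audit an existing keystore, call only verifyAliases with the real path and password; it opens the file, checks the entries and returns, and writes nothing back.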
Important:
In the current release, encryption and decryption are supported solely to maintain backward compatibility. Key exchange and rotation are not yet enabled.
Customers should avoid modifying the encryption keys at this stage, as doing so may lead to issues with data decryption and encryption.
For 12.2 HMAC support, configure and maintain the dedicated HMAC alias separately from the default encryption alias.