EJBCA – How to Configure Database Protection using HMAC

Updated on October 1, 2021

The following describes how to set up database protection using the HMAC algorithm for integrity protection.

Generate a private key and a certificate.

openssl ecparam -genkey -name prime256v1 -noout -out key.pem
openssl req -new -x509 -key key.pem -out certificate.pem -days 7300 -subj "/CN=Database Protection"

Put the private key and the certificate in a PKCS#12 file. OpenSSL will ask you for a password that will be used to encrypt the keystore. Make a note of this password, as you will need it later.
```
openssl pkcs12 -export -inkey key.pem -in certificate.pem -out bag.p12 -name dbProtect
```
Print the base64 encoded PKCS#12 file.
```
cat bag.p12 | base64 | tr -d '\012'
```

Put the following configuration in databaseprotection.properties.

conf/databaseprotection.properties

databaseprotection.keyid.1 = 234
databaseprotection.keylabel.1 = dbProtect
databaseprotection.classname.1 = org.cesecore.keys.token.SoftCryptoToken
databaseprotection.data.1 = <the base64 encoded bag.p12 goes here>
databaseprotection.tokenpin.1 = <the password for bag.p12>
databaseprotection.version.1 = 1