As part of the normal operation of the PCC RESTful Web Services, ID values and tokens are created and provided to the user for use in the public API. Some of these values contain embedded information used for request routing, which can include host names, IP addresses and ports of the servers hosting the PCC RESTful Web Services. This network information should only pertain to internally accessible servers. Nonetheless, whenever it is embedded in public-use tokens, the PCC Services encrypt the information using AES symmetric encryption and then Base64-encode the ciphertext to create the new ID or token.
The PCC RESTful Web Services ship configured with a default AES key and Initialization Vector (IV) so the services will work "out-of-the-box". However, it is recommended that you replace the default encryption values with those of your choosing to maintain the highest level of security. The following steps describe how to fully replace the default AES keys with your own.
Step 1: Obtain an AES Key and Initialization Vector (IV)
- First, you will need an AES key and IV that are unique to your organization. Following the AES standard, the key value can be 128, 192 or 256 bits and the IV value must be 128 bits.
- Once you have the key and IV, they must both be Base64 encoded so that they are in a format which can be easily stored in the configuration files of the PCC Services.
- With a Base64 encoded AES key and IV value you can now begin updating the configuration files. Go to Step 2 below.
Step 2: Update the Entry Points Configuration
- Open the Entry Points config file:
  - Windows: C:\Prizm\PCCIS\LoadBalancer\pcc.config
  - Linux: /usr/share/prizm/pccis/LoadBalancer/pcc.config
- Set the encryptionKey and encryptionIv properties to the Base64 encoded values you created in Step 1.
- Save and exit the config file.
Step 3: Update the PCCIS Configuration
- Open the PCCIS config file:
  - Windows: C:\Prizm\PCCIS\ServiceHost\pcc.config
  - Linux: /usr/share/prizm/pccis/ServiceHost/pcc.config
- Set the text within the ViewingSessionIdEncryptionKey and ViewingSessionIdEncryptionIv XML elements to the Base64 encoded values you created in Step 1.
- Save and exit the config file.
Step 4: Update the WorkFile Service Configuration
- Open the WorkFile Service config file:
  - Windows: C:\Prizm\PCCIS\Workfile\workfile.config
  - Linux: /usr/share/prizm/pccis/Workfile/workfile.config
- Set the affinityTokenKey and affinityTokenIv properties to the Base64 encoded values you created in Step 1.
- Save and exit the config file.
Step 5: Update the Redaction Service Configuration
- Open the Redaction Service config file:
  - Windows: C:\Prizm\PCCIS\Redaction\redaction.config
  - Linux: /usr/share/prizm/pccis/Redaction/redaction.config
- Set the affinityTokenKey and affinityTokenIv properties to the Base64 encoded values you created in Step 1.
- Save and exit the config file.
Step 6: Restart PCC (and IIS on Windows) for Changes to Take Effect
- After changing any of the config files above, you need to restart PCC.
- On Windows, you must also restart IIS for changes to the PCCIS configuration to take effect.
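
One way to carry out Step 1 and to check the Base64 strings before they are pasted into the config files in Steps 2 to 5, as an added example that is not part of the product or its documentation. The function names are assumptions of this example, and it uses only the Python standard library.

```python
import base64
import binascii
import secrets

KEY_BITS_ALLOWED = (128, 192, 256)   # AES key sizes named in Step 1
IV_BITS = 128                        # IV size named in Step 1


def generate_key_and_iv(key_bits=256):
    """Return (key_b64, iv_b64) drawn from the operating system's CSPRNG."""
    if key_bits not in KEY_BITS_ALLOWED:
        raise ValueError("AES key must be 128, 192 or 256 bits")
    key = secrets.token_bytes(key_bits // 8)
    iv = secrets.token_bytes(IV_BITS // 8)
    return (base64.b64encode(key).decode("ascii"),
            base64.b64encode(iv).decode("ascii"))


def check_encoded_pair(key_b64, iv_b64):
    """Return a list of problems with the Base64 strings; empty means usable."""
    problems = []
    checks = (("key", key_b64, KEY_BITS_ALLOWED), ("IV", iv_b64, (IV_BITS,)))
    for name, value, allowed_bits in checks:
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"{name}: not valid Base64")
            continue
        # Judge the decoded bytes, not the text length: Base64 of a hex
        # string decodes to twice as many bytes as the key it represents.
        if len(raw) * 8 not in allowed_bits:
            problems.append(f"{name}: decodes to {len(raw) * 8} bits")
    return problems


if __name__ == "__main__":
    key_b64, iv_b64 = generate_key_and_iv(256)
    assert check_encoded_pair(key_b64, iv_b64) == []
    # These are secrets: run on a trusted host, keep them out of shell history and tickets.
    print("key:", key_b64)
    print("iv: ", iv_b64)
```

Running `check_encoded_pair` on values produced by another tool catches the common mistake of Base64-encoding a hex or text rendering of the key instead of its raw bytes.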