As part of the normal operation of the PrizmDoc Back-end RESTful Services, ID values and tokens are created and provided to the user for use in the public API. Some of these values contain embedded information used for request routing, which can include host names, IP addresses and ports of the servers hosting the PrizmDoc Back-end RESTful Services. This network information should refer only to internally accessible servers. Nonetheless, the PrizmDoc Server encrypts the information whenever it is embedded in public-use tokens, using AES symmetric encryption, and then Base64-encodes the ciphertext to create the new ID or token.
The PrizmDoc Back-end RESTful Services ship configured with a default AES key and Initialization Vector (IV) so PrizmDoc Server will work "out-of-the-box". However, it is recommended that you replace the default encryption values with those of your choosing to maintain the highest level of security. The following steps describe how to fully replace the default AES keys with your own.
Step 1: Obtain an AES Key and Initialization Vector (IV)
- First, you will need an AES key and IV that are unique to your organization. Following the AES standard, the key can be 128, 192 or 256 bits and the IV must be 128 bits.
- Once you have the key and IV, they must both be Base64 encoded so that they are in a format which can be easily stored in the configuration files of the PrizmDoc Server.
- With a Base64 encoded AES key and IV value you can now begin updating the configuration files.
- If you are using the central configuration, go to Step 2 below.
- If you are using legacy configuration, go to Step 3 below.
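Step 1 does not say how to produce the values, so the following Python script is an added example (not part of PrizmDoc or its tooling) that draws a key of the chosen size and a 128-bit IV from the operating system's CSPRNG, Base64-encodes them, and checks that a given pair decodes to legal AES sizes before you paste it into the config files. The Base64 strings in the comments are constructed test values, and the script never touches any PrizmDoc file.

```python
import base64
import binascii
import secrets

# AES has a fixed 128-bit block, so the IV is always 16 bytes;
# the key may be 16, 24 or 32 bytes (AES-128/192/256).
AES_BLOCK_BYTES = 16
VALID_KEY_BYTES = {16, 24, 32}


def generate_key_material(key_bits: int = 256) -> tuple[str, str]:
    """Return (key_b64, iv_b64), both freshly drawn from the OS CSPRNG.

    secrets.token_bytes is used rather than random.* so the values are
    unpredictable; a key derived from a passphrase or a fixed IV would
    weaken the protection of the routing data embedded in tokens.
    """
    if key_bits not in (128, 192, 256):
        raise ValueError("AES key size must be 128, 192 or 256 bits")
    key = secrets.token_bytes(key_bits // 8)
    iv = secrets.token_bytes(AES_BLOCK_BYTES)
    return (base64.b64encode(key).decode("ascii"),
            base64.b64encode(iv).decode("ascii"))


def validate_key_material(key_b64: str, iv_b64: str) -> tuple[int, int]:
    """Decode both Base64 values and return (key_bits, iv_bits).

    Raises ValueError (or binascii.Error for malformed Base64) when the
    decoded sizes are not legal for AES or the IV merely repeats the key,
    so a typo is caught before the value is written into a config file.
    """
    key = base64.b64decode(key_b64, validate=True)
    iv = base64.b64decode(iv_b64, validate=True)
    if len(key) not in VALID_KEY_BYTES:
        raise ValueError(f"key decodes to {len(key)} bytes, expected 16/24/32")
    if len(iv) != AES_BLOCK_BYTES:
        raise ValueError(f"IV decodes to {len(iv)} bytes, expected 16")
    if iv == key[:AES_BLOCK_BYTES]:
        raise ValueError("IV must be independent of the key, not a copy of it")
    return len(key) * 8, len(iv) * 8


def is_valid_key_material(key_b64: str, iv_b64: str) -> bool:
    """Boolean form of validate_key_material for scripted pre-checks."""
    try:
        validate_key_material(key_b64, iv_b64)
    except (ValueError, binascii.Error):
        return False
    return True
```

Run `generate_key_material()` once, store the two strings in the properties named in the following steps, and use `validate_key_material` on what you actually saved to confirm nothing was truncated or mistyped.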
Step 2: Update the Central Configuration
- Open the central config file.
- Set the security.aesEncryption.key and security.aesEncryption.iv properties to the Base64 encoded values you created in Step 1.
- Save and exit the config file.
The following configuration properties have been deprecated and will be removed in a future release. Alter these properties only if you are not using the central configuration file.
Step 3: Update the Entry Points Configuration
- Open the Entry Points config file:
  - Windows: C:\Prizm\PCCIS\LoadBalancer\pcc.config
  - Linux: /usr/share/prizm/pccis/LoadBalancer/pcc.config
- Set the encryptionKey and encryptionIv properties to the Base64 encoded values you created in Step 1.
- Save and exit the config file.
Step 4: Update the PCCIS Configuration
- Open the PCCIS config file:
  - Windows: C:\Prizm\PCCIS\ServiceHost\pcc.config
  - Linux: /usr/share/prizm/pccis/ServiceHost/pcc.config
- Set the text within the ViewingSessionIdEncryptionKey and ViewingSessionIdEncryptionIv XML elements to the Base64 encoded values you created in Step 1.
- Save and exit the config file.
Step 5: Update the WorkFile Service Configuration
- Open the WorkFile Service config file:
  - Windows: C:\Prizm\PCCIS\Workfile\workfile.config
  - Linux: /usr/share/prizm/pccis/Workfile/workfile.config
- Set the affinityTokenKey and affinityTokenIv properties to the Base64 encoded values you created in Step 1.
- Save and exit the config file.
Step 6: Update the Redaction Service Configuration
- Open the Redaction Service config file:
  - Windows: C:\Prizm\PCCIS\Redaction\redaction.config
  - Linux: /usr/share/prizm/pccis/Redaction/redaction.config
- Set the affinityTokenKey and affinityTokenIv properties to the Base64 encoded values you created in Step 1.
- Save and exit the config file.
Step 7: Restart PrizmDoc for Changes to Take Effect