During normal operation, the PrizmDoc Server API creates ID values and tokens and returns them to the caller for use with the public API. Some of these values carry embedded routing information, which can include the host names, IP addresses and ports of the servers hosting PrizmDoc Server. That network information should refer only to internally accessible servers. Even so, PrizmDoc Server encrypts the information with AES symmetric encryption whenever it is embedded in a public-use token, and then Base64-encodes the ciphertext to form the new ID or token.
PrizmDoc Server ships configured with a default AES key and Initialization Vector (IV) so that it works "out-of-the-box". Because those defaults are the same in every installation, it is recommended that you replace them with values of your own to maintain the highest level of security. The following steps describe how to fully replace the default AES key and IV with your own.
Step 1: Obtain an AES Key and Initialization Vector (IV)
- First, you will need an AES key and IV that are unique to your organization. Following the AES standard, the key can be 128, 192 or 256 bits long and the IV must be 128 bits (16 bytes).
- Once you have the key and IV, Base64 encode both of them so that they are in a format which can be stored easily in the PrizmDoc Server configuration files.
- With a Base64 encoded AES key and IV value you can now begin updating the configuration files.
- If you are using the central configuration, go to Step 2 below.
- If you are using legacy configuration, go to Step 3 below.
Step 2: Update the Central Configuration
The file paths for the Central Configuration file are:
- Linux: /usr/share/prizm/prizm-services-config.yml
- Windows: C:\Prizm\prizm-services-config.yml
Note: The default installation directory is: C:\Prizm.
- Open the central config file.
- Set the security.aesEncryption.key and security.aesEncryption.iv properties to the Base64 encoded values you created in Step 1.
- Save and exit the config file.
The configuration properties in Steps 3 to 6 below have been deprecated and will be removed in a future release. Change them only if you are not using the central configuration file.
Step 3: Update the Entry Points Configuration
- Open the Entry Points config file:
- Windows: C:\Prizm\PCCIS\LoadBalancer\pcc.config
- Linux: /usr/share/prizm/pccis/LoadBalancer/pcc.config
- Set the encryptionKey and encryptionIv properties to the Base64 encoded values you created in Step 1.
- Save and exit the config file.
Step 4: Update the PCCIS Configuration
- Open the PCCIS config file:
- Windows: C:\Prizm\PCCIS\ServiceHost\pcc.config
- Linux: /usr/share/prizm/pccis/ServiceHost/pcc.config
- Set the text within the ViewingSessionIdEncryptionKey and ViewingSessionIdEncryptionIv XML elements to the Base64 encoded values you created in Step 1.
- Save and exit the config file.
Step 5: Update the WorkFile Service Configuration
- Open the WorkFile Service config file:
- Windows: C:\Prizm\PCCIS\Workfile\workfile.config
- Linux: /usr/share/prizm/pccis/Workfile/workfile.config
- Set the affinityTokenKey and affinityTokenIv properties to the Base64 encoded values you created in Step 1.
- Save and exit the config file.
Step 6: Update the Redaction Service Configuration
- Open the Redaction Service config file:
- Windows: C:\Prizm\PCCIS\Redaction\redaction.config
- Linux: /usr/share/prizm/pccis/Redaction/redaction.config
- Set the affinityTokenKey and affinityTokenIv properties to the Base64 encoded values you created in Step 1.
- Save and exit the config file.
Step 7: Restart PrizmDoc Viewer for Changes to Take Effect
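The following is an added shell example, not part of the PrizmDoc documentation or product, showing one way to carry out Step 1: it draws the key and IV from the operating system's random source through OpenSSL (assumed to be installed), Base64 encodes them, and checks that the encoded values decode to the byte lengths AES requires before you paste them into the properties named in Steps 2 to 6. The property names printed at the end are the central configuration names from Step 2.

```shell
#!/bin/sh
# Added example: generate and validate a Base64-encoded AES key and IV for
# PrizmDoc Server. Assumes the openssl command-line tool is available.
set -eu

# Emit N random bytes from the OS CSPRNG, Base64 encoded on a single line.
gen_b64() {
    openssl rand -base64 "$1"
}

# Succeed only if a Base64 value decodes to exactly the expected byte count.
# This catches a key or IV of the wrong size before it reaches the config files.
check_len() {
    value="$1"
    expected="$2"
    actual=$(printf '%s' "$value" | openssl base64 -d -A | wc -c | tr -d ' ')
    [ "$actual" -eq "$expected" ]
}

AES_KEY=$(gen_b64 32)   # 32 bytes = 256-bit key (16 or 24 bytes are also valid AES sizes)
AES_IV=$(gen_b64 16)    # 16 bytes = 128-bit IV, fixed by the AES block size

check_len "$AES_KEY" 32 || { echo "key does not decode to 32 bytes" >&2; exit 1; }
check_len "$AES_IV" 16  || { echo "iv does not decode to 16 bytes" >&2; exit 1; }

# Print the values in the form used by the central configuration file (Step 2).
echo "security.aesEncryption.key: $AES_KEY"
echo "security.aesEncryption.iv: $AES_IV"
```

Run it once, copy the two printed values into the configuration, and do not reuse them across separate PrizmDoc installations.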