How to Secure Distributed Layer Communication

This page describes how to secure distributed layer communication in the meaning of SpoolerController-to-SpoolerController distribution of data in Near Roaming Group.

By default the distributed memory shared by Spooler Controllers in the same Near Roaming Group communicates in not secured mode. There are proprietary protocols to share and transfer data that could be influenced by Man-in-the-Middle type of attack.
This article describes how to secure the communication to keep the data private and unmodifiable by attackers.

Konica Minolta recommends to use symmetric encryption with a keystore, either with AES 128 bit length key, or more preferably with AES 256 bit length key, that is more secure although it requires administrator to install Java Cryptography Extension by Oracle, Inc.

1. Keystore

There must be a keystore with the same key on each Spooler Controller in the Near Roaming Group. If the encryption is omitted or keystore with different certificates is used on any Spooler Controller then the node cannot connect into the clustered Near Roaming Group.

  1. Use keytool.exe tool distributed in Java SDK - use the command either for AES 128 or AES 256 bit length keys.

    AES 128
    keytool.exe -genseckey -alias spocGroup -keyalg AES -keysize 128 -storepass password -keypass password -storetype JCEKS -keystore keystore-128.jck

    or

    AES 256
    keytool.exe -genseckey -alias spocGroup -keyalg AES -keysize 256 -storepass password -keypass password -storetype JCEKS -keystore keystore-256.jck

  2. Copy the generated keystore file to each SpoolerController, to path SPOC_HOME\distServer\config\

2. Configuration

Following steps must be done on each of the Spooler Controllers in the same Near Roaming Group. It is required to edit SPOC_HOME\distServer\config\spoc-cluster-jgroups-TCP.xml or SPOC_HOME\distServer\config\spoc-cluster-jgroups-UDP.xml depending if the Near Roaming Group is defined to use either TCP or UDP based communication.

  1. Open either spoc-cluster-jgroups-TCP.xml or spoc-cluster-jgroups-UDP.xml for editing.

  2. It is XML file, but it depends on the order of the elements, so find element <VERIFY_SUSPECT timeout="1500"/>. Put one of the following pieces of code (depends on AES 128 or 256 chosen) right after that element:

    AES 128
    <SYM_ENCRYPT
    provider="SunJCE"
    sym_algorithm="AES"
    sym_keylength="128"
    encrypt_entire_message="true"
    keystore_name="c:/DispatcherParagon/SPOC/distServer/config/keystore-128.jck"
    store_password="password"
    key_password="password"
    alias="spocGroup"/>

    or

    AES 256
    <SYM_ENCRYPT
    provider="SunJCE"
    sym_algorithm="AES"
    sym_keylength="256"
    encrypt_entire_message="true"
    keystore_name="c:/DispatcherParagon/SPOC/distServer/config/keystore-256.jck"
    store_password="password"
    key_password="password"
    alias="spocGroup"/>

  3. If another passwords were entered in previous step into keytool.exe tool, make sure they are changed in the appended XML element.

  4. Make sure the path entered in the appended XML element leading to keystore generated in previous step is correct, or change it if required. (Please note that forward slashes ("/") are used.)

  5. Save the modified configuration file.

  6. Make sure the change was applied on all Spooler Controllers in the same Near Roaming Group.

3. Apply the changes

Start or restart (if it was running) the complete Near Roaming Group according to documentation to apply the changes.