Configuring a Gateway Integration Endpoint - Encrypted Blob Storage

A gateway integration endpoint (GIEP) allows STEP to communicate with an external storage system. Once a GIEP has been created and Encrypted Blob Storage is selected, the configuration settings allow you to identify the location of the required data.

This GIEP is intended to be used with an event processor running the Asset Publisher processor. When integrating with PDX, assets can be encrypted in-transit using Amazon Web Services (AWS) Key Management Service (KMS).

Important: For environments using Product Data Exchange (PDX), configuration is required on your PDX system to implement AWS for asset delivery and/or AWS encryption. Contact Stibo Systems for information.

Prerequisites

To use the Gateway Integration Endpoint Configuration dialog for Encrypted Blob Storage, the following case-sensitive properties must be set up first in the sharedconfig.properties file on the STEP application server.

Note: Sensitive configuration values that should be filtered from view are denoted with 'Secret.' This means that the actual values are not visible to users or to Stibo Systems, for example, via Admin Portal configuration lists and remote diagnostics.

The encryption functionality is defined by the following properties. The first four properties are required for all encryption while the last property is only required for a proxy scenario in an on-premises system. A server restart is not required to implement changes to the EncryptedMessage properties.

In each of the properties, replace [Dynamic] with text that identifies the usage; in the examples below, 'PDXEncryption' is the replacement text. Multiple encryption methods can be configured by using a set of properties with the same 'dynamic' text, such as PDXEncryption1 and PDXEncryption2.

The replacement text is displayed in the 'Encryption Config' parameter on the GIEP configuration dialog and the 'Encryption Configuration' parameter on the 'Product Data Exchange 2' delivery method on an OIEP.

  1. EncryptedMessage.[Dynamic].AWSKMS.AccessKeyID

    For example: EncryptedMessage.PDXEncryption.AWSKMS.AccessKeyID=AKIAXF2WQ7KV6UXGGVZG

  2. EncryptedMessage.[Dynamic].AWSKMS.AccessKeySecret

    For example: EncryptedMessage.PDXEncryption.AWSKMS.AccessKeySecret=I5RN/lmxU5GG+iEJ9qibfDqJYf//S3SsF/cLCF1G

  3. EncryptedMessage.[Dynamic].AWSKMS.KeyArn

    For example: EncryptedMessage.PDXEncryption.AWSKMS.KeyArn=arn:aws:kms:eu-west-1:493565835888:alias/PDX-Key

  4. EncryptedMessage.[Dynamic].PluginID

    For example: EncryptedMessage.PDXEncryption.PluginID=AWSKMS

    Important: AWSKMS is the only valid value for the PluginID property. Setting this required property associates it with the other properties that share the same dynamic value.

  5. EncryptedMessage.[Dynamic].AWSKMS.Proxy

    This property is only required for an on-premises system if the delivery connection must first pass through a proxy server with its own login requirement. If a proxy is being used, the setting in this property must match the setting of the HTTP configuration options, as defined in the HTTP Proxy Configurations.

    For example: EncryptedMessage.PDXEncryption.AWSKMS.Proxy=Sample1

Configuring the Gateway Integration Endpoint

Once the case-sensitive properties described above are entered in the sharedconfig.properties file, the options they define appear in the dropdowns of the dialog. If the dropdowns are empty, the properties are not set up or are set up incorrectly.
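To show why the dropdowns can come up empty, the following Python script (an added example, not part of the Stibo Systems documentation or of the STEP product) parses a constructed sharedconfig.properties excerpt, groups the EncryptedMessage.[Dynamic].* keys by their dynamic name as described under Prerequisites, and reports which of the four required properties are missing, misspelled, or set to a PluginID other than AWSKMS. The key values are constructed placeholders, the KMS ARN pattern check and the redact() helper that masks the 'Secret' value are this example's own additions, and nothing here calls a STEP API.

```python
import re

# Constructed sample of a sharedconfig.properties excerpt (not the page's file).
# Key IDs, secrets and the ARN account number are placeholders, not real credentials.
SAMPLE_CONFIG = """\
# PDXEncryption1 is complete; PDXEncryption2 has three mistakes
EncryptedMessage.PDXEncryption1.AWSKMS.AccessKeyID=AKIA_EXAMPLE_ID
EncryptedMessage.PDXEncryption1.AWSKMS.AccessKeySecret=EXAMPLE_SECRET_VALUE
EncryptedMessage.PDXEncryption1.AWSKMS.KeyArn=arn:aws:kms:eu-west-1:000000000000:alias/EXAMPLE-Key
EncryptedMessage.PDXEncryption1.PluginID=AWSKMS
EncryptedMessage.PDXEncryption2.AWSKMS.AccessKeyID=AKIA_EXAMPLE_ID2
EncryptedMessage.PDXEncryption2.AWSKMS.KeyArn=not-an-arn
EncryptedMessage.PDXEncryption2.PluginID=awskms
"""

PREFIX = "EncryptedMessage."
REQUIRED = ("AWSKMS.AccessKeyID", "AWSKMS.AccessKeySecret", "AWSKMS.KeyArn", "PluginID")
OPTIONAL = ("AWSKMS.Proxy",)          # only needed for the on-premises proxy scenario
SECRET_SUFFIXES = ("AWSKMS.AccessKeySecret",)
# Assumed shape of a KMS key or alias ARN; this check is the example's own, not STEP's.
KEY_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:(key|alias)/\S+$")


def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#' and '!' comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")   # split on the first '=' only
        if sep:
            props[key.strip()] = value.strip()
    return props


def group_encryption_configs(props):
    """Group EncryptedMessage.[Dynamic].<suffix> keys by their (case-sensitive) dynamic name."""
    groups = {}
    for key, value in props.items():
        if not key.startswith(PREFIX):
            continue
        dynamic, _, suffix = key[len(PREFIX):].partition(".")
        if dynamic and suffix:
            groups.setdefault(dynamic, {})[suffix] = value
    return groups


def validate_encryption_configs(props):
    """Return {dynamic_name: [problems]}; an empty list means the set is complete."""
    report = {}
    for dynamic, entries in group_encryption_configs(props).items():
        problems = []
        for suffix in REQUIRED:
            if not entries.get(suffix):
                problems.append(f"missing {PREFIX}{dynamic}.{suffix}")
        # AWSKMS is the only valid PluginID value, and the comparison is case-sensitive
        if "PluginID" in entries and entries["PluginID"] != "AWSKMS":
            problems.append(f"PluginID must be exactly 'AWSKMS', got {entries['PluginID']!r}")
        arn = entries.get("AWSKMS.KeyArn")
        if arn and not KEY_ARN.match(arn):
            problems.append(f"KeyArn does not look like a KMS key/alias ARN: {arn!r}")
        for suffix in entries:
            if suffix not in REQUIRED + OPTIONAL:
                problems.append(f"unknown property suffix {suffix!r} (check spelling and case)")
        report[dynamic] = problems
    return report


def redact(props):
    """Copy of props with 'Secret' values masked, so the file can be pasted into a ticket."""
    return {k: ("********" if k.endswith(SECRET_SUFFIXES) else v) for k, v in props.items()}


if __name__ == "__main__":
    props = parse_properties(SAMPLE_CONFIG)
    for dynamic, problems in validate_encryption_configs(props).items():
        print(f"{dynamic}: {'OK' if not problems else 'INCOMPLETE'}")
        for problem in problems:
            print(f"  - {problem}")
    for key, value in redact(props).items():
        print(f"{key}={value}")
```

Run against the real sharedconfig.properties by reading the file into parse_properties(); any dynamic name with a non-empty problem list is a set that will not show up correctly in the Encryption Config dropdown, and the redacted view is what to share when asking for help rather than the raw file.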

  1. On the Gateway Integration Endpoint Configuration dialog, select Encrypted Blob Storage from the top dropdown.

  2. On the Blob Storage parameter, select the desired option from the second dropdown. Complete the available parameters as defined in the related topics:

    • Configuring a Gateway Integration Endpoint - Amazon S3 Blob Storage (here)

    • Configuring a Gateway Integration Endpoint - Microsoft Azure Blob Storage (here)

    • Configuring a Gateway Integration Endpoint - Google Cloud Storage (here)

    • Configuring a Gateway Integration Endpoint - Encrypted Blob Storage (here)

    Note: While additional layers of encryption can be added in this configuration by selecting Encrypted Blob Storage from the second dropdown, consider that the same number of additional levels of decryption are required on the receiving system.

  3. On the Encryption Config parameter, select the desired encryption configuration; the options are the [Dynamic] names defined in sharedconfig.properties.

  4. Click Save to complete the configuration.

  5. Enable the endpoint as defined in the Running a Gateway Integration Endpoint topic here.

  6. Test the connection from the gateway as follows:

    • On the Gateway Connectivity flipper, click the Check Connectivity button.

    • In the Check Connectivity dialog, in the Java Script Check Code section, add:

      gateway.checkConnectivity()

    • Click the Check Connectivity button and verify success or make the necessary corrections to connect.

Using the Gateway Integration Endpoint

Configuration of a GIEP is required to set up:

  • Asset Publisher Event Processor

    For more information, refer to the Asset Publisher Processing Plugin Parameters and Triggers topic in the Event Processors section of System Setup documentation here.

  • Cloud Blob Storage Delivery Method

    For more information, refer to the Cloud Blob Storage Delivery Method topics in the OIEP Delivery Methods (here) and the Export Manager Delivery Methods (here) sections of the Data Exchange documentation.