Home
Managing security
HCL Launch uses a flexible team-based and role-based security model that maps to your organizational structure.
Encryption key tools
Using the encryption key tools, you can manage your encryption keys.
Creating an encryption key
Use the keycreate tool to create a key for secure property encryption without removing previous keys or changing the primary encryption key.

Managing security
HCL Launch uses a flexible team-based and role-based security model that maps to your organizational structure.
- Guidelines for setting up server security
  Although there is no single best way to set up security for the server, the following steps are sufficient in most cases.
- SSL configuration
  With Secure Sockets Layer (SSL) technology, clients and servers can communicate securely by encrypting all communications. Data is encrypted before it is sent and decrypted by the recipient. This communication cannot be deciphered or modified by third-parties. In addition to encryption, SSL can also support authentication.
- Encryption key tools
  Using the encryption key tools, you can manage your encryption keys.
  - Creating an encryption key
    Use the keycreate tool to create a key for secure property encryption without removing previous keys or changing the primary encryption key.
  - Rotating an encryption key
    The keyrotate tool uses the primary encryption key to re-encrypt database secure data that was encrypted with other keys.
  - Deleting an encryption key
    The keydelete command removes a key for secure property encryption.
- Authorization realms
  Use the Authorization Realms pane to create authorization realms and user groups for the server. Groups can be imported from external systems, such as LDAP.
- Authentication realms
  Authentication realms manage users and determine user identity within authorization realms for the server.
- Roles and permissions
  A role is a list of permissions that users have on the HCL Launch server. These permissions include the ability to create, edit, and delete objects, such as applications, environments, and components. The permission also includes the parts of the server interface that users can access.
- Security teams
  Users and groups on the server are assigned roles when they are added to teams.
- Security types
  Security types define categories of objects on the server. You can put all objects into a single category, or you can put them in separate categories and give roles different access rights to different categories.
- Tokens
  Tokens provide authorization for agents, agent relays, users, and external systems or applications from the server. Agents use tokens when they run process steps and communicate with the HCL Launch server and external services.

Creating an encryption key

Use the keycreate tool to create a key for secure property encryption without removing previous keys or changing the primary encryption key.

About this task

If you complete the processs, the tool provides instructions to make the new key primary. A new non-primary key cannot be used for property encryption. It must be made primary first.

To create an encryption key:

Procedure

Run the keycreate command to create an encryption key.
It also prints the alias of the new key. You can run the keycreate tool while the server is online. In an HA cluster, it must be run on only one cluster member because all clusters share the same keystore. The usage is keycreate and requires no arguments.
Configure the server to use the new key as its primary key.

Edit the installed.properties file and set the encryption.keystore.alias property to the alias that the keycreate command prints. In an HA cluster, each member has its own installed.properties file, so you must edit each cluster individually.
Restart the server.

The server loads keys and the primary key setting only at startup. In an HA cluster, you must restart each member.

Results

When this process is complete, the server (or all servers in an HA cluster) uses the new primary key to encrypt new data exclusively. Previous keys can be used only to decrypt previous data.