Generating the SBI XML file

Release Notes
- SAKA 4.12.0
- SAKA 4.11.0
- Back
Preface
- Default Paths and Filenames
- Third-Party Website References
- Strongkey Welcomes Your Comments!
- Back
KAM Introduction
Architecture
Installation
- Preliminary Steps
- Install Components (Primary)
- Install Components (Secondary)
- Define KCs (Primary)
- Verify KCs (Secondary)
- Set Personal Identification Numbers (PINs) [Primary]
- Set PINs and Complete Key Migration [Secondary]
- Create System Users [Primary]
- Create a New Encryption Domain [Primary]
- Complete Second Domain Key Migration [Secondary]
- Add System Users [Primary]
- Configure the SKCE domain [Primary]
- Replicate the CEM Domain [Secondary]
- Back
CCS Web Service Operations
- CCReturnObject
- Manufacturer Identifiers for Processing CardHolder Data (CHD)
- CCS Module GetCardCaptureData Mechanics
- CCS Module DukptEncrypt Mechanics
- CCS Module DukptDecrypt Mechanics
- CCS Module DukptMAC Mechanics
- CCS Module ReencryptPINBlock Mechanics
- Back
KAM Web Service Operations
- KAM Encryption Mechanics
- KAM Decryption Mechanics
- Notes on the Mechanics
- KAM Deletion Mechanics
- KAM Search Mechanics
- KAM Entropy Mechanics
- KAM General Purpose Key Encryption Mechanics
- KAM General Purpose Key Decryption Mechanics
- KAM Batch Operations
- KAM Relay Mechanics
- HTTPS Interface
- SOAP Interface
- Back
KMS Web Service Operations
- CCReturnObject
- CCKeyComponentType
- CCCryptographicMaterialType
- CCEncryptedAnsiX9241KeyType
- KMS Module loadKeyComponent Mechanics
- KMS Module loadBaseDerivationKey Mechanics
- KMS Module generateBaseDerivationKey Mechanics
- KMS Module generateInitialKey Mechanics
- KMS Module storeAnsiX9241Key Mechanics
- KMS Module replaceAnsiX9241Key Mechanics
- KMS Module deleteAnsiX9241Key Mechanics
- KMS Module updateAnsiX9241Key Mechanics
- Back
KAM Batch Operations
- SKLESBatchInput Element
- SKLESBatchOutput Element
- Generating the SBI XML file
- Transferring XML Files to and from the Appliance
- Submitting Batch Operations
- Back
KAM DemoClients
- Installing SAKA Clients
- sakaclient.jar Operations
- Back
KAM KCSetPINTool
- Setting KC Preferences
- Changing KC Passwords
- Setting the KC PIN on the SAKA Server
- Back
KAM DACTool
- Changing DA Passwords
- Preferences
- Systems
- Domains
- Users
- Jobs
- Configuration
- Back
KAM Key Migration Tool
- Prerequisites
- Back
KAM KMS ConsoleTool
- Loading Key Components
- Loading a BDK
- Storing ANSI X-924.1 Keys from Key Components
- Storing ANSI X-924.1 Keys from Wrapped Keys
- Back
KAM Configuration
- Immutable Configuration
- Mutable Configuration
- Sample Configuration File
- Back
KAM Key Management
- Cryptographic Hardware Modules
- Back
HSM Integration
- Building the HSM Driver
  - Rebuilding the HSM Driver
  - Back
- HSM Administration Basics
- Clearing the HSM
- Setting Up the HSM
- Backing up the HSM
- Restoring from a Backup
- Back
Managing Credentials
- KAM Credentials
- HSM Credentials
- System Credentials
- Linux strongauth
- Back
Changing Hostname and IP
- Changing the IP Address
- service iptables restart
- Changing the Hostname
- Back
Internal Repositories
- Repository Requirements
- Choosing an Online Mirror
- Internal Repository Setup
- KA Setup
- Back
Appliance Security
- Physical Security
- Operating System
- Appliance Credentials
- Back
PCI DSS 3.2
- Requirement 3: Protect Stored Cardholder Data
- Requirement 6: Develop and Maintain Secure Systems and Applications
- Back
KC Responsibilities
Add New SKCE Domain
KAM Replication
- Replicate Essentials Only
- Back
Appendices
- Using a Custom Trust Store
- Using the Key Migration Tool (KMTool)
  - Pre-requisites
  - Mechanics
  - Details
  - Back
- Modifying the Appliance's IP Address or Hostname
- Relay Webservice
  - Mechanics of the Relay
  - Deploying the service
  - Relay Webservice Client
  - HTTP interface
  - SOAP interface
  - Back
- Installing KCSPTool and DACTool on Windows
  - Installation
  - Back
- KAM KC Replace Tool
  - Prerequisites
  - Validating Credentials
  - Recreate a set of Key Custodians
  - Create a new set of Key Custodians
  - Back
- Migration Information
- Using HAProxy as a Load Balancer
- MariaDB Audit Logging Configuration
  - Enable MariaDB Audit Logging
  - Monitoring the MariaDB for Replication anomalies
  - Disable MariaDB Audit Logging
  - The counts_v2.sql file
  - Back
- Application Development Guide
  - Application Design for “Card Not Present” transactions
  - Storing Encryption Domain Identifier (DID)
  - Securing Decryption Credentials
  - Cluster Communications
  - Relay Processing
  - Summary on “Card Not Present” transactions
  - Back
- Setting up LACP Bonding on Tellaro KA
- Strongkey Tellaro & Ransomware Protection
- Adding an Additional Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 On the EXISTING node
  - Step #4 on the NEW node
  - Back
- Adding a Data Recovery Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 on the EXISTING node
  - Step #4 on the NEW node
  - Post-Installation
  - Back
- Batch Delete Tokens
- CIS Hardening Verification RHEL 7.X
- CIS Hardening Verification ROCKY 9.X
- Migrating from Centos to Rocky
  - Rocky Linux Kickstart USB Guide
  - Step 1: On an Existing Production Server in the Cluster
  - Step 2: On the Same Machine after Installing Rocky 9.2
  - Back
- KA Replace EOL Node
  - Prerequisites
  - Step 1 (On New SAKA)
  - Step 2 (On EOL SAKA)
  - Step 3 (On New SAKA)
  - Step 4 (On EOL SAKA)
  - Step 5 (On New SAKA)
  - Step 6 (On EOL SAKA)
  - Step 7 (On New SAKA)
  - Back
- Cleanup SAKA Disk Space
  - Cleanup Old Distributions and Files
  - Cleanup Database Tables
    - Cleanup Encryption Requests Table
    - Back
  - Back
- Using Custom SSL/TLS Certificates
  - Generating a TLS certificate with the SAN extension
  - Installing the keystore on SAKA
  - Conclusion
  - Back
- Reboot StrongKey Tellaro
  - Pre-Reboot
  - Reboot
  - Post-Reboot
  - Back
- Configure Syslog
- Back

While it is expected that most applications communicating with SAKA will be modified to generate the SBI XML input file directly, there will be some period where it will be necessary to perform the batch operations expediently without having to wait for internal applications to be reprogrammed.

To help during the transition process, the appliance's strongkeyliteClient.jar application includes an option called GenerateBatchInput in the application to take an ASCII text file, with a single record per line in the file, free of any comments or ornamentation, and convert it into an XML file conforming to the SBI schema.

Typing the following command provides some help on the usage of GenerateBatchInput:

java -cp sakaclient.jar GenerateBatchInput

When run, it results in the following output:

Parameter	Explanation
<input-file-name>	The full file-name of the plain ASCII input file containing the lines of text to be converted to SBI in an XML file.
<output-file-name>	The full file-name of the XML file that will contain the resulting XML. It is strongly recommended that convention for these filenames is established so there are no over-write errors. StrongKey recommends the following: the domain ID, followed by a hyphen, followed by the source application name or requester, followed by a hyphen, followed by the date-timestamp. An example would be `1-PANDB-20100920154535.xml`, indicating that the XML file belongs to domain ID 1, was sourced from the PAN database application and was created at 3:45:35PM on 20 September 2010. This will ensure that the same application creating the same text file for a second batch operation will not overwrite the first file on the appliance even as it is being processed (as it will be likely very difficult for any application to write out two files in the exact same second).
<DID>	The unique encryption domain identifier in which this batch job will be processed.
<job-name>	A helpful job-name that can be embedded inside the XML file, so the resulting output can be processed by the client application meaningfully. This name can be an identifier string that has meaning in the application environment.
<Encrypt\|Decrypt\|Delete\|Search>	One of the four cryptographic operations requested for this XML file.
<number-of-records>	The number of lines in the plain ASCII text file. While this is not meant to be a hard number that will prevent the appliance from processing the XML file if the actual number is more or less than this number, it is a helpful guide to humans who may be reviewing the XML file.
[SAKA.xsdlocation-name]	An optional parameter specifying the full path location of the `SAKA.xsd` file against which the `strongkeyliteClient.jar` application builds the XML document. On the SAKA server, this parameter is unnecessary since the file exists in `/usr/local/strongauth/strongkeylite/etc`. However, it may be useful to generate this XML file on other computers—PCs or other servers—without needing access to the appliance itself for generating the XML input file. In that case, copying `SAKA.xsd` to any location on one's PC or server (along with `strongkeyliteClient.jar` and its supporting libraries, of course) makes it possible to generate this XML input file outside the appliance. `SAKA.xsd` must be present at the specified location, otherwise the `strongkeyliteClient.jar` application will not know what type of XML to generate.

In the current directory where the strongkeyliteClient.jar file exists, if a plain ASCII text file exists—plain-input.txt—including the following lines of text...

1111222200000001
1111222200000002
1111222200000003
1111222200000004
1111222200000005
1111222200000006
1111222200000007
1111222200000008
1111222200000009
1111222200000010

...the following command will convert it to an XML file in the SBI format...

java -cp sakaclient.jar GenerateBatchInput plain-input.txt 1-ABCD-20100920T163300.xml
	1 ABCD-PAN-Conversion Encrypt 10

...and resulting in the following XML file:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<SKLESBatchInput xmlns="http://strongkeylite.strongauth.com/SKLES201009">
    <DomainId>1</DomainId>
    <JobId>ABCD-PAN-Conversion</JobId>
    <Transaction>Encrypt</Transaction>
    <InputNumber>10</InputNumber>
    <InputValues>
        <Input>1111222200000001</Input>
        <Input>1111222200000002</Input>
        <Input>1111222200000003</Input>
        <Input>1111222200000004</Input>
        <Input>1111222200000005</Input>
        <Input>1111222200000006</Input>
        <Input>1111222200000007</Input>
        <Input>1111222200000008</Input>
        <Input>1111222200000009</Input>
        <Input>1111222200000010</Input>
    </InputValues>
</SKLESBatchInput>

The following figure shows the use of the optional SAKA-location-name parameter since this was executed on a PC where the SAKA.xsd file was not automatically available:

There are no limits to the number of records that may be included in an SBI element of the XML file; however, very large numbers of records may require that the Java executable program be provided more “heap memory” for its execution by supplying an “-Xms” and/or “-Xmx” option, as follows:

java -Xms2048m -Xmx4096m -cp sakaclient.jar GenerateBatchInput plain-input.txt 1-ABCD-20100920T163300.xml 1 ABCD-PAN-Conversion Encrypt 1000000 SAKA.xsd

Indicating that this generation process use 2GB of heap-memory initially when creating the Java Virtual Machine (JVM) to execute the program, and use a maximum of 4GB during the execution, if needed.

The resulting XML file may now be transferred to the appliance for batch processing.