API Gateway Private key keystore

Document ID : KB000124988
Last Modified Date : 21/01/2019
Show Technical Document Details
Question:
Could you explain how are the private keys stored by default in Gateway? 
I mean the private keys found in TASKS->Certificates -> Manage Private Keys

I understand they are stored in the Gateway Database and they are encrypted in some way. 
Could you specify which cipher being used for Private Keystore?
Environment:
API Gateway 9.X
Answer:
For private keys, the Gateway stores them in keystores. This can be a hardware keystore like a Luna or nCipher device, or can be an internal software keystore ("Software DB"). For Software DB, the keys are stored in the database in PKCS#12 format, encrypted with a passphrase derived from the cluster shared key, which is itself stored encrypted with the cluster passphrase, which the Gateway typically reads from its node.properties file, where it is normally encrypted with the master passphrase, which (on a software-only Gateway) is by default stored obfuscated in the omp.dat file. 

The Gateway currently uses the Triple-DES algorithm to secure the contents of the key store.