Task 16: Encrypt IdM passwords and keys

Note: This is an optional task.

In this task, you will run the IdM encryption tool to encrypt all IdM passwords and keys. This task is optional but highly recommended for the best security in production environments.

To do this, follow these steps:

  1. Update the second column of the following table with the passwords and keys that you have configured for IdM.

    Location: <idm-service>\WEB-INF\classes\integrationusers.properties
    Password/Key: idmTransportUser=xxxxxx
    Description: This is the IdM password that Service Manager uses to access the IdM service.
      • xxxxxx is a string that defines the password and other properties of the IdM user account. For example:

          idmTransportUser=1Qaz2wsx3edc,ROLE_ADMIN,PERM_IMPERSONATE,enabled

      • You must encrypt the entire string on the right side of the equals sign.

    Location: <idm-service>\WEB-INF\spring\applicationContext.properties
    Password/Key: idm.encryptedSigningKey=xxxxxx
    Description: This is the signing key used to sign IdM tokens.

    Location: <idm-service>\WEB-INF\spring\applicationContext.properties
    Password/Key: idm.persistence.connection.password = xxxxxx
    Description: This is the password of the IdM database connection account.

    Location: <idm-service>\WEB-INF\spring\applicationContext.properties
    Password/Key:
      idm.saml.keystore.password=xxxxxx
      idm.saml.keystore.defaultKey.name=xxxxxx
      idm.saml.keystore.defaultKey.password=xxxxxx
    Description: These are the keystore password, the default key name, and the default key password of the IdM SAML keystore file <idm-service>\WEB-INF\classes\security\samlKeystore.jks.
      If you use the out-of-box keystore file, these parameter values are already encrypted and you must not change them.

  2. Change to the <idm-service>\WEB-INF\lib directory.
  3. For each parameter value in the previous table, run the following command:

    java -cp "cryptoUtil-1.0.3.jar;jasypt-1.9.1.jar;commons-codec-1.7.jar;slf4j-log4j12-1.7.5.jar;slf4j-api-1.7.5.jar;log4j-1.2.17.jar" com.hp.ccue.crypto.util.App encrypt xxxxxx

    where xxxxxx represents the value that you want to encrypt.

    When the encryption is complete, the original value and encrypted value are returned. The following is an example:

    original:1Qazwsx3edc
    encrypted:0bEhLG0zDOdYBLf013p3Qfn66kNTMYvh
  4. Copy the encrypted value back into the IdM configuration file, overwriting the original parameter value, using the following format:

    Parameter=ENC(encrypted value)

    Here are examples:

    idmTransportUser=ENC(0bEhLG0zDOdYBLf013p3Qfn66kNTMYvh)

    idm.encryptedSigningKey=ENC(0bEhLG0zDOdYBLf013p3Qfn66kNTMYvh)
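A post-task check, added here as an example and not part of the IdM tooling: it parses the two properties files and reports any key from the table above that is still missing or whose value is not wholly wrapped in ENC(...), including the case where only the password part of the idmTransportUser string was encrypted. The file paths and key names are the page's; the file contents are constructed samples.

```python
import re
# Keys that this task requires to be encrypted, per file under <idm-service> (from the table above).
REQUIRED_ENCRYPTED = {
    r"WEB-INF\classes\integrationusers.properties": {"idmTransportUser"},
    r"WEB-INF\spring\applicationContext.properties": {
        "idm.encryptedSigningKey", "idm.persistence.connection.password",
        "idm.saml.keystore.password", "idm.saml.keystore.defaultKey.name",
        "idm.saml.keystore.defaultKey.password"},
}
# A value counts as encrypted only when the ENTIRE right-hand side is a single ENC(...) wrapper.
ENC_VALUE = re.compile(r"^ENC\([A-Za-z0-9+/=]+\)$")

def parse_properties(text):
    """Minimal Java .properties reader: 'key=value' or 'key = value'; '#'/'!' lines are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def find_plaintext_secrets(file_name, text):
    """Return (key, problem) for required keys that are missing or not fully wrapped in ENC(...)."""
    props = parse_properties(text)
    findings = []
    for key in sorted(REQUIRED_ENCRYPTED.get(file_name, ())):
        value = props.get(key)
        if value is None:
            findings.append((key, "missing"))
        elif not ENC_VALUE.match(value):
            findings.append((key, "plaintext or only partially wrapped in ENC()"))
    return findings

# Constructed samples (not real config); the transport-user line wraps only the password, which must be flagged.
ENC = "ENC(0bEhLG0zDOdYBLf013p3Qfn66kNTMYvh)"  # the page's example ciphertext, reused as a stand-in
SAMPLE_FILES = {
    r"WEB-INF\classes\integrationusers.properties":
        f"# constructed\nidmTransportUser={ENC},ROLE_ADMIN,PERM_IMPERSONATE,enabled\n",
    r"WEB-INF\spring\applicationContext.properties":
        f"idm.encryptedSigningKey={ENC}\nidm.persistence.connection.password = changeit\n"
        f"idm.saml.keystore.password={ENC}\nidm.saml.keystore.defaultKey.name={ENC}\n",
}

if __name__ == "__main__":
    for name, text in SAMPLE_FILES.items():
        for key, problem in find_plaintext_secrets(name, text):
            print(f"{name}: {key}: {problem}")
```

Run it against the real files after step 4 by reading each file's contents in place of the constructed samples; an empty result for both files means every value from the table is wrapped in ENC(...).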