Task 12: Encrypt IdM passwords and keys

Note: This is an optional task.

In this task, you run the IdM encryption tool to encrypt all IdM passwords and keys, which otherwise sit in clear text in the IdM properties files. This task is optional but strongly recommended for production environments.

To do this, follow these steps:

  1. Update the second column of the following table with the passwords and keys that you have configured for IdM.

    Location: <idm-service>\WEB-INF\classes\integrationusers.properties
    Password/Key: idmTransportUser=xxxxxx
    Description: The IdM password that Service Manager uses to access the IdM service.

      • xxxxxx is a string that defines the password and other properties of the IdM user account. For example:

        idmTransportUser=1Qaz2wsx3edc,ROLE_ADMIN,PERM_IMPERSONATE,enabled

      • You must encrypt the entire string on the right side of the equals sign (the password together with the role, permission and status fields), not only the password.

    Location: <idm-service>\WEB-INF\spring\applicationContext.properties
    Password/Key: idm.encryptedSigningKey=xxxxxx
    Description: The signing key used to sign IdM tokens.

    Location: <idm-service>\WEB-INF\spring\applicationContext.properties
    Password/Key: idm.persistence.connection.password = xxxxxx
    Description: The password of the IdM database connection account.

    Location: <idm-service>\WEB-INF\spring\applicationContext.properties
    Password/Key:
      idm.saml.keystore.password=xxxxxx
      idm.saml.keystore.defaultKey.name=xxxxxx
      idm.saml.keystore.defaultKey.password=xxxxxx
    Description: The keystore password, the default key name and the default key password of the IdM SAML keystore file <idm-service>\WEB-INF\classes\security\samlKeystore.jks.

    If you use the out-of-box keystore file, these parameter values are already encrypted and you must not change them.

  2. Unzip <idm package>.zip, find the "dataprotection-passwordtool-1.0.3-standalone.jar" file and copy it to the <idm-service>/WEB-INF/classes/security directory.

  3. Edit the <idm-service>/WEB-INF/classes/security/key-configuration.properties file. Comment out the other profiles (such as strong128), and then uncomment the following legacy items. Because deleteFile=false, the passphrase files these items reference (key-local-legacy-passphrase.txt and key-network-legacy-passphrase.txt) remain on disk; restrict their permissions to the account that runs the IdM service, since anyone who can read them can decrypt every ENC() value produced from them.

    enckeytype.local.profile=legacyCSA
    enckeytype.local.jce=SunJCE
    enckeytype.local.passphrase.name=local legacy passphrase
    enckeytype.local.passphrase.provider=file
    enckeytype.local.passphrase.file=key-local-legacy-passphrase.txt
    enckeytype.local.passphrase.deleteFile=false
    
    enckeytype.network.profile=legacyCSA
    enckeytype.network.jce=SunJCE
    enckeytype.network.passphrase.name=network legacy passphrase
    enckeytype.network.passphrase.provider=file
    enckeytype.network.passphrase.file=key-network-legacy-passphrase.txt
    enckeytype.network.passphrase.deleteFile=false
    
  4. For each parameter value in the previous table, run the following command from the <idm-service>/WEB-INF/classes/security directory (the --conf . option makes the tool read key-configuration.properties from the current directory, and "local" selects the local key type configured in step 3). Quote the value if it contains characters your shell treats specially:

    java -jar dataprotection-passwordtool-1.0.3-standalone.jar --encrypt --conf . local <mypassword>

    Example:

  5. Copy the encrypted value back into the IdM configuration file, replacing the original clear-text parameter value, in the following format:

    Parameter=ENC(encrypted value)

    Here are examples (the encrypted values shown are illustrative only):

    idmTransportUser=ENC(gJL7uUNgKWMvi7YuZPaXjTwATek8gkEFbaJoDdk8ANqeLbnjumbTPQQXkOgrP0w1A322u4gucc+Q0CMjq+2G3BaeOGymyvYhgh1rNg==)
    idm.encryptedSigningKey=ENC(gJL7uUNgKWMvi7YuZPaXjTwATek8gkEFbaJoDdk8ANqeLbnjumbTPQQXkOgrP0w1A322u4gucc+Q0CMjq+2G3BaeOGymyvYhgh1rNg==)

    After you have replaced every value, search the two properties files for the parameters in the table and confirm that none of them is still followed by a clear-text value.
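The following bash script is an added example and is not part of the IdM documentation or product. It chains steps 2 to 5 for the three parameters that must always be encrypted: it runs the password tool from the security directory, rewrites each parameter as Parameter=ENC(value) without mangling the "+", "/" and "=" characters of the encrypted output, and then checks that no listed parameter is still in clear text. The IDM_HOME default, the IDM_ENCRYPT_RUN switch and the ENCRYPT hook (which substitutes another command for the tool so the file rewriting can be exercised without the jar) are assumptions of this example; the only command the page itself documents is the java -jar invocation from step 4.

```shell
#!/usr/bin/env bash
# Added example, not part of the IdM documentation or product.
# Assumptions (hypothetical, adjust to your installation):
#   IDM_HOME  - the <idm-service> directory (the default below is a guess)
#   ENCRYPT   - optional name of a command or function that prints the encrypted
#               form of "$1"; when unset, the real tool from step 4 is used
set -eu

IDM_HOME="${IDM_HOME:-/opt/idm-service}"
SECURITY_DIR="$IDM_HOME/WEB-INF/classes/security"
PASSWORD_TOOL="dataprotection-passwordtool-1.0.3-standalone.jar"

# Step 4: run the tool from the security directory so that "--conf ." finds
# key-configuration.properties and the passphrase files set up in step 3.
encrypt_value() {
    if [ -n "${ENCRYPT:-}" ]; then
        "$ENCRYPT" "$1"
    else
        (cd "$SECURITY_DIR" && java -jar "$PASSWORD_TOOL" --encrypt --conf . local "$1")
    fi
}

# Step 5: replace "key=value" (spaces around "=" allowed, as in
# "idm.persistence.connection.password = xxxxxx") with "key=ENC(encrypted)".
# The encrypted value is passed with awk -v; the tool's base64 output contains
# no backslashes, so awk's escape processing cannot alter it. Fails, leaving
# the file untouched, if the key is not present.
set_encrypted() {
    local file="$1" key="$2" enc
    enc="$(encrypt_value "$3")"
    if awk -v k="$key" -v v="$enc" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = index(line, "=")
            if (n > 0) {
                name = substr(line, 1, n - 1); sub(/[ \t]+$/, "", name)
                if (name == k) { print k "=ENC(" v ")"; found = 1; next }
            }
            print
        }
        END { if (!found) exit 1 }' "$file" > "$file.tmp"; then
        mv "$file.tmp" "$file"
    else
        rm -f "$file.tmp"
        echo "parameter not found: $key in $file" >&2
        return 1
    fi
}

# Verification: report every listed key whose value is not wrapped in ENC(...);
# returns 1 if any parameter is still in clear text.
check_encrypted() {
    local file="$1" rc=0 key pat
    shift
    for key in "$@"; do
        pat="$(printf '%s' "$key" | sed 's/\./\\./g')"
        if ! grep -Eq "^[[:space:]]*${pat}[[:space:]]*=[[:space:]]*ENC\(.*\)[[:space:]]*$" "$file"; then
            echo "still in clear text: $key in $file" >&2
            rc=1
        fi
    done
    return $rc
}

# Prompts for each clear-text value (not echoed) and encrypts it in place.
# The SAML keystore parameters are deliberately left alone: with the
# out-of-box keystore they are already encrypted and must not be changed.
main() {
    local users="$IDM_HOME/WEB-INF/classes/integrationusers.properties"
    local ctx="$IDM_HOME/WEB-INF/spring/applicationContext.properties"
    local entry file key value
    for entry in \
        "$users|idmTransportUser" \
        "$ctx|idm.encryptedSigningKey" \
        "$ctx|idm.persistence.connection.password"
    do
        file="${entry%|*}"; key="${entry#*|}"
        printf 'Clear-text value for %s (entire right-hand side): ' "$key" >&2
        IFS= read -r -s value; echo >&2
        set_encrypted "$file" "$key" "$value"
    done
    check_encrypted "$users" idmTransportUser
    check_encrypted "$ctx" idm.encryptedSigningKey idm.persistence.connection.password
}

# Only run when explicitly asked, so the functions can also be sourced.
if [ "${IDM_ENCRYPT_RUN:-0}" = 1 ]; then main; fi
```

Run it as IDM_HOME=<idm-service> IDM_ENCRYPT_RUN=1 ./idm-encrypt.sh after completing steps 2 and 3; for the idmTransportUser prompt paste the whole string (password, role, permission and status), since the page requires the entire right-hand side to be encrypted.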