...

  1. Extract the zip archive containing the Secret Fields Key Updater.

  2. Go to the extracted Secret Fields Key Updater directory.

  3. Edit the file database.properties so that it points at the Identity Manager database whose secret fields are to be migrated. The dataSourceType must match the database type in dataSource.jdbcUrl, and the account in dataSource.user must be able to read and write the secret field store, since the updater rewrites the stored values. For more information on this file, see Install Identity Manager.

Identity Manager database

Code Block
dataSourceType=H2
dataSource.jdbcUrl=jdbc:sqlserver://<HOST_NAME>:<DB_PORT>;instance=<INSTANCE_NAME>;databaseName=<DB_NAME>;AUTO_SERVER=TRUE
dataSource.user=<USER_NAME>
dataSource.password=<USER_PASSWORD>

Note that the example above combines an H2 dataSourceType with a SQL Server JDBC URL (AUTO_SERVER=TRUE is an H2 URL option, not a SQL Server one). In your own file, set dataSourceType to the type of the database that dataSource.jdbcUrl actually points at, and use the URL syntax of that database's JDBC driver.

...

  1. Open the file config/encryption-config.xml.

  2. Update the EncryptedFields and NewEncryptedFields descriptors and the keys they reference as described below. For more information on this file, see 24.R1: Sign and encrypt engine in Identity Manager.

    • EncryptedFields is the old descriptor, the one to be replaced. Adapt its values to match the ones currently configured in Identity Manager.
      In this example, EncryptedFields references oldEncCert as its key. Change the referenced key to the one that is currently referenced in Identity Manager.

    • NewEncryptedFields is the new descriptor, holding the information of the replacement key. Change its values accordingly.
      In this example, NewEncryptedFields references newEncCert as its key. Change the referenced key to the key that will replace the old one in Identity Manager.

    The pin attributes of the keys hold the PKCS#12 passwords in clear text. Restrict read access to encryption-config.xml and to the referenced .p12 files to the account that runs the updater, and do not check the edited file into version control.

Example : encryption-config.xml

Code Block
<?xml version="1.0" encoding="UTF-8"?>
<engineSignEncrypt>
  <descriptors>
    <descriptor name="EncryptedFields" version="1">
      <type algorithm="AES/CBC/PKCS7Padding" size="256" result="NX02" key="oldEncCert" asymCipher="RSA/None/OAEPWithSHA384AndMGF1Padding"/>
    </descriptor>
    <descriptor name="NewEncryptedFields" version="1">
      <type algorithm="AES/CBC/PKCS7Padding" size="256" result="NX02" key="newEncCert" asymCipher="RSA/None/OAEPWithSHA384AndMGF1Padding"/>
    </descriptor>
  </descriptors>
  <keys>
    <key name="oldEncCert">
      <type name="pkcs12" locationValue="classpath:oldEncKeypair.p12" pin="1234567"/>
    </key>
    <key name="newEncCert">
      <type name="pkcs12" locationValue="classpath:newEncKeypair.p12" pin="1234"/>
    </key>
  </keys>
</engineSignEncrypt>
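The most common mistakes in this file are a descriptor that points at a key name not defined under keys, or both descriptors still pointing at the same key, in which case the updater would "migrate" every tenant back onto the old key. The following pre-flight check is an added example written for this page; it is not part of the Secret Fields Key Updater or Identity Manager. It only relies on the element and attribute names visible in the example above (engineSignEncrypt, descriptors/descriptor/type, keys/key/type); the function names and the embedded sample, which is the example from this page, are constructed for illustration.

```python
"""Pre-flight consistency check for config/encryption-config.xml.

Added example for this page, not code from the Secret Fields Key Updater.
It assumes the layout shown in the documented example; the function names
are illustrative.
"""
import xml.etree.ElementTree as ET

OLD_DESCRIPTOR = "EncryptedFields"      # descriptor currently used by Identity Manager
NEW_DESCRIPTOR = "NewEncryptedFields"   # descriptor holding the replacement key

# Constructed sample: the encryption-config.xml example from this page.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<engineSignEncrypt>
  <descriptors>
    <descriptor name="EncryptedFields" version="1">
      <type algorithm="AES/CBC/PKCS7Padding" size="256" result="NX02" key="oldEncCert" asymCipher="RSA/None/OAEPWithSHA384AndMGF1Padding"/>
    </descriptor>
    <descriptor name="NewEncryptedFields" version="1">
      <type algorithm="AES/CBC/PKCS7Padding" size="256" result="NX02" key="newEncCert" asymCipher="RSA/None/OAEPWithSHA384AndMGF1Padding"/>
    </descriptor>
  </descriptors>
  <keys>
    <key name="oldEncCert">
      <type name="pkcs12" locationValue="classpath:oldEncKeypair.p12" pin="1234567"/>
    </key>
    <key name="newEncCert">
      <type name="pkcs12" locationValue="classpath:newEncKeypair.p12" pin="1234"/>
    </key>
  </keys>
</engineSignEncrypt>
"""


def load_config(xml_text):
    """Return ({descriptor name: type attributes}, {key name: type attributes})."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    descriptors = {}
    for d in root.iterfind("./descriptors/descriptor"):
        t = d.find("type")
        descriptors[d.get("name")] = dict(t.attrib) if t is not None else {}
    keys = {}
    for k in root.iterfind("./keys/key"):
        t = k.find("type")
        keys[k.get("name")] = dict(t.attrib) if t is not None else {}
    return descriptors, keys


def check_config(xml_text):
    """Return a list of problems found; an empty list means the file is consistent."""
    descriptors, keys = load_config(xml_text)
    problems = []
    for name in (OLD_DESCRIPTOR, NEW_DESCRIPTOR):
        if name not in descriptors:
            problems.append(f"descriptor {name} is missing")
            continue
        key_name = descriptors[name].get("key")
        if not key_name:
            problems.append(f"descriptor {name} has no key attribute")
        elif key_name not in keys:
            problems.append(f"descriptor {name} references undefined key {key_name}")
        else:
            # A pkcs12 key needs a location and a pin, otherwise the store cannot be opened.
            for attr in ("name", "locationValue", "pin"):
                if not keys[key_name].get(attr):
                    problems.append(f"key {key_name} is missing the {attr} attribute")
    old_key = descriptors.get(OLD_DESCRIPTOR, {}).get("key")
    new_key = descriptors.get(NEW_DESCRIPTOR, {}).get("key")
    if old_key and new_key:
        if old_key == new_key:
            problems.append(
                f"both descriptors reference key {old_key}; the migration would re-encrypt with the same key"
            )
        elif keys.get(old_key, {}).get("locationValue") == keys.get(new_key, {}).get("locationValue"):
            problems.append("old and new keys point at the same PKCS#12 file")
    return problems


if __name__ == "__main__":
    for line in check_config(SAMPLE_CONFIG) or ["encryption-config.xml looks consistent"]:
        print(line)
```

Run it against the edited config before starting the per-tenant migrations; a non-empty result means the descriptors or keys still need attention.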

...

  1. Stop the Identity Manager applications: shut down Tomcat, or for docker stop the respective containers by running docker compose down from within docker/compose/identitymanager/<webappname>/.

  2. Create a backup of the respective databases, so that the secret field store can be restored if a migration fails part way.

Migration per tenant

Warning

The secret field store in the database is tenant-aware, even though the descriptors and keys are not. The migration must therefore be executed separately for every single tenant before the keys and descriptors are changed in Identity Manager.

...

After migration of all tenants

Make sure the update is successful

Make sure the Secret Fields Key Updater ran successfully for every single tenant on the system. A tenant that was skipped still holds secrets encrypted with the old key, and Identity Manager can no longer read them once it has been switched to the new keypair.

Set up Identity Manager to use the new keypair

  1. For docker:
    Open docker/compose/identitymanager/config/signencrypt.xml for editing.
    For WAR file deployment:
    Open WEB-INF/classes/engineSignEncryptConfig.xml in Identity Manager Operator, Identity Manager Admin, and Identity Manager Tenant for editing.

  2. Change the attributes of the EncryptedFields descriptor and of the key it references to the values for the new keypair, that is, the values you set for the NewEncryptedFields descriptor in the migration application. The descriptor's name must remain EncryptedFields; Identity Manager does not know a descriptor called NewEncryptedFields.

  3. For docker:
    Run docker compose up from within docker/compose/identitymanager/<webappname>/ for each Identity Manager application (Admin, Operator, and Tenant) to recreate the docker containers.
    For WAR file deployment:
    Start Identity Manager.
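Step 2 above is the point where a copy-and-paste error is most likely: the descriptor must take the NewEncryptedFields values but keep the name EncryptedFields. The following script carries that rewrite out and verifies the result. It is an added example for this page, not code from Identity Manager. It assumes that signencrypt.xml and engineSignEncryptConfig.xml use the same engineSignEncrypt/descriptors/keys layout as the updater's encryption-config.xml, which this page does not show, so that is an assumption; both embedded inputs are constructed samples based on the example on this page, and the function names are illustrative.

```python
"""Switch Identity Manager's EncryptedFields descriptor to the migrated keypair.

Added example for this page, not code from Identity Manager. Assumes the
Identity Manager sign/encrypt config shares the element layout of the
updater's encryption-config.xml (an assumption; the page does not show it).
"""
import copy
import xml.etree.ElementTree as ET

# Constructed: the migration tool's encryption-config.xml after editing (as on this page).
MIGRATION_CONFIG = """<engineSignEncrypt>
  <descriptors>
    <descriptor name="EncryptedFields" version="1">
      <type algorithm="AES/CBC/PKCS7Padding" size="256" result="NX02" key="oldEncCert" asymCipher="RSA/None/OAEPWithSHA384AndMGF1Padding"/>
    </descriptor>
    <descriptor name="NewEncryptedFields" version="1">
      <type algorithm="AES/CBC/PKCS7Padding" size="256" result="NX02" key="newEncCert" asymCipher="RSA/None/OAEPWithSHA384AndMGF1Padding"/>
    </descriptor>
  </descriptors>
  <keys>
    <key name="oldEncCert">
      <type name="pkcs12" locationValue="classpath:oldEncKeypair.p12" pin="1234567"/>
    </key>
    <key name="newEncCert">
      <type name="pkcs12" locationValue="classpath:newEncKeypair.p12" pin="1234"/>
    </key>
  </keys>
</engineSignEncrypt>
"""

# Constructed: Identity Manager's config before the switch, still on the old key.
IDM_CONFIG_BEFORE = """<engineSignEncrypt>
  <descriptors>
    <descriptor name="EncryptedFields" version="1">
      <type algorithm="AES/CBC/PKCS7Padding" size="256" result="NX02" key="oldEncCert" asymCipher="RSA/None/OAEPWithSHA384AndMGF1Padding"/>
    </descriptor>
  </descriptors>
  <keys>
    <key name="oldEncCert">
      <type name="pkcs12" locationValue="classpath:oldEncKeypair.p12" pin="1234567"/>
    </key>
  </keys>
</engineSignEncrypt>
"""


def _descriptor(root, name):
    return root.find(f"./descriptors/descriptor[@name='{name}']")


def _key(root, name):
    return root.find(f"./keys/key[@name='{name}']")


def switch_to_new_keypair(idm_xml, migration_xml):
    """Return Identity Manager config text whose EncryptedFields descriptor
    carries the NewEncryptedFields values from the migration config.

    Only the descriptor's version and <type> attributes change; its name stays
    EncryptedFields. The new key element is copied in; the old key element is
    left in place in case something else still references it.
    """
    idm = ET.fromstring(idm_xml.encode("utf-8"))
    mig = ET.fromstring(migration_xml.encode("utf-8"))

    new_desc = _descriptor(mig, "NewEncryptedFields")
    if new_desc is None:
        raise ValueError("migration config has no NewEncryptedFields descriptor")
    new_type = new_desc.find("type")
    new_key = _key(mig, new_type.get("key"))
    if new_key is None:
        raise ValueError(f"migration config does not define key {new_type.get('key')}")

    target = _descriptor(idm, "EncryptedFields")
    if target is None:
        raise ValueError("Identity Manager config has no EncryptedFields descriptor")
    target.set("version", new_desc.get("version", target.get("version", "1")))
    target_type = target.find("type")
    target_type.attrib.clear()                 # drop every old value, then
    target_type.attrib.update(new_type.attrib) # take algorithm, size, result, key, asymCipher

    keys = idm.find("./keys")
    if keys is None:
        keys = ET.SubElement(idm, "keys")
    existing = _key(idm, new_key.get("name"))
    if existing is not None:                   # re-running is safe: replace, do not duplicate
        keys.remove(existing)
    keys.append(copy.deepcopy(new_key))
    if hasattr(ET, "indent"):                  # Python 3.9+: keep the file readable
        ET.indent(idm, space="  ")
    return ET.tostring(idm, encoding="unicode")


def describe_encrypted_fields(idm_xml):
    """Return (key name, PKCS#12 location) that EncryptedFields resolves to,
    which is what to compare against the updater's NewEncryptedFields before restarting."""
    root = ET.fromstring(idm_xml.encode("utf-8"))
    key_name = _descriptor(root, "EncryptedFields").find("type").get("key")
    key = _key(root, key_name)
    if key is None:
        raise ValueError(f"EncryptedFields references undefined key {key_name}")
    return key_name, key.find("type").get("locationValue")


if __name__ == "__main__":
    after = switch_to_new_keypair(IDM_CONFIG_BEFORE, MIGRATION_CONFIG)
    print(after)
    print(describe_encrypted_fields(after))
```

Apply it to each of the three Identity Manager applications' files (or the shared docker signencrypt.xml), then check that describe_encrypted_fields reports the new key and the new .p12 location before starting Tomcat or running docker compose up.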