PingDirectory

Configuring password encryption

About this task

This procedure is required if synchronizing passwords from a PingDirectory server to Active Directory (AD), or if synchronizing clear text passwords. These steps are not required if synchronizing from Active Directory to a PingDirectory server, or if not synchronizing passwords. NOTE: The Password Sync Agent cannot be pointed at multiple domain clusters.

If the Password Sync Agent is down for any length of time and misses a password change, these changes will not be synced on recovery without either a new password change for the entry or the use of pass-through authentication.

Steps

  1. On the PingDirectory server that will receive the password modifications, enable the Change Log Password Encryption component. The component intercepts password modifications, encrypts the password and adds an encrypted attribute, ds-changelog- encrypted-password, to the change log entry. The encryption key can be copied from the output if displayed, or accessed from the <serverroot>/bin/sync-pipe-cfg.txt file.

    $ bin/dsconfig set-plugin-prop --plugin-name "Changelog Password
    Encryption" \
      --set enabled:true \
      --set changelog-password-encryption-key:<key>
  2. On PingDataSync, set the decryption key used to decrypt the user password value in the change log entries. The key allows the user password to be synchronized to other servers that do not use the same password storage scheme.

    $ bin/dsconfig set-global-sync-configuration-prop \
      --set changelog-password-decryption-key:ej5u9e39pqo68

Next steps

Test the configuration or populate data in the destination servers using bulk resync mode. See Using the resync tool on the Identity Sync Server. Then, use realtime-sync to start synchronizing the data. See Using the realtime-sync tool for more information. If synchronizing passwords, install the Password Sync Agent (PSA) on all of the domain controllers in the topology.