PingDirectory

Encrypting support data archives

The collect-support-data tool is a vital resource for support personnel to use when trying to diagnose issues with a PingDirectory server.

It collects a range of information about the server installation and the underlying system, including:

  • The current server configuration and configuration changes made over time

  • The server schema

  • Portions of log files

  • Server monitor data

  • The server root DSE

  • The output of the status command

  • A list of all of the access control rules defined in the server

  • Information about all third-party extensions that have been installed

  • Stack traces of all threads running in the server

  • Information about JVM garbage collection and memory usage

  • A listing of all processes running on the system

  • Information about the underlying performance of the system, including CPU utilization, memory consumption, and disk I/O

  • Other system-related information, including networking and storage configuration

The collect-support-data tool attempts to redact sensitive information (like encoded passwords and other credentials) as it’s collecting data, and you can use the --securityLevel argument to configure how aggressive it is when deciding what to obscure or remove. However, even at the highest security level, the resulting support data archive likely has information that you want to protect.

One way that you can do this is by encrypting the support data archive before you provide it to support personnel. You can encrypt the contents with a passphrase, and then provide the passphrase to the support engineer through a different channel than was used to transmit the archive. The collect-support-data tool offers the following arguments related to encrypting the archive.

| Argument | Description |
| --- | --- |
| --encrypt | Indicates that the support data archive file should be encrypted. |
| --passphraseFile | Specifies the path to a file containing the passphrase to use to encrypt or decrypt the file. If this argument is not provided, then the tool interactively prompts for the passphrase. |
| --generatePassphrase | Indicates that the tool should generate a random encryption passphrase and write it to the specified passphrase file. This argument should only be used in conjunction with both the --encrypt and --passphraseFile arguments. |
| --decrypt | Indicates that the tool should decrypt the support data archive at the specified path. |
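A wrapper around the encryption arguments above, added here as an example and not taken from the PingDirectory documentation: it keeps the generated passphrase file owner-only and in a directory separate from the archive, and refuses to decrypt with a passphrase file that other users can read. The tool path in `CSD`, the function names and the passphrase file name are assumptions.

```shell
# Added example: CSD, the function names and the passphrase file name are
# assumptions; only the four -- arguments come from the table above.
CSD="${CSD:-bin/collect-support-data}"   # assumed path, relative to the server root

# Server side. $1 = private directory for the passphrase file, kept apart from
# wherever the archive is written so the two are never copied together.
encrypt_support_archive() (
  pp_file="$1/csd-passphrase.txt"
  umask 077                                # anything created here is owner-only
  mkdir -p "$1" && chmod 700 "$1" || exit 1
  if [ -e "$pp_file" ]; then               # one fresh passphrase per archive
    echo "refusing to reuse $pp_file" >&2
    exit 1
  fi
  "$CSD" --encrypt --generatePassphrase --passphraseFile "$pp_file" || exit 1
  chmod 600 "$pp_file"
)

# True when group and other have no permission bits on $1.
owner_only() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Receiving side. $1 = encrypted archive, $2 = file holding the passphrase that
# arrived over the second channel. The archive path is passed as the value of
# --decrypt, following the table's wording ("at the specified path").
decrypt_support_archive() (
  if ! owner_only "$2"; then
    echo "$2 is accessible to group or other; fix its mode first" >&2
    exit 1
  fi
  "$CSD" --decrypt "$1" --passphraseFile "$2"
)

# Usage (run from the server root):
#   encrypt_support_archive "$HOME/csd-private"
#   decrypt_support_archive /path/to/encrypted-archive "$HOME/csd-private/csd-passphrase.txt"
```

Send the archive and the contents of the passphrase file over different channels, and delete the passphrase file once support has confirmed receipt.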