PingDirectory

Setting up the server with an existing encryption settings database

For added convenience, you can use an existing encryption settings database when setting up the server.

About this task

Setting up the server with an existing encryption settings database offers several advantages. You can:

  • Use an encryption settings database protected by an alternative cipher stream provider. Other methods for enabling data encryption during setup will create an encryption settings database that is protected by an unencrypted password stored in a local file, and anyone with access to the system during setup can decrypt that database’s contents. Alternative cipher stream providers offer stronger protection.

  • Enable data encryption restrictions during setup without the need to configure them later.

  • Use an encryption settings database that is frozen at the time of setup without needing to freeze it later.

    If you provide a frozen encryption settings database with data encryption restrictions enabled, the definitions it contains are not exposed, even to server administrators.

To set up the server with an existing encryption settings database:

Steps

  • Run the manage-profile setup command on a server profile with the following properties:

    • A setup-arguments.txt file including the --encryptDataWithPreExistingEncryptionSettingsDatabase argument

    • A <server-root>/pre-setup/config/encryption-settings/encryption-settings-db file representing the desired encryption settings database

    • The pre-setup-dsconfig directory including one or more dsconfig batch files containing changes needed to enable the cipher stream provider

    • Any metadata files contained in the <server-root>/pre-setup directory that the cipher stream provider needs to access the encryption settings database.

    The metadata files needed depend on the enabled cipher stream provider:

    • For the file-based cipher stream provider, use the file specified by the cipher stream provider’s password-file configuration property. If encryption-metadata-file has a value, you must also include the file specified by that property.

    • For the Amazon Key Management Service cipher stream provider, use the file specified by the cipher stream provider’s encrypted-metadata-file configuration property.

    • For the Amazon Secrets Manager cipher stream provider, use the file specified by the cipher stream provider’s encryption-metadata-file configuration property.

    • For the Azure Key Vault cipher stream provider, use the file specified by the cipher stream provider’s encryption-metadata-file configuration property.

    • For the Conjur cipher stream provider, use the file specified by the cipher stream provider’s encryption-metadata-file configuration property.

    • For the PKCS #11 cipher stream provider, use the file specified by the cipher stream provider’s encryption-metadata-file configuration property.

    • For the Vault cipher stream provider, use the file specified by the cipher stream provider’s vault-encryption-metadata-file configuration property.
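A pre-flight check for the profile layout described in these steps, written as an added example rather than anything shipped with PingDirectory. It assumes the dsconfig batch syntax shown in its constructed demo profile (`--set name:value`, one command per line) and that metadata file values are relative to the server root, as the steps above describe.

```shell
# Pre-flight check for a PingDirectory server profile that will be set up with
# manage-profile setup --encryptDataWithPreExistingEncryptionSettingsDatabase.
# Property names follow the documentation; the dsconfig batch syntax and the
# demo profile below are constructed for this example, not PingDirectory's own.
check_profile() {
  profile=$1
  pre_setup=$profile/server-root/pre-setup
  rc=0
  # 1. setup-arguments.txt must ask for the pre-existing database.
  grep -qs -- '--encryptDataWithPreExistingEncryptionSettingsDatabase' \
    "$profile/setup-arguments.txt" \
    || { echo "setup-arguments.txt lacks --encryptDataWithPreExistingEncryptionSettingsDatabase"; rc=1; }
  # 2. The encryption settings database itself must be staged under pre-setup.
  [ -f "$pre_setup/config/encryption-settings/encryption-settings-db" ] \
    || { echo "missing pre-setup/config/encryption-settings/encryption-settings-db"; rc=1; }
  # 3. A pre-setup-dsconfig batch must configure the cipher stream provider.
  grep -qs 'cipher-stream-provider' "$profile"/pre-setup-dsconfig/*.dsconfig \
    || { echo "no cipher-stream-provider change in pre-setup-dsconfig"; rc=1; }
  # 4. Every *-metadata-file / password-file the provider references must be
  #    staged under pre-setup (relative values resolve against the server root).
  #    Paths containing whitespace are not handled by this simple loop.
  for ref in $(grep -hso -E '([a-z-]*metadata-file|password-file):[^[:space:]"]+' \
                 "$profile"/pre-setup-dsconfig/*.dsconfig || true); do
    path=${ref#*:}
    case $path in /*) staged=$path ;; *) staged=$pre_setup/$path ;; esac
    [ -f "$staged" ] || { echo "${ref%%:*} points at missing file: $path"; rc=1; }
  done
  return $rc
}

# Constructed demo profile: Vault cipher stream provider with its metadata
# file staged under pre-setup (other provider properties omitted).
make_demo_profile() {
  d=$(mktemp -d)
  mkdir -p "$d/pre-setup-dsconfig" "$d/server-root/pre-setup/config/encryption-settings"
  echo '--encryptDataWithPreExistingEncryptionSettingsDatabase' > "$d/setup-arguments.txt"
  : > "$d/server-root/pre-setup/config/encryption-settings/encryption-settings-db"
  echo 'dsconfig create-cipher-stream-provider --provider-name Vault --type vault --set enabled:true --set vault-encryption-metadata-file:config/vault-metadata.json' \
    > "$d/pre-setup-dsconfig/01-vault.dsconfig"
  : > "$d/server-root/pre-setup/config/vault-metadata.json"
  echo "$d"
}

demo=$(make_demo_profile)
if check_profile "$demo"; then echo "profile ok: $demo"; fi
rm -rf "$demo"
```

Run it against a real profile directory with `check_profile /path/to/profile` before invoking manage-profile setup; a non-zero return lists each missing piece.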