PingFederate Server

Re-encrypting sensitive information with configuration encryption keys

You can use the configkeymgr command-line utility to re-encrypt sensitive configuration information and OAuth client secrets.

About this task

You should re-encrypt sensitive information after you rotate the configuration encryption keys.

To re-encrypt sensitive configuration information:

Steps

  1. Stop the PingFederate console node.

  2. Run the configkeymgr utility on the console node:

    • If PingFederate is running on Windows, open a command prompt, go to <pf_install>/pingfederate/bin, and run configkeymgr.bat.

    • If PingFederate is running on Linux, open a terminal window, go to <pf_install>/pingfederate/bin, and run configkeymgr.sh.

    Result:

    The utility displays its usage help.

  3. Run the reencrypt command.

    The utility offers optional arguments for the reencrypt command.

    Example:

    To perform a dry run of the reencrypt command in a Linux environment, enter the following command:

      ./configkeymgr.sh --reencrypt --dry-run

  4. Restart the PingFederate console node.

  5. If PingFederate is running in a cluster:

    1. Replicate the configuration to the engine nodes.

    2. Run the configkeymgr utility on the engine nodes to re-encrypt data that is not included in the replication archive, such as sensitive data defined in the run.properties file.

    You can run the utility on engine nodes without stopping them.
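The following wrapper is an added example, not part of Ping Identity's documentation or tooling: it runs steps 2 and 3 on one node as a gated sequence, performing the `--reencrypt --dry-run` pass first and only running the real `--reencrypt` when the dry run completed cleanly, while appending both runs to a log file. It assumes that configkeymgr.sh exits non-zero on failure and that the caller supplies the `<pf_install>/pingfederate/bin` directory (neither is stated on this page).

```shell
#!/bin/sh
# Added example (not Ping Identity's own tooling): gate the real re-encryption on a
# successful dry run and keep a log of both invocations for the change record.
# Assumption: configkeymgr.sh returns a non-zero exit status when a run fails.

# reencrypt_node BIN_DIR LOG_FILE [dry-run-only]
#   BIN_DIR  : the <pf_install>/pingfederate/bin directory of this node
#   LOG_FILE : file that receives timestamps and the utility's output
#   third arg: pass "dry-run-only" to stop after the dry run
# Returns 0 on success, 1 if a run failed, 2 if the utility is not present.
reencrypt_node() {
    bin_dir=$1
    log_file=$2
    mode=${3:-full}

    if [ ! -x "$bin_dir/configkeymgr.sh" ]; then
        echo "configkeymgr.sh not found or not executable in $bin_dir" >&2
        return 2
    fi

    # Step 3a: dry run. Abort before any encrypted data is touched if it fails.
    echo "$(date -u +%FT%TZ) dry run on $(uname -n)" >>"$log_file"
    if ! (cd "$bin_dir" && ./configkeymgr.sh --reencrypt --dry-run) >>"$log_file" 2>&1; then
        echo "dry run failed; see $log_file" >&2
        return 1
    fi
    [ "$mode" = "dry-run-only" ] && return 0

    # Step 3b: the real re-encryption, reached only after a clean dry run.
    echo "$(date -u +%FT%TZ) reencrypt on $(uname -n)" >>"$log_file"
    if ! (cd "$bin_dir" && ./configkeymgr.sh --reencrypt) >>"$log_file" 2>&1; then
        echo "reencrypt failed; see $log_file" >&2
        return 1
    fi
    return 0
}

# Typical use on the stopped console node (PF_BIN is an assumed variable that
# the operator sets to <pf_install>/pingfederate/bin; LOG path is a placeholder):
#   reencrypt_node "${PF_BIN:?set PF_BIN to <pf_install>/pingfederate/bin}" ./reencrypt.log
```

On engine nodes in a cluster the same function applies unchanged, since the page notes they do not need to be stopped first.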