PingFederate Server

Re-encrypting sensitive information with configuration encryption keys

You can use the configkeymgr command-line utility to re-encrypt sensitive configuration information and OAuth client secrets.

About this task

You should re-encrypt sensitive information after you rotate the configuration encryption keys.

To re-encrypt sensitive configuration information:

Steps

  1. Stop the PingFederate console node.

  2. Run the configkeymgr command-line utility on the console node:

    Choose from:

    • If PingFederate is running on Windows, open a command prompt, go to <pf_install>/pingfederate/bin, and run configkeymgr.bat.

    • If PingFederate is running on Linux, open a terminal window, go to <pf_install>/pingfederate/bin, and run configkeymgr.sh.

    Result:

    The utility displays its usage help.

  3. Run the reencrypt command.

    The reencrypt command accepts optional arguments; the usage help lists them.

    Example:

    To perform a dry run of the reencrypt command in a Linux environment, enter the following command. The dry run reports what would be re-encrypted without modifying any data, which lets you confirm the rotated keys are in place before committing the change.

    ./configkeymgr.sh --reencrypt --dry-run

  4. Restart the PingFederate console node.

  5. If PingFederate is running in a cluster:

    1. Replicate the configuration to the engine nodes.

    2. Run the configkeymgr utility on the engine nodes to re-encrypt data that is not included in the replication archive, such as sensitive data defined in the run.properties file.

      You can run the utility on engine nodes without stopping them.

  6. If PingFederate is running with the active/passive admin node feature enabled:

    1. Run the configkeymgr command-line utility on the passive admin nodes to re-encrypt data that is not included in the configuration synchronization data, such as sensitive data defined in the run.properties file.

      You can run the configkeymgr command-line utility on passive admin nodes without stopping them.