Page created: 24 Jul 2019 | Page updated: 6 Nov 2019
Product: PingDirectory 7.3
-
Use dsconfig to configure the server so that the encryption-settings database is encrypted with a PIN contained in the file config/encryption-settings.pin.
$ bin/dsconfig create-cipher-stream-provider \
    --provider-name "Encryption Settings PIN File" \
    --type file-based \
    --set enabled:true \
    --set password-file:config/encryption-settings.pin
-
Use dsconfig to set the global configuration property for the cipher stream provider, which sets the on-disk encryption.
$ bin/dsconfig set-global-configuration-prop \
    --set "encryption-settings-cipher-stream-provider:Encryption Settings PIN File"
-
Use the encryption-settings tool to create a new encryption-settings definition. This command automatically generates a new 256-bit encryption key for use with AES encryption and marks it as the preferred definition for future encryption operations in the server. Note that this command will fail if you do not have the unlimited encryption strength policy installed as described in the previous section (if you do not have that policy installed, then you are restricted to a 128-bit key for AES encryption).
$ bin/encryption-settings create \
    --cipher-algorithm AES \
    --key-length-bits 256 \
    --set-preferred
-
Obtain a list of the definitions in the encryption-settings database.
$ bin/encryption-settings list
-
You can export an encryption-settings definition from the database using a command like the following, where the encryption-settings ID should be changed as necessary to suit your deployment:
$ bin/encryption-settings export \
    --id DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 \
    --output-file /tmp/exported-key \
    --pin-file /tmp/exported-key.pin
-
If no PIN file is specified, then you will be interactively prompted to provide it. To import an encryption-settings definition into the database on another server, use a command like the following:
$ bin/encryption-settings import \
    --input-file /tmp/exported-key \
    --pin-file /tmp/exported-key.pin \
    --set-preferred
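
The steps above take config/encryption-settings.pin as already present and place the exported key and its PIN under /tmp. The following is an added example, not part of the PingDirectory documentation, showing one way to create a PIN file with owner-only permissions and to check the PIN and exported-key files before and after running the commands. The function names are hypothetical, and it assumes the PIN file is a single line of text and that only the account running the server should be able to read these files.

```shell
#!/bin/sh
# Added example, not from the PingDirectory documentation.
# Assumptions: the PIN file holds one line of text, and PIN and exported-key
# files should be readable only by the account that runs the server.
# All function names here are hypothetical.

# Create a PIN file containing 32 random bytes as 64 hex characters.
# Refuses to overwrite: a database already encrypted with the existing PIN
# still needs that PIN to be read.
create_pin_file() {
    pin_file=$1
    if [ -e "$pin_file" ]; then
        echo "refusing to overwrite $pin_file" >&2
        return 1
    fi
    (
        umask 077    # file is created as 0600, never briefly world-readable
        pin=$(od -An -N32 -tx1 /dev/urandom | tr -d ' \n')
        printf '%s\n' "$pin" > "$pin_file"
    )
}

# Succeed only if the file exists and grants nothing to group or others.
is_owner_only() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)    # group and other permission bits
    [ "$perms" = "------" ]
}

# Report each listed PIN or key file that is missing or too widely accessible.
audit_secret_files() {
    rc=0
    for f in "$@"; do
        if ! is_owner_only "$f"; then
            echo "WARN: $f is missing or accessible beyond its owner" >&2
            rc=1
        fi
    done
    return $rc
}

# Typical use around the procedure (paths are the ones used on this page):
#   create_pin_file config/encryption-settings.pin
#   audit_secret_files config/encryption-settings.pin \
#       /tmp/exported-key /tmp/exported-key.pin
```

Remove the exported key and its PIN file from the transfer location once the import on the other server has succeeded.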