Encrypting passphrase files - PingDirectory - 9.0



Use an encrypted passphrase file or an encrypted tools.properties file so that the server and command-line tools can use the credentials they need without storing them in the clear.

Consider the following when encrypting these files:

  • If the file is encrypted with a key from the server's encryption settings database, the server and its command-line tools retrieve that key from the database and read the clear-text contents of the file without any interaction. However, if the cipher stream provider that protects the encryption settings database itself requires interaction (for example, the wait-for-passphrase cipher stream provider), command-line tools might prompt the user to unlock the encryption settings database.
  • If the file is encrypted with a passphrase that the user supplies rather than a key from the encryption settings database, the user is prompted for that passphrase interactively each time a tool reads the file.

    Do not use this option for key store and trust store PIN files that the server itself must read, because the server cannot prompt for a passphrase.

Files encrypted with the encrypt-file tool can be used in the following ways:

Certificate keystore and truststore PIN files
When setting up an instance with encryption and either SSL or StartTLS enabled, the installer automatically encrypts the PIN files for the config/keystore, config/truststore, and config/ads-truststore certificate databases.
Command-line arguments
Specify passphrase files using command-line arguments. Most LDAP tools offer --bindPasswordFile, --keyStorePasswordFile, and --trustStorePasswordFile arguments, and each accepts a file encrypted with encrypt-file in place of a clear-text file.
The config/tools.properties file
Use the config/tools.properties file to supply a default set of arguments to most command-line tools. Alternatively, use the --propertiesFilePath argument to specify a different properties file.
  1. Encrypt a file with the server’s preferred encryption settings definition.
    $ bin/encrypt-file --input-file password.txt \
      --output-file password.txt.encrypted
  2. To use a key from an encryption settings definition other than the preferred one, specify the ID of that definition with the --encryption-settings-id argument.

    You can list the available definitions and their IDs with bin/encryption-settings list.

    $ bin/encrypt-file --input-file password.txt \
      --output-file password.txt.encrypted \
      --encryption-settings-id 4B6899D6716FC3AFFD71F7B447EB135063A0E724
  3. To encrypt the file with a passphrase rather than a key from an encryption settings definition, choose one of the following options:
    • Use the --prompt-for-passphrase argument to interactively prompt for the passphrase.
    • Use the --passphrase-file argument to specify the path to a file containing the clear-text passphrase.
    $ bin/encrypt-file --input-file password.txt \
      --output-file password.txt.encrypted \
      --prompt-for-passphrase
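The following config/tools.properties fragment is an added example written for this page, not a file shipped with PingDirectory. It shows how the encrypted files produced by the steps above are referenced so that tools pick them up without any clear-text credential on the command line. The property names are the long argument names of the LDAP tools; the host, port, bind DNs, and file paths (including the assumed names of the encrypted PIN files) are assumptions for illustration, and the tool-name prefix for per-tool overrides is written as this editor understands the properties-file convention.

```properties
# config/tools.properties (added example; host, port, DNs and paths are assumptions)

# Connection defaults applied to every tool that reads this file.
hostname=localhost
port=1636
useSSL=true

# Bind credentials. The password file was produced by
#   bin/encrypt-file --input-file password.txt --output-file password.txt.encrypted
# using a key from the encryption settings database, so the tools decrypt it
# without prompting. Keep it readable only by the account that runs the tools,
# and delete the clear-text password.txt once the encrypted copy works.
bindDN=cn=Directory Manager
bindPasswordFile=config/password.txt.encrypted

# Certificate databases. The PIN files are also read by the server at startup,
# so they must be encrypted with a key from the encryption settings database,
# never with a user-supplied passphrase (the server cannot answer a prompt).
# File names are assumed for this example.
trustStorePath=config/truststore
trustStorePasswordFile=config/truststore.pin
keyStorePath=config/keystore
keyStorePasswordFile=config/keystore.pin

# A property can be scoped to a single tool by prefixing it with the tool name,
# for example to run searches with a lower-privileged account (assumed DN).
ldapsearch.bindDN=uid=searcher,ou=People,dc=example,dc=com
ldapsearch.bindPasswordFile=config/searcher-password.txt.encrypted
```

Point a tool at a different file with --propertiesFilePath when you do not want the defaults in config/tools.properties. The same encrypted file can also be passed directly on the command line, for example bin/ldapsearch --bindPasswordFile config/password.txt.encrypted --baseDN dc=example,dc=com "(objectClass=*)". If a file was encrypted with --prompt-for-passphrase or --passphrase-file instead of a definition key, expect every tool that reads it through this properties file to prompt for that passphrase.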