When an encryption settings definition is compromised, all data encrypted with that definition is vulnerable and you must stop using the definition immediately.
If an encryption settings definition is compromised, stop using that definition immediately. You must either re-encrypt all data that was encrypted with the compromised definition using a new definition, or purge that data from the server. To minimize the risk of data exposure, act quickly on every server that uses the definition, but work on one server at a time to avoid environment-wide downtime.

If you have a compromised encryption settings definition:

1. Create a new encryption settings definition and make it the preferred definition for new write operations.
2. Ensure that client traffic is routed away from the compromised server.
   If the PingDirectory server is accessed through a PingDirectoryProxy server, you can set the health-check-state configuration property for any LDAP external server definitions that reference that server to
3. To ensure that external clients are not allowed to perform writes in the PingDirectory server, set the writability-mode global configuration property to
4. Look at the monitor entries with the ds-replication-server-handler-monitor-entry object class and confirm that the value of the update-sent attribute is no longer increasing. A counter that has stopped growing indicates that all outstanding local changes have been replicated to the other servers; check it over several polls rather than once, because a single reading cannot tell "nothing outstanding" from "nothing sent yet".
5. Stop the PingDirectory server instance.
6. Delete the replication server database by removing all files in the
   If all local changes have been replicated to other servers, this deletion does not result in any data loss in the replication environment. If step 4 showed changes still being sent, do not delete the database, because those changes would be lost.
7. Export the contents of all local DB and changelog backends to LDIF.
   If you use the AES256 scheme to store passwords in a reversibly encrypted form, and any of those passwords are encrypted with the compromised encryption settings definition, use the export-reversible-passwords tool rather than the export-ldif tool for the LDIF export of the local DB backends. The export-reversible-passwords tool generates an LDIF file in which all reversibly encrypted passwords are exported in decrypted form, so that they are re-encrypted with the new preferred definition when they are re-imported. That LDIF file therefore contains cleartext passwords: restrict access to it and delete it securely once the import has succeeded.
8. Re-import the data from LDIF. The data is now encrypted using the new preferred encryption settings definition.
9. Export the compromised encryption settings definition from the encryption settings database. As a precaution, this backs up the definition in case some remaining data was encrypted with that definition's key. Treat the exported file as sensitive key material: store it under the same access controls as the server's other keys and keep it only as long as you might still need to recover data with it.
10. To prevent the PingDirectory server from using the compromised definition, delete the definition from the encryption settings database.
11. Start the PingDirectory server instance.
12. Allow replication to update the server with any changes that were processed while it was offline.
13. To re-allow externally performed write operations, change the value of the writability-mode global configuration property to
14. To allow client traffic to be routed back to that server instance, reconfigure the
    For example, if you changed the value of the health-check-state property in step 2, change it back to
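The check in step 4 (that update-sent on every ds-replication-server-handler-monitor-entry has stopped increasing) is the gate that makes deleting the replication database in step 6 safe, and it is easy to misjudge from a single ldapsearch. The following Python script is an added example, not code from Ping Identity or from this page: it parses the LDIF that ldapsearch returns for the handler monitor entries and polls until every handler's update-sent has stayed flat for several consecutive polls. The ldapsearch invocation (host, port, credentials), the handler DNs and the sample monitor output are assumptions constructed for illustration.

```python
"""Wait until a PingDirectory server has sent all outstanding local changes
to its replication peers (update-sent no longer increasing on any
ds-replication-server-handler-monitor-entry). Added example; the ldapsearch
invocation and the sample monitor entries below are constructed assumptions."""
import base64
import subprocess
import time
from typing import Callable, Dict, List

HANDLER_OC = "ds-replication-server-handler-monitor-entry"
COUNTER_ATTR = "update-sent"


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the previous line;
    ldapsearch folds long DNs this way."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_update_sent(ldif_text: str) -> Dict[str, int]:
    """Return {handler DN: update-sent} for each replication server handler
    monitor entry in an LDIF search result. Other entries are ignored."""
    counters: Dict[str, int] = {}
    entry: Dict[str, List[str]] = {}

    def flush() -> None:
        ocs = {v.lower() for v in entry.get("objectclass", [])}
        if HANDLER_OC in ocs and "dn" in entry and COUNTER_ATTR in entry:
            counters[entry["dn"][0]] = int(entry[COUNTER_ATTR][0])
        entry.clear()

    for line in unfold_ldif(ldif_text):
        if not line.strip():
            flush()  # blank line ends an entry
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    flush()
    return counters


def still_sending(previous: Dict[str, int], current: Dict[str, int]) -> List[str]:
    """DNs of handlers whose update-sent grew between two polls. A handler
    that was not present in the previous poll is reported too (conservative)."""
    return sorted(dn for dn, n in current.items() if n > previous.get(dn, -1))


def wait_for_quiescence(poll: Callable[[], Dict[str, int]], stable_polls: int = 3,
                        max_polls: int = 60, interval: float = 5.0,
                        sleep: Callable[[float], None] = time.sleep) -> bool:
    """Poll until update-sent has stayed flat on every handler for
    stable_polls consecutive polls. Returns False when max_polls is
    exhausted: changes are still in flight or a peer is not accepting them."""
    previous = poll()
    stable = 0
    for _ in range(max_polls):
        sleep(interval)
        current = poll()
        stable = 0 if still_sending(previous, current) else stable + 1
        if stable >= stable_polls:
            return True
        previous = current
    return False


def poll_via_ldapsearch(host: str, port: int, bind_dn: str, password: str) -> Dict[str, int]:
    """Fetch the handler monitor entries. Assumed invocation of the
    PingDirectory ldapsearch tool; adjust options to your deployment."""
    cmd = ["ldapsearch", "--hostname", host, "--port", str(port),
           "--bindDN", bind_dn, "--bindPassword", password, "--baseDN", "cn=monitor",
           f"(objectClass={HANDLER_OC})", COUNTER_ATTR]
    return parse_update_sent(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


# Constructed sample output: ds1 still has 8 changes in flight at the second
# poll, after which every counter stays flat. The first DN is folded as
# ldapsearch would fold a long line; the "Other" entry must be ignored.
DS1 = "cn=Replication Server Handler for ds1.example.com:8989,cn=monitor"
DS2 = "cn=Replication Server Handler for ds2.example.com:8989,cn=monitor"


def _entry(dn: str, n: int, oc: str = HANDLER_OC) -> str:
    return (f"dn: {dn}\nobjectClass: top\nobjectClass: ds-monitor-entry\n"
            f"objectClass: {oc}\n{COUNTER_ATTR}: {n}\n\n")


SAMPLE_POLLS = [
    _entry(DS1, 1532).replace(",cn=monitor\n", ",\n cn=monitor\n", 1)
    + _entry(DS2, 980) + _entry("cn=Other,cn=monitor", 7, "ds-other-monitor-entry"),
    _entry(DS1, 1540) + _entry(DS2, 980),
    _entry(DS1, 1540) + _entry(DS2, 980),
    _entry(DS1, 1540) + _entry(DS2, 980),
    _entry(DS1, 1540) + _entry(DS2, 980),
]


def run_sample() -> bool:
    """Replay the constructed polls without sleeping; True means quiescent."""
    polls = iter(SAMPLE_POLLS)
    return wait_for_quiescence(lambda: parse_update_sent(next(polls)),
                               stable_polls=3, sleep=lambda _: None)


if __name__ == "__main__":
    print("all local changes replicated:", run_sample())
```

Run it (with poll_via_ldapsearch wired to your server) immediately before step 5. If it returns False, a peer is unreachable or changes are still being sent, and deleting the replication database in step 6 would discard them; resolve that before stopping the instance.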