Configuring password encryption - PingDataSync - PingDirectory - 9.3

PingDirectory 9.3

This procedure is required if synchronizing passwords from a PingDirectory server to Active Directory (AD), or if synchronizing clear-text passwords. These steps are not required if synchronizing from Active Directory to a PingDirectory server, or if passwords are not being synchronized.
Note: The Password Sync Agent cannot be pointed at multiple domain clusters.
Note: If the Password Sync Agent is down for any length of time and misses a password change, that change will not be synchronized on recovery unless the entry's password is changed again or pass-through authentication is used.
  1. On the PingDirectory server that receives the password modifications (the synchronization source), enable the Changelog Password Encryption plugin. The plugin intercepts password modifications, encrypts the new password, and adds the encrypted value to the change log entry in the ds-changelog-encrypted-password attribute. The encryption key can be copied from the output if it is displayed, or read from the <serverroot>/bin/sync-pipe-cfg.txt file.
    $ bin/dsconfig set-plugin-prop \
      --plugin-name "Changelog Password Encryption" \
      --set enabled:true \
      --set changelog-password-encryption-key:<key>
  2. On the PingDataSync server, set the decryption key used to decrypt the user password value in the change log entries. This must be the same key that was configured on the source server in step 1. It allows the user password to be synchronized to destination servers that do not use the same password storage scheme as the source.
    $ bin/dsconfig set-global-sync-configuration-prop \
      --set changelog-password-decryption-key:ej5u9e39pqo68
Test the configuration or populate data in the destination servers using bulk resync mode. Then, use realtime-sync to start synchronizing the data. If synchronizing passwords, install the Password Sync Agent (PSA) on all of the domain controllers in the topology.
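The two steps above as one script, added here as an example and not taken from the PingDirectory documentation or product. It generates a key, applies the same key to both servers, and reads the plugin state back as a check before resync or realtime-sync is started. The install-root arguments, the DSCONFIG_OPTS pass-through for connection arguments (host, port, bind DN, password file), the DRY_RUN switch and the function names are assumptions of this example; dsconfig's get-plugin-prop and get-global-sync-configuration-prop subcommands are assumed to exist alongside the set-* subcommands shown on the page.

```shell
#!/bin/sh
# Added example (not from the PingDirectory docs): configure change log
# password encryption on the source PingDirectory server and the matching
# decryption key on PingDataSync, then verify the plugin is enabled.
# Assumptions: each install root has bin/dsconfig; DSCONFIG_OPTS carries the
# connection arguments; DRY_RUN=1 prints the commands instead of running them.

# Generate a random alphanumeric key (24 random bytes, base64, non-alnum
# dropped). The length is this example's choice, not a product requirement.
new_key() {
  head -c 24 /dev/urandom | base64 | tr -dc 'A-Za-z0-9'
}

# Run a command, or print it when DRY_RUN=1 so the script can be reviewed
# or tested without live servers.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: on the source PingDirectory server, enable the Changelog Password
# Encryption plugin with the shared key.
enable_changelog_encryption() {
  root=$1; key=$2
  run "$root/bin/dsconfig" $DSCONFIG_OPTS set-plugin-prop \
    --plugin-name "Changelog Password Encryption" \
    --set enabled:true \
    --set "changelog-password-encryption-key:$key"
}

# Step 2: on PingDataSync, set the decryption key to the same value.
set_sync_decryption_key() {
  root=$1; key=$2
  run "$root/bin/dsconfig" $DSCONFIG_OPTS set-global-sync-configuration-prop \
    --set "changelog-password-decryption-key:$key"
}

# Check: read the plugin state back so a mistyped plugin name or a rejected
# change is noticed before data is synchronized.
verify_plugin_enabled() {
  root=$1
  run "$root/bin/dsconfig" $DSCONFIG_OPTS get-plugin-prop \
    --plugin-name "Changelog Password Encryption" --property enabled
}

# Whole procedure: SOURCE_ROOT SYNC_ROOT [KEY]. A key is generated when none
# is given; the same variable is used on both sides so they cannot diverge.
configure_password_sync() {
  source_root=$1; sync_root=$2; key=${3:-$(new_key)}
  enable_changelog_encryption "$source_root" "$key" || return 1
  set_sync_decryption_key "$sync_root" "$key" || return 1
  verify_plugin_enabled "$source_root"
}

# Usage: sh configure-password-sync.sh /opt/pingdirectory /opt/pingdatasync
if [ "$#" -ge 2 ]; then
  configure_password_sync "$1" "$2" "$3"
fi
```

The key is a shared secret: dsconfig in non-interactive mode takes it as a command-line argument, so it is visible in the process listing while the command runs and in shell history if the script is typed in by hand. Run the script from a file rather than interactively, and rotate the key if either server's configuration is exposed.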