You can use the configkeymgr command-line utility to re-encrypt sensitive configuration information and OAuth client secrets.
You should re-encrypt sensitive information after you rotate the configuration encryption keys.
To re-encrypt sensitive configuration information:
- Stop the PingFederate console node.
- Run the configkeymgr utility on the console node:
- If PingFederate is running on Windows, open a command prompt, go to <pf_install>/pingfederate/bin, and run configkeymgr.bat.
- If PingFederate is running on Linux, open a terminal window, go to <pf_install>/pingfederate/bin, and run configkeymgr.sh.
The utility displays its usage help.
The utility offers optional arguments for the
For example, to perform a dry run of the reencrypt command in a Linux environment, enter the following command:
./configkeymgr.sh --reencrypt --dry-run
- Restart the PingFederate console node.
If PingFederate is running in a cluster:
- Replicate the configuration to the engine nodes.
- Run the configkeymgr utility on the engine nodes to re-encrypt data that is not included in the replication archive, such as sensitive data defined in the run.properties file.
You can run the utility on engine nodes without stopping them.