Re-encrypting sensitive information with configuration encryption keys - PingFederate - 11.2

PingFederate Server
bundle
pingfederate-112
ft:publication_title
PingFederate Server
Product_Version_ce
PingFederate 11.2
category
Administrator
Administratorguide
Audience
Capability
ContentType
DeploymentMethod
Guide
Product
Productdocumentation
SingleSignonSSO
Software
SystemAdministrator
pf-112
pingfederate
ContentType_ce
Guide
Guide > Administrator Guide
Product documentation

You can use the configkeymgr command-line utility to re-encrypt sensitive configuration information and OAuth client secrets.

You should re-encrypt sensitive information after you rotate the configuration encryption keys.

To re-encrypt sensitive configuration information:

  1. Stop the PingFederate console node.
  2. Run the configkeymgr utility on the console node:
    • If PingFederate is running on Windows, open a command prompt, go to <pf_install>/pingfederate/bin, and run configkeymgr.bat.
    • If PingFederate is running on Linux, open a terminal window, go to <pf_install>/pingfederate/bin, and run configkeymgr.sh.

    The utility displays its usage help.

  3. Run the reencrypt command.

    The utility offers optional arguments for the reencrypt command.

    For example, to perform a dry run of the reencrypt command in a Linux environment, enter the following command.

    ./configkeymgr.sh --reencrypt --dry-run
  4. Restart the PingFederate console node.
  5. If PingFederate is running in a cluster:
    1. Replicate the configuration to the engine nodes.
    2. Run the configkeymgr utility on the engine nodes to re-encrypt data that is not included in the replication archive, such as sensitive data defined in the run.properties file.
      Note:

      You can run the utility on engine nodes without stopping them.