[midPoint] Is it possible to replace the key in keystore

Ivan Noris ivan.noris at evolveum.com
Thu May 27 16:30:53 CEST 2021


Hi,

this might be interesting for you: 
https://docs.evolveum.com/midpoint/reference/security/crypto/migrating-encryption-keys/

It is possible to migrate to a new encryption key by creating a new key 
and re-encrypting all encrypted information. The documentation above 
describes the possible way. It would probably require further 
configuration for partitioning the task to run with multiple threads/on 
multiple nodes for production.

This page contains information about adding encryption keys: 
https://docs.evolveum.com/midpoint/reference/security/crypto/


The following information is encrypted by default:

- passwords (including User passwords and passwords stored in Resources)

The following information is hashed by default:

- password history (if enabled)

Password for administrator is stored right in the administrator object.

E.g.

    <credentials>
        <password>
            <lastSuccessfulLogin>
                <timestamp>2021-05-27T16:23:02.651+02:00</timestamp>
                <from>0:0:0:0:0:0:0:1</from>
            </lastSuccessfulLogin>
            <previousSuccessfulLogin>
                <timestamp>2021-05-27T15:49:30.171+02:00</timestamp>
                <from>0:0:0:0:0:0:0:1</from>
            </previousSuccessfulLogin>
            <metadata>
                <createTimestamp>2018-10-10T12:27:00.526+02:00</createTimestamp>
                <createChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init</createChannel>
            </metadata>
            <value>
                <t:encryptedData>
                    <t:encryptionMethod>
                        <t:algorithm>http://www.w3.org/2001/04/xmlenc#aes128-cbc</t:algorithm>
                    </t:encryptionMethod>
                    <t:keyInfo>
                        <t:keyName>4HXeUejV93Vd3JuIZz7sbs5bVko=</t:keyName>
                    </t:keyInfo>
                    <t:cipherData>
                        <t:cipherValue>abcd6a/jabcdjj/TUabcdy473T+hC5abcdikxJ/eyDA=</t:cipherValue>
                    </t:cipherData>
                </t:encryptedData>
            </value>
        </password>
    </credentials>

Above you can see the encryption method of the key (AES128-CBC), keyName 
refers to the key from keystore (I don't have an idea how exactly this 
ID is derived from key alias name) and the cipherValue is the encrypted 
password.

So for each password there is also information about key which was used 
for it, so that it can be decrypted again.

In case of hashed passwords the information will be similar, but the 
hash algorithm would be indicated and the password would be obviously 
hashed and not decryptable.

As for the migration between environments... this looks much more 
interesting. Obviously if you export data from one environment, you 
would need to also have the same encryption key. At least for 
re-encryption using the task above.

Hope this helps.

Best regards,

Ivan

On 27. 5. 2021 16:08, Wang, Xiaoshu via midPoint wrote:
>
> Hi, I have a few curious questions.
>
> My understanding is that much info in the repository database is 
> encrypted by the default key in the keystore.jceks of the 
> midpoint.home directory. I wonder if it is possible to change the key.
>
> The reason I ask this question is to imagine the scenario, say, the 
> keystore is somehow compromised or if our school’s policy requires us 
> to change the key once in a while, I wonder if it is possible to 
> change the key without having to start it all over again.
>
> In addition, I wonder what info is encrypted by the key and where 
> it is stored. For instance, I couldn't figure out where the 
> password (or its hash, encrypted form etc.) for the administrator is 
> stored. The reason that I ask this is I am trying to create a new 
> environment, but the DB admin copied from another environment, so I am 
> forced to use the previous keystore. I would like to use a different key 
> for different environments...
>
> Xiaoshu Wang
>

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
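The reply above explains that every encrypted value carries its own t:encryptionMethod and t:keyInfo/t:keyName, so an export can be inventoried by key name before and after a key migration: any value still pointing at the old key name has not been re-encrypted yet. The following Python script is an added example written for this page; it is not midPoint code and not part of the original e-mail. It assumes the "t" prefix maps to midPoint's prism types namespace (http://prism.evolveum.com/xml/ns/public/types-3), uses a constructed, simplified export with placeholder key names and cipher values, and reports per-key usage plus any objects whose encrypted values still reference a key other than the current one.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Assumption: the "t" prefix used in the e-mail snippet is midPoint's prism types
# namespace. The snippet itself did not declare it.
NS = {"t": "http://prism.evolveum.com/xml/ns/public/types-3"}

# Constructed sample export (simplified element layout, placeholder key names and
# cipher values). user-1 and resource-1 still reference the old key; user-2 has
# already been re-encrypted with the new key.
SAMPLE_XML = """<objects xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
  <user oid="user-1">
    <credentials><password><value>
      <t:encryptedData>
        <t:encryptionMethod>
          <t:algorithm>http://www.w3.org/2001/04/xmlenc#aes128-cbc</t:algorithm>
        </t:encryptionMethod>
        <t:keyInfo><t:keyName>OLD-KEY-NAME=</t:keyName></t:keyInfo>
        <t:cipherData><t:cipherValue>PLACEHOLDER-CIPHERTEXT-1=</t:cipherValue></t:cipherData>
      </t:encryptedData>
    </value></password></credentials>
  </user>
  <user oid="user-2">
    <credentials><password><value>
      <t:encryptedData>
        <t:encryptionMethod>
          <t:algorithm>http://www.w3.org/2001/04/xmlenc#aes128-cbc</t:algorithm>
        </t:encryptionMethod>
        <t:keyInfo><t:keyName>NEW-KEY-NAME=</t:keyName></t:keyInfo>
        <t:cipherData><t:cipherValue>PLACEHOLDER-CIPHERTEXT-2=</t:cipherValue></t:cipherData>
      </t:encryptedData>
    </value></password></credentials>
  </user>
  <resource oid="resource-1">
    <connectorConfiguration><password>
      <t:encryptedData>
        <t:encryptionMethod>
          <t:algorithm>http://www.w3.org/2001/04/xmlenc#aes128-cbc</t:algorithm>
        </t:encryptionMethod>
        <t:keyInfo><t:keyName>OLD-KEY-NAME=</t:keyName></t:keyInfo>
        <t:cipherData><t:cipherValue>PLACEHOLDER-CIPHERTEXT-3=</t:cipherValue></t:cipherData>
      </t:encryptedData>
    </password></connectorConfiguration>
  </resource>
</objects>
"""


def encrypted_values(xml_text):
    """Return (object oid, algorithm URI, key name) for every t:encryptedData element.

    Only the metadata is read; the cipherValue itself is never decoded."""
    root = ET.fromstring(xml_text)
    found = []
    for obj in root:  # each top-level child is one exported object
        oid = obj.get("oid", "?")
        for enc in obj.iterfind(".//t:encryptedData", NS):
            algorithm = enc.findtext("t:encryptionMethod/t:algorithm", default="", namespaces=NS)
            key_name = enc.findtext("t:keyInfo/t:keyName", default="", namespaces=NS)
            found.append((oid, algorithm, key_name))
    return found


def key_usage(xml_text):
    """Count how many encrypted values reference each key name."""
    return Counter(key_name for _, _, key_name in encrypted_values(xml_text))


def stale_references(xml_text, current_key_name):
    """List (oid, key name) for values not yet encrypted with the current key.

    After a key migration this should be empty; a non-empty result means the
    re-encryption task has not reached those objects."""
    return [(oid, key_name)
            for oid, _, key_name in encrypted_values(xml_text)
            if key_name != current_key_name]


if __name__ == "__main__":
    for key_name, count in key_usage(SAMPLE_XML).items():
        print(f"key {key_name!r}: {count} encrypted value(s)")
    for oid, key_name in stale_references(SAMPLE_XML, "NEW-KEY-NAME="):
        print(f"object {oid} still encrypted with key {key_name!r}")
```

Run it against a real export by replacing SAMPLE_XML with the file contents; the key name to pass is the one shown in t:keyName on an object you know was re-encrypted with the new key. The script deliberately never touches the keystore or the ciphertext, so it can be run by whoever audits the migration without access to the key material.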
