[midPoint] Is it possible to replace the key in keystore

Wang, Xiaoshu xiaoshuw at email.unc.edu
Thu May 27 16:33:44 CEST 2021


Great. Thanks, I will read it through.

Xiaoshu

From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Ivan Noris via midPoint <midpoint at lists.evolveum.com>
Date: Thursday, May 27, 2021 at 10:31 AM
To: midpoint at lists.evolveum.com <midpoint at lists.evolveum.com>
Cc: Ivan Noris <ivan.noris at evolveum.com>
Subject: Re: [midPoint] Is it possible to replace the key in keystore

Hi,

this might be interesting for you: https://docs.evolveum.com/midpoint/reference/security/crypto/migrating-encryption-keys/

It is possible to migrate to a new encryption key by creating a new key and re-encrypting all encrypted information. The documentation above describes the possible way. It would probably require further configuration for partitioning the task to run with multiple threads/on multiple nodes for production.

This page contains information about adding encryption keys: https://docs.evolveum.com/midpoint/reference/security/crypto/



The following information is encrypted by default:

- passwords (including User passwords and passwords stored in Resources)

The following information is hashed by default:

- password history (if enabled)

Password for administrator is stored right in the administrator object.

E.g.

    <credentials>
        <password>
            <lastSuccessfulLogin>
                <timestamp>2021-05-27T16:23:02.651+02:00</timestamp>
                <from>0:0:0:0:0:0:0:1</from>
            </lastSuccessfulLogin>
            <previousSuccessfulLogin>
                <timestamp>2021-05-27T15:49:30.171+02:00</timestamp>
                <from>0:0:0:0:0:0:0:1</from>
            </previousSuccessfulLogin>
            <metadata>
                <createTimestamp>2018-10-10T12:27:00.526+02:00</createTimestamp>
                <createChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init</createChannel>
            </metadata>
            <value>
                <t:encryptedData>
                    <t:encryptionMethod>
                        <t:algorithm>http://www.w3.org/2001/04/xmlenc#aes128-cbc</t:algorithm>
                    </t:encryptionMethod>
                    <t:keyInfo>
                        <t:keyName>4HXeUejV93Vd3JuIZz7sbs5bVko=</t:keyName>
                    </t:keyInfo>
                    <t:cipherData>
                        <t:cipherValue>abcd6a/jabcdjj/TUabcdy473T+hC5abcdikxJ/eyDA=</t:cipherValue>
                    </t:cipherData>
                </t:encryptedData>
            </value>
        </password>
    </credentials>

Above you can see the encryption method of the key (AES128-CBC), keyName refers to the key from keystore (I don't have an idea how exactly this ID is derived from key alias name) and the cipherValue is the encrypted password.

So for each password there is also information about the key which was used for it, so that it can be decrypted again.

In case of hashed passwords the information will be similar, but the hash algorithm would be indicated and the password would be obviously hashed and not decryptable.

As for the migration between environments... this looks much more interesting. Obviously if you export data from one environment, you would need to also have the same encryption key. At least for re-encryption using the task above.

Hope this helps.

Best regards,

Ivan
On 27. 5. 2021 16:08, Wang, Xiaoshu via midPoint wrote:
Hi, I have a few curious questions.

My understanding is that a lot of information in the repository database is encrypted by the default key in the keystore.jceks of the midpoint.home directory. I wonder if it is possible to change the key.

The reason I ask this question is to imagine the scenario, say, the keystore is somehow compromised or if our school’s policy requires us to change the key once in a while, I wonder if it is possible to change the key without having to start it all over again.

In addition, I wonder what info is encrypted by the key and where it is stored. For instance, I couldn't figure out where the password (or its hash, encrypted form etc.) for the administrator is stored. The reason that I ask this is I am trying to create a new environment, but the DB admin copied from another environment, so I am forced to use the previous keystore. I would like to use a different key for different environments.

Xiaoshu Wang



_______________________________________________

midPoint mailing list

midPoint at lists.evolveum.com

https://lists.evolveum.com/mailman/listinfo/midpoint

--

Ivan Noris

Senior Identity Engineer

evolveum.com
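After re-encrypting with a new key as in the migration guide Ivan links, a practitioner wants to confirm that no exported object still references the old keyName. The following is an added Python example, not midPoint's own code: the sample export is constructed (the old keyName is the one quoted above, the new one is a placeholder, and the element names for the hashed variant are assumed); it matches on local element names, so namespace prefixes do not matter.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of a midPoint object export: alice still has a password under the
# old key quoted in the thread, bob was re-encrypted with the new key, carol's is hashed.
SAMPLE_EXPORT = """<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
    xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
  <user oid="11111111-1111-1111-1111-111111111111"><name>alice</name>
    <credentials><password><value><t:encryptedData>
      <t:encryptionMethod><t:algorithm>http://www.w3.org/2001/04/xmlenc#aes128-cbc</t:algorithm></t:encryptionMethod>
      <t:keyInfo><t:keyName>4HXeUejV93Vd3JuIZz7sbs5bVko=</t:keyName></t:keyInfo>
      <t:cipherData><t:cipherValue>abcd6a/jabcdjj/TUabcdy473T+hC5abcdikxJ/eyDA=</t:cipherValue></t:cipherData>
    </t:encryptedData></value></password></credentials></user>
  <user oid="22222222-2222-2222-2222-222222222222"><name>bob</name>
    <credentials><password><value><t:encryptedData>
      <t:encryptionMethod><t:algorithm>http://www.w3.org/2001/04/xmlenc#aes128-cbc</t:algorithm></t:encryptionMethod>
      <t:keyInfo><t:keyName>NEW-KEY-NAME-PLACEHOLDER=</t:keyName></t:keyInfo>
      <t:cipherData><t:cipherValue>ZmFrZWNpcGhlcnRleHQ=</t:cipherValue></t:cipherData>
    </t:encryptedData></value></password></credentials></user>
  <user oid="33333333-3333-3333-3333-333333333333"><name>carol</name>
    <credentials><password><value><t:hashedData>
      <t:digestMethod><t:algorithm>http://www.w3.org/2001/04/xmlenc#sha256</t:algorithm></t:digestMethod>
      <t:digestValue>ZmFrZWRpZ2VzdA==</t:digestValue>
    </t:hashedData></value></password></credentials></user>
</objects>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the namespace so matching ignores prefixes

def audit_key_usage(xml_text, current_key_name):
    """Count encryptedData elements per keyName and list objects (oid, name) still
    encrypted under a key other than current_key_name; hashed values are only counted."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    per_key, stale, hashed = Counter(), [], 0
    for el in root.iter():
        kind = _local(el.tag)
        if kind == "hashedData":
            hashed += 1  # hashed values carry no key reference: nothing to migrate
        elif kind == "encryptedData":
            key = next((k.text for k in el.iter() if _local(k.tag) == "keyName"), None)
            per_key[key] += 1
            if key != current_key_name:
                obj = el  # climb to the enclosing object: the nearest ancestor with an oid
                while obj is not None and obj.get("oid") is None:
                    obj = parent.get(obj)
                name = next((c.text for c in obj if _local(c.tag) == "name"), None) if obj is not None else None
                stale.append((obj.get("oid") if obj is not None else None, name))
    return dict(per_key), stale, hashed
```

Run it against a full object export before and after the re-encryption task; an empty stale list for the new keyName means the old key can be retired from the keystore.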