<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:14.0pt">Great. Thanks, I will read it through.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt">Xiaoshu<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="color:black">From:
</span></b><span style="color:black">midPoint <midpoint-bounces@lists.evolveum.com> on behalf of Ivan Noris via midPoint <midpoint@lists.evolveum.com><br>
<b>Date: </b>Thursday, May 27, 2021 at 10:31 AM<br>
<b>To: </b>midpoint@lists.evolveum.com <midpoint@lists.evolveum.com><br>
<b>Cc: </b>Ivan Noris <ivan.noris@evolveum.com><br>
<b>Subject: </b>Re: [midPoint] Is it possible to replace the key in keystore<o:p></o:p></span></p>
</div>
<p>Hi,<span style="font-size:11.0pt"><o:p></o:p></span></p>
<p>this might be interesting for you: <a href="https://docs.evolveum.com/midpoint/reference/security/crypto/migrating-encryption-keys/">
https://docs.evolveum.com/midpoint/reference/security/crypto/migrating-encryption-keys/</a><o:p></o:p></p>
<p>It is possible to migrate to a new encryption key by creating a new key and re-encrypting all encrypted information. The documentation above describes the possible way. It would probably require further configuration for partitioning the task to run with
multiple threads/on multiple nodes for production.<o:p></o:p></p>
<p>This page contains information about adding encryption keys: <a href="https://docs.evolveum.com/midpoint/reference/security/crypto/">
https://docs.evolveum.com/midpoint/reference/security/crypto/</a><o:p></o:p></p>
<p><o:p> </o:p></p>
<p>The following information is encrypted by default:<o:p></o:p></p>
<p>- passwords (including User passwords and passwords stored in Resources)<o:p></o:p></p>
<p>The following information is hashed by default:<o:p></o:p></p>
<p>- password history (if enabled)<o:p></o:p></p>
<p>Password for administrator is stored right in the administrator object.<o:p></o:p></p>
<p>E.g.<o:p></o:p></p>
<p> <credentials><br>
<password><br>
<lastSuccessfulLogin><br>
<timestamp>2021-05-27T16:23:02.651+02:00</timestamp><br>
<from>0:0:0:0:0:0:0:1</from><br>
</lastSuccessfulLogin><br>
<previousSuccessfulLogin><br>
<timestamp>2021-05-27T15:49:30.171+02:00</timestamp><br>
<from>0:0:0:0:0:0:0:1</from><br>
</previousSuccessfulLogin><br>
<metadata><br>
<createTimestamp>2018-10-10T12:27:00.526+02:00</createTimestamp><br>
<createChannel><a href="http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init">http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#init</a></createChannel><br>
</metadata><br>
<value><br>
<span style="color:#2042F7"><t:encryptedData><br>
<t:encryptionMethod><br>
<t:algorithm><a href="http://www.w3.org/2001/04/xmlenc#aes128-cbc">http://www.w3.org/2001/04/xmlenc#aes128-cbc</a></t:algorithm><br>
</t:encryptionMethod><br>
<t:keyInfo><br>
<t:keyName>4HXeUejV93Vd3JuIZz7sbs5bVko=</t:keyName><br>
</t:keyInfo><br>
<t:cipherData><br>
<t:cipherValue>abcd6a/jabcdjj/TUabcdy473T+hC5abcdikxJ/eyDA=</t:cipherValue><br>
</t:cipherData><br>
</t:encryptedData></span><br>
</value><br>
</password><br>
</credentials><o:p></o:p></p>
<p>Above you can see the encryption method of the key (AES128-CBC), keyName refers to the key from keystore (I don't have an idea how exactly this ID is derived from key alias name) and tie cipherValue is the encrypted password.<o:p></o:p></p>
<p>So for each password there is also information about key which was used for it, so that it can be decrypted again.<o:p></o:p></p>
<p>In case of hashed passwords the information will be similar, but the hash algorithm would be indicated and the password would be obviously hashed and not decryptable.<o:p></o:p></p>
<p>As for the migration between environments... this looks much more interesting. Obviously if you export data from one environment, you would need to also have the same encryption key. At least for re-encryption using the task above.<o:p></o:p></p>
<p>Hope this helps.<o:p></o:p></p>
<p>Best regards,<o:p></o:p></p>
<p>Ivan<o:p></o:p></p>
<div>
<p class="MsoNormal">On 27. 5. 2021 16:08, Wang, Xiaoshu via midPoint wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:14.0pt">Hi, I have a few curious question.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:14.0pt">My understanding is that many infos in the repository database is encrypted by the default key in the keystore.jceks of the midpoint.home directory. I wonder if it is possible to change the key.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:14.0pt">The reason I ask this question is to imagine the scenario, say, the keystore is somehow compromised or if our school’s policy requires us to change the key once in a while, I wonder if it is possible to change
the key without having to start it all over again.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:14.0pt">In addition, I wonder what info are encrypted by the key and where they are stored. For instance, I couldn’t figure out where the password (or its hash, encrypted form etc.,) for the administrator is stored.
The reason that I ask this is I am trying to create a new environment, but the DB admin copied from another environment, so I am forced to use the previous keystore. I would like to use different key for different environment….</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:14.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:14.0pt">Xiaoshu Wang </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><br>
<br>
<o:p></o:p></span></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>midPoint mailing list<o:p></o:p></pre>
<pre><a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><o:p></o:p></pre>
<pre><a href="https://lists.evolveum.com/mailman/listinfo/midpoint">https://lists.evolveum.com/mailman/listinfo/midpoint</a><o:p></o:p></pre>
</blockquote>
<pre>-- <o:p></o:p></pre>
<pre>Ivan Noris<o:p></o:p></pre>
<pre>Senior Identity Engineer<o:p></o:p></pre>
<pre>evolveum.com<o:p></o:p></pre>
</div>
</body>
</html>