Encryption support

This topic describes the encryption support in IVIG.

Updates to encryption module - Software Stack

The IVIG encryption module secures the keys stored in the product's Java Cryptography Encryption KeyStore (JCEKS).

This topic also describes how to back up and restore the masterKey that IVIG uses for encryption.

Attention: It is recommended that you back up the following files.
  • Current keystore file: ${ISVG_HOME}/data/keystore/itimKeystore.jceks
  • Properties file: ${ISVG_HOME}/data/encryptionKey.properties

The update creates a new keystore, referred to as the master keystore.

Important: You must back up the masterKey. The backup is required if you need to restore the master key after a problem.

To back up or restore the masterKey, run the utilities as described in the following procedures.

To back up the masterKey

Perform the following steps in the IVIG - Software Stack environment.
    • Windows: Navigate to ${ISVG_HOME}/bin/win and open a command prompt.
    • Linux: Navigate to ${ISVG_HOME}/bin/unix and open a command prompt.
  1. Enter the following command:
     backupRestoreMasterKey.cmd backupMasterKey {masterKey_password}
     Where: masterKey_password is a password of your choice. Save this password in a secure location, because you must provide the same password to restore this masterKey.
  2. Copy the encrypted string (masterKey) returned by the command. Save this masterKey in a secure location, because you must provide the same key during the restore operation.

To restore the masterKey

Perform the following steps in the IVIG - Software Stack environment.
    • Windows: Navigate to ${ISVG_HOME}/bin/win and open a command prompt.
    • Linux: Navigate to ${ISVG_HOME}/bin/unix and open a command prompt.
  1. Enter the following command:
     backupRestoreMasterKey.cmd restoreMasterKey {masterKey_password} {masterKey}
     Where: masterKey_password is the same password that was used to back up the masterKey, and masterKey is the same encrypted string that was returned during the backup of the masterKey.
  2. Navigate to ${ISVG_HOME}/data/keystore and verify that the masterKey is created.
  3. Restart the Identity Manager server.
Troubleshooting - Fix Pack installation fails

If the Fix Pack installation fails at any point, perform the following additional steps to revert to the original keystore.
  1. Revert IVIG to the original version (that is, the version on which you applied the new Fix Pack).
  2. Ensure that no new keystore files are present in the ${ISVG_HOME}/data/keystore folder. If the folder contains new keystore files, delete them.
  3. Restore the old JCEKS keystore.
  4. Try re-installing the Fix Pack.

Steps to convert the pre-Fix Pack 3 JCEKS file to the new format

If at any point you want to convert the pre-Fix Pack 3 JCEKS file to the Fix Pack 3 (or later) format, perform these steps.
  1. Check whether the master keystore folder is created at ${ISVG_HOME}/data/keystore.
  2. If it is, run the backup master keystore utility.
  3. Delete both the master keystore and the JCEKS keystore.
  4. Copy the pre-Fix Pack 3 itimKeystore.jceks keystore to ${ISVG_HOME}/data/keystore.
  5. Run the restore master keystore utility.
  6. Restart the IVIG server.

The Fix Pack installer synchronizes the master keystore and updates the JCEKS files across all the nodes. If you encounter encryption errors on any node, verify that its master keystore and JCEKS keystore files are the same as those on a working node.
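The Attention note above asks you to back up the keystore and properties file before the update, and the paragraph above asks you to check that a failing node's keystore files match a working node's. The following POSIX shell script is an added example written for this page; it is not part of the IVIG documentation or the product. It uses the file paths the page gives. The function names, the backup-directory layout, the SHA256SUMS manifest and the placeholder file contents built by make_sample_home are constructed for this example. It does not call backupRestoreMasterKey.cmd; the masterKey password and encrypted string still have to be handled as the procedures above describe.

```shell
#!/bin/sh
# Added example, not IVIG documentation or product code. Backs up the two
# files named in the Attention note into an owner-only, timestamped directory
# with a checksum manifest, verifies that manifest, and compares one node's
# data/keystore directory against a known-good node's copy. Helper names and
# the sample data built by make_sample_home are constructed for this example.

# Print the SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
sum_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# backup_keystore_files ISVG_HOME BACKUP_ROOT
# Copies itimKeystore.jceks and encryptionKey.properties, writes SHA256SUMS
# and prints the backup directory. Returns 1 if a source file is missing.
backup_keystore_files() {
  home=$1; root=$2
  dest="$root/keystore-backup-$(date +%Y%m%d%H%M%S)"
  for rel in data/keystore/itimKeystore.jceks data/encryptionKey.properties; do
    if [ ! -f "$home/$rel" ]; then
      echo "backup: missing $home/$rel" >&2
      return 1
    fi
    mkdir -p "$dest/$(dirname "$rel")"
    cp -p "$home/$rel" "$dest/$rel"
    chmod 600 "$dest/$rel"              # key material: owner read/write only
    echo "$(sum_file "$dest/$rel")  $rel" >> "$dest/SHA256SUMS"
  done
  chmod 700 "$dest"
  echo "$dest"
}

# verify_backup BACKUP_DIR
# Recomputes every checksum listed in SHA256SUMS; returns 1 on any mismatch.
verify_backup() {
  dir=$1; rc=0
  while read -r sum rel; do
    [ "$(sum_file "$dir/$rel")" = "$sum" ] || { echo "verify: $rel altered" >&2; rc=1; }
  done < "$dir/SHA256SUMS"
  return $rc
}

# compare_keystores GOOD_HOME NODE_HOME
# Compares every file under data/keystore on a known-good node with the same
# file on the suspect node; returns 1 if any file is missing or differs.
compare_keystores() {
  good=$1; node=$2; rc=0
  for f in "$good"/data/keystore/*; do
    [ -e "$f" ] || continue
    rel=${f#"$good"/}
    if [ ! -f "$node/$rel" ]; then
      echo "compare: $rel missing on node" >&2; rc=1
    elif [ "$(sum_file "$f")" != "$(sum_file "$node/$rel")" ]; then
      echo "compare: $rel differs from working node" >&2; rc=1
    fi
  done
  return $rc
}

# Constructed sample layout standing in for a real ISVG_HOME so the script
# runs offline; the contents are placeholders, not real key material.
make_sample_home() {
  mkdir -p "$1/data/keystore"
  printf 'placeholder-jceks-bytes\n' > "$1/data/keystore/itimKeystore.jceks"
  printf 'encryption.key=placeholder\n' > "$1/data/encryptionKey.properties"
}

# Walk through backup, verification and node comparison on the sample data.
demo() {
  tmp=$(mktemp -d)
  make_sample_home "$tmp/good"
  make_sample_home "$tmp/node"
  b=$(backup_keystore_files "$tmp/good" "$tmp/backups") \
    && verify_backup "$b" && echo "backup ok: $b"
  compare_keystores "$tmp/good" "$tmp/node" && echo "node matches working node"
  rm -rf "$tmp"
}

# Run the demo only when no real ISVG_HOME is set.
if [ -z "${ISVG_HOME:-}" ]; then demo; fi
```

In a real environment, call backup_keystore_files "$ISVG_HOME" /path/to/secure/backup before you apply the Fix Pack, keep the printed directory alongside the masterKey password and string from the backup procedure, and after an encryption error run compare_keystores with a working node's copy of ${ISVG_HOME} to find which keystore file differs.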