Procedure to perform a key rotation.
You can optionally replace the existing encryption key by performing a
key rotation, for example when the existing key expires or is no longer considered secure.
Perform the following steps on the master domain manager and on each agent in
the environment:
- Generate a new key by running the following keytool command:
  ./keytool -genseckey -alias new_alias_name -keyalg AES -keysize 256 -storepass encrypt_keystore_pwd_in_clear -storetype PKCS12 -keystore encrypt_keystore_file
- Change the localopts file as follows:
  - Add the previous value of the encrypt label parameter to the decrypt label list parameter.
  - Change the value of the encrypt label parameter to new_alias_name.
  For more information about the localopts file, see Setting local options.
If the keystore does not exist, it is created. If it exists, the new key
is added to the keystore alongside the previous ones.
The current Symphony plan keeps using the previous key. To apply the new
setting to the Symphony plan, run the JnextPlan command. The message
boxes are encrypted immediately, and the useropts file is encrypted
as soon as you save the localopts file and launch a CLI command.
Key product files are now encrypted with the new key, while the labels kept in the decrypt label list still allow data encrypted with the previous keys to be read.
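The following POSIX shell script is an added example, not code from the product documentation. It automates the two steps of the procedure above: the keystore step wraps the documented keytool command, and the localopts step moves the alias currently in the encrypt label parameter into the decrypt label list parameter before setting encrypt label to the new alias, so no file encrypted with the previous key becomes unreadable. Two assumptions are made that the page does not state: localopts lines have the form "option name = value", and decrypt label list is a comma-separated list of aliases. KEYTOOL is an assumed environment override for the path to keytool, and the sample localopts content is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the product documentation): automate the key-rotation
# procedure. Assumptions: localopts lines look like "option name = value";
# "decrypt label list" holds comma-separated aliases; KEYTOOL overrides the
# keytool path (defaults to "keytool" on PATH).

# get_option <localopts> <option name>: print the value of one option.
get_option() {
    awk -v key="$2" -F'=' '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
    ' "$1"
}

# generate_key <keystore> <store password> <alias>: add a 256-bit AES key under
# <alias>; the PKCS12 keystore is created if it does not exist (this is the
# documented keytool command with its placeholders turned into parameters).
generate_key() {
    "${KEYTOOL:-keytool}" -genseckey -alias "$3" -keyalg AES -keysize 256 \
        -storepass "$2" -storetype PKCS12 -keystore "$1"
}

# rotate_encrypt_label <localopts> <new alias>: rewrite localopts in place.
# The current encrypt label is prepended to decrypt label list (unless already
# listed; the list is created if absent) and encrypt label becomes <new alias>.
# Refuses to run when no encrypt label is set or when the new alias is the one
# already in use, so an old key is never dropped from the decrypt list by mistake.
rotate_encrypt_label() {
    file="$1"; nxt="$2"
    cur=$(get_option "$file" "encrypt label")
    if [ -z "$cur" ]; then
        echo "rotate_encrypt_label: no 'encrypt label' in $file" >&2; return 1
    fi
    if [ "$cur" = "$nxt" ]; then
        echo "rotate_encrypt_label: '$nxt' is already the encrypt label" >&2; return 1
    fi
    tmp="$file.tmp.$$"
    awk -v cur="$cur" -v nxt="$nxt" '
        /^[ \t]*encrypt label[ \t]*=/ { print "encrypt label = " nxt; next }
        /^[ \t]*decrypt label list[ \t]*=/ {
            seen = 1
            sub(/^[^=]*=[ \t]*/, "")        # keep only the value part
            sub(/[ \t]+$/, "")
            n = split($0, parts, /[ \t]*,[ \t]*/)
            found = 0
            for (i = 1; i <= n; i++) if (parts[i] == cur) found = 1
            list = $0
            if (!found) list = (list == "") ? cur : (cur "," list)
            print "decrypt label list = " list
            next
        }
        { print }
        END { if (!seen) print "decrypt label list = " cur }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demonstration on a constructed localopts file (not a real installation).
demo() {
    dir=$(mktemp -d)
    printf '%s\n' \
        'merge stdlists = yes' \
        "encrypt keystore file = $dir/encrypt.p12" \
        'encrypt label = aes2023' \
        'decrypt label list = aes2022' > "$dir/localopts"
    # Keystore step, only when keytool is available; "changeit1" is a placeholder password.
    if command -v "${KEYTOOL:-keytool}" >/dev/null 2>&1; then
        generate_key "$dir/encrypt.p12" changeit1 aes2024
    fi
    rotate_encrypt_label "$dir/localopts" aes2024
    cat "$dir/localopts"   # encrypt label = aes2024, decrypt label list = aes2023,aes2022
    rm -rf "$dir"
}
demo
```

After the script has run on a node, the documented follow-up still applies: the running Symphony plan keeps the previous key until JnextPlan is run, and because the previous alias remains in decrypt label list, the files it encrypted stay readable in the meantime.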