Saturday, March 16, 2019

Configuring Keystore for IIQ


username@hostname:~> cd /apps/sp/apache-tomcat-8.5.31/webapps/identityiq/WEB-INF/bin/
username@hostname:/apps/sp/apache-tomcat-8.5.31/webapps/identityiq/WEB-INF/bin> ./iiq keystore -j
> addKey

Generate a new encryption key (y/n)?
y
Generating a new encryption key for keystore [/apps/tomcat/webapps/identityiq/WEB-INF/classes/iiq.dat].
New encryption key successfully saved to keystore.
All application servers must be restarted for changes to take effect.
> list
Listing contents for keystore [/apps/tomcat/webapps/identityiq/WEB-INF/classes/iiq.dat].
KeyAlias   Algorithm Format       Object

2          AES    RAW          javax.crypto.spec.SecretKeySpec@17fbb

>quit

Two files, iiq.cfg and iiq.dat, are now present under WEB-INF/classes: iiq.dat is the keystore named in the output above, and iiq.cfg holds the master password that unlocks it.
iiq.cfg
iiq.dat

These two files are the root of trust for every encrypted value in the IIQ database: restrict their file permissions to the account that runs Tomcat, back them up securely, and copy the same pair to every application server in the cluster before restarting. A node that does not have the new keystore cannot decrypt anything encrypted with the new key.

Restart the Application Server.

To confirm that new secrets are encrypted with the new key, connect to the iiq console and run encrypt on a test value. The returned ciphertext starts with 2:, the KeyAlias of the key just added (values encrypted with the default key start with 1:). Existing secrets in the database are not touched by this step; they keep their old prefix until they are re-encrypted.

Changing the Existing Password based on new KeyStore

Navigate to Setup --> Tasks --> New Task --> Encrypted Data Synchronization Task
The task re-encrypts stored secrets with the newest key in the keystore. Each "Disable ... Synchronization" checkbox excludes a category of secrets from that run, so leave unchecked the categories that need to be moved to the new key:

  1. Disable Application Synchronization - Application passwords (connector credentials)
  2. Disable Identity Synchronization - Identity / user passwords
  3. Disable IntegrationConfig Synchronization - passwords stored in IntegrationConfig objects
  4. Convert Encrypted Identity Secrets to Hashing - authentication question answers (secret Q/A) are converted from encryption to hashing instead of being re-encrypted
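After the sync task has run, the only way to be sure nothing is left on the old key is to look at the stored values. The script below is an added example, not part of the original post or of IdentityIQ itself: it scans an exported IIQ XML document for encrypted values, counts them per key alias, and reports how many are still on a key other than the newest one. The export is a constructed sample, and the assumption is that encrypted values have the "<alias>:<base64>" shape seen in the console encrypt output above.

```shell
#!/usr/bin/env bash
# Added example (not IdentityIQ code): count encrypted values per key alias in an
# exported IIQ XML document, so secrets still on an old key are visible after the
# Encrypted Data Synchronization task. Assumes values look like "<alias>:<base64>".

# Constructed sample export: two secrets re-keyed under alias 2, one still on alias 1.
SAMPLE_EXPORT='<?xml version="1.0" encoding="UTF-8"?>
<sailpoint>
  <Application name="Active Directory" type="LDAP">
    <Attributes><Map>
      <entry key="password" value="2:7c2hZqk1Lm9vVx0ZdPwq3Q=="/>
    </Map></Attributes>
  </Application>
  <Application name="Legacy HR" type="JDBC">
    <Attributes><Map>
      <entry key="password" value="1:ACp3HNoC/WVo3eCbfN6R3A=="/>
    </Map></Attributes>
  </Application>
  <IntegrationConfig name="ServiceNow">
    <Attributes><Map>
      <entry key="password" value="2:mX9Qy1bC4eU2nR7pKw0aZg=="/>
    </Map></Attributes>
  </IntegrationConfig>
</sailpoint>'

# Read XML on stdin and print one "alias count" line per key alias found.
count_by_alias() {
  grep -oE '"[0-9]+:[A-Za-z0-9+/=]+"' \
    | sed -E 's/^"([0-9]+):.*$/\1/' \
    | sort -n | uniq -c \
    | awk '{ print $2, $1 }'
}

# Read XML on stdin and print the number of secrets whose alias is not $1
# (the alias of the newest key, e.g. 2 after the addKey above).
stale_count() {
  newest="$1"
  count_by_alias | awk -v n="$newest" '$1 != n { s += $2 } END { print s + 0 }'
}

# Usage: check the constructed sample against key alias 2.
printf '%s\n' "$SAMPLE_EXPORT" | count_by_alias
printf 'secrets still on an older key: %s\n' \
  "$(printf '%s\n' "$SAMPLE_EXPORT" | stale_count 2)"
```

Run it against a real export (for example the output of the console export command redirected to a file, piped into stale_count) after the sync task; a non-zero result means the task's "Disable" options excluded something, or an object was written back by another process with the old key.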