

Configure the Servers to Use an Identical Encryption Key

When you install more than one Enterprise Management Server, each server uses its own encryption key with which to encrypt and decrypt data in the central database. If your environment uses multiple Enterprise Management Servers to write data to and read data from a single central database, each server must use an identical encryption key.

Important! Complete the following steps only if, when you installed the secondary Enterprise Management Server, you did not use the -DFIPS_KEY option to specify the FIPS key that the primary Enterprise Management Server uses.

To configure the servers to use an identical encryption key

  1. Stop JBoss if it is running. Do one of the following:
  2. Configure the Enterprise Management Servers to use an identical encryption key. Do as follows:
    1. Copy the FIPSKey.dat file in the following directory from the primary Enterprise Management Server:
      JBoss_HOME/server/default/deploy/IdentityMinder.ear/config/com/netegrity/config/keys
      
    2. Paste the FIPSKey.dat file in this directory on each secondary Enterprise Management Server.

      A message appears informing you that a file by that name already exists.

    3. Select to overwrite the existing file with the new file.

      The new files are placed in the directory. Each Enterprise Management Server now uses an identical encryption key.

  3. Use the new encryption key to update the AES passwords on each secondary Enterprise Management Server. Do as follows:
    1. Encrypt the clear text password.
    2. Locate the following files on each secondary Enterprise Management Server:
      JBoss_HOME/server/default/conf/login-config.xml
      
      JBoss_HOME/server/default/deploy/properties-service.xml
      
    3. Replace each AES password in the files with the new, encrypted password.
  4. Start JBoss.

    The primary and secondary Enterprise Management Servers now encrypt and decrypt data with an identical encryption key.
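The following added example (not part of this documentation or the product's own tooling) automates steps 2 and 3 on a secondary server: it fingerprints the copied FIPSKey.dat so you can confirm it matches the primary's copy before restarting JBoss, and it replaces every {AES}: password module-option in a login-config.xml document with a freshly encrypted value. The new value is assumed to come from the product's password-encryption step; the encryption routine itself is not shown, and the sample XML is a constructed copy of the snippet in this topic.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample modelled on the login-config.xml snippet in this topic (not a live server file).
SAMPLE_LOGIN_CONFIG = """<application-policy name="imobjectstoredb">
  <authentication>
    <login-module code="com.netegrity.jboss.datasource.PasswordEncryptedLogin" flag="required">
      <module-option name="userName">user1</module-option>
      <module-option name="password">
      {AES}:/lxnvWwAEcYhSmOu3YT3ow==</module-option>
      <module-option name="managedConnectionFactoryName">
      jboss.jca:name=jdbc/objectstore,service=NoTxCM</module-option>
    </login-module>
  </authentication>
</application-policy>"""

AES_PREFIX = "{AES}:"


def key_fingerprint(key_bytes: bytes) -> str:
    """SHA-256 of one FIPSKey.dat copy; the primary and every secondary must agree."""
    return hashlib.sha256(key_bytes).hexdigest()


def keys_match(primary: bytes, secondaries: list[bytes]) -> bool:
    """True only when every secondary's FIPSKey.dat is byte-identical to the primary's."""
    expected = key_fingerprint(primary)
    return all(key_fingerprint(s) == expected for s in secondaries)


def replace_aes_passwords(xml_text: str, new_encrypted: str) -> tuple[str, int]:
    """Swap every {AES}: password module-option for new_encrypted (assumed to be the
    output of the product's encryption step, already carrying the {AES}: prefix).
    A value without the prefix is refused so clear text is never written to the file.
    Returns the updated XML and the number of passwords replaced."""
    if not new_encrypted.startswith(AES_PREFIX):
        raise ValueError("refusing to write a password that is not {AES}-encrypted")
    root = ET.fromstring(xml_text)
    replaced = 0
    for opt in root.iter("module-option"):
        # The snippet breaks the value onto its own line, so strip surrounding whitespace.
        if opt.get("name") == "password" and (opt.text or "").strip().startswith(AES_PREFIX):
            opt.text = new_encrypted
            replaced += 1
    return ET.tostring(root, encoding="unicode"), replaced
```

Run `replace_aes_passwords` over both login-config.xml and properties-service.xml on each secondary and check the returned count against the number of AES passwords you expect; a count of zero means the file was not touched.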

Example: Encrypted AES Password

The following snippet of the login-config.xml file shows an encrypted AES password:

<application-policy name="imobjectstoredb">
	<authentication>
		<login-module code="com.netegrity.jboss.datasource.PasswordEncryptedLogin" 
		flag="required">
			<module-option name="userName">user1</module-option>
			<module-option name="password">
			{AES}:/lxnvWwAEcYhSmOu3YT3ow==</module-option>
			<module-option name="managedConnectionFactoryName">
			jboss.jca:name=jdbc/objectstore,service=NoTxCM</module-option>
		</login-module>
	</authentication>
</application-policy>