You can encrypt an attribute in the user store by specifying an AttributeLevelEncrypt data classification for that attribute in the directory configuration file (directory.xml). When attribute-level encryption is enabled, CA Identity Manager encrypts the value of that attribute before storing it in the user store. The attribute is displayed as clear text in the User Console.
Note: Managing Sensitive Attributes describes methods for displaying sensitive data in the User Console.
If FIPS 140-2 support is enabled, the attribute is encrypted using RC2 encryption or FIPS 140-2 encryption.
Before you implement the attribute-level encryption, note the following points:
Assume that an encrypted attribute is added to a member, admin, owner policy, or an identity policy. CA Identity Manager cannot resolve the policy correctly because it cannot search the attribute.
Consider setting the attribute to searchable="false" in the directory.xml file. For example:
<ImsManagedObjectAttr physicalname="title" description="Title" displayname="Title" valuetype="String" maxlength="0" searchable="false">
    <DataClassification name="AttributeLevelEncrypt"/>
</ImsManagedObjectAttr>
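As an added example (not part of the CA documentation), the following Python script reads a directory.xml fragment and reports every attribute carrying the AttributeLevelEncrypt data classification that is still searchable, which is the condition under which policy resolution fails. The sample XML, the ImsManagedObject wrapper element, and the attribute names ssn and mail are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample directory.xml fragment (not from a real deployment):
# one encrypted attribute correctly marked non-searchable, one encrypted
# attribute that is still searchable, and one that is not encrypted at all.
SAMPLE_DIRECTORY_XML = """<ImsManagedObject name="User">
  <ImsManagedObjectAttr physicalname="title" description="Title"
      displayname="Title" valuetype="String" maxlength="0" searchable="false">
    <DataClassification name="AttributeLevelEncrypt"/>
  </ImsManagedObjectAttr>
  <ImsManagedObjectAttr physicalname="ssn" description="SSN"
      displayname="SSN" valuetype="String" maxlength="0" searchable="true">
    <DataClassification name="AttributeLevelEncrypt"/>
  </ImsManagedObjectAttr>
  <ImsManagedObjectAttr physicalname="mail" description="Email"
      displayname="Email" valuetype="String" maxlength="0" searchable="true"/>
</ImsManagedObject>"""


def encrypted_attributes(xml_text):
    """Return {physicalname: searchable flag} for every attribute that
    carries the AttributeLevelEncrypt data classification."""
    root = ET.fromstring(xml_text)
    result = {}
    # iter() walks the whole tree, so the nesting depth of the
    # ImsManagedObjectAttr elements does not matter.
    for attr in root.iter("ImsManagedObjectAttr"):
        classes = {dc.get("name") for dc in attr.findall("DataClassification")}
        if "AttributeLevelEncrypt" in classes:
            # Assumption: an attribute without an explicit searchable flag
            # is treated as searchable, i.e. flagged for review.
            result[attr.get("physicalname")] = attr.get("searchable", "true").lower()
    return result


def searchable_encrypted_attributes(xml_text):
    """Names of encrypted attributes that are still searchable and therefore
    cannot be resolved correctly if referenced from a policy."""
    return sorted(name for name, flag in encrypted_attributes(xml_text).items()
                  if flag != "false")


if __name__ == "__main__":
    for name in searchable_encrypted_attributes(SAMPLE_DIRECTORY_XML):
        print(f"WARNING: encrypted attribute '{name}' is still searchable")
```

To check a real deployment, pass the contents of directory.xml to searchable_encrypted_attributes instead of the constructed sample.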
Copyright © 2012 CA. All rights reserved.