You can encrypt an attribute in the user store by specifying an AttributeLevelEncrypt data classification for that attribute in the directory configuration file (directory.xml). When attribute-level encryption is enabled, CA IdentityMinder encrypts the value of that attribute before storing it in the user store. The attribute is still displayed as clear text in the User Console.
Note: To prevent attributes from appearing in clear text in screens, you can also add a sensitive data classification element to encrypted attributes. For more information, see How to Add Attribute-Level Encryption.
The attribute is encrypted with RC2, or with FIPS 140-2 compliant encryption if FIPS 140-2 support is enabled. (RC2 itself is not a FIPS 140-2 approved algorithm, so enable FIPS 140-2 support if your environment requires approved cryptography.)
Before you implement attribute-level encryption, note the following points:
If an encrypted attribute is used in a member, admin, or owner policy, or in an identity policy, CA IdentityMinder cannot resolve the policy correctly, because it cannot search on the encrypted value of that attribute.
Consider setting the attribute to searchable="false" in the directory.xml file, for example:
<ImsManagedObjectAttr physicalname="title" description="Title" displayname="Title" valuetype="String" maxlength="0" searchable="false">
<DataClassification name="AttributeLevelEncrypt"/>
</ImsManagedObjectAttr>
When CA IdentityMinder integrates with CA SiteMinder, do not apply attribute-level encryption to the password attribute: new users enter their passwords in clear text at login, and authentication against the encrypted stored value causes login issues.
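The two caveats above can be checked mechanically before a directory.xml is deployed. The following script is an added example, not CA's code: it parses a directory.xml fragment, finds every ImsManagedObjectAttr that carries the AttributeLevelEncrypt data classification, and reports any that is not searchable="false" or that is the password attribute. The sample XML is constructed for the example, and the assumption that the password attribute is marked with wellknown="%PASSWORD%" is not stated on this page.

```python
"""Audit a CA IdentityMinder directory.xml for attribute-level encryption pitfalls.

Added example (not CA's code). It checks the two caveats given in the text:
  1. an attribute with DataClassification name="AttributeLevelEncrypt" should
     be searchable="false", because policies cannot search encrypted values;
  2. the password attribute should not be encrypted at attribute level when
     CA SiteMinder authenticates users.
Assumption: the password attribute is tagged wellknown="%PASSWORD%".
"""
import xml.etree.ElementTree as ET

ENCRYPT_CLASS = "AttributeLevelEncrypt"
PASSWORD_WELLKNOWN = "%PASSWORD%"  # assumed marker for the password attribute

# Constructed sample fragment; a real directory.xml has more elements.
SAMPLE_DIRECTORY_XML = """
<ImsManagedObject name="User" description="User">
  <ImsManagedObjectAttr physicalname="title" description="Title"
      displayname="Title" valuetype="String" maxlength="0" searchable="false">
    <DataClassification name="AttributeLevelEncrypt"/>
  </ImsManagedObjectAttr>
  <ImsManagedObjectAttr physicalname="employeeNumber" description="Employee Number"
      displayname="Employee Number" valuetype="String" maxlength="0" searchable="true">
    <DataClassification name="AttributeLevelEncrypt"/>
  </ImsManagedObjectAttr>
  <ImsManagedObjectAttr physicalname="userPassword" description="Password"
      displayname="Password" valuetype="String" maxlength="0"
      wellknown="%PASSWORD%" searchable="false">
    <DataClassification name="AttributeLevelEncrypt"/>
  </ImsManagedObjectAttr>
  <ImsManagedObjectAttr physicalname="mail" description="Email"
      displayname="Email" valuetype="String" maxlength="0" searchable="true"/>
</ImsManagedObject>
"""


def audit_encrypted_attrs(xml_text: str) -> list:
    """Return a list of findings, one dict per problem found.

    Each finding has keys 'attribute' (physicalname) and 'issue', where issue is
    one of 'searchable-unset', 'searchable-true' or 'password-encrypted'.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for attr in root.iter("ImsManagedObjectAttr"):
        # Only attributes carrying the AttributeLevelEncrypt classification matter.
        encrypted = any(
            dc.get("name") == ENCRYPT_CLASS
            for dc in attr.findall("DataClassification")
        )
        if not encrypted:
            continue
        name = attr.get("physicalname", "?")
        searchable = attr.get("searchable")
        if searchable is None:
            # Not explicitly disabled; the product default is not stated here,
            # so treat an unset flag as something to review.
            findings.append({"attribute": name, "issue": "searchable-unset"})
        elif searchable.strip().lower() != "false":
            findings.append({"attribute": name, "issue": "searchable-true"})
        if attr.get("wellknown") == PASSWORD_WELLKNOWN:
            findings.append({"attribute": name, "issue": "password-encrypted"})
    return findings


if __name__ == "__main__":
    for f in audit_encrypted_attrs(SAMPLE_DIRECTORY_XML):
        print(f"{f['attribute']}: {f['issue']}")
```

Run against a real directory.xml by reading the file into a string and passing it to audit_encrypted_attrs; an empty result means every encrypted attribute is non-searchable and the password attribute is not encrypted.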
Copyright © 2013 CA. All rights reserved.