

How To Add Attribute-Level Encryption

Assume that you have added attribute-level encryption to a CA IdentityMinder directory. CA IdentityMinder automatically encrypts existing clear text attribute values when you save the object that is associated with the attribute. For example, if you encrypt the password attribute, the password is encrypted when the user's profile is saved.

Note: To encrypt the attribute value, the task that you use to save the object must include the attribute. To encrypt the password attribute in the previous example, make sure that the password field is added to the task you use to save the object, such as the Modify User task.

All new objects are created with encrypted values in the user store.

Follow these steps:

  1. Complete one of the following tasks:
  2. Add the following data classification attributes to the attribute that you want to encrypt in the directory.xml file:

    AttributeLevelEncrypt

    Persists the attribute value in an encrypted form in the user store.

    sensitive (optional)

    Hides the attribute value in CA IdentityMinder screens. For example, a password is displayed as asterisks (*).

    For example:

    <ImsManagedObjectAttr physicalname="salary" displayname="Salary" description="salary" valuetype="String" required="false" multivalued="false" maxlength="0" searchable="false">
      <DataClassification name="AttributeLevelEncrypt"/>
      <DataClassification name="sensitive"/>
    </ImsManagedObjectAttr>

  3. If you have created a CA IdentityMinder Directory, associate the directory with an environment.
  4. To force CA IdentityMinder to encrypt all values immediately, modify all objects using the Bulk Loader.

    Note: For more information about the Bulk Loader, see the Administration Guide.
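The following script is an added example, not part of this guide or of CA IdentityMinder. It adds the two DataClassification entries to a named attribute in a directory.xml fragment without duplicating ones already present, and audits for attributes that are marked sensitive (hidden on screen) but not AttributeLevelEncrypt (still stored in clear text). The ImsManagedObject wrapper and the attribute values in the sample are constructed; a real directory.xml has more structure around them.

```python
import xml.etree.ElementTree as ET

# Constructed directory.xml fragment (not a real file): "salary" already carries
# both classifications from the guide; "ssn" is hidden on screen but not encrypted.
SAMPLE_DIRECTORY_XML = """<ImsManagedObject name="User">
  <ImsManagedObjectAttr physicalname="salary" displayname="Salary" description="salary" valuetype="String" required="false" multivalued="false" maxlength="0" searchable="false">
    <DataClassification name="AttributeLevelEncrypt"/>
    <DataClassification name="sensitive"/>
  </ImsManagedObjectAttr>
  <ImsManagedObjectAttr physicalname="ssn" displayname="SSN" description="ssn" valuetype="String" required="false" multivalued="false" maxlength="0" searchable="false">
    <DataClassification name="sensitive"/>
  </ImsManagedObjectAttr>
</ImsManagedObject>
"""

ENCRYPT = "AttributeLevelEncrypt"   # persist the value encrypted in the user store
SENSITIVE = "sensitive"             # hide the value (asterisks) in IdentityMinder screens

def parse(xml_text):
    """Parse a directory.xml fragment into an element tree root."""
    return ET.fromstring(xml_text)

def classifications(attr):
    """Return the set of DataClassification names on one ImsManagedObjectAttr."""
    return {dc.get("name") for dc in attr.findall("DataClassification")}

def add_encryption(root, physicalname, hide=True):
    """Add AttributeLevelEncrypt (and, if hide, sensitive) to the named attribute.
    Idempotent: classifications already present are not duplicated.
    Returns the list of classification names that were actually added."""
    for attr in root.iter("ImsManagedObjectAttr"):
        if attr.get("physicalname") != physicalname:
            continue
        wanted = [ENCRYPT] + ([SENSITIVE] if hide else [])
        have = classifications(attr)
        added = [name for name in wanted if name not in have]
        for name in added:
            ET.SubElement(attr, "DataClassification", name=name)
        return added
    raise KeyError(f"no ImsManagedObjectAttr with physicalname={physicalname!r}")

def sensitive_but_clear(root):
    """Audit: attributes hidden on screen but still persisted in clear text."""
    return sorted(a.get("physicalname") for a in root.iter("ImsManagedObjectAttr")
                  if SENSITIVE in classifications(a) and ENCRYPT not in classifications(a))

if __name__ == "__main__":
    root = parse(SAMPLE_DIRECTORY_XML)
    print("sensitive but clear:", sensitive_but_clear(root))      # ['ssn']
    print("added to ssn:", add_encryption(root, "ssn"))            # ['AttributeLevelEncrypt']
    print("after fix:", sensitive_but_clear(root))                 # []
    print(ET.tostring(root, encoding="unicode"))
```

Remember that the classification only takes effect after the directory is associated with an environment and the objects are re-saved (or run through the Bulk Loader), as the steps above describe.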