PhenixID

PSD1146 – Enable AES encryption in Identity Provisioning

Summary

This PhenixID Solution Document (PSD) is written for PhenixID Identity Provisioning (PIP) 5.1.0 or later.

By default PIP uses DES encryption with an included encryption key. The encryption is used for password values before writing them in the file config.aam.

With PIP 5.1.0 you can change the encryption algorithm used by PIP from DES to AES-128 bit encryption with your own key. How this is done is explained in this PSD.

System Requirements

  • PhenixID Identity Provisioning 5.1.0 or later

Changing from DES to AES

  1. Create an encryption key file
  2. Enable AES-128 bit by adding a global parameter
  3. Save the configuration.
  4. Restart PIP service. PIP will now encrypt and decrypt data using your custom key.

1. Create an encryption key file

The encryption key is just a string of your own choosing, stored in a file. The key file will be used to encrypt and decrypt data.
In this PSD I will create and use a txt-file called MySecretAES128Key.txt with the key Very#Secret(/Key1999.

  1. Create a txt-file MySecretAES128Key.txt
  2. Store the file in, for example, ../PhenixID/Provisioning/Key
  3. Write Very#Secret(/Key1999 into the file (the file must contain only this)
  4. Save the file

Note. This key file needs to be available each time the configuration is reloaded by either the PIP Service or the PIP Configurator. If you are sure that the configuration is NOT reloaded by the service during runtime, you can remove the key file after startup.
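The following script is an added example, not PhenixID tooling, showing how the key file from step 1 can be created and checked. It uses the PSD's example key and file name; the directory path is a relative placeholder chosen for this example, and the check only verifies that the file contains the key byte-for-byte (no trailing newline or extra content) and is readable by the owner only. It makes no assumption about how PIP derives the AES key from the file contents.

```shell
#!/bin/sh
# Added example (not part of the PSD or PhenixID's software).
# Creates the AES key file described in step 1 and verifies it.

KEY_DIR="${KEY_DIR:-./PhenixID/Provisioning/Key}"   # assumption: relative directory for this demo
KEY_FILE="$KEY_DIR/MySecretAES128Key.txt"          # file name from the PSD
KEY='Very#Secret(/Key1999'                          # example key from the PSD

# Write the key file so that it contains exactly the key and nothing else.
create_key_file() {
  umask 077                          # files created from here on are owner-only
  mkdir -p "$KEY_DIR"
  printf '%s' "$KEY" > "$KEY_FILE"   # printf, not echo: no trailing newline is written
  chmod 600 "$KEY_FILE"
}

# Returns 0 when the given file holds exactly $KEY and has no group/other permissions.
verify_key_file() {
  f="$1"
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }

  expected=$(printf '%s' "$KEY" | wc -c | tr -d ' ')
  actual=$(wc -c < "$f" | tr -d ' ')
  if [ "$actual" -ne "$expected" ]; then
    echo "size mismatch ($actual vs $expected bytes): stray newline or extra content?" >&2
    return 1
  fi

  [ "$(cat "$f")" = "$KEY" ] || { echo "content mismatch in $f" >&2; return 1; }

  # Group and other permission bits (columns 5-10 of ls -l) must all be '-'.
  perms=$(ls -l "$f" | cut -c5-10)
  [ "$perms" = "------" ] || { echo "$f is readable by group/other ($perms)" >&2; return 1; }
  return 0
}

# Demonstrates the common mistake: echo appends a newline, so the file no longer
# contains only the key and the check fails.
create_bad_key_file() {
  bad="$KEY_DIR/BadKey.txt"
  mkdir -p "$KEY_DIR"
  echo "$KEY" > "$bad"
  chmod 600 "$bad"
  printf '%s' "$bad"
}
```

Run `create_key_file` once, then `verify_key_file "$KEY_FILE"` before pointing the Aes.Encryption.Key.File parameter at it; the verify step can also be repeated before each service restart to confirm the key file is still present and unchanged.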

2. Add global parameter

In short, you add a global parameter that points to the encryption key file. The presence of this global parameter and its value is the trigger for PIP to use AES instead of DES. By default the parameter is absent, which means PIP uses DES as the default encryption method.

  1. Open the Global Parameters dialog.
  2. Add a new standard parameter called Aes.Encryption.Key.File
  3. Add the file path and file name to the value.
    Example: ../PhenixID/Provisioning/Key/MySecretAES128Key.txt
  4. Save the configuration.
  5. Restart the PIP service.

Remote Configuration

The password for sending a PIP configuration to a remote server will still remain in DES encryption.


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se