This article describes how to change the secret fields encryption keypair in Smart ID Identity Manager. The keys are changed using an application provided by Nexus. This application is referenced as Secret Fields Key Updater in this article.
Some of the use cases where you might need to change the secret fields encryption keypair are:
- You started using a productive Identity Manager installation while still using the supplied, insecure example keys. Those must be replaced by your own keys and any existing secret fields must be re-keyed with those keys.
- You started using an Identity Manager installation based on soft tokens for encrypting secret fields, and you want to improve security by switching to keys generated by a Hardware Security Module (HSM). Any existing secret fields must be re-keyed with the new keys.
- The keys for secret field encryption have been compromised and existing secrets need to be re-keyed with new keys.
- You want to change the keys for encryption of secret fields for any other reason and have existing secret fields in the database.
This is a summary of what must be in place before the migration starts.
Before you start the migration:
Migration per tenant
The secret field store in the database is tenant-aware, even though the descriptors and keys are not.
During the migration, log output is written to filelogs/idm_migration.log.
If necessary, edit log4j.xml to change the location of the log file.
After migration of all tenants
This article is valid for Smart ID 20.06.1 and later.