For additional system protection, it is recommended to encrypt the configuration files after final edits.
Axidian Privilege (Indeed Identity PAM) Components Protection

The distribution kit includes the Configuration Protector utility, which is located in the ..PAM_2.9.0\Indeed-pam-windows\MISC\Core.IdP.EncryptorConfigurationProtector\ folder.

The utility can encrypt the configuration files of the Core, IdP, ProxyApp, SSHProxy and Log Server components.
Run the following commands to encrypt the corresponding configuration files:

Core component:

```powershell
Pam.Tools.Configuration.Protector protect --component Core --file C:\inetpub\wwwroot\pam\core\appsettings.json
```

IdP component:

```powershell
Pam.Tools.Configuration.Protector protect --component Idp --file C:\inetpub\wwwroot\pam\idp\appsettings.json
```

Log Server component:

```powershell
Pam.Tools.Configuration.Protector protect --component LogServer --file C:\inetpub\wwwroot\ls\targetConfigs\sampleDbPamTargetDb.config
```

ProxyApp component:

```powershell
Pam.Tools.Configuration.Protector protect --component ProxyApp --file "C:\Program Files\Indeed Identity\Indeed PAM\Gateway\ProxyApp\appsettings.json"
```

SSHProxy component:

```powershell
Pam.Tools.Configuration.Protector protect --component SshProxy --file "C:\Program Files\Indeed Identity\Indeed PAM\SSH Proxy\appsettings.json"
```
Info: These commands are intended for deployments of the components on Windows. When the components are deployed on Linux, the configuration files are encrypted automatically by the deployment script.
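The five commands above can be driven from one script that skips components not installed on the host, runs the protector for the rest, and confirms that each file's content actually changed. This is an added example, not part of the Axidian/Indeed Identity documentation or distribution kit; the protector folder in $ProtectorDir, the .exe extension on the utility name, and the assumption that "protect" rewrites the file in place are not stated on the page and must be adjusted to the actual kit.

```powershell
# Added example, not from the product documentation. Runs the Configuration
# Protector for each component present on this host and verifies the result.
# Assumptions: the utility lives in $ProtectorDir (adjust to your kit path),
# the executable is Pam.Tools.Configuration.Protector.exe, and "protect"
# rewrites the given file in place.
$ProtectorDir = 'C:\PAM_2.9.0\Indeed-pam-windows\MISC\ConfigurationProtector'   # assumed path
$Protector    = Join-Path $ProtectorDir 'Pam.Tools.Configuration.Protector.exe'   # assumed file name

# Component/file pairs exactly as given in the documentation commands.
$Targets = @(
    @{ Component = 'Core';      File = 'C:\inetpub\wwwroot\pam\core\appsettings.json' },
    @{ Component = 'Idp';       File = 'C:\inetpub\wwwroot\pam\idp\appsettings.json' },
    @{ Component = 'LogServer'; File = 'C:\inetpub\wwwroot\ls\targetConfigs\sampleDbPamTargetDb.config' },
    @{ Component = 'ProxyApp';  File = 'C:\Program Files\Indeed Identity\Indeed PAM\Gateway\ProxyApp\appsettings.json' },
    @{ Component = 'SshProxy';  File = 'C:\Program Files\Indeed Identity\Indeed PAM\SSH Proxy\appsettings.json' }
)

if (-not (Test-Path -LiteralPath $Protector)) {
    throw "Configuration Protector not found at $Protector"
}

$results = foreach ($t in $Targets) {
    # Not every host runs every component; skip the ones that are not installed here.
    if (-not (Test-Path -LiteralPath $t.File)) {
        [pscustomobject]@{ Component = $t.Component; Status = 'not installed'; File = $t.File }
        continue
    }

    $before = (Get-FileHash -LiteralPath $t.File -Algorithm SHA256).Hash
    & $Protector protect --component $t.Component --file $t.File
    if ($LASTEXITCODE -ne 0) {
        [pscustomobject]@{ Component = $t.Component; Status = "failed (exit $LASTEXITCODE)"; File = $t.File }
        continue
    }

    # The page does not describe the encrypted file format, so check the one
    # observable fact available: the content is no longer the plaintext we started with.
    $after  = (Get-FileHash -LiteralPath $t.File -Algorithm SHA256).Hash
    $status = if ($after -ne $before) { 'encrypted' } else { 'unchanged - inspect tool output' }
    [pscustomobject]@{ Component = $t.Component; Status = $status; File = $t.File }
}

$results | Format-Table -AutoSize
```

Run it in an elevated PowerShell session only after the final edits to the configuration files; a file that later needs changes is decrypted with the unprotect command, edited, and protected again.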
To decrypt a configuration file, run the command:

```powershell
Pam.Tools.Configuration.Protector unprotect --file "c:\path\to\configuration\file"
```
Encryption Mechanism Details
Encryption is performed with the AES-256 algorithm using a key set that is generated through the Data Protection API. The keys are stored in the %ProgramData%\Indeed Identity\Indeed PAM\Keys folder.

The keys are encrypted with the Windows Data Protection API bound to the computer (machine scope, not user scope), so any user on that computer can encrypt or decrypt them. If the Data Protection API encryption keys are not synchronized between the instances behind a load balancer, the configuration must be re-encrypted, because the instances hold different keys.
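To make the "bound to a computer" statement concrete, the following added example (not from the product documentation) protects a constructed sample with DPAPI in machine scope and in user scope, shows that both decrypt in the same session, and then runs two operator checks on the Keys folder named above: the folder ACL, which is what actually limits who can recover machine-scope-protected keys, and a file listing that can be compared between load-balanced instances. Only the Keys path is taken from the page; the key file format is not assumed.

```powershell
# Added example, not from the product documentation. Demonstrates the DPAPI
# scope that protects the PAM key set and two checks an operator can run.
Add-Type -AssemblyName System.Security
$Dpapi = [System.Security.Cryptography.ProtectedData]
$Scope = [System.Security.Cryptography.DataProtectionScope]

# Constructed sample material standing in for a key file's content.
$plaintext = 'constructed sample key material'
$sample    = [System.Text.Encoding]::UTF8.GetBytes($plaintext)
$entropy   = $null   # optional DPAPI entropy; none, since the page describes no extra secret

# LocalMachine scope: the blob is tied to this computer's DPAPI master key, so any
# local user or service can unprotect it. CurrentUser scope: tied to this account only.
$machineBlob = $Dpapi::Protect($sample, $entropy, $Scope::LocalMachine)
$userBlob    = $Dpapi::Protect($sample, $entropy, $Scope::CurrentUser)

$fromMachine = [System.Text.Encoding]::UTF8.GetString($Dpapi::Unprotect($machineBlob, $entropy, $Scope::LocalMachine))
$fromUser    = [System.Text.Encoding]::UTF8.GetString($Dpapi::Unprotect($userBlob,    $entropy, $Scope::CurrentUser))
"Machine-scope round trip OK: $($fromMachine -eq $plaintext)"
"User-scope round trip OK:    $($fromUser    -eq $plaintext)"
# Copying $machineBlob to another host and calling Unprotect there throws a
# CryptographicException, because that host has a different machine key. The same
# holds for the PAM key set, which is why unsynchronized instances need re-encryption.

# Check 1: who can read the key files? With machine-scope DPAPI, the folder ACL is
# the only thing limiting which local accounts can recover the keys.
$keysDir = Join-Path $env:ProgramData 'Indeed Identity\Indeed PAM\Keys'
if (Test-Path -LiteralPath $keysDir) {
    (Get-Acl -LiteralPath $keysDir).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize

    # Check 2: list the key files. Run on each load-balanced instance and compare;
    # if the file names differ, the instances hold different key sets.
    Get-ChildItem -LiteralPath $keysDir -File -Recurse |
        Select-Object Name, Length, LastWriteTimeUtc |
        Sort-Object Name |
        Format-Table -AutoSize
} else {
    "Keys folder not present: $keysDir"
}
```

The ACL check is the one to act on: because DPAPI in machine scope does not distinguish between local accounts, restricting the Keys folder to the service accounts that run the PAM components (plus administrators) is what keeps other local users from recovering the key set.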