For additional system protection, encrypt the configuration files once the final edits have been made.
The distribution kit includes the Configuration Protector utility, located in the PAM_2.9.0\Indeed-pam-windows\MISC\ConfigurationProtector\ folder.
The utility can encrypt the configuration files of the Core, IdP, ProxyApp and Log Server components.
Run the following commands to encrypt the corresponding configuration files:
Core component:
    Pam.Tools.Configuration.Protector protect --component Core --file C:\inetpub\wwwroot\pam\core\appsettings.json
IdP component:
    Pam.Tools.Configuration.Protector protect --component Idp --file C:\inetpub\wwwroot\pam\idp\appsettings.json
Log Server component:
    Pam.Tools.Configuration.Protector protect --component LogServer --file C:\inetpub\wwwroot\ls\targetConfigs\PamTargetDb.config
ProxyApp component:
    Pam.Tools.Configuration.Protector protect --component ProxyApp --file "C:\Program Files\Indeed Identity\Indeed PAM\Gateway\ProxyApp\appsettings.json"
To decrypt a configuration file, run:
    Pam.Tools.Configuration.Protector unprotect --file "c:\path\to\configuration\file"
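The following PowerShell script is an added example, not part of the Indeed PAM distribution. It runs the documented `protect` (or `unprotect`) command against all four component files on one host, skipping components that are not installed there, and verifies that each call succeeded and actually changed the file. It assumes that `Pam.Tools.Configuration.Protector` is resolvable from the current directory or `PATH` and that the utility returns a non-zero exit code on failure; neither assumption is stated on the page.

```powershell
# Added example: batch wrapper around the documented Configuration Protector calls.
# Assumptions (not from the page): the utility is on PATH or in the current directory,
# and it exits non-zero on failure.
param(
    [ValidateSet('protect', 'unprotect')]
    [string]$Mode = 'protect'
)

$Protector = 'Pam.Tools.Configuration.Protector'   # assumed resolvable

# Component/file pairs exactly as documented on the page.
$Targets = @(
    @{ Component = 'Core';      File = 'C:\inetpub\wwwroot\pam\core\appsettings.json' },
    @{ Component = 'Idp';       File = 'C:\inetpub\wwwroot\pam\idp\appsettings.json' },
    @{ Component = 'LogServer'; File = 'C:\inetpub\wwwroot\ls\targetConfigs\PamTargetDb.config' },
    @{ Component = 'ProxyApp';  File = 'C:\Program Files\Indeed Identity\Indeed PAM\Gateway\ProxyApp\appsettings.json' }
)

foreach ($t in $Targets) {
    # Not every node hosts every component; skip files that are absent here.
    if (-not (Test-Path -LiteralPath $t.File)) {
        Write-Warning "Skipping $($t.Component): $($t.File) not found on this host"
        continue
    }

    $before = (Get-FileHash -LiteralPath $t.File -Algorithm SHA256).Hash

    if ($Mode -eq 'protect') {
        # Documented form: protect --component <name> --file <path>
        & $Protector protect --component $t.Component --file $t.File
    } else {
        # Documented form: unprotect --file <path> (no --component argument)
        & $Protector unprotect --file $t.File
    }
    if ($LASTEXITCODE -ne 0) {
        throw "$Mode of $($t.Component) failed with exit code $LASTEXITCODE"
    }

    # The utility rewrites the file in place, so its hash must differ afterwards.
    $after = (Get-FileHash -LiteralPath $t.File -Algorithm SHA256).Hash
    if ($before -eq $after) {
        throw "$($t.File) is unchanged after $Mode; check that the right file was targeted"
    }
    Write-Host "$($t.Component): $Mode completed for $($t.File)"
}

# Per the page, the keyset lives under %ProgramData%\Indeed Identity\Indeed PAM\Keys;
# after a successful protect run that folder is expected to exist.
$KeysDir = Join-Path $env:ProgramData 'Indeed Identity\Indeed PAM\Keys'
if ($Mode -eq 'protect' -and -not (Test-Path -LiteralPath $KeysDir)) {
    Write-Warning "Keyset folder $KeysDir not found; verify where the utility stored its keys"
}
```

Because the keyset is bound to the machine, run this script separately on every node that serves the components rather than copying an already-encrypted file between nodes.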
Encryption is performed with the AES-256 algorithm using a keyset generated through the Data Protection API. The keys are stored in the %ProgramData%\Indeed Identity\Indeed PAM\Keys folder.
The keys are encrypted with the Windows Data Protection API in machine scope, that is, bound to the computer rather than to a user account, so any user on that computer can encrypt or decrypt them. If the Data Protection API encryption keys are not synchronized between the instances behind a load balancer, each instance has its own keys and the configuration must be re-encrypted on each instance.