Version: Axidian Privilege 3.0

Security of Passwords and Secret Keys

For additional system protection, it is recommended to encrypt the configuration files after final edits.

Axidian Privilege Components Protection

The distribution kit includes the Configuration Protector utility, located in the following folder:
..PAM_3.0_RU\axidian-pam-tools\configuration-protector\

The utility can encrypt the configuration files of the Core, IdP, ProxyApp and Log Server components. 

Run the following commands to encrypt the corresponding configuration files:

  • Core component:
    Pam.Tools.Configuration.Protector protect --component Core --file C:\inetpub\wwwroot\core\appsettings.json
  • IdP component:
    Pam.Tools.Configuration.Protector protect --component Idp --file C:\inetpub\wwwroot\idp\appsettings.json
  • Log Server component:
    Pam.Tools.Configuration.Protector protect --component LogServer --file C:\inetpub\wwwroot\ls\targetConfigs\PamTargetDb.config
  • ProxyApp component:
    Pam.Tools.Configuration.Protector protect --component ProxyApp --file "C:\Program Files\Axidian\Axidian Privilege\Gateway\ProxyApp\appsettings.json"
Note: These commands are provided for execution when deploying components on Windows. When deploying components on Linux, the configuration files are encrypted automatically when the deployment script is executed.

To decrypt the configuration, run the command:

Pam.Tools.Configuration.Protector unprotect --file "c:\path\to\configuration\file"

Encryption Mechanism Details

Encryption is performed with the AES-256 algorithm using a key set generated by the Data Protection API. The keys are stored in the %ProgramData%\Axidian\Keys folder.

The keys are encrypted using the Windows Data Protection API bound to the computer, so any user on that computer can encrypt or decrypt the keys. If the Data Protection API encryption keys are not synchronized between the instances behind a load balancer, the configuration must be re-encrypted, since the instances will otherwise have different keys.
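The following script is an added example, not part of the Axidian documentation or tooling: it reads the key ring on each load-balanced node, flags any key that is not DPAPI-protected, and warns when the key ids differ between nodes (the situation that requires re-encrypting the configuration). It assumes that %ProgramData%\Axidian\Keys follows the ASP.NET Core Data Protection file-system key repository layout (key-<guid>.xml files); the host names and the admin-share path are placeholders.

```powershell
# Added example, not part of the Axidian documentation: compare the Data Protection
# key rings of load-balanced Axidian Privilege nodes and flag keys stored unprotected.
# Assumptions: %ProgramData%\Axidian\Keys holds ASP.NET Core Data Protection key-ring
# files (key-<guid>.xml, the file-system key repository layout); host names and the
# admin-share path are placeholders to adapt.
param(
    [string[]] $Nodes    = @('pam-node1', 'pam-node2'),    # placeholder host names
    [string]   $KeyShare = 'C$\ProgramData\Axidian\Keys'   # reached as \\<node>\<KeyShare>
)

function Get-DataProtectionKey {
    param([string] $Path)
    Get-ChildItem -Path $Path -Filter 'key-*.xml' -ErrorAction Stop | ForEach-Object {
        [xml] $doc = Get-Content -Path $_.FullName -Raw
        $k = $doc.key
        # A DPAPI-protected key carries <encryptedSecret>; a bare <masterKey>
        # means the AES key material lies on disk in clear text.
        [pscustomobject]@{
            Id      = $k.id
            Created = [datetime] $k.creationDate
            Expires = [datetime] $k.expirationDate
            Dpapi   = ($null -ne $k.descriptor.descriptor.encryptedSecret)
            File    = $_.Name
        }
    }
}

$rings = @{}
foreach ($node in $Nodes) {
    $rings[$node] = @(Get-DataProtectionKey -Path "\\$node\$KeyShare" | Sort-Object Created)
    "{0}: {1} key(s) in ring" -f $node, $rings[$node].Count
    foreach ($key in @($rings[$node] | Where-Object { -not $_.Dpapi })) {
        Write-Warning "$node : key $($key.Id) ($($key.File)) is not DPAPI-protected"
    }
}

# Every node must hold the same key ids; otherwise a configuration file encrypted on
# one node cannot be decrypted on another and has to be re-encrypted.
$reference = ($rings[$Nodes[0]] | ForEach-Object Id | Sort-Object) -join ','
foreach ($node in ($Nodes | Select-Object -Skip 1)) {
    $ids = ($rings[$node] | ForEach-Object Id | Sort-Object) -join ','
    if ($ids -ne $reference) {
        Write-Warning "Key ring on $node differs from $($Nodes[0]); re-encrypt the configuration after synchronizing keys"
    }
}
```

Run it from an account that can read the administrative shares of all nodes; a warning about differing key rings means the protect command must be run again once the keys are synchronized.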