Security of Passwords and Secret Keys
By default, configuration files are encrypted automatically during component installation as an additional protection measure.
While working with the system you may need to edit these configuration files. To do so, remove the encryption, edit the files, and then encrypt them again.
This can be done using a utility on Windows or a script on Linux.
Configuration files of the Core, IdP, ProxyApp and Log Server components are subject to encryption.
Windows Utility
Unencryption
Go to the ..PAM_3.2\axidian-pam-tools\configuration-protector\ folder of the unpacked PAM distribution.
Run PowerShell as administrator.
Run one of the commands to perform unencryption.
Unencryption of all configuration files located in standard directories:
.\Pam.Tools.Configuration.Protector.exe unprotect
Note: the standard location of a component's configuration file is C:\inetpub\wwwroot\<component_name>\appsettings.json.
Unencryption of configuration files of individual components:
.\Pam.Tools.Configuration.Protector.exe unprotect --component enter_component_name
Example:
.\Pam.Tools.Configuration.Protector.exe unprotect --component core
Unencryption of a configuration file located outside the standard directory:
.\Pam.Tools.Configuration.Protector.exe unprotect --component enter_component_name --file "file_path"
Example:
.\Pam.Tools.Configuration.Protector.exe unprotect --component Core --file "C:\inetpub\wwwroot\core\appsettings.json"
Note: the path may be given without quotes if it contains no spaces.
Encryption
Go to the ..PAM_3.2\axidian-pam-tools\configuration-protector\ folder of the unpacked PAM distribution.
Run PowerShell as administrator.
Run one of the commands to perform encryption.
Encryption of all configuration files located in standard directories:
.\Pam.Tools.Configuration.Protector.exe protect
Note: the standard location of a component's configuration file is C:\inetpub\wwwroot\<component_name>\appsettings.json.
Encryption of configuration files of individual components:
.\Pam.Tools.Configuration.Protector.exe protect --component enter_component_name
Example:
.\Pam.Tools.Configuration.Protector.exe protect --component core
Encryption of a configuration file located outside the standard directory:
.\Pam.Tools.Configuration.Protector.exe protect --component enter_component_name --file "file_path"
Example:
.\Pam.Tools.Configuration.Protector.exe protect --component Core --file "C:\inetpub\wwwroot\core\appsettings.json"
Note: the path may be given without quotes if it contains no spaces.
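The Windows procedure above is unprotect, edit, protect. The script below is an added example (it is not part of the Axidian documentation or tooling) that performs that round trip for one component and re-protects the file in a finally block, so a failed edit never leaves the configuration on disk in cleartext. It uses only the documented verbs and switches of Pam.Tools.Configuration.Protector.exe and the standard C:\inetpub\wwwroot\<component_name>\appsettings.json layout; it assumes the tool returns a non-zero exit code on failure, and $SettingName / $NewValue are placeholders for whatever setting you actually need to change. Run it from an elevated PowerShell session.

```powershell
<#
Added example, not Axidian's own code: unprotect one component's configuration,
edit a setting, re-protect it, and check that the edited value is no longer
readable in cleartext. Assumption: the protector exits non-zero on failure.
#>
param(
    [Parameter(Mandatory)] [string]$ToolDir,             # the ...\axidian-pam-tools\configuration-protector folder
    [string]$Component   = 'core',
    [string]$SettingName = 'PlaceholderSetting',         # placeholder: the real key you need to edit
    [string]$NewValue    = 'placeholder-value-edit-me'   # placeholder value
)

$ErrorActionPreference = 'Stop'
$protector  = Join-Path $ToolDir 'Pam.Tools.Configuration.Protector.exe'
$configPath = "C:\inetpub\wwwroot\$Component\appsettings.json"

# The documented procedure requires an elevated PowerShell session.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from PowerShell started as administrator.'
}
if (-not (Test-Path $protector))  { throw "Protector not found: $protector" }
if (-not (Test-Path $configPath)) { throw "Configuration file not found: $configPath" }

function Invoke-Protector {
    param([ValidateSet('unprotect', 'protect')] [string]$Verb)
    & $protector $Verb --component $Component --file $configPath
    if ($LASTEXITCODE -ne 0) { throw "$Verb failed for $configPath (exit code $LASTEXITCODE)" }
}

# Keep a copy of the still-encrypted file so a bad edit can be rolled back.
$backup = "$configPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $configPath -Destination $backup

Invoke-Protector 'unprotect'
try {
    # An unprotected file must parse as JSON; ConvertFrom-Json throws if unprotect did not work.
    $cfg = Get-Content -Path $configPath -Raw | ConvertFrom-Json
    # -Force adds the property if it is missing and overwrites it if it exists.
    $cfg | Add-Member -NotePropertyName $SettingName -NotePropertyValue $NewValue -Force
    $cfg | ConvertTo-Json -Depth 32 | Set-Content -Path $configPath -Encoding UTF8
}
finally {
    # Always re-encrypt, even if the edit above threw, so no plaintext is left behind.
    Invoke-Protector 'protect'
}

# Post-check (heuristic): the value just written must not appear in cleartext any more.
if (Select-String -Path $configPath -Pattern ([regex]::Escape($NewValue)) -Quiet) {
    Write-Warning "$configPath still contains '$NewValue' in cleartext; re-check the protect step."
} else {
    Write-Host "Edited and re-protected $configPath (encrypted backup: $backup)"
}
```

The backup is taken before unprotect, so it is a copy of the encrypted file and can be restored without running the tool; if you ever need a plaintext working copy, delete it as soon as the edit is done. The same sequence applies to the Linux script (protector.sh unprotect / protect), which has no --file switch on this page, so edit the file in its standard location there.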
Linux Script
Unencryption
Go to the directory with the protector script:
cd /etc/axidian/axidian-privilege/tools
Run one of the commands to perform unencryption.
Unencryption of all configuration files located in standard directories:
bash protector.sh unprotect
Unencryption of configuration files of individual components:
bash protector.sh unprotect --component enter_component_name
Example:
bash protector.sh unprotect --component core
Encryption
Go to the directory with the protector script:
cd /etc/axidian/axidian-privilege/tools
Run one of the commands to perform encryption.
Encryption of all configuration files located in standard directories:
bash protector.sh protect
Encryption of configuration files of individual components:
bash protector.sh protect --component enter_component_name
Example:
bash protector.sh protect --component core
Encryption Mechanism Details
Configuration files are encrypted with AES-256 using a key set generated by the Data Protection API. The keys are stored on the Axidian Privilege server and are themselves encrypted with the Windows Data Protection API.
Location of keys:
- Windows Server: %ProgramData%\Axidian\Keys
- Linux: /etc/axidian/axidian-pam/keys
Access rights to this directory are granted only to the Axidian Privilege applications.
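Because the encrypted configuration is only as strong as the protection of the key directory, a practitioner will want to verify the last statement rather than assume it. The following is an added example (not part of the Axidian documentation) that lists every identity allowed access to %ProgramData%\Axidian\Keys on Windows Server that is not on an allow-list, and flags ACL inheritance, which would let broad groups from the parent folder reach the keys. The $Expected list is a placeholder: fill it with the accounts the Axidian Privilege application pools and services actually run under on your server.

```powershell
<#
Added example, not Axidian's own code: report identities that can access the
key directory but are not on the expected allow-list. $Expected is a placeholder.
#>
param(
    [string]$KeyDir = (Join-Path $env:ProgramData 'Axidian\Keys'),   # documented Windows location
    [string[]]$Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')   # placeholder allow-list
)

function Get-UnexpectedKeyAccess {
    param([string]$Path, [string[]]$Allowed)
    if (-not (Test-Path -Path $Path)) { throw "Key directory not found: $Path" }
    $acl = Get-Acl -Path $Path

    # Inherited rules mean the directory receives whatever ProgramData grants its children.
    if (-not $acl.AreAccessRulesProtected) {
        Write-Warning "$Path inherits ACEs from its parent; check that no broad group gains read access that way."
    }

    # Report every Allow entry whose identity is not on the allow-list.
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Where-Object { $Allowed -notcontains $_.IdentityReference.Value } |
        Select-Object @{ n = 'Identity';  e = { $_.IdentityReference.Value } },
                      @{ n = 'Rights';    e = { $_.FileSystemRights } },
                      @{ n = 'Inherited'; e = { $_.IsInherited } }
}

$unexpected = Get-UnexpectedKeyAccess -Path $KeyDir -Allowed $Expected
if ($unexpected) {
    Write-Warning "Identities with access to $KeyDir that are not in the expected list:"
    $unexpected | Format-Table -AutoSize
} else {
    Write-Host "Only the expected identities have access to $KeyDir"
}
```

Run it as part of post-installation verification and again after any change to the IIS application pool identities, since a pool running under a new account without the matching ACL entry will fail to read the keys, while an ACL entry left behind for an old account is an unnecessary reader of the key material.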