Version: Axidian Privilege 3.3

Changing the Encryption Key of the PAM Database

A key is compromised when it becomes known to a third party and can be used by them. If the encryption keys of the PAM databases have been compromised, change the keys by updating the PAM configuration. Keys are rotated with the KeyRotator utility.

Paths to component configuration files are provided in the table.

Component  | Windows                                                        | Linux
KeyRotator | AxidianPAM_3.3\axidian-pam-tools\key-rotator\appsettings.json | /etc/axidian/axidian-privilege/tools/key-rotator/appsettings.json
Core       | C:\inetpub\wwwroot\core\appsettings.json                       | /etc/axidian/axidian-privilege/core/appsettings.json
IdP        | C:\inetpub\wwwroot\idp\appsettings.json                        | /etc/axidian/axidian-privilege/idp/appsettings.json

Setting up KeyRotator configuration

  1. Decrypt the PAM configuration files depending on the installation scheme.

  2. Open the KeyRotator configuration file.

  3. In the Database section, specify the DBMS server type for the Provider parameter: PgSql or MsSql.
    Do not close the file.

    KeyRotator configuration file
    "Database": {
      "Provider": "MsSql", // Specify DBMS
      "PamCore": "PAM_CORE_DB_CONNECTION_STRING",
      "PamIdp": "PAM_IDP_DB_CONNECTION_STRING"
    }
  4. Open the Core configuration file.

  5. In the ConnectionStrings section, copy the value of the PamCore parameter.
    Specify this value in the KeyRotator configuration file in the Database section for the PamCore parameter.

    Core configuration file
    "$schema": "appsettings.schema.json",
    "ConnectionStrings": {
      "PamCore": "a4a1b2e2910371e15b353", // Copy this value
      "JobsQueue": "ecda23a59b856554561ce"
    }
    KeyRotator configuration file
    "Database": {
      "Provider": "MsSql",
      "PamCore": "a4a1b2e2910371e15b353", // Paste the value from the Core component file
      "PamIdp": "PAM_IDP_DB_CONNECTION_STRING"
    }
  6. Open the Idp configuration file.

  7. In the ConnectionStrings section, copy the value of the DefaultConnection parameter.
    Specify this value in the KeyRotator configuration file in the Database section for the PamIdp parameter.

    Idp configuration file
    "ConnectionStrings": {
      "DefaultConnection": "77f6951e7881ed232cd2d", // Copy this value
      "JobsQueue": "0786670f99283fcceee86"
    }
    KeyRotator configuration file
    "Database": {
      "Provider": "MsSql",
      "PamCore": "ENCRYPTED_CfDJ8DpxpXA-mxxMpMmnxTrA",
      "PamIdp": "77f6951e7881ed232cd2d" // Paste the value from the IdP component file
    }
  8. Save the changes in the KeyRotator configuration file.

Encryption key change

Change the encryption keys of the Core or Idp component databases. If both components need new keys, rotate them one after the other (Core, run KeyRotator, then Idp, run KeyRotator again), because the KeyRotator configuration file holds only one pair of old and new keys at a time.

Core Component Database

  1. Generate a new encryption key.

    To generate a key using the KeyGen script:

    1. Run PowerShell as administrator.

    2. Navigate to the PAM installation package at the path AxidianPAM_3.3\axidian-pam-tools\key-gen

    3. Execute the command:

      powershell -ExecutionPolicy Bypass -File dbkeygen.ps1

    4. Save or copy the key that appears in the console, for example, e16155e21c73e86c4792c.

  2. Open the Core configuration file. In the Encryption section, copy the current value of the Key parameter and keep it (it becomes the Secondary key in step 4), then replace it with the new encryption key.

    Core configuration file
    "Encryption": {
      "Primary": {
        "Algorithm": "AES",
        "HashAlgorithm": "SHA512",
        "Key": "1c697af0512e1a20ce099", // Copy the old key, then paste the new key
        "MediaFiles": {
          "Algorithm": "AES"
        }
      }
    }
  3. Open the KeyRotator configuration file.

  4. In the Encryption section, for the Key parameter, specify the new encryption key.
    In the Secondary section, for the Key parameter, specify the value of the old key from the Core configuration file.

    KeyRotator configuration file
    "Encryption": {
      // new encryption settings
      "Primary": {
        "Algorithm": "AES",
        "HashAlgorithm": "SHA512",
        "Key": "e16155e21c73e86c4792c" // Insert the new key
      },
      // old encryption settings
      "Secondary": {
        "Algorithm": "AES",
        "HashAlgorithm": "SHA512",
        "Key": "1c697af0512e1a20ce099" // Insert the old key from the Core component file
      }
    }
  5. Save the changes in the KeyRotator and Core configuration files.

  6. Perform key rotation using the KeyRotator utility.

    1. Navigate to the PAM installation package at  AxidianPAM_3.3\axidian-pam-tools\key-rotator
    2. Run the Pam.Tools.KeyRotator.exe utility.
  7. Encrypt the configuration file and restart the management server.

Idp component database

  1. Generate a new encryption key.

    To generate a key using the KeyGen script:

    1. Run PowerShell as administrator.

    2. Navigate to the PAM installation package at the path AxidianPAM_3.3\axidian-pam-tools\key-gen

    3. Execute the command:

      powershell -ExecutionPolicy Bypass -File dbkeygen.ps1

    4. Save or copy the key that appears in the console, for example, 594d73ab13ead58463da6.

  2. Open the Idp configuration file. In the Encryption section, copy the current value of the Key parameter and keep it (it becomes the Secondary key in step 4), then replace it with the new encryption key.

    Idp configuration file
    "Encryption": {
      "Primary": {
        "Algorithm": "AES",
        "HashAlgorithm": "SHA512",
        "Key": "ceaaa7f6ac059e0140051" // Copy the old key, then paste the new key
      }
    }
  3. Open the KeyRotator configuration file.

  4. In the Encryption section, for the Key parameter, specify the new encryption key.
    In the Secondary section, for the Key parameter, specify the value of the old key from the IdP configuration file.

    KeyRotator configuration file
    "Encryption": {
      // new encryption settings
      "Primary": {
        "Algorithm": "AES",
        "HashAlgorithm": "SHA512",
        "Key": "594d73ab13ead58463da6" // Insert the new key
      },
      // old encryption settings
      "Secondary": {
        "Algorithm": "AES",
        "HashAlgorithm": "SHA512",
        "Key": "ceaaa7f6ac059e0140051" // Insert the old key from the IdP component file
      }
    }
  5. Save the changes in the KeyRotator and IdP configuration files.

  6. Perform key rotation using the KeyRotator utility.

    1. Navigate to the PAM installation package at  AxidianPAM_3.3\axidian-pam-tools\key-rotator
    2. Run the Pam.Tools.KeyRotator.exe utility.
  7. Encrypt the configuration file and restart the management server.
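The script below is an added example and is not part of the Axidian product or its documentation. It performs the "Setting up KeyRotator configuration" steps and the key swap of steps 2 to 5 above for one component at a time, in the PowerShell session an administrator would already be using for dbkeygen.ps1. It assumes: the three appsettings.json files have already been decrypted (step 1) and are plain JSON without the // annotations shown in the snippets on this page; they have the sections and parameter names shown above (Database, ConnectionStrings, Encryption with both Primary and Secondary in the KeyRotator file); the Windows paths from the table (adjust them for Linux); and that an undecrypted value still starts with the ENCRYPTED_ prefix seen in the snippet above, which is treated here as an assumption rather than a documented rule. The new key is passed in as produced by dbkeygen.ps1; the script does not generate keys.

```powershell
# Added example, not Axidian's own tooling. Assumes decrypted, comment-free JSON
# with the layout shown on this page. Requires Windows PowerShell 5.1 or later.

$Paths = @{
    KeyRotator = 'AxidianPAM_3.3\axidian-pam-tools\key-rotator\appsettings.json'
    Core       = 'C:\inetpub\wwwroot\core\appsettings.json'
    Idp        = 'C:\inetpub\wwwroot\idp\appsettings.json'
}

function Read-JsonFile([string]$Path) {
    Get-Content -Path $Path -Raw -Encoding UTF8 | ConvertFrom-Json
}

function Write-JsonFile([string]$Path, $Object) {
    # Timestamped backup before every write. It contains the OLD key in clear text:
    # delete it once the rotation has been verified and the files are re-encrypted.
    $backup = "$Path.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -Path $Path -Destination $backup
    $Object | ConvertTo-Json -Depth 10 | Set-Content -Path $Path -Encoding UTF8
    Write-Host "Wrote $Path (backup: $backup)"
}

# Steps 2-8 of "Setting up KeyRotator configuration": provider plus the two
# connection strings copied from the Core (PamCore) and Idp (DefaultConnection) files.
function Set-KeyRotatorDatabase([ValidateSet('PgSql', 'MsSql')][string]$Provider) {
    $rotator = Read-JsonFile $Paths.KeyRotator
    $core    = Read-JsonFile $Paths.Core
    $idp     = Read-JsonFile $Paths.Idp

    $rotator.Database.Provider = $Provider
    $rotator.Database.PamCore  = $core.ConnectionStrings.PamCore
    $rotator.Database.PamIdp   = $idp.ConnectionStrings.DefaultConnection

    foreach ($v in $rotator.Database.PamCore, $rotator.Database.PamIdp) {
        if ([string]::IsNullOrWhiteSpace($v)) { throw 'Connection string missing in component file.' }
        # Assumption: an undecrypted value keeps the ENCRYPTED_ prefix (see snippet above).
        if ($v -like 'ENCRYPTED_*') { throw 'Connection string is still encrypted: run step 1 (decrypt) first.' }
    }
    Write-JsonFile $Paths.KeyRotator $rotator
}

# Steps 2-5 of "Encryption key change" for ONE component. The component's current
# key becomes KeyRotator Secondary, the new key becomes KeyRotator Primary and the
# component's Primary key. Run it for Core, execute Pam.Tools.KeyRotator.exe, and only
# then run it for Idp: the KeyRotator file holds a single old/new key pair.
function Set-RotationKeys([ValidateSet('Core', 'Idp')][string]$Component, [string]$NewKey) {
    if ([string]::IsNullOrWhiteSpace($NewKey)) { throw 'NewKey is empty: generate it with dbkeygen.ps1 first.' }

    $rotator   = Read-JsonFile $Paths.KeyRotator
    $component = Read-JsonFile $Paths[$Component]
    $current   = $component.Encryption.Primary
    $oldKey    = $current.Key

    if ([string]::IsNullOrWhiteSpace($oldKey)) { throw "$Component file has no Encryption.Primary.Key." }
    if ($oldKey -eq $NewKey) { throw 'New key equals the current key: nothing to rotate.' }

    # Copy the algorithm settings together with the key, so KeyRotator reads the
    # existing data with exactly the parameters it was written with.
    $rotator.Encryption.Secondary.Algorithm     = $current.Algorithm
    $rotator.Encryption.Secondary.HashAlgorithm = $current.HashAlgorithm
    $rotator.Encryption.Secondary.Key           = $oldKey
    $rotator.Encryption.Primary.Algorithm       = $current.Algorithm
    $rotator.Encryption.Primary.HashAlgorithm   = $current.HashAlgorithm
    $rotator.Encryption.Primary.Key             = $NewKey

    $component.Encryption.Primary.Key = $NewKey

    Write-JsonFile $Paths.KeyRotator $rotator
    Write-JsonFile $Paths[$Component] $component
    Write-Host "$Component key staged: old key in Secondary, new key in Primary. Now run Pam.Tools.KeyRotator.exe."
}

# Usage. Key values are the sample values from this page; use the output of dbkeygen.ps1.
Set-KeyRotatorDatabase -Provider 'MsSql'
Set-RotationKeys -Component 'Core' -NewKey 'e16155e21c73e86c4792c'
# ... run Pam.Tools.KeyRotator.exe, then:
# Set-RotationKeys -Component 'Idp' -NewKey '594d73ab13ead58463da6'
```

Two practical points the page's step list leaves implicit: the old key must survive until KeyRotator has finished and the service has been verified, so the script keeps it both in the KeyRotator Secondary section and in a backup copy, and both copies are plaintext secrets that should be removed once the rotation is confirmed and the configuration files are encrypted again; and re-running Set-RotationKeys with the same new key is refused, which prevents a second run from overwriting the Secondary (old) key with a key the data was never encrypted under.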

Encryption and restart of the management server

After modifying the KeyRotator, Core, or IdP configuration files, encrypt the configuration files again and restart the PAM management server. The steps below apply to a Windows (IIS) installation.

  1. Perform encryption of PAM configuration files.

  2. Run PowerShell as administrator.

  3. Launch IIS Manager:

    start inetmgr
  4. Click on the desired server in the left panel.

  5. In the right panel, click Restart.