IdentityIQ Cloud Gateway Configuration

A secret key shipped with the IdentityIQ Cloud Gateway is used to encrypt all sensitive data processed by IdentityIQ Cloud Gateway. SailPoint recommends replacing the secret key shipped with IdentityIQ Cloud Gateway with a secret key that is created for your environment.

Perform the following procedure to set up the encryption key:

  1. Creating the IdentityIQ Cloud Gateway Secret Key: The following command creates a new keystore containing a new secret key:

    keytool -keystore keystoreName -storetype jceks -genseckey -alias alias -keysize 128 -keyAlg AES

    where alias should be a number greater than 1.

    Enter the appropriate values when prompted for setting the keystore password and other details required for creating the keystore.

    For example:

    keytool -keystore cibkeystore.jck -storetype jceks -genseckey -alias 2 -keysize 128 -keyAlg AES

    Note

    When asked to provide two passwords, enter the first password for the keystore and the second for the alias (the key). The keystore password and the alias password must be the same. If different passwords are provided, the following error message appears:

    Given final block not properly padded.

  2. Encrypt the Keystore password using the default secret key: The keystore password is required by IdentityIQ Cloud Gateway to access the secret key. To protect the password, encrypt the keystore password.

    Navigate to cloudGatewayInstallationDir/apache-tomcat-7.0.32/webapps/CloudGateway/WEB-INF/bin and execute the following command:

    cib encrypt keystorePassword

    The above command displays the encrypted value of the keystore password.

  3. Configuring IdentityIQ Cloud Gateway to use the new Secret Key: Edit the iiq.properties file in the cloudGatewayInstallationDir/apache-tomcat-7.0.32/webapps/CloudGateway/WEB-INF/classes directory.

    Uncomment the following lines by deleting the # symbol:

    #keyStore.file=/example/path/filename

    #keyStore.password=/example/path/filename

    Replace the values of keyStore.file and keyStore.password with the full path of the IdentityIQ Cloud Gateway keystore (created in step 1 above) and the encrypted keystore password (created in step 2 above).

    Note

    On Windows, each backslash in the full file path of the keystore must be escaped with a second backslash ('\\'). For example:

    keyStore.file=E:\\identityiqCloudGateway\\keystore\\keyfilename.jck

  4. Encrypt the password that is used to authenticate each request that the IdentityIQ Cloud Gateway should process. This password should be encrypted using the newly created secret key referenced by its alias. Navigate to cloudGatewayInstallationDir/apache-tomcat-7.0.32/webapps/CloudGateway/WEB-INF/bin and execute the following command:

    cib encrypt RequestPassword alias

    where alias is the number specified at the time of creating the secret key.

    The above command displays the encrypted value of the Request password.

    Note

    Every request that is sent from IdentityIQ to the IdentityIQ Cloud Gateway is first authenticated. The request username and request password used for this are defined in the iiq.properties file. The default value for the request username is cibadmin and the default value for the request password is admin. You are strongly advised to change these defaults. For more information, refer to IdentityIQ Cloud Gateway Administrative Operations.

  5. Replace the value of cib.password in the iiq.properties file with the encrypted value obtained in step 4 above.

  6. If you want to change the Cloud Gateway administrator name, change cib.username in the iiq.properties file. By default, it is cibadmin. This request username and request password must be specified when defining the CloudGateway Application in IdentityIQ.

    Note

    If the secret key is created after running the IdentityIQ Cloud Gateway Synchronization Task (as described in Run the IdentityIQ Cloud Gateway Synchronization Task), then the IdentityIQ Cloud Gateway Synchronization Task must be run again after completing step 6 above.
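The following script is an added example, not SailPoint's code or part of the Cloud Gateway distribution. It wraps two checks around the procedure above: it composes the step 1 keytool command after enforcing the rule that the alias is a number greater than 1, and it audits an iiq.properties file for the settings made in steps 3 to 6 (keyStore.file and keyStore.password uncommented and no longer the placeholder, Windows backslashes escaped, cib.username and cib.password no longer the shipped defaults). The two sample properties files it creates are constructed here for demonstration; the ENCRYPTED_..._PLACEHOLDER values stand in for the output of cib encrypt, and the gatewayadmin username is an assumed non-default value.

```shell
#!/bin/sh
# Added example (not SailPoint's code): helpers for reviewing the Cloud Gateway
# secret-key setup. Sample iiq.properties contents below are constructed.

# Print the step-1 keytool invocation after validating the alias argument.
# Returns 1 and prints nothing when the alias is not an integer greater than 1.
keystore_cmd() {
    case "$2" in
        ''|*[!0-9]*) echo "alias must be a number" >&2; return 1 ;;
    esac
    [ "$2" -gt 1 ] || { echo "alias must be greater than 1" >&2; return 1; }
    printf 'keytool -keystore %s -storetype jceks -genseckey -alias %s -keysize 128 -keyAlg AES\n' "$1" "$2"
}

# Print the value of property $2 in file $1; commented (#) lines are ignored,
# so a still-commented keyStore.file yields an empty result.
prop_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$key=//p" "$1" | head -n 1
}

# Audit iiq.properties against steps 3-6. Prints one line per finding and
# returns 1 if there is at least one finding, 0 if the file looks configured.
audit_iiq_properties() {
    rc=0
    ks=$(prop_value "$1" keyStore.file)
    kpw=$(prop_value "$1" keyStore.password)
    user=$(prop_value "$1" cib.username)
    cpw=$(prop_value "$1" cib.password)

    case "$ks" in
        ''|/example/path/*) echo "keyStore.file is commented out, empty, or still the placeholder"; rc=1 ;;
    esac
    case "$kpw" in
        ''|/example/path/*) echo "keyStore.password is commented out, empty, or still the placeholder"; rc=1 ;;
    esac
    # Strip every escaped pair (\\); any backslash left over is a lone one,
    # i.e. a Windows path that was not escaped as the step-3 note requires.
    if printf '%s' "$ks" | sed 's/\\\\//g' | grep -q '\\'; then
        echo "keyStore.file contains an unescaped backslash"; rc=1
    fi
    [ "$user" != "cibadmin" ] || { echo "cib.username is still the default cibadmin"; rc=1; }
    case "$cpw" in
        ''|admin) echo "cib.password is empty or still the plaintext default admin"; rc=1 ;;
    esac
    return $rc
}

tmp=$(mktemp -d)
BAD_FILE="$tmp/iiq.properties.bad"
GOOD_FILE="$tmp/iiq.properties.good"

# Constructed sample: the relevant lines as shipped, before steps 3-6.
cat > "$BAD_FILE" <<'EOF'
#keyStore.file=/example/path/filename
#keyStore.password=/example/path/filename
cib.username=cibadmin
cib.password=admin
EOF

# Constructed sample: escaped Windows keystore path, encrypted values stand in
# as placeholders, and an assumed non-default request username.
cat > "$GOOD_FILE" <<'EOF'
keyStore.file=E:\\identityiqCloudGateway\\keystore\\cibkeystore.jck
keyStore.password=ENCRYPTED_KEYSTORE_PASSWORD_PLACEHOLDER
cib.username=gatewayadmin
cib.password=ENCRYPTED_REQUEST_PASSWORD_PLACEHOLDER
EOF

keystore_cmd cibkeystore.jck 2
echo "--- $BAD_FILE"
audit_iiq_properties "$BAD_FILE" || echo "(defaults still in place)"
echo "--- $GOOD_FILE"
audit_iiq_properties "$GOOD_FILE" && echo "no findings"
```

Run it against the real iiq.properties by calling audit_iiq_properties with that path instead of the constructed samples; a clean result only confirms the settings are present and non-default, not that the encrypted values were produced with the new key, so still restart the gateway and exercise a request afterwards.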

Start the IdentityIQ Cloud Gateway. For more information, see Starting the IdentityIQ Cloud Gateway.