This topic contains 7 replies, has 2 voices, and was last updated by  AMDeveloper 1 week, 4 days ago.

  • #26166
     AMDeveloper 
    Participant

    Hello,

    When we export the configuration through Amster, any password attribute is written to the exported JSON file in encrypted form (assuming we have the transport key, sms.transport.key, in the JCEKS keystore).

    Now, at import time (while standing up another instance of AM in the same site OR a different stand-alone AM), can I send the same encrypted password value as-is through the amster import-config command?
    (assuming that I have already imported the SAME sms.transport.key into the JCEKS keystore of this AM instance)
    OR
    Do I have to first modify the exported JSON file, take out the encrypted value of the password and replace it with the plain-text value, and then finally import the JSON through the import-config command?

    Thanks.

    #26176
     Peter Major 
    Moderator

    As long as the sms.transport.key is present and refers to the same cryptographic key, you should not need to update the JSON files, you should be able to import them as is.

    #26179
     AMDeveloper 
    Participant

    Thanks Peter. That is logical and my expectation too.

    So in that case,
    if the password value is different for the AM instance where I am trying to import the exported JSON files, then do I have to first manually delete the encrypted password from the exported JSON file and replace it with
    1. the plain-text value of the new password
    OR
    2. the new password encrypted out-of-band with the sms.transport.key, replacing the old encrypted value in the JSON file with this new encrypted value?

    Thanks.

    #26182
     Peter Major 
    Moderator

    Trying to import one deployment’s configuration into a different deployment (having different sms.transport.key suggests that we are talking about different deployments) is not a great idea. Each environment should have its own set of password/configuration.

    You are correct nonetheless, either you’ll have to remove the -encrypted attributes from the JSON export and manually enter the passwords in clear text, or somehow generate the new encrypted password values.

    #26184
     AMDeveloper 
    Participant

    Thanks Peter. Appreciate your quick response.
    So both options are acceptable to AM, meaning
    1. I can send the password in clear text
    OR
    2. I can generate the new encrypted password

    I have one question for each scenario.

    If I pick the first one, how would AM differentiate the plain-text value from the encrypted one? After all, both are Strings that amster sends to AM through the import-config command.

    If I pick the second option, does amster have commands to encrypt the plain-text?

    Thanks.

    #26186
     AMDeveloper 
    Participant

    Oh my bad Peter !!!

    If I am sending the encrypted value then I use that element of the exported JSON, e.g.,
    "userpassword-encrypted" : "AAAAA0FFUwIQioF2gBZ843fbyIwzyxix5d3grwITdnaEYKTawfXO7d/X6UMAECvPbg=="

    If I am using the plain-text value then I use the other one:
    "userpassword" : "change it"

    So the only missing piece of the puzzle is: how can I encrypt any plain-text using a given sms.transport.key so that AM can decrypt it and then write it to the config store?

    Thanks.

    #26188
     Peter Major 
    Moderator

    There is no tool or amster command for this. The encryption key only exists at the AM server instances, so your best bet is to configure the password in the new deployment once (manually or using the plain-text approach), and then export the amster configuration including the encrypted passwords.

    #26192
     AMDeveloper 
    Participant

    Thanks Peter. Almost there.

    So if we do not want to store the plain-text password in the JSON file, then I would import the JSON with a null value, e.g., "userpassword" : null

    Once import-config has finished successfully, I will open the console and fill in the password field.

    So even though the password may be a required config field, I believe amster import-config will configure the whole AM instance without it.

    Thanks.
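The two approaches discussed in this thread (strip the `-encrypted` attributes and supply plain text, per Peter Major's reply, or import a `null` placeholder and set the password in the console afterwards, per AMDeveloper's last post) both amount to the same mechanical rewrite of the exported JSON. The script below is an added example and is not part of the thread, nor a ForgeRock or Amster tool. It assumes an export shaped like `{"metadata": ..., "data": {...}}` with attributes named `userpassword` / `userpassword-encrypted` as shown above; the sample document, its attribute values and the nested `proxiedAuthorization` object are constructed for illustration. For every key ending in `-encrypted` it drops that key and writes the plain key with the value from a caller-supplied mapping, or JSON `null` when no value is supplied, and it reports any `-encrypted` keys that remain so the result can be checked before running `import-config`.

```python
import json
from typing import Any, Dict, List, Optional

# Amster writes encrypted secrets under "<attribute>-encrypted" and accepts
# the clear-text form under "<attribute>" (both names appear in the thread).
ENCRYPTED_SUFFIX = "-encrypted"

# Constructed sample export. The overall shape (metadata + data) is an
# assumption about the Amster export format; the values are made up.
SAMPLE_EXPORT = json.dumps({
    "metadata": {"realm": "/", "entityType": "DataStore"},
    "data": {
        "_id": "constructed-datastore",
        "serverHostName": "ds.example.com",
        "userpassword-encrypted": "AAAAA0FFUwIQ...constructed...",
        "proxiedAuthorization": {
            "proxiedAuthorizationPassword-encrypted": "AAAAA0FFUwIQ...constructed...",
        },
    },
})


def rewrite_encrypted_attributes(node: Any, plaintext: Dict[str, Optional[str]]) -> Any:
    """Return a copy of `node` with every "<name>-encrypted" key replaced by
    "<name>" holding plaintext[<name>] (or None, i.e. JSON null, if absent).

    Recurses through nested objects and arrays. If both "<name>" and
    "<name>-encrypted" are present, the encrypted key decides the outcome so
    a stale clear-text value is never silently kept.
    """
    if isinstance(node, list):
        return [rewrite_encrypted_attributes(item, plaintext) for item in node]
    if not isinstance(node, dict):
        return node

    out: Dict[str, Any] = {}
    for key, value in node.items():
        if key.endswith(ENCRYPTED_SUFFIX):
            continue  # handled below, after the plain keys
        out[key] = rewrite_encrypted_attributes(value, plaintext)
    for key in node:
        if key.endswith(ENCRYPTED_SUFFIX):
            plain_key = key[: -len(ENCRYPTED_SUFFIX)]
            out[plain_key] = plaintext.get(plain_key)  # None -> null
    return out


def remaining_encrypted_keys(node: Any, path: str = "") -> List[str]:
    """Dotted paths of every "-encrypted" key still present in `node`."""
    found: List[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            full = f"{path}.{key}" if path else key
            if key.endswith(ENCRYPTED_SUFFIX):
                found.append(full)
            found.extend(remaining_encrypted_keys(value, full))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            found.extend(remaining_encrypted_keys(item, f"{path}[{index}]"))
    return found


def rewrite_export(export_text: str, plaintext: Dict[str, Optional[str]]) -> str:
    """Rewrite one exported JSON document (as text) and return the new text."""
    rewritten = rewrite_encrypted_attributes(json.loads(export_text), plaintext)
    leftovers = remaining_encrypted_keys(rewritten)
    if leftovers:  # should be impossible; guards against future format changes
        raise ValueError(f"encrypted attributes still present: {leftovers}")
    return json.dumps(rewritten, indent=2)


if __name__ == "__main__":
    # Supply only the secret you actually want to set; the other one becomes
    # null and can be filled in from the console after import-config.
    print(rewrite_export(SAMPLE_EXPORT, {"userpassword": "change it"}))
```

The rewritten file now carries a clear-text secret, so treat it like any other credential: generate it on the build host from a secret store or environment variable, never commit it, and delete it once `import-config` has run. As Peter Major notes, once the new deployment has the password configured, a fresh Amster export will contain the `-encrypted` form bound to that deployment's own sms.transport.key, which is the copy worth keeping.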

©2019 ForgeRock