You can generate a new primary encryption key and rotate the existing primary keys within the encryption keystore. The new primary key will be used when encrypting any sensitive data. The old, rotated keys will be used to decrypt existing sensitive data.
To list the current encryption keys, run the Java Key Tool utility (keytool) against the encryption keystore:
Linux: $JAVA_HOME/bin/keytool -list -keystore /opt/netiq/idm/apps/tomcat/conf/encrypt-keys.pkcs12 -storepass encryption-keystore-password -v
Windows: %JAVA_HOME%\bin\keytool -list -keystore c:\opt\netiq\idm\apps\tomcat\conf\encrypt-keys.pkcs12 -storepass encryption-keystore-password -v
To rotate the primary encryption key:
Stop the application server, such as Apache Tomcat. For more information, see Section 3.5.3, Starting and Stopping Apache Tomcat.
Take a backup of the current encryption keystore:
Linux: /opt/netiq/idm/apps/tomcat/conf/encrypt-keys.pkcs12
Windows: c:\opt\netiq\idm\apps\tomcat\conf\encrypt-keys.pkcs12
Run the Master Key Generation utility against the same keystore:
Linux: /opt/netiq/idm/apps/idgov/bin/masterkey-gen.sh -keystore /opt/netiq/idm/apps/tomcat/conf/encrypt-keys.pkcs12 -storepass encryption-keystore-password
Windows: c:\opt\netiq\idm\apps\idgov\bin\masterkey-gen.cmd -keystore c:\opt\netiq\idm\apps\tomcat\conf\encrypt-keys.pkcs12 -storepass encryption-keystore-password
Start the application server, such as Apache Tomcat. For more information, see Section 3.5.3, Starting and Stopping Apache Tomcat.
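The following POSIX shell script is an added example (not part of this documentation or the product) that wraps the rotation procedure above with the two checks an operator would want: a verified backup of the keystore before rotation, and a comparison of the keystore aliases before and after so that you can confirm a new primary key was added and every previous key is still present (the old keys must remain, because they decrypt data encrypted earlier). The keystore path, the password placeholder, the Tomcat stop/start commands and the alias names in the sample keytool listing are all assumptions; the listing itself is constructed sample output, not captured from a real system.

```shell
#!/bin/sh
# Added example: backup + before/after alias check around the primary-key rotation.
# All paths, the password and the stop/start commands are assumptions (override via env).
KEYSTORE="${KEYSTORE:-/opt/netiq/idm/apps/tomcat/conf/encrypt-keys.pkcs12}"
STOREPASS="${STOREPASS:-encryption-keystore-password}"      # placeholder, not a real password
MASTERKEY_GEN="${MASTERKEY_GEN:-/opt/netiq/idm/apps/idgov/bin/masterkey-gen.sh}"
TOMCAT_STOP="${TOMCAT_STOP:-systemctl stop tomcat}"          # assumed; see Section 3.5.3
TOMCAT_START="${TOMCAT_START:-systemctl start tomcat}"       # assumed; see Section 3.5.3

# Copy the keystore to a timestamped backup, verify the copy byte-for-byte,
# and print the backup path. Fails (non-zero) if the copy does not match.
backup_keystore() {
    src="$1"
    dst="${src}.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$src" "$dst" || return 1
    cmp -s "$src" "$dst" || return 1
    printf '%s\n' "$dst"
}

# Read 'keytool -list -v' output on stdin and emit the alias names, sorted, one per line.
aliases_from_listing() {
    sed -n 's/^Alias name: //p' | sort
}

# List the aliases currently in the real keystore (needs keytool on the host).
current_aliases() {
    "$JAVA_HOME/bin/keytool" -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        | aliases_from_listing
}

# Succeed only if every pre-rotation alias still exists (old keys are needed to
# decrypt existing data) and at least one new alias was added (the new primary key).
check_rotation() {
    before="$1"
    after="$2"
    for alias_name in $before; do
        printf '%s\n' "$after" | grep -qxF "$alias_name" || return 1
    done
    n_before=$(printf '%s\n' "$before" | grep -c .)
    n_after=$(printf '%s\n' "$after" | grep -c .)
    [ "$n_after" -gt "$n_before" ]
}

# The documented procedure, wrapped with the checks above. Not run by default.
rotate_primary_key() {
    $TOMCAT_STOP || return 1
    bak=$(backup_keystore "$KEYSTORE") || { echo "backup failed, aborting"; return 1; }
    echo "keystore backed up to $bak"
    pre=$(current_aliases)
    "$MASTERKEY_GEN" -keystore "$KEYSTORE" -storepass "$STOREPASS" || return 1
    post=$(current_aliases)
    check_rotation "$pre" "$post" || { echo "rotation check failed; restore from $bak"; return 1; }
    $TOMCAT_START
}

# Constructed sample keytool output (alias names are invented), used for the offline demo.
LISTING_BEFORE='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: masterkey-20230101
Creation date: Jan 1, 2023
Entry type: SecretKeyEntry
'
LISTING_AFTER='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: masterkey-20230101
Creation date: Jan 1, 2023
Entry type: SecretKeyEntry

Alias name: masterkey-20240601
Creation date: Jun 1, 2024
Entry type: SecretKeyEntry
'

# Offline demonstration on the constructed listings; needs no keystore or keytool.
demo() {
    before=$(printf '%s' "$LISTING_BEFORE" | aliases_from_listing)
    after=$(printf '%s' "$LISTING_AFTER" | aliases_from_listing)
    if check_rotation "$before" "$after"; then
        echo "rotation check: OK (old keys retained, new key added)"
    else
        echo "rotation check: FAILED"
    fi
}
demo
```

To use it against a real system, set KEYSTORE, STOREPASS, TOMCAT_STOP and TOMCAT_START for your installation and call rotate_primary_key; the function refuses to continue if the backup cannot be verified, and it tells you which backup to restore if the post-rotation alias check fails.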