The default security settings are adequate for evaluation purposes. For production, change the default encryption key, and then replace the default user password.
Procedure 14.1. To Change Default Encryption Keys
By default, OpenIDM uses a symmetric encryption key with alias openidm-sym-default. Change this default key before deploying OpenIDM in production.
- Add the new key to the key store.

    $ cd /path/to/openidm/
    $ keytool -genseckey -alias new-sym-key -keyalg AES -keysize 128 \
        -keystore security/keystore.jceks -storetype JCEKS
    Enter keystore password:
    Enter key password for <new-sym-key>
        (RETURN if same as keystore password):
    Re-enter new password:
    $

  Also see openidm/samples/security/keystore_readme.txt.

- Change the alias used in openidm/conf/boot/boot.properties.
Procedure 14.2. To Replace the Default User & Password
After changing the default encryption key, change at least the default user password.
- Use the encrypt command to obtain the encrypted version of the new password.

    $ cd /path/to/openidm/
    $ cli.sh encrypt newpwd
    ...
    -----BEGIN ENCRYPTED VALUE-----
    {
      "$crypto" : {
        "value" : {
          "iv" : "TCoC/YrmiRmINw6jCPB5LQ==",
          "data" : "nCFvBIApIQ7C6k+UPzosaA==",
          "cipher" : "AES/CBC/PKCS5Padding",
          "key" : "openidm-sym-default"
        },
        "type" : "x-simple-encryption"
      }
    }
    ------END ENCRYPTED VALUE------

  The "key" field records the alias of the key that encrypted the value. Once you have changed the alias in boot.properties as described in Procedure 14.1, the output should name your new alias rather than openidm-sym-default.

- Replace the user object in the openidm/db/scripts/mysql/openidm.sql script before setting up MySQL as a repository for OpenIDM. Alternatively, replace the user in the internal user table.
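The following script, added here as an example and not part of OpenIDM's own tooling, wraps both procedures so that each step checks its result: it generates the key, updates the alias in boot.properties, and refuses an encrypted password whose "key" field still names openidm-sym-default. It assumes that OPENIDM_HOME points at the OpenIDM install, that boot.properties carries the alias in a property named openidm.config.crypto.alias (verify the name against your own file), and that cli.sh encrypt prints the "$crypto" JSON in the shape shown above. Because each encrypted value names the alias it was produced with, keep the old key in the keystore until every value encrypted under it has been re-encrypted with the new alias.

```shell
#!/bin/sh
# Added example, not OpenIDM's own code: drive Procedures 14.1 and 14.2 and
# check the outcome instead of trusting it.
# Assumptions (not stated on the page):
#   - OPENIDM_HOME is the OpenIDM install directory;
#   - boot.properties names the alias in openidm.config.crypto.alias
#     (verify against your own boot.properties);
#   - "cli.sh encrypt" prints the "$crypto" JSON in the shape shown above.
set -u

OPENIDM_HOME="${OPENIDM_HOME:-/path/to/openidm}"
NEW_ALIAS="${NEW_ALIAS:-new-sym-key}"

# Constructed sample: the value that "cli.sh encrypt newpwd" printed above,
# embedded so the parsing functions can be exercised without OpenIDM present.
SAMPLE_ENCRYPTED='{ "$crypto" : { "value" : { "iv" : "TCoC/YrmiRmINw6jCPB5LQ==", "data" : "nCFvBIApIQ7C6k+UPzosaA==", "cipher" : "AES/CBC/PKCS5Padding", "key" : "openidm-sym-default" }, "type" : "x-simple-encryption" } }'

# Print the alias recorded in the "key" field of an encrypted value
# (prints nothing if the text carries no such field).
crypto_key_alias() {
    printf '%s\n' "$1" \
        | sed -n 's/.*"key"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
        | head -n 1
}

# Succeed only if the encrypted value ($1) was produced with alias $2.
check_key_alias() {
    [ "$(crypto_key_alias "$1")" = "$2" ]
}

# Print the alias currently configured in a boot.properties file ($1).
get_crypto_alias() {
    sed -n 's/^openidm\.config\.crypto\.alias=[[:space:]]*//p' "$1" | head -n 1
}

# Point boot.properties ($1) at alias $2: replace the property if present,
# otherwise append it. Other properties in the file are left untouched.
set_crypto_alias() {
    if grep -q '^openidm\.config\.crypto\.alias=' "$1"; then
        sed "s/^openidm\.config\.crypto\.alias=.*/openidm.config.crypto.alias=$2/" "$1" \
            > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf 'openidm.config.crypto.alias=%s\n' "$2" >> "$1"
    fi
}

# Procedure 14.1, step 1: generate an AES key under the new alias. keytool
# prompts for the keystore and key passwords, as in the transcript above.
gen_sym_key() {
    keytool -genseckey -alias "$NEW_ALIAS" -keyalg AES -keysize 128 \
        -keystore "$OPENIDM_HOME/security/keystore.jceks" -storetype JCEKS
}

# Procedure 14.2, step 1: encrypt a password and reject the result if its
# "key" field does not name the new alias (boot.properties not updated, or
# OpenIDM not restarted after the change).
encrypt_password() {
    out=$("$OPENIDM_HOME/cli.sh" encrypt "$1") || return 1
    check_key_alias "$out" "$NEW_ALIAS" || {
        echo "encrypted value uses alias '$(crypto_key_alias "$out")'," \
             "expected '$NEW_ALIAS'" >&2
        return 1
    }
    printf '%s\n' "$out"
}

# Run the whole procedure for a new password ($1).
run_all() {
    gen_sym_key || return 1
    set_crypto_alias "$OPENIDM_HOME/conf/boot/boot.properties" "$NEW_ALIAS"
    encrypt_password "$1"
}
```

Source the script and call run_all 'newpwd' from the OpenIDM host; paste the printed encrypted value into the user object in openidm.sql or the internal user table. The parsing helpers can be exercised on SAMPLE_ENCRYPTED first: crypto_key_alias reports openidm-sym-default for it, so check_key_alias against new-sym-key fails, which is exactly the condition encrypt_password treats as an error.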

