6.6 Encrypting Sensitive Identity Applications Data

Any sensitive information associated with the User Application that is stored persistently is encrypted by using the symmetric algorithm AES-128. The master key itself is protected by password-based cryptography using PBEWithSHA1AndDESede. The password is never persisted or stored out of memory.

Information that is encrypted includes (but is not limited to):

  • LDAP administrator user password

  • LDAP guest user password

  • DSS trusted CA keystore password

  • DSS signature key keystore password

  • DSS signature key entry password

However, in a cluster environment, if session failover is enabled, some sensitive data (for example, a login-password for single sign-on) in the user session can be transferred on the network during session replication. This can expose sensitive data to network sniffers. To protect this sensitive data, do one of the following:

  • Enable encryption for JGroups. For information about enabling JGroups encryption, see JGroups Encrypt.

  • Make sure that the cluster is behind a firewall.