Any sensitive information associated with the identity applications that is stored persistently is encrypted with the symmetric algorithm AES-128. The master key itself is protected by password-based cryptography using PBEWithSHA1AndDESede. The password is never persisted or stored anywhere outside of memory.
Information that is encrypted includes (but is not limited to):
LDAP administrator user password
LDAP guest user password
DSS trusted CA keystore password
DSS signature key keystore password
DSS signature key entry password
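The following is an added example, not code from the product documentation, showing the two-level scheme described above in Java JCE: an AES-128 master key is protected under a password with PBEWithSHA1AndDESede, and individual stored secrets are encrypted under the master key. The AES mode (GCM), the iteration count, the salt size and the sample password are assumptions; PBEWithSHA1AndDESede is the legacy PKCS#12 scheme (SHA-1 based KDF with 3DES), which is worth keeping in mind when assessing the design.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

public class MasterKeyDemo {
    static final SecureRandom RNG = new SecureRandom();
    static final int ITERATIONS = 100_000; // assumed; the documentation does not state the count

    // Derive a key-encrypting key from the in-memory password with PBEWithSHA1AndDESede and run the
    // raw AES-128 master key through it in the given mode (ENCRYPT_MODE to store, DECRYPT_MODE to load).
    static byte[] pbeMasterKey(byte[] rawMaster, char[] password, byte[] salt, int mode) throws Exception {
        SecretKey pbeKey = SecretKeyFactory.getInstance("PBEWithSHA1AndDESede")
                .generateSecret(new PBEKeySpec(password));
        Cipher c = Cipher.getInstance("PBEWithSHA1AndDESede");
        c.init(mode, pbeKey, new PBEParameterSpec(salt, ITERATIONS));
        return c.doFinal(rawMaster); // only this ciphertext and the salt are persisted, never the password
    }

    // Encrypt one stored secret (e.g. the LDAP administrator password) under the master key.
    // AES-GCM with a fresh 12-byte IV is assumed; the documentation names AES-128 but not the mode.
    static byte[] encryptSecret(SecretKey master, byte[] plaintext) throws Exception {
        byte[] iv = new byte[12]; RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, master, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length); // layout: IV || ciphertext+tag
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decryptSecret(SecretKey master, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, master, new GCMParameterSpec(128, Arrays.copyOf(blob, 12)));
        return c.doFinal(blob, 12, blob.length - 12); // the GCM tag check fails loudly on tampering
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES"); kg.init(128);
        SecretKey master = kg.generateKey();
        byte[] salt = new byte[8]; RNG.nextBytes(salt);
        char[] password = "constructed-demo-password".toCharArray(); // in practice entered at startup
        byte[] storedKey = pbeMasterKey(master.getEncoded(), password, salt, Cipher.ENCRYPT_MODE);
        byte[] storedSecret = encryptSecret(master, "ldap-admin-secret".getBytes(StandardCharsets.UTF_8));
        // After a restart only storedKey, salt and storedSecret exist on disk; the password is re-entered.
        SecretKey recovered = new SecretKeySpec(pbeMasterKey(storedKey, password, salt, Cipher.DECRYPT_MODE), "AES");
        System.out.println(new String(decryptSecret(recovered, storedSecret), StandardCharsets.UTF_8));
        Arrays.fill(password, '\0'); // wipe the password once it is no longer needed
    }
}
```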
However, in a cluster environment with session failover enabled, some sensitive data in the user session (for example, a login password used for single sign-on) can be transferred over the network during session replication. This can expose sensitive data to network sniffers. To protect this data, do one of the following:
Enable encryption for JGroups. For information about enabling JGroups encryption, see JGroups Encrypt.
Make sure that the cluster is behind a firewall.