Changing the Encryption Key from the Command Line

After installation, you can change the encryption key for the domain from the command line. You must shut down the domain before you change the encryption key.
Use the infasetup command to generate an encryption key and configure the domain to use the new encryption key.
The following infasetup commands generate and change the encryption key:
generateEncryptionKey
    Generates an encryption key in a file named sitekey. If the directory specified for the encryption key contains a file named sitekey, Informatica renames the file to siteKey_old.
migrateEncryptionKey
    Changes the encryption key used to store sensitive data in the Informatica domain.
To change the encryption key for a domain, complete the following steps:
  1. Shut down the domain.
  2. Back up the domain before you change the encryption key.
    To ensure that you can recover the domain if you encounter problems when you change the encryption key, back up the domain before you run the infasetup commands.
  3. To generate an encryption key for the domain, run the infasetup generateEncryptionKey command.
    Specify the encryptionKeyLocation option to generate an encryption key:
    Option: -encryptionKeyLocation (-kl)
    Argument: encryption_key_location
    Description: Directory that contains the current encryption key. The name of the encryption file is sitekey. Informatica renames the current sitekey file to sitekey_old and generates an encryption key in a new file named sitekey in the same directory.
    The installer creates an encryption key during installation and upgrade. You do not need the keyword and domain name options while generating the encryption file sitekey. Make sure that you save a copy of the unique site key. If you lose the site key, you cannot generate the site key again. Do not share the unique site key with others.
  4. To change the encryption key for the domain, run the infasetup migrateEncryptionKey command and specify the location of the old and new encryption key.
    Specify the following options required to change the encryption key for the domain:
    Option: -LocationOfEncryptionKeys (-loc)
    Argument: location_of_encryption_keys
    Description: Directory in which the old encryption key file named siteKey_old and the new encryption key file named siteKey are stored.
    The directory must contain the old and new encryption key files. If the old and new encryption key files are stored in different directories, copy the encryption key files to the same directory.
    If the domain has multiple nodes, this directory must be accessible to any node in the domain where you run the migrateEncryptionKey command.
    When you migrate a multinode domain, all the nodes in the domain must use the same encryption key. To change the encryption key for the domain, run the infasetup migrateEncryptionKey command on all nodes in the domain.
    On UNIX, the file name siteKey_old is case-sensitive. If you manually rename the previous encryption key file, verify that the file name has the correct letter case.

    Option: -IsDomainMigrated (-mig)
    Argument: is_domain_migrated
    Description: Indicates whether the domain has been updated to use the latest encryption key.
    When you run the migrateEncryptionKey command for the first time, set this option to False to indicate that the domain uses the old encryption key.
    After the first time, when you run the migrateEncryptionKey command to update other nodes in the domain, set this option to True to indicate that the domain has been updated to use the latest encryption key. Or, you can run the migrateEncryptionKey command without this option.
    Default is True.
  5. Run the infasetup command on each node in the domain.
    If the domain has multiple nodes, run infasetup migrateEncryptionKey on each node. Run the command on the gateway nodes before you run the command on the worker nodes. You can omit the IsDomainMigrated option after the first time you run the command.
  6. Restart the domain.
    You must upgrade all repository services in the domain to update and encrypt sensitive data in the repositories with the new encryption key. You must also migrate the site key after you upgrade the domain.
  7. Upgrade all Model Repository Services, PowerCenter Repository Services, and Metadata Manager Services.
    You can upgrade a Model Repository Service and a PowerCenter Repository Service in the Administrator tool or at the command prompt. You can upgrade a Metadata Manager Service in the Administrator tool.
    The Metadata Manager Service must be disabled before you can upgrade it.
    To upgrade a service in the Administrator tool, select Manage > Upgrade in the header area. If you select multiple services, the Administrator tool upgrades the services in the correct order.
    To upgrade a service at the command prompt, use the following commands:
    Model Repository Service: infacmd mrs UpgradeContents
    PowerCenter Repository Service: pmrep Upgrade
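
A pre-flight check for the directory passed to -loc in step 4, written as an added example that is not part of the Informatica documentation. The helper name check_key_dir is hypothetical, the default file names are the spellings used in the -loc option description, and the owner-only permission check is an added assumption based on the advice not to share the site key.

```shell
#!/bin/sh
# Added example: pre-flight check for the directory given to
# "infasetup migrateEncryptionKey -loc". Default names follow the -loc option
# description on this page; override them if your files use another spelling.
NEW_KEY_NAME="${NEW_KEY_NAME:-siteKey}"
OLD_KEY_NAME="${OLD_KEY_NAME:-siteKey_old}"

# check_key_dir DIR (hypothetical helper): prints one line per problem and
# returns the number of problems, so 0 means the directory is ready.
check_key_dir() {
    dir=$1
    problems=0
    for name in "$NEW_KEY_NAME" "$OLD_KEY_NAME"; do
        # Compare against the directory listing so the match is exact and
        # case-sensitive even on a case-insensitive file system.
        if ! ls -1A "$dir" 2>/dev/null | grep -qxF -- "$name"; then
            wrong=$(ls -1A "$dir" 2>/dev/null | grep -ixF -- "$name" | head -n 1)
            if [ -n "$wrong" ]; then
                echo "wrong letter case: found '$wrong', expected '$name'"
            else
                echo "missing: $name"
            fi
            problems=$((problems + 1))
            continue
        fi
        if [ ! -s "$dir/$name" ]; then
            echo "empty: $name"
            problems=$((problems + 1))
        fi
        # Assumption (added hardening check): key files carry no group or
        # other permission bits, in line with "do not share the site key".
        mode=$(ls -ldL "$dir/$name" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "too permissive: $name is accessible to group or others"
            problems=$((problems + 1))
        fi
    done
    # A rename that copied the same key twice leaves nothing to migrate to.
    if [ -f "$dir/$NEW_KEY_NAME" ] && [ -f "$dir/$OLD_KEY_NAME" ] &&
        cmp -s "$dir/$NEW_KEY_NAME" "$dir/$OLD_KEY_NAME"; then
        echo "old and new key files are identical"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Stand-alone use: sh check_keys.sh /path/to/key/directory
[ "$#" -eq 0 ] || check_key_dir "$1"
```

Run the check on each node against the same directory you pass to -loc, after generateEncryptionKey and before migrateEncryptionKey.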
