Table of Contents

  1. About the Security Guide
  2. Introduction to Informatica Security
  3. User Authentication
  4. LDAP Security Domains
  5. Kerberos Authentication
  6. Domain Security
  7. SAML Authentication for Informatica Web Applications
  8. Security Management in Informatica Administrator
  9. Users and Groups
  10. Privileges and Roles
  11. Permissions
  12. Audit Reports
  13. Command Line Privileges and Permissions
  14. Custom Roles
  15. Default List of Cipher Suites

Security Guide

Security Guide

Changing the Encryption Key from the Command Line

Changing the Encryption Key from the Command Line

After installation, you can change the encryption key for the domain from the command line. You must shut down the domain before you change the encryption key.
Use the infasetup command to generate an encryption key and configure the domain to use the new encryption key.
The following infasetup commands generate and change the encryption key:
generateEncryptionKey
Generates an encryption key in a file named sitekey. If the directory specified for the encryption key contains a file named sitekey, Informatica renames the file to siteKey_old.
migrateEncryptionKey
Changes the encryption key used to store sensitive data in the Informatica domain.
To change the encryption key for a domain, complete the following steps:
  1. Shut down the domain.
  2. Back up the domain before you change the encryption key.
    To ensure that you can recover the domain if you encounter problems when you change the encryption key, back up the domain before you run the infasetup commands.
  3. To generate an encryption key for the domain, run the infasetup generateEncryptionKey command.
    Specify the following options required to generate an encryption key:
    Option Argument Description
    -keyword
    -kw
    keyword The text string used as the base word from which to generate an encryption key.
    The keyword must meet the following criteria:
    • From 8 to 20 characters long
    • Includes at least one uppercase letter
    • Includes at least one lowercase letter
    • Includes at least one number
    • Does not contain spaces
    -domainName
    -dn
    domain_name Name of the Informatica domain.
    -encryptionKeyLocation
    -kl
    encryption_key_location Directory that contains the current encryption key. The name of the encryption file is sitekey.
    Informatica renames the current sitekey file to sitekey_old and generates an encryption key in a new file named sitekey in the same directory.
  4. To change the encryption key for the domain, run the infasetup migrateEncryptionKey command and specify the location of the old and new encryption key.
    Specify the following options required to change the encryption key for the domain:
    Option Argument Description
    -LocationOfEncryptionKeys
    -loc
    location_of_encryption_keys Directory in which the old encryption key file named siteKey_old and the new encryption key file named siteKey are stored.
    The directory must contain the old and new encryption key files. If the old and new encryption key files are stored in different directories, copy the encryption key files to the same directory.
    If the domain has multiple nodes, this directory must be accessible to any node in the domain where you run the migrateEncryptionKey command.
    On UNIX, the file name siteKey_old is case-sensitive. If you manually rename the previous encryption key file, verify that the file name has the correct letter case.
    -IsDomainMigrated
    -mig
    is_domain_migrated Indicates whether the domain has been updated to use the latest encryption key.
    When you run the migrateEncryptionKey command for the first time, set this option to False to indicate that the domain uses the old encryption key.
    After the first time, when you run the migrateEncryptionKey command to update other nodes in the domain, set this option to True to indicate that the domain has been updated to use the latest encryption key. Or, you can run the migrateEncryptionKey command without this option.
    Default is True.
  5. Run the infasetup command on each node in the domain.
    If the domain has multiple nodes, run infasetup migrateEncryptionKey on each node. Run the command on the gateway nodes before you run the command on the worker nodes. You can omit the IsDomainMigrated option after the first time you run the command.
  6. Restart the domain.
    You must upgrade all repository services in the domain to update and encrypt sensitive data in the repositories with the new encryption key.
  7. Upgrade all Model Repository Services, PowerCenter Repository Services, and Metadata Manager Services.
    You can upgrade a Model Repository Service and a PowerCenter Repository Service in the Administrator tool or at the command prompt. You can upgrade a Metadata Manager Service in the Administrator tool.
    The Metadata Manager Service must be disabled before you can upgrade it.
    To upgrade a service in the Administrator tool, select ManageUpgrade in the header area. If you select multiple services, the Administrator tool upgrades the services in the correct order.
    To upgrade a service at the command prompt, use the following commands:
    Repository Service Type Command
    Model Repository Service infacmd mrs UpgradeContents
    PowerCenter Repository Service pmrep Upgrade

Updated May 17, 2019


Explore Informatica Network