Secure Agent data encryption

The Secure Agent encrypts sensitive data that is stored in the Secure Agent directory, preventing an attacker from copying and running the Secure Agent on another machine. You can change the key that is used to encrypt this data.
When you install a Secure Agent, some of the files in the Secure Agent directory contain sensitive data such as agent credentials, agent proxy credentials, and JDK keystore passwords. If you store connections on the Secure Agent, files on the Secure Agent machine also store the connection credentials.
To encrypt all the information stored within the Secure Agent, Informatica uses AES 256 as the encryption method. This method uses a key that is unique to the Secure Agent. The encryption key is generated using some machine-specific information and can be found in this location: <Secure Agent installation directory>/apps/agentcore/conf.
By default, the encryption key is generated using the following properties:
You can prevent some of these properties from being used to generate the encryption key. For example, if you plan to back up the agent on one machine and restore it on a different machine, you might want to exclude the host name and hardware MAC address. You can also add other properties to make the encryption even more secure. For example, if the Secure Agent is installed on Amazon Web Services, you might add the instance ID or the AMI ID.
You can change the encryption key at any time. To do this, you use the consoleAgentManager rotateDeviceKey command.
The command performs the following actions:
After you run the command, you must also configure the following environment variables:
    INFA_AGENT_EXCLUDE_SEC_PROPS
        Specifies the properties to exclude. Set the value to the same values you excluded in the rotateDeviceKey command.
    INFA_AGENT_ADDITIONAL_SEC_PROPS
        Specifies the properties to add. Set the value to the same values you added in the rotateDeviceKey command.

Changing the data encryption key on Windows

To change the Secure Agent data encryption key, use the consoleAgentManager rotateDeviceKey command.
Back up the Secure Agent installation directory before you change the data encryption key.
The user account you use to change the encryption key must have privileges to delete files in the Secure Agent installation directory and its subdirectories.
Note: During upgrade, there can be two versions of the Data Integration Server running within the maintenance window. Do not change the encryption key until the upgrade has completed and the newer version of the Data Integration Server is the only version that is running.
    1. Stop the Secure Agent.
    2. Open a command prompt as an administrator, and navigate to the following directory:
       <Secure Agent installation directory>/apps/agentcore
    3. Run the following command:
       consoleAgentManager rotateDeviceKey INFA_AGENT_EXCLUDE_SEC_PROPS=<excluded security properties> INFA_AGENT_ADDITIONAL_SEC_PROPS=<additional security properties>
       You can exclude the following properties: OS_TYPE, OS_ARCH, HOSTNAME, and HWD_MAC_ADDR. Separate multiple properties with a comma.
       Additional properties can be any key=value pair. For example, instanceId=<AWS instance ID>,amiId=<AWS AMI ID>. Separate multiple properties with a comma.
       For example, to exclude the Secure Agent machine hostname and hardware MAC address from the encryption key and include the AWS instance ID, run the following command:
       consoleAgentManager rotateDeviceKey INFA_AGENT_EXCLUDE_SEC_PROPS=HOSTNAME,HWD_MAC_ADDR INFA_AGENT_ADDITIONAL_SEC_PROPS=instanceId=<AWS instance ID>
    4. When the command completes successfully, if you excluded security properties, create the system environment variable INFA_AGENT_EXCLUDE_SEC_PROPS, and set the value to the same values that you set in the rotateDeviceKey command.
    5. If you added security properties, create the system environment variable INFA_AGENT_ADDITIONAL_SEC_PROPS, and set the value to the same values that you set in the rotateDeviceKey command.
    6. Restart the machine.
    7. If the Secure Agent doesn't start automatically, restart the Secure Agent.

Changing the data encryption key on Linux

To change the Secure Agent data encryption key, use the consoleAgentManager rotateDeviceKey command.
Back up the Secure Agent installation directory before you change the data encryption key.
Note: During upgrade, there can be two versions of the Data Integration Server running within the maintenance window. Do not change the encryption key until the upgrade has completed and the newer version of the Data Integration Server is the only version that is running.
    1. Stop the Secure Agent.
    2. Navigate to the following directory:
       <Secure Agent installation directory>/apps/agentcore
    3. Run the following command:
       ./consoleAgentManager.sh rotateDeviceKey INFA_AGENT_EXCLUDE_SEC_PROPS=<excluded security properties> INFA_AGENT_ADDITIONAL_SEC_PROPS=<additional security properties>
       You can exclude the following properties: OS_TYPE, OS_ARCH, HOSTNAME, and HWD_MAC_ADDR. Separate multiple properties with a comma.
       Additional properties can be any key=value pair. For example, instanceId=<AWS instance ID>,amiId=<AWS AMI ID>. Separate multiple properties with a comma.
       For example, to exclude the Secure Agent machine hostname and hardware MAC address from the encryption key and include the AWS instance ID, run the following command:
       ./consoleAgentManager.sh rotateDeviceKey INFA_AGENT_EXCLUDE_SEC_PROPS=HOSTNAME,HWD_MAC_ADDR INFA_AGENT_ADDITIONAL_SEC_PROPS=instanceId=<AWS instance ID>
    4. When the command completes successfully, if you excluded security properties, create the environment variable INFA_AGENT_EXCLUDE_SEC_PROPS in the source bash profile, and set the value to the same values that you set in the rotateDeviceKey command.
    5. If you added security properties, create the environment variable INFA_AGENT_ADDITIONAL_SEC_PROPS in the source bash profile, and set the value to the same values that you set in the rotateDeviceKey command.
    6. Restart the Secure Agent.
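Both the Windows and the Linux procedure above hinge on one requirement: the exclude and additional property values passed to rotateDeviceKey must later be set, byte for byte, in INFA_AGENT_EXCLUDE_SEC_PROPS and INFA_AGENT_ADDITIONAL_SEC_PROPS, otherwise the agent cannot rebuild the same key. The following POSIX shell script is an added example written for the Linux procedure; it is not Informatica's code and not part of the Secure Agent. It validates the exclude list against the four property names the page documents, requires every additional property to be a key=value pair, builds the command line from one source of truth, generates the matching export lines for the profile, and checks an existing profile file against the values that were used. The instance ID is a constructed sample value, the script assumes that a variable with no value may simply be left off the command line (the page does not say), and it does not stop, back up or restart the agent; those steps remain manual.

```shell
#!/bin/sh
# Added example for the Linux rotateDeviceKey procedure. Not Informatica code.
# Assumptions: run from <Secure Agent installation directory>/apps/agentcore
# after the agent has been stopped and the directory backed up; an empty
# property list is omitted from the command line rather than passed as "".

# The only properties the documentation allows in INFA_AGENT_EXCLUDE_SEC_PROPS.
ALLOWED_EXCLUDES="OS_TYPE OS_ARCH HOSTNAME HWD_MAC_ADDR"

# validate_excludes "HOSTNAME,HWD_MAC_ADDR": 0 if every item is a documented name.
validate_excludes() {
  excl=$1
  [ -z "$excl" ] && return 0
  old_ifs=$IFS; IFS=,
  for p in $excl; do
    case " $ALLOWED_EXCLUDES " in
      *" $p "*) ;;
      *) IFS=$old_ifs; echo "unknown exclude property: $p" >&2; return 1 ;;
    esac
  done
  IFS=$old_ifs
  return 0
}

# validate_additions "instanceId=i-...,amiId=ami-...": every item must be key=value.
validate_additions() {
  add=$1
  [ -z "$add" ] && return 0
  old_ifs=$IFS; IFS=,
  for kv in $add; do
    case $kv in
      ?*=?*) ;;
      *) IFS=$old_ifs; echo "additional property must be key=value: $kv" >&2; return 1 ;;
    esac
  done
  IFS=$old_ifs
  return 0
}

# build_rotate_cmd <excludes> <additions>: prints the rotateDeviceKey command
# line, or returns 1 (printing nothing) when either list is invalid.
build_rotate_cmd() {
  excl=$1; add=$2
  validate_excludes "$excl" || return 1
  validate_additions "$add" || return 1
  printf './consoleAgentManager.sh rotateDeviceKey'
  [ -n "$excl" ] && printf ' INFA_AGENT_EXCLUDE_SEC_PROPS=%s' "$excl"
  [ -n "$add" ] && printf ' INFA_AGENT_ADDITIONAL_SEC_PROPS=%s' "$add"
  printf '\n'
}

# build_profile_exports <excludes> <additions>: prints the export lines for the
# profile, one per variable, only for the lists that were actually used (steps 4 and 5).
build_profile_exports() {
  excl=$1; add=$2
  [ -n "$excl" ] && printf "export INFA_AGENT_EXCLUDE_SEC_PROPS='%s'\n" "$excl"
  [ -n "$add" ] && printf "export INFA_AGENT_ADDITIONAL_SEC_PROPS='%s'\n" "$add"
  return 0
}

# check_profile <profile-file> <excludes> <additions>: 0 when the exports in the
# profile match the values given to rotateDeviceKey, 1 when they have drifted.
check_profile() {
  prof=$1; excl=$2; add=$3
  got_excl=$(sed -n "s/^export INFA_AGENT_EXCLUDE_SEC_PROPS='\(.*\)'\$/\1/p" "$prof")
  got_add=$(sed -n "s/^export INFA_AGENT_ADDITIONAL_SEC_PROPS='\(.*\)'\$/\1/p" "$prof")
  [ "$got_excl" = "$excl" ] && [ "$got_add" = "$add" ]
}

# Demonstration with the page's example: drop HOSTNAME and HWD_MAC_ADDR so a
# backup can be restored on another host, and bind the key to the AWS instance.
# The instance ID is a constructed sample value.
EXCL="HOSTNAME,HWD_MAC_ADDR"
ADD="instanceId=i-0123456789abcdef0"
echo "# step 3: run this in apps/agentcore"
build_rotate_cmd "$EXCL" "$ADD"
echo "# steps 4 and 5: append this to the profile the agent user sources"
build_profile_exports "$EXCL" "$ADD"
```

Run check_profile after editing the profile and before restarting the agent in step 6; a mismatch it reports is the drift the page's "same values" wording warns against, and catching it before the restart is far cheaper than restoring from the backup taken before the rotation.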