Secure Data Storage
Informatica encrypts sensitive data, such as passwords and secure connection parameters, before it stores the data in the domain configuration repository. Informatica uses a keyword that you provide to create an encryption key with which to encrypt sensitive data.
During installation, you must provide a keyword for the installer to use to generate the encryption key for the domain. All nodes in a domain must use the same encryption key. If you install on multiple nodes, the installer uses the same encryption key for all nodes in the domain. For more information about generating an encryption key for the domain during installation, see the Informatica installation guides.
After installation, you can change the encryption key for the domain. Run the infasetup command to generate an encryption key and change the encryption key for the domain. After you change the encryption key for the domain, you must upgrade the content of the repositories in the domain to update the encrypted data.
Note: You must keep the name of the domain, the keyword for the encryption key, and the encryption key file in a secure location. The domain name, keyword, and encryption key are required when you change the encryption key for the domain or move a repository to another domain. If you lose the encryption key file, you need the keyword to generate the encryption key again. If you lose the keyword and encryption key, you cannot change the encryption key for the domain or move a repository to another domain.
Secure Directory on UNIX
When you install Informatica, the installer creates a directory to store Informatica files that require restricted access, such as the domain encryption key file. On UNIX, the installer assigns different permissions for the directory and the files in the directory.
By default, the installer creates the following directory within the Informatica installation directory to store the encryption key: <INFA_HOME>/isp/config/keys
The /keys directory contains the encryption key file for the node. If you configure the domain to use Kerberos authentication, the directory also contains the Kerberos keytab files.
During installation, you can specify a different directory in which to store the encryption file. The installer assigns the same permissions to the specified directory as the default directory.
The /keys directory and the files in the directory have the following permissions:
- Directory Permissions
- The owner of the directory has -wx permissions to the directory but no r permission. The owner of the directory is the user account used to run the installer. The group to which the owner belongs also has -wx permissions to the directory but no r permission.
For example, the user account ediqa owns the directory and belongs to the infaadmin group. The ediqa user account and the infaadmin group have the following permissions: -wx-wx---
The ediqa user account and the infaadmin group can write to and run files in the directory. They cannot display the list of files in directory but they can list a specific file by name.
- If you know the name of a file in the directory, you can copy the file from the directory to another location. If you do not know the name of the file, you must change the permission for the directory to include the read permission before you can copy the file. You can use the command chmod 730 to give read permission to the owner of the directory and subdirectories.
For example, you need to copy the encryption key file named siteKey to a temporary directory to make it accessible to another node in the domain. Run the command chmod 730 on the <Informatica installation directory>/isp/config directory to assign the following permissions: rwx-wx---. You can then copy the encryption key file from the /keys subdirectory to another directory.
After you complete copying the files, change the permissions for the directory back to write and execute permissions. You can use the command chmod 330 to remove the read permission.
Note: Do not use the -R option to recursively change the permissions for the directory and files. The directory and the files in the directory have different permissions.
- File Permissions
- The owner of the files in the directory has rwx permissions to the files. The owner of the files in the directory is the user account used to run the installer. The group to which the owner belongs also has rwx permissions to the files in the directory.
The owner and group have full access to the file and can display or edit the file in the directory.
Note: You must know the name of the file to be able to list or edit the file.
Changing the Encryption Key from the Command Line
After installation, you can change the encryption key for the domain from the command line. You must shut down the domain before you change the encryption key.
Use the infasetup command to generate an encryption key and configure the domain to use the new encryption key.
The following infasetup commands generate and change the encryption key:
- generateEncryptionKey
- Generates an encryption key in a file named sitekey. If the directory specified for the encryption key contains a file named sitekey, Informatica renames the file to siteKey_old.
- migrateEncryptionKey
- Changes the encryption key used to store sensitive data in the Informatica domain.
To change the encryption key for a domain, complete the following steps:
1. Shut down the domain.
2. Back up the domain before you change the encryption key.
To ensure that you can recover the domain if you encounter problems when you change the encryption key, back up the domain before you run the infasetup commands.
3. To generate an encryption key for the domain, run the infasetup generateEncryptionKey command.
Specify the encryptionKeyLocation option to generate an encryption key:
Option | Argument | Description |
|---|
-encryptionKeyLocation -kl | encryption_key_location | Directory that contains the current encryption key. The name of the encryption file is sitekey. Informatica renames the current sitekey file to sitekey_old and generates an encryption key in a new file named sitekey in the same directory. |
Note: The installer creates an encryption key during installation and upgrade. You do not need the keyword and domain name options while generating the encryption file sitekey. Make sure that you save a copy of the unique site key. If you lose the site key, you cannot generate the site key again. Do not share the unique site key with others.
4. To change the encryption key for the domain, run the infasetup migrateEncryptionKey command and specify the location of the old and new encryption key.
Specify the following options required to change the encryption key for the domain:
Option | Argument | Description |
|---|
-LocationOfEncryptionKeys -loc | location_of_encryption_keys | Directory in which the old encryption key file named siteKey_old and the new encryption key file named siteKey are stored. The directory must contain the old and new encryption key files. If the old and new encryption key files are stored in different directories, copy the encryption key files to the same directory. If the domain has multiple nodes, this directory must be accessible to any node in the domain where you run the migrateEncryptionKey command. When you migrate a multinode domain, all the nodes in the domain must use the same encryption key. To change the encryption key for the domain, run the infasetup migrateEncryptionKey command on all nodes in the domain. Note: On UNIX, the file name siteKey_old is case-sensitive. If you manually rename the previous encryption key file, verify that the file name has the correct letter case. |
-IsDomainMigrated -mig | is_domain_migrated | Indicates whether the domain has been updated to use the latest encryption key. When you run the migrateEncryptionKey command for the first time, set this option to False to indicate that the domain uses the old encryption key. After the first time, when you run the migrateEncryptionKey command to update other nodes in the domain, set this option to True to indicate that the domain has been updated to use the latest encryption key. Or, you can run the migrateEncryptionKey command without this option. Default is True. |
5. Run the infasetup command on each node in the domain.
If the domain has multiple nodes, run infasetup migrateEncryptionKey on each node. Run the command on the gateway nodes before you run the command on the worker nodes. You can omit the IsDomainMigrated option after the first time you run the command.
6. Restart the domain.
You must upgrade all repository services in the domain to update and encrypt sensitive data in the repositories with the new encryption key. You must also migrate the site key after you upgrade the domain.
7. Upgrade all Model Repository Services, PowerCenter Repository Services, and Metadata Manager Services.
You can upgrade a Model Repository Service and a PowerCenter Repository Service in the Administrator tool or at the command prompt. You can upgrade a Metadata Manager Service in the Administrator tool.
Note: The Metadata Manager Service must be disabled before you can upgrade it.
To upgrade a service in the Administrator tool, select Manage > Upgrade in the header area. If you select multiple services, the Administrator tool upgrades the services in the correct order.
To upgrade a service at the command prompt, use the following commands:
Repository Service Type | Command |
|---|
Model Repository Service | infacmd mrs UpgradeContents |
PowerCenter Repository Service | pmrep Upgrade |