Chapter 8: Advanced Administration Tasks
Authentication Engine related tasks
Managing the Admin and Authentication Engine keys
The Admin Server and Authentication Engine hold several cryptographic keys.
The Admin Server key signs database entries to assure data integrity. On a
regular basis, or if either of these keys is compromised, you should change the
key and re-sign all database entries.
To change the Admin Server signing key, back up your system database.
1. At the local machine (where the Admin Server is installed), log on as an
   administrator, and go to <Install_Dir>\SafeWord\SERVERS\Shared.
2. Locate and open the file signers.cfg for editing.
3. To change the Admin Server key, add a new line above the line
   SccAdminServer that says:
   SccAdminServer, AES, 87654321abcdefgh
   Or
   SccAdminServer, AES, 12345678defghijk
4. To change the Authentication Engine key, add a new line above the line
   SccAuthServer that says:
   SccAuthServer, AES, 12345678abcdefgh
   Note: The key string can be numerics, or a combination of letters and numbers.
   For signing, the key must contain 16 characters minimum.
   Important: Do not modify the dbCipher lines.
5. Restart the Admin Server and/or Authentication Engine using the Windows
   Services Utility.
Restore the database, with Re-sign restored records checked. This will sign all
entries with the new key.
Note: This step is optional. If the database is not completely restored but new
keys are assigned, any and all future changes to the database will be re-signed with
the new key.
Signers configuration file
# Multiple signers are supported for verification, but the first on
# a name matching a particular component will be used for signing f
# component
#
# Currently supported algorithm types for signing and encryption a
# “DES” and “3DES” are supported for backwards compatibility only
#
SccAdminServer, AES, 87654321abcdefgh
SccAuthServer, AES, 87654321abcdefgh
dbCipher, AES, 12345678abcdefgh
Important: Do not modify!
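
The edit described in steps 3 and 4 can be checked against the backup copy of signers.cfg before the services are restarted. The following Python script is an added example, not part of the SafeWord product or its documentation; it assumes the "name, algorithm, key" line format shown in the figure and that the first entry for a component is the one used for signing, and its function names and the non-manual sample key are constructed for illustration.

```python
# Added example (not vendor code): check an edited signers.cfg against its backup.
DOC_SAMPLE_KEYS = {"87654321abcdefgh", "12345678defghijk", "12345678abcdefgh"}

def parse(text):
    """Return {name: [(algorithm, key), ...]} in file order, skipping # comments."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            raise ValueError(f"malformed line: {raw!r}")
        entries.setdefault(parts[0], []).append((parts[1], parts[2]))
    return entries

def check_rotation(old_text, new_text, rotated=("SccAdminServer", "SccAuthServer")):
    """Return findings; an empty list means the edit follows steps 3 and 4."""
    old, new = parse(old_text), parse(new_text)
    findings = []
    if old.get("dbCipher") != new.get("dbCipher"):
        findings.append("dbCipher: lines were modified")
    for name in rotated:
        before, after = old.get(name, []), new.get(name, [])
        if not after:
            findings.append(f"{name}: no entry found")
            continue
        algo, key = after[0]  # assumption: the first entry is the signing key
        if algo != "AES":
            findings.append(f"{name}: {algo} is for backwards compatibility only")
        if len(key) < 16 or not key.isalnum():
            findings.append(f"{name}: key must be 16+ letters/digits")
        if key in DOC_SAMPLE_KEYS:
            findings.append(f"{name}: key is a sample value from the manual")
        if before and key == before[0][1]:
            findings.append(f"{name}: signing key was not changed")
        elif after[1:] != before:
            findings.append(f"{name}: earlier entries not kept below the new line")
    return findings

# Constructed sample input: backup copy, one correct edit, one faulty edit.
OLD = ("SccAdminServer, AES, 87654321abcdefgh\nSccAuthServer, AES, 87654321abcdefgh\n"
       "dbCipher, AES, 12345678abcdefgh\n")
GOOD = OLD.replace("SccAdminServer,", "SccAdminServer, AES, Zq7mR2xK9vT4bN8w\nSccAdminServer,", 1)
BAD = "SccAdminServer, AES, 12345678defghijk\n" + OLD.replace("dbCipher, AES, 1", "dbCipher, AES, 9")

if __name__ == "__main__":
    print(check_rotation(OLD, GOOD, rotated=("SccAdminServer",)))
    print(check_rotation(OLD, BAD, rotated=("SccAdminServer",)))
```

The check flags the key strings printed in this manual because they are published values; a production key should be a freshly generated string that meets the 16-character minimum.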