When you install Enterprise Security, a key file (.enk) is generated and stored as a hidden file in the Security directory.
The key file stores the key that is used to encrypt or decrypt information in the ACDB. Only the PSO can change the key file, so the PSO must protect this file from other users’ read and modify attempts.
Enterprise Security includes a tool (securetool) that allows you to replace the key file with a new key file, then reencrypt the data that was encrypted with the old key. When you replace the key file, you must have the original encryption/decryption key.
Updating the security key file and reencrypting system data
Restrict users from logging in to Enterprise Portal or EAServer until the key file is updated.
In the Security\bin directory, run:
securetool changekey --enkfile <path_to_enk>\.enk --output_enkfile <path_to_enk>\.enk [--random_seed n]
Where path_to_enk is the path to the .enk file, and n is an integer to use as a random seed.
Reencrypt the system data using the new encryption key:
reencsysdata --appserver_url URL --username user_name --password password [--init_ctx_factory initCtxtFactory]
Where URL, user_name, and password are the URL, user name, and password for connecting to the security middleware. Optionally, provide an InitialContextFactory; the default is com.sybase.ep.security.naming.InitialContextFactory.
WARNING! If you change the key file (.enk) in a clustered EAServer environment, you must manually copy the new key file to each machine that has Enterprise Security installed.
Lock the .enk file at the operating system level (using file access permissions) to prevent anyone other than the PSO from viewing or accessing the new key.
Remove any restrictions that you imposed to prevent users from logging in to the system. You may now allow user access based on the new key.
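The sequence above (keep the original key available, replace the key file, re-encrypt everything that was encrypted under the old key, then lock the new file down) is easy to get wrong when scripted by hand. The following is an added example, not Enterprise Security's own code: the real cipher and .enk layout are not documented here, so it uses an HMAC-SHA256 based stream cipher with encrypt-then-MAC purely to illustrate the procedure, and the key bytes, record contents and scratch directory are constructed for the demonstration. Its two security-relevant behaviours are that a record which does not authenticate under the supplied old key aborts the rotation before any record is rewritten, and that the new key file is created owner-read/write only and never silently overwrites an existing file.

```python
# Added illustrative key-rotation example (not Sybase/Enterprise Security code).
# Cipher: HMAC-SHA256 in counter mode for the keystream, HMAC-SHA256 tag over
# nonce||ciphertext. Keys below are constructed sample values, not real material.
import hashlib
import hmac
import os
import stat
import tempfile

NONCE_LEN = 16
TAG_LEN = 32

OLD_KEY = bytes.fromhex("00" * 16 + "11" * 16)   # constructed sample key
NEW_KEY = bytes.fromhex("22" * 16 + "33" * 16)   # constructed sample key


def _subkeys(key):
    """Derive independent encryption and MAC subkeys from the master key."""
    k_enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return k_enc, k_mac


def _keystream(k_enc, nonce, length):
    """PRF-based keystream: HMAC-SHA256(k_enc, nonce || counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag with a fresh random nonce."""
    k_enc, k_mac = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag before decrypting; a wrong key fails closed."""
    k_enc, k_mac = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(c ^ s for c, s in zip(ct, _keystream(k_enc, nonce, len(ct))))


def authenticates(key, blob):
    """True if blob verifies under key (used to confirm the old key is retired)."""
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


def reencrypt_records(records, old_key, new_key):
    """Decrypt all records under old_key, then re-encrypt under new_key.
    Every record is checked first, so the store is never left half-rotated
    when the key supplied is not the original one."""
    plaintexts = [decrypt(old_key, r) for r in records]
    return [encrypt(new_key, p) for p in plaintexts]


def write_key_file(path, key):
    """Create the key file owner-read/write only and refuse to clobber one."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key)
    return stat.S_IMODE(os.stat(path).st_mode)


def rotate_store(store_dir, records, new_key):
    """Read the old key from .enk, re-encrypt, write the new .enk, report its mode."""
    enk_path = os.path.join(store_dir, ".enk")
    with open(enk_path, "rb") as f:
        old_key = f.read()
    rotated = reencrypt_records(records, old_key, new_key)   # aborts if old key is wrong
    os.remove(enk_path)                                      # replaced only after success
    return rotated, write_key_file(enk_path, new_key)


def demo():
    """Run the rotation end to end in a scratch directory (constructed data)."""
    with tempfile.TemporaryDirectory() as d:
        write_key_file(os.path.join(d, ".enk"), OLD_KEY)
        records = [encrypt(OLD_KEY, b"acdb row 1"), encrypt(OLD_KEY, b"acdb row 2")]
        rotated, mode = rotate_store(d, records, NEW_KEY)
        return {
            "recovered": [decrypt(NEW_KEY, r) for r in rotated],
            "mode": mode,
            "old_key_still_works": any(authenticates(OLD_KEY, r) for r in rotated),
        }


if __name__ == "__main__":
    print(demo())
```

Running the module prints the two recovered rows, a mode of 0o600, and confirms that no rotated record still authenticates under the old key. Swapping the stored key for the wrong one makes `rotate_store` raise before the `.enk` file is touched, which is the property the "you must have the original encryption/decryption key" requirement above depends on.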