Sun Java System Identity Synchronization for Windows 6.0 Installation and Configuration Guide

Persistent Storage Protection Summary

Table 8–2 summarizes how Identity Synchronization for Windows protects sensitive information that is stored on disk.

Table 8–2 Persistent Storage Protection

| Persistent Storage | Confidential Information | Protection |
|---|---|---|
| Product’s configuration stored in a configuration Directory Server | Credentials for accessing the directories and per Message Queue topic 3DES keys are stored in the product’s configuration directory. | All sensitive information stored in the product’s configuration directory is encrypted with a 3DES key that is generated from the configuration password. See Hardening Your Security for recommendations to further protect the product’s configuration directory. |
| Directory Server Retro Changelog | The Directory Server Plug-in captures password changes and encrypts them before writing them to the Directory Server Retro Changelog. | The Directory Server Plug-in encrypts all user password changes with a 3DES key that is unique to each deployment. |
| Message Queue broker persistent storage | The Message Queue broker stores password synchronization messages sent between all connectors. | With the exception of log messages, all persisted messages are encrypted with per-topic 3DES keys. |
| Message Queue broker directory credentials | The Message Queue broker authenticates users against the product’s configuration directory. It connects to the configuration directory using the directory administrative user name and password provided during Core installation. | The directory password is stored in a passfile, which is protected with file system access controls. |
| System manager boot file | The system manager’s boot file contains information for accessing the configuration. This includes the configuration password and the directory administrative user name and password provided during Core installation. | This file is protected with file system access controls. |
| Connector and central logger boot files | Each connector, as well as the central logger, has an initial configuration file with credentials for accessing the Message Queue. | These files are protected with file system access controls. |
| Directory Server Plug-in boot configuration | The Plug-in’s configuration, stored in cn=config, includes credentials for connecting to the connector. | The cn=config subtree is protected with ACIs, and the dse.ldif file, which mirrors this tree, is protected with file system access controls. |
| NT Password Filter DLL and NT Change Detector boot configuration | The NT subcomponent’s configuration, which is stored in the Windows registry, includes credentials for connecting to the connector. | If access to the PDC’s registry is not secure, these registry keys can be protected with access controls. |
| Windows connector’s object cache | Windows connectors store hashed user passwords in the connector’s object cache. | The passwords are not stored in the clear; they are stored as MD5 hashes. These database files are protected with file system access controls (see Hardening Your Security). |
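Several rows above list file system access controls as the only protection for a credential-bearing file (the broker passfile, the system manager, connector and central logger boot files, and dse.ldif). The following script, an added example that is not part of the product, audits such files for group/other permissions, unexpected ownership, symlinks and missing files; the paths are placeholders, not the product’s real installation paths.

```python
import os
import stat

# Placeholder paths (assumptions): replace with the real locations of the
# credential-bearing files listed in Table 8-2.
BOOT_FILES = [
    "/path/to/isw/passfile",             # Message Queue broker directory credentials
    "/path/to/isw/system-manager.boot",  # system manager boot file
    "/path/to/isw/connector.boot",       # connector / central logger boot files
    "/path/to/dirsrv/config/dse.ldif",   # mirror of cn=config holding plug-in credentials
]


def audit_file_protection(paths, expected_uid=None):
    """Return a dict mapping each path to a list of findings (empty list = OK).

    A file passes when it exists, is a regular file (not a symlink), grants no
    group/other permission bits, and, if expected_uid is given, is owned by it.
    """
    findings = {}
    for path in paths:
        issues = []
        try:
            st = os.lstat(path)          # lstat: do not follow symlinks
        except FileNotFoundError:
            findings[path] = ["missing"]
            continue
        if stat.S_ISLNK(st.st_mode):
            issues.append("symlink (may point outside the protected directory)")
        elif not stat.S_ISREG(st.st_mode):
            issues.append("not a regular file")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            issues.append("readable or writable by group/other (mode %o)"
                          % stat.S_IMODE(st.st_mode))
        if expected_uid is not None and st.st_uid != expected_uid:
            issues.append("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
        findings[path] = issues
    return findings


def print_report(findings):
    for path, issues in findings.items():
        print(path, "OK" if not issues else "; ".join(issues))


if __name__ == "__main__":
    print_report(audit_file_protection(BOOT_FILES, expected_uid=os.getuid()))
```

The registry-stored NT subcomponent configuration is outside this script’s scope; its access controls are reviewed on the PDC with the Windows registry tools instead.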