Versions Compared

Old Version 10

changes.mady.by.user Ankur Parekh

Saved on

compared with

New Version 11

changes.mady.by.user Anand Vedam

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents
maxLevel3

...

  • The new accounts you create with import/migrate/metadata are automatically re-encrypted with destination org keys when you migrate the account from one org(source org) to another(destination), provided:
    • You are migrating the accounts from an org with standard account encryption to an org with standard or enhanced account encryption. In this case, the source org is required to be configured to recognize the destination org as a trusted org. Org admins can configure Organizational Settings to establish trust between orgs
    • You are migrating the accounts from an org with enhanced account encryption to another org with enhanced account encryption. In this case, the customers are required to add the source org’s private keys to the JCC keystores in the destination org. The source private keys should be added with an alias name different from that of the destination key alias for alias names are unique  in the keystore. A recommended name for source key alias will have org name preceded to the default ‘account-autogen’ key alias.
    • Because of the security risk, SnapLogic does not support migration of accounts from orgs with enhanced account encryption to orgs with standard account encryption. In this situation, you must manually recreate the accounts in the target org.
  • Projects with accounts exported prior to Release 4.11 will not have the accounts re-encrypted on import. You need to export the projects again and import in the target org. 

  • If your org is configured for Enhanced Account Encryption, the SnapLogic Create Snap and the SnapLogic Update Snap enable you to create/update accounts when the sensitive fields are provided in plain text. The Snaps will encrypt the data automatically.

    Note

    The presence of 'key' in the property tells the Snap that the field is already encrypted. Therefore, when the property value is in plain text, make sure you delete the 'key' field in the sensitive property object. Otherwise, the Snap cannot encrypt the field. 


Migrating from One Enhanced Encrypted Org to Another

...

Run the following command on source keystore location. This command directly adds the keys to the destination keystore. It requires the host address of the destination machine.
Code Block
keytool -importkeystore -srckeystore jcc-datakeys.jks
-srcstoretype JCEKS -srcstorepass `cat jcc-datakeys.pass` 
-srcalias 'account-autogen' -destkeystore <destination-machine>:<keystore-location>/jcc-datakeys.jks -deststoretype JCEKS 
-deststorepass <destination-machine>:<keystore-location>/jccdatakeys.pass -destalias source-account-autogen 

Multiple-Step Process (Recommended)

  1. Export the source key to a temporary keystore. 

    Code Block
    keytool -importkeystore -srckeystore 
jcc-datakeys.jks -destkeystore 
jcc-datakeys-src-copy.jks -srcstoretype JCEKS -deststoretype JCEKS -srcstorepass 
`cat jcc-datakeys.pass` -deststorepass changeit -srcalias account-autogen -destalias source-account-autogen -srckeypass 
`cat jcc-datakeys.pass` -destkeypass changeit


    Note
    • Both source and destination key-aliases are by default account-autogen. So while importing the source key to destination, a new name should be chosen for source key-alias. A recommended name would have source org name followed by account-autogen. For example, SnaplogicDev-account-autogen.
    • The keys are accessed by the same password that is used for the store that is stored in a .pass file. While exporting the source key to a temporary keyfile, use a temporary password. For example, changeit.

...


  2. Copy the temporary keystore to the destination JCCs.

...

  1. Go to the keystore in the destination JCCs. Import (add) the source key to the destination key using the following command:

    Code Block
    keytool -importkeystore -srckeystore 
jcc-datakeys-src-copy.jks 
-destkeystore jcc-datakeys.jks -srcstoretype JCEKS -deststoretype JCEKS -srcstorepass changeit -srckeypass changeit -deststorepass `cat jcc-datakeys.pass` 
-srcalias source-account-autogen 
-destalias source-account-autogen

...


  2. Change the source key password to use the keystore password.

    Code Block
    keytool -keypasswd -alias 
source-account-autogen -keypass changeit 
-new `cat jcc-datakeys.pass`

...


  2. Once the keys are added, you can list the keys to confirm that the source key is added with alias source-account-autogen

    Code Block
    keytool -list -keystore jcc-datakeys.jks 
-storetype JCEKS -storepass `cat jcc-datakeys.pass`