Sensitive configuration data

Sensitive information such as passwords are never stored in the registry or anywhere else in plain text. For cloud deployments, all sensitive configuration data is encrypted and decrypted using the customer master key in AWS KMS. For on-premises deployments, this configuration data is encrypted and decrypted using the master keystore file created for WFM during installation.

Some internally stored keys must be rotated. When an AWS KMS key changes, WFM will re-encrypt its data keys within one month. For SAML, Infor Ming.le is responsible for rotating its public key.

Note: Keys generated by WFM for PGP or SAML are not rotated automatically. The client is responsible for rotating them once a year.

This table lists the types of encrypted configuration data that are maintained in the system:

Data Configuration Type Rotation Description
System key GLOBALSYSTEMKEY No Key

Generated on the first deployment

OAuth1 No Accesskey, secretkey

WFM generates random values. Used to validate signature.

PGP PGPEXPORTPUBLICKEY Rotated by customer PGP public key

Generated by third-party encryption tool (for example, GnuPG)

PGP PGPIMPORTPRIVATEKEY Rotated by customer Private key and public certificate

Generated by WFM UI and command line utility

SAML (IdP initiated SSO) SAMLPUBLICCERT Rotated by customer Public certificate PEM string

Provided by customer's identity provider. Used to validate signature.

SAML (SP initiated SSO) SAMLPUBLICCERT Rotated by Infor Ming.le Public certificate PEM string

Provided by Infor Ming.le. Used to validate signature.

SAML (SP initiated SSO)

(Continued)

SAMLPRIVATEKEY Rotated by customer Private key PEM string

Created by WFM UI. Used to create signature in SAML token.

Weather API key WEATHERAPIKEY No API key for the third-party weather service, which can optionally be used by customers using machine learning forecasting.

Provided by Infor for cloud customers. Provided by service provider for on-premise customers.