Sensitive configuration data
Sensitive information such as passwords is never stored in the registry or anywhere else in plain text. For cloud deployments, all sensitive configuration data is encrypted and decrypted using the customer master key in AWS KMS. For on-premises deployments, this configuration data is encrypted and decrypted using the master keystore file created for WFM during installation.
Some internally stored keys must be rotated. When an AWS KMS key changes, WFM re-encrypts its data keys within one month. For SAML, Infor OS Portal is responsible for rotating its public key.
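The cloud arrangement described above is envelope encryption: each configuration value is encrypted under a per-item data key, and only that data key is wrapped by the master key in KMS, so a master key change requires re-wrapping the data keys but not re-encrypting the stored values. The following Go program is an added illustration of that pattern and is not WFM's or Infor's code. It stands in for AWS KMS with an in-memory `SimKMS` type (an assumption for offline use) that keeps every master key version, so data keys wrapped under an older version remain decryptable until they are re-wrapped; the `GenerateDataKey`, `Unwrap` and `ReEncrypt` names mirror the corresponding KMS operations but the implementation is this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// SimKMS is a constructed, in-memory stand-in for AWS KMS. It never exposes
// a master key; callers only see wrapped data keys tagged with the version
// of the master key that wrapped them.
type SimKMS struct {
	versions [][]byte // index = master key version
}

func NewSimKMS() *SimKMS {
	k := &SimKMS{}
	k.Rotate()
	return k
}

// Rotate adds a new master key version; older versions stay usable for unwrap.
func (k *SimKMS) Rotate() {
	mk := make([]byte, 32)
	if _, err := rand.Read(mk); err != nil {
		panic(err)
	}
	k.versions = append(k.versions, mk)
}

func (k *SimKMS) CurrentVersion() uint32 { return uint32(len(k.versions) - 1) }

// seal/open are AES-256-GCM with a random nonce prepended to the ciphertext.
func seal(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return append(nonce, g.Seal(nil, nonce, plaintext, nil)...)
}

func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// wrap encrypts a data key under the current master key and prefixes the version.
func (k *SimKMS) wrap(dk []byte) []byte {
	v := k.CurrentVersion()
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, v)
	return append(hdr, seal(k.versions[v], dk)...)
}

// GenerateDataKey returns a fresh data key in plaintext (to be used once and
// discarded) together with its wrapped form for storage.
func (k *SimKMS) GenerateDataKey() (plain, wrapped []byte) {
	plain = make([]byte, 32)
	if _, err := rand.Read(plain); err != nil {
		panic(err)
	}
	return plain, k.wrap(plain)
}

// Unwrap recovers a data key using whichever master key version wrapped it.
func (k *SimKMS) Unwrap(wrapped []byte) ([]byte, error) {
	if len(wrapped) < 4 {
		return nil, errors.New("wrapped key too short")
	}
	v := binary.BigEndian.Uint32(wrapped[:4])
	if int(v) >= len(k.versions) {
		return nil, errors.New("unknown master key version")
	}
	return open(k.versions[v], wrapped[4:])
}

// ReEncrypt re-wraps a data key under the current master key version. The
// plaintext data key never leaves the KMS, and the config ciphertext that
// the data key protects does not change.
func (k *SimKMS) ReEncrypt(wrapped []byte) ([]byte, error) {
	dk, err := k.Unwrap(wrapped)
	if err != nil {
		return nil, err
	}
	return k.wrap(dk), nil
}

// WrappedVersion reports which master key version a wrapped data key uses.
func WrappedVersion(wrapped []byte) uint32 { return binary.BigEndian.Uint32(wrapped[:4]) }

// EncryptedConfig is one stored item of sensitive configuration.
type EncryptedConfig struct {
	Type       string // configuration type, e.g. PGPIMPORTPRIVATEKEY
	WrappedDK  []byte
	Ciphertext []byte
}

func StoreConfig(k *SimKMS, typ string, value []byte) EncryptedConfig {
	dk, wrapped := k.GenerateDataKey()
	return EncryptedConfig{Type: typ, WrappedDK: wrapped, Ciphertext: seal(dk, value)}
}

func LoadConfig(k *SimKMS, c EncryptedConfig) ([]byte, error) {
	dk, err := k.Unwrap(c.WrappedDK)
	if err != nil {
		return nil, err
	}
	return open(dk, c.Ciphertext)
}

func main() {
	k := NewSimKMS()
	// Constructed placeholder value; a real entry would hold the PEM private key.
	c := StoreConfig(k, "PGPIMPORTPRIVATEKEY", []byte("placeholder-private-key"))
	k.Rotate() // master key changed
	rewrapped, _ := k.ReEncrypt(c.WrappedDK)
	c.WrappedDK = rewrapped
	v, _ := LoadConfig(k, c)
	fmt.Printf("data key now under master version %d; value=%q\n", WrappedVersion(c.WrappedDK), v)
}
```

The check worth keeping from this example is the version prefix on the wrapped data key: an audit of the stored rows can list items still wrapped under a retired master key version, which is exactly the work the one-month re-encryption window above has to cover.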
This table lists the types of encrypted configuration data that are maintained in the system:

| Data | Configuration Type | Rotation | Description |
|---|---|---|---|
| System key | GLOBALSYSTEMKEY | No | Key generated on the first deployment. |
| OAuth1 | | No | Accesskey, secretkey: WFM generates random values. Used to validate signatures. |
| PGP | PGPEXPORTPUBLICKEY | Rotated by customer | PGP public key. Generated by a third-party encryption tool (for example, GnuPG). |
| PGP | PGPIMPORTPRIVATEKEY | Rotated by customer | Private key and public certificate. Generated by the WFM UI and command line utility. |
| SAML (IdP initiated SSO) | SAMLPUBLICCERT | Rotated by customer | Public certificate PEM string. Provided by the customer's identity provider. Used to validate signatures. |
| SAML (SP initiated SSO) | SAMLPUBLICCERT | Rotated by Infor OS Portal | Public certificate PEM string. Provided by Infor OS Portal. Used to validate signatures. |
| SAML (SP initiated SSO) | SAMLPRIVATEKEY | Rotated by customer | Private key PEM string. Created by the WFM UI. Used to create the signature in the SAML token. |
| Weather API key | WEATHERAPIKEY | No | API key for the third-party weather service, which can optionally be used by customers using machine learning forecasting. Provided by Infor for cloud customers. Provided by the service provider for on-premises customers. |