Database settings
To modify the database connection parameters, do the following:
- Click Configure to open the Configure database connection page.
- Specify the hostname or IP (and optionally, the instance name) of the SQL Server (Server name) that you are connecting to, along with the database Catalog name and settings related to encryption of network traffic between your SQL Server and Token Vault computer (Use encryption for data and Trust server certificate) according to your SQL Server and environment configuration.
- Under the Runtime credentials group on the same page, you can specify a runtime account for the Token Vault database.
  You need to select the Authentication type to determine how the Token Vault service connects to the SQL Server database:
  - Via SQL Server Authentication, you can specify an SQL user by entering a User name and Password.
  - Via Windows Authentication, using the identity of the account running the Token Vault Windows service.
  - Via Microsoft Entra ID - Password, you can specify an existing Microsoft Entra ID user by entering a User name and Password.
    Select this option only when you specify an Azure SQL server.
  - Via Microsoft Entra ID - Integrated, using the identity of the account running the Token Vault Windows service.
    Select this option only when you specify an Azure SQL server, and your local Active Directory is synchronized with Microsoft Entra ID.
  The Token Vault service uses these credentials only for runtime connection to the SQL Server.
  Kofax highly recommends using Windows or Microsoft Entra Integrated Authentication for Token Vault database connection.
- Click Verify & Save to save the database configuration settings.
  The Database settings page appears displaying the Token Vault database status and the new database connection parameters.
If you configure an earlier version of a Token Vault database, the Database settings page shows that the database is outdated, and it cannot be used with this Token Vault version.
To upgrade the database so that it is usable with this Token Vault version, continue with the following steps.
- Click Upgrade on this page.
  The Upgrade database page appears displaying the Database parameters and Runtime credentials.
- Under the Admin credentials group, select the Authentication type and specify the credentials (User name and Password) for the database upgrade.
  The following authentication types can be selected:
  - SQL Server Authentication
  - Windows Authentication
  - Microsoft Entra ID - Password
  - Microsoft Entra ID - Integrated
  In case of "Windows Authentication" and "Microsoft Entra ID - Integrated" authentication types, the User name must be specified in DOMAIN\USERNAME format.
  The credentials specified are only used during database upgrade to run the Token Vault SQL scripts on the selected database.
- Click Upgrade to upgrade the selected database.
- Click Restart service to restart the Token Vault Windows service and use the newly configured database.
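A pre-check for the connection settings above, as an added example that is not part of the product documentation: it opens a connection with Windows Authentication, encryption on and server certificate validation on, then reports the login and authentication scheme the SQL Server saw. The parameter names and the mapping of the page's check boxes to connection-string keywords are assumptions; run it as the account that runs the Token Vault Windows service.

```powershell
# Added example, not vendor code. Run in Windows PowerShell as the service account.
param(
    [Parameter(Mandatory)][string]$ServerName,   # value for the "Server name" field
    [Parameter(Mandatory)][string]$Catalog       # value for the "Catalog name" field
)

# Assumed mapping of the page's settings to SqlClient keywords:
#   Windows Authentication            -> Integrated Security=SSPI
#   Use encryption for data (on)      -> Encrypt=True
#   Trust server certificate (off)    -> TrustServerCertificate=False
# With TrustServerCertificate=False the client validates the server certificate,
# so a trust error on Open() means this machine does not trust the SQL Server
# certificate (or the name in it does not match $ServerName).
$connString = "Server=$ServerName;Database=$Catalog;Integrated Security=SSPI;" +
              "Encrypt=True;TrustServerCertificate=False;Connect Timeout=15"

$conn = New-Object System.Data.SqlClient.SqlConnection $connString
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT SUSER_SNAME() AS login_name, " +
                       "CONNECTIONPROPERTY('auth_scheme') AS auth_scheme;"
    $reader = $cmd.ExecuteReader()
    if ($reader.Read()) {
        [pscustomobject]@{
            Server     = $ServerName
            Catalog    = $Catalog
            Login      = $reader['login_name']    # should be the service account
            AuthScheme = $reader['auth_scheme']   # KERBEROS, NTLM or SQL
            Encrypted  = $true                    # enforced client-side by Encrypt=True
        }
    }
    $reader.Close()
}
catch {
    Write-Error "Connection check failed: $($_.Exception.Message)"
}
finally {
    $conn.Dispose()
}
```

If the check only succeeds with TrustServerCertificate=True, the traffic is still encrypted but the server's identity is not verified, so fix the certificate trust on the Token Vault computer rather than relaxing the setting.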
Encrypt sensitive data manually
- On the other Token Vault machine, open a Command prompt window as the user who runs the Kofax Token Vault Windows service.
  If this user is LocalSystem, then open a Command prompt window as a user who has privileges to use the private key of the certificate whose thumbprint is configured as the HTTPS certificate thumbprint on the Token Vault General Settings page.
- Navigate to the Token Vault installation folder.
- Run the following command:
  tokenvault.exe cert update old:<old certificate thumbprint>
  where <old certificate thumbprint> is the configured certificate thumbprint.
- Restart the Kofax Token Vault Service.
Now, the encryption of sensitive data in the database is not certificate-based.
The following steps are required only if this Token Vault is configured with HTTPS protocol, after the database is configured successfully, and it is alive and up-to-date.
- On this Token Vault machine, open a Command prompt window as the user who runs the Kofax Token Vault Windows service.
  If this user is LocalSystem, then open a Command prompt window as a user who has privileges to use the private key of the certificate whose thumbprint is configured as the HTTPS certificate thumbprint on the Token Vault General Settings page.
- Navigate to the Token Vault installation folder.
- Run the following command:
  tokenvault.exe cert update new:<new certificate thumbprint>
  where <new certificate thumbprint> is the HTTPS certificate thumbprint that is configured on the General Settings page.
- Restart the Kofax Token Vault Service.
- On this Token Vault machine, import the certificate earlier used by the other Token Vault machine into the Local Computer store (Certificates (Local Computer)\Personal).
- Add permission to the user account of the Windows service running Token Vault to use the private key of the imported certificate.
- Open a Command prompt window as the user who runs the Kofax Token Vault Windows service.
  If this user is LocalSystem, then open a Command prompt window as a user who has privileges to use the private key of both the imported certificate and the certificate whose thumbprint is configured as the HTTPS certificate thumbprint on the Token Vault General Settings page.
- Navigate to the Token Vault installation folder.
- Run the following command:
  tokenvault.exe cert update old:<old certificate thumbprint> new:<new certificate thumbprint>
  where:
  - <old certificate thumbprint> is the thumbprint of the imported certificate, and
  - <new certificate thumbprint> is the HTTPS certificate thumbprint that is configured on the General Settings page.
- Restart the Kofax Token Vault Windows service.
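A pre-flight check for the certificate steps above, as an added example that is not part of the product documentation: for each thumbprint it confirms the certificate is in Certificates (Local Computer)\Personal, has a private key, and that the service account holds an explicit read permission on the key file. The script name, function name and parameters are hypothetical; it assumes an elevated Windows PowerShell session and RSA keys stored in software.

```powershell
# Added example, not vendor code. Run before "tokenvault.exe cert update".
# Usage (script name is hypothetical):
#   .\Test-TokenVaultCertAccess.ps1 -Thumbprint <old>,<new> -ServiceAccount DOMAIN\USERNAME
param(
    [Parameter(Mandatory)][string[]]$Thumbprint,
    [Parameter(Mandatory)][string]$ServiceAccount
)

function Test-PrivateKeyAccess {
    param([string]$Thumb, [string]$Account)

    # Thumbprints copied from the certificate dialog can carry spaces or an
    # invisible leading character; keep the hex digits only.
    $clean = ($Thumb -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) { return "'$Thumb': not a 40-hex-digit thumbprint" }
    $cert = Get-Item -LiteralPath "Cert:\LocalMachine\My\$clean" -ErrorAction SilentlyContinue
    if (-not $cert)               { return "${clean}: not found in Certificates (Local Computer)\Personal" }
    if (-not $cert.HasPrivateKey) { return "${clean}: no private key on this machine" }

    # Resolve the key container file so its ACL can be inspected.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    } catch { return "${clean}: current user cannot open the private key ($($_.Exception.Message))" }
    if (-not $rsa) { return "${clean}: not an RSA key, check the key permissions manually" }
    if ($rsa -is [System.Security.Cryptography.RSACng]) { $name = $rsa.Key.UniqueName }
    else { $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName }

    $file = "$env:ProgramData\Microsoft\Crypto\Keys", "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" |
        ForEach-Object { Join-Path $_ $name } | Where-Object { Test-Path -LiteralPath $_ } |
        Select-Object -First 1
    if (-not $file) { return "${clean}: key file not found (key may live on a smart card or HSM)" }

    # Explicit Allow entries only; access inherited through group membership is not resolved.
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $hit  = (Get-Acl -LiteralPath $file).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Account -and
        ($_.FileSystemRights -band $read) -eq $read
    }
    if ($hit) { "${clean}: OK, $Account can read the private key" }
    else      { "${clean}: $Account has no explicit read access to the private key" }
}

foreach ($t in $Thumbprint) { Test-PrivateKeyAccess -Thumb $t -Account $ServiceAccount }
```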