Changing the default secret key and password to the SAP Metric Data Collector keystore

Available from 9.2.9. To strengthen the encryption of the password to the SAP Metric Data Collector, you can change the default secret key or the default password to the SAP Metric Data Collector keystore. These two procedures are independent: you can change the secret key, the keystore password, or both, depending on your needs.

Before you begin

Contact BigFix Support to obtain the current password to the SAP Metric Data Collector keystore.

Procedure

  • To replace the default secret key with a custom one, perform the following steps.
    Important: To run each of the following commands, provide the current password for the SAP Metric Data Collector keystore. You can obtain the default password from BigFix Support. If you already changed it, use the custom password that you set up.
    1. To remove the default secret key, run the following command.
      • Linux "/var/opt/BESClient/LMT/SAPTOOL/java/jre/bin/keytool" -delete -keystore "/var/opt/BESClient/LMT/SAPTOOL/keydb/<keystore_name>" -storetype <type> -alias bigfixsaptoolcustomkey
      • Windows "C:\Program Files (x86)\BigFix Enterprise\BES Client\LMT\SAPTOOL\java\jre\bin\keytool.exe" -delete -keystore "C:\Program Files (x86)\BigFix Enterprise\BES Client\LMT\SAPTOOL\keydb\<keystore_name>" -storetype <type> -alias bigfixsaptoolcustomkey
    2. To create a custom secret key, run the following command.
      Important: During the creation of the new secret key, you are asked to provide its password. Specify the same password as the password for the SAP Metric Data Collector keystore. If you did not change the keystore password, provide the one that you obtained from BigFix Support. Otherwise, provide your custom password for the SAP Metric Data Collector keystore.
      • Linux "/var/opt/BESClient/LMT/SAPTOOL/java/jre/bin/keytool" -genseckey -keystore "/var/opt/BESClient/LMT/SAPTOOL/keydb/<keystore_name>" -storetype <type> -keyalg AES -keysize 128 -alias bigfixsaptoolcustomkey
      • Windows "C:\Program Files (x86)\BigFix Enterprise\BES Client\LMT\SAPTOOL\java\jre\bin\keytool.exe" -genseckey -keystore "C:\Program Files (x86)\BigFix Enterprise\BES Client\LMT\SAPTOOL\keydb\<keystore_name>" -storetype <type> -keyalg AES -keysize 128 -alias bigfixsaptoolcustomkey
      where:
      -keyalg
      Is the algorithm used to encrypt the secret key. Only AES is supported.
      -keysize
      Is the size of the secret key. The default size is 128 bits. To use a longer key, set up the Java JCE unlimited jurisdiction policy files. For more information, see IBM SDK Policy files.
  • To change the default password to the SAP Metric Data Collector keystore, perform the following steps.
    Important: To run each of the following commands, provide the current password for the SAP Metric Data Collector keystore that you obtained from HCL Support.
    1. To change the password to the keystore, run the following command.
      The password to each key in the keystore must be the same as the password to the keystore, so the command uses the -all parameter.
      • Linux "/var/opt/BESClient/LMT/SAPTOOL/java/jre/bin/keytool" -storepasswd -all -keystore "/var/opt/BESClient/LMT/SAPTOOL/keydb/<keystore_name>" -storetype <type>
      • Windows "C:\Program Files (x86)\BigFix Enterprise\BES Client\LMT\SAPTOOL\java\jre\bin\keytool.exe" -storepasswd -all -keystore "C:\Program Files (x86)\BigFix Enterprise\BES Client\LMT\SAPTOOL\keydb\<keystore_name>" -storetype <type>
    2. When prompted, provide the new keystore password.
    3. To encode the password, run the following command.
      • Linux "/var/opt/BESClient/LMT/SAPTOOL/saptool.sh" -encode
      • Windows "C:\Program Files (x86)\BigFix Enterprise\BES Client\LMT\SAPTOOL\saptool.bat" -encode
      The password is encoded and displayed in the command line.
    4. Copy the encoded password to a file, and save it in a text format.
      For example:
      • Linux "/var/opt/BESClient/LMT/SAPTOOL/config/custom_access_code.txt"
      • Windows "C:\Program Files (x86)\BigFix Enterprise\BES Client\LMT\SAPTOOL\config\custom_access_code.txt"
      Note: It is recommended to save the custom_access_code.txt in the config directory. This directory remains unchanged after the SAP Metric Data Collector update.
    5. Open the saptool_config.properties file that is in the following location.
      • Linux "/var/opt/BESClient/LMT/SAPTOOL/config/"
      • Windows "C:\Program Files (x86)\BigFix Enterprise\BES Client\LMT\SAPTOOL\config\"

      Provide the path to the file with the encoded password in the configuration_key_init_path parameter.

      For example:
      • Linux configuration_key_init_path=/var/opt/BESClient/LMT/SAPTOOL/config/custom_access_code.txt
      • Windows configuration_key_init_path=C:\\Program Files (x86)\\BigFix Enterprise\\BES Client\\LMT\\SAPTOOL\\config\\custom_access_code.txt
      Tip: Provide the path in one line and without quotation marks. To use a backslash, provide it twice (\\).

      Note: The <type> and <keystore_name> parameters that are used in the above commands specify the following:
      <type>
      Starting from version 10.0.8.0, the type of the certificate is PKCS12. For earlier versions, it is JCEKS.
      <keystore_name>
      Starting from version 10.0.8.0, the name of the keystore file is keys.p12. For earlier versions, it is keys.jceks.
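
A Linux wrapper for the secret-key replacement steps, added here as an illustration and not part of the vendor procedure or tooling. The function names and passing the installed version as an argument are assumptions; the backup copy and the final `-list` call that confirms the new alias exists are added checks.

```shell
#!/bin/sh
# Added example, not vendor code. Function names and the VERSION argument
# are assumptions made for this sketch.
SAPTOOL_HOME="/var/opt/BESClient/LMT/SAPTOOL"
KEY_ALIAS="bigfixsaptoolcustomkey"

# version_ge A B: succeed when dotted version A >= B, compared field by field.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# From 10.0.8.0 the keystore is keys.p12 (PKCS12); earlier it is keys.jceks (JCEKS).
keystore_type() { if version_ge "$1" 10.0.8.0; then echo PKCS12; else echo JCEKS; fi; }
keystore_name() { if version_ge "$1" 10.0.8.0; then echo keys.p12; else echo keys.jceks; fi; }

# replace_secret_key VERSION: delete the default key, generate a new AES-128
# key, then confirm the alias is present. keytool prompts for the keystore
# password at each step; if it asks for a key password, give the same one.
# Stops at the first failure so a half-finished change is noticed.
replace_secret_key() {
    kt="$SAPTOOL_HOME/java/jre/bin/keytool"
    ks="$SAPTOOL_HOME/keydb/$(keystore_name "$1")"
    ty=$(keystore_type "$1")
    # Rollback copy; delete it once the collector works, it still holds the old key.
    cp -p "$ks" "$ks.bak" || return 1
    "$kt" -delete -keystore "$ks" -storetype "$ty" -alias "$KEY_ALIAS" || return 1
    "$kt" -genseckey -keystore "$ks" -storetype "$ty" -keyalg AES -keysize 128 \
        -alias "$KEY_ALIAS" || return 1
    "$kt" -list -keystore "$ks" -storetype "$ty" -alias "$KEY_ALIAS"
}
```

Call it as `replace_secret_key 10.0.8.0`, substituting the version that is installed on the computer.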
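
A check for step 5 of the keystore password change on Linux, added here as an illustration and not vendor code. The function name `check_key_path` is hypothetical, the trailing-space rule assumes the file is parsed with Java properties rules, and the permission warning is an added hardening check that the procedure does not state.

```shell
#!/bin/sh
# Added example, not vendor code. check_key_path and its messages are
# illustrative; only configuration_key_init_path comes from the procedure.

# check_key_path PROPS_FILE: print the configured path and return 0 when the
# entry is on one line, unquoted, uses doubled backslashes only, and points
# at a non-empty file.
check_key_path() {
    props=$1; key=configuration_key_init_path
    if [ ! -r "$props" ]; then echo "cannot read $props" >&2; return 1; fi
    n=$(grep -c "^[[:space:]]*${key}[[:space:]]*=" "$props" || true)
    if [ "$n" -ne 1 ]; then echo "expected one $key entry, found $n" >&2; return 1; fi
    val=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$props")
    case $val in
        "")        echo "$key is empty" >&2; return 1 ;;
        *\"*|*\'*) echo "remove quotation marks from the path" >&2; return 1 ;;
        *" ")      echo "trailing space becomes part of the path" >&2; return 1 ;;
    esac
    # Drop every doubled backslash; any backslash left over is a single one,
    # which is either lost on parsing or continues the value onto the next line.
    rest=$(printf '%s' "$val" | sed 's/\\\\//g')
    case $rest in
        *\\*) echo "single backslash in path, write it twice" >&2; return 1 ;;
    esac
    path=$(printf '%s' "$val" | sed 's/\\\\/\\/g')
    if [ ! -s "$path" ]; then echo "no encoded password at: $path" >&2; return 1; fi
    # Added hardening check: the file holds the encoded keystore password.
    if [ -n "$(find "$path" -perm -004)" ]; then
        echo "warning: $path is readable by all users" >&2
    fi
    printf '%s\n' "$path"
}
```

Run it as `check_key_path /var/opt/BESClient/LMT/SAPTOOL/config/saptool_config.properties` after you edit the file.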