Automatic passphrase encryption

For security purposes, plain text passwords that are contained in the broker, gateway, target, and CLI component configuration are now automatically encrypted. Use the DisableAutomaticPassphraseEncryption property to control whether the passwords are automatically encrypted.

For the broker and gateway components, plain text passwords can be set in the Passphrase and DefaultTLSCertificatePassphrase parameters in the component configuration files. For the target, CLI, and broker components, the ProxyURL property value can contain a plain text password as a userid:password combination in the URL. The broker and gateway passwords and the userid:password combination are now automatically encrypted.

DisableAutomaticPassphraseEncryption=No
    Plain text passwords are automatically encrypted. This is the default value.
DisableAutomaticPassphraseEncryption=Yes
    Plain text passwords are not automatically encrypted. For security reasons, it is recommended that you do not disable the automatic encryption.

Setting the parameter value

You can set the DisableAutomaticPassphraseEncryption property value in the following places:
Broker component
The broker configuration file trc_broker.properties.

Windows operating system: the file is in one of the following directories, depending on the version of Windows that is installed:

\Documents and Settings\All Users\Application Data\IBM\Tivoli\Remote Control\Broker.

\ProgramData\IBM\Tivoli\Remote Control\Broker.

Linux operating system: /etc.

Gateway component
The gateway configuration file trc_gateway.properties.

Windows operating system: the file is in one of the following directories, depending on the version of Windows that is installed:

\Documents and Settings\All Users\Application Data\IBM\Tivoli\Remote Control\Gateway.

\ProgramData\IBM\Tivoli\Remote Control\Gateway.

Linux operating system: /etc.

Target component
Windows operating system. In the target registry after the target is installed or as a parameter in a silent installation command.
Note: There is no option to disable the automatic encryption when you install the target by using the installer program or the deployment Fixlet in the BigFix® console.

Linux operating system: /etc/ibmtrct.conf.

CLI component
Windows operating system. In the target registry after the CLI component is installed.
Note: There is no option to disable the automatic encryption when you install the CLI component by using the installer program or the deployment Fixlet in the BigFix® console.

Linux operating system: /etc/ibmtrct.conf.

Note: The CLI cannot automatically encrypt the proxy credentials when it is installed stand-alone, without the target, and is run by a standard user. If you use the CLI that is included in the target package, the target encrypts the proxy credentials automatically; you must restart the target after you edit the settings in the registry or configuration file. When you use the stand-alone CLI tools, you must run the CLI once from an Administrator Command Prompt on Windows, or while logged in as root on Linux.

The following scenarios provide steps for the correct use of the parameter when you do not want to automatically encrypt the passwords. However, for security reasons, it is recommended that you do not disable the automatic encryption.

New deployment scenario

When you install the components for the first time, and you do not want to automatically encrypt passwords, complete the following steps:

Broker and gateway components
  1. After you install the component, edit the relevant properties file.
  2. Enter the plain text passwords in the relevant Passphrase and DefaultTLSCertificatePassphrase parameters.
  3. Set DisableAutomaticPassphraseEncryption=Yes.
  4. Save the file.
  5. Start the component service.

The passwords are saved as plain text in the properties files.

Target component
Windows operating system:
  1. Set the following parameter values in the silent installation command:
    • Set TRC_PROXY_USER_ID and TRC_PROXY_PASSWORD with plain text values.
    • Set DISABLEAUTOMATICPASSPHRASEENCRYPTION=Yes.
  2. Run the installation command. For more information about running a silent target installation, see Running a target custom installation on a Windows system.
Linux operating system:
  1. Edit the /etc/ibmtrct.conf file.
  2. Set a plain text userid:password combination in the ProxyURL property.
  3. Set DisableAutomaticPassphraseEncryption=Yes.
  4. Save the file.
  5. Start the target service.

The userid:password combination in the proxy URL is saved as plain text.

Note: In the new deployment scenario, you must set the DisableAutomaticPassphraseEncryption property value to Yes before you start the component for the first time. Otherwise, the components automatically encrypt the passwords when they start. The components do not decrypt passwords after they are encrypted.

Upgrade scenario

When you upgrade the components, and you do not want to automatically encrypt existing plain text passwords, complete the following steps:

Broker and gateway components
  1. Edit the current properties file.
  2. Set DisableAutomaticPassphraseEncryption=Yes.
  3. Upgrade the component.

The passwords are saved as plain text in the properties files.

Target and CLI components
Windows operating system:
  1. Edit the target registry and set DisableAutomaticPassphraseEncryption=Yes.
  2. Upgrade the component.
Linux operating system:
  1. Edit the /etc/ibmtrct.conf file and set DisableAutomaticPassphraseEncryption=Yes.
  2. Save the file.
  3. Upgrade the component.

The userid:password combination in the proxy URL is saved as plain text.

Disable encryption after you start the components

The components do not decrypt passwords after they are encrypted. Therefore, to disable the automatic encryption and store plain text passwords after you start the components, complete the following steps. You must have the plain text passwords available for this scenario.

Broker and gateway components
  1. Edit the current properties file.
  2. Set DisableAutomaticPassphraseEncryption=Yes.
  3. Delete the encrypted passwords and replace them with the plain text passwords.
  4. Restart the component.

Target and CLI components
Windows operating system:
  1. Edit the target registry and set DisableAutomaticPassphraseEncryption=Yes.
  2. Modify the ProxyURL property and set the userid:password combination to a plain text value.
  3. Restart the component.
Linux operating system:
  1. Edit the current /etc/ibmtrct.conf file and set DisableAutomaticPassphraseEncryption=Yes.
  2. Modify the ProxyURL property and set the userid:password combination to a plain text value.
  3. Save the file.
  4. Restart the component.

The userid:password combination in the proxy URL is saved as plain text.

Note: After passwords are encrypted, if you set DisableAutomaticPassphraseEncryption to Yes and restart the components, the passwords are not affected. The components do not decrypt the passwords and they can still use the encrypted password to unlock the keystore or access the proxy.

More information

  • No keywords or commands are available to decrypt the passphrases after they are encrypted.
  • The encryption uses a key that is derived from a value that is unique to the underlying system. The key is never stored; it is derived again from the system-unique value every time the component starts. Therefore, an encrypted passphrase, or a configuration file that contains encrypted passphrases, cannot be copied from one system to another. The component on the other system cannot use the encrypted passphrase because it was encrypted with a different key.
  • The system-unique value that is used to create the encryption key can change, for example when the operating system is reinstalled. If a component configuration with encrypted passphrases is restored from a backup after the operating system is reinstalled, the component cannot use the encrypted passphrases to open the keystore because they were encrypted with a different key. It is recommended that you back up the plain text passphrase separately, for example in a secure password vault. Do not store the backup passphrase together with the backup keystore.
  • Encrypted passphrases are prefixed with the string {aes-128-gcm}. However, the passphrase that is configured in a gateway inbound or inbound6 connection is encrypted with a different algorithm and is prefixed with the string {pbkdf2-hmac-sha256}.
  • The encryption algorithm is AES in GCM mode with a 128-bit encryption key.
  • The key derivation algorithm is PBKDF2-HMAC-SHA256 with a 128-bit salt.
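
As an added example that is not part of the IBM documentation, the following Python script audits a properties file for the settings described on this page: it flags DisableAutomaticPassphraseEncryption=Yes, Passphrase or DefaultTLSCertificatePassphrase values that lack an encrypted prefix, and a ProxyURL that still carries a plain text userid:password. The sample configuration is constructed, and the assumption that an encrypted proxy password is recognisable by one of the two prefixes is mine, not the product's documented format.

```python
from urllib.parse import urlsplit

# Parameters named on this page that hold secrets, and the prefixes the
# components put in front of values they have already encrypted.
SECRET_KEYS = ("Passphrase", "DefaultTLSCertificatePassphrase")
ENCRYPTED_PREFIXES = ("{aes-128-gcm}", "{pbkdf2-hmac-sha256}")

# Constructed sample of a trc_broker.properties file (not a real configuration).
SAMPLE = """\
# constructed sample
DisableAutomaticPassphraseEncryption=Yes
Passphrase=changeit
DefaultTLSCertificatePassphrase={aes-128-gcm}CONSTRUCTEDCIPHERTEXT
ProxyURL=http://proxyuser:proxypass@proxy.example.com:3128
"""

def parse_properties(text):
    """Parse key=value lines; '#' and '!' start comments as in Java properties files."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def is_encrypted(value):
    return value.startswith(ENCRYPTED_PREFIXES)

def audit(props):
    """Return a list of findings; an empty list means no secret is stored in plain text."""
    findings = []
    if props.get("DisableAutomaticPassphraseEncryption", "No").lower() == "yes":
        findings.append("DisableAutomaticPassphraseEncryption=Yes: new plain text passwords will not be encrypted")
    for key in SECRET_KEYS:
        value = props.get(key, "")
        if value and not is_encrypted(value):
            findings.append(f"{key} is stored in plain text")
    url = props.get("ProxyURL", "")
    if url and not is_encrypted(url):
        parts = urlsplit(url)
        # Assumption: an encrypted proxy password also carries one of the prefixes.
        if parts.password is not None and not is_encrypted(parts.password):
            findings.append("ProxyURL contains a plain text userid:password")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE)):
        print("FINDING:", finding)
```

Run it against a copy of trc_broker.properties, trc_gateway.properties, or /etc/ibmtrct.conf to see which secrets would remain in plain text before you start or upgrade a component.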