Optional password encryption - secure script
Optionally encrypt the passwords you use to install, upgrade, and manage HCL Workload Automation.
This section lists and describes the parameters of the secure script. The secure command uses the AES method and prints the encrypted password to the screen or saves it to a file.
You can either:
- Define a custom passphrase by using the passphrase argument and defining the SECUREWRAP_PASSPHRASE environment variable in the same shell session in which you run the command using the encrypted password. Ensure you set the SECUREWRAP_PASSPHRASE environment variable to the same value as the passphrase argument. You can use encrypted passwords only in association with the specific passphrase used to encrypt them.
- Use the standard encryption method provided with the secure command. In this case, you simply specify the password parameter.
Note: It is important you understand the limits to the protection that
this method provides. The custom passphrase you use to encrypt the passwords is
stored in clear format in the passphrase_variables.xml file,
stored in configureDropin. To fully understand the implications
of this method, it is recommended you read the information provided by WebSphere Application Server Liberty Base at the link
Liberty: The limits to protection through
password encryption.
Syntax
- Windows operating systems:
-
secure {-password password | -in file}[-passphrase passphrase] [-base64 e][-out file]
- UNIX operating systems:
-
./secure {-password password | -in file}[-passphrase passphrase] [-base64 e][-out file]
- z/OS operating systems:
-
./secure {-password password | -in file}[-passphrase passphrase] [-base64 e][-out file]
Arguments
- -password
- Specifies the password to be encrypted. This parameter is mutually exclusive with the -in parameter.
- -in
- Specifies the name and path of the file where you have stored the password to be encrypted. This parameter is mutually exclusive with the -password parameter.
- -passphrase
- Optional. Specifies the custom passphrase that is used to generate the key with which the command encrypts the password. If you set this parameter, inform the user who installs HCL Workload Automation that they must define the SECUREWRAP_PASSPHRASE environment variable in the same shell from which they run the installation command, and set it to the same value as the passphrase argument. On Windows operating systems, the passphrase must be at least 8 characters long.
- -base64 e
- Specifies that the encoding process uses the base64 format.
- -out
- Specifies the path and name of a file where the command stores the encrypted password. If you do not specify this parameter, the encrypted password is printed to the screen.
Examples
To encrypt password
MyPassword
with a strong passphrase, run the
following
command:secure -password MyPassword -passphrase de85pU!Mb5G2xewPgdVa
To encrypt the password stored in file MyFile using the default
passphrase and save the encrypted password to file OutputFile,
run the following
command:
secure -in C:\info\MyFile -out C:\info\OutputFile