Optional password encryption - secure script

Optionally encrypt the passwords you use to install, upgrade, and manage HCL Workload Automation.

This section lists and describes the parameters of the secure script. The secure command uses the AES method and prints the encrypted password to the screen or saves it to a file.

You can either:
  • Define a custom passphrase by using the passphrase argument and defining the SECUREWRAP_PASSPHRASE environment variable in the same shell session in which you run the command using the encrypted password. Ensure you set the SECUREWRAP_PASSPHRASE environment variable to the same value as the passphrase argument. You can use encrypted passwords only in association with the specific passphrase used to encrypt them.
  • Use the standard encryption method provided with the secure command. In this case, you simply specify the password parameter.
Note: It is important you understand the limits to the protection that this method provides. The custom passphrase you use to encrypt the passwords is stored in clear format in the passphrase_variables.xml file, stored in configureDropin. To fully understand the implications of this method, it is recommended you read the information provided by WebSphere Application Server Liberty Base at the link Liberty: The limits to protection through password encryption.

Syntax

Windows operating systems:
secure {-password password | -in file}[-passphrase passphrase]
[-base64 e][-out file]
UNIX operating systems:
./secure {-password password | -in file}[-passphrase passphrase]
[-base64 e][-out file]
z/OS operating systems:
./secure {-password password | -in file}[-passphrase passphrase]
[-base64 e][-out file]

Arguments

-password
Specifies the password to be encrypted. This parameter is mutually exclusive with the -in parameter.
-in
Specifies the name and path of the file where you have stored the password to be encrypted. This parameter is mutually exclusive with the -password parameter.
-passphrase
Optional. Specifies the custom passphrase that is used to generate the key with which the command encrypts the password. If you set this parameter, inform the user who installs HCL Workload Automation that they must define the SECUREWRAP_PASSPHRASE environment variable in the same shell from which they run the installation command, and set it to the same value as the passphrase argument. On Windows operating systems, the passphrase must be at least 8 characters long.
-base64 e
Specifies that the encoding process uses the base64 format.
-out
Specifies the path and name of a file where the command stores the encrypted password. If you do not specify this parameter, the encrypted password is printed to the screen.

Examples

To encrypt password MyPassword with a strong passphrase, run the following command:
secure -password MyPassword -passphrase de85pU!Mb5G2xewPgdVa
To encrypt the password stored in file MyFile using the default passphrase and save the encrypted password to file OutputFile, run the following command:
secure -in C:\info\MyFile -out C:\info\OutputFile