Optional password encryption - secure script
Optionally encrypt the passwords you use to install, upgrade, and manage HCL Workload Automation.
This section lists and describes the parameters of the secure script. The secure command uses the AES method and prints the encrypted password to the screen or saves it to a file.
Note: Use this script only to encrypt passwords used during the installation and upgrade processes.
You can either:
- Define a custom passphrase by using the passphrase argument and defining the SECUREWRAP_PASSPHRASE environment variable in the same shell session in which you run the command using the encrypted password. Ensure you set the SECUREWRAP_PASSPHRASE environment variable to the same value as the passphrase argument. You can use encrypted passwords only in association with the specific passphrase used to encrypt them.
- Use the standard encryption method provided with the secure command. In this case, you simply specify the password parameter.
Note: It is important that you understand the limits of the protection that this method provides. The custom passphrase you use to encrypt the passwords is stored in clear text in the passphrase_variables.xml file, which is stored in configureDropin. To fully understand the implications of this method, it is recommended that you read the information provided by Open Liberty at the link Password encryption limitations.
Syntax
Windows operating systems:
secure {-password password | -in file} [-des3toaes] [[-passphrase passphrase] | [-useaeskeystore]] [-out file]
UNIX operating systems:
./secure {-password password | -in file} [-des3toaes] [[-passphrase passphrase] | [-useaeskeystore]] [-out file]
z/OS operating systems:
secure {-password password | -in file} [-des3toaes] [[-passphrase passphrase] | [-useaeskeystore]] [-out file]
Arguments
- -password
- Specifies the password to be encrypted. This parameter is mutually exclusive with the -in parameter.
- -in
- Specifies the name and path of the file where you have stored the password to be encrypted. This parameter is mutually exclusive with the -password parameter.
- -des3toaes
- Converts the specified password from the Triple DES to the AES format.
- -passphrase
- Specifies the custom passphrase that is used to generate the key with which the command encrypts the password. If you set this parameter, inform the user who installs HCL Workload Automation that they must define the SECUREWRAP_PASSPHRASE environment variable in the same shell from which they run the installation command, and set it to the same value as the passphrase parameter. On Windows operating systems, the passphrase must be at least 8 characters long. This argument generates a password which can be reused for all HCL Workload Automation components. This parameter is mutually exclusive with the -useaeskeystore parameter, which generates a password which can be decrypted only on the local workstation and not reused for other components.
- -useaeskeystore
- Specifies that the secure command runs the encryption process using the AES keystore specified in the encrypt keystore file option and associated to the encrypt label alias. Both options are defined in the localopts file. The keystore is created automatically at installation time. Using this parameter ensures that passwords are encrypted with a unique key for each installation. Consequently, files encrypted on one component cannot be decrypted on another component due to differing encryption keys. For more information about the encrypt keystore file option and the encrypt label alias, see encrypt keystore file file_name. This parameter is mutually exclusive with the -passphrase parameter, which generates a password which can be reused for other components.
- -base64 e
- Specifies that the encoding process uses the base64 format.
- -out
- Specifies the path and name of a file where the command stores the encrypted password. If you do not specify this parameter, the encrypted password is printed to the screen.
Examples
To encrypt password MyPassword with a strong passphrase, run the following command:
./secure -password MyPassword -passphrase de85pU!Mb5G2xewPgdVa
To encrypt the password stored in file MyFile using the default passphrase and save the encrypted password to file OutputFile, run the following command:
secure -in C:\info\MyFile -out C:\info\OutputFile
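The custom passphrase workflow described above (the -passphrase argument together with the SECUREWRAP_PASSPHRASE environment variable), as an added example that is not part of the HCL documentation. It combines -in, -passphrase, and -out so that the password never appears on the command line. The function name encrypt_for_install, the SECURE_BIN variable, and the file arguments are assumptions made for illustration.

```shell
# Added example, not HCL code. SECURE_BIN, encrypt_for_install and the file
# names are assumptions; only the secure flags come from the page.
SECURE_BIN="${SECURE_BIN:-./secure}"   # assumed location of the secure script

# Usage: encrypt_for_install PLAIN_FILE OUT_FILE
# The passphrase is taken from SECUREWRAP_PASSPHRASE, so the value given to
# -passphrase and the value the installer reads later are always identical.
# Set it without echo first, e.g. in bash:  read -rs SECUREWRAP_PASSPHRASE
encrypt_for_install() {
    if [ -z "${SECUREWRAP_PASSPHRASE:-}" ]; then
        echo "SECUREWRAP_PASSPHRASE is not set" >&2
        return 2
    fi
    # The page requires at least 8 characters on Windows; applied everywhere here.
    if [ "${#SECUREWRAP_PASSPHRASE}" -lt 8 ]; then
        echo "passphrase is shorter than 8 characters" >&2
        return 3
    fi
    if [ ! -r "$1" ]; then
        echo "cannot read password file: $1" >&2
        return 4
    fi
    # -in keeps the password itself out of the command line and shell history.
    # The passphrase is still an argument: the documented syntax has no other form.
    # umask 077 so the output file is created readable by the owner only.
    ( umask 077
      "$SECURE_BIN" -in "$1" -passphrase "$SECUREWRAP_PASSPHRASE" -out "$2" ) || return 5
    rm -f -- "$1"                 # drop the plaintext copy once encrypted
    export SECUREWRAP_PASSPHRASE  # visible to the installer run from this shell
}
```

Run the installation command from the same shell session after the function returns, so that it inherits the exported SECUREWRAP_PASSPHRASE.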