Optional password encryption - secure script
Optionally encrypt the passwords you use to install, upgrade, and manage HCL Workload Automation.
This section lists and describes the parameters of the secure script. The secure command uses the AES method and prints the encrypted password to the screen or saves it to a file. This command is available by default on all HCL Workload Automation components.
Note: Use this script only to encrypt passwords used during the installation and upgrade processes.
You can either:
- Define a custom passphrase by using the passphrase argument and defining the SECUREWRAP_PASSPHRASE environment variable in the same shell session in which you run the command using the encrypted password. Ensure you set the SECUREWRAP_PASSPHRASE environment variable to the same value as the passphrase argument. You can use encrypted passwords only in association with the specific passphrase used to encrypt them.
- Use the standard encryption method provided with the secure command. In this case, you simply specify the password parameter.
Note: It is important that you understand the limits of the protection this method provides. The custom passphrase you use to encrypt the passwords is stored in clear text in the passphrase_variables.xml file, which is located in configureDropin. To fully understand the implications of this method, it is recommended that you read the information provided by Open Liberty at the link Password encryption limitations.
Syntax
Windows operating systems:
secure -fips on|weak|off | -checksecurity | -updatesecurity | -securitystatus | {-password password | -in file} [-fipscompliance true|false] [-des3toaes] [[-passphrase passphrase] | [-useaeskeystore]] [-out file]
UNIX operating systems:
./secure -fips on|weak|off | -checksecurity | -updatesecurity | -securitystatus | {-password password | -in file} [-fipscompliance true|false] [-des3toaes] [[-passphrase passphrase] | [-useaeskeystore]] [-out file]
z/OS operating systems:
secure -fips on|weak|off | -checksecurity | -updatesecurity | -securitystatus | {-password password | -in file} [-fipscompliance true|false] [-des3toaes] [[-passphrase passphrase] | [-useaeskeystore]] [-out file]
Arguments
- -fips
- Specifies your FIPS settings:
- on
- Select on to enable FIPS in full mode. In this mode, FIPS enforces the most rigorous cryptographic levels defined by the FIPS 140-3 standard.
- weak
- Select weak to enable FIPS in weak mode. In this mode, FIPS enforces the most rigorous cryptographic levels defined by the FIPS 140-3 standard, but also supports the SHA-1 and 3DES algorithms.
- off
- Select off to disable FIPS. In this mode, FIPS standards are not enforced, but the product is still robust and secure.
- -checksecurity
- Checks the encryption level for password encryption. If user passwords are encrypted with the AES algorithm, the command modifies the useAESEncryptionAlgorithm optman option to yes. If the encryption algorithm is different from AES, the command displays a warning message.
- -updatesecurity
- Changes the encryption algorithm for user passwords from 3DES to AES. To prevent communication problems, this change requires that all components in your environment are at version 10.2.5 or later. The command checks and modifies the useAESEncryptionAlgorithm optman option, based on the encryption algorithm used in your environment for user passwords, as follows:
- users with passwords in 3DES
- the useAESEncryptionAlgorithm option is set to no.
- users with passwords in AES
- the useAESEncryptionAlgorithm option is set to yes.
- -securitystatus
- Displays security settings in your environment, for example the current FIPS mode.
- -password
- Specifies the password to be encrypted. This parameter is mutually exclusive with the -in parameter.
- -in
- Specifies the name and path of the file where you have stored the password to be encrypted. This parameter is mutually exclusive with the -password parameter.
- -fipscompliance
- Allows overriding the product's FIPS mode. For instance, if a master domain manager, agent, or Dynamic Workload Console has FIPS enabled and the option -fipscompliance false is specified, FIPS is selectively disabled for the secure command. Conversely, passing -fipscompliance true enforces FIPS for that command, regardless of the global setting.
- -des3toaes
- Converts the specified password from the Triple DES to the AES format.
- -passphrase
- Specifies the custom passphrase that is used to generate the key with which the command encrypts the password. If you set this parameter, inform the user who installs HCL Workload Automation that they must define the SECUREWRAP_PASSPHRASE environment variable in the same shell from which they run the installation command, and set it to the same value as the passphrase parameter. On Windows operating systems, the passphrase must be at least 8 characters long. This argument generates a password which can be reused for all HCL Workload Automation components. This parameter is mutually exclusive with the -useaeskeystore parameter, which generates a password which can be decrypted only on the local workstation and not reused for other components.
- -useaeskeystore
- Specifies that the secure command runs the encryption process using the AES keystore specified in the encrypt keystore file option and associated with the encrypt label alias. Both options are defined in the localopts file. The keystore is created automatically at installation time. Using this parameter ensures that passwords are encrypted with a unique key for each installation. Consequently, files encrypted on one component cannot be decrypted on another component because the encryption keys differ. For more information about the encrypt keystore file option and the encrypt label alias, see encrypt keystore file file_name. This parameter is mutually exclusive with the -passphrase parameter, which generates a password that can be reused for other components.
- -base64
- Specifies that the encoding process uses the base64 format.
- -out
- Specifies the path and name of a file where the command stores the encrypted password. If you do not specify this parameter, the encrypted password is printed to the screen.
Examples
To encrypt the password MyPassword with a strong passphrase, run the following command:
./secure -password MyPassword -passphrase de85pU!Mb5G2xewPgdVa
To encrypt the password stored in file MyFile using the default passphrase and save the encrypted password to file OutputFile, run the following command:
secure -in C:\info\MyFile -out C:\info\OutputFile
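The passphrase workflow from the first example, written as an added POSIX shell wrapper (example code, not part of the HCL documentation or the product): it enforces the 8-character minimum the page states for Windows, writes the -out file with restrictive permissions, and verifies that SECUREWRAP_PASSPHRASE in the current session equals the passphrase used for encryption, which is the condition under which the encrypted password is usable. SECURE_CMD, validate_passphrase, env_matches_passphrase and encrypt_for_install are assumed names.

```shell
#!/bin/sh
# Added example, not HCL's code. Wraps the secure command so that the passphrase
# given to -passphrase and the SECUREWRAP_PASSPHRASE variable the installer reads
# are the same value within one shell session.

# Accept a passphrase only if it is non-empty and at least 8 characters long
# (the minimum the documentation requires on Windows; applied everywhere here).
# Returns 0 when acceptable, 1 otherwise.
validate_passphrase() {
  pp=$1
  [ -n "$pp" ] || return 1
  [ "${#pp}" -ge 8 ] || return 1
  return 0
}

# Check that SECUREWRAP_PASSPHRASE is set in the current shell and equals the
# passphrase used for encryption. Returns 0 on match, 1 if unset or different.
env_matches_passphrase() {
  [ -n "${SECUREWRAP_PASSPHRASE:-}" ] || return 1
  [ "$SECUREWRAP_PASSPHRASE" = "$1" ] || return 1
  return 0
}

# Encrypt a password with a custom passphrase, store it in outfile (created
# with mode 0600 via umask in a subshell), then export SECUREWRAP_PASSPHRASE
# so the installer run from this same session can decrypt it.
# SECURE_CMD is an assumed variable holding the path to the secure script.
encrypt_for_install() {
  passphrase=$1; password=$2; outfile=$3
  validate_passphrase "$passphrase" || { echo "passphrase must be at least 8 characters" >&2; return 1; }
  ( umask 077; "${SECURE_CMD:-./secure}" -password "$password" -passphrase "$passphrase" -out "$outfile" ) || return 1
  export SECUREWRAP_PASSPHRASE="$passphrase"
  env_matches_passphrase "$passphrase"
}

# Usage, attempted only when the secure script is actually present.
# The passphrase is the one from the documentation's own example.
if [ -x "${SECURE_CMD:-./secure}" ]; then
  encrypt_for_install 'de85pU!Mb5G2xewPgdVa' 'MyPassword' ./encrypted_password.txt
fi
```

Run the installation command from the same shell afterwards; a new shell without the exported variable, or one set to a different value, cannot use the encrypted password.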