Agent autonomy configuration XML files include user credentials with passwords that can be entered in plain text. Securing access to these configuration files is usually adequate to secure the credentials. You can also add a layer of security by storing passwords in encrypted format within the configuration file.
Before you begin
If you are enabling SNMP alerts from the agent, SNMP v1 and v2c community strings and SNMP v3 authentication and privacy passwords can be stored in encrypted format in the PCTRAPS.RKANDATV trap configuration file.
If you are enabling Centralized Configuration, the ConfigServer password attributes can be encrypted when they are stored in a PCCFGLST.RKANDATV Configuration Load List file or when they are supplied with the IRA_CONFIG_SERVER_PASSWORD parameter in the KPCENV environment file.
On Windows, Linux, and UNIX systems, passwords and community strings are encrypted and decrypted using the GSKit encryption utilities provided by the Tivoli® Management Services infrastructure. On z/OS®, the equivalent of GSKit is the Integrated Cryptographic Service Facility (ICSF). If these strings are stored in encrypted format on z/OS, the ICSF subsystem must be available on the z/OS system, and the ICSF modules must be added to the z/OS monitoring agent startup PROC so that the agent can decrypt the strings for use.
Procedure
- Verify that at least one IBM® cryptographic coprocessor is installed and that ICSF is installed.
- Create a KAES256 member in the RKANPARU data set in the z/OS agent runtime environment. Be sure to use the same encryption key that is used throughout your environment. If the z/OS Configuration Tool has already created a KAES256 member with the same encryption key for a Tivoli Enterprise Monitoring Server on z/OS, and the z/OS agent is configured in the same runtime environment as the monitoring server, you can skip this step.
  - Copy the KAES256 member from the monitoring server's RKANPARU data set to the z/OS agent's RKANPARU data set.
  - Alternatively, you can copy the KAES256.ser file from the keyfiles directory of the distributed system where you will run the itmpwdsnmp tool to encrypt password and community strings. Upload the KAES256.ser file to the KAES256 member of the z/OS agent's RKANPARU data set in binary mode. KAES256.ser is 48 bytes on distributed systems and is padded with blanks in the KAES256 member of the RKANPARU data set.
  - For instructions on using the z/OS Configuration Tool to create the KAES256 member, see the "Configuring hub and remote monitoring servers on z/OS" topic in Configuring the Tivoli Enterprise Monitoring Server on z/OS.
- Concatenate the ICSF modules to the existing RKANMODL DDNAME in the startup PROC of the z/OS agent. Edit the z/OS agent startup PROC and add ICSF support to the RKANMODL DDNAME. The following example illustrates RKANMODL where CSF.SCSFMOD0 is the data set that contains the ICSF decryption modules:

  //RKANMODL DD DISP=SHR,DSN=my_load_modules
  //         DD DISP=SHR,DSN=TDOMPT.&LVMLVL..MODL
  //         DD DISP=SHR,DSN=TDOMPT.&CMSLVL..MODL
  //         DD DISP=SHR,DSN=CSF.SCSFMOD0
- Restart the monitoring server, the z/OS monitoring agent, or both.
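The key-file step above calls for a KAES256.ser that is exactly 48 bytes and that carries the same key used everywhere else in the environment; a truncated transfer or a mismatched key means the agent cannot decrypt the strings it is given. The following shell script is an added example, not part of the IBM documentation or the product, that checks both points before the file is uploaded to RKANPARU. The file names and the sample files it creates are constructed for the demonstration and are not real keys.

```shell
#!/bin/sh
# Added helper script (not part of IBM Tivoli Monitoring). Pre-upload checks
# for KAES256.ser: the file must be exactly 48 bytes, as the procedure states,
# and every copy used in the environment must hold the same key.

# Return 0 if the file exists and is exactly 48 bytes long.
kaes256_size_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -eq 48 ]
}

# Return 0 if every file after the first is byte-for-byte identical to the
# first (reference) file, i.e. all copies hold the same key.
kaes256_same_key() {
    ref="$1"
    shift
    for f in "$@"; do
        cmp -s "$ref" "$f" || return 1
    done
    return 0
}

# Combined pre-upload check: every file has the right size and all copies
# agree with the reference copy.
# Usage: kaes256_preflight reference.ser copy1.ser [copy2.ser ...]
kaes256_preflight() {
    for f in "$@"; do
        kaes256_size_ok "$f" || { echo "wrong size or missing: $f" >&2; return 1; }
    done
    kaes256_same_key "$@" || { echo "key files differ" >&2; return 1; }
    echo "KAES256.ser files are 48 bytes and identical"
}

# Constructed sample files for the demonstration; they are NOT real keys.
demo_dir=$(mktemp -d)
printf '%048d' 0 > "$demo_dir/KAES256.ser"          # 48 bytes, reference copy
cp "$demo_dir/KAES256.ser" "$demo_dir/agent.ser"    # identical copy for the agent
printf '%047d' 0 > "$demo_dir/truncated.ser"        # 47 bytes: a bad transfer
printf '%048d' 1 > "$demo_dir/otherkey.ser"         # 48 bytes but a different key

kaes256_preflight "$demo_dir/KAES256.ser" "$demo_dir/agent.ser"
```

Run the preflight against the monitoring server's copy as the reference and each file you intend to upload; a size other than 48 bytes usually means the file was transferred in text rather than binary mode, and a content mismatch means the agent would be configured with a key different from the one used to encrypt the strings.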
What to do next
Use the itmpwdsnmp utility to create the encrypted password and community strings. The utility is available only in the Tivoli Enterprise Monitoring Agent framework on distributed platforms. The agent framework can be installed from the Tivoli Monitoring Base DVD or the Tivoli Monitoring Agent DVD. Run the itmpwdsnmp tool in interactive mode on the distributed system to encrypt the passwords that will be placed in the configuration files. For instructions, see SNMP PassKey encryption: itmpwdsnmp.