AES encryption

AES encryption can be used to encrypt any string within the gateway writer section of the configuration file. It is used by the gateway to prevent sensitive data from being available in readable format in the gateway configuration file.

Note: AES encryption is supported on Tivoli® Netcool/OMNIbus V7.4.0 (and above) on all operating systems.

nco_aes_crypt

You can encrypt strings in the gateway configuration file using the nco_aes_crypt tool (supplied with Tivoli Netcool/OMNIbus). The syntax of encrypted data is as follows:
@datalength:encrypted_data@

Where datalength is the length, in characters, of the base64-encoded text that follows it, and encrypted_data is the AES ciphertext in base64 encoding. Note that datalength counts the base64 text, not the raw ciphertext: in the example below the field is 64, and 64 base64 characters carry 48 bytes of ciphertext (three 16-byte AES blocks). The at sign (@) indicates the start and end of the encrypted data definition. The colon (:) acts as a field separator.

The encrypted values appear in single quotes on the right side of expressions in the writer section of the configuration file. The following is an example line from a configuration file showing the host name given in encrypted format:
HOST ='@64:lHBLuIPLNye8zCWhykFVFY7y90V9kCjGK5GSWu5VBdSlgQOqarq6T4UK4xk5Vqix@'
Note: You can obtain the nco_aes_crypt tool from the IBM Passport Advantage website: http://www-306.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm. Access the Software Downloads section and search for Netcool/OMNIbus Gateway configuration encryption library.
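
The token syntax above can be checked mechanically before a value is trusted as "encrypted". The following Python is an added example for this page, not part of the Netcool/OMNIbus tooling; the function names parse_token, format_token and is_encrypted_value are assumed. It verifies that the length field matches the base64 text, that the base64 is well formed, and that the decoded ciphertext is a whole number of AES blocks, and it rebuilds a token from raw bytes. The HOST value from the example line above is used as input. It deliberately does not decrypt anything, because the page does not state the AES mode, IV or padding that nco_aes_crypt uses.

```python
import base64
import re

# Token shape from the page: '@' <decimal length> ':' <base64 text> '@'.
# The length field counts the base64 characters (64 and 44 in the page's
# own examples), not the decoded ciphertext bytes.
_TOKEN_RE = re.compile(r"^@(\d+):([A-Za-z0-9+/]+={0,2})@$")
AES_BLOCK = 16

# The HOST value from the example configuration line on this page.
EXAMPLE_HOST = "@64:lHBLuIPLNye8zCWhykFVFY7y90V9kCjGK5GSWu5VBdSlgQOqarq6T4UK4xk5Vqix@"


def parse_token(token: str) -> bytes:
    """Validate an @length:data@ token and return the raw ciphertext bytes.

    Raises ValueError on any structural problem so that a caller never
    treats a malformed or truncated value as an encrypted one.
    """
    m = _TOKEN_RE.match(token)
    if m is None:
        raise ValueError("not an @length:base64@ token")
    declared, b64 = int(m.group(1)), m.group(2)
    if declared != len(b64):
        raise ValueError(f"length field {declared} != {len(b64)} base64 chars")
    raw = base64.b64decode(b64, validate=True)
    # AES ciphertext is always a non-empty whole number of 16-byte blocks.
    if len(raw) == 0 or len(raw) % AES_BLOCK:
        raise ValueError(f"decoded {len(raw)} bytes, not a multiple of {AES_BLOCK}")
    return raw


def format_token(ciphertext: bytes) -> str:
    """Inverse of parse_token: wrap raw AES ciphertext in the token syntax."""
    if len(ciphertext) == 0 or len(ciphertext) % AES_BLOCK:
        raise ValueError("ciphertext must be a non-zero multiple of 16 bytes")
    b64 = base64.b64encode(ciphertext).decode("ascii")
    return f"@{len(b64)}:{b64}@"


def is_encrypted_value(value: str) -> bool:
    """True if a configuration value (without its quotes) is a well-formed token."""
    try:
        parse_token(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    raw = parse_token(EXAMPLE_HOST)
    print(len(raw), "ciphertext bytes;", len(raw) // AES_BLOCK, "AES blocks")
    print("round trip ok:", format_token(raw) == EXAMPLE_HOST)
    # Constructed bad inputs: wrong length field, plaintext, too-short ciphertext.
    for bad in ("@63:" + EXAMPLE_HOST[4:], "plain.host.example", "@4:abc=@"):
        print(repr(bad[:24]), "encrypted?", is_encrypted_value(bad))
```

A value that passes is_encrypted_value is only syntactically an encrypted token; whether it decrypts to anything meaningful still depends on the key file the gateway loads.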

Using the nco_aes_crypt tool

Data in the configuration file must be encrypted using the nco_aes_crypt tool.

This is a command line tool which takes the following format:
nco_aes_crypt [-d | -e] [-o outfile] -k keyfile -f filename
nco_aes_crypt [-d | -e] [-o outfile] -k keyfile data 

The output of this command will be the encrypted string to be used in the configuration file.

The following table describes the options available with nco_aes_crypt:
Table 1. nco_aes_crypt command line options

  -d or -e      Specifies the mode in which the nco_aes_crypt tool runs:
                d - decrypt mode
                e - encrypt mode
                The default is e.

  -o string     Specifies the output file to which the encrypted (or decrypted) data is written.

  -k string     Specifies the path of the file containing the key data.

  -f string     Specifies the path of the file containing the data to be encrypted or decrypted.

  data          Specifies the data to be encrypted or decrypted, given directly on the command line.

Prefer -f to the data argument when the input is a password: a value passed on the command line is visible to other users in the process list (ps) and is typically recorded in the shell history.

Encryption key file

The encryption key is stored in a flat file separate from the configuration file that holds the encrypted data. The key file consists of an ASCII numeric key length indicator followed by a colon and the key in binary form.

The format of the key file is as follows:
key_length:key_data
Where key_length is the length of the key in bits and key_data is the key as raw bytes (not hex digits, even though nco_keygen -k accepts the key as hex). Valid length values are 128, 192 and 256.
For example:
128:1234567812345678
In this case, key_length is 128 since the ASCII string 1234567812345678 is 16 bytes (128 bits) long.
You can generate random or pre-defined keys of varying lengths using nco_keygen. To generate a key file, use the following command:
nco_keygen -o outfile [-l length | -k key] [-h | -?]
The following table gives the descriptions of the above command line options.
Table 2. Encryption key file command line options

  -o outfile    Specifies the output file name.

  -l length     Specifies the length (in bits) of the key to write out. The default is 128.
                Note: The value that you specify must be divisible by 8, and for use with nco_aes_crypt it must be 128, 192 or 256.

  -k key        Specifies the key to be written out, expressed as hex digits.
                Note: This option bypasses automatic key generation.

  -h | -?       Prints the help information and exits.

Note: AES encryption is the initial encryption method for sensitive data. However, AES encryption alone does not make the data secure: the security of the data depends entirely on restricting access to the key file, because anyone who can read both the key file and the configuration file can recover the plaintext. Access to the key file is controlled using UNIX file permissions, so it should be owned by the user that runs the gateway and readable by no other user (for example, mode 0600).
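
The following Python is an added example for this page, not IBM's nco_keygen; the names write_key_file, read_key_file, parse_key_bytes and key_file_problems are assumed. It writes a random key in the key_length:key_data layout described above with owner-only permissions from the moment the file is created, parses a key file back and checks that the header agrees with the payload (the page's sample 128:1234567812345678 is used as a test input), and reports the two permission mistakes the note warns about: a key file owned by the wrong user, or one with any group or other permission bits set.

```python
import os
import secrets
import stat
import tempfile

VALID_KEY_BITS = (128, 192, 256)   # the key lengths the page lists for nco_aes_crypt


def parse_key_bytes(data: bytes) -> bytes:
    """Parse '<bits>:<raw key>' and check the header agrees with the payload."""
    header, sep, key = data.partition(b":")
    if not sep or not header.isdigit():
        raise ValueError("missing or non-numeric key_length header")
    bits = int(header.decode("ascii"))
    if bits not in VALID_KEY_BITS:
        raise ValueError(f"key_length {bits} is not one of {VALID_KEY_BITS}")
    if len(key) * 8 != bits:
        raise ValueError(f"header says {bits} bits but payload is {len(key) * 8}")
    return key


def read_key_file(path: str) -> bytes:
    with open(path, "rb") as f:
        return parse_key_bytes(f.read())


def write_key_file(path: str, bits: int = 128) -> bytes:
    """Write a random key in the page's key-file layout, owner read/write only."""
    if bits not in VALID_KEY_BITS:
        raise ValueError(f"key length must be one of {VALID_KEY_BITS}")
    key = secrets.token_bytes(bits // 8)
    # Create with mode 0600 in the open() call itself so there is no window in
    # which the key is readable by others before a later chmod.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(f"{bits}:".encode("ascii") + key)
    return key


def key_file_problems(path: str, expected_uid: int) -> list:
    """Return the permission problems on a key file (empty list means clean)."""
    st = os.stat(path)
    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"group/other bits set: {stat.filemode(st.st_mode)}")
    return problems


def demo() -> dict:
    """Create a key, read it back, then loosen permissions to show the check firing."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "gateway.key")
        key = write_key_file(path, 256)
        result = {"roundtrip": read_key_file(path) == key,
                  "before": key_file_problems(path, os.getuid())}
        os.chmod(path, 0o644)          # the misconfiguration to catch
        result["after"] = key_file_problems(path, os.getuid())
    return result


if __name__ == "__main__":
    r = demo()
    print("round trip ok:", r["roundtrip"])
    print("problems before chmod:", r["before"] or "none")
    print("problems after chmod 644:", r["after"])
```

Run key_file_problems against the path named in LOAD ENCRYPTION KEY FROM, with the uid of the gateway's service account, as a startup or deployment check; a non-empty result means the encryption is not protecting anything.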

Using encrypted data

To use encrypted data, you must add the following line to the WRITER section of the configuration file:
LOAD ENCRYPTION KEY FROM 'key_file_path' USING 'AES'
Where key_file_path is the path to the file containing the encryption key.

Running the ObjectServer in a secure mode

When the gateway connects to the ObjectServer running in secure mode, it needs to authenticate with a user name and password. This user name and password can be encrypted using the nco_aes_crypt tool.

To enable the encryption, the location of the key file must be specified at the beginning of the configuration file. This is followed by the AUTH_USER and AUTH_PASSWORD fields which contain the encrypted user name and password required for authentication.

The following example shows the three fields that need to be added at the beginning of the configuration file when the ObjectServer runs in a secure mode:
LOAD ENCRYPTION KEY FROM '/HOME/72/solaris/omnibus/keyfile_name' USING 'AES';
AUTH_USER '@44:2yXgd6fp9q1Ey4sSAb2RibzA3+PpCZmhAZXo6nNdkvQ=@';      # encrypted_user_name
AUTH_PASSWORD '@44:mdyEb8VTh+2wALnNlR7dnGnxRZ3BkMOQbR5IgxLlHuc=@';  # encrypted_password
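
A configuration file that was meant to carry only encrypted credentials is easy to get wrong: one field is left in clear, a token is hand-edited so its length field no longer matches, or the LOAD ENCRYPTION KEY statement is missing. The following Python is an added example for this page, not part of the gateway; the function name audit_config, the set of directive names it treats as sensitive, and the sample configuration are assumptions constructed for the illustration (the AUTH_USER token is the one from the example above). It walks a configuration, classifies each sensitive value as encrypted, plaintext or malformed, and records whether a key is loaded at all.

```python
import re

# Token shape from the page: '@' <decimal length> ':' <base64 text> '@'.
TOKEN = re.compile(r"^@(\d+):([A-Za-z0-9+/]+={0,2})@$")
# A directive of the form NAME 'value' or NAME = 'value'; the trailing ';'
# and any comment after the closing quote are ignored by the match.
ASSIGN = re.compile(r"^\s*([A-Za-z_]+)\s*=?\s*'([^']*)'")
# Directives whose values must never appear in clear (assumed policy).
SENSITIVE = {"AUTH_USER", "AUTH_PASSWORD", "HOST", "USER", "PASSWORD"}


def audit_config(text: str) -> dict:
    """Classify every sensitive directive as ok, plaintext or malformed."""
    out = {"key_loaded": False, "ok": [], "plaintext": [], "malformed": []}
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.upper().startswith("LOAD ENCRYPTION KEY"):
            out["key_loaded"] = True
            continue
        m = ASSIGN.match(line)
        if m is None or m.group(1).upper() not in SENSITIVE:
            continue
        name, value = m.group(1).upper(), m.group(2)
        t = TOKEN.match(value)
        if t is None:
            out["plaintext"].append((n, name))
        elif int(t.group(1)) != len(t.group(2)):
            out["malformed"].append((n, name))
        else:
            out["ok"].append((n, name))
    return out


# Constructed sample: the page's encrypted AUTH_USER, a password left in
# clear, a HOST token whose length field is wrong, and an unrelated line.
SAMPLE_CONFIG = """\
# gateway configuration (constructed for this example)
LOAD ENCRYPTION KEY FROM '/opt/omnibus/gateway.key' USING 'AES';
AUTH_USER '@44:2yXgd6fp9q1Ey4sSAb2RibzA3+PpCZmhAZXo6nNdkvQ=@';  # encrypted_user_name
AUTH_PASSWORD 'Sup3rSecret!';                                   # never encrypted
CREATE MAPPING StatusMap ( 'Identifier' = '@Identifier' );
HOST = '@63:lHBLuIPLNye8zCWhykFVFY7y90V9kCjGK5GSWu5VBdSlgQOqarq6T4UK4xk5Vqix@'
"""

if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    for kind in ("plaintext", "malformed"):
        for n, name in report[kind]:
            print(f"line {n}: {name} is {kind}")
    if not report["key_loaded"]:
        print("no LOAD ENCRYPTION KEY statement: tokens cannot be decrypted")
```

The classification is purely syntactic, which is the point: it catches the common operator mistakes without needing the key, so it can run in a pre-deployment check that has no access to the key file.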