AES encryption

IBM® Maximo® Real Estate and Facilities encrypts any third-party credentials that it stores in the database with AES encryption.

The Advanced Encryption Standard (AES) is a symmetric-key encryption algorithm. In Maximo Real Estate and Facilities, AES is used to encrypt and decrypt Business Object fields that are of the password type with reversible encryption enabled. The AES key is stored in a keystore in the database, and that keystore is protected by the <workspaceId>-facilities-vs--sn secret in the Red Hat OpenShift Container Platform. The <workspaceId>-facilities-vs--sn vault secret is passed to the pod, which uses it to unlock the PKCS #12 (.p12) keystore in the database that stores the AES key. A pod whose secret does not match the keystore cannot obtain the AES key and therefore cannot decrypt the stored credentials.

Important: If you are restoring from a backup, or want to use an existing test database, you must update the <workspaceId>-facilities-vs--sn vault secret in the Red Hat OpenShift Container Platform before you activate Maximo Real Estate and Facilities. If this secret is not detected during deployment, a new secret is created, and it does not match the keystore in the existing database.
Important: Back up the Maximo Real Estate and Facilities database regularly, and back up the <workspaceId>-facilities-vs--sn secret in the Red Hat OpenShift Container Platform together with it. A database backup without its matching secret cannot be used to recover the reversible password fields.

The PKCS #12 (.p12) keystore files are stored in /home/userfiles/resources/security/. The keystores in that /security/ directory and the keystore that is stored in the Maximo Real Estate and Facilities database have different purposes, and all of them are needed.

Administering AES

Access to the AES Encryption Manager must be granted to the admin user from the Admin Users tab.

In the Maximo Real Estate and Facilities Administrator Console, select AES Encryption to open the AES Encryption Manager. The AES Encryption Manager displays the status of the AES encryption keystore password for each Maximo Real Estate and Facilities pod that is pointing to the Maximo Real Estate and Facilities database.

For an initial installation, or when you bring up a database backup, create or update the <workspaceId>-facilities-vs--sn secret in the Red Hat OpenShift Container Platform so that it contains the correct keystore password.

Regenerating AES encryption keys

Click Regenerate AES Encryption Keys to run a utility that regenerates the AES encryption keys that are stored in the AES Encryption Keystore.

While this process is running, the system is locked: all active users except the user who started the process are logged out of the Maximo Real Estate and Facilities application, and further logins are disabled. If you are doing administrative tasks, such as Object Migration, Object Publishing, or other system configuration, log in to Maximo Real Estate and Facilities before you run this utility.

Forcing AES keystore password changes

If the password for the AES encryption keystore is not correct for a pod, a warning is displayed in the Administrator Console for that pod. The AES Encryption Manager indicates that the password is not valid and displays the Force AES Encryption Keystore Password Change button. If the password is not valid for one or more pods, you must update the password. Where the correct password is still available, correct it in the <workspaceId>-facilities-vs--sn secret rather than forcing a change, because forcing a change regenerates the keys.

Warning: Forcing an AES encryption keystore password change can cause irreversible data loss. Use this action with caution: it changes the AES encryption keys that are stored in the AES Encryption Keystore, so fields that were encrypted with the previous keys can no longer be decrypted.

Click Force AES Encryption Keystore Password Change to run a utility that regenerates the AES Encryption Keystore with the correct password. You must then reenter the reversible password fields on Maximo Real Estate and Facilities records.
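The chain described at the top of this page (vault secret unlocks keystore, keystore holds the AES key, AES key protects the reversible password fields) and the failure mode behind the warning above (a secret that does not match the keystore, followed by a forced password change that replaces the keys) are easier to reason about with a small model. The following Go program is an added example written for this page; it is not Maximo Real Estate and Facilities code and it does not read real PKCS #12 files. It assumes a simplified keystore (an AES-256 data key wrapped with AES-GCM under a PBKDF2 key derived from the keystore password), and the secret values, the sample credential, and all function names are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Keystore is an assumed, simplified stand-in for the PKCS #12 keystore (not the real format): an AES-256 data key wrapped with AES-GCM under a PBKDF2 key derived from the secret's password.
type Keystore struct{ Salt, Nonce, WrappedKey []byte }

func pbkdf2SHA256(password, salt []byte, iter int) []byte { // PBKDF2-HMAC-SHA256 (RFC 8018), one 32-byte block, stdlib only
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac = hmac.New(sha256.New, password)
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key in this example is 32 bytes, so this is unreachable
	}
	aead, _ := cipher.NewGCM(block) // AES always has a 128-bit block, which is all NewGCM checks
	return aead
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewKeystore wraps a fresh data key under password. It models both Regenerate AES Encryption Keys and Force AES Encryption Keystore Password Change: either one replaces the data key that protects stored fields.
func NewKeystore(password string) (Keystore, []byte) {
	ks := Keystore{Salt: randomBytes(16), Nonce: randomBytes(12)}
	dataKey := randomBytes(32)
	kek := pbkdf2SHA256([]byte(password), ks.Salt, 100000)
	ks.WrappedKey = gcm(kek).Seal(nil, ks.Nonce, dataKey, nil)
	return ks, dataKey
}

// Unlock recovers the data key. A wrong password fails GCM authentication on the wrapped key, which is the condition the AES Encryption Manager reports as an invalid keystore password for a pod.
func (ks Keystore) Unlock(password string) ([]byte, error) {
	kek := pbkdf2SHA256([]byte(password), ks.Salt, 100000)
	key, err := gcm(kek).Open(nil, ks.Nonce, ks.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("keystore password is not valid for this pod")
	}
	return key, nil
}

// EncryptField encrypts one reversible password field as nonce || ciphertext || tag.
func EncryptField(dataKey []byte, plaintext string) []byte {
	nonce := randomBytes(12)
	return append(nonce, gcm(dataKey).Seal(nil, nonce, []byte(plaintext), nil)...)
}

// DecryptField fails when dataKey is not the key the field was encrypted with, instead of returning garbage.
func DecryptField(dataKey, blob []byte) (string, error) {
	if len(blob) < 12 {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm(dataKey).Open(nil, blob[:12], blob[12:], nil)
	if err != nil {
		return "", errors.New("field was encrypted under a different AES key")
	}
	return string(pt), nil
}

// Scenario walks the documented failure mode with constructed values.
func Scenario() (roundTrip string, wrongSecretRejected, oldFieldsLost bool) {
	ks, _ := NewKeystore("secret-from-vault")       // initial deployment
	key, _ := ks.Unlock("secret-from-vault")        // a pod unlocks the keystore with the vault secret
	blob := EncryptField(key, "ldap-bind-password") // constructed sample credential
	roundTrip, _ = DecryptField(key, blob)
	_, unlockErr := ks.Unlock("new-secret") // database restored, but the secret was regenerated, not restored
	_, key2 := NewKeystore("new-secret")    // forced keystore password change: new keystore, new data key ...
	_, err := DecryptField(key2, blob)      // ... so fields encrypted under the old key no longer decrypt
	return roundTrip, unlockErr != nil, err != nil
}
```

Scenario is the entry point; a two-line main that prints its three results is all that is needed to run it with go run. The two properties worth noting are that a wrong secret never yields a wrong key silently (GCM authentication on the wrapped key fails, which is the per-pod warning state), and that a regenerated keystore carries a new data key, so fields encrypted under the old one fail authentication rather than decrypting to nonsense. That is the data loss the warning describes, and it is why the secret must be backed up and restored together with the database.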