Generating secure keystore passwords for code coverage

To prevent storing plain text passwords, run z/OS® Debugger Password File Generator to generate a keystore password properties file with an encrypted password.

About this task

z/OS Debugger Password File Generator generates a keystore password properties file with an encrypted password. Run this tool from the command line before starting the headless code coverage collector in secure mode. For more information, see Starting and stopping the headless code coverage collector.
Note:
  • Headless Code Coverage for Windows and Linux is deprecated.
  • Headless Code Coverage for Windows and Linux is not available with IBM® Debug for z/OS®.

Procedure

  1. Create a properties file that contains a valid path to a keystore file. If the file is for configuring Code Coverage Service, the key must be ccskeystorefile. If the file is for starting the daemon in secured mode, or for configuring authorization, the key must be keystorefile. The keystore password does not have to be specified in the properties file before running the tool. If specified, it will be overwritten.
    • On Windows and Linux, you can find the following sample files:
      • <install_location>/headless-cc/ccskeystoreinfo.properties
      • <install_location>/headless-cc/keystoreinfo.properties
    • On z/OS, you can find the following sample files:
      • /usr/lpp/IBM/debug/headless-code-coverage/ccskeystoreinfo.properties
      • /usr/lpp/IBM/debug/headless-code-coverage/keystoreinfo.properties
  2. Start the z/OS Debugger Password File Generator with the desired command-line options.

    > genpassword -tool=<ccs|ccdaemon> -filename=<path>

    Note:
    • z/OS Debugger Password File Generator cannot be run in the Remote Shell.
    • If you are running the tool on Windows or Linux, the executables are in the headless-cc subdirectory where you installed the product.
    • If you are running the tool on z/OS®, execute the genpassword.sh script in /usr/lpp/IBM/debug/headless-code-coverage/bin/.

  3. If the provided keystore properties file is valid, you will be prompted to enter a password. Type your keystore password and press Enter. The password will not be displayed on the console.
  4. If genpassword runs successfully, you will see messages CRRDG9411I and CRRDF9415W on the console.
  5. Secure your file with appropriate file system permissions.
Note: Different encryption and decryption methods are supported depending on the Java version. You must use the same version of Java that runs the genpassword when you run the headless code coverage.
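One way to check steps 1 and 5 before starting the collector, as an added example that is not part of the IBM documentation or product: the function confirms that the properties file carries the key required for the chosen tool, that the keystore it names exists, and that the file is not accessible to group or other. The function names, return codes, the plain key=value parsing and the owner-only permission policy are assumptions of this example.

```shell
#!/bin/sh
# Added example, not IBM code. Assumes plain key=value lines and that
# the keystore path needs no Java-properties unescaping.

# required_key TOOL: print the property key this page requires for TOOL
required_key() {
  case "$1" in
    ccs)      echo ccskeystorefile ;;
    ccdaemon) echo keystorefile ;;
    *)        return 1 ;;
  esac
}

# prop_value FILE KEY: print the value of the first "KEY=value" line
prop_value() {
  sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_keystore_props TOOL FILE
# Returns 0 ok, 2 bad tool, 3 unreadable file, 4 required key missing,
# 5 keystore file not found, 6 properties file open to group/other.
check_keystore_props() {
  key=$(required_key "$1") || { echo "tool must be ccs or ccdaemon" >&2; return 2; }
  [ -r "$2" ] || { echo "cannot read $2" >&2; return 3; }
  ks=$(prop_value "$2" "$key")
  [ -n "$ks" ] || { echo "$2: no $key entry" >&2; return 4; }
  [ -f "$ks" ] || { echo "$key names a missing file: $ks" >&2; return 5; }
  # ls -ld mode string, e.g. -rw-------: columns 5-10 are group and other
  mode=$(ls -ld -- "$2" | cut -c5-10)
  if [ "$mode" != "------" ]; then
    echo "$2 is open to group/other ($mode); restrict it, e.g. chmod 600" >&2
    return 6
  fi
  return 0
}

# Script use: sh check.sh <ccs|ccdaemon> <properties file>
if [ "$#" -eq 2 ]; then
  check_keystore_props "$1" "$2"
fi
```

Because genpassword rewrites the properties file, run the check again after step 4 so that the permissions of the rewritten file are the ones verified.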
Syntax diagram for the genpassword command is shown here. You can use either the single letter parameter or the complete one for each option. All parameters and values are case-sensitive.
genpassword -h,help -v,version -t,tool=<ccs|ccdaemon|rds> -f,filename=<path>
Options list
Format: genpassword [options]
-t,tool=<ccs|ccdaemon|rds>
Specify a tool where you use the keystore properties file.
  • Use -t,tool=ccs if the keystore properties file contains the ccskeystorefile and ccskeystorepassword property keys.
  • Use -t,tool=ccdaemon if the keystore properties file contains the keystorefile and keystorepassword property keys.
Note: genpassword can also be used to generate encrypted passwords that can be used with Remote Debug Service. See Generating secure keystore passwords for Remote Debug Service.
-f,filename=<path>
Specify a path to the keystore properties file. The keystore properties file must contain a path to a keystore file (ccskeystorefile or keystorefile format). If it contains a keystore password, it will get overwritten with an encrypted password.
Note: The updated keystore properties file is stored in UTF-8 regardless of the provided file's encoding. The encoding must remain in UTF-8 when passed into the headless code coverage collector.
-v,version
Prints the product version.
-h,help
Prints the help screen.