Generating AES keys and password

Use the OpenSSL command-line tool, which is included with InfoSphere® MDM, to generate AES 128-, 192-, or 256-bit keys. The madpwd3 utility is used to create the password.

1. From a command line, go to MAD_ROOTDIR/bin (either MDM_INSTALL_HOME or WAS_PROFILE_HOME/installedApps/CELL/MDM-native-APPNAME/native.war/bin). For example:
   • On Microsoft Windows:

     cd C:\Program Files\IBM\MDM\bin

     or

     cd C:\IBM\WebSphere\AppServer\profiles\Node01\installedApps\localhostCell01\MDM-native-MDMInstance.ear\native.war/bin

   • On AIX or Linux:

     cd /opt/IBM/MDM/bin

     or

     cd /opt/IBM/WebSphere/AppServer/profiles/Node01/installedApps/localhostCell01/MDM-native-MDMInstance.ear/native.war/bin

2. On the command line, type:
   • For 128-bit key:

     openssl enc -aes-128-cbc -k secret -P -md sha1

   • For 192-bit key:

     openssl enc -aes-192-cbc -k secret -P -md sha1

   • For 256-bit key:

     openssl enc -aes-256-cbc -k secret -P -md sha1

     “secret” is a passphrase for generating the key.

     The output from the command is similar to:

     • 128-bit:

       
       salt=92AE31A79FEEB2A3
       key=770A8A65DA156D24EE2A093277530142
       iv=F5502320F8429037B8DAEF761B189D12
       

     • 192-bit:

       
       salt=D495560961CCCFE0
       key=4D92199549E0F2EF009B4160F3582E5528A11A45017F3EF8
       iv =35B2FF0795FB84BBD666DB8430CA214E
       

     • 256-bit:

       
       salt=263BC60258FF4876
       key=B374A26A71490437AA024E4FADD5B497FDFF1A8EA6FF12F6FB65AF2720B59CCF
       iv =7E892875A52C59A3B588306B13C31FBD
       

3. Copy the key output into a .dat file, excluding the “key” characters. For example, a “myaeskey.dat” file for 256-bit can contain:

   
   B374A26A71490437AA024E4FADD5B497FDFF1A8EA6FF12F6FB65AF2720B59CCF
   

   Do not have a carriage return or line feed in the file.

4. Place the iv output into another .dat file, excluding the “iv” characters. For example, a myiv.dat file can contain:

   
   7E892875A52C59A3B588306B13C31FBD
   

   Do not have a carriage return or line feed in the file.

   Important: If the key and iv are generated with another tool, you must verify that the result is hex-encoded and that the size of the key for 128 is 32 characters, 192 is 48 characters, and 256 is 64 characters. The hex-encoded iv is 32 characters in length. Hex encoding means that each character in the key and iv are converted to its hexadecimal equivalent. For example, the letter “A” is “41” in hexadecimal. Hex encoding eases the storage and transport of the key and iv because the non-encoded versions of these items can contain ASCII control character sequences.
5. Run the madpwd3 utility to generate the encrypted password. The madpwd3 utility allows for the key and iv to be entered either from a file or directly on the command line. Use the -keyfile and -ivfile options to specify as a file or use the -key and -iv options to enter them at the command prompt. There is no limit on the length of the password input and the output length is variable. For example:

   
   madpwd3 -keyfile myaeskey.dat -ivfile myaesiv.dat -in foopass
   

   generates this output:

   
   PLAINTEXT = (foopass)
   ENCRYPTED = (99CA56BDF62638567F456941650237AB)
   DECRYPTED = (foopass)
   

   The madconfig utility prompts for this information when creating InfoSphere MDM and InfoSphere MDM Message Brokers instances.