Use the OpenSSL command-line tool, which is included with InfoSphere® MDM, to generate AES 128-, 192-, or 256-bit keys. The madpwd3 utility then uses the key to create the encrypted password.
Before you begin
Verify that these environment variables are set:
- On Microsoft Windows: set MAD_SSLLIB=ssleay32.dll and set MAD_SSLCRYPTOLIB=libeay32.dll
- On AIX® or Linux®: export MAD_SSLLIB=libssl.so and export MAD_SSLCRYPTOLIB=libcrypto.so
Procedure
- From a command line, go to MAD_ROOTDIR/bin, where MAD_ROOTDIR is either MDM_INSTALL_HOME or WAS_PROFILE_HOME/installedApps/CELL/MDM-native-APPNAME/native.war. For example:
  - On Microsoft Windows:
    cd C:\Program Files\IBM\MDM\bin
    or
    cd C:\IBM\WebSphere\AppServer\profiles\Node01\installedApps\localhostCell01\MDM-native-MDMInstance.ear\native.war\bin
  - On AIX or Linux:
    cd /opt/IBM/MDM/bin
    or
    cd /opt/IBM/WebSphere/AppServer/profiles/Node01/installedApps/localhostCell01/MDM-native-MDMInstance.ear/native.war/bin
- On the command line, type one of the following commands. “secret” is the passphrase from which the key is derived.
  - For a 128-bit key:
    openssl enc -aes-128-cbc -k secret -P -md sha1
  - For a 192-bit key:
    openssl enc -aes-192-cbc -k secret -P -md sha1
  - For a 256-bit key:
    openssl enc -aes-256-cbc -k secret -P -md sha1
  The output from the command is similar to:
  - 128-bit:
    salt=92AE31A79FEEB2A3
    key=770A8A65DA156D24EE2A093277530142
    iv=F5502320F8429037B8DAEF761B189D12
  - 192-bit:
    salt=D495560961CCCFE0
    key=4D92199549E0F2EF009B4160F3582E5528A11A45017F3EF8
    iv =35B2FF0795FB84BBD666DB8430CA214E
  - 256-bit:
    salt=263BC60258FF4876
    key=B374A26A71490437AA024E4FADD5B497FDFF1A8EA6FF12F6FB65AF2720B59CCF
    iv =7E892875A52C59A3B588306B13C31FBD
- Copy the key output into a .dat file, excluding the “key=” characters. For example, a “myaeskey.dat” file for a 256-bit key can contain:
    B374A26A71490437AA024E4FADD5B497FDFF1A8EA6FF12F6FB65AF2720B59CCF
  The file must not contain a carriage return or line feed.
- Place the iv output into another .dat file, excluding the “iv =” characters. For example, a “myiv.dat” file can contain:
    7E892875A52C59A3B588306B13C31FBD
  The file must not contain a carriage return or line feed.
  Important: If the key and iv are generated with another tool, you must verify that the result is hex-encoded and that the key is 32 characters for 128-bit, 48 characters for 192-bit, and 64 characters for 256-bit. The hex-encoded iv is 32 characters in length. Hex encoding means that each character in the key and iv is converted to its hexadecimal equivalent. For example, the letter “A” is “41” in hexadecimal. Hex encoding eases the storage and transport of the key and iv because the non-encoded versions of these items can contain ASCII control character sequences.
- Run the madpwd3 utility to generate the encrypted password. The key and iv can be supplied either from a file or directly on the command line: use the -keyfile and -ivfile options to read them from files, or the -key and -iv options to enter them at the command prompt. There is no limit on the length of the password input, and the output length is variable. For example:
    madpwd3 -keyfile myaeskey.dat -ivfile myaesiv.dat -in foopass
  generates this output:
    PLAINTEXT = (foopass)
    ENCRYPTED = (99CA56BDF62638567F456941650237AB)
    DECRYPTED = (foopass)
  The madconfig utility prompts for this information when creating InfoSphere MDM and InfoSphere MDM Message Brokers instances.
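The following Python script is added here as a worked example; it is not part of the IBM documentation or the product. It checks key and iv .dat files against the rules in the steps above (hex-encoded, correct length, no carriage return or line feed) and re-implements the derivation that openssl enc -k <pass> -md sha1 performs (EVP_BytesToKey with SHA-1, one iteration), which makes visible that the key is fully determined by the passphrase and salt, so a weak passphrase such as “secret” yields a key no stronger than the passphrase. The function names and the file paths are assumptions.

```python
"""Added example (not IBM's code): validate MDM key/iv .dat files and
reproduce the key derivation behind `openssl enc -k <pass> -P -md sha1`."""
import hashlib
import re

# Accepted hex-encoded key lengths (characters) and the AES key size each implies.
KEY_HEX_LENGTHS = {32: 128, 48: 192, 64: 256}
IV_HEX_LENGTH = 32  # AES block is 16 bytes -> 32 hex characters


def dat_problem(data: bytes, kind: str) -> str:
    """Return "" if the raw .dat content is acceptable, else the reason.
    kind is "key" or "iv". Work on bytes so a trailing newline is not hidden."""
    if b"\r" in data or b"\n" in data:
        return f"{kind} file contains a carriage return or line feed"
    if not re.fullmatch(rb"[0-9A-Fa-f]+", data):
        return f"{kind} file is not hex-encoded (or is empty)"
    if kind == "key" and len(data) not in KEY_HEX_LENGTHS:
        return f"key is {len(data)} hex characters; expected 32, 48 or 64"
    if kind == "iv" and len(data) != IV_HEX_LENGTH:
        return f"iv is {len(data)} hex characters; expected {IV_HEX_LENGTH}"
    return ""


def aes_bits(key_hex: bytes) -> int:
    """AES key size in bits implied by a valid hex-encoded key, 0 if invalid."""
    return KEY_HEX_LENGTHS[len(key_hex)] if dat_problem(key_hex, "key") == "" else 0


def evp_bytes_to_key_sha1(passphrase: bytes, salt: bytes, key_len: int) -> tuple:
    """OpenSSL EVP_BytesToKey with SHA-1, one iteration and a 16-byte IV: the
    derivation `openssl enc -aes-*-cbc -k <pass> -P -md sha1` uses when
    -pbkdf2 is not given. Returns (key_hex, iv_hex) in uppercase as printed."""
    iv_len = 16
    derived, block = b"", b""
    while len(derived) < key_len + iv_len:
        block = hashlib.sha1(block + passphrase + salt).digest()
        derived += block
    key, iv = derived[:key_len], derived[key_len:key_len + iv_len]
    return key.hex().upper(), iv.hex().upper()


def check_dat_files(key_path: str, iv_path: str) -> dict:
    """Read both files as raw bytes and report problems and the key size."""
    with open(key_path, "rb") as f:
        key = f.read()
    with open(iv_path, "rb") as f:
        iv = f.read()
    return {"key_problem": dat_problem(key, "key"),
            "iv_problem": dat_problem(iv, "iv"), "aes_bits": aes_bits(key)}
```

Call check_dat_files("myaeskey.dat", "myiv.dat") before running madpwd3; a non-empty key_problem or iv_problem string names what to fix. evp_bytes_to_key_sha1(b"secret", bytes.fromhex("263BC60258FF4876"), 32) derives a 256-bit key and iv from the passphrase and salt of the 256-bit sample.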
Results
AES decryption in InfoSphere MDM is supported through native OpenSSL APIs as well as Java™ APIs.