Generating AES keys and password

Use the OpenSSL command-line tool, which is included with InfoSphere® MDM, to generate AES 128-, 192-, or 256-bit keys. The madpwd3 utility then uses that key and iv to produce the encrypted password.

Before you begin

Verify that these environment variables are set:
  • On Microsoft Windows, set MAD_SSLLIB=ssleay32.dll and set MAD_SSLCRYPTOLIB=libeay32.dll
  • On AIX® or Linux®, export MAD_SSLLIB and MAD_SSLCRYPTOLIB

  1. From a command line, go to MAD_ROOTDIR/bin (either MDM_INSTALL_HOME or WAS_PROFILE_HOME/installedApps/CELL/MDM-native-APPNAME/native.war/bin). For example:
    • On Microsoft Windows:
      cd C:\Program Files\IBM\MDM\bin
      cd C:\IBM\WebSphere\AppServer\profiles\Node01\installedApps\localhostCell01\MDM-native-MDMInstance.ear\native.war\bin
    • On AIX or Linux:
      cd /opt/IBM/MDM/bin
      cd /opt/IBM/WebSphere/AppServer/profiles/Node01/installedApps/localhostCell01/MDM-native-MDMInstance.ear/native.war/bin
  2. On the command line, type:
    • For 128-bit key:
      openssl enc -aes-128-cbc -k secret -P -md sha1
    • For 192-bit key:
      openssl enc -aes-192-cbc -k secret -P -md sha1
    • For 256-bit key:
      openssl enc -aes-256-cbc -k secret -P -md sha1

      “secret” is the passphrase from which OpenSSL derives the key and iv (one SHA-1 pass over the passphrase and a random 8-byte salt, so the key is no stronger than the passphrase). Replace it with a long, random passphrase of your own. Because the salt is random, the command prints a different key and iv on every run; the -P option prints them and exits without encrypting anything.

      The output consists of a salt= line, a key= line and an iv = line. The iv = line looks similar to:

      • 192-bit:
        iv =35B2FF0795FB84BBD666DB8430CA214E
      • 256-bit:
        iv =7E892875A52C59A3B588306B13C31FBD
  3. Copy the key output into a .dat file, excluding the “key=” characters. For example, a “myaeskey.dat” file for a 256-bit key contains only the 64 hexadecimal characters that follow key= in the output.

    The file must not contain a carriage return or line feed, including at the end of the file.

  4. Place the iv output into another .dat file, excluding the “iv =” characters. For example, a “myaesiv.dat” file contains only the 32 hexadecimal characters that follow iv = in the output.

    The file must not contain a carriage return or line feed, including at the end of the file.

    Important: If the key and iv are generated with another tool, verify that the result is hex-encoded and that the key is 32 characters for a 128-bit key, 48 characters for a 192-bit key, and 64 characters for a 256-bit key. The hex-encoded iv is always 32 characters long (16 bytes, one AES block). Hex encoding means that each byte of the key and iv is written as two hexadecimal digits; for example, the byte for the letter “A” is “41” in hexadecimal. Hex encoding eases the storage and transport of the key and iv because the raw bytes can contain ASCII control characters. Treat both .dat files as secrets: anyone who can read them can decrypt every password produced with them, so restrict the files to the account that runs InfoSphere MDM and keep them out of source control.
  5. Run the madpwd3 utility to generate the encrypted password. The madpwd3 utility accepts the key and iv either from a file or directly on the command line: use the -keyfile and -ivfile options to read them from files, or the -key and -iv options to enter the hex values at the command prompt. There is no limit on the length of the password input, and the output length varies with the password length (it is padded up to a multiple of 16 bytes, so a short password yields 32 hex characters). Because the same key and iv are used for every password, two identical passwords produce the same ENCRYPTED value. For example:
    madpwd3 -keyfile myaeskey.dat -ivfile myaesiv.dat -in foopass

    generates this output:

    PLAINTEXT = (foopass)
    ENCRYPTED = (99CA56BDF62638567F456941650237AB)
    DECRYPTED = (foopass)

    The madconfig utility prompts for this information when creating InfoSphere MDM and InfoSphere MDM Message Brokers instances.
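The following Python script is an added example, not part of the InfoSphere MDM documentation or the madpwd3 tool. It reproduces the key and iv that `openssl enc -aes-<bits>-cbc -k <passphrase> -P -md sha1` derives (OpenSSL's EVP_BytesToKey with a single digest iteration, which is why the passphrase strength matters), applies the hex-length checks from the Important note in step 4, and writes the .dat files with no trailing line feed and owner-only permissions. The passphrase “secret”, the fixed salt and the file names are assumptions for illustration; a real OpenSSL run picks a random salt.

```python
"""Added example (not from the InfoSphere MDM docs): derive the key/iv the way
`openssl enc -k ... -P -md sha1` does, validate the hex encoding, and write the
.dat files that madpwd3 -keyfile/-ivfile expect. Sample passphrase, salt and
file names are constructed for illustration."""
import hashlib
import os
import re


def evp_bytes_to_key(passphrase: bytes, salt: bytes, key_len: int, iv_len: int,
                     md: str = "sha1"):
    """OpenSSL's EVP_BytesToKey with count=1 (what `openssl enc -k` uses):
    D_1 = H(P||S), D_i = H(D_{i-1}||P||S), key||iv = D_1||D_2||...
    A single hash pass means the key is exactly as guessable as the passphrase."""
    if len(salt) not in (0, 8):  # openssl uses an 8-byte salt, or none with -nosalt
        raise ValueError("salt must be empty or 8 bytes")
    derived, prev = b"", b""
    while len(derived) < key_len + iv_len:
        prev = hashlib.new(md, prev + passphrase + salt).digest()
        derived += prev
    return derived[:key_len], derived[key_len:key_len + iv_len]


def openssl_p_output(passphrase: bytes, salt: bytes, bits: int) -> dict:
    """What `openssl enc -aes-<bits>-cbc -k <passphrase> -P -md sha1` prints,
    as uppercase hex: salt=, key= (bits/8 bytes) and iv = (16 bytes)."""
    key, iv = evp_bytes_to_key(passphrase, salt, bits // 8, 16)
    return {"salt": salt.hex().upper(), "key": key.hex().upper(), "iv": iv.hex().upper()}


HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def key_iv_problems(key_hex: str, iv_hex: str, bits: int) -> list:
    """Checks from the doc's Important note. Returns an empty list when the
    values are acceptable: hex only, key of 32/48/64 chars for 128/192/256-bit
    keys, iv of 32 chars, and no carriage return or line feed anywhere."""
    expected_key_len = {128: 32, 192: 48, 256: 64}[bits]
    problems = []
    for name, value, want in (("key", key_hex, expected_key_len), ("iv", iv_hex, 32)):
        if "\r" in value or "\n" in value:
            problems.append(f"{name} contains a carriage return or line feed")
        elif not HEX_RE.match(value):
            problems.append(f"{name} is not hex-encoded")
        elif len(value) != want:
            problems.append(f"{name} is {len(value)} hex characters, expected {want}")
    return problems


def write_dat(path: str, hex_value: str) -> int:
    """Write the hex string with no trailing newline, readable only by the owner:
    these files are the secret behind every password madpwd3 produces."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", newline="") as f:
        return f.write(hex_value)


def read_dat(path: str) -> str:
    with open(path, "r", newline="") as f:
        return f.read()


if __name__ == "__main__":
    # Constructed sample: the doc's passphrase "secret" and a fixed 8-byte salt.
    out = openssl_p_output(b"secret", bytes.fromhex("0123456789ABCDEF"), 256)
    print(f"salt={out['salt']}\nkey={out['key']}\niv ={out['iv']}")
    problems = key_iv_problems(out["key"], out["iv"], 256)
    if problems:
        raise SystemExit("; ".join(problems))
    write_dat("myaeskey.dat", out["key"])   # assumed file names, as in the doc
    write_dat("myaesiv.dat", out["iv"])
    assert read_dat("myaeskey.dat") == out["key"]  # no CR/LF crept in
```

The key_iv_problems check is what to run on key and iv values produced by any other tool before handing them to madpwd3; the write_dat helper is the safe replacement for pasting into an editor, which usually appends a line feed.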


AES decryption in InfoSphere MDM is supported through native OpenSSL APIs as well as Java™ APIs.