Improving security of storing VM manager passwords

Available from 9.2.9.

To improve security of storing passwords to VM managers, you can overwrite the default key that is used to encrypt the passwords or change the default password to the VM Manager Tool keystore. These two procedures are independent. You can change the encryption key, the VM Manager Tool keystore password or both, depending on your needs.

Procedure

  • To overwrite the default key that is used to encrypt passwords to VM managers, perform the following steps.
    1. Go to the VM Manager Tool directory.
    2. Stop the VM Manager Tool.
      • For local VM Manager Tool, run the following script. The script also stops the License Metric Tool server.
        • Linux /opt/ibm/LMT/cli/srvstop.sh
        • Windows C:\Program Files\ibm\LMT\cli\srvstop.bat
      • For central, distributed, and disconnected VM Manager Tool, run the following command.
        • Linux ./vmman.sh -stop
        • Windows vmman.bat -stop
    3. Back up the config and keydb directories. By default, the directories are in the following location.
      • For local VM Manager Tool
        • Linux /opt/ibm/LMT/VMMAN
        • Windows C:\Program Files\ibm\LMT\VMMAN
      • For central and distributed VM Manager Tool
        • Linux /var/opt/BESClient/LMT/VMMAN
        • Windows C:\Program Files (x86)\BigFix Enterprise\BES Client\LMT\VMMAN
      • For disconnected VM Manager Tool
        • Linux <VM Manager Tool install dir>/VMMAN
        • Windows <VM Manager Tool install dir>\VMMAN
      If an error occurs during the regeneration of the key, restore these directories to their current locations.
    4. Run the following command.
      • Linux ./vmman.sh -regenerateencryptionkey
      • Windows vmman.bat -regenerateencryptionkey
    5. Start the VM Manager Tool.
      • For local VM Manager Tool, run the following script. The script also starts the License Metric Tool server.
        • Linux /opt/ibm/LMT/cli/srvstart.sh
        • Windows C:\Program Files\ibm\LMT\cli\srvstart.bat
      • For central, distributed, and disconnected VM Manager Tool, run the following command.
        • Linux ./vmman.sh -run
        • Windows vmman.bat -run
  • To change the default password to the VM Manager Tool keystore, perform the following steps.
    1. Go to the VM Manager Tool directory.
    2. Stop the VM Manager Tool.
      • For local VM Manager Tool, run the following script. The script also stops the License Metric Tool server.
        • Linux /opt/ibm/LMT/cli/srvstop.sh
        • Windows C:\Program Files\ibm\LMT\cli\srvstop.bat
      • For central, distributed, and disconnected VM Manager Tool, run the following command.
        • Linux ./vmman.sh -stop
        • Windows vmman.bat -stop
    3. Back up the VM Manager Tool keydb/keys.p12 and config/vmmmainconf.properties files. By default, the files are in the following location.
      • For local VM Manager Tool
        • Linux /opt/ibm/LMT/VMMAN
        • Windows C:\Program Files\ibm\LMT\VMMAN
      • For central and distributed VM Manager Tool
        • Linux /var/opt/BESClient/LMT/VMMAN
        • Windows C:\Program Files (x86)\BigFix Enterprise\BES Client\LMT\VMMAN
      • For disconnected VM Manager Tool
        • Linux <VM Manager Tool install dir>/VMMAN
        • Windows <VM Manager Tool install dir>\VMMAN
      If an error occurs while you change the VM Manager Tool keystore password, restore these files to their current locations.
    4. Create a txt file, for example keystore_password.txt. Provide the new VM Manager Tool keystore password in the customPassword parameter.
      customPassword=<new_password>
    5. To change the password, run the following command.
      • Linux ./vmman.sh -changepassword -file <file_location>/keystore_password.txt
      • Windows vmman.bat -changepassword -file <file_location>\keystore_password.txt
      Where -file is the path to the txt file in which you specified the new VM Manager Tool keystore password.
      After you run the command, the password is encrypted and saved in the vmmmainconf.properties file under the vmm_keystore_password_do_not_change_it parameter.
    6. After the new password is set, remove the txt file in which you specified the password.
    7. Start the VM Manager Tool.
      • For local VM Manager Tool, run the following script. The script also starts the License Metric Tool server.
        • Linux /opt/ibm/LMT/cli/srvstart.sh
        • Windows C:\Program Files\ibm\LMT\cli\srvstart.bat
      • For central, distributed, and disconnected VM Manager Tool, run the following command.
        • Linux ./vmman.sh -run
        • Windows vmman.bat -run
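
The keystore password procedure above briefly leaves the new password in a plaintext file, so the file's permissions and its removal matter. The following script is an added example, not IBM code, for a central, distributed, or disconnected VM Manager Tool on Linux. The function names, the backup directory argument, and the choice to leave the tool stopped after a failed change are assumptions. All paths must be absolute.

```sh
#!/bin/sh
# Added example (not IBM code). Function names and the backup directory
# argument are assumptions; the vmman.sh options are the ones on this page.

# Step 3: copy the keystore and its config into a private backup directory.
backup_keystore_files() (    # $1 = VMMAN directory, $2 = backup directory
    umask 077
    mkdir -p "$2/keydb" "$2/config" && chmod 700 "$2" &&
    cp -p "$1/keydb/keys.p12" "$2/keydb/" &&
    cp -p "$1/config/vmmmainconf.properties" "$2/config/"
)

# Step 4: write customPassword=<value> with mode 0600. The value comes from
# stdin so it never appears in the process list or in shell history.
write_password_file() (      # $1 = path of the txt file
    umask 077
    IFS= read -r pw || :
    [ -n "$pw" ] || exit 1
    rm -f "$1"
    printf 'customPassword=%s\n' "$pw" > "$1"
)

# Steps 1-7 for a central, distributed or disconnected VM Manager Tool.
change_keystore_password() ( # $1 = tool dir, $2 = VMMAN dir, $3 = backup dir
    pwfile="$3/keystore_password.txt"
    cd "$1" || exit 1
    ./vmman.sh -stop </dev/null || exit 1
    backup_keystore_files "$2" "$3" || exit 1
    write_password_file "$pwfile" || exit 1
    rc=0
    ./vmman.sh -changepassword -file "$pwfile" </dev/null || rc=$?
    rm -f "$pwfile"          # step 6, done whether or not the change worked
    if [ "$rc" -ne 0 ]; then # on error restore the backup, leave the tool stopped
        cp -p "$3/keydb/keys.p12" "$2/keydb/"
        cp -p "$3/config/vmmmainconf.properties" "$2/config/"
        exit "$rc"
    fi
    ./vmman.sh -run </dev/null
)

# Usage (password typed on stdin, not passed as an argument):
#   change_keystore_password /path/to/tool /path/to/VMMAN /root/vmman-backup
```

Because the password is read from standard input, it can be typed interactively or piped from a secrets manager, and it is never visible in the arguments of a running process.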