Running the ObjectServer in secure mode

You can run the ObjectServer in secure mode. When you specify the -secure command-line option, the ObjectServer authenticates probe, gateway, and proxy server connections by requiring a user name and password.

Note: Secure mode can also be enabled in the ObjectServer props file:
SecureMode: TRUE # BOOLEAN (Secure authentication)

When a connection request is sent, the ObjectServer issues an authentication message. The probe, gateway, or proxy server must respond with the correct user name and password combination.

If you do not specify the -secure option, probe, gateway, and proxy server connection requests are not authenticated.

Note: Connections from other clients, such as the event list and SQL interactive interface, are always authenticated.

When connecting to a secure ObjectServer:
  • Each probe or proxy server that makes a connection must have the AuthUserName and AuthPassword properties specified in its properties file. For more information, see Common probe properties and command-line options.
  • Each unidirectional gateway that uses a properties file must have values specified for the Gate.Writer.Username, Gate.Writer.Password, Gate.Reader.Username, and Gate.Reader.Password properties. Each bidirectional gateway that uses a properties file must have values specified for the Gate.ObjectServerA.Username, Gate.ObjectServerA.Password, Gate.ObjectServerB.Username, and Gate.ObjectServerB.Password properties. Each gateway that uses a configuration file must have values specified for the AUTH_USER and AUTH_PASSWORD commands in the gateway configuration file. For more information, see Unidirectional gateway properties and Bidirectional gateway properties.

If the user name and password combination is incorrect, the ObjectServer issues an error message and rejects the connection.

You can choose any valid user name for the AuthUserName, Gate.Writer.Username, Gate.Reader.Username, Gate.ObjectServerA.Username, or Gate.ObjectServerB.Username property, or the AUTH_USER command.

Password encryption details for running in FIPS 140–2 mode and non-FIPS 140–2 mode are described in the following table.

Table 1. Password encryption in FIPS 140–2 mode and non-FIPS 140–2 mode (columns: Mode, Action)

Mode: FIPS 140–2 mode

Action: When in FIPS 140–2 mode, passwords can either be specified in plain text or in encrypted format. You can encrypt passwords by using property value encryption, as follows:

  1. If you do not yet have a key for encrypting the password, create one by running the nco_keygen utility, which is located in $NCHOME/omnibus/bin.
  2. Run the nco_aes_crypt utility to encrypt the password with the key that was generated by the nco_keygen utility. The nco_aes_crypt utility is also located in $NCHOME/omnibus/bin. Note that you must specify AES_FIPS as the algorithm to use for encrypting the password.
  3. Open the properties file to which you want to add the encrypted password and specify this encrypted output for the AuthPassword setting.
    Note: You must also set the ConfigKeyFile property to the key file that you specified when running nco_aes_crypt, and set the ConfigCryptoAlg property to the encryption algorithm used.

Mode: Non-FIPS 140–2 mode

Action: When in non-FIPS 140–2 mode, passwords can either be specified in plain text or in encrypted format. However, the client always transmits encrypted login information irrespective of the password encryption that is used in the properties file. You can encrypt passwords by using the nco_g_crypt utility or by using property value encryption, as follows:

  • To encrypt a password by using the nco_g_crypt utility, run the command as follows:

    $NCHOME/omnibus/bin/nco_g_crypt plaintext_password

    In this command, plaintext_password represents the unencrypted form of the password. The nco_g_crypt utility takes the unencrypted password and displays an encrypted version. Open the properties file to which you want to add the encrypted password and specify this encrypted output for the AuthPassword setting.

  • To encrypt a password by using property value encryption, you require a key that is generated with the nco_keygen utility. You can then run nco_aes_crypt to encrypt the password with the key. Note that you can specify either AES_FIPS or AES as the algorithm for encrypting the password. Use AES only if you need to maintain compatibility with passwords that were encrypted using the tools provided in versions earlier than Tivoli Netcool/OMNIbus V7.2.1.

    Open the file to which you want to add the encrypted password and specify this encrypted output for the AuthPassword setting.

    Note: You must also set the ConfigKeyFile property to the key file that you specified when running nco_aes_crypt, and set the ConfigCryptoAlg property to the encryption algorithm used.

A password encrypted with nco_g_crypt is specified in the same way as an unencrypted password when connecting to the ObjectServer. The ObjectServer automatically detects an encrypted password and performs the necessary decryption to verify the password during authentication.

Attention: Passwords encrypted with nco_g_crypt can be used in the same way as unencrypted passwords to access the ObjectServer. Therefore, you must set appropriate permissions on any files containing encrypted passwords to prevent unauthorized access. Alternatively, further encrypt passwords that have been encrypted with nco_g_crypt by using nco_aes_crypt, and set appropriate permissions on the key file.
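The following audit script is an added example, not an OMNIbus tool, that checks a probe or gateway properties file against the two requirements above: that a file holding an AuthPassword (plain text or nco_g_crypt) is not readable by other users, and that when property value encryption is used, ConfigKeyFile and ConfigCryptoAlg are set and the key file is equally protected. The property names come from this page; the `Name : 'value' # comment` line format and the sample files are assumptions.

```shell
#!/bin/sh
# Hypothetical audit helper (not an OMNIbus tool). It checks a probe or
# gateway properties file against the credential rules above. AuthPassword,
# ConfigKeyFile, ConfigCryptoAlg, AES_FIPS and AES are the documented names;
# the "Name : 'value'  # comment" line format is an assumption.

# Print the value of property $2 from file $1, quotes and trailing comment removed.
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*#.*//' -e "s/^'//" -e "s/'[[:space:]]*\$//" |
        head -n 1
}

# Succeed only if the file is readable by its owner alone (mode ends in 00).
perm_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || mode=$(stat -f '%Lp' "$1")
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# Audit one properties file: print findings and return 1 if any were found.
audit_props_file() {
    f=$1; rc=0
    pw=$(prop_value "$f" AuthPassword)
    [ -n "$pw" ] || return 0   # no credential in this file, nothing to check
    keyfile=$(prop_value "$f" ConfigKeyFile)
    alg=$(prop_value "$f" ConfigCryptoAlg)
    # A plain-text or nco_g_crypt password grants ObjectServer access as-is,
    # so the properties file itself must not be group- or world-readable.
    if ! perm_is_private "$f"; then
        echo "$f: properties file is readable by group or others"; rc=1
    fi
    if [ -z "$keyfile" ]; then
        echo "$f: AuthPassword relies on file permissions only (no ConfigKeyFile)"; rc=1
    else
        case "$alg" in
            AES_FIPS) ;;
            AES) echo "$f: note: ConfigCryptoAlg AES is for pre-7.2.1 compatibility only" ;;
            *)   echo "$f: ConfigCryptoAlg must be AES_FIPS or AES (got '$alg')"; rc=1 ;;
        esac
        # The key file decrypts every password encrypted with it.
        if [ ! -f "$keyfile" ]; then
            echo "$f: ConfigKeyFile '$keyfile' does not exist"; rc=1
        elif ! perm_is_private "$keyfile"; then
            echo "$f: key file '$keyfile' is readable by group or others"; rc=1
        fi
    fi
    return $rc
}

# Usage: sh audit_props.sh probe.props [gateway.props ...]
for props in "$@"; do audit_props_file "$props"; done
```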