AES encryption
AES encryption can be used to encrypt any string within the gateway writer section of the configuration file. It is used by the gateway to prevent sensitive data from being available in readable format in the gateway configuration file.
Encrypted data format
An encrypted string is written into the configuration file in the following form:
@datalength:encrypted_data@
Where datalength is the length, in bytes and expressed as a decimal number, of the base64-encoded data that follows the colon, and encrypted_data is the ciphertext itself, base64 encoded. The at sign (@) marks the start and end of the encrypted data definition, and the colon (:) acts as a field separator. For example:
HOST ='@64:lHBLuIPLNye8zCWhykFVFY7y90V9kCjGK5GSWu5VBdSlgQOqarq6T4UK4xk5Vqix@'
Here the base64 string is 64 characters long, so datalength is 64; it decodes to 48 bytes of ciphertext, that is, three 16-byte AES blocks. A datalength that does not match the length of the base64 string is the most common error when an encrypted value is edited by hand.
Using the nco_aes_crypt tool
Data in the configuration file must be encrypted using the nco_aes_crypt tool.
nco_aes_crypt [-d | -e] [-o outfile] -k keyfile -f filename
nco_aes_crypt [-d | -e] [-o outfile] -k keyfile data
The output of this command will be the encrypted string to be used in the configuration file.
Command line option | Description |
---|---|
-d or -e | Use this option to specify the mode in which the nco_aes_crypt tool runs: -d selects decrypt mode and -e selects encrypt mode. The default is -e. |
-o string | Use this option to specify the output file to which the encrypted (or, with -d, decrypted) data is written. |
-k string | Use this option to specify the path of the file containing the key data. |
-f string | Use this option to specify the path of the file containing the data to be encrypted or decrypted. |
data | Use this option to give the data to be encrypted or decrypted directly on the command line. |
Note: Secrets passed as data on the command line are visible in the process list and may be recorded in the shell history; for passwords, put the value in a file with restrictive permissions and use -f instead.
Encryption key file
The encryption key is stored in a flat file, separate from the configuration file that holds the encrypted data. The key file consists of an ASCII numeric key length indicator, a colon, and the key itself in binary form:
key_length:key_data
Where key_length is the length of the key in bits and key_data is the key in binary form. Valid length values are 128, 192 and 256. For example:
128:1234567812345678
In this case, key_length is 128 because the ASCII string 1234567812345678 is 16 bytes (128 bits) long. Anyone who can read both the key file and the configuration file can recover the plaintext, so restrict the key file's permissions to the user that the gateway runs as.
Using the nco_keygen tool
Key files are generated with the nco_keygen tool:
nco_keygen -o outfile [-l length | -k key] [-h | -?]
Command line option | Description |
---|---|
-o outfile | Use this option to specify the output file name. |
-l length | Use this option to specify the length (in bits) of the key to write out. The default is 128. Note: The value that you specify must be divisible by 8; because the gateway accepts only AES key lengths, use 128, 192 or 256. |
-k key | Use this option to specify the key to be written out, expressed as hex digits. Note: This option bypasses automatic key generation. |
-h or -? | Use this option to print the help information and exit. |
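The two formats above (the @datalength:encrypted_data@ token and the key_length:key_data key file) are simple enough to inspect by eye, but a small validator catches the mistakes that creep in when a configuration file is edited by hand: a miscounted datalength, a key file whose header does not match the key that follows it, or a key length that AES cannot use. The following Python is an added example and is not part of Netcool/OMNIbus or its tools. It does not reproduce nco_aes_crypt's ciphertext (the page does not state the cipher mode or IV), so it only checks the shape of the data; the HOST token and the 128:1234567812345678 key file are the ones shown on this page, and the 256-bit key built at the end is constructed for illustration.

```python
"""Shape checks for the '@datalength:encrypted_data@' token and the
'key_length:key_data' key file. Added example; not Netcool/OMNIbus code."""
import base64
import binascii
import re

AES_BLOCK_BYTES = 16
VALID_KEY_BITS = (128, 192, 256)

# '@' delimits the definition, ':' separates the length from the base64 text.
TOKEN_RE = re.compile(r"^@(\d+):([A-Za-z0-9+/=]+)@$")


def parse_encrypted_token(token: str) -> bytes:
    """Return the raw ciphertext carried by an '@len:base64@' token.

    'len' must equal the length of the base64 text (64 for the HOST example
    on this page, 44 for the AUTH_USER example); the decoded ciphertext must
    be a whole number of AES blocks.
    """
    m = TOKEN_RE.match(token)
    if not m:
        raise ValueError("token is not of the form @datalength:base64data@")
    declared, encoded = int(m.group(1)), m.group(2)
    if declared != len(encoded):
        raise ValueError(f"datalength {declared} != encoded length {len(encoded)}")
    try:
        raw = base64.b64decode(encoded, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"bad base64 in token: {exc}") from exc
    if len(raw) % AES_BLOCK_BYTES:
        raise ValueError(f"ciphertext is {len(raw)} bytes, not a multiple of {AES_BLOCK_BYTES}")
    return raw


def build_key_file(key: bytes) -> bytes:
    """Serialize a raw key as 'key_length:key_data' (length in bits, key in binary)."""
    bits = len(key) * 8
    if bits not in VALID_KEY_BITS:
        raise ValueError(f"key is {bits} bits; AES needs one of {VALID_KEY_BITS}")
    return f"{bits}:".encode("ascii") + key


def parse_key_file(blob: bytes) -> bytes:
    """Parse the contents of a key file and return the key bytes.

    The header is ASCII digits up to the first colon; everything after that
    colon is the key, so a colon byte inside the key itself is harmless.
    """
    prefix, sep, key = blob.partition(b":")
    if not sep or not prefix.isdigit():
        raise ValueError("key file must start with an ASCII bit length and a colon")
    bits = int(prefix)
    if bits not in VALID_KEY_BITS:
        raise ValueError(f"key length {bits} is not one of {VALID_KEY_BITS}")
    if len(key) * 8 != bits:
        raise ValueError(f"header says {bits} bits but key_data is {len(key) * 8} bits")
    return key


# Values taken from this page.
HOST_TOKEN = "@64:lHBLuIPLNye8zCWhykFVFY7y90V9kCjGK5GSWu5VBdSlgQOqarq6T4UK4xk5Vqix@"
SAMPLE_KEY_FILE = b"128:1234567812345678"

if __name__ == "__main__":
    ct = parse_encrypted_token(HOST_TOKEN)
    print(f"HOST token carries {len(ct)} bytes of ciphertext "
          f"({len(ct) // AES_BLOCK_BYTES} AES blocks)")
    key = parse_key_file(SAMPLE_KEY_FILE)
    print(f"sample key file holds a {len(key) * 8}-bit key")
    # Constructed 256-bit key, laid out the way a 256-bit key file would be.
    print(build_key_file(bytes(range(32)))[:4])
```

Run it against a real key file with `parse_key_file(open(path, "rb").read())`; because the key is binary, always open the file in binary mode, and never print the key bytes themselves.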
Using encrypted data
Before any encrypted value can be used, the configuration file must load the key with the following statement:
LOAD ENCRYPTION KEY FROM 'key_file_path' USING 'AES'
Where key_file_path is the path to the file containing the encryption key.
Running the ObjectServer in a secure mode
When the gateway connects to an ObjectServer running in secure mode, it must authenticate with a user name and password. Both can be encrypted using the nco_aes_crypt tool.
To enable the encryption, the LOAD ENCRYPTION KEY statement giving the location of the key file must appear at the beginning of the configuration file. It is followed by the AUTH_USER and AUTH_PASSWORD fields, which contain the encrypted user name and password required for authentication:
LOAD ENCRYPTION KEY FROM '/HOME/72/solaris/omnibus/keyfile_name' USING 'AES';
AUTH_USER '@44:2yXgd6fp9q1Ey4sSAb2RibzA3+PpCZmhAZXo6nNdkvQ=@';     # encrypted_user_name
AUTH_PASSWORD '@44:mdyEb8VTh+2wALnNlR7dnGnxRZ3BkMOQbR5IgxLlHuc=@'; # encrypted_password