Starting with Network Manager Fix Pack 9, you can use
encryption keys between 128 and 256 bits. You can also choose CBC or EBC encryption. After upgrading
to Fix Pack 9, you must complete some post-installation configuration steps in order to change from
the default of 128 bits.
About this task
To use the default 128-bit encryption, you do not need to make any changes. To use 192-bit or
256-bit encryption, you must configure the Network Manager core components or GUI
components manually. The encryption for the core components and the GUI is separate and can be
different. Ensure that Storm uses the same encryption file and type as the core components.
Procedure
Configure the Network Manager core components.
- Shut down all Network Manager processes. You can use the itnm_stop command.
- If you want to change the length of the encryption key, edit the
$NCHOME/etc/precision/ConfigSchema.cfg file and change the value that is inserted into
config.settings.m_KeyLength to the length of the new key in bits. Permitted values are 128, 192
and 256.
- If you want to configure the encryption type, change the m_EncryptAlgorithm value to AES_CBC or
AES_EBC.
- Use the nco_keygen utility to generate a new encryption key. Ensure
that you specify the output file as $NCHOME/etc/security/keys/conf.key.
- Restart all Network Manager processes. You can use the itnm_start command.
- Using the new encryption key, re-encrypt all the passwords currently used in configuration
files using the ncp_crypt utility by typing the following command.
ncp_crypt -password password
Where password is the password to encrypt.
If you changed the location of the key file or the encryption type for the core
components, configure Storm to match.
- Edit the $NCHOME/precision/storm/conf/NMStormTopology.properties file.
- Configure the location of the key file by editing the following property:
tnm.fips.key.location=/opt/IBM/tivoli/netcool/etc/security/keys/conf.key
- To change the encryption mode, edit the following property and set it to CBC or EBC:
Configure the GUI components.
- Stop the GUI processes.
- Use the nco_keygen utility to generate a new encryption key. Ensure that you store the key file
in the $NMGUI_HOME/profile/etc/tnm/encryption/keys directory. You can overwrite the existing key
file or use a new name.
- If necessary, adjust the file ownership of the key file to be owned by the operating
system user who runs the GUI, and adjust the file permissions of the key file so that only that user
has read permission on it.
- If you gave the key file a new name, edit the $NMGUI_HOME/profile/etc/tnm/tnm.properties file
and change tnm.fips.key.location to point to it. The location is relative to
$NMGUI_HOME/profile/etc/tnm.
- Restart the GUI processes.
- Log in to the GUI as an administrator.
- Select from the menu.
- Enter the topology database password in the Password and Confirm password boxes.
- Click the Save icon.
- Log out.
- Restart the GUI again.
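
The ownership and permission step for the GUI key file can be verified with a short shell check. This is an added example, not part of the product or its documentation; the function name check_key_file and the file name in the usage comment are placeholders chosen here.

```shell
#!/bin/sh
# check_key_file FILE OWNER   (hypothetical helper, not a product utility)
# OWNER is a user name or a numeric UID. Returns 0 only when FILE is a regular
# file owned by OWNER, readable by its owner, with no group/other permissions.
# Usage: check_key_file "$NMGUI_HOME/profile/etc/tnm/encryption/keys/<key file>" <GUI user>
check_key_file() {
    key_file=$1
    # Resolve a user name to a UID; accept an all-digit argument as a UID.
    case $2 in
        ''|*[!0-9]*) want_uid=$(id -u "$2" 2>/dev/null) || {
                         echo "FAIL: unknown user '$2'" >&2; return 2; } ;;
        *)           want_uid=$2 ;;
    esac
    if [ ! -f "$key_file" ]; then
        echo "FAIL: $key_file is not a regular file" >&2
        return 2
    fi
    # ls -ldn: field 1 is the mode string, field 3 the numeric owner UID.
    set -- $(ls -ldn -- "$key_file" | awk '{print $1, $3}')
    mode=$1 uid=$2
    rc=0
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $key_file is owned by UID $uid, expected $want_uid" >&2
        rc=1
    fi
    case $mode in
        # A trailing "+" means an ACL is set, which can grant access to others.
        -r??------+*) echo "FAIL: $key_file has an ACL; review it" >&2; rc=1 ;;
        # Owner can read; every group and other bit is clear.
        -r??------*)  ;;
        *)            echo "FAIL: $key_file mode is $mode" >&2; rc=1 ;;
    esac
    return $rc
}
```

Run it after generating or renaming the key file and before restarting the GUI; a non-zero return means the ownership or mode still needs adjusting.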