Configuring encryption length and type

Starting with Network Manager Fix Pack 9, you can use encryption keys between 128 and 256 bits. You can also choose CBC or EBC encryption. After upgrading to Fix Pack 9, you must complete some post-installation configuration steps in order to change from the default of 128 bits.

About this task

To use the default 128-bit encryption, you do not need to make any changes. To use 192-bit or 256-bit encryption, you must configure the Network Manager core components or GUI components manually. The encryption for the core components and the GUI is separate and can be different. Ensure that Storm uses the same encryption file and type as the core components.

Procedure

Configure the Network Manager core components.

  1. Shut down all Network Manager processes.
    You can use the itnm_stop command.
  2. If you want to change the length of the encryption key, edit the $NCHOME/etc/precision/ConfigSchema.cfg file and change the value that is inserted into config.settings.m_KeyLength to the length of the new key in bits. Permitted values are 128, 192 and 256.
  3. If you want to configure the encryption type, change the m_EncryptAlgorithm value to AES_CBC or AES_EBC.
  4. Use the nco_keygen utility to generate a new encryption key. Ensure that you specify the output file as $NCHOME/etc/security/keys/conf.key.

    For more information, refer to the topic Generating a key in a key file within the IBM Knowledge Center for IBM Tivoli Netcool/OMNIbus at http://www.ibm.com/support/knowledgecenter/SSSHTQ/landingpage/NetcoolOMNIbus.html.

  5. Restart all Network Manager processes.
    You can use the itnm_start command.
  6. Using the new encryption key, re-encrypt all the passwords that are currently used in configuration files. Run the ncp_crypt utility for each password by typing the following command:
    ncp_crypt -password password
    Where password is the password to encrypt.

If you changed the location of the key file or the encryption type for the core components, configure Storm to match.

  1. Edit the $NCHOME/precision/storm/conf/NMStormTopology.properties file.
  2. Configure the location of the key file by editing the following property:
    tnm.fips.key.location=/opt/IBM/tivoli/netcool/etc/security/keys/conf.key
  3. To change the encryption mode, edit the following property and set it to CBC or EBC:
    nm.cipher_mode=CBC

Configure the GUI components.

  1. Stop the GUI processes.
    You can use the stopServer.sh script. For more information about stopping the GUI server, see Restarting the Dashboard Application Services Hub server.
  2. Use the nco_keygen utility to generate a new encryption key. Ensure that you store the key file in the $NMGUI_HOME/profile/etc/tnm/encryption/keys directory. You can overwrite the existing key file or use a new name.
  3. If necessary, change the ownership of the key file to the operating system user who runs the GUI, and adjust the file permissions of the key file so that only that user has read permission on it.
  4. If you gave the key file a new name, edit the $NMGUI_HOME/profile/etc/tnm/tnm.properties file and change tnm.fips.key.location to point to it. The location is relative to $NMGUI_HOME/profile/etc/tnm.
  5. Restart the GUI processes.
    You can use the startServer.sh script. Refer to the topic Starting Network Manager for more information.
  6. Log in to the GUI as an administrator.
  7. Select Administration > Database Access Configuration from the menu.
  8. Enter the topology database password in the Password and Confirm password boxes.
  9. Click the Save icon.
  10. Log out.
  11. Restart the GUI again.
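
The following check is an added example, not IBM code or part of the original procedure. It verifies that NMStormTopology.properties names the same key file and cipher mode as the core components, and that the key file carries no group or other permissions, as the GUI step requires for its own key. The function names, the sample files, and the mapping of the Storm value CBC or EBC to the core value AES_CBC or AES_EBC are assumptions.

```shell
#!/bin/sh
# Added example (not IBM code): checks after changing the key or cipher mode.

# Print a property's value from a Java-style properties file (last one wins).
prop_get() {  # prop_get FILE KEY
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# True if FILE is a regular file readable by its owner and carrying no
# group/other permission bits. Ownership and ACLs are not inspected.
key_file_private() {  # key_file_private FILE
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c2-10)
    case "$perms" in
        r??------) return 0 ;;
    esac
    return 1
}

# Compare Storm's settings with the core components' key file and
# m_EncryptAlgorithm value (AES_CBC or AES_EBC). Assumption: Storm's CBC/EBC
# corresponds to the core value with the AES_ prefix removed.
check_storm() {  # check_storm PROPS_FILE CORE_KEY_FILE CORE_ALGORITHM
    rc=0
    loc=$(prop_get "$1" tnm.fips.key.location)
    mode=$(prop_get "$1" nm.cipher_mode)
    [ "$loc" = "$2" ] || { echo "FAIL key location: '$loc' != '$2'"; rc=1; }
    [ "AES_$mode" = "$3" ] || { echo "FAIL cipher mode: '$mode' vs '$3'"; rc=1; }
    key_file_private "$2" || { echo "FAIL key file permissions: $2"; rc=1; }
    return $rc
}

# Constructed sample layout in a temporary directory, for demonstration only.
demo_dir=$(mktemp -d)
printf 'constructed-sample-key\n' > "$demo_dir/conf.key"
chmod 400 "$demo_dir/conf.key"
cat > "$demo_dir/NMStormTopology.properties" <<EOF
# constructed sample
tnm.fips.key.location=$demo_dir/conf.key
nm.cipher_mode=CBC
EOF
check_storm "$demo_dir/NMStormTopology.properties" "$demo_dir/conf.key" AES_CBC \
    && echo "OK: Storm matches core settings"
```

On a real installation, pass the actual properties file, the core key file path, and the m_EncryptAlgorithm value from ConfigSchema.cfg instead of the constructed sample.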