Resetting the password encryption key

About this task

The Integrated Cryptographic Services Facility (ICSF) uses a symmetric key to encrypt and decrypt data. The key is known as symmetric because the same key is used to transform plain text to cipher text (encryption) as is used to transform cipher text back to plain text (decryption). The configuration process creates a key file named KAES256 in rhilev.rte_name.RKANPARU and loads the encrypted key into it.

The same key must be used on all Tivoli Management Services components in your enterprise. For example, the encryption key you set for the Tivoli Enterprise Portal must be the same value you specify for the encryption key for the hub monitoring server, and the key you set for each of the remote monitoring servers that connect to the hub must also have the same value. If you reset the key for one component, you must reset it for all of them.

The encryption key has the following characteristics:
  • The key must be 32 bytes in length.
  • The key is case-sensitive.
  • The key cannot contain an ampersand (&).

If you change the encryption key on any component, you must change the key to the same value on all components that connect to the same hub.

Procedure

  1. When using Configuration Manager to configure the hub runtime environment (RTE), add or change the RTE_SECURITY_KAES256_KEY parameter in RTEDEF(rte_name). When using PARMGEN to configure the hub runtime environment (RTE), set the RTE_SECURITY_KAES256_KEY parameter to the new value, as shown below:
    
     ** -------------------------------------------------------------------
     ** (Required) KAES256 encryption key:
     ...
     ...
     ** -------------------------------------------------------------------
     RTE_SECURITY_KAES256_KEY     "IBMTivoliMonitoringEncryptionKey"

     ** -------------------------------------------------------------------
    
  2. When using Configuration Manager, simply run the GENERATE action. When using PARMGEN, rerun the $PARSE or $PARSESV (if variables are enabled) composite job.
    The PARMGEN composite jobs recreate the following members:
    WKANSAMU(KDSDKAES)
        Stand-alone Tivoli Management Services on z/OS password encryption job, if you want a sample job that you can edit manually.
    WKANSAMU(KCIJPSEC)
        Composite security job's KAES256 step, if you want a file-tailored job.
    WKANSAMU(IBMDS)
        Monitoring server started task to concatenate the ICSF load library in the STEPLIB DDNAME.

    IBMDS is the IBM®-supplied default; set the value to whatever you specified for the KDS_TEMS_STC parameter.

    WKANSAMU(KDSDKAES) or WKANSAMU(KCIJPSEC)
        Creates the encryption key member.
    WKANPARU(KAES256) or WKANSAMU(KCISYPJB)
        Run either WKANPARU(KAES256), the stand-alone started task procedure copy job, or WKANSAMU(KCIJPSYS), the composite system copy job that copies the modified monitoring server started task to the system procedure library.
  3. When using Configuration Manager, simply run the GENERATE action again to refresh the required members. When using PARMGEN, resubmit the WKANSAMU(KDSDKAES) job to refresh the RKANPARU(KAES256) member.
  4. Adjust the Tivoli Enterprise Portal Server to also use the same password encryption key (the same key must be used across your enterprise).
  5. Recycle the Tivoli Enterprise Monitoring Server started task.
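
Before recycling the started tasks, it is worth confirming that every component carries the same, rule-compliant key. The following Python check is an added example, not IBM-supplied code: it assumes each component's profile text has been copied to a workstation as a string, and the function names (extract_key, check_key, fingerprint, audit) and the sample profiles are hypothetical.

```python
import hashlib
import re

# Value printed in this page's listing; it is public, so it is flagged if reused.
DOCUMENTED_SAMPLE = "IBMTivoliMonitoringEncryptionKey"
# Matches the parameter line, with or without a leading 6-digit editor number.
KEY_LINE = re.compile(r'^\s*(?:\d{6}\s+)?RTE_SECURITY_KAES256_KEY\s+"([^"]*)"', re.M)

def extract_key(profile_text):
    """Return the key value from profile text, or None if it is not set."""
    match = KEY_LINE.search(profile_text)
    return match.group(1) if match else None

def check_key(key):
    """Return the list of rule violations for one key (empty list means OK)."""
    if key is None:
        return ["parameter not set"]
    problems = []
    # Assumption: single-byte characters, so byte length equals character count.
    if len(key.encode("utf-8")) != 32:
        problems.append("key is not 32 bytes long")
    if "&" in key:
        problems.append("key contains an ampersand (&)")
    if key == DOCUMENTED_SAMPLE:
        problems.append("key is the sample value shown in the documentation")
    return problems

def fingerprint(key):
    """Short SHA-256 tag, so keys can be compared in reports without printing them."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:12]

def audit(profiles):
    """profiles maps component name -> profile text. Returns (problems, consistent)."""
    keys = {name: extract_key(text) for name, text in profiles.items()}
    problems = {n: p for n, k in keys.items() if (p := check_key(k))}
    # Exact, case-sensitive match: every component must carry the same value.
    tags = {fingerprint(k) if k is not None else None for k in keys.values()}
    return problems, len(tags) == 1 and None not in tags

# Constructed sample profiles for illustration; not real keys or configuration.
SAMPLE = {
    "HUB": 'RTE_SECURITY_KAES256_KEY     "Zq7wLm2XpR9tVb4NcY6hKd8sFj3GuE5a"\n',
    "REMOTE1": '** comment\nRTE_SECURITY_KAES256_KEY "zq7wLm2XpR9tVb4NcY6hKd8sFj3GuE5a"\n',
    "REMOTE2": 'RTE_SECURITY_KAES256_KEY "IBMTivoliMonitoringEncryptionKey"\n',
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

In the constructed sample, REMOTE1 differs from HUB only in the case of the first character, which is enough to make the set inconsistent because the key is case-sensitive.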