Run the TM1Crypt utility
The password is encrypted with Advanced Encryption Standard, 256 bit, Cipher Block Chaining (AES-256-CBC).
Location
The TM1Crypt utility, tm1crypt.exe, is installed in the directory:
PA_install_directory\bin64
Syntax
Run the TM1Crypt utility from a command prompt with the following syntax:
tm1crypt.exe [<cmd_parm> <connect_parm> <password_parm>]
You can provide parameters with constant values in a configuration file when you run tm1crypt.
Command parameters
Parameter | Value | Description |
---|---|---|
i | filespec | Name of the file that contains default configuration parameters. Parameters specified in this file are used, unless overridden by parameters provided on the command prompt. If no path is specified, the TM1 Server directory is assumed. If -i is not specified, then other parameters must be specified to provide the process name, TM1 Server, and so on. |
connect | string | This parameter can be used to specify a section in the configuration file that contains parameters used to make server connections, such as user, pwd, or CAMnamespace. |
logpath | string | Enables logging and specifies the location of the log. |
action | string | 1 [default] - Generate encrypted password and key file; 2 - Encrypt server model; 3 - Decrypt server model; 4 - Encrypt file using server key; 5 - Decrypt file using server key; 6 - Rotate server key |
keyfile | string | Name of the generated file that contains the key. If no keyfile is specified, the default is tm1key.dat. |
outfile | string | Name of the generated file that contains the encrypted password. If no outfile is specified, the default is tm1cipher.dat. |
filesrc | string | Source file to perform conversion. Source is replaced with converted data unless file destination is provided. |
filedest | string | Source file to perform conversion. Source is replaced with converted data unless file destination is provided. |
filetype | string | 1 [default] - TM1 object file; 2 - Transaction log; 3 - Audit log |
minsbeforeshutdown | | Time before performing a shutdown when encrypting or decrypting a server model. |
validate | | Validate key file. |
| | Display help documentation including parameters and descriptions. |
| | Display a synopsis of command line parameters. |
Connect Parameters
Connect parameters are common across TM1 components and can be defined in their own section of a configuration file to reuse them.
Parameter | Value | Description |
---|---|---|
-adminhost | string | TM1 admin host |
-server | string | TM1 Server name |
-user | string | TM1 or Cognos Access Manager (CAM) username, depending on the type of authentication that is used by the TM1 Server. |
-securitymode | | Security mode used to connect to the TM1 Server. The mode must match the value in the TM1 Server configuration file. |
-retryattempts | | Number of attempts to connect to the TM1 Server. |
-retryinterval | | Time in seconds to retry connection to the TM1 Server. |
-keystorefile | filespec | The full path of the key database file that contains the trusted certificate authorities. |
-keystashfile | filespec | The full path of the file that contains the password that is used to access the key database file. |
-FIPSOperationMode | 1, 2, or 3 | Indicates FIPS mode of operation. FIPS_MODE = 1 (default); FIPS_APPROVED = 2; FIPS_NONE = 3 |
CAMNamespace | id | The ID of the Cognos Access Manager (CAM) namespace. This parameter is the namespace ID, not the namespace name. |
Password Parameters
Passwords are either prompted for on the command line or supplied by using an encrypted file provided by the passwordfile parameter.
Parameter | Value | Description |
---|---|---|
pwd | string | Password for the username given in the -user parameter, in clear text. For greater security, the password can be specified in an encrypted file using the -passwordfile parameter. This parameter is ignored on the command line. You are prompted for the password. |
passwordfile | filespec | Filename of the file containing the encrypted password for the user specified by -user. If no path is specified, the TM1 Server directory will be assumed. When this option is used, you cannot use -pwd. |
-passwordkeyfile | filespec | If the passwordfile parameter is given, a key file is also required to decrypt the password. The password file and key file can be created using the TM1Crypt tool. |
Example
For example, the command
tm1crypt.exe -keyfile btkey.dat -outfile btprk.dat -validate
generates two files:
- btkey.dat contains the key that is used to encrypt/decrypt the password for the private key.
- btprk.dat contains the encrypted password for the private key.
The generated files are written to the PA_install_directory\bin directory.
Using the pwd parameter on the command line does not display an error, but the pwd parameter is ignored. You are prompted for the password and must verify it.
TM1Crypt configuration file
[tm1crypt]
#connect=ConnectParams
#retryattempts=3
#retryinterval=3
### Actions ###
##1 - OPERATION_CRYPT_PWD
##2 - OPERATION_ENCRYPT_MODEL
##3 - OPERATION_DECRYPT_MODEL
##4 - OPERATION_ENCRYPT_FILE
##5 - OPERATION_DECRYPT_FILE
##6 - OPERATION_ROTATE_KEY
###
#action=
### File Types
##1 - Object File //default
##2 - Transaction Log
##3 - Audit Log
###
#filetype=
### Valid path for logs files
#logpath=
### Path to file source and destination
#filesrc=
#filedest=
#adminhost=
#server=
#user=
#pwd=
#camnamespace=
[Connect - ConnectParams]
#adminhost=
#server=
#user=
#pwd=
#camnamespace=
#passwordfile=
#passwordkeyfile=
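
The following is an added example, not IBM's code: a small Python linter for the configuration file above that applies the rules from the Password Parameters table (pwd is clear text, passwordfile cannot be combined with pwd and requires passwordkeyfile) and checks action and filetype against the values listed on this page. The sample file contents, user name, password and server name are constructed, and parsing the file with Python's configparser is an assumption about its INI-like layout.

```python
import configparser

VALID_ACTIONS = {"1", "2", "3", "4", "5", "6"}   # action values listed on this page
VALID_FILETYPES = {"1", "2", "3"}                # filetype values listed on this page

# Constructed sample, modelled on the template above with some keys uncommented.
SAMPLE = """\
[tm1crypt]
connect=ConnectParams
action=7
filetype=2
user=admin
pwd=Example-Passw0rd

[Connect - ConnectParams]
server=ExampleServer
user=admin
passwordfile=tm1cipher.dat
"""

def lint_tm1crypt_config(text):
    """Return (section, key, message) findings for a tm1crypt configuration file."""
    cfg = configparser.ConfigParser(comment_prefixes=("#",), interpolation=None)
    cfg.read_string(text)
    findings = []
    for name in cfg.sections():
        sec = cfg[name]
        has_pwd = bool(sec.get("pwd", "").strip())
        has_pwfile = bool(sec.get("passwordfile", "").strip())
        has_keyfile = bool(sec.get("passwordkeyfile", "").strip())
        if has_pwd:
            findings.append((name, "pwd", "clear-text password stored in file"))
        if has_pwd and has_pwfile:
            findings.append((name, "pwd", "pwd cannot be combined with passwordfile"))
        if has_pwfile and not has_keyfile:
            findings.append((name, "passwordfile", "passwordkeyfile is required"))
        action = sec.get("action", "").strip()
        if action and action not in VALID_ACTIONS:
            findings.append((name, "action", f"unknown action {action!r}"))
        filetype = sec.get("filetype", "").strip()
        if filetype and filetype not in VALID_FILETYPES:
            findings.append((name, "filetype", f"unknown filetype {filetype!r}"))
    return findings

if __name__ == "__main__":
    for section, key, message in lint_tm1crypt_config(SAMPLE):
        print(f"[{section}] {key}: {message}")
```

Run against the constructed sample, it reports the clear-text pwd and the out-of-range action in [tm1crypt], and the passwordfile without a passwordkeyfile in the connect section.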