Run the TM1Crypt utility

The TM1Crypt utility (tm1crypt.exe) is a command prompt that encrypts the password that the IBM® TM1® Server needs to access the private key. The utility can be used to convert a model or a file.

The password is encrypted with Advanced Encryption Standard, 256 bit, Cipher Block Chaining (AES-256-CBC).


The TM1Crypt utility, tm1crypt.exe, is installed in the directory:



Run the TM1Crypt utility from a command prompt with the following syntax:

tm1crypt.exe [<cmd_parm> <connect_parm> <password_parm>]

You can provide parameters with constant values in a configuration file when you run tm1crypt.

Command parameters

Table 1. TM1Crypt command parameters
Parameter Value Description
i filespec Name of the file that contains default configuration parameters. Parameters specified in this file are used, unless overridden by parameters provided on the command prompt. If no path is specified, the TM1 Server directory is assumed. If -i is not specified, then other parameters must be specified to provide the process name, TM1 Server, and so on.
connect string This parameter can be used to specify a section in the configuration file that contains parameters used to make server connections, such as user, pwd, or CAMnamespace.
logpath string Enables logging and specifies location of log.
action string 1 [default] - Generate encrypted password and key file

2 - Encrypt server model

3 - Decrypt server model

4 - Encrypt file using server key

5 - Decrypt file using server key

6 - Rotate server key

keyfile string Name of the file generated containing key. If no keyfile is specified the default is tm1key.dat.
outfile string Name of file generated encrypted password. If no outfile is specified the default is tm1cipher.dat.
filesrc string Source file to perform conversion. Source is replaced with converted data unless file destination is provided.
filedest string Source file to perform conversion. Source is replaced with converted data unless file destination is provided.
filetype string 1 [default] - TM1 object file

2 - Transaction log

3 - Audit log

minsbeforeshutdown   Time before performing a shutdown when encrypting or decrypting a server model.
validate   Validate key file.


  Display help documentation including parameters and descriptions.


  Display a synopsis of command line parameters.

Connect Parameters

Connect parameters are common across TM1 components and can be defined in their own section of a configuration file to reuse them.

Table 2. TM1Crypt connect parameters
Parameter Value Description
-adminhost string TM1 admin host
-server string TM1 Server name
-user string TM1 or Cognos Access Manager (CAM) username, depending on the type of authentication that is used by the TM1 Server.
-securitymode   Security mode used to connect to the TM1 Server. The mode must match the value in the TM1 Server configuration file.
-retryattempts   Number of attempts to connect to the TM1 Server.
-retryinterval   Time in seconds to retry connection to the TM1 Server.
-keystorefile filespec The full path of the key database file that contains the trusted certificate authorities.
-keystashfile filespec The full path of the file that contains the password that is used to access the key database file.
-FIPSOperationMode 1|2|3 Indicates FIPS mode of operation.

FIPS_MODE = 1 (default)



CAMNamespace id The ID of the Cognos Access Manager (CAM) namespace. This parameter is the namespace ID, not the namespace name.

Password Parameters

Passwords are either prompted for on the command line or supplied by using an encrypted file provided by the passwordfile parameter.

Table 3. TM1Crypt password parameters
Parameter Value Description
pwd string Password for the username given in the -user parameter, in clear text. For greater security, the password can be specified in an encrypted file using the -passwordfile parameter.

This parameter is ignored on the command line. You are prompted for the password.

passwordfile filespec Filename of the file containing the encrypted password for the user specified by -user. If no path is specified, the TM1 Server directory will be assumed. When this option is used, you cannot use -pwd.
-passwordkeyfile filespec If the passwordfile parameter is given, a key file is also required to decrypt the password. The password file and key file can be created using the TM1Crypt tool.


For example, the command

tm1crypt.exe -keyfile btkey.dat -outfile btprk.dat -validate

Generates two files:

  • btkey.dat contains the key that is used to encrypt/decrypt the password for the private key.
  • btprk.dat contains the encrypted password for the private key.

The generated files are written to the PA_install_directory\bin directory.

Note: The use of the pwd parameter on the command line does not display an error but the pwd parameter is ignored. You are prompted for the password and must verify it.

TM1Crypt configuration file


### Actions ###

### File Types
##1 - Object File //default
##2 - Transaction Log
##3 - Audit Log

### Valid path for logs files

### Path to file source and destination 


[Connect - ConnectParams]