Configuring a user-defined key for password encryption

Configuring a user-defined key for password encryption involves defining the AES-128 key location in the EGO_KEYFILE parameter of the ego.conf file, using the egogenkey tool to generate the key file, and using the egoapplykey command to apply the key file. Once complete, enable password encryption using the AES-128 key.

Before you begin

  • Ensure that IBM® Spectrum Symphony is installed on management hosts in your cluster.
  • Ensure that the paths you specify for key file storage when running the egogenkey and egoapplykey tools in this task are different. They cannot share the same locations.

Procedure

  1. Stop the cluster:
    1. Log on to the primary host as the cluster administrator.
    2. Run the following commands to stop the cluster:
      # egosh service stop all
      # egosh ego shutdown
  2. Specify the path to where the AES-128 key must be generated.

    Define this configuration before you run the egoapplykey tool in a later step. Running egoapplykey applies this generated key file and stores it in the location you define in this step.

    1. Open the $EGO_CONFDIR/ego.conf file on your IBM Spectrum Symphony management host.
    2. Locate the EGO_KEYFILE parameter, and specify the absolute path to the location where the generated AES-128 key is to be stored. Use the following syntax:
      EGO_KEYFILE=keyfile_location
      For example, if you want egoapplykey to store the key file at /mykeyfiles/seckey.conf, specify EGO_KEYFILE=/mykeyfiles/seckey.conf.
      Notes:
      1. Do not use the same location as where you temporarily store your generated AES-128 key when running egogenkey in the next step.
      2. Place the key file in a secure location. Only management hosts in the cluster require access to the key file.
      3. The EGO_KEYFILE parameter is not defined by default. If a value is not specified or the parameter is not defined, the built-in key is used instead.
    3. Save the ego.conf file.
  3. Generate an AES-128 key by running egogenkey.
    Note: When prompted to specify a temporary key file storage location, do not use the same location where you want to permanently store the key file when running egoapplykey later.
    Here is an example of the output for running egogenkey:
    [egoadmin@host1 ego]$ egogenkey
    Enter location to store temporary key file: /tmp/seckey.conf
  4. For security, set the ownership and permissions of the key file so that the owner is os_clusteradmin and the permissions are 600 (read and write for the owner only).
  5. Apply the generated AES-128 key:
    1. To enable database recovery in case of fatal errors, back up $EGO_CONFDIR/users.xml and the key file specified by EGO_KEYFILE in $EGO_CONFDIR/ego.conf.
    2. Run egoapplykey.

      This tool stores the key file in the location you specified in the EGO_KEYFILE parameter in step 2 (for example, in /mykeyfiles/seckey.conf).

    3. If egoapplykey runs successfully, and you do not need to roll back to the previous key used to encrypt passwords in users.xml, delete the backed-up files.
    Here is an example of the output for running egoapplykey:
    [egoadmin@host1 ego]$ egoapplykey
    To enable database recovery in case of fatal errors, back up users.xml
    and the key file specified by EGO_KEYFILE before proceeding. Continue
    Y/N? y
    Enter location of temporary key file: /tmp/seckey.conf
    Enter Admin password: Admin
    Applying temporary key file to generate new encryption key...
    New encryption key has been applied successfully and saved to location
    specified by EGO_KEYFILE.
  6. If you configured the AD or PAM plug-in as the security plug-in, use the following commands to stash the Admin password:
    • For AD plug-in: egostashpass-ad
    • For PAM plug-in: egostashpass-pam
  7. Start the cluster with the following command:
    # egosh ego start
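The following script is an added example, not part of the IBM Spectrum Symphony tooling: it performs the pre-flight checks that the procedure above relies on before egoapplykey is run (EGO_KEYFILE is defined in ego.conf, the temporary egogenkey location differs from it, and the applied key file ends up owned by the cluster administrator with mode 600). The conf file contents, paths and owner name it is run against are constructed for illustration.

```shell
#!/bin/sh
# Added pre-flight checks for the key procedure above (example code, not part
# of IBM Spectrum Symphony). Paths, conf contents and owner names are
# constructed for illustration.

# Print the EGO_KEYFILE value from an ego.conf; print nothing when the
# parameter is absent or empty (in which case the built-in key would be used).
get_keyfile_path() {
    sed -n 's/^[[:space:]]*EGO_KEYFILE=[[:space:]]*//p' "$1" | tail -n 1 | tr -d '"'
}

# Succeed only when a permanent location is defined and the temporary
# egogenkey location is different from it (the two must not be shared).
locations_differ() {
    tmp_key="$1"; perm_key="$2"
    [ -n "$perm_key" ] && [ "$tmp_key" != "$perm_key" ]
}

# Succeed only when the key file exists, is owned by the given user and has
# mode 600 (-rw-------). Uses ls rather than stat for portability.
keyfile_perms_ok() {
    keyfile="$1"; owner="$2"
    [ -f "$keyfile" ] || return 1
    actual_owner=$(ls -l "$keyfile" | awk '{print $3}')
    actual_mode=$(ls -l "$keyfile" | cut -c1-10)
    [ "$actual_owner" = "$owner" ] && [ "$actual_mode" = "-rw-------" ]
}

# Run all checks; prints one line per check and returns non-zero on any failure.
preflight() {
    conf="$1"; tmp_key="$2"; owner="$3"; rc=0
    perm_key=$(get_keyfile_path "$conf")
    if [ -z "$perm_key" ]; then
        echo "FAIL: EGO_KEYFILE not set in $conf (built-in key would be used)"; rc=1
    else
        echo "OK:   EGO_KEYFILE=$perm_key"
    fi
    if locations_differ "$tmp_key" "$perm_key"; then
        echo "OK:   temporary location $tmp_key differs from EGO_KEYFILE"
    else
        echo "FAIL: temporary and permanent key locations must differ"; rc=1
    fi
    if keyfile_perms_ok "$perm_key" "$owner"; then
        echo "OK:   $perm_key is owned by $owner with mode 600"
    else
        echo "FAIL: $perm_key must be owned by $owner with mode 600"; rc=1
    fi
    return $rc
}
```

Run it as `preflight "$EGO_CONFDIR/ego.conf" /tmp/seckey.conf os_clusteradmin` after step 4; a non-zero exit means one of the preconditions for step 5 is not met.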