Configuring a user-defined key for password encryption involves defining the AES-128 key
location in the EGO_KEYFILE parameter of the ego.conf
file, using the egogenkey tool to generate the key file, and using the
egoapplykey command to apply the key file. Once complete, enable password
encryption using the AES-128 key.
Before you begin
- Ensure that IBM® Spectrum Symphony is
installed on management hosts in your cluster.
- Ensure that the two key file locations you specify in this task are different: the temporary location you give to egogenkey and the permanent location (EGO_KEYFILE) that egoapplykey writes to. The two tools cannot use the same path.
Procedure
- Stop the cluster:
- Log on to the primary host as the cluster administrator.
- Run the following commands to stop the cluster:
# egosh service stop all
# egosh ego shutdown
- Specify the path where the AES-128 key is to be stored permanently. Define this setting before you run the egoapplykey tool in a later step: egoapplykey applies the generated key file and stores it in the location you define here.
- Open the $EGO_CONFDIR/ego.conf file on your IBM Spectrum Symphony management host.
- Locate the EGO_KEYFILE parameter and specify the absolute path of the file in which the generated AES-128 key is to be stored. Use the following syntax:
EGO_KEYFILE=keyfile_location
For example, if you want egoapplykey to store the key file as /mykeyfiles/seckey.conf, specify EGO_KEYFILE=/mykeyfiles/seckey.conf.
Notes:
- Do not use the same location as where you temporarily store your generated AES-128 key when
running egogenkey in the next step.
- Place the key file in a secure location. Only management hosts in the cluster require access to
the key file.
- The EGO_KEYFILE parameter is not defined by default. If a value is not
specified or the parameter is not defined, the built-in key is used instead.
- Save the ego.conf file.
- Generate an AES-128 key by running egogenkey.
Note: When prompted for a temporary key file storage location, do not use the location where egoapplykey will later store the key file permanently (the EGO_KEYFILE path).
Here is an example of the output for running egogenkey:
[egoadmin@host1 ego]$ egogenkey
Enter location to store temporary key file: /tmp/seckey.conf
- For security, set the ownership and permissions of the generated key file so that it is owned by the OS cluster administrator and readable and writable by the owner only: owner=os_clusteradmin, permission=600.
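Before running egoapplykey it is worth checking the three things the steps above depend on: that EGO_KEYFILE is defined in ego.conf (otherwise the built-in key stays in use), that the temporary path given to egogenkey differs from the EGO_KEYFILE path, and that the key file is mode 600 and owned by the cluster administrator. The following preflight script is an added example and is not part of IBM Spectrum Symphony or its documentation; it assumes ego.conf uses plain NAME=value lines as shown above and that GNU or BSD stat is available. The function names and the sample ego.conf it creates are ours.

```shell
#!/bin/sh
# Added example: preflight checks before egoapplykey. Not IBM code.
# Assumes NAME=value lines in ego.conf and a GNU or BSD stat command.

# Set EGO_KEYFILE in an ego.conf file, replacing an existing definition or
# appending one. Rejects relative paths: the parameter must be absolute.
set_ego_keyfile() {
    conf="$1"
    keyfile="$2"
    case "$keyfile" in
        /*) ;;
        *)  echo "EGO_KEYFILE must be an absolute path: $keyfile" >&2; return 1 ;;
    esac
    if grep -q '^EGO_KEYFILE=' "$conf" 2>/dev/null; then
        tmp="$conf.tmp.$$"
        # Use | as the sed delimiter so the slashes in the path need no escaping.
        sed "s|^EGO_KEYFILE=.*|EGO_KEYFILE=$keyfile|" "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        printf 'EGO_KEYFILE=%s\n' "$keyfile" >> "$conf"
    fi
}

# Print the configured EGO_KEYFILE value. An empty result means the parameter
# is not defined, so the cluster would fall back to the built-in key.
get_ego_keyfile() {
    sed -n 's/^EGO_KEYFILE=//p' "$1" 2>/dev/null | tail -n 1
}

# The temporary location given to egogenkey and the permanent EGO_KEYFILE
# location must differ: egoapplykey reads the former and writes the latter.
check_paths_differ() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Numeric mode and owner name of a file: GNU stat first, BSD stat as fallback.
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"; }
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# A key file must be mode 600 and owned by the OS cluster administrator.
check_keyfile_perms() {
    keyfile="$1"
    expected_owner="$2"
    [ -f "$keyfile" ] && [ "$(file_mode "$keyfile")" = "600" ] \
        && [ "$(file_owner "$keyfile")" = "$expected_owner" ]
}

# Run every check; prints one line per failure and returns nonzero if any fails.
# Usage: preflight "$EGO_CONFDIR/ego.conf" /tmp/seckey.conf egoadmin
preflight() {
    conf="$1"; tmp_key="$2"; admin="$3"
    rc=0
    perm_key=$(get_ego_keyfile "$conf")
    if [ -z "$perm_key" ]; then
        echo "FAIL: EGO_KEYFILE is not set in $conf (built-in key would be used)"; rc=1
    fi
    check_paths_differ "$tmp_key" "$perm_key" \
        || { echo "FAIL: temporary and permanent key file paths are the same"; rc=1; }
    check_keyfile_perms "$tmp_key" "$admin" \
        || { echo "FAIL: $tmp_key is not mode 600 owned by $admin"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: ready to run egoapplykey"
    return "$rc"
}
```

Run preflight as the cluster administrator after egogenkey has written the temporary key file; a nonzero exit means one of the preconditions above is not met and egoapplykey should not be run yet.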
- Apply the generated AES-128 key:
- To enable database recovery in case of fatal errors,
back up $EGO_CONFDIR/users.xml and the key file
specified by EGO_KEYFILE in $EGO_CONFDIR/ego.conf.
- Run egoapplykey. This tool reads the temporary key file and stores the resulting key file in the location specified by the EGO_KEYFILE parameter in step 2 (for example, /mykeyfiles/seckey.conf).
- If egoapplykey runs successfully and you do not need to roll back to the previous key (the one with which the passwords in users.xml were encrypted before), delete the backed-up files. Until then, protect the backup as strictly as the key file itself, because it contains the old key and the passwords encrypted with it.
Here is an example of the output for running egoapplykey:
[egoadmin@host1 ego]$ egoapplykey
To enable database recovery in case of fatal errors, back up users.xml
and the key file specified by EGO_KEYFILE before proceeding. Continue
Y/N? y
Enter location of temporary key file: /tmp/seckey.conf
Enter Admin password: Admin
Applying temporary key file to generate new encryption key...
New encryption key has been applied successfully and saved to location
specified by EGO_KEYFILE.
- If you configured the AD or PAM plug-in as the security plug-in, use the following commands to stash the Admin password:
- For AD plug-in: egostashpass-ad
- For PAM plug-in: egostashpass-pam
- Start the cluster with the following command: