The IBM Security Directory Integrator Encryption utility
In the TDI_install_dir/serverapi directory you find a utility (cryptoutils) that lets you decrypt and re-encrypt files (for example, the Identity Registry file) so that you can edit the file manually. The utility takes the following parameters.
- input
  - {required} Specifies the file to be encrypted or decrypted.
- output
  - {required} Specifies the new file that is created with the resulting data after the encryption or decryption is done. If the file exists, it is overwritten.
- mode
  - {required} Specifies the mode in which the tool operates; it can be one of the following modes:
    - encrypt: encrypt the User Registry
    - decrypt: decrypt the User Registry
    - encrypt_config: encrypt an IBM Security Directory Integrator configuration file or a JavaScript file
    - decrypt_config: decrypt an IBM Security Directory Integrator configuration file or a JavaScript file
    - encrypt_props: encrypt the values of all protected properties in an IBM Security Directory Integrator properties file
    - decrypt_props: decrypt the values of all protected properties in an IBM Security Directory Integrator properties file
  - Note: User Registry files are encrypted differently from configuration and JavaScript files.
- keystore
  - {required} Specifies the keystore file which contains the key for encryption/decryption.
- storepass
  - {required} Specifies the password of the keystore file.
- alias
  - {required} Specifies the alias of the encryption/decryption key in the keystore.
- keypass
  - {optional} Specifies the password of the encryption/decryption key; by default, the keystore password is used to access the key.
- transformation
  - {optional} Specifies the name of the cryptographic transformation used for encryption/decryption; it can be RSA or any secret-key transformation (for example, AES/CBC/PKCS5Padding); the default is RSA.
- storetype
  - {optional} Specifies the type of the keystore file (for example, JKS); this parameter is case-insensitive (JCEKS and jceks are equivalent); if this parameter is missing, the default keystore type of the JRE (configured by the "keystore.type" security property in the JRE's java.security file) is used.
- cryptoproviderclass
  - {optional} Specifies the Java security provider that is used for encryption/decryption (but not for keystore access); by default the providers from the JRE's security provider list (configured in the JRE's java.security file) are used.
- Encrypt the User Registry
  - An IBM Security Directory Integrator Server running in secure mode requires that the User Registry is encrypted with the Server key. You can encrypt a plaintext User Registry file like this:
    cryptoutils -input registry.txt -output registry.enc -mode encrypt -keystore ../testserver.jks -storepass server -alias server
- Decrypt an IBM Security Directory Integrator configuration
  - cryptoutils -input myconfig.enc.xml -output myconfig.xml -mode decrypt_config -keystore ../testserver.jks -storepass server -alias server
  - This command decrypts the "myconfig.enc.xml" configuration file (possibly created by an IBM Security Directory Integrator Server that runs in secure mode). The decrypted configuration "myconfig.xml" can now be modified with the Configuration Editor. After modifying the configuration, it can be encrypted again so that an IBM Security Directory Integrator Server in secure mode can read and use it.
- Encrypt an IBM Security Directory Integrator configuration using a symmetric cipher (rather than the default "RSA")
  - cryptoutils -input myconfig.xml -output myconfig.enc.xml -mode encrypt_config -keystore ../server.jck -storepass server -alias server -transformation AES/CBC/PKCS5Padding -storetype jceks
  - The above command assumes that the keystore "server.jck" exists and contains an AES secret key under the alias "server".
- Decrypt the global.properties file
  - The IBM Security Directory Integrator Server automatically encrypts the values of protected properties when reading the global.properties or solution.properties file. You can decrypt all encrypted values in the global.properties file like this:
    cryptoutils -input ../etc/global.properties -output ../etc/global.properties -mode decrypt_props -keystore ../testserver.jks -storepass server -alias server
  - By contrast with the other modes, the encryption/decryption modes for property files encrypt/decrypt only the values of the protected properties and not the whole file. Thus, after encrypting a .properties file using encrypt_props mode, the property keys and the comments in the file are still human-readable. For more information on protected properties, see the sections Standard encryption of global.properties or solution.properties and Encryption of properties in external property files.
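The decrypt, edit and re-encrypt cycle described above, wrapped in a small POSIX shell script. This is an added example and not IBM's code; it assumes cryptoutils is on PATH (or named by a hypothetical CRYPTOUTILS variable), that the keystore parameters come from the hypothetical SDI_KEYSTORE, SDI_STOREPASS and SDI_ALIAS variables (defaults taken from the page's examples), and that EDITOR names the editor.

```shell
#!/bin/sh
# Added example, not IBM's code: decrypt an encrypted SDI configuration
# with cryptoutils, edit it, and re-encrypt it without leaving plaintext
# behind. Assumptions: cryptoutils is on PATH (or named by CRYPTOUTILS),
# keystore parameters come from SDI_KEYSTORE/SDI_STOREPASS/SDI_ALIAS,
# and the editor is $EDITOR. All of these variable names are hypothetical.
set -eu

: "${CRYPTOUTILS:=cryptoutils}"
: "${SDI_KEYSTORE:=../testserver.jks}"   # defaults mirror the page's examples
: "${SDI_STOREPASS:=server}"
: "${SDI_ALIAS:=server}"

# run_cryptoutils MODE INPUT OUTPUT [extra cryptoutils options...]
# Rejects unknown modes up front, so a typo cannot overwrite OUTPUT with
# the wrong kind of output. Extra options such as -transformation and
# -storetype are passed through unchanged.
run_cryptoutils() {
    mode=$1 src=$2 dst=$3
    shift 3
    case "$mode" in
        encrypt|decrypt|encrypt_config|decrypt_config|encrypt_props|decrypt_props) ;;
        *) echo "run_cryptoutils: unknown mode '$mode'" >&2; return 2 ;;
    esac
    # -storepass on the command line is visible to local users in process listings.
    "$CRYPTOUTILS" -input "$src" -output "$dst" -mode "$mode" \
        -keystore "$SDI_KEYSTORE" -storepass "$SDI_STOREPASS" -alias "$SDI_ALIAS" ${1+"$@"}
}

# edit_encrypted_config ENC_FILE
# The body is a subshell so the restrictive umask and the cleanup trap
# stay local to this function.
edit_encrypted_config() (
    enc=$1
    umask 077                      # plaintext copy readable by the owner only
    tmp=$(mktemp "${TMPDIR:-/tmp}/sdi-config.XXXXXX")
    trap 'rm -f "$tmp"' EXIT       # remove the plaintext even on failure
    run_cryptoutils decrypt_config "$enc" "$tmp"
    "${EDITOR:-vi}" "$tmp"
    run_cryptoutils encrypt_config "$tmp" "$enc"   # overwrites ENC_FILE in place
)

# Example: edit_encrypted_config myconfig.enc.xml
```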