Generating a New Encryption Key with the Encryption Key Utility

Passwords and process-to-process communication in Watson™ Explorer Engine are secured with the AES-128-GCM encryption algorithm, which uses 128-bit keys, as implemented by OpenSSL. A default encryption key is included when you install Watson Explorer Engine. IBM recommends that you generate a new, unique key after installation for maximum security.

About this task

All of the following in Watson Explorer Engine will be encrypted using this encryption method:
  • All Distributed Indexing communications.
  • All passwords that are used to authenticate to external systems (e.g. the passwords needed for connectors in seeds, for remote push, collaboration features, etc.) will be stored in an encrypted form on disk.
  • Interprocess communication where passwords need to be transmitted.
Note: Indexes remain unencrypted in Watson Explorer Engine.

Additional note regarding security: Beginning with Watson Explorer version 11.0.0.1, all Watson Explorer user passwords are secured using the scrypt algorithm, which generates one-way cryptographic hashes. These user passwords are stored in users.xml.

Warning: Proceed with caution when generating a new encryption key. This key is used to encrypt and decrypt everything listed above.

  • If this key were stolen, all encrypted data would be at risk. It is strongly recommended that this encryption key be stored in a data vault with proper safeguards.
  • If it were lost, all encrypted passwords would need to be re-entered, and all system services would need to be restarted.

Important: You should generate ONE KEY on ONE SERVER and copy it to all other servers. Do not generate multiple keys. If you start using Watson Explorer and run the utility after that, the encryption key will be replaced, and you risk being unable to decrypt the data encrypted with the original key.

Procedure

  1. To generate a new encryption key, follow the option for your platform:
    • Linux: Start a terminal session (xterm, gnome-terminal, or other terminal application) and use the su or sudo -s command to become the root user. Enter <file-path>/generate-key.
      Note: Run generate-key -help if you would like to view additional system information before running the utility. This command does not run the utility. See generate-key to learn more about the generate-key command.
    • Windows: From a command prompt, run <file-path>\generate-key.exe. This command is located in <install_dir>\Engine\bin.
      Note: Run generate-key.exe -help if you would like to view additional system information before running the utility. This command does not run the utility.
    You will receive this message: "WARNING: An encryption keyfile already exists on disk. Any data encrypted using this key cannot be decrypted after generating a new key." (The encryption keyfile this warning refers to is the default id_vcrypt key included with Watson Explorer.) It is followed by the prompt: "Please confirm that you wish to continue [Y/N]"
  2. After you enter Y, you will receive the following messages:
    • "The existing keyfile has been backed up to <install_dir>\Engine\data\static\id_vcrypt.bak" (The old encryption key is backed up to this location in the event you accidentally generate a new key and need to restore the old one.)
    • "A new key has been generated and written to <install_dir>\Engine\data\static\id_vcrypt"
  3. Navigate to the id_vcrypt file to verify the key has been generated. (This file is located by default in <install_dir>\Engine\data\static\)
  4. Immediately store a copy of the encryption key in a safe place (such as a data vault) and secure it using your company's best practices. You should also safeguard the key stored in your Watson Explorer installation.
  5. Copy the key to the static directory of all other Watson Explorer servers that have Watson Explorer Engine installed. The default location of this directory is <install_dir>\Engine\data\static\
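The checks below are an added example (not part of IBM's tooling or this page) for steps 2 through 5 on Linux: they confirm that id_vcrypt actually differs from the id_vcrypt.bak backup, that the keyfile is not readable by other users, and that the copy on every other server matches the digest recorded on the server where the key was generated. They assume GNU coreutils (sha256sum, stat) and the default <install_dir>/Engine/data/static layout, passed in as a path.

```shell
#!/usr/bin/env bash
# Post-generation sanity checks for the Watson Explorer id_vcrypt keyfile.
# Added example; assumes GNU sha256sum/stat and a static dir path argument.

# SHA-256 digest of a file, used as a fingerprint to compare keys across servers.
key_digest() {
  sha256sum "$1" | awk '{print $1}'
}

# Step 2/3 check: id_vcrypt must exist, be non-empty and differ from id_vcrypt.bak.
# An identical pair means the utility was not actually run (or the backup was restored).
check_key_rotated() {
  local static_dir="$1"
  local key="$static_dir/id_vcrypt" bak="$static_dir/id_vcrypt.bak"
  [ -s "$key" ] || { echo "missing or empty keyfile: $key" >&2; return 1; }
  if [ -f "$bak" ] && [ "$(key_digest "$key")" = "$(key_digest "$bak")" ]; then
    echo "id_vcrypt is identical to id_vcrypt.bak: no new key was generated" >&2
    return 1
  fi
  return 0
}

# Step 4 check: a stolen key exposes every encrypted password, so the file must
# be readable by its owner only (0600 or 0400). Uses GNU stat (assumption).
check_key_perms() {
  local mode
  mode=$(stat -c '%a' "$1") || return 1
  case "$mode" in
    600|400) return 0 ;;
    *) echo "keyfile $1 has mode $mode; expected 600 or 400" >&2; return 1 ;;
  esac
}

# Step 5 check: after copying, every server must hold the one generated key.
# Record key_digest on the generating server and pass it here on each peer.
check_key_matches() {
  local expected="$1" key="$2"
  [ -f "$key" ] || { echo "missing keyfile: $key" >&2; return 1; }
  [ "$(key_digest "$key")" = "$expected" ]
}

# Runs all checks for one server; pass the expected digest as the 2nd argument
# on servers that received a copied key, or omit it on the generating server.
run_key_checks() {
  local static_dir="$1" expected="${2:-}"
  check_key_rotated "$static_dir" || return 1
  check_key_perms "$static_dir/id_vcrypt" || return 1
  if [ -n "$expected" ]; then
    check_key_matches "$expected" "$static_dir/id_vcrypt" || return 1
  fi
  return 0
}
```

On the generating server run `run_key_checks /path/to/Engine/data/static` and note `key_digest /path/to/Engine/data/static/id_vcrypt`; on each peer pass that digest as the second argument.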