Encrypting passwords (optional)

How to encrypt passwords required by the installation, upgrade, and management processes.

This picture describes the steps required for installing the full IBM Workload Scheduler software stack. You are now at step 2: optionally encrypting passwords.

You can optionally encrypt the passwords that you will use while installing, upgrading, and managing IBM Workload Scheduler. The secure command uses the AES method and prints the encrypted password to the screen or saves it to a file.

Note: It is important you understand the limits to the protection that this method provides. The custom passphrase you use to encrypt the passwords is stored in clear format in the passphrase_variables.xml file, stored in configureDropin. To fully understand the implications of this method, it is recommended you read the information provided by WebSphere Application Server Liberty Base at the link Liberty: The limits to protection through password encryption.

You can perform a typical procedure, which uses a custom passphrase, as described in the following scenario. For more information about all secure arguments and default values, see Optional password encryption - secure script.

Encrytping the password
  1. Browse to the folder where the secure command is located:
    • Before the installation, the command is located in the product image directory, <image_directory>/TWS/<op_sys>/Tivoli_LWA_<op_sys>/TWS/bin
    • After the installation, the command is located in TWA_home/TWS/bin
  2. Depending on your operating system, encrypt the password as follows:
    Windows operating systems
    secure -password password -passphrase passphrase
    UNIX operating systems
    ./secure -password password -passphrase passphrase
    z/OS operating systems
    ./secure -password password -passphrase passphrase
    where
    -password
    Specifies the password to be encrypted.
    -passphrase
    Specifies the custom passphrase that is used to generate the key with which the command encrypts the password. If you set this parameter, inform the user who installs IBM Workload Automation that they must define the SECUREWRAP_PASSPHRASE environment variable in the same shell from which they run the installation command, and set it to the same value as the passphrase parameter. On Windows operating systems, the passphrase must be at least 8 characters long. This argument generates a password which can be reused for all IBM Workload Scheduler components. This parameter is mutually exclusive with the #awspiencryptpwd__d946e260 parameter, which generates a password which can be decrypted only on the local workstation and not reused for other components.
  3. Provide both the encrypted password and custom passphrase to the user in charge of installing IBM Workload Automation. You can use encrypted passwords only in association with the specific passphrase used to encrypt them.

Installing with the encrypted password

The user in charge of installing IBM Workload Automation must set the SECUREWRAP_PASSPHRASE environment variable by performing the following steps:
  1. Open a brand new shell session.
  2. Ensure that no value is set for the SECUREWRAP_PASSPHRASE environment variable.
  3. Define the SECUREWRAP_PASSPHRASE environment variable and set it to the passphrase defined by the user who ran the secure command, as follows:
    SECUREWRAP_PASSPHRASE=<passphrase>

    You can use encrypted passwords only in association with the specific passphrase used to encrypt them.

  4. In the same shell session, provide the encrypted passwords when running any command that uses a password. An encrypted password looks like the following example:
    {aes}AFC3jj9cROYyqR+3CONBzVi8deLb2Bossb9GGroh8UmDPGikIkzXZzid3nzY0IhnSg=
You can now proceed to Creating and populating the database.