Encryption

Encryption is the process of transforming data into an unintelligible form in such a way that the original data either cannot be obtained or can be obtained only by using a decryption process.

Fix Pack 5: TADDM uses the com.collation.security.algo.aes.keylength property to select the algorithm (AES 128 or AES 256) from the FIPS-compliant IBMJCEFIPS security provider that encrypts the following items:
  • Passwords, including entries in the collation.properties and userdata.xml files
  • Access list entries that are stored in the database
For example, the following entry defines the key length for AES:

com.collation.security.algo.aes.keylength=128

When you install TADDM for the first time, an encryption key is generated, and passwords are encrypted using this new encryption key. The default location for the encryption key is the etc/TADDMSec.properties file.

Changing the location of the TADDM encryption key

To change the location of the encryption key, change the value of the com.collation.security.key property in the collation.properties file. You can set the property to another location that is relative to the $COLLATION_HOME directory.

To avoid data loss, store a backup copy of the encryption key in a separate location. The key can be restored if a problem occurs with the original copy.
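
One way to script that backup, as an added example that is not IBM's or TADDM's own code: it reads com.collation.security.key from a collation.properties file, falls back to the default etc/TADDMSec.properties, and writes an owner-only, verified copy. The function names, the backup directory and the path to collation.properties (which the page does not give) are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example (not IBM code): back up the TADDM key file before moving or changing it.

# prop_value FILE NAME: print NAME's value from a Java-style properties file (last wins).
prop_value() {
    awk -v k="$2" '
        /^[ \t]*[#!]/ { next }                      # skip comment lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, k) != 1) next
            rest = substr(line, length(k) + 1)
            if (rest !~ /^[ \t]*[=:]/) next         # a longer name sharing the prefix
            sub(/^[ \t]*[=:][ \t]*/, "", rest); sub(/[ \t\r]+$/, "", rest)
            v = rest
        }
        END { if (v != "") print v }' "$1"
}

# key_path COLLATION_HOME PROPS: location from com.collation.security.key, else the default.
key_path() {
    rel=$(prop_value "$2" com.collation.security.key)
    [ -n "$rel" ] || rel=etc/TADDMSec.properties
    printf '%s/%s\n' "$1" "$rel"
}

# check_keylength PROPS: succeed only for the two key lengths the page names.
# Treating an unset property as a failure is this example's choice, not TADDM behaviour.
check_keylength() {
    len=$(prop_value "$1" com.collation.security.algo.aes.keylength)
    case "$len" in
        128|256) printf '%s\n' "$len" ;;
        *) echo "keylength is '${len:-unset}', expected 128 or 256" >&2; return 1 ;;
    esac
}

# backup_key COLLATION_HOME PROPS BACKUP_DIR: owner-only copy, verified byte for byte.
backup_key() {
    src=$(key_path "$1" "$2")
    [ -f "$src" ] || { echo "key file not found: $src" >&2; return 1; }
    mkdir -p "$3" && chmod 700 "$3" || return 1
    dest="$3/$(basename "$src").$(date +%Y%m%d%H%M%S)"
    ( umask 077; cp "$src" "$dest" ) || return 1
    cmp -s "$src" "$dest" || { rm -f "$dest"; echo "backup mismatch" >&2; return 1; }
    printf '%s\n' "$dest"
}

# Usage (all three paths are caller-supplied): sh backup_key.sh COLLATION_HOME PROPS BACKUP_DIR
if [ "$#" -eq 3 ]; then backup_key "$1" "$2" "$3"; fi
```

Run it as the same non-root user that owns the TADDM installation, and keep the backup directory on storage separate from $COLLATION_HOME.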

Changing the TADDM encryption key in a domain server deployment

Note: TADDM does not support changing the encryption key after installation in a streaming server deployment or a synchronization server deployment.

To change the TADDM encryption key in a domain server deployment, use the bin/changekey.sh script (or the equivalent batch script file). This script migrates encrypted entries in the collation.properties and userdata.xml files and migrates access list entries that are stored in the database. To use the bin/changekey.sh script, ensure that you are logged in as the non-root user that was defined during installation.

You must restart TADDM after successful use of this script.

Format for running the script
./changekey.sh $COLLATION_HOME admin_user admin_password
Example
./changekey.sh /opt/IBM/taddm/dist administrator taddm