[8.5.5.18 or later]

Enabling a custom AES key manager

You can enable a custom Advanced Encryption Standard (AES) key manager to generate the key for AES password encryption. Enable a custom key manager only in the rare situations where the default key manager does not meet a specific key generation requirement.

Before you begin

Create a custom class for the AES key manager and put the JAR file that contains the custom class in the directory for the class path. For more information, see Creating a custom AES key manager.

About this task

You can use this procedure for both the client environment and the server environment to set the class name of the custom AES key manager in the passwordUtil properties files.

Procedure

  1. Start the wsadmin scripting tool.
  2. For the server environment, enable or modify AES password encryption.
    If AES password encryption is not enabled, set the class name on the -aesCustomKeyManager parameter of the enablePasswordEncryption command, as in the following example:
    $AdminTask enablePasswordEncryption {[-aesCustomKeyManager com.myco.crypto.key.MyAesKeyManager ]}
    If AES password encryption is enabled, set the class name on the -aesCustomKeyManager parameter of the modifyPasswordEncryption command, as in the following example:
    $AdminTask modifyPasswordEncryption {[-aesCustomKeyManager com.myco.crypto.key.MyAesKeyManager ]}
  3. For the server environment, synchronize the nodes to propagate the configuration change to them.
  4. For the server environment, restart the servers.
  5. Optional: For the client environment, enable or modify AES password encryption.
    If AES password encryption is not enabled, enable it as in the following example:
    • Set the class name on the -aesCustomKeyManager parameter of the enablePasswordEncryption command.
    • Set the -clientPropsLocation parameter to the location of the passwordUtil.properties file.
    $AdminTask enablePasswordEncryption {[-clientPropsLocation /usr/WAS/AppClient -aesCustomKeyManager com.myco.crypto.key.MyAesKeyManager ]}
    If AES password encryption is enabled, set the class name on the -aesCustomKeyManager parameter of the modifyPasswordEncryption command, as in the following example:
    $AdminTask modifyPasswordEncryption {[-clientPropsLocation /usr/WAS/AppClient -aesCustomKeyManager com.myco.crypto.key.MyAesKeyManager ]}
  6. Optional: For the client environment, put the modified passwordUtil.properties file in the location where the client environment is configured.

    For information about password encryption in the client environment, see Enabling AES password encryption for the client environment.