AES encryption

AES encryption can be used to encrypt any string within the gateway properties file. It is used by the gateway to prevent sensitive data from being available in readable format in the gateway properties file.

Note: AES encryption is supported on all supported versions of Tivoli® Netcool/OMNIbus on all UNIX and Linux operating systems.

nco_aes_crypt

You can encrypt strings in the gateway properties file using the nco_aes_crypt tool (supplied with Tivoli Netcool/OMNIbus). The syntax of encrypted data is as follows:
@datalength:encrypted_data@

Where datalength is the length, in bytes and expressed as a decimal, of the data that follows, and the data itself is base64 encoded (in the example below, 64 is the length of the encoded string). The at sign (@) marks the start and end of the encrypted data definition, and the colon (:) acts as a field separator.

The encrypted values appear in single quotes in the properties file. The following example shows the server password in encrypted format for the Gate.Remedy.Password property in the G_bmc_remedy_v9.props file:
# Remedy gateway specific properties
.
.
.
Gate.Remedy.Password  : '@64:lHBLuIPLNye8zCWhykFVFY7y90V9kCjGK5GSWu5VBdSlgQOqarq6T4UK4xk5Vqix@'
.
.
.
Note: You can obtain the nco_aes_crypt tool from the IBM Passport Advantage website: http://www-306.ibm.com/software/howtobuy/passportadvantage/pao_customers.htm. Access the Software Downloads section and search for Netcool/OMNIbus Gateway configuration encryption library.

Using the nco_aes_crypt tool

Property values that are to be held in encrypted form in the properties file must be encrypted using the nco_aes_crypt tool.

This is a command line tool which takes the following format:
nco_aes_crypt [-d] [-o outfile] [-c cipher] -k keyfile -f filename
nco_aes_crypt [-d] [-o outfile] [-c cipher] -k keyfile data 

The output of this command will be the encrypted string to be used in the properties file.

The following table describes the options available with nco_aes_crypt:

Table 1. nco_aes_crypt command line options

Command line option   Description

-d                    Use this option to specify the mode in which the nco_aes_crypt tool runs: d - decrypt mode. The default is encrypt mode.

-o string             Use this option to specify the output file to which the encrypted or decrypted data will be written.

-c string             Use this option to specify the cipher to use:
                        • AES - Specifies the non-FIPS cipher.
                        • AES_FIPS - Specifies the FIPS cipher.
                      The default is AES (non-FIPS).

-k string             Use this option to specify the path of the file containing the key data. This option is mandatory.

-f string             Use this option to specify the path of the file containing data requiring encryption or decryption.

data                  Use this option to specify the data to be encrypted or decrypted.

Encryption key file

The encryption key is stored in a flat file alongside the encrypted data. The key storage file has an ASCII numeric key length indicator followed by a colon and the key in binary form.

The format of the key file is as follows:
key_length:key_data
Where key_length is the length of the key in bits and the key_data is the key in binary form. Valid length values are 128, 192 and 256.
For example:
128:1234567812345678
In this case, key_length is 128 since the ASCII string 1234567812345678 has 16 bytes (128 bits).
You can generate random or pre-defined keys of varying lengths using nco_keygen. To generate a key file, use the following command:
nco_keygen -o outfile [-l length|-k key] [-h] [-?]
The following table describes the nco_keygen command line options.

Table 2. Encryption key file command line options

Command line option   Description

-o outfile            Use this option to specify the output file name.

-l length             Use this option to specify the length (in bits) of the key to write out. The default is 128.
                      Note: The value that you specify must be divisible by 8.

-k key                Use this option to specify the key to be written out, expressed as hex digits.
                      Note: This option bypasses automatic key generation.

-h | -?               Use this option to print the help information and exit.

Note: AES encryption is used as the initial encryption method for sensitive data. However, this does not mean that the data can be considered to be secure purely due to AES encryption; the security of the data depends on the restriction of access to the key file used for AES encryption. Access to this file is controlled using UNIX or Windows file permissions.
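Because the note above makes the protection depend on who can read the key file, a useful check is to parse the key_length:key_data layout described in this section and confirm that nothing but the owner can access the file. The following Python script is an added example, not code from IBM or from the nco_keygen tool: parse_key_file applies the documented rules (ASCII decimal bit count, colon, raw key bytes, valid lengths 128, 192 and 256), permission_findings flags group or world access, and write_key_file and self_check are hypothetical helpers that create constructed sample files in a temporary directory.

```python
import os
import stat
import tempfile

# Key lengths the documentation lists as valid for the key file.
VALID_KEY_BITS = (128, 192, 256)


def parse_key_file(data: bytes):
    """Parse the documented 'key_length:key_data' layout.

    key_length is an ASCII decimal bit count, key_data is the raw key bytes.
    Returns (bits, key_bytes); raises ValueError on any inconsistency.
    """
    head, sep, key = data.partition(b":")
    if not sep:
        raise ValueError("no ':' separator between key_length and key_data")
    if not head.isdigit():
        raise ValueError("key_length is not an ASCII decimal number")
    bits = int(head)
    if bits not in VALID_KEY_BITS:
        raise ValueError(f"key_length {bits} is not one of {VALID_KEY_BITS}")
    # A trailing newline added by a text editor counts as key bytes here and is
    # reported as a length mismatch rather than silently stripped.
    if len(key) * 8 != bits:
        raise ValueError(f"key_length says {bits} bits but key_data is {len(key)} bytes")
    return bits, key


def permission_findings(st_mode: int, path: str):
    """Flag a key file that group or others can read, write or execute."""
    findings = []
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: accessible by group/others ({stat.filemode(st_mode)})")
    return findings


def check_key_file(path: str):
    """Return findings for the key file at path; an empty list means it parses
    and only its owner can access it."""
    st = os.stat(path)
    findings = permission_findings(st.st_mode, path)
    with open(path, "rb") as fh:
        data = fh.read()
    try:
        parse_key_file(data)
    except ValueError as exc:
        findings.append(f"{path}: {exc}")
    return findings


def write_key_file(path: str, key: bytes):
    """Hypothetical helper (not nco_keygen): write the documented layout, owner-only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"%d:" % (len(key) * 8) + key)


def self_check():
    """Exercise the checks on constructed files in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good.key")
        # Constructed key: the documentation's own 16-byte (128-bit) example.
        write_key_file(good, b"1234567812345678")
        results["good"] = check_key_file(good)

        short = os.path.join(tmp, "short.key")
        write_key_file(short, b"tooshort")       # 64 bits: not a valid AES key length
        results["short"] = check_key_file(short)

        leaky = os.path.join(tmp, "leaky.key")
        write_key_file(leaky, os.urandom(32))    # valid 256-bit key...
        os.chmod(leaky, 0o644)                   # ...but readable by group and others
        results["leaky"] = check_key_file(leaky)
    return results


if __name__ == "__main__":
    for name, findings in self_check().items():
        print(name, findings or "ok")
```

The parser deliberately refuses a file whose byte count does not match the declared bit length, which is the usual symptom of a key file edited by hand or created with a trailing newline. The permission check only inspects the mode bits; on a host where the key file is on a shared or exported filesystem, the same question has to be asked of that filesystem's access controls as well.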

Using encrypted data

To use encrypted data, you set the ConfigKeyFile property in the G_bmc_remedy_v9.props file to the path of the file that contains the encryption key. For example:

# Generic Omnibus Properties
#
ConfigKeyFile : 'key_file_path'
.
.
.
Where key_file_path is the path to the file containing the encryption key.

Running the ObjectServer in a secure mode

When the gateway connects to the ObjectServer running in secure mode, it needs to authenticate with a username and password. This username and password can be encrypted using the nco_aes_crypt tool.

To enable the encryption, the location of the key file must be specified using the ConfigKeyFile property in the G_bmc_remedy_v9.props file, as described previously. You also need to specify the encrypted username and password required for authentication using the Gate.RdrWtr.Username and Gate.RdrWtr.Password properties in the G_bmc_remedy_v9.props file.

The following example shows the three fields that need to be specified in the G_bmc_remedy_v9.props file when the ObjectServer runs in a secure mode:
# Generic Omnibus Properties
#
ConfigKeyFile  : '/HOME/74/solaris/omnibus/keyfile_name'
.
.
.
# Gateway Framework properties
.
.
.
Gate.RdrWtr.Password   : '@44:mdyEb8VTh+2wALnNlR7dnGnxRZ3BkMOQbR5IgxLlHuc=@'
.
.
.
Gate.RdrWtr.Username  : '@44:2yXgd6fp9q1Ey4sSAb2RibzA3+PpCZmhAZXo6nNdkvQ=@'
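The two rules this page lays down for the properties file, the '@datalength:encrypted_data@' value syntax from the nco_aes_crypt section and the requirement that ConfigKeyFile name the key file whenever such values are present, can be checked mechanically before the gateway is started. The following Python script is an added example, not code from IBM or from the gateway: parse_encrypted_value verifies a value against the documented syntax (datalength matching the base64 text, as in the 64- and 44-byte examples above) and decodes it, format_encrypted_value is its inverse, and audit_properties applies the file-level rules from the "Using encrypted data" and secure-mode sections. SAMPLE_PROPS is constructed from this page's own example values; BROKEN_PROPS drops ConfigKeyFile and mis-states one length.

```python
import base64
import binascii
import re

# Encrypted value as written into the properties file: '@datalength:encrypted_data@'
ENCRYPTED_RE = re.compile(r"^'@(\d+):([A-Za-z0-9+/=]+)@'$")


def parse_encrypted_value(value: str):
    """Return (declared_length, ciphertext_bytes) for a well-formed encrypted value.

    Raises ValueError when the field is not in the documented syntax, when the
    declared length disagrees with the base64 text it wraps, or when the base64
    does not decode. It does not decrypt anything: the cipher parameters used by
    nco_aes_crypt are not part of this page.
    """
    m = ENCRYPTED_RE.match(value.strip())
    if not m:
        raise ValueError("not in '@datalength:encrypted_data@' form")
    declared, encoded = int(m.group(1)), m.group(2)
    if declared != len(encoded):
        raise ValueError(f"datalength {declared} but encoded data is {len(encoded)} bytes")
    try:
        raw = base64.b64decode(encoded, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"invalid base64: {exc}") from None
    return declared, raw


def format_encrypted_value(ciphertext: bytes) -> str:
    """Inverse of parse_encrypted_value: wrap raw ciphertext in the documented syntax."""
    encoded = base64.b64encode(ciphertext).decode("ascii")
    return f"'@{len(encoded)}:{encoded}@'"


def parse_properties(text: str):
    """Minimal 'Name : value' reader for the props file; comments and blanks are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        props[name.strip()] = value.strip()
    return props


def audit_properties(text: str):
    """Return a list of findings; an empty list means the file is consistent.

    - every value written as '@...@' must parse as an encrypted value;
    - any encrypted value requires ConfigKeyFile to point at the key file;
    - Gate.RdrWtr.Username and Gate.RdrWtr.Password are expected together,
      as in the secure-mode example.
    """
    props = parse_properties(text)
    findings, encrypted = [], []
    for name, value in props.items():
        if value.startswith("'@"):
            try:
                parse_encrypted_value(value)
                encrypted.append(name)
            except ValueError as exc:
                findings.append(f"{name}: {exc}")
    if encrypted and not props.get("ConfigKeyFile", "").strip("'"):
        findings.append("encrypted values present but ConfigKeyFile is not set: " + ", ".join(encrypted))
    creds = {"Gate.RdrWtr.Username", "Gate.RdrWtr.Password"}
    present = creds & set(props)
    if present and present != creds:
        findings.append("only one of Gate.RdrWtr.Username / Gate.RdrWtr.Password is set")
    return findings


# Constructed sample assembled from this page's example values.
SAMPLE_PROPS = """\
# Generic Omnibus Properties
#
ConfigKeyFile  : '/HOME/74/solaris/omnibus/keyfile_name'
# Remedy gateway specific properties
Gate.Remedy.Password  : '@64:lHBLuIPLNye8zCWhykFVFY7y90V9kCjGK5GSWu5VBdSlgQOqarq6T4UK4xk5Vqix@'
# Gateway Framework properties
Gate.RdrWtr.Password   : '@44:mdyEb8VTh+2wALnNlR7dnGnxRZ3BkMOQbR5IgxLlHuc=@'
Gate.RdrWtr.Username  : '@44:2yXgd6fp9q1Ey4sSAb2RibzA3+PpCZmhAZXo6nNdkvQ=@'
"""

# Constructed counter-example: no ConfigKeyFile, and one datalength of 40 for a 44-byte field.
BROKEN_PROPS = """\
Gate.Remedy.Password  : '@64:lHBLuIPLNye8zCWhykFVFY7y90V9kCjGK5GSWu5VBdSlgQOqarq6T4UK4xk5Vqix@'
Gate.RdrWtr.Password   : '@40:mdyEb8VTh+2wALnNlR7dnGnxRZ3BkMOQbR5IgxLlHuc=@'
Gate.RdrWtr.Username  : '@44:2yXgd6fp9q1Ey4sSAb2RibzA3+PpCZmhAZXo6nNdkvQ=@'
"""

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_PROPS), ("broken", BROKEN_PROPS)):
        print(label, audit_properties(text) or "ok")
```

A length mismatch or undecodable base64 is worth catching at deployment time because the gateway will otherwise fail to read the credential only when it first connects. The audit says nothing about the strength of the encryption itself; as the key file note states, that rests on who can read the file named in ConfigKeyFile.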