Run the TM1Crypt utility

The TM1Crypt utility (tm1crypt.exe) is a command prompt that encrypts the password that the IBM® TM1® Server needs to access the private key. The utility can be used to convert a model or a file.

The password is encrypted with Advanced Encryption Standard, 256 bit, Cipher Block Chaining (AES-256-CBC).

Location

The TM1Crypt utility, tm1crypt.exe, is installed in the directory:

PA_install_directory\bin64

Syntax

Run the TM1Crypt utility from a command prompt with the following syntax:

tm1crypt.exe [<cmd_parm> <connect_parm> <password_parm>]

You can provide parameters with constant values in a configuration file when you run tm1crypt.

Command parameters

Table 1. TM1Crypt command parameters
Parameter	Value	Description
`i`	`filespec`	Name of the file that contains default configuration parameters. Parameters specified in this file are used, unless overridden by parameters provided on the command prompt. If no path is specified, the TM1 Server directory is assumed. If `-i` is not specified, then other parameters must be specified to provide the process name, TM1 Server, and so on.
`connect`	`string`	This parameter can be used to specify a section in the configuration file that contains parameters used to make server connections, such as user, pwd, or CAMnamespace.
`logpath`	`string`	Enables logging and specifies location of log.
`action`	`string`	1 [default] - Generate encrypted password and key file 2 - Encrypt server model 3 - Decrypt server model 4 - Encrypt file using server key 5 - Decrypt file using server key 6 - Rotate server key
`keyfile`	`string`	Name of the file generated containing key. If no `keyfile` is specified the default is tm1key.dat.
`outfile`	`string`	Name of file generated encrypted password. If no `outfile` is specified the default is tm1cipher.dat.
`filesrc`	`string`	Source file to perform conversion. Source is replaced with converted data unless file destination is provided.
`filedest`	`string`	Source file to perform conversion. Source is replaced with converted data unless file destination is provided.
`filetype`	`string`	1 [default] - TM1 object file 2 - Transaction log 3 - Audit log
`minsbeforeshutdown`		Time before performing a shutdown when encrypting or decrypting a server model.
`validate`		Validate key file.
`help`		Display help documentation including parameters and descriptions.
`?`		Display a synopsis of command line parameters.

Connect Parameters

Connect parameters are common across TM1 components and can be defined in their own section of a configuration file to reuse them.

Table 2. TM1Crypt connect parameters
Parameter	Value	Description
`-adminhost`	`string`	TM1 admin host
`-server`	`string`	TM1 Server name
`-user`	`string`	TM1 or Cognos Access Manager (CAM) username, depending on the type of authentication that is used by the TM1 Server.
`-securitymode`		Security mode used to connect to the TM1 Server. The mode must match the value in the TM1 Server configuration file.
`-retryattempts`		Number of attempts to connect to the TM1 Server.
`-retryinterval`		Time in seconds to retry connection to the TM1 Server.
`-keystorefile`	`filespec`	The full path of the key database file that contains the trusted certificate authorities.
`-keystashfile`	`filespec`	The full path of the file that contains the password that is used to access the key database file.
`-FIPSOperationMode`	`1\|2\|3`	Indicates FIPS mode of operation. FIPS_MODE = 1 (default) FIPS_APPROVED = 2 FIPS_NONE = 3
`CAMNamespace`	`id`	The ID of the Cognos Access Manager (CAM) namespace. This parameter is the namespace ID, not the namespace name.

Password Parameters

Passwords are either prompted for on the command line or supplied by using an encrypted file provided by the passwordfile parameter.

Table 3. TM1Crypt password parameters
Parameter	Value	Description
`pwd`	`string`	Password for the `username` given in the `-user` parameter, in clear text. For greater security, the password can be specified in an encrypted file using the `-passwordfile` parameter. This parameter is ignored on the command line. You are prompted for the password.
`passwordfile`	`filespec`	Filename of the file containing the encrypted password for the user specified by `-user`. If no path is specified, the TM1 Server directory will be assumed. When this option is used, you cannot use `-pwd`.
-`passwordkeyfile`	`filespec`	If the `passwordfile` parameter is given, a key file is also required to decrypt the password. The password file and key file can be created using the TM1Crypt tool.

Example

For example, the command

tm1crypt.exe -keyfile btkey.dat -outfile btprk.dat -validate

Generates two files:

btkey.dat contains the key that is used to encrypt/decrypt the password for the private key.
btprk.dat contains the encrypted password for the private key.

The generated files are written to the PA_install_directory\bin directory.

Note: The use of the pwd parameter on the command line does not display an error but the pwd parameter is ignored. You are prompted for the password and must verify it.

TM1Crypt configuration file

[tm1crypt]
#connect=ConnectParams
#retryattempts=3
#retryinterval=3

### Actions ###
##1 – OPERATION_CRYPT_PWD 
##2 - OPERATION_ENCRYPT_MODEL
##3 - OPERATION_DECRYPT_MODEL
##4 - OPERATION_ENCRYPT_FILE
##5 - OPERATION_DECRYPT_FILE
##6 - OPERATION_ROTATE_KEY
###
#action=

### File Types
##1 - Object File //default
##2 - Transaction Log
##3 - Audit Log
###
#filetype=

### Valid path for logs files
#logpath=

### Path to file source and destination 
#filesrc=
#filedest=

#adminhost=
#server=
#user=
#pwd=
#camnamespace=

[Connect - ConnectParams]
#adminhost=
#server=
#user=
#pwd=
#camnamespace=
#passwordfile=
#passwordkeyfile=