

Change the Symmetric Encryption Method

Symmetric encryption protects communication between CA ControlMinder components and is implemented by encryption libraries. You use the sechkey utility to change the encryption library, and therefore change the symmetric encryption method.

You must have the ADMIN attribute to use sechkey.

Note: If CA ControlMinder is operating in FIPS-only mode, you cannot change the symmetric encryption method. CA ControlMinder operates in FIPS-only mode when the value of the fips_only configuration token in the crypto section is 1. This restriction prevents you from changing the encryption method to a non-FIPS compliant method.

Important! To avoid communication problems, use the same encryption method on all computers that run CA ControlMinder components.

To change the symmetric encryption method

  1. Stop CA ControlMinder.

    If you are changing the encryption settings on a CA ControlMinder Enterprise Management server, also stop the CA ControlMinder Web Service.

  2. Use the sechkey utility to change the symmetric encryption method.
  3. Start CA ControlMinder.

    If you are changing the encryption settings on a CA ControlMinder Enterprise Management server, also start the CA ControlMinder Web Service.

    CA ControlMinder starts and encrypts communication with the new encryption method.

Example: Change the Symmetric Encryption Method to 3DES

The following command changes the symmetric encryption method to 3DES:

sechkey -m -sym tripledes

Note: For more information about the sechkey utility, see the Reference Guide.
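
The FIPS-only restriction described in the first note can be checked before running step 2 of the procedure. The following script is an added example, not part of the CA ControlMinder documentation: it assumes the configuration tokens can be read from an INI-style text file, and the file path argument, the function names, and the SECHKEY override variable are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight guard for "sechkey -m -sym <method>".
# Assumption: configuration tokens live in an INI-style text file
# ([section] headers, "token = value" lines, ';' or '#' comments).

SECHKEY=${SECHKEY:-sechkey}   # hypothetical override, e.g. SECHKEY=echo for a dry run

# Print the value of token $3 in section $2 of file $1 (empty if absent).
get_token() {
    awk -v sec="$2" -v tok="$3" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ {
            name = $0
            sub(/^[ \t]*\[[ \t]*/, "", name); sub(/[ \t]*\].*$/, "", name)
            in_sec = (tolower(name) == tolower(sec))
            next
        }
        in_sec {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (tolower(key) == tolower(tok)) found = val
        }
        END { print found }
    ' "$1"
}

# Return 0 when fips_only = 1 in the crypto section.
fips_only_enabled() {
    [ "$(get_token "$1" crypto fips_only)" = "1" ]
}

# Refuse in FIPS-only mode; otherwise run: sechkey -m -sym <method>
change_sym_method() {
    conf=$1 method=$2
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    if fips_only_enabled "$conf"; then
        echo "fips_only=1: symmetric method cannot be changed" >&2
        return 1
    fi
    # CA ControlMinder must already be stopped (step 1 of the procedure).
    "$SECHKEY" -m -sym "$method"
}
```

Call `change_sym_method <config-file> tripledes` between stopping and starting CA ControlMinder, and run the same method on every computer that hosts a component.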

More information:

sechkey Utility—Change the Symmetric Encryption Method