

Encrypt Passwords in AES Encryption Method

In CA ControlMinder r12.0 SP1, passwords were encrypted using the RC2 encryption method. In CA ControlMinder r12.5 SP1, the password encryption method was changed to AES. Therefore, passwords that were encrypted using the RC2 encryption method do not work in newer versions of CA ControlMinder. To solve this problem, you encrypt the existing passwords in AES after you upgrade from CA ControlMinder r12.0 SP1.

Follow these steps:

  1. Stop all the CA ControlMinder services.
  2. Do the following:
    1. Connect to the Enterprise Management Server database as a user with read and write access privileges.
    2. Run the following query to remove the password that CA ControlMinder Enterprise Management uses to connect to the user store:
      update IM_DIR_CONNECTION set password=null where connection_name='java:/userstore';
      
  3. Encrypt all the passwords in the database using the pwdtools utility.

    For each entry in the tblusers table, replace the password with the encrypted password that you generate.

  4. Remove the DMS settings from the connection table. Run the following query:
    DELETE FROM connection WHERE connection_name='con1';
    
  5. Start all CA ControlMinder services.
  6. Configure the DMS connection settings in CA ControlMinder Enterprise Management.

    Note: For more information about the DMS connection settings, see the Online Help.

Example: Encrypt passwords using the pwdtools utility

This example shows you how to encrypt a user password in AES encryption mode using the pwdtools utility and set the encrypted password in the Enterprise Management Server database.

  1. Open the pwdtool.bat for editing. The file is located in the following directory, where ACServerInstallDir is the directory where the Enterprise Management Server is installed:
    ACServerInstallDir/IAM_Suite/Access_Control/tools/PasswordTool/
    
  2. Enter the JAVA_HOME path in the "::SET JAVA_HOME=<enter valid java home here>" token. For example:
    SET JAVA_HOME=C:\jdk1.5.0
    
  3. From a command-line window, run the following command, where password is the clear text password and JBOSS_HOME is the directory where JBoss is installed:
    pwdtools -FIPS -p "<password>" -k JBOSS_HOME\server\default\deploy\IdentityMinder.ear\config\com\netegrity\config\keys\FIPSkey.dat
    

    The encrypted password is displayed. Copy the password to the clipboard.

  4. Connect to the Enterprise Management Server as a user with read and write access rights to the database.
  5. Run the following query, where encrypted password is the encrypted password that you previously copied to the clipboard and username is the name of the user account:
    update tblusers set password = '<encrypted password>' where loginid='<username>';
    

You have set the account password with an encrypted password.