|
|
|
The FIPS-compliant password tool utility, pwdtools.bat (or pwdtools.sh), can generate the encryption key during CA Identity Manager installation, from the command line.
Before using the password tool, edit the pwdtools.bat/pwdtools.sh file and set the JAVA_HOME variable as required.
Important! Because CA Identity Manager does not support data migration or re-encryption, you should not change encryption keys after installation.
This command has the following syntax:
pwdtools -[FIPSKEY|JSAFE|FIPS] -p [plain text] -k [key file location]
Encrypt a plain text value using non-FIPS algorithm.
Example:
pwdtools -JSAFE –p mypassword
Create a FIPS key file required by the installer. You generate the key before installing CA Identity Manager.
Example:
pwdtools -FIPSKEY –k C:\keypath\FIPSkey.dat
Where keypath is the full path to the location where you want the FIPS key to be stored.
The password tool creates the FIPS key in the location specified. During installation, you provide the location of the FIPS key file to the installer.
Note: Be sure to secure the key by setting the directory access permissions for specific group or user types, such as the user who is authorized to run CA Identity Manager.
Encrypt a plain text value using a FIPS key file. This uses the existing FIPS key file.
Example:
pwdtools -FIPS –p firewall -k C:\keypath\FIPSkey.dat
Where keypath is the full path to the FIPS key directory.
Note: Use the same FIPS key file that you specified during installation.
Important! Because Identity Manager uses the FIPS key file to check whether the application is to start in FIPS mode or non-FIPS mode, the key file must be named FIPSKey.dat with the following application server deployment path:
IdentityMinder.ear\config\com\netegrity\config\keys\FIPSkey.dat
where IdentityMinder.ear is in the application server deployment directory, for example:
jboss_home\server\default\deploy
| Copyright © 2010 CA. All rights reserved. | Email CA about this topic |