

The Password Tool

The FIPS-compliant password tool utility, pwdtools.bat (or pwdtools.sh), can generate the encryption key during CA Identity Manager installation, from the command line.

Before using the password tool, edit pwdtools.bat (or pwdtools.sh) and set the JAVA_HOME variable as required.

Important! CA Identity Manager does not support data migration or reencryption. Therefore, ensure that the encryption keys are not changed after installation.

This command has the following syntax:

pwdtools -{FIPSKEY|JSAFE|FIPS|RC2} -p <plain text> [-k <key file location>] [-f <encrypting parameters file>]

JSAFE

Encrypt a plain text value using the PBE algorithm.

Example:

pwdtools -JSAFE -p mypassword

Note: In earlier versions, the password for the bootstrap administrator is stored in clear text. If you are upgrading or migrating to CA Identity Manager r12.6 SP1 or above, you must manually encrypt the clear text password. Specify the JSAFE option when using the tool and follow these steps:

  1. After upgrading or migrating to CA Identity Manager r12.6 SP1 or above, go to the CA Identity Manager object store database and search for the following table:
     IM_AUTH_USER
  2. Encrypt the clear text password using the password tool with the JSAFE option.
  3. Replace the clear text password in the table with the encrypted value.

FIPSKEY

Create a FIPS key file for the installer. You generate the key before installing CA Identity Manager.

Example:

pwdtools -FIPSKEY -k C:\keypath\FIPSkey.dat

Where keypath is the full path to the location where you want to store the FIPS key.

The password tool creates the FIPS key in the location specified. During installation, you provide the location of the FIPS key file to the installer.

Note: Be sure to secure the key by setting the directory access permissions for specific group or user types, such as the user who is authorized to run CA Identity Manager.

FIPS

Encrypt a plain text value using the existing FIPS key file.

Example:

pwdtools -FIPS -p firewall -k C:\keypath\FIPSkey.dat

Where keypath is the full path to the FIPS key directory.

Note: Use the same FIPS key file that you specified during installation.

RC2

Encrypt a plain text value using the RC2 algorithm.

Important! CA Identity Manager uses the FIPS key file to determine whether the application starts in FIPS mode or in non-FIPS mode. Therefore, ensure that the key file is named FIPSkey.dat and is located at the following application server deployment path:

iam_im.ear\config\com\netegrity\config\keys\FIPSkey.dat

where iam_im.ear is in the application server deployment directory, for example:

jboss_home\server\default\deploy
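The two requirements above, the exact file name under the deployment path and restricted access to the key directory, can be checked before starting the application or running pwdtools -FIPS. The following script is an added example, not part of the CA documentation or product; it assumes the extracted iam_im.ear directory is passed as its argument and that the path layout is the one stated above.

```shell
#!/bin/sh
# Added pre-flight check (not CA's code): confirm the FIPS key file is deployed
# under the exact name the application looks for, and that neither the key file
# nor its directory grants any permission to group or other.
# Assumption: $1 is the extracted iam_im.ear directory.

# Path stated in the documentation, relative to iam_im.ear (case matters on Linux).
KEY_REL_PATH="config/com/netegrity/config/keys/FIPSkey.dat"

# Returns 0 when all checks pass; otherwise prints findings and returns 1.
check_fips_key() {
    ear_dir="$1"
    key="$ear_dir/$KEY_REL_PATH"
    keydir=$(dirname "$key")
    status=0

    if [ ! -f "$key" ]; then
        echo "MISSING: $key"
        # A wrong-case copy (for example FIPSKey.dat) is not found by the
        # application on a case-sensitive file system; point it out.
        for f in "$keydir"/*; do
            case "$f" in
                */[Ff][Ii][Pp][Ss][Kk][Ee][Yy].dat) echo "  case variant present: $f" ;;
            esac
        done
        status=1
    fi

    # Columns 5-10 of 'ls -l' output are the group and other permission bits.
    for p in "$keydir" "$key"; do
        [ -e "$p" ] || continue
        bits=$(ls -ld "$p" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "TOO OPEN: $p (group/other bits: $bits)"
            status=1
        fi
    done

    [ "$status" -eq 0 ] && echo "OK: $key"
    return "$status"
}

# Usage: check_fips_key /path/to/jboss_home/server/default/deploy/iam_im.ear
```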