The FIPS-compliant password tool, pwdtools.bat (Windows) or pwdtools.sh (UNIX), generates the encryption key from the command line during CA IdentityMinder installation.
Before using the password tool, edit pwdtools.bat or pwdtools.sh and set the JAVA_HOME variable as required.
Important! CA IdentityMinder does not support data migration or reencryption. Therefore, make sure that the encryption keys are not changed after installation.
This command has the following syntax:
pwdtools -{FIPSKEY|JSAFE|FIPS|RC2} -p <plain text> [-k <key file location>] [-f <encrypting parameters file>]
-JSAFE
Encrypt a plain text value using the PBE algorithm.
Example:
pwdtools -JSAFE -p mypassword
-FIPSKEY
Create the FIPS key file for the installer. You generate the key before installing CA IdentityMinder.
Example:
pwdtools -FIPSKEY -k C:\keypath\FIPSkey.dat
Where keypath is the full path to the directory in which you want to store the FIPS key.
The password tool creates the FIPS key in the specified location. During installation, you provide the location of the FIPS key file to the installer.
Note: Secure the key by restricting the directory access permissions to specific groups or users, such as the user who is authorized to run CA IdentityMinder.
-FIPS
Encrypt a plain text value using an existing FIPS key file.
Example:
pwdtools -FIPS -p firewall -k C:\keypath\FIPSkey.dat
Where keypath is the full path to the FIPS key directory.
Note: Use the same FIPS key file that you specified during installation.
-RC2
Encrypt a plain text value using the RC2 algorithm.
Important! CA IdentityMinder uses the presence of the FIPS key file to decide whether the application starts in FIPS mode or in non-FIPS mode. Therefore, make sure that the key file is named FIPSkey.dat and is located at the following application server deployment path:
iam_im.ear\config\com\netegrity\config\keys\FIPSkey.dat
where iam_im.ear is in the application server deployment directory, for example:
jboss_home\server\default\deploy
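The two notes above (restrict access to the key directory; keep the file name FIPSkey.dat so the application starts in FIPS mode) are easy to get wrong after the key has been generated. The following POSIX shell functions are an added example for UNIX deployments and are not part of the CA IdentityMinder documentation or the pwdtools utility: lock_down_fips_key removes group and world access from a key file and its directory, and check_fips_key verifies the name and permissions. The file and directory paths in the usage note are assumptions.

```shell
#!/bin/sh
# Added example, not CA's code. Helpers for a FIPS key file created with
# "pwdtools -FIPSKEY -k <path>" on UNIX. Paths used by callers are assumptions.

# mode_of PATH: print the octal permission bits (GNU stat first, BSD/macOS fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# lock_down_fips_key FILE: owner-only access to the key file and its directory,
# which is what the Note on securing the key asks for.
lock_down_fips_key() {
    chmod 700 "$(dirname "$1")" && chmod 600 "$1"
}

# check_fips_key FILE: returns 0 when FILE exists, is named FIPSkey.dat (the
# name CA IdentityMinder looks for to enter FIPS mode), and neither the file
# nor its directory grants any permission to group or others.
check_fips_key() {
    keyfile=$1
    keydir=$(dirname "$keyfile")
    if [ ! -f "$keyfile" ]; then
        echo "missing key file: $keyfile" >&2; return 1
    fi
    if [ "$(basename "$keyfile")" != "FIPSkey.dat" ]; then
        echo "key file must be named FIPSkey.dat: $keyfile" >&2; return 1
    fi
    fmode=$(mode_of "$keyfile")
    dmode=$(mode_of "$keydir")
    # The last two octal digits are group and other; both must be 0.
    case "$fmode" in
        *00) ;;
        *) echo "key file $keyfile is group/world accessible (mode $fmode)" >&2; return 1 ;;
    esac
    case "$dmode" in
        *00) ;;
        *) echo "key directory $keydir is group/world accessible (mode $dmode)" >&2; return 1 ;;
    esac
    return 0
}
```

Typical use after generating the key, with an assumed path: `lock_down_fips_key /opt/im/keys/FIPSkey.dat && check_fips_key /opt/im/keys/FIPSkey.dat`. Run the check as the user who will start CA IdentityMinder, so that owner-only permissions still allow the application to read the key.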
Copyright © 2013 CA.
All rights reserved.