Sentinel: Changing encryption key in iSCALE

  • 3330550
  • 03-Nov-2006
  • 26-Apr-2012

Environment

Windows 2000 sp4; 2003 sp1
Solaris 9
Redhat Linux ES 3
Sentinel 5.1.x

Situation

Changing encryption key in iSCALE
Making changes to the Communication Layer (iSCALE)

Resolution

Making Changes to the Communication Layer (iSCALE)

The communication layer (iSCALE) connecting all components of the architecture is encrypted. Communication between all parts is an encrypted TCP/IP based connection. By default this communication is encrypted using AES 256 bit. ARC4 is available for use.

Change the encryption method and the key using keymgr. The program generates a file in the lib directory of a Sentinel installation ($ESEC_HOME/lib or %ESEC_HOME%\lib) called .keystore. This file must be copied to each machine that has an e-Security component installed.

Best pratices recommends that the default security key be changed to provide unique encryption and authentication parameters.

NOTE: If using Advisor, a change to the Advisor Password is required. Even if the password has not changed.

Making key changes or enable other encryption methods

  1. For Solaris, login as esecadm. For Windows, login as a user with administrative rights.
  2. cd to:

For Windows:

%ESEC_HOME%\lib

For Solaris:

$ESEC_HOME/lib

  1. Run the following script:

java –jar keymgr.jar --keyalgo --keysize 256

This will allow you to set your encryption method. A file called .keystore will be created in the lib directory.

NOTE: Another method of executing this command is:

java -cp keymgr.jar;bcprov-jdk14-118.jar com.esecurity.system.KeyManager --keyalgo--keysize 256

4.Copy .keystore to each machine with a Sentinel component installed. The file should be copied to:

For Windows:

%ESEC_HOME%

For Solaris:

$ESEC_HOME

5.If the Sentinel environment is set for Windows Authentication, skip this step.

§On the machine where DAS is installed, cd to:

%ESEC_HOME%\sentinel\config

§run the following commands:

For Windows:

dbconfig.bat -a . -p

For Solaris:

dbconfig -a . -p

§Restart all services for .keystore to be reloaded.

NOTE: For more information about the dbconfig command, go the Sentinel Reference User's Guide – Sentinel Data Access Service.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.