Available from 9.2.9. To improve the security of the encryption of the password to the SAP Metric Data Collector, you can change the default secret key or the default password to the SAP Metric Data Collector keystore. These two procedures are independent. You can change the secret key, the keystore password, or both, depending on your needs.
Before you begin
Contact BigFix Support to obtain the current password to the SAP Metric Data Collector keystore.
Procedure
- To substitute the default secret key with a custom one, perform the following steps.
  Important: To run each of the following commands, provide the current password for the SAP Metric Data Collector keystore. You can obtain the default password from BigFix Support. If you already changed it, use the custom password that you set up.
  - To remove the default secret key, run the following command.
    - "/var/opt/BESClient/LMT/SAPTOOL/java/jre/bin/keytool" -delete -keystore "/var/opt/BESClient/LMT/SAPTOOL/keydb/keys.jceks" -storetype JCEKS -alias bigfixsaptoolcustomkey
    - "C:\Program Files (x86)\BigFix Enterprise\BES Client\LMT\SAPTOOL\java\jre\bin\keytool.exe" -delete -keystore "C:\Program Files (x86)\BigFix Enterprise\BES Client\LMT\SAPTOOL\keydb\keys.jceks" -storetype JCEKS -alias bigfixsaptoolcustomkey
  - To create a custom secret key, run the following command.
    Important: During the creation of the new secret key, you are asked to provide its password. Specify the same password as the password for the SAP Metric Data Collector keystore. If you did not change the keystore password, provide the one that you obtained from BigFix Support. Otherwise, provide your custom password for the SAP Metric Data Collector keystore.
    - "/var/opt/BESClient/LMT/SAPTOOL/java/jre/bin/keytool" -genseckey -keystore "/var/opt/BESClient/LMT/SAPTOOL/keydb/keys.jceks" -storetype JCEKS -keyalg AES -keysize 128 -alias bigfixsaptoolcustomkey
    - "C:\Program Files (x86)\BigFix Enterprise\BES Client\LMT\SAPTOOL\java\jre\bin\keytool.exe" -genseckey -keystore "C:\Program Files (x86)\BigFix Enterprise\BES Client\LMT\SAPTOOL\keydb\keys.jceks" -storetype JCEKS -keyalg AES -keysize 128 -alias bigfixsaptoolcustomkey
    Where:
    - -keyalg
      Is the algorithm used to encrypt the secret key. Only AES is supported.
    - -keysize
      Is the size of the secret key. The default size is 128 bits. To use a longer key, set up the Java JCE unlimited jurisdiction policy. For more information, see IBM SDK Policy files.
- To change the default password to the SAP Metric Data Collector keystore, perform the following steps.
  Important: To run each of the following commands, provide the current password for the SAP Metric Data Collector keystore that you obtained from HCL Support.
  - To change the password to the keystore, run the following command. The password to each key in the keystore must be the same as the password to the keystore. Thus, the -all parameter is used in the command.
    - "/var/opt/BESClient/LMT/SAPTOOL/java/jre/bin/keytool" -storepasswd -all -keystore "/var/opt/BESClient/LMT/SAPTOOL/keydb/keys.jceks" -storetype JCEKS
    - "C:\Program Files (x86)\BigFix Enterprise\BES Client\LMT\SAPTOOL\java\jre\bin\keytool.exe" -storepasswd -all -keystore "C:\Program Files (x86)\BigFix Enterprise\BES Client\LMT\SAPTOOL\keydb\keys.jceks" -storetype JCEKS
  - When prompted, provide the new keystore password.
  - To encode the password, run the following command.
    - "/var/opt/BESClient/LMT/SAPTOOL/saptool.sh" -encode
    - "C:\Program Files (x86)\BigFix Enterprise\BES Client\LMT\SAPTOOL\saptool.bat" -encode
    The password is encoded and displayed in the command line.
  - Copy the encoded password to a file, and save it in a text format.
    For example:
    - "/var/opt/BESClient/LMT/SAPTOOL/config/custom_access_code.txt"
    - "C:\Program Files (x86)\BigFix Enterprise\BES Client\LMT\SAPTOOL\config\custom_access_code.txt"
    Note: It is recommended to save the custom_access_code.txt file in the config directory. This directory remains unchanged after the SAP Metric Data Collector update.
  - Open the saptool_config.properties file that is in the following location.
    - "/var/opt/BESClient/LMT/SAPTOOL/config/"
    - "C:\Program Files (x86)\BigFix Enterprise\BES Client\LMT\SAPTOOL\config\"
    Provide the path to the file with the encoded password in the configuration_key_init_path parameter.
    For example:
    - configuration_key_init_path=/var/opt/BESClient/LMT/SAPTOOL/config/custom_access_code.txt
    - configuration_key_init_path=C:\\Program Files (x86)\\BigFix Enterprise\\BES Client\\LMT\\SAPTOOL\\config\\custom_access_code.txt
    Note: Provide the path in one line and without quotation marks. To use a backslash, provide it twice (\\).
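
The following check is an added example, not part of the product or its documentation: a shell function that lints the configuration_key_init_path entry for the mistakes the note above warns about (quotation marks, single backslashes) and, for UNIX-style paths, confirms that the referenced file exists. The function name check_key_init_path and the plain key=value layout are assumptions.

```shell
#!/bin/sh
# Added example, not shipped with the SAP Metric Data Collector.
# Assumes the plain key=value layout shown in the examples above.

# check_key_init_path FILE: return 0 if the entry is well formed, 1 otherwise.
check_key_init_path() {
    props=$1
    key=configuration_key_init_path
    [ -r "$props" ] || { echo "cannot read $props" >&2; return 1; }

    # The parameter must be set exactly once.
    count=$(grep -c "^$key=" "$props" || true)
    [ "$count" -eq 1 ] || { echo "expected one $key entry, found $count" >&2; return 1; }

    # Extract the value; drop a trailing CR from files edited on Windows.
    value=$(grep "^$key=" "$props" | tr -d '\r')
    value=${value#"$key="}
    [ -n "$value" ] || { echo "$key is empty" >&2; return 1; }

    # Rule: no quotation marks around or inside the path.
    case $value in
        *\"*|*\'*) echo "remove the quotation marks" >&2; return 1 ;;
    esac

    # Rule: every backslash is doubled. Remove the pairs; any backslash
    # left over is a single one (or a line continuation at the end).
    rest=$(printf '%s' "$value" | sed 's/\\\\//g')
    case $rest in
        *\\*) echo "write each backslash twice" >&2; return 1 ;;
    esac

    # For UNIX-style paths, the file with the encoded password must exist.
    case $value in
        /*) [ -f "$value" ] || { echo "no such file: $value" >&2; return 1; } ;;
    esac
    return 0
}

# Stand-alone use: sh check.sh /path/to/saptool_config.properties
if [ "$#" -gt 0 ]; then
    check_key_init_path "$1"
fi
```

Run it after editing saptool_config.properties; a nonzero exit status means the entry needs to be corrected before the collector can locate the encoded password.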