Improving security of storing VM manager passwords

Available from 9.2.9. To improve security of storing passwords to VM managers, you can overwrite the default key that is used to encrypt the passwords or change the default password to the VM Manager Tool keystore. These two procedures are independent. You can change the encryption key, the keystore password or both, depending on your needs.

Procedure

  • To overwrite the default key that is used to encrypt passwords to VM managers, perform the following steps.
    1. Go to the VM Manager Tool directory.
    2. Stop VM Manager Tool by using the following command.
      • Linux ./vmman.sh -stop
      • Windows vmman.bat -stop
    3. Back up the config and keydb directories.
      • Linux
        /var/opt/BESClient/LMT/VMMAN/config/
        /var/opt/BESClient/LMT/VMMAN/keydb/
      • Windows
        C:\Program Files (x86)\BigFix Enterprise\BES Client\LMT\VMMAN\config\
        C:\Program Files (x86)\BigFix Enterprise\BES Client\LMT\VMMAN\keydb
      If an error occurs during the regeneration of the key, restore these directories to their current locations.
    4. Run the following command.
      • Linux ./vmman.sh -regenerateencryptionkey
      • Windows vmman.bat -regenerateencryptionkey
    5. Start VM Manager Tool by using the following command.
      • Linux ./vmman.sh -run
      • Windows vmman.bat -run
  • To change the default password to the VM Manager Tool keystore, perform the following steps.
    1. Go to the VM Manager Tool directory.
    2. Stop VM Manager Tool by using the following command.
      • Linux ./vmman.sh -stop
      • Windows vmman.bat -stop
    3. Back up the VM Manager Tool keystore and configuration files.
      • Linux
        /var/opt/BESClient/LMT/VMMAN/keydb/keys.jceks
        /var/opt/BESClient/LMT/VMMAN/config/vmmmainconf.properties
      • Windows
        C:\Program Files (x86)\BigFix Enterprise\BES Client\LMT\VMMAN\keydb\keys.jceks
        C:\Program Files (x86)\BigFix Enterprise\BES Client\LMT\VMMAN\config\vmmmainconf.properties
      If an error occurs while changing the keystore password, restore these files to their current locations.
    4. Create a txt file, for example keystore_password.txt. Provide the new keystore password in the customPassword parameter.
      customPassword=<new_password>
    5. To change the password, run the following command.
      • Linux ./vmman.sh -changepassword -file /var/opt/BESClient/LMT/VMMAN/config/keystore_password.txt
      • Windows vmman.bat -changepassword -file "C:\Program Files (x86)\BigFix Enterprise\BES Client\LMT\VMMAN\config\keystore_password.txt"
      Where -file is the path to the txt file in which you specified the new keystore password.
      After you run the command, the password is encrypted and saved in the vmmmainconf.properties file under the vmm_keystore_password_do_not_change_it parameter.
    6. After the new password is set, remove the txt file in which you specified the password.
    7. Start VM Manager Tool by using the following command.
      • Linux ./vmman.sh -run
      • Windows vmman.bat -run
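
The keystore password procedure above leaves a plaintext password on disk between steps 4 and 6. The following Linux wrapper is an added example, not part of the product: it reads the new password from stdin, writes the txt file readable by its owner only, and removes it whether or not -changepassword succeeds. The function names and the backup directory argument are hypothetical, and the script assumes vmman.sh is located in the directory named by VMMAN_DIR.

```shell
#!/bin/sh
# Added example, not product code. Assumption: vmman.sh lives in $VMMAN_DIR.
VMMAN_DIR="${VMMAN_DIR:-/var/opt/BESClient/LMT/VMMAN}"

# Run vmman.sh from its own directory; </dev/null keeps it from reading our stdin.
vmman() { ( cd "$VMMAN_DIR" && ./vmman.sh "$@" </dev/null ); }

# Step 3: copy keystore and config into a fresh 0700 directory under $1; print its path.
backup_keystore_files() (
    umask 077
    dest=$(mktemp -d "$1/vmman-backup.XXXXXX") || exit 1
    cp "$VMMAN_DIR/keydb/keys.jceks" \
       "$VMMAN_DIR/config/vmmmainconf.properties" "$dest"/ || exit 1
    printf '%s\n' "$dest"
)

# Step 4: read the new password from stdin (keeps it out of argv and shell
# history) and write customPassword=... to $1, readable by the owner only.
write_password_file() (
    umask 077
    IFS= read -r pw || [ -n "$pw" ] || exit 1
    [ -n "$pw" ] || { echo "empty password" >&2; exit 1; }
    rm -f "$1"                      # a pre-existing file would keep its old mode
    printf 'customPassword=%s\n' "$pw" > "$1"
)

# Steps 5-6: run -changepassword, then delete the plaintext file even on failure.
change_keystore_password() {
    pwfile="$VMMAN_DIR/config/keystore_password.txt"
    write_password_file "$pwfile" || return 1
    vmman -changepassword -file "$pwfile" && rc=0 || rc=$?
    rm -f "$pwfile"
    return "$rc"
}

# Steps 2-7 in order. $1 = directory for the backup; new password on stdin.
rotate_keystore_password() {
    vmman -stop || return 1
    backup=$(backup_keystore_files "$1") || return 1
    if change_keystore_password; then
        vmman -run
    else
        # Leave the tool stopped so the backed-up files can be restored first.
        echo "password change failed; restore files from $backup" >&2
        return 1
    fi
}
```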