Automatic encryption for key product files

Key product files, such as the Symphony file, are automatically encrypted for all fresh installations using AES-256 or AES-128 cryptography starting from version 10.1.

Data breaches are becoming more and more common and pervasive in today's business world. Encryption is a key feature when it comes to protecting sensitive data, such as the data at rest stored in your Symphony plan or message queues. For this reason, all fresh installations starting from this release automatically encrypt key product files using AES-256 or AES-128 cryptography.

Data at rest is data that is not being accessed or used but is instead stored on your computer, external hard drive, cloud storage, server, or database. Encryption at rest ensures that this data is protected and encrypted.

If you want HCL Workload Automation to encrypt files such as the Symphony file, message queues, and the useropts file at runtime, you do not need to take any action. By default, these files are encrypted automatically without your intervention. You can also define the folder containing the certificates and the password for the certificates using the sslkeysfolder and sslpassword parameters when installing the master domain manager and agents, both fault-tolerant agents and dynamic agents.

The following HCL Workload Automation elements are automatically encrypted:
  • Symphony file
  • message queues
  • useropts file
  • jmJobTableDir directory on dynamic agents

Information about encryption keys is stored in the following localopts properties:

encrypt keystore file
    The path to the keystore PKCS12 file, containing the AES-256 or AES-128 key.
encrypt keystore pwd
    The path to the keystore stash file.
encrypt label
    The label of the key in the keystore. When you modify a key label for key rotation, store the previous label in the decrypt label list property, so it can be retrieved if it is still used in the product. This property is case insensitive.
decrypt label list
    The list of previously used aliases for key encryption. When you modify a key alias for key rotation, store the previous alias in this property. This storage method is useful if the obsolete key is still used in the product. Separate each value with a comma ",". Note that this property is commented out. This property is case insensitive.
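
The rotation rule above can be checked mechanically. The following is an added example, not HCL's code: it reads localopts text and reports whether a label retired during key rotation is still listed in decrypt label list. The `name = value` syntax with `#` comments, the placeholder paths, and the labels key-2023 and key-2024 are assumptions constructed for illustration.

```python
# Added example: audits localopts text for the encryption properties described above.
# Assumption: entries are "name = value" lines and "#" starts a comment.
REQUIRED = ("encrypt keystore file", "encrypt keystore pwd", "encrypt label")
OPTIONAL = ("decrypt label list",)

# Constructed sample: placeholder paths and labels, not taken from a real installation.
SAMPLE = '''\
# constructed sample
encrypt keystore file = "/path/to/keystore.p12"
encrypt keystore pwd = "/path/to/keystore.sth"
encrypt label = key-2024
#decrypt label list = key-2023
'''

def parse_localopts(text):
    """Return {property: (value, is_commented)}; an active entry overrides a commented one."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        commented = line.startswith("#")
        name, sep, value = line.lstrip("# ").partition("=")
        name = " ".join(name.lower().split())
        if not sep or name not in REQUIRED + OPTIONAL:
            continue
        if name not in props or (props[name][1] and not commented):
            props[name] = (value.strip().strip('"'), commented)
    return props

def audit_rotation(text, previous_label):
    """List problems that would leave data encrypted under previous_label unreadable."""
    props = parse_localopts(text)
    findings = []
    for name in REQUIRED:
        value, commented = props.get(name, ("", True))
        if commented or not value:
            findings.append(f"{name}: missing or commented out")
    current = props.get("encrypt label", ("", True))[0]
    if current.lower() == previous_label.lower():
        return findings  # label unchanged, so there is no old label to retain
    value, commented = props.get("decrypt label list", ("", True))
    # Labels are compared case-insensitively (our reading of "case insensitive").
    retained = [] if commented else [v.strip().lower() for v in value.split(",") if v.strip()]
    if previous_label.lower() not in retained:
        findings.append(f"decrypt label list: previous label {previous_label!r} not retained")
    return findings
```

Run against the sample, the audit flags the commented-out decrypt label list; uncommenting that line clears the finding.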

For more information about the localopts file, see Setting local options.

For more information about rotating the keys, see Encryption key rotation.