Encrypting passwords (optional)

How to encrypt passwords required by the installation, upgrade, and management processes.

About this task

This task is step 2 of the Dynamic Workload Console installation procedure. It is optional and covers encrypting passwords.

You can optionally encrypt the passwords that you will use while installing, upgrading, and managing HCL Workload Automation. The secure command uses the AES method and prints the encrypted password to the screen or saves it to a file.

Note: Make sure that you understand the limits of the protection that this method provides. The custom passphrase that you use to encrypt the passwords is stored in clear text in the passphrase_variables.xml file, which is located in configureDropin. To fully understand the implications of this method, read the information provided by WebSphere Application Server Liberty Base in Liberty: The limits to protection through password encryption.

You can perform a typical procedure, which uses a custom passphrase, as described in the following scenario. For more information about all secure arguments and default values, see Optional password encryption - secure script.

Encrypting the password
  1. Browse to the folder where the secure command is located:
    • Before the installation, the command is located in the product image directory, <image_directory>/TWS/<op_sys>/Tivoli_LWA_<op_sys>/TWS/bin
    • After the installation, the command is located in TWA_home/TWS/bin
  2. Depending on your operating system, encrypt the password as follows:
    Windows operating systems
    secure -password password -passphrase passphrase
    UNIX operating systems
    ./secure -password password -passphrase passphrase
    z/OS operating systems
    ./secure -password password -passphrase passphrase
    where:
    -password
        Specifies the password to be encrypted.
    -passphrase
        Optional. Specifies the custom passphrase that is used to generate the key with which the command encrypts the password. If you set this parameter, inform the user who installs HCL Workload Automation that they must define the SECUREWRAP_PASSPHRASE environment variable in the same shell from which they run the installation command, and set it to the same value as the passphrase argument. On Windows operating systems, the passphrase must be at least 8 characters long.
  3. Provide both the encrypted password and custom passphrase to the user in charge of installing HCL Workload Automation. You can use encrypted passwords only in association with the specific passphrase used to encrypt them.

Installing with the encrypted password

The user in charge of installing HCL Workload Automation must set the SECUREWRAP_PASSPHRASE environment variable by performing the following steps:
  1. Open a brand new shell session.
  2. Ensure that no value is set for the SECUREWRAP_PASSPHRASE environment variable.
  3. Define the SECUREWRAP_PASSPHRASE environment variable and set it to the passphrase defined by the user who ran the secure command, as follows:
    SECUREWRAP_PASSPHRASE=<passphrase>

    You can use encrypted passwords only in association with the specific passphrase used to encrypt them.

  4. In the same shell session, provide the encrypted passwords when running any command that uses a password. An encrypted password looks like the following example:
    {aes}AFC3jj9cROYyqR+3CONBzVi8deLb2Bossb9GGroh8UmDPGikIkzXZzid3nzY0IhnSg=
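
The following pre-flight helpers for steps 2 to 4 on UNIX are an added example, not part of the product or its documentation; all function names are hypothetical. They assume a POSIX shell, and they export the variable because a plain assignment is not inherited by the commands that the shell starts.

```shell
# Added example, not product code; helper names are hypothetical.
# Source this file in the new shell session opened in step 1.
AES_PREFIX='{aes}'

# Step 2: true only if no passphrase is set in this shell.
passphrase_is_clear() {
    [ -z "${SECUREWRAP_PASSPHRASE:-}" ]
}

# Step 3: read the passphrase from stdin (echo off on a terminal) so it does
# not land in shell history, then export it so child processes inherit it.
set_passphrase_from_stdin() {
    if ! passphrase_is_clear; then
        echo "SECUREWRAP_PASSPHRASE is already set; start a new shell" >&2
        return 1
    fi
    if [ -t 0 ]; then stty -echo; fi
    IFS= read -r _pp || true
    if [ -t 0 ]; then stty echo; echo >&2; fi
    if [ -z "$_pp" ]; then echo "empty passphrase" >&2; return 1; fi
    export SECUREWRAP_PASSPHRASE="$_pp"
    unset _pp
}

# True if the value is the {aes} prefix followed by base64 text. The base64
# alphabet is an assumption inferred from the sample value on this page.
is_encrypted_password() {
    case "$1" in "$AES_PREFIX"?*) ;; *) return 1 ;; esac
    case ${1#"$AES_PREFIX"} in
        *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
}

# Step 4 gate: the passphrase must be visible to a child process and the
# password argument must already be encrypted, so no plaintext is passed on.
preflight() {
    if ! sh -c '[ -n "${SECUREWRAP_PASSPHRASE:-}" ]'; then
        echo "SECUREWRAP_PASSPHRASE is not exported in this shell" >&2
        return 1
    fi
    if ! is_encrypted_password "$1"; then
        echo "password is not in {aes} form; refusing plaintext" >&2
        return 1
    fi
}
# Usage: set_passphrase_from_stdin && preflight "$ENCRYPTED_PW" && run the command
```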