Create HP Codar encryption keystore

This section describes an example of how to create a keystore, referred to in this document as the HP Codar encryption keystore, that is used by HP Codar to encrypt and decrypt a key. This key is used to encrypt and decrypt the data in HP Codar. The validity period assigned to the HP Codar encryption keystore is not used by HP Codar.

The examples used in this document save the keystore in the CSA_HOME\jboss-as\standalone\configuration\ directory. You may choose to store the keystore in any location; however, you must then use that location in every subsequent example.

Note In the following examples, CSA_HOME is the directory in which Codar is installed (for example, C:\Program Files\Hewlett-Packard\CODAR on Windows or /usr/local/hp/csa on Linux), the keytool utility is included with the JRE, and a JRE has been installed for HP Codar in CSA_JRE_HOME.

The following is an example of how to create the HP Codar encryption keystore.

To create the HP Codar encryption keystore, complete the following steps:

  1. Open a command prompt and change directories to CSA_HOME.

  2. Run the following command:

    Windows:

    "CSA_JRE_HOME\bin\keytool" -genkey -alias csa_encryption_key -validity 365 -keyalg rsa -keysize 2048 -storetype PKCS12 -keystore .\jboss-as\standalone\configuration\csa_encryption_keystore.p12

    Linux:

    CSA_JRE_HOME/bin/keytool -genkey -alias csa_encryption_key -validity 365 -keyalg rsa -keysize 2048 -storetype PKCS12 -keystore ./jboss-as/standalone/configuration/csa_encryption_keystore.p12

    where

    certificate_key_file is the same keystore file defined by the certificate-key-file attribute in the ssl element of the CSA_HOME\jboss-as\standalone\configuration\standalone.xml file (for example, CSA_HOME\jboss-as\standalone\configuration\.keystore).

    certificate_key_file_password is the password to the keystore file.

    certificate_key_file_type is the keystore type (for example, JKS or PKCS12).

    You can use different values for -alias, -validity, -keysize and -keystore. These instructions assume that you will use the -alias and -keystore values recommended here; you will have to adjust the commands accordingly if you use different values.

    Because the HP Codar encryption keystore is used by HP Codar to only encrypt and decrypt a key and not to generate certificates, you can enter any value for -validity. The validity period assigned to the HP Codar encryption keystore is not used by HP Codar.

  3. Enter a keystore password (referred to in this document as the HP Codar encryption keystore password).

    This password is used to control access to the keystore. This password must be the same as the password you enter for the key in step 5 of this task.

    Note You must create a password file with this password whenever HP Codar is started. See Start Codar for more information.

  4. Follow the prompts to enter your first and last name, organization, and location values.

  5. Enter the keystore password you supplied earlier to use as the key password.

    Although keytool allows you to enter different passwords for the keystore and the key, the two passwords must be the same to work with HP Codar.

Generate an Encrypted Symmetric Key

This section describes an example of how to generate an encrypted symmetric key that is used by HP Codar to encrypt and decrypt data. This key is also used to encrypt the passwords for the Codar Console.

Caution Do NOT generate the key more than one time.

The following is an example of how to generate an encrypted symmetric key:

  1. Open a command prompt and change to the CSA_HOME\Tools\PasswordUtil (Windows) or CSA_HOME/Tools/PasswordUtil (Linux) directory. For example:

    C:\Program Files\Hewlett-Packard\CSA\Tools\PasswordUtil
    /usr/local/hp/csa/Tools/PasswordUtil

  2. Run the following command (this example uses the same example names from Create HP Codar encryption keystore):

    Windows:

    "CSA_JRE_HOME\bin\java" -jar passwordUtil-standalone.jar genAndEncKey JsafeJCE ../../jboss-as/standalone/configuration/csa_encryption_keystore.p12 <HP Codar encryption keystore password> csa_encryption_key ../../jboss-as/standalone/configuration/key.dat

    Note The path separators used in the passwordUtil-standalone.jar script options are forward slashes (/). You can also use double backward slashes (\\) as your path separators.

    Linux:

    CSA_JRE_HOME/bin/java -jar passwordUtil-standalone.jar genAndEncKey JsafeJCE ../../jboss-as/standalone/configuration/csa_encryption_keystore.p12 <HP Codar encryption keystore password> csa_encryption_key ../../jboss-as/standalone/configuration/key.dat

    In this example, the encrypted symmetric key is saved to:

    CSA_HOME\jboss-as\standalone\configuration\key.dat (Windows)
    CSA_HOME/jboss-as/standalone/configuration/key.dat (Linux)

    Note You will use this file name and location when encrypting HP Codar passwords for the Codar Console.

    If you used different names for the keystore, alias, or encrypted symmetric key file, here is an example of the command without using the example names:

    Windows:

    "CSA_JRE_HOME\bin\java" -jar "CSA_HOME\Tools\PasswordUtil\passwordUtil-standalone.jar" genAndEncKey JsafeJCE <HP Codar encryption keystore> <HP Codar encryption keystore password> <HP Codar encryption keystore alias> <location and name of the encrypted symmetric key>

    Note If you use path separators in the passwordUtil-standalone.jar script options, use either a single forward slash (/) or double backward slashes (\\) as your path separator.

    Linux:

    CSA_JRE_HOME/bin/java -jar CSA_HOME/Tools/PasswordUtil/passwordUtil-standalone.jar genAndEncKey JsafeJCE <HP Codar encryption keystore> <HP Codar encryption keystore password> <HP Codar encryption keystore alias> <location and name of the encrypted symmetric key>
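As an added example (not HP's own scripts or documentation), the following POSIX shell wrapper runs the two procedures above, creating the HP Codar encryption keystore and then generating the encrypted symmetric key, non-interactively while enforcing what the text requires: the keystore and key passwords must be identical, the store type is PKCS12, and neither file is generated a second time if it already exists. The function names, argument order, the CODAR_KS_PASS variable, the -dname value and the example installation paths are assumptions of this example; the keytool and passwordUtil-standalone.jar invocations are the ones shown on this page.

```shell
#!/bin/sh
# Added wrapper (not HP tooling) around the two procedures on this page.
# Helper names, argument order and CODAR_KS_PASS are this example's own.

# Defaults recommended on this page, relative to CSA_HOME.
KS_ALIAS="csa_encryption_key"
KS_REL="jboss-as/standalone/configuration/csa_encryption_keystore.p12"
KEY_REL="jboss-as/standalone/configuration/key.dat"

keystore_path() { printf '%s/%s\n' "$1" "$KS_REL"; }
key_file_path() { printf '%s/%s\n' "$1" "$KEY_REL"; }

# Steps 3 and 5 of the keystore procedure: the keystore password and the
# key password must be the same (and not empty) for HP Codar to use them.
passwords_usable() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# The page cautions against generating these files more than once, so
# refuse to overwrite anything that is already on disk.
refuse_if_exists() {
    if [ -e "$1" ]; then
        echo "refusing to overwrite existing $1 (see 'When to Regenerate')" >&2
        return 1
    fi
    return 0
}

# Non-interactive form of the keytool command from step 2. The password is
# handed to keytool through an environment variable (keytool's
# -storepass:env / -keypass:env form) so it is not visible in the process
# list; -dname supplies the name, organization and location of step 4.
create_keystore() {
    csa_home=$1; jre_home=$2; store_pass=$3; key_pass=$4; dname=$5
    passwords_usable "$store_pass" "$key_pass" || {
        echo "keystore and key passwords must be identical and non-empty" >&2
        return 2
    }
    ks=$(keystore_path "$csa_home")
    refuse_if_exists "$ks" || return 1
    CODAR_KS_PASS=$store_pass "$jre_home/bin/keytool" -genkey -alias "$KS_ALIAS" \
        -validity 365 -keyalg rsa -keysize 2048 -storetype PKCS12 \
        -keystore "$ks" -storepass:env CODAR_KS_PASS -keypass:env CODAR_KS_PASS \
        -dname "$dname"
}

# Confirm the alias is present before handing the keystore to the utility.
verify_keystore() {
    csa_home=$1; jre_home=$2; store_pass=$3
    CODAR_KS_PASS=$store_pass "$jre_home/bin/keytool" -list -storetype PKCS12 \
        -keystore "$(keystore_path "$csa_home")" -storepass:env CODAR_KS_PASS \
        | grep -q "^$KS_ALIAS,"
}

# Step 2 of "Generate an Encrypted Symmetric Key". The utility takes the
# keystore password as a plain argument, exactly as the page shows, so run
# this from a shell whose history is not persisted.
generate_symmetric_key() {
    csa_home=$1; jre_home=$2; store_pass=$3
    key=$(key_file_path "$csa_home")
    refuse_if_exists "$key" || return 1
    ( cd "$csa_home/Tools/PasswordUtil" && \
      "$jre_home/bin/java" -jar passwordUtil-standalone.jar genAndEncKey JsafeJCE \
          "$(keystore_path "$csa_home")" "$store_pass" "$KS_ALIAS" "$key" )
}

# Usage against a real installation (paths are assumptions of this example):
#   create_keystore /usr/local/hp/csa /usr/local/hp/jre "$PASS" "$PASS" \
#       "CN=codar,O=Example,L=City,ST=NA,C=US" \
#   && verify_keystore /usr/local/hp/csa /usr/local/hp/jre "$PASS" \
#   && generate_symmetric_key /usr/local/hp/csa /usr/local/hp/jre "$PASS"
```

Because the store type is PKCS12, keytool itself does not support distinct keystore and key passwords for this file and will ignore a differing -keypass with a warning; the wrapper's passwords_usable check turns that silent behaviour into an explicit failure so the value you later put in the password file is the one that actually protects the key.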

When to Regenerate the HP Codar Encryption Keystore or Encrypted Symmetric Key

You should not regenerate the HP Codar encryption keystore or encrypted symmetric key unless one of the following occurs:

  • The HP Codar encryption keystore or encrypted symmetric key was deleted and is not recoverable.
  • The HP Codar encryption keystore or encrypted symmetric key was regenerated and the original file is not recoverable.
  • The HP Codar encryption keystore password is not retained.
  • The validity period for the HP Codar encryption keystore has expired.

Locate your situation in the table below and perform the tasks starting at the listed step.

Situation                                          Start at
Lost HP Codar encryption keystore                  Step 1
Lost encrypted symmetric key                       Step 2
Regenerated HP Codar encryption keystore           Step 1
Regenerated encrypted symmetric key                Step 3
Forgotten HP Codar encryption keystore password    Step 1

Tasks to perform:

  1. Regenerate the HP Codar encryption keystore (see "Create an HP Codar Encryption Keystore").
  2. Regenerate the encrypted symmetric key (see "Generate an Encrypted Symmetric Key").
  3. Encrypt the HP Codar passwords again (see Encrypt HP Codar passwords).
  4. Configure HP Codar properties (see Configure HP Codar properties). As applicable, update the keystore, keyAlias, encryptedKeyFile, and csaTruststorePassword property values.
  5. Reset the password for every organization's LDAP access point:

    Update the passwords for the following users in the CSA_ACCESS_POINT table in the database.

    a. Open an SQL client to your database.
    b. Run the following:

       update CSA_ACCESS_POINT set password=null;

    c. Launch the Codar Console by typing the following URL in a supported web browser: https://<codarhostname>:8444/csa where <codarhostname> is the fully-qualified domain name of the system on which the Codar Console resides.
    d. Log in to the Codar Console as the Codar Administrator.
    e. Click the Organizations sidebar menu item.
    f. In the left-navigation frame, select an organization.
    g. From the organization's navigation frame, select LDAP.
    h. Enter the password in the Password and Retype Password fields.
    i. Click Save Changes.
    j. Repeat steps f - i for every organization.
  6. Restart HP Codar.

    See Restart Codar for detailed information on how to restart HP Codar.